[Resolved] uacd.sys unable to remove, how do I get rid of this
Ron_D
post Jun 13 2009, 09:45 PM
Post #1
Group: Authentic Member
Posts: 19
Joined: 24-November 08
From: US
Member No.: 82,555
Operating System: windows me, windows xp, windows vista



I have attempted several times to remove uacinit.dll using Malwarebytes and have been unsuccessful. It says it will be removed on reboot, but when I rerun the scan it is still there.

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:52 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Hawking\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://whitesox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HWDN2 Wireless Utility.lnk = C:\Program Files\Hawking\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108488196921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184710139390
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7478 bytes

and the mbam log:

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3

6/13/2009 10:35:32 PM
mbam-log-2009-06-13 (22-35-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130540
Time elapsed: 46 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

I also ran ATF, which cleaned up all temp files and locations. Finally I ran RootRepeal, and it listed UACD.sys as a hidden process:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/13 18:56
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAF395000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE04000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF865000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sfc.SYS
Image Path: C:\WINDOWS\System32\Drivers\sfc.SYS
Address: 0xAD749000 Size: 12256 File Visible: No Signed: -
Status: -

Name: svmgiyhj.sys
Image Path: C:\WINDOWS\system32\drivers\svmgiyhj.sys
Address: 0xB0D40000 Size: 61440 File Visible: No Signed: -
Status: -

Name: UACnoxvkdujkdabijd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
Address: 0xB45AB000 Size: 77824 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACcnppfgnodbuyxwi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACehbqwgitweivosd.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClilwbwuiqnylibp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnvgcxxwuswafccs.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpqeewmgtprrgvjm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtethcvhelwpkvlt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvjmmjakqcxbownw.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC118a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC13fb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC15c0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1e9a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2011.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd15.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\PCuser\Local Settings\Temp\UAC6e37.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: sfcfiles.dll]
Process: winlogon.exe (PID: 888) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: mssfc.dll]
Process: winlogon.exe (PID: 888) Address: 0x66700000 Size: 1622016

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: svchost.exe (PID: 1164) Address: 0x028d0000 Size: 45056

Object: Hidden Module [Name: UACpqeewmgtprrgvjm.dll]
Process: svchost.exe (PID: 1164) Address: 0x00a40000 Size: 53248

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: svchost.exe (PID: 1164) Address: 0x02970000 Size: 49152

Object: Hidden Module [Name: UAC13fb.tmpcvhelwpkvlt.dll]
Process: svchost.exe (PID: 1164) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: atiptaxx.exe (PID: 2180) Address: 0x009c0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: atiptaxx.exe (PID: 2180) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: DVDLauncher.exe (PID: 2416) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: DVDLauncher.exe (PID: 2416) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: SHSTAT.EXE (PID: 1788) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: SHSTAT.EXE (PID: 1788) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: UdaterUI.exe (PID: 2664) Address: 0x00910000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: UdaterUI.exe (PID: 2664) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: jusched.exe (PID: 3372) Address: 0x00bc0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: jusched.exe (PID: 3372) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: McTray.exe (PID: 3556) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: McTray.exe (PID: 3556) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: ZCfgSvc.exe (PID: 3588) Address: 0x00e50000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ZCfgSvc.exe (PID: 3588) Address: 0x00f10000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: ifrmewrk.exe (PID: 184) Address: 0x00d70000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ifrmewrk.exe (PID: 184) Address: 0x00e30000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: quickset.exe (PID: 3628) Address: 0x00d30000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: quickset.exe (PID: 3628) Address: 0x00df0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: tfswctrl.exe (PID: 3736) Address: 0x00920000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: tfswctrl.exe (PID: 3736) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: iTunesHelper.exe (PID: 4004) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: iTunesHelper.exe (PID: 4004) Address: 0x00bb0000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ctfmon.exe (PID: 4052) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: ctfmon.exe (PID: 4052) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: Dot1XCfg.exe (PID: 2248) Address: 0x00c00000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: Dot1XCfg.exe (PID: 2248) Address: 0x00d50000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: svchost.exe (PID: 2352) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: svchost.exe (PID: 2352) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: RaUI.exe (PID: 1692) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: RaUI.exe (PID: 1692) Address: 0x00b60000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: iPodService.exe (PID: 2676) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: iPodService.exe (PID: 2676) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: Copy of mbam.exe (PID: 2780) Address: 0x01320000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: Copy of mbam.exe (PID: 2780) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: jucheck.exe (PID: 500) Address: 0x01030000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: jucheck.exe (PID: 500) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: RootRepeal.exe (PID: 3112) Address: 0x00b10000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: RootRepeal.exe (PID: 3112) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: logon.scr (PID: 5700) Address: 0x008a0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: logon.scr (PID: 5700) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: wmiprvse.exe (PID: 4272) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: wmiprvse.exe (PID: 4272) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys

==EOF==

I looked for the files but was unable to find them. I have not run it in safe mode yet.

Any help you can give would be appreciated.

Thank you.

This post has been edited by ron_d: Jun 13 2009, 09:48 PM
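The RootRepeal log in the post above has four sections an analyst reads together: drivers and files the scanner could not see through the Windows API, the "Stealth Objects" list of hidden modules injected into ordinary processes, and the hidden service that points at the hidden driver. As an added triage example (not a tool from this thread or from RootRepeal's authors), the following Python parses a constructed excerpt in the same layout and correlates those sections: whether the hidden service's driver image is hidden both in memory and on disk, and how many processes each injected module was found in.

```python
"""Triage helper for a RootRepeal 1.3 log (added example, not a tool from this thread).
SAMPLE_LOG is a constructed excerpt laid out like the log posted above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF865000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACnoxvkdujkdabijd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: svchost.exe (PID: 1164) Address: 0x028d0000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: svchost.exe (PID: 1164) Address: 0x02970000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ctfmon.exe (PID: 4052) Address: 0x00990000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
==EOF==
"""
SECTIONS = ("Drivers", "Hidden/Locked Files", "Stealth Objects", "Hidden Services")
HIDDEN_MARKERS = ("hidden from windows api", "invisible to the windows api")  # RootRepeal's two wordings
MODULE_RE = re.compile(r"Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROCESS_RE = re.compile(r"(?P<proc>.+?) \(PID: (?P<pid>\d+)\)")

def split_sections(text):
    """Return {section: [block, ...]}; a block is the 'Key: value' lines between blank lines."""
    sections, current = {}, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line in SECTIONS and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current = line                      # section header followed by its dashed rule
            sections[current] = [[]]
        elif current is None or line.startswith("---") or line == "==EOF==":
            continue                            # banner lines before the first section, rules, EOF
        elif line == "" and sections[current][-1]:
            sections[current].append([])        # a blank line closes the current block
        elif line:
            sections[current][-1].append(line)
    return {n: [b for b in blocks if b] for n, blocks in sections.items()}

def fields(block):
    """'Key: value' lines -> dict, splitting on the first colon only (paths contain colons)."""
    return {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in block)}

def is_hidden(status):
    """True for either wording RootRepeal uses for objects the Windows API cannot see."""
    return any(marker in status.lower() for marker in HIDDEN_MARKERS)

def triage(text):
    """Correlate the four sections into one summary dict an analyst can act on."""
    sec = {n: [fields(b) for b in blocks] for n, blocks in split_sections(text).items()}
    drivers = [(f.get("Name", ""), f.get("Image Path", "")) for f in sec.get("Drivers", [])
               if is_hidden(f.get("Status", ""))]
    files = [f.get("Path", "") for f in sec.get("Hidden/Locked Files", [])
             if is_hidden(f.get("Status", ""))]
    injected, spread = defaultdict(set), defaultdict(set)
    for f in sec.get("Stealth Objects", []):
        m, p = MODULE_RE.search(f.get("Object", "")), PROCESS_RE.match(f.get("Process", ""))
        if m and p:  # module per (process, pid), plus how many processes carry each module
            injected[(p["proc"], int(p["pid"]))].add(m["name"])
            spread[m["name"]].add(p["proc"])
    hidden_images = {image.lower() for _name, image in drivers}
    hidden_paths = {path.lower() for path in files}
    links = [{"service": f.get("Service Name", ""), "image": f.get("Image Path", ""),
              "driver_hidden_in_memory": f.get("Image Path", "").lower() in hidden_images,
              "image_hidden_on_disk": f.get("Image Path", "").lower() in hidden_paths}
             for f in sec.get("Hidden Services", [])]
    return {"hidden_drivers": drivers, "hidden_files": files, "service_links": links,
            "injected_processes": {k: sorted(v) for k, v in injected.items()},
            "module_spread": {k: sorted(v) for k, v in spread.items()}}

if __name__ == "__main__":
    for link in triage(SAMPLE_LOG)["service_links"]:
        print(f"hidden service {link['service']} -> {link['image']} (hidden in memory: "
              f"{link['driver_hidden_in_memory']}, hidden on disk: {link['image_hidden_on_disk']})")
```

A service whose image is hidden from the API both as a loaded driver and as a file, with the same two user-mode modules injected into every process, is the pattern the helper reacts to in the next post.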
jpshortstuff
post Jun 14 2009, 10:47 AM
Post #2
Group: Classroom Teacher
Posts: 5,624
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux



Hi,

Looks like you've got a nasty Rootkit on board.

Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

We need to disable one or more of your security programs so that they do not interfere with ComboFix.

Please disable McAfee via the system tray icon if possible.

Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console, I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply, along with a fresh HJT log.

Notes:
  1. Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  4. ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Ron_D
post Jun 14 2009, 01:47 PM
Post #3

Combofix log:

ComboFix 09-06-13.09 - PCuser 06/14/2009 14:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1708 [GMT -5:00]
Running from: c:\documents and settings\PCuser\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACnoxvkdujkdabijd.sys
c:\windows\system32\UACcnppfgnodbuyxwi.dll
c:\windows\system32\UACehbqwgitweivosd.dat
c:\windows\system32\UACklvivqdmhiuhnuy.log
c:\windows\system32\UAClilwbwuiqnylibp.dll
c:\windows\system32\UACnvgcxxwuswafccs.dll
c:\windows\system32\UACpqeewmgtprrgvjm.dll
c:\windows\system32\UACrhcxjkgirsbkpyq.log
c:\windows\system32\UACtethcvhelwpkvlt.dll
c:\windows\system32\UACvjmmjakqcxbownw.log
c:\windows\system32\drivers\UACnoxvkdujkdabijd.sys
c:\windows\system32\UACcnppfgnodbuyxwi.dll
c:\windows\system32\UACehbqwgitweivosd.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACklvivqdmhiuhnuy.log
c:\windows\system32\UAClilwbwuiqnylibp.dll
c:\windows\system32\UACnvgcxxwuswafccs.dll
c:\windows\system32\UACpqeewmgtprrgvjm.dll
c:\windows\system32\UACrhcxjkgirsbkpyq.log
c:\windows\system32\UACtethcvhelwpkvlt.dll
c:\windows\system32\UACvjmmjakqcxbownw.log

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 02:37 . 2009-06-14 02:37 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 02:36 . 2009-06-14 02:36 152576 ----a-w- c:\documents and settings\PCuser\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-13 21:18 . 2009-06-13 21:18 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-13 21:18 . 2009-06-13 21:18 -------- d-----w- c:\documents and settings\PCuser\Application Data\Malwarebytes
2009-06-13 20:08 . 2009-06-13 20:08 -------- d-----w- c:\documents and settings\ron\Local Settings\Application Data\Apple Computer
2009-06-13 19:48 . 2009-06-13 19:48 -------- d-----w- c:\documents and settings\PCuser\.housecall6.6
2009-06-13 19:35 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 19:35 . 2009-06-13 21:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 19:35 . 2009-06-13 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 19:35 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 02:36 . 2005-02-15 19:28 -------- d-----w- c:\program files\Java
2009-05-19 19:04 . 2009-03-05 04:09 -------- d-----w- c:\program files\World of Warcraft
2009-05-13 04:12 . 2009-03-16 22:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-10 04:12 . 2009-05-10 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-05-07 15:32 . 2004-08-12 13:21 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-12 13:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-18 21:55 . 2007-07-18 16:57 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-04-18 21:51 . 2009-04-18 21:51 -------- d-----w- c:\program files\Hawking
2009-04-18 21:51 . 2005-02-15 17:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-17 12:26 . 2004-08-12 13:33 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-12 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-14 148888]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HWDN2 Wireless Utility.lnk - c:\program files\Hawking\Common\RaUI.exe [2009-4-18 1146880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5800:TCP"= 5800:TCP:VNCa
"5900:TCP"= 5900:TCP:VNCb
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [4/18/2009 4:52 PM 564480]
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://whitesox.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3344)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-14 14:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 19:28

Pre-Run: 57,551,130,624 bytes free
Post-Run: 57,500,602,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

169 --- E O F --- 2009-06-14 04:00
jpshortstuff
post Jun 15 2009, 07:04 AM
Post #4

Looks like ComboFix has done a good job there. Please run RootRepeal again and post the log it gives.

I'd also like to run the general scan to see if there's anything left.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Let me know how things are running now.
Ron_D
post Jun 17 2009, 11:35 AM
Post #5

Both logs were empty, so I think we are good to go. Thank you very much.

This post has been edited by ron_d: Jun 17 2009, 11:35 AM
jpshortstuff
post Jun 17 2009, 01:16 PM
Post #6

Glad to hear things are looking better.

Just a few things to do to clean up.

Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    Download Spybot Search and Destroy 1.5 from here
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.

    SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
    Freely available: Download SpywareBlaster

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
Ron_D
post Jun 17 2009, 02:07 PM
Post #7

Yes, very well done, thank you.
jpshortstuff
post Jun 17 2009, 02:15 PM
Post #8

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
