DogSoldier
2009-08-30, 19:32
I picked up something surfing with IE and immediately, all my windows minimized as this thing installed itself. VIPRE Rescue5360 was able to log what was wrong but couldn't delete all the bad files. Most of them were sitting in Windows/System32 and were named UACyoultoejtk.dll or such. The names given for these viruses/trojans were Explorer32.Hijacker, Generic MBR Rootkit and Packed.Win32.TDSS.y
I was able to borrow a computer to burn F-Secure ISO onto CD, after booting from this CD I ran the scan and it deleted 6 instances of UAC*** All that remains now is something called globalroot\Device\__max++>\69AEAAFC.x86.dll and this seems to be preventing the other antivirus programs from installing or working. I get a lot of NT Policy errors, like if I kill a process with the 69AEAAFC.x86.dll in it, I get a "System Shutdown" due to a missing RPC or something. I am able to disable the shutdown by typing shutdown -a in Run
I disabled Paging Files (Virtual memory) for all drives, switched System Restore off (It was off before so this thing must have turned it back on) and ran the F-Secure CD again over night. It found one virus in the Restore folder and I booted into safe mode but I still have the same problems, which is globalroot\Device\__max++>\87B7C76E.x86.dll inserting itself into at least 8 processes. Notice the dll renames itself after every reboot.
I ran Gmer's mbr.exe and it comes up clean, evidently, no MBR virus but I don't know...
After I ran the F-Secure CD, I was able to run Gmer but it won't do a full scan, it only gets so far then shuts off and I have to unzip a new fresh version because XP disabled the old one. Before I get to that partial log (Files unchecked), here is a list of programs that will still NOT run, in safe mode OR normal: HiJackThis, Malwarebytes, ComboFix, RootRepeal, Kaspersky Antivirus - both standalone and browser, Counterspy, BitDefender standalone and browser.. a few others I forgot...
What does work?! F-Secure ISO on CD, Gmer (Up to a point), CCleaner, ATF-Cleaner and VIPRE Rescue5360
Here's the Gmer log:
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:17:03
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF79BD4D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF79BD520]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB6F2A6D0]
---- Kernel code sections - GMER 1.0.15 ----
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP100.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1440] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3848] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.15 ----
IE doesn't work and only redirects my searches so I've been using Firefox. I've been looking for solutions for the past 2 days. I never post in these help forums.. I'm usually able to fix things myself, but this bug IS VICIOUS! I'm hoping someone here will help save this computer, it's very valuable with over a decade's worth of work files and backups. I'm a graphic designer.
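The GMER log above is the kind of evidence a responder has to read quickly: which processes carry the hidden module, which APIs have been redirected into it, and whether the AppInit_DLLs loading switch is on. As an added example (not part of the post and not a GMER tool), the script below parses the `.text`, `IAT`, `Library` and `Reg` line formats exactly as GMER 1.0.15 prints them in the log and summarises every module that lives under the raw object-manager path `\\?\globalroot\Device\...`, a location with no drive letter that ordinary file browsing never shows. The sample input is an excerpt of the post's own log embedded as a string; the regular expressions are written against that one GMER version's layout and are an assumption for any other.

```python
import re
from collections import defaultdict

# Sample input: an excerpt of the GMER 1.0.15 log quoted in the post above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1440] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3848] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
"""

# Line layouts as printed by GMER 1.0.15 (assumed stable only for that version).
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<api>\S+)\s+\+\s+[0-9A-F]+\s+"
    r"[0-9A-F]+\s+\d+\s+Bytes\s+(?P<instr>\S+)\s+(?P<target>[0-9A-F]+)\s+(?P<module>.+?)\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<dll>\S+)\s+\[(?P<api>[^\]]+)\]\s+"
    r"\[(?P<target>[0-9A-F]+)\]\s+(?P<module>.+?)\s*$")
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+"
    r"\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$")
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<value>\S+)(?:\s+(?P<data>.+?))?\s*$")

# Modules reported by raw object-manager path instead of a drive letter.
DEVICE_NAMESPACE = "\\\\?\\globalroot\\device\\"


def parse_gmer(log_text):
    """Turn GMER's text sections into lists of dicts keyed by hook/library type."""
    report = {"inline_hooks": [], "iat_hooks": [], "hidden_libraries": [], "registry": {}}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := INLINE_RE.match(line):
            report["inline_hooks"].append({"proc": m["proc"], "pid": int(m["pid"]), "api": m["api"],
                                           "instr": m["instr"], "target": m["target"], "module": m["module"]})
        elif m := IAT_RE.match(line):
            report["iat_hooks"].append({"proc": m["proc"], "pid": int(m["pid"]), "dll": m["dll"],
                                        "api": m["api"], "target": m["target"], "module": m["module"]})
        elif m := LIBRARY_RE.match(line):
            report["hidden_libraries"].append({"module": m["module"], "proc": m["proc"],
                                               "pid": int(m["pid"]), "base": m["base"]})
        elif m := REG_RE.match(line):
            report["registry"][m["value"]] = m["data"] or ""   # empty data means value present but blank
    return report


def is_device_namespace(module):
    return module.lower().startswith(DEVICE_NAMESPACE)


def suspicious_modules(report):
    """Every module path that lives under \\?\globalroot\Device, from any section."""
    entries = report["inline_hooks"] + report["iat_hooks"] + report["hidden_libraries"]
    return {e["module"] for e in entries if is_device_namespace(e["module"])}


def injected_processes(report):
    """module -> sorted (process path, pid) pairs in which GMER saw it loaded hidden."""
    where = defaultdict(set)
    for lib in report["hidden_libraries"]:
        if is_device_namespace(lib["module"]):
            where[lib["module"]].add((lib["proc"], lib["pid"]))
    return {mod: sorted(procs) for mod, procs in where.items()}


def hooked_apis(report):
    """APIs redirected into a device-namespace module, split by hook type."""
    return {
        "inline": sorted({h["api"] for h in report["inline_hooks"] if is_device_namespace(h["module"])}),
        "iat": sorted({h["api"] for h in report["iat_hooks"] if is_device_namespace(h["module"])}),
    }


def appinit_enabled(report):
    """True when the log shows LoadAppInit_DLLs set to 1 (user32 will load AppInit_DLLs)."""
    return report["registry"].get("LoadAppInit_DLLs") == "1"


if __name__ == "__main__":
    r = parse_gmer(SAMPLE_LOG)
    for mod, procs in injected_processes(r).items():
        print(f"{mod} hidden in {len(procs)} processes:")
        for proc, pid in procs:
            print(f"  {proc} [{pid}]")
    print("hooked APIs:", hooked_apis(r))
    print("AppInit_DLLs loading enabled:", appinit_enabled(r))
```

Run against the excerpt, the summary shows one module loaded hidden into eight processes (Firefox, four svchost instances, the spooler, the D-Link adapter service and alg.exe), with `NtWriteFile` and `LdrGetProcedureAddress` redirected through the IAT and `GetHFONT`, `GetTextExtentPoint32W` and `CallNextHookEx` patched inline, plus `LoadAppInit_DLLs` set to 1 while `AppInit_DLLs` itself is blank. Reading the same facts off a fresh log after each reboot is how to confirm whether a cleanup actually removed the module, since its file name changes every time and only the path pattern and the injection footprint stay constant.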