My computer appears to be infected pretty badly and has been for a while! I would be grateful if this wonderful forum helped me out! It would be greatly appreciated!
<AVZ_CollectSysInfo>
--------------------
Start time: 1/20/2009 3:24:11 PM
Duration: 00:00:43
Finish time: 1/20/2009 3:24:54 PM
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
1/20/2009 3:24:11 PM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
1/20/2009 3:24:11 PM System Restore: enabled
1/20/2009 3:24:12 PM 1.1 Searching for user-mode API hooks
1/20/2009 3:24:12 PM Analysis: kernel32.dll, export table found in section .text
1/20/2009 3:24:12 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
1/20/2009 3:24:12 PM Hook kernel32.dll:CreateProcessA (99) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
1/20/2009 3:24:12 PM Hook kernel32.dll:CreateProcessW (103) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
1/20/2009 3:24:12 PM Hook kernel32.dll:FreeLibrary (241) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
1/20/2009 3:24:12 PM Hook kernel32.dll:GetModuleFileNameA (372) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
1/20/2009 3:24:12 PM Hook kernel32.dll:GetModuleFileNameW (373) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
1/20/2009 3:24:12 PM Hook kernel32.dll:GetProcAddress (408) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryA (578) blocked
1/20/2009 3:24:12 PM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryExA (579) blocked
1/20/2009 3:24:12 PM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryExW (580) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryW (581) blocked
1/20/2009 3:24:12 PM IAT modification detected: LoadLibraryW - 01130010<>7C80AE4B
1/20/2009 3:24:12 PM Analysis: ntdll.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: user32.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: advapi32.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: ws2_32.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: wininet.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: rasapi32.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: urlmon.dll, export table found in section .text
1/20/2009 3:24:12 PM Analysis: netapi32.dll, export table found in section .text
1/20/2009 3:24:12 PM 1.2 Searching for kernel-mode API hooks
1/20/2009 3:24:12 PM Driver loaded successfully
1/20/2009 3:24:12 PM SDT found (RVA=08A500)
1/20/2009 3:24:12 PM Kernel TUKERNEL.EXE found in memory at address 804D7000
1/20/2009 3:24:12 PM SDT = 80561500
1/20/2009 3:24:12 PM KiST = 804E48B0 (284)
1/20/2009 3:24:12 PM Function NtAssignProcessToJobObject (13) intercepted (805A96D4->8A763630), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:12 PM Function NtOpenProcess (7A) intercepted (80579084->8A762A60), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:12 PM Function NtOpenThread (80) intercepted (805B1334->8A762E80), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:12 PM Function NtSuspendProcess (FD) intercepted (80635B0B->8A763460), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:12 PM Function NtSuspendThread (FE) intercepted (80635A27->8A763280), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:12 PM Function NtTerminateProcess (101) intercepted (8058C39D->8A762C90), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:12 PM Function NtTerminateThread (102) intercepted (805845F0->8A7630B0), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM >>> Hook code blocked
1/20/2009 3:24:13 PM Functions checked: 284, intercepted: 7, restored: 7
1/20/2009 3:24:13 PM 1.3 Checking IDT and SYSENTER
1/20/2009 3:24:13 PM Analysis for CPU 1
1/20/2009 3:24:13 PM Analysis for CPU 2
1/20/2009 3:24:13 PM Analysis for CPU 3
1/20/2009 3:24:13 PM Analysis for CPU 4
1/20/2009 3:24:13 PM Checking IDT and SYSENTER - complete
1/20/2009 3:24:13 PM 1.4 Searching for masking processes and drivers
1/20/2009 3:24:13 PM Checking not performed: extended monitoring driver (AVZPM) is not installed
1/20/2009 3:24:13 PM Driver loaded successfully
1/20/2009 3:24:13 PM 1.5 Checking of IRP handlers
1/20/2009 3:24:13 PM Checking - complete
1/20/2009 3:24:14 PM C:\WINDOWS\system32\wbsys.dll --> Suspicion for Keylogger or Trojan DLL
1/20/2009 3:24:14 PM C:\WINDOWS\system32\wbsys.dll>>> Behavioral analysis
1/20/2009 3:24:14 PM Behaviour typical for keyloggers not detected
1/20/2009 3:24:14 PM C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll --> Suspicion for Keylogger or Trojan DLL
1/20/2009 3:24:14 PM C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll>>> Behavioral analysis
1/20/2009 3:24:14 PM 1. Reacts to events: keyboard
1/20/2009 3:24:14 PM 2. Determines the window which has input focus
1/20/2009 3:24:14 PM C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
1/20/2009 3:24:14 PM C:\Program Files\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
1/20/2009 3:24:14 PM C:\Program Files\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis
1/20/2009 3:24:14 PM Behaviour typical for keyloggers not detected
1/20/2009 3:24:14 PM C:\Program Files\Stardock\IconPackager\iprepair.dll --> Suspicion for Keylogger or Trojan DLL
1/20/2009 3:24:14 PM C:\Program Files\Stardock\IconPackager\iprepair.dll>>> Behavioral analysis
1/20/2009 3:24:14 PM Behaviour typical for keyloggers not detected
1/20/2009 3:24:14 PM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
1/20/2009 3:24:24 PM Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll"
1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: Alerter (Alerter)
1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
1/20/2009 3:24:25 PM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
1/20/2009 3:24:25 PM >> Security: disk drives' autorun is enabled
1/20/2009 3:24:25 PM >> Security: anonymous user access is enabled
1/20/2009 3:24:28 PM >> Disable HDD autorun
1/20/2009 3:24:28 PM >> Disable autorun from network drives
1/20/2009 3:24:28 PM >> Disable CD/DVD autorun
1/20/2009 3:24:28 PM >> Disable removable media autorun
1/20/2009 3:24:29 PM System Analysis in progress
1/20/2009 3:24:54 PM System Analysis - complete
1/20/2009 3:24:54 PM Delete file:C:\Documents and Settings\LEO\Desktop\Virus Removal Tool\is-GJMMG\LOG\avptool_syscheck.htm
1/20/2009 3:24:54 PM Delete file:C:\Documents and Settings\LEO\Desktop\Virus Removal Tool\is-GJMMG\LOG\avptool_syscheck.xml
1/20/2009 3:24:54 PM Deleting service/driver: utiyodu4
1/20/2009 3:24:54 PM Delete file:C:\WINDOWS\system32\Drivers\utiyodu4.sys
1/20/2009 3:24:54 PM Deleting service/driver: ujiyodu4
1/20/2009 3:24:54 PM Script executed without errors