I was right about there being a RootKit on the system. You have a variant of Trojan.Peacomm, which I added for detection by ISeeYouXP on the last update.
Download and install RegistrarLite. Make sure you select a Majorgeeks download link and not the Author's!
Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (explained further down).
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72
To take ownership of the key do the following:
* Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
* Click-on Security in the top Menu
* Select Take Ownership
* Repeat these steps for all of the registry keys given above before continuing to the next steps below.
* Now leave RegistrarLite running and continue
* Now run the fixME.reg REGISTRY PATCH below in this message.
* Tell me the results. Any error messages?
* Now in RegistrarLite click View and then Refresh
* Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
* If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below.
Registry Patch
Download the attached FixME_reg.zip to your Desktop and Unzip it. Now double click it and allow it to merge with the registry.
PART 2 - Setting Permissions for Everyone
Run the below if some of the registry keys still exist after running the above steps.
Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\Control
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset001\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72\Enum
HKEY_LOCAL_MACHINE\system\controlset001\Services\windev-1a2a-2d72
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000\LogConf
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72\0000
HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_WINDEV-1A2A-2D72
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72\Security
HKEY_LOCAL_MACHINE\system\controlset002\Services\windev-1a2a-2d72
After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:
Everyone
SYSTEM
Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one and work through the whole list. If it does not delete, boot into safe mode and repeat these exact same steps from safe mode. Reboot your PC!
Now run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\ijl11.dll
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\keylog.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\LexFiles.ulf
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\windev-1a2a-2d72.sys
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
Now boot into SAFE MODE
Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\ijl11.dll
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\keylog.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\LexFiles.ulf
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\windev-1a2a-2d72.sys
Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.
Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.
REBOOT to Normal Mode.
Attach the following logs:
HijackThis
ISeeYouXP
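The post above walks the user through the same three moves by hand, key after key: take ownership of a registry key whose DACL locks administrators out, grant full control, delete it, then queue the driver and its companion files for deletion at the next reboot. The script below is an added example written for this page; it is not the post's FixME.reg patch and not part of Registrar Lite or Pocket Killbox. It assumes an elevated PowerShell 5.1 session on a current Windows build (the post targets XP), uses the key and file paths named in the post as hypothetical targets, and grants BUILTIN\Administrators rather than Everyone, since the key is deleted in the same step and the wider grant buys nothing. The Win32 calls (OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges, MoveFileEx) are real APIs; the enabled SeTakeOwnershipPrivilege is what lets WRITE_OWNER succeed regardless of the hostile DACL, which is the part Registrar Lite's "Take Ownership" menu does for you.

```powershell
# Added example for this page (not the original poster's code or tooling). Run elevated.
Add-Type -Namespace Rk -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)] public static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool MoveFileEx(string src, string dst, uint flags);
'@

function Enable-Privilege([string]$Name) {
    # Administrators hold SeTakeOwnershipPrivilege but it is disabled in the token until enabled here.
    $tok = [IntPtr]::Zero
    if (-not [Rk.Native]::OpenProcessToken([Rk.Native]::GetCurrentProcess(), 0x28, [ref]$tok)) { throw "OpenProcessToken failed" }  # TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
    $luid = New-Object Rk.Native+LUID
    if (-not [Rk.Native]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "LookupPrivilegeValue($Name) failed" }
    $tp = New-Object Rk.Native+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 2   # SE_PRIVILEGE_ENABLED
    $ok  = [Rk.Native]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # TRUE with ERROR_NOT_ALL_ASSIGNED (1300) means "not held"
    if (-not $ok -or $err -ne 0) { throw "Could not enable $Name (Win32 error $err)" }
}

$admins = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$rw     = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

function Remove-ProtectedKey([string]$SubKey) {
    # 1. Take ownership. With SeTakeOwnershipPrivilege enabled the open for WRITE_OWNER ignores the DACL.
    $k = $hklm.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $k) { Write-Host "absent:  HKLM\$SubKey"; return }
    $sec = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sec.SetOwner($admins); $k.SetAccessControl($sec); $k.Close()
    # 2. The owner implicitly holds READ_CONTROL and WRITE_DAC, so we can now rewrite the DACL.
    $k = $hklm.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    $sec  = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, 'FullControl', 'None', 'None', 'Allow')
    $sec.AddAccessRule($rule); $k.SetAccessControl($sec); $k.Close()
    # 3. Each subkey (LogConf, Control, Security, Enum) carries its own DACL: fix and delete them first,
    #    which is why the post lists the deepest keys before their parents.
    $k = $hklm.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::FullControl)
    foreach ($child in $k.GetSubKeyNames()) { Remove-ProtectedKey "$SubKey\$child" }
    $k.Close()
    $hklm.DeleteSubKey($SubKey, $false)
    # 4. Verify, the same check the post asks for after View -> Refresh.
    if ($null -ne $hklm.OpenSubKey($SubKey)) { throw "still present: HKLM\$SubKey" }
    Write-Host "deleted: HKLM\$SubKey"
}

function Remove-OnReboot([string]$Path) {
    # Same mechanism Killbox's "Delete on Reboot" uses: MOVEFILE_DELAY_UNTIL_REBOOT (4) with a null target
    # records the delete in HKLM\...\Session Manager\PendingFileRenameOperations, which the post mentions.
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "absent:  $Path"; return $false }
    if (-not [Rk.Native]::MoveFileEx($Path, $null, 4)) { throw "MoveFileEx($Path) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    Write-Host "queued:  $Path"; return $true
}

Enable-Privilege 'SeTakeOwnershipPrivilege'
# Top-level keys from the post; subkeys are handled by the recursion. CurrentControlSet is a link to one
# of the ControlSet00N hives, so the second pass over it simply reports "absent".
foreach ($set in 'CurrentControlSet', 'ControlSet001', 'ControlSet002') {
    Remove-ProtectedKey "SYSTEM\$set\Enum\Root\LEGACY_WINDEV-1A2A-2D72"
    Remove-ProtectedKey "SYSTEM\$set\Services\windev-1a2a-2d72"
}
foreach ($f in "$env:SystemRoot\system32\windev-1a2a-2d72.sys", "$env:SystemRoot\uccspecb.sys",
               "$env:SystemRoot\system32\keylog.dll", "$env:SystemRoot\ijl11.dll") {
    [void](Remove-OnReboot $f)
}
Write-Host "Reboot to complete the file deletions."
```

Two caveats for anyone adapting this. The driver keeps its file open while loaded, which is exactly why the .sys goes through MoveFileEx rather than Remove-Item, and why the service key must be gone before the reboot that performs the delete; and because the in-memory rootkit may hook the registry APIs the script calls, a clean result here still needs the same offline confirmation the post asks for (fresh HijackThis and ISeeYouXP logs after the reboot).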