BleepingComputer.com: TrojanWin32.TDSS & Win32Crytor Virus Removal

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

TrojanWin32.TDSS & Win32Crytor Virus Removal Moved to AII

#1 User is offline   gosolarbg 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 4
  • Joined: 22-June 09
  • Location:Bakersfield, CA.

Posted 28 June 2009 - 09:37 PM

Hello,

Please help! I have been trying to remove virus and spyware for a week now and everytime I download and try to run different scanners the programs either won't install or won't run when they do. This goes for Malwarebytes, ATP, SAS, and Spybot. I have been able to install and run Adaware, but virus returns after reboot. AVG Free is the Anti-Virus I am running on my computer and after installing it I got a warning about Win32/Cryptor, which it couldn't remove. In the process of trying to remove that I ran the adaware scan and it returned a threat of Trojanwin32.TDSS.

I have been able to download and install Root Repeal and the Log file is below. I also attached the scan log from AVG.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/28 17:57
Program Version: Version 1.3.0.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x8E349000 Size: 40960 File Visible: No Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x8E353000 Size: 106496 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9C1B1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACipplsidfwmsrteo.sys
Image Path: C:\Windows\system32\drivers\UACipplsidfwmsrteo.sys
Address: 0x86DA1000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{709b627b-6275-11de-a985-001b24550fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8dd1e67b-5d5b-11de-9d17-001b24550fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\AppPatch\$$DeleteMe.AcGenral.dll.01c9f0de0b20e233.0008
Status: Locked to the Windows API!

Path: C:\Windows\servicing\$$DeleteMe.TrustedInstaller.exe.01c9f0de9d0c0c13.00c3
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.emdmgmt.dll.01c9f0de5d026e73.0079
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.es.dll.01c9f0de62f37d13.008c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.esent.dll.01c9f0de55ffa1b3.0066
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.locale.nls.01c9f0de71218df3.00ab
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.localspl.dll.01c9f0de655c0133.0096
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.profsvc.dll.01c9f0de5dc0dc73.007b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.propsys.dll.01c9f0de2573b6d3.002b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.NaturalLanguage6.dll.01c9f0de6b4128f3.00a4
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.ncrypt.dll.01c9f0de53aa2893.0061
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.srclient.dll.01c9f0de18aab433.001c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.srvsvc.dll.01c9f0de368d3773.0038
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.advapi32.dll.01c9f0de18cc0773.001d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.adsldpc.dll.01c9f0de37258f73.0039
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.adtschema.dll.01c9f0de5b265b73.0074
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.apphelp.dll.01c9f0de652ec713.0095
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.audiodg.exe.01c9f0de19515473.001e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.AudioSes.dll.01c9f0de58447133.006b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.audiosrv.dll.01c9f0de63446bd3.008d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.authui.dll.01c9f0de54c30ad3.0063
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.authz.dll.01c9f0de60eef2b3.0086
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.bcrypt.dll.01c9f0de1f876af3.0020
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.BFE.DLL.01c9f0de00aaf753.0002
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.bitsigd.dll.01c9f0de4a1b2313.0053
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.CertEnroll.dll.01c9f0de5ace4893.0073
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.certprop.dll.01c9f0de67381433.009e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.comdlg32.dll.01c9f0de3a9b0ef3.0040
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.comsvcs.dll.01c9f0de59cd3413.006f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.credui.dll.01c9f0de0ccd59b3.000a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.crypt32.dll.01c9f0de5c75fd53.0077
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.cryptsvc.dll.01c9f0de3db15773.0047
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.cryptui.dll.01c9f0de52640c33.005f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.cscapi.dll.01c9f0de6680ca53.009a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.dhcpcsvc.dll.01c9f0de669636b3.009b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.dhcpcsvc6.dll.01c9f0de0e704bb3.000d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.diagperf.dll.01c9f0de6f7777d3.00a9
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.dnsapi.dll.01c9f0de149a7b53.0016
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.dnsrslvr.dll.01c9f0de34355cf3.0034
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.fdSSDP.dll.01c9f0de476b35b3.004f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.fdWSD.dll.01c9f0de64ddd853.0092
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.feclient.dll.01c9f0de6a6faff3.00a2
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.fundisc.dll.01c9f0de3752c993.003b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.FWPUCLNT.DLL.01c9f0de006850d3.0001
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.FwRemoteSvr.dll.01c9f0de50b9f613.005e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.gdi32.dll.01c9f0de5c5e2f93.0076
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.gpapi.dll.01c9f0de4d871d13.0059
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.IKEEXT.DLL.01c9f0de03881ed3.0006
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.imm32.dll.01c9f0de253371b3.002a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.inetpp.dll.01c9f0de33b00ff3.0030
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.IPHLPAPI.DLL.01c9f0de367569b3.0037
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.iphlpsvc.dll.01c9f0de01ac0bd3.0004
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.IPSECSVC.DLL.01c9f0de46e125f3.004e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.kerberos.dll.01c9f0de5f1ec693.007f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.kernel32.dll.01c9f0de2516e133.0029
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mfplat.dll.01c9f0de118db853.0012
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.MMDevAPI.dll.01c9f0de6ceda073.00a5
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.modemui.dll.01c9f0de72c942b3.00ae
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mpr.dll.01c9f0de3bf8f913.0043
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mprapi.dll.01c9f0de0d33b4d3.000c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.MPSSVC.dll.01c9f0de5f82c053.0082
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mscms.dll.01c9f0de4d6cedf3.0058
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msctf.dll.01c9f0de11145233.0011
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msi.dll.01c9f0de16a16713.0018
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msiexec.exe.01c9f0de12796073.0014
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msscb.dll.01c9f0de615a1093.0087
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mssprxy.dll.01c9f0de5cbb0533.0078
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mssrch.dll.01c9f0de5d9ac673.007a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mstlsapi.dll.01c9f0de17c63033.001a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msv1_0.dll.01c9f0de588254f3.006c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msvcrt.dll.01c9f0de48d043f3.0052
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.mswsock.dll.01c9f0de4f2a0f13.005b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msxml3.dll.01c9f0de62d48b33.008b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.msxml6.dll.01c9f0de7331ff33.00af
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.netapi32.dll.01c9f0de60d724f3.0085
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.netlogon.dll.01c9f0de22fa8913.0025
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.netshell.dll.01c9f0de62481a13.0089
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.newdev.dll.01c9f0de32b15cd3.002e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.lsasrv.dll.01c9f0de02c4ee13.0005
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.NlsLexicons0009.dll.01c9f0de38e511f3.003e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.ntdll.dll.01c9f0de0185f5d3.0003
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.ntmarta.dll.01c9f0de452d8a53.004c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.ole32.dll.01c9f0de3e6b02b3.004b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.oleaut32.dll.01c9f0de341b2dd3.0033
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.onex.dll.01c9f0de10a21033.0010
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.PortableDeviceApi.dll.01c9f0de57220973.0069
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.PortableDeviceTypes.dll.01c9f0de202485b3.0021
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.powrprof.dll.01c9f0de635776d3.008e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.qmgr.dll.01c9f0de4dc500d3.005a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.Query.dll.01c9f0de4cec63b3.0056
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rasapi32.dll.01c9f0de1210a3f3.0013
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.raschap.dll.01c9f0de33cca073.0031
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rasdlg.dll.01c9f0de0cff5693.000b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rasmans.dll.01c9f0de591f6fb3.006e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rasplap.dll.01c9f0de64399973.0091
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rasppp.dll.01c9f0de3c49e7d3.0044
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rastapi.dll.01c9f0de5aa83293.0072
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rastls.dll.01c9f0de4fbda453.005d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rdpwsx.dll.01c9f0de56281913.0067
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.regapi.dll.01c9f0de150f1eb3.0017
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rpcrt4.dll.01c9f0de670f9cd3.009d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rpcss.dll.01c9f0de6277b593.008a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.rsaenh.dll.01c9f0de3afa45f3.0041
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.samlib.dll.01c9f0de4c91ef73.0055
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.samsrv.dll.01c9f0de174a68b3.0019
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.scecli.dll.01c9f0de0cba4eb3.0009
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.scesrv.dll.01c9f0de6ad3a9b3.00a3
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.schannel.dll.01c9f0de55de4e73.0064
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.schedsvc.dll.01c9f0de3dcb8693.0048
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.SearchIndexer.exe.01c9f0de5ba222f3.0075
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.secur32.dll.01c9f0de03b7ba53.0007
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.services.exe.01c9f0de22695533.0023
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.setupapi.dll.01c9f0de5e2998f3.007d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.shell32.dll.01c9f0de576bd413.006a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.shlwapi.dll.01c9f0de3e4029f3.004a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.shsvcs.dll.01c9f0de54a8dbb3.0062
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.SLC.dll.01c9f0de456dcf73.004d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.SLsvc.exe.01c9f0de35660cf3.0036
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.slwga.dll.01c9f0de4818fa13.0050
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.SmartcardCredentialProvider.dll.01c9f0de59fa6e33.0070
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.smss.exe.01c9f0de000b7b33.0000
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.spoolss.dll.01c9f0de55ec96b3.0065
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.spoolsv.exe.01c9f0de6384b0f3.008f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.spp.dll.01c9f0de6a401473.00a1
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.tapisrv.dll.01c9f0de3b9c2373.0042
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.swprv.dll.01c9f0de66219353.0098
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.sysmain.dll.01c9f0de48a0a873.0051
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.taskcomp.dll.01c9f0de63a60433.0090
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.taskeng.exe.01c9f0de58b6b333.006d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.tcpmon.dll.01c9f0de6e65b9b3.00a7
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.termsrv.dll.01c9f0de65064fb3.0093
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.tquery.dll.01c9f0de5de22fb3.007c
Status: Locked to the Windows API!

Path: C:\Windows\System32\UACdmcepdibmvupiuq.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACffterkvngncpwpq.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACkrbgeggkiekyvrt.log
Status: Invisible to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.umpnpmgr.dll.01c9f0de679e6f53.00a0
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.unimdm.tsp.01c9f0de33e46e33.0032
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.user32.dll.01c9f0de23907fb3.0026
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.userenv.dll.01c9f0de669fbc33.009c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.usp10.dll.01c9f0de33879893.002f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.uxsms.dll.01c9f0de66539033.0099
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.version.dll.01c9f0de131419d3.0015
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.vssapi.dll.01c9f0de1abd86d3.001f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.VSSVC.exe.01c9f0de6ffcc4d3.00aa
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.w32time.dll.01c9f0de60354773.0083
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wdscore.dll.01c9f0de4f4dc3b3.005c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.WebClnt.dll.01c9f0de5e6c3f73.007e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wersvc.dll.01c9f0de5a59a533.0071
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wevtapi.dll.01c9f0de0ecd2153.000f
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wevtsvc.dll.01c9f0de18823cd3.001b
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wiaservc.dll.01c9f0de6083d4d3.0084
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.win32spl.dll.01c9f0de324d6313.002d
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.WindowsCodecs.dll.01c9f0de71584d93.00ac
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.winhttp.dll.01c9f0de2485ad53.0028
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.winlogon.exe.01c9f0de66076433.0097
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.winmm.dll.01c9f0de5f57e793.0080
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.WinSCard.dll.01c9f0de4ad99113.0054
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.winspool.drv.01c9f0de61e8e313.0088
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.winsrv.dll.01c9f0de30f69d13.002c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wlanmsm.dll.01c9f0de23ed5553.0027
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wlansvc.dll.01c9f0de53925ad3.0060
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.Wldap32.dll.01c9f0de4d0692d3.0057
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wlgpclnt.dll.01c9f0de3df19c93.0049
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wscapi.dll.01c9f0de376cf8b3.003c
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.WSDApi.dll.01c9f0de3d9989b3.0046
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.WSDMon.dll.01c9f0de22968f53.0024
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.wsnmp32.dll.01c9f0de37389a73.003a
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.xolehlp.dll.01c9f0de6d0c9253.00a6
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.certcli.dll.01c9f0de3a775a53.003f
Status: Locked to the Windows API!

Path: C:\Windows\System32\UACmrjteyfhadxqxws.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACnnspqgxwoqvtmqm.db
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACoohpplfdsnvapxn.log
Status: Invisible to the Windows API!

Path: C:\Windows\System32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACtnyemspxgqcxjru.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACuiqanjbiutbakxi.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACuqmhiwkccbqhrjn.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACwtcrtyqomrqrvun.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.eappcfg.dll.01c9f0de0e9fe733.000e
Status: Locked to the Windows API!

Path: C:\Windows\System32\$$DeleteMe.eapphost.dll.01c9f0de6f02d473.00a8
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_5x9shqwm0qt0sv9
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_cfgbinafdoknx3n
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Windows\Temp\UACb6d0.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\Temp\UACbedb.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_hetsrvfdm55ruoe
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Windows\System32\en-US\$$DeleteMe.tquery.dll.mui.01c9f0de84765893.00be
Status: Locked to the Windows API!

Path: C:\Windows\System32\AdvancedInstallers\$$DeleteMe.cmiv2.dll.01c9f0de7d88f833.00bd
Status: Locked to the Windows API!

Path: C:\Windows\System32\drivers\UACipplsidfwmsrteo.sys
Status: Invisible to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.esscli.dll.01c9f0de77effc73.00b5
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.fastprox.dll.01c9f0de788ab5d3.00b7
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.NCProv.dll.01c9f0de77e676f3.00b4
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.repdrvfs.dll.01c9f0de79067d53.00ba
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.wbemcore.dll.01c9f0de7965b453.00bb
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.wbemess.dll.01c9f0de7752e1b3.00b0
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.wbemprox.dll.01c9f0de799a1293.00bc
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.wbemsvc.dll.01c9f0de78c89993.00b8
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.wmiprov.dll.01c9f0de7790c573.00b2
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.WmiPrvSD.dll.01c9f0de78ec4e33.00b9
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.WmiPrvSE.exe.01c9f0de77b47a13.00b3
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.WMIsvc.dll.01c9f0de7872e813.00b6
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\$$DeleteMe.wmiutils.dll.01c9f0de77801bd3.00b1
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d5e63e93b68.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5ca663317c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588445e3d272feb1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c1279468b7b84b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_poliProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 208 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACuqmhiwkccbqhrjn.dll]
Process: wininit.exe (PID: 576) Address: 0x00490000 Size: 49152

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: wininit.exe (PID: 576) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACuqmhiwkccbqhrjn.dll]
Process: winlogon.exe (PID: 632) Address: 0x00860000 Size: 49152

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: winlogon.exe (PID: 632) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: services.exe (PID: 676) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: lsass.exe (PID: 728) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: lsm.exe (PID: 748) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdmcepdibmvupiuq.dll]
Process: svchost.exe (PID: 1148) Address: 0x008c0000 Size: 73728

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1148) Address: 0x01160000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1148) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1292) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1408) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1656) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1656) Address: 0x015d0000 Size: 323584

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 1656) Address: 0x71c80000 Size: 1589248

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1656) Address: 0x714d0000 Size: 8192

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1656) Address: 0x74100000 Size: 163840

Object: Hidden Module [Name: schedsvc.dll]
Process: svchost.exe (PID: 1656) Address: 0x73030000 Size: 606208

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1656) Address: 0x75670000 Size: 258048

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1780) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1892) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 496) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: SLsvc.exe (PID: 788) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 920) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 1092) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: AAWService.exe (PID: 1600) Address: 0x002e0000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: WLANExt.exe (PID: 1612) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: spoolsv.exe (PID: 368) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 780) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: avgwdsvc.exe (PID: 1880) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 704) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: LSSrvc.exe (PID: 1328) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 668) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: avgrsx.exe (PID: 840) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: avgnsx.exe (PID: 988) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 2092) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 2368) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 2444) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: VongoService.exe (PID: 2580) Address: 0x00510000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 3104) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: SearchIndexer.exe (PID: 3208) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: xaudio.exe (PID: 3320) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: hpqwmiex.exe (PID: 3416) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: unsecapp.exe (PID: 3744) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: wmiprvse.exe (PID: 3940) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: taskeng.exe (PID: 3232) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: Dwm.exe (PID: 3800) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: Explorer.EXE (PID: 4012) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: taskeng.exe (PID: 3140) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: SynTPEnh.exe (PID: 2620) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: jusched.exe (PID: 3728) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: avgtray.exe (PID: 3112) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: Admin.exe (PID: 1736) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: AAWTray.exe (PID: 3380) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: wmpnscfg.exe (PID: 2776) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: wmpnetwk.exe (PID: 2472) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: HP.ActiveSupportLibrary.dll]
Process: hphc_service.exe (PID: 2296) Address: 0x01400000 Size: 110592

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: hphc_service.exe (PID: 2296) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: svchost.exe (PID: 3848) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: avgcsrvx.exe (PID: 3184) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: iexplore.exe (PID: 2792) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: iexplore.exe (PID: 288) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: iexplore.exe (PID: 4104) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: FlashUtil10b.exe (PID: 5176) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: RootRepeal.exe (PID: 4816) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll]
Process: logon.scr (PID: 4480) Address: 0x10000000 Size: 40960

Object: Hidden Code [ETHREAD: 0x83ec07c8]
Process: System Address: 0x87669ba8 Size: 1113

Object: Hidden Code [ETHREAD: 0x83f03580]
Process: System Address: 0x83f03774 Size: 897

Object: Hidden Code [ETHREAD: 0x83f032d8]
Process: System Address: 0x946ec958 Size: 520

Object: Hidden Code [ETHREAD: 0x83f04020]
Process: System Address: 0x99c819d0 Size: 1305

Object: Hidden Code [ETHREAD: 0x83f04d78]
Process: System Address: 0x8db73ca0 Size: 105

Object: Hidden Code [ETHREAD: 0x83f04ad0]
Process: System Address: 0x9460f728 Size: 2264

Hidden Services
-------------------
Service Name: SKYNETopngrsxk
Image Path: C:\Windows\system32\drivers\SKYNETvcwgrnyv.sys

Service Name: UACd.sys
Image Path: C:\Windows\system32\drivers\UACipplsidfwmsrteo.sys

==EOF==

Here is the Log File from the AVG scan I ran.

Scan "Scan whole computer" was finished.
Infections;"8";"7";"1"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Wednesday, June 17, 2009, 3:09:03 AM"
Scan finished:;"Wednesday, June 17, 2009, 5:47:31 AM (2 hour(s) 38 minute(s) 27 second(s))"
Total object scanned:;"1058490"
User who launched the scan:;"Gabe"

Infections
File;"Infection";"Result"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Antiphishing Component Update 8;"Trojan horse Adload_r.JY";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Antiphishing Component Update 8:\$IK\$KC;"Trojan horse Adload_r.JY";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3W5KWT1E\orInThose[1].pdf;"Virus identified Exploit.PDF";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5CA4T8HZ\get[1].php;"Trojan horse Downloader.Zlob_r.FT";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5CA4T8HZ\get[1].php:\$IL;"Trojan horse Downloader.Zlob_r.FT";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Temp\Temp1_Spector Pro 6.0 Retail inc Serial and eBlaster - Bunty.zip\Install_Full.exe;"Trojan horse Agent.AOMA";"Moved to Virus Vault"
C:\Windows\System32\SKYNETchiplxff.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Windows\System32\SKYNETjlkfyqxh.dll;"Virus identified Packed.Rolex";"Moved to Virus Vault"

Any assistance would be greatly appreciated

Thanks,

GoSolarBG

This post has been edited by garmanma: 28 June 2009 - 09:47 PM

#2 User is offline   quietman7 

  • Bleepin' Janitor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 25,108
  • Joined: 09-July 05
  • Location:Virginia, USA

Posted 29 June 2009 - 09:24 AM

Double-click on RootRepeal.exe to launch it.
  • Click the Drivers tab, then click the Scan button.
  • Right-click on SKYNETvcwgrnyv.sys and UACipplsidfwmsrteo.sys, then click the Wipe File option only.
  • Click on the Files tab, then click the Scan button.
  • In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Use your mouse to highlight the following files:
    C:\Windows\system32\drivers\SKYNETvcwgrnyv.sys
C:\Windows\System32\drivers\UACipplsidfwmsrteo.sys
C:\Windows\System32\UACmrjteyfhadxqxws.dll
C:\Windows\System32\UACnnspqgxwoqvtmqm.db
C:\Windows\System32\UACoohpplfdsnvapxn.log
C:\Windows\System32\uactmp.db
C:\Windows\System32\UACtnyemspxgqcxjru.dat
C:\Windows\System32\UACuiqanjbiutbakxi.dll
C:\Windows\System32\UACuqmhiwkccbqhrjn.dll
C:\Windows\System32\UACwtcrtyqomrqrvun.dll
C:\Windows\Temp\UACb6d0.tmp
C:\Windows\Temp\UACbedb.tmp

  • Right-click on those files and then click the Wipe File option only.
  • Exit RootRepeal and immediately restart the computer.
.

Then try to download, install and scan with Malwarebytes Anti-Malware (v1.38)
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Microsoft MVP - Consumer Security 2007-2012 Posted Image
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 User is offline   gosolarbg 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 4
  • Joined: 22-June 09
  • Location:Bakersfield, CA.

Posted 29 June 2009 - 10:20 AM

Morning,

Just got your post and will be starting process right now. Wish me luck!

Thanks a Ton and I'll let you know how it goes.

Best,

GoSolarBG

#4 User is offline   gosolarbg 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 4
  • Joined: 22-June 09
  • Location:Bakersfield, CA.

Posted 29 June 2009 - 10:56 AM

QuietMan7-

I ran rootrepeal and 2 of the files did not show up in Scan and I didn't remove.

C:\Windows\system32\drivers\SKYNETvcwgrnyv.sys
C:\Windows\Temp\UACb6d0.tmp


Restarting now should I run Rootrepeal again? And should I change the name of malwarebytes when I install it?

Thanks,

GoSolarBG

#5 User is offline   quietman7 

  • Bleepin' Janitor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 25,108
  • Joined: 09-July 05
  • Location:Virginia, USA

Posted 29 June 2009 - 11:05 AM

Only change the name if you have a problem getting MBAM to install.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
Microsoft MVP - Consumer Security 2007-2012 Posted Image
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 User is offline   gosolarbg 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 4
  • Joined: 22-June 09
  • Location:Bakersfield, CA.

Posted 29 June 2009 - 03:17 PM

Quietman7,

After spending hours and hours on my own for whats been more then a week now trying to get my computer halfway back to normal following your instructions this morning appears to be working absolute wonders and I wasn't sure I would ever get things back to normal. Well thanks alot again and while I can't give much you be getting a donation from me before we are done.

Well here is the log file I saved being performing the removal process in Malwarebytes, which downloaded, installed, and ran with absolutely no problems! After the removal I got a message saving I needed to restart and that a log file had been saved. However I have been unable to locate any log file generated after removing the threats.


Malwarebytes' Anti-Malware 1.38
Database version: 2352
Windows 6.0.6001 Service Pack 1

6/29/2009 12:01:37 PM
mbam-log-2009-06-29.txt

Scan type: Quick Scan
Objects scanned: 96467
Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\UACdmcepdibmvupiuq.dll (Trojan.TDSS) -> No action taken.
c:\Windows\System32\UACffterkvngncpwpq.dll (Trojan.TDSS) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC168c.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC1ed5.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC21d2.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC31c9.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC3f8f.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UACba88.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Admin\Admin.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\uacinit.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACmrjteyfhadxqxws.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACuiqanjbiutbakxi.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACuqmhiwkccbqhrjn.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACwtcrtyqomrqrvun.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\drivers\SKYNETvcwgrnyv.sys (Trojan.Agent) -> No action taken.
c:\Windows\System32\drivers\UACipplsidfwmsrteo.sys (Trojan.Agent) -> No action taken.


Well thanks for the help just getting this far has made my day.

Best,

GoSolarBG

#7 User is offline   quietman7 

  • Bleepin' Janitor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 25,108
  • Joined: 09-July 05
  • Location:Virginia, USA

Posted 30 June 2009 - 08:25 AM

That's good news.

There are no shortcuts or guarantees when it comes to malware removal, especially when dealing with rootkits. Sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.

  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs
Microsoft MVP - Consumer Security 2007-2012 Posted Image
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users