Jun 28 2009, 09:37 PM, Post #1

New Member. Group: Members. Posts: 4. Joined: 22-June 09. From: Bakersfield, CA. Member No.: 344,448
Please help! I have been trying to remove a virus and spyware for a week now, and every time I download and try to run different scanners, the programs either won't install or won't run when they do. This goes for Malwarebytes, ATP, SAS, and Spybot. I have been able to install and run Adaware, but the virus returns after reboot. AVG Free is the anti-virus I am running on my computer, and after installing it I got a warning about Win32/Cryptor, which it couldn't remove. In the process of trying to remove that I ran the Adaware scan and it returned a threat of Trojanwin32.TDSS. I have been able to download and install Root Repeal and the log file is below. I also attached the scan log from AVG.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/28 17:57
Program Version: Version 1.3.0.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x8E349000
Size: 40960
File Visible: No
Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x8E353000
Size: 106496
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9C1B1000
Size: 49152
File Visible: No
Signed: -
Status: -

Name: UACipplsidfwmsrteo.sys
Image Path: C:\Windows\system32\drivers\UACipplsidfwmsrteo.sys
Address: 0x86DA1000
Size: 81920
File Visible: -
Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{709b627b-6275-11de-a985-001b24550fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{8dd1e67b-5d5b-11de-9d17-001b24550fe7}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\Windows\AppPatch\$$DeleteMe.AcGenral.dll.01c9f0de0b20e233.0008 Status: Locked to the Windows API! Path: C:\Windows\servicing\$$DeleteMe.TrustedInstaller.exe.01c9f0de9d0c0c13.00c3 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.emdmgmt.dll.01c9f0de5d026e73.0079 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.es.dll.01c9f0de62f37d13.008c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.esent.dll.01c9f0de55ffa1b3.0066 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.locale.nls.01c9f0de71218df3.00ab Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.localspl.dll.01c9f0de655c0133.0096 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.profsvc.dll.01c9f0de5dc0dc73.007b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.propsys.dll.01c9f0de2573b6d3.002b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.NaturalLanguage6.dll.01c9f0de6b4128f3.00a4 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.ncrypt.dll.01c9f0de53aa2893.0061 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.srclient.dll.01c9f0de18aab433.001c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.srvsvc.dll.01c9f0de368d3773.0038 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.advapi32.dll.01c9f0de18cc0773.001d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.adsldpc.dll.01c9f0de37258f73.0039 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.adtschema.dll.01c9f0de5b265b73.0074 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.apphelp.dll.01c9f0de652ec713.0095 Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.audiodg.exe.01c9f0de19515473.001e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.AudioSes.dll.01c9f0de58447133.006b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.audiosrv.dll.01c9f0de63446bd3.008d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.authui.dll.01c9f0de54c30ad3.0063 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.authz.dll.01c9f0de60eef2b3.0086 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.bcrypt.dll.01c9f0de1f876af3.0020 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.BFE.DLL.01c9f0de00aaf753.0002 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.bitsigd.dll.01c9f0de4a1b2313.0053 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.CertEnroll.dll.01c9f0de5ace4893.0073 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.certprop.dll.01c9f0de67381433.009e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.comdlg32.dll.01c9f0de3a9b0ef3.0040 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.comsvcs.dll.01c9f0de59cd3413.006f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.credui.dll.01c9f0de0ccd59b3.000a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.crypt32.dll.01c9f0de5c75fd53.0077 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.cryptsvc.dll.01c9f0de3db15773.0047 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.cryptui.dll.01c9f0de52640c33.005f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.cscapi.dll.01c9f0de6680ca53.009a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.dhcpcsvc.dll.01c9f0de669636b3.009b Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.dhcpcsvc6.dll.01c9f0de0e704bb3.000d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.diagperf.dll.01c9f0de6f7777d3.00a9 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.dnsapi.dll.01c9f0de149a7b53.0016 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.dnsrslvr.dll.01c9f0de34355cf3.0034 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.fdSSDP.dll.01c9f0de476b35b3.004f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.fdWSD.dll.01c9f0de64ddd853.0092 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.feclient.dll.01c9f0de6a6faff3.00a2 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.fundisc.dll.01c9f0de3752c993.003b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.FWPUCLNT.DLL.01c9f0de006850d3.0001 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.FwRemoteSvr.dll.01c9f0de50b9f613.005e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.gdi32.dll.01c9f0de5c5e2f93.0076 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.gpapi.dll.01c9f0de4d871d13.0059 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.IKEEXT.DLL.01c9f0de03881ed3.0006 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.imm32.dll.01c9f0de253371b3.002a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.inetpp.dll.01c9f0de33b00ff3.0030 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.IPHLPAPI.DLL.01c9f0de367569b3.0037 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.iphlpsvc.dll.01c9f0de01ac0bd3.0004 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.IPSECSVC.DLL.01c9f0de46e125f3.004e Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.kerberos.dll.01c9f0de5f1ec693.007f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.kernel32.dll.01c9f0de2516e133.0029 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mfplat.dll.01c9f0de118db853.0012 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.MMDevAPI.dll.01c9f0de6ceda073.00a5 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.modemui.dll.01c9f0de72c942b3.00ae Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mpr.dll.01c9f0de3bf8f913.0043 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mprapi.dll.01c9f0de0d33b4d3.000c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.MPSSVC.dll.01c9f0de5f82c053.0082 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mscms.dll.01c9f0de4d6cedf3.0058 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msctf.dll.01c9f0de11145233.0011 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msi.dll.01c9f0de16a16713.0018 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msiexec.exe.01c9f0de12796073.0014 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msscb.dll.01c9f0de615a1093.0087 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mssprxy.dll.01c9f0de5cbb0533.0078 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mssrch.dll.01c9f0de5d9ac673.007a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mstlsapi.dll.01c9f0de17c63033.001a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msv1_0.dll.01c9f0de588254f3.006c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msvcrt.dll.01c9f0de48d043f3.0052 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.mswsock.dll.01c9f0de4f2a0f13.005b Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.msxml3.dll.01c9f0de62d48b33.008b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.msxml6.dll.01c9f0de7331ff33.00af Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.netapi32.dll.01c9f0de60d724f3.0085 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.netlogon.dll.01c9f0de22fa8913.0025 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.netshell.dll.01c9f0de62481a13.0089 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.newdev.dll.01c9f0de32b15cd3.002e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.lsasrv.dll.01c9f0de02c4ee13.0005 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.NlsLexicons0009.dll.01c9f0de38e511f3.003e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.ntdll.dll.01c9f0de0185f5d3.0003 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.ntmarta.dll.01c9f0de452d8a53.004c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.ole32.dll.01c9f0de3e6b02b3.004b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.oleaut32.dll.01c9f0de341b2dd3.0033 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.onex.dll.01c9f0de10a21033.0010 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.PortableDeviceApi.dll.01c9f0de57220973.0069 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.PortableDeviceTypes.dll.01c9f0de202485b3.0021 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.powrprof.dll.01c9f0de635776d3.008e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.qmgr.dll.01c9f0de4dc500d3.005a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.Query.dll.01c9f0de4cec63b3.0056 Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.rasapi32.dll.01c9f0de1210a3f3.0013 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.raschap.dll.01c9f0de33cca073.0031 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rasdlg.dll.01c9f0de0cff5693.000b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rasmans.dll.01c9f0de591f6fb3.006e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rasplap.dll.01c9f0de64399973.0091 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rasppp.dll.01c9f0de3c49e7d3.0044 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rastapi.dll.01c9f0de5aa83293.0072 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rastls.dll.01c9f0de4fbda453.005d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rdpwsx.dll.01c9f0de56281913.0067 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.regapi.dll.01c9f0de150f1eb3.0017 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rpcrt4.dll.01c9f0de670f9cd3.009d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rpcss.dll.01c9f0de6277b593.008a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.rsaenh.dll.01c9f0de3afa45f3.0041 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.samlib.dll.01c9f0de4c91ef73.0055 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.samsrv.dll.01c9f0de174a68b3.0019 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.scecli.dll.01c9f0de0cba4eb3.0009 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.scesrv.dll.01c9f0de6ad3a9b3.00a3 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.schannel.dll.01c9f0de55de4e73.0064 Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.schedsvc.dll.01c9f0de3dcb8693.0048 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.SearchIndexer.exe.01c9f0de5ba222f3.0075 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.secur32.dll.01c9f0de03b7ba53.0007 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.services.exe.01c9f0de22695533.0023 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.setupapi.dll.01c9f0de5e2998f3.007d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.shell32.dll.01c9f0de576bd413.006a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.shlwapi.dll.01c9f0de3e4029f3.004a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.shsvcs.dll.01c9f0de54a8dbb3.0062 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.SLC.dll.01c9f0de456dcf73.004d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.SLsvc.exe.01c9f0de35660cf3.0036 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.slwga.dll.01c9f0de4818fa13.0050 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.SmartcardCredentialProvider.dll.01c9f0de59fa6e33.0070 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.smss.exe.01c9f0de000b7b33.0000 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.spoolss.dll.01c9f0de55ec96b3.0065 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.spoolsv.exe.01c9f0de6384b0f3.008f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.spp.dll.01c9f0de6a401473.00a1 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.tapisrv.dll.01c9f0de3b9c2373.0042 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.swprv.dll.01c9f0de66219353.0098 Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.sysmain.dll.01c9f0de48a0a873.0051 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.taskcomp.dll.01c9f0de63a60433.0090 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.taskeng.exe.01c9f0de58b6b333.006d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.tcpmon.dll.01c9f0de6e65b9b3.00a7 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.termsrv.dll.01c9f0de65064fb3.0093 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.tquery.dll.01c9f0de5de22fb3.007c Status: Locked to the Windows API! Path: C:\Windows\System32\UACdmcepdibmvupiuq.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\UACffterkvngncpwpq.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\uacinit.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\UACkrbgeggkiekyvrt.log Status: Invisible to the Windows API! Path: C:\Windows\System32\$$DeleteMe.umpnpmgr.dll.01c9f0de679e6f53.00a0 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.unimdm.tsp.01c9f0de33e46e33.0032 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.user32.dll.01c9f0de23907fb3.0026 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.userenv.dll.01c9f0de669fbc33.009c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.usp10.dll.01c9f0de33879893.002f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.uxsms.dll.01c9f0de66539033.0099 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.version.dll.01c9f0de131419d3.0015 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.vssapi.dll.01c9f0de1abd86d3.001f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.VSSVC.exe.01c9f0de6ffcc4d3.00aa Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.w32time.dll.01c9f0de60354773.0083 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wdscore.dll.01c9f0de4f4dc3b3.005c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.WebClnt.dll.01c9f0de5e6c3f73.007e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wersvc.dll.01c9f0de5a59a533.0071 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wevtapi.dll.01c9f0de0ecd2153.000f Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wevtsvc.dll.01c9f0de18823cd3.001b Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wiaservc.dll.01c9f0de6083d4d3.0084 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.win32spl.dll.01c9f0de324d6313.002d Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.WindowsCodecs.dll.01c9f0de71584d93.00ac Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.winhttp.dll.01c9f0de2485ad53.0028 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.winlogon.exe.01c9f0de66076433.0097 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.winmm.dll.01c9f0de5f57e793.0080 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.WinSCard.dll.01c9f0de4ad99113.0054 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.winspool.drv.01c9f0de61e8e313.0088 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.winsrv.dll.01c9f0de30f69d13.002c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wlanmsm.dll.01c9f0de23ed5553.0027 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wlansvc.dll.01c9f0de53925ad3.0060 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.Wldap32.dll.01c9f0de4d0692d3.0057 Status: Locked to the Windows API! 
Path: C:\Windows\System32\$$DeleteMe.wlgpclnt.dll.01c9f0de3df19c93.0049 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wscapi.dll.01c9f0de376cf8b3.003c Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.WSDApi.dll.01c9f0de3d9989b3.0046 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.WSDMon.dll.01c9f0de22968f53.0024 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.wsnmp32.dll.01c9f0de37389a73.003a Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.xolehlp.dll.01c9f0de6d0c9253.00a6 Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.certcli.dll.01c9f0de3a775a53.003f Status: Locked to the Windows API! Path: C:\Windows\System32\UACmrjteyfhadxqxws.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\UACnnspqgxwoqvtmqm.db Status: Invisible to the Windows API! Path: C:\Windows\System32\UACoohpplfdsnvapxn.log Status: Invisible to the Windows API! Path: C:\Windows\System32\uactmp.db Status: Invisible to the Windows API! Path: C:\Windows\System32\UACtnyemspxgqcxjru.dat Status: Invisible to the Windows API! Path: C:\Windows\System32\UACuiqanjbiutbakxi.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\UACuqmhiwkccbqhrjn.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\UACwtcrtyqomrqrvun.dll Status: Invisible to the Windows API! Path: C:\Windows\System32\$$DeleteMe.eappcfg.dll.01c9f0de0e9fe733.000e Status: Locked to the Windows API! Path: C:\Windows\System32\$$DeleteMe.eapphost.dll.01c9f0de6f02d473.00a8 Status: Locked to the Windows API! Path: c:\windows\temp\sqlite_5x9shqwm0qt0sv9 Status: Allocation size mismatch (API: 4096, Raw: 0) Path: c:\windows\temp\sqlite_cfgbinafdoknx3n Status: Allocation size mismatch (API: 4096, Raw: 0) Path: C:\Windows\Temp\UACb6d0.tmp Status: Invisible to the Windows API! Path: C:\Windows\Temp\UACbedb.tmp Status: Invisible to the Windows API! 
Path: c:\windows\temp\sqlite_hetsrvfdm55ruoe Status: Allocation size mismatch (API: 4096, Raw: 0) Path: C:\Windows\System32\en-US\$$DeleteMe.tquery.dll.mui.01c9f0de84765893.00be Status: Locked to the Windows API! Path: C:\Windows\System32\AdvancedInstallers\$$DeleteMe.cmiv2.dll.01c9f0de7d88f833.00bd Status: Locked to the Windows API! Path: C:\Windows\System32\drivers\UACipplsidfwmsrteo.sys Status: Invisible to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.esscli.dll.01c9f0de77effc73.00b5 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.fastprox.dll.01c9f0de788ab5d3.00b7 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.NCProv.dll.01c9f0de77e676f3.00b4 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.repdrvfs.dll.01c9f0de79067d53.00ba Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.wbemcore.dll.01c9f0de7965b453.00bb Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.wbemess.dll.01c9f0de7752e1b3.00b0 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.wbemprox.dll.01c9f0de799a1293.00bc Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.wbemsvc.dll.01c9f0de78c89993.00b8 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.wmiprov.dll.01c9f0de7790c573.00b2 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.WmiPrvSD.dll.01c9f0de78ec4e33.00b9 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.WmiPrvSE.exe.01c9f0de77b47a13.00b3 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.WMIsvc.dll.01c9f0de7872e813.00b6 Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\$$DeleteMe.wmiutils.dll.01c9f0de77801bd3.00b1 Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e 58.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.c at Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b 5d18a9128.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.c at Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003 bc63e949f6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365 .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d 5e63e93b68.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d 131.cat Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_ab ac38a907ee8801.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e2 0e9863b4.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5 ca663317c4.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c 0566bec5b24.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949 b06671d08ae.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa692 0e9f98fc.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8 cc63a6e4c2a3.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f3 9.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d21850 4d2.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a 620671dde41.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cd a6db.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f2 1d3d46d84.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.c at Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053 e8c6967ba9d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df5 6e60dc5df.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8d d7dea5d5a7a18a.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f 59bf601aa775.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588 445e3d272feb1.cat Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc 0ea08098.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c127 9468b7b84b.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0e bd6590e0b.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8 .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_poliProcesses ------------------- Path: System PID: 4 Status: Locked to the Windows API! Path: C:\Windows\System32\audiodg.exe PID: 208 Status: Locked to the Windows API! 
Stealth Objects
-------------------
Object: Hidden Module [Name: UACuqmhiwkccbqhrjn.dll] Process: wininit.exe (PID: 576) Address: 0x00490000 Size: 49152
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: wininit.exe (PID: 576) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACuqmhiwkccbqhrjn.dll] Process: winlogon.exe (PID: 632) Address: 0x00860000 Size: 49152
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: winlogon.exe (PID: 632) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: services.exe (PID: 676) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: lsass.exe (PID: 728) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: lsm.exe (PID: 748) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACdmcepdibmvupiuq.dll] Process: svchost.exe (PID: 1148) Address: 0x008c0000 Size: 73728
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1148) Address: 0x01160000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1148) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1292) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1408) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1656) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: winlogon.exe] Process: svchost.exe (PID: 1656) Address: 0x015d0000 Size: 323584
Object: Hidden Module [Name: tquery.dll] Process: svchost.exe (PID: 1656) Address: 0x71c80000 Size: 1589248
Object: Hidden Module [Name: WinMgmtR.dll] Process: svchost.exe (PID: 1656) Address: 0x714d0000 Size: 8192
Object: Hidden Module [Name: profsvc.dll] Process: svchost.exe (PID: 1656) Address: 0x74100000 Size: 163840
Object: Hidden Module [Name: schedsvc.dll] Process: svchost.exe (PID: 1656) Address: 0x73030000 Size: 606208
Object: Hidden Module [Name: wevtapi.dll] Process: svchost.exe (PID: 1656) Address: 0x75670000 Size: 258048
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1780) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1892) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 496) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: SLsvc.exe (PID: 788) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 920) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1092) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: AAWService.exe (PID: 1600) Address: 0x002e0000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: WLANExt.exe (PID: 1612) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: spoolsv.exe (PID: 368) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 780) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: avgwdsvc.exe (PID: 1880) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 704) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: LSSrvc.exe (PID: 1328) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 668) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: avgrsx.exe (PID: 840) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: avgnsx.exe (PID: 988) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 2092) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 2368) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 2444) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: VongoService.exe (PID: 2580) Address: 0x00510000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 3104) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: SearchIndexer.exe (PID: 3208) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: xaudio.exe (PID: 3320) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: hpqwmiex.exe (PID: 3416) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: unsecapp.exe (PID: 3744) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: wmiprvse.exe (PID: 3940) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: taskeng.exe (PID: 3232) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: Dwm.exe (PID: 3800) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: Explorer.EXE (PID: 4012) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: taskeng.exe (PID: 3140) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: SynTPEnh.exe (PID: 2620) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: jusched.exe (PID: 3728) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: avgtray.exe (PID: 3112) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: Admin.exe (PID: 1736) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: AAWTray.exe (PID: 3380) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: wmpnscfg.exe (PID: 2776) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: wmpnetwk.exe (PID: 2472) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: HP.ActiveSupportLibrary.dll] Process: hphc_service.exe (PID: 2296) Address: 0x01400000 Size: 110592
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: hphc_service.exe (PID: 2296) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 3848) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: avgcsrvx.exe (PID: 3184) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: iexplore.exe (PID: 2792) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: iexplore.exe (PID: 288) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: iexplore.exe (PID: 4104) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: FlashUtil10b.exe (PID: 5176) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: RootRepeal.exe (PID: 4816) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: logon.scr (PID: 4480) Address: 0x10000000 Size: 40960
Object: Hidden Code [ETHREAD: 0x83ec07c8] Process: System Address: 0x87669ba8 Size: 1113
Object: Hidden Code [ETHREAD: 0x83f03580] Process: System Address: 0x83f03774 Size: 897
Object: Hidden Code [ETHREAD: 0x83f032d8] Process: System Address: 0x946ec958 Size: 520
Object: Hidden Code [ETHREAD: 0x83f04020] Process: System Address: 0x99c819d0 Size: 1305
Object: Hidden Code [ETHREAD: 0x83f04d78] Process: System Address: 0x8db73ca0 Size: 105
Object: Hidden Code [ETHREAD: 0x83f04ad0] Process: System Address: 0x9460f728 Size: 2264

Hidden Services
-------------------
Service Name: SKYNETopngrsxk Image Path: C:\Windows\system32\drivers\SKYNETvcwgrnyv.sys
Service Name: UACd.sys Image Path: C:\Windows\system32\drivers\UACipplsidfwmsrteo.sys

==EOF==

Here is the Log File from the AVG scan I ran.

Scan "Scan whole computer" was finished.
Infections;"8";"7";"1"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Wednesday, June 17, 2009, 3:09:03 AM"
Scan finished:;"Wednesday, June 17, 2009, 5:47:31 AM (2 hour(s) 38 minute(s) 27 second(s))"
Total object scanned:;"1058490"
User who launched the scan:;"Gabe"

Infections
File;"Infection";"Result"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Antiphishing Component Update 8;"Trojan horse Adload_r.JY";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Antiphishing Component Update 8:\$IK\$KC;"Trojan horse Adload_r.JY";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3W5KWT1E\orInThose[1].pdf;"Virus identified Exploit.PDF";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5CA4T8HZ\get[1].php;"Trojan horse Downloader.Zlob_r.FT";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5CA4T8HZ\get[1].php:\$IL;"Trojan horse Downloader.Zlob_r.FT";"Moved to Virus Vault"
C:\Users\Gabe\AppData\Local\Temp\Temp1_Spector Pro 6.0 Retail inc Serial and eBlaster - Bunty.zip\Install_Full.exe;"Trojan horse Agent.AOMA";"Moved to Virus Vault"
C:\Windows\System32\SKYNETchiplxff.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Windows\System32\SKYNETjlkfyqxh.dll;"Virus identified Packed.Rolex";"Moved to Virus Vault"

Any assistance would be greatly appreciated.
Thanks, GoSolarBG

This post has been edited by garmanma: Jun 28 2009, 09:47 PM
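The RootRepeal log above is easier to read once it is aggregated: the same hidden DLL (UACmrjteyfhadxqxws.dll) is mapped at the same base address into wininit, winlogon, lsass, services, every svchost and even the scanner itself, which is a system-wide injector rather than one compromised program, while the single "hidden" entries such as tquery.dll are just modules the tool failed to resolve in one host. The script below is an added example, not part of the original thread or of RootRepeal; it parses the Object/Process/Address/Size records and the Hidden Services records from a constructed sample that reuses the names and PIDs posted above, and the threshold of five distinct processes is an assumption chosen for the example.

```python
"""Triage a RootRepeal 'Stealth Objects' / 'Hidden Services' log (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the log posted in this thread (a subset of its
# entries; module names, PIDs, addresses and service paths are copied from it).
SAMPLE_LOG = r"""
Stealth Objects
-------------------
Object: Hidden Module [Name: UACuqmhiwkccbqhrjn.dll] Process: wininit.exe (PID: 576) Address: 0x00490000 Size: 49152
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: wininit.exe (PID: 576) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: winlogon.exe (PID: 632) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: services.exe (PID: 676) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: lsass.exe (PID: 728) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: svchost.exe (PID: 1148) Address: 0x10000000 Size: 40960
Object: Hidden Module [Name: tquery.dll] Process: svchost.exe (PID: 1656) Address: 0x71c80000 Size: 1589248
Object: Hidden Module [Name: UACmrjteyfhadxqxws.dll] Process: Explorer.EXE (PID: 4012) Address: 0x10000000 Size: 40960
Object: Hidden Code [ETHREAD: 0x83ec07c8] Process: System Address: 0x87669ba8 Size: 1113
Hidden Services
-------------------
Service Name: SKYNETopngrsxk Image Path: C:\Windows\system32\drivers\SKYNETvcwgrnyv.sys
Service Name: UACd.sys Image Path: C:\Windows\system32\drivers\UACipplsidfwmsrteo.sys
==EOF==
"""

# The patterns run over the whole text, not line by line, so they work on the
# tool's multi-line output and on a log flattened onto one line by a forum post.
MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\s+"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)\s+"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)"
)
CODE_RE = re.compile(
    r"Object: Hidden Code \[ETHREAD: (?P<thread>0x[0-9A-Fa-f]+)\]\s+"
    r"Process: (?P<proc>\S+)\s+Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)"
)
# Simplification: driver paths under system32\drivers contain no spaces.
SERVICE_RE = re.compile(r"Service Name: (?P<name>\S+)\s+Image Path: (?P<path>\S+)")


def parse_rootrepeal(text):
    """Return (modules, code, services) as lists of dicts parsed from the log."""
    modules = [
        {"name": m["name"], "process": m["proc"], "pid": int(m["pid"]),
         "address": int(m["addr"], 16), "size": int(m["size"])}
        for m in MODULE_RE.finditer(text)
    ]
    code = [
        {"thread": int(m["thread"], 16), "process": m["proc"],
         "address": int(m["addr"], 16), "size": int(m["size"])}
        for m in CODE_RE.finditer(text)
    ]
    services = [{"name": m["name"], "path": m["path"]} for m in SERVICE_RE.finditer(text)]
    return modules, code, services


def injection_summary(modules):
    """Group hidden modules by name: distinct (process, pid) pairs, bases and sizes."""
    by_name = defaultdict(lambda: {"processes": set(), "addresses": set(), "sizes": set()})
    for m in modules:
        entry = by_name[m["name"]]
        entry["processes"].add((m["process"], m["pid"]))
        entry["addresses"].add(m["address"])
        entry["sizes"].add(m["size"])
    return by_name


def flag_systemwide_injection(modules, min_processes=5):
    """(name, process count) for hidden modules present in >= min_processes processes.

    min_processes is an assumed threshold for this example. A module RootRepeal
    merely failed to resolve shows up in one host; an injector lands in the
    core system processes and every svchost. Sorted widest first.
    """
    summary = injection_summary(modules)
    flagged = [(name, len(info["processes"]))
               for name, info in summary.items()
               if len(info["processes"]) >= min_processes]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def hidden_service_drivers(services):
    """Sorted basenames of the driver images behind hidden services."""
    return sorted(s["path"].rsplit("\\", 1)[-1] for s in services)


if __name__ == "__main__":
    mods, code, svcs = parse_rootrepeal(SAMPLE_LOG)
    print(f"{len(mods)} hidden modules, {len(code)} hidden code regions, {len(svcs)} hidden services")
    for name, count in flag_systemwide_injection(mods):
        print(f"  system-wide injection: {name} in {count} processes")
    for drv in hidden_service_drivers(svcs):
        print(f"  hidden service driver: {drv}")
```

Run against the full log, the summary pairs the user-mode DLL injected everywhere with the two hidden services and their driver images, which is the combination the later Malwarebytes log in this thread confirms (Rootkit.Trace key under HKLM\SOFTWARE\UAC plus the UAC*/SKYNET* files).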
Jun 29 2009, 09:24 AM, Post #2
Bleepin' Janitor, Group: Global Moderator, Posts: 17,879, Joined: 9-July 05, From: Virginia, USA, Member No.: 26,513
Double-click on RootRepeal.exe to launch it.

Then try to download, install and scan with Malwarebytes Anti-Malware (v1.38) (alternate download link 1, alternate download link 2).

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
--------------------
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"
Microsoft MVP - Windows Security 2007-2009
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Jun 29 2009, 10:20 AM, Post #3
New Member (Member No.: 344,448)
Morning,

Just got your post and will be starting the process right now. Wish me luck! Thanks a Ton and I'll let you know how it goes.

Best, GoSolarBG
Jun 29 2009, 10:56 AM, Post #4
New Member (Member No.: 344,448)
QuietMan7-

I ran RootRepeal and 2 of the files did not show up in the scan and I didn't remove them:
C:\Windows\system32\drivers\SKYNETvcwgrnyv.sys
C:\Windows\Temp\UACb6d0.tmp

Restarting now. Should I run RootRepeal again? And should I change the name of Malwarebytes when I install it?

Thanks, GoSolarBG
Jun 29 2009, 11:05 AM, Post #5
Bleepin' Janitor (Global Moderator, Member No.: 26,513)
Only change the name if you have a problem getting MBAM to install.
Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
Jun 29 2009, 03:17 PM, Post #6
New Member (Member No.: 344,448)
Quietman7,

After spending hours and hours on my own for what's been more than a week now trying to get my computer halfway back to normal, following your instructions this morning appears to be working absolute wonders, and I wasn't sure I would ever get things back to normal. Well, thanks a lot again, and while I can't give much, you'll be getting a donation from me before we are done.

Well, here is the log file I saved before performing the removal process in Malwarebytes, which downloaded, installed, and ran with absolutely no problems! After the removal I got a message saying I needed to restart and that a log file had been saved. However I have been unable to locate any log file generated after removing the threats.

Malwarebytes' Anti-Malware 1.38
Database version: 2352
Windows 6.0.6001 Service Pack 1

6/29/2009 12:01:37 PM
mbam-log-2009-06-29.txt

Scan type: Quick Scan
Objects scanned: 96467
Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\UACdmcepdibmvupiuq.dll (Trojan.TDSS) -> No action taken.
c:\Windows\System32\UACffterkvngncpwpq.dll (Trojan.TDSS) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC168c.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC1ed5.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC21d2.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC31c9.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UAC3f8f.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Gabe\AppData\Local\Temp\UACba88.tmp (Trojan.Dropper) -> No action taken.
c:\Users\Admin\Admin.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\uacinit.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACmrjteyfhadxqxws.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACuiqanjbiutbakxi.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACuqmhiwkccbqhrjn.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\UACwtcrtyqomrqrvun.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\drivers\SKYNETvcwgrnyv.sys (Trojan.Agent) -> No action taken.
c:\Windows\System32\drivers\UACipplsidfwmsrteo.sys (Trojan.Agent) -> No action taken.

Well, thanks for the help; just getting this far has made my day.

Best, GoSolarBG
Jun 30 2009, 08:25 AM, Post #7
Bleepin' Janitor (Global Moderator, Member No.: 26,513)
That's good news.
There are no shortcuts or guarantees when it comes to malware removal, especially when dealing with rootkits. Sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs