
Uacinit.dll On My Computer


9 replies to this topic

#1 beaker3

beaker3

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 18 July 2009 - 12:19 PM

Hi -

A few weeks ago I had accidentally clicked on the WinPC popup that appeared on my computer, which seemed to activate this malware on my computer. At the time I downloaded Malwarebytes and it removed a series of items. But the uacinit.dll remains on my computer. I thankfully backed up all my files offline and deleted the important ones from my computer when I first saw the infection but I didn't realize how dangerous this could be. So I re-ran Malware and the uacinit.dll is still on my pc. I'm posting the first log from Malwarebytes on June 21, then the latest one, and then the log from RootRepeal. Any help would be appreciated before I go ahead and reformat my hard drive.

June 21 MalwareBytes
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/21/2009 5:27:44 PM
mbam-log-2009-06-21 (17-27-44).txt

Scan type: Quick Scan
Objects scanned: 92149
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71848431-9c3e-4217-9f76-4772c41e44e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{71848431-9c3e-4217-9f76-4772c41e44e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{71848431-9c3e-4217-9f76-4772c41e44e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

July 18 MalwareBytes
Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 5.1.2600 Service Pack 3

7/18/2009 1:16:18 PM
mbam-log-2009-07-18 (13-16-18).txt

Scan type: Quick Scan
Objects scanned: 98607
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

July 18 RootRepeal
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/18 13:12
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDA3C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CB9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7CCD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEBED0000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UAConbofopdqbtsiobob.dll]
Process: svchost.exe (PID: 756) Address: 0x00fc0000 Address: 204800

Object: Hidden Module [Name: UAC2cd6.tmppdlagiogsbuev.dll]
Process: svchost.exe (PID: 756) Address: 0x10000000 Address: 73728

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: svchost.exe (PID: 756) Address: 0x02aa0000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: svchost.exe (PID: 756) Address: 0x02b40000 Address: 49152

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: WINWORD.EXE (PID: 7952) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: WINWORD.EXE (PID: 7952) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: new.exe (PID: 6028) Address: 0x00f80000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: new.exe (PID: 6028) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: RootRepeal.exe (PID: 9532) Address: 0x00bb0000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: RootRepeal.exe (PID: 9532) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: rundll32.exe (PID: 1248) Address: 0x00b40000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: rundll32.exe (PID: 1248) Address: 0x10000000 Address: 45056

==EOF==

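The two logs above tell one story when read together: Malwarebytes twice marks uacinit.dll as "Delete on reboot" and it is still there a month later, while RootRepeal reports that very file as "Invisible to the Windows API!" along with a hidden driver and UAC*.dll modules injected into svchost.exe, WINWORD.EXE and other processes. The following Python script is an added example, not code from the original post or from Malwarebytes or RootRepeal. It parses both log formats exactly as they appear in the thread and cross-references them: files the on-demand scanner scheduled for deletion that the rootkit scan still shows hidden on disk, hidden kernel drivers, and injected modules grouped by process. The log excerpts embedded in the script are constructed from entries posted above, trimmed to a few lines so the example runs offline; the function names (`hidden_modules`, `hidden_files`, `mbam_pending`, `triage`) are mine.

```python
import re
from collections import defaultdict

# Constructed excerpts in the exact format of the two logs posted in this thread,
# trimmed to a handful of entries so the example runs offline.
ROOTREPEAL_LOG = r"""
Stealth Objects
-------------------
Object: Hidden Module [Name: UAConbofopdqbtsiobob.dll]
Process: svchost.exe (PID: 756) Address: 0x00fc0000 Address: 204800

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: svchost.exe (PID: 756) Address: 0x02b40000 Address: 49152

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: WINWORD.EXE (PID: 7952) Address: 0x00a30000 Address: 49152

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbvqlxqubcgajhdtvm.sys
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_ou97vfdhn6wmoy5
Status: Allocation size mismatch (API: 4096, Raw: 0)

==EOF==
"""

MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# RootRepeal prints a hidden module as two lines: the module name, then the host process.
MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\n"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)"
)
# Hidden/locked file entries are a Path line followed by a Status line.
FILE_RE = re.compile(r"Path: (?P<path>.+)\nStatus: (?P<status>.+)")
# MBAM file entries: <path> (<signature>) -> <action>
MBAM_FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<sig>[^)]+)\) -> (?P<action>.+)$", re.M
)


def hidden_modules(log):
    """Map each host process to the set of module names RootRepeal found hidden in it."""
    by_proc = defaultdict(set)
    for m in MODULE_RE.finditer(log):
        by_proc[f"{m['proc']} (PID {m['pid']})"].add(m["name"])
    return dict(by_proc)


def hidden_files(log):
    """Paths RootRepeal reports as invisible to the Windows API.

    'Locked' entries (hiberfil.sys, pagefile) and 'Allocation size mismatch'
    on temp files are routine for in-use or just-deleted files, so only the
    'Invisible' status is treated as a rootkit indicator here."""
    return [m["path"] for m in FILE_RE.finditer(log)
            if m["status"].startswith("Invisible")]


def mbam_pending(log):
    """Paths MBAM could not remove immediately and scheduled for 'Delete on reboot'."""
    return [m["path"] for m in MBAM_FILE_RE.finditer(log)
            if m["action"].startswith("Delete on reboot")]


def triage(rootrepeal_log, mbam_log):
    """Cross-reference the two scans.

    A file that MBAM has already scheduled for deletion yet still shows up
    hidden from the API is being protected by an active rootkit component:
    repeating the user-mode scan will keep producing the same result."""
    invisible = {p.lower(): p for p in hidden_files(rootrepeal_log)}
    protected = [p for p in mbam_pending(mbam_log) if p.lower() in invisible]
    drivers = [p for p in invisible.values() if p.lower().endswith(".sys")]
    return {"protected": protected, "hidden_drivers": drivers,
            "injected": hidden_modules(rootrepeal_log)}


if __name__ == "__main__":
    result = triage(ROOTREPEAL_LOG, MBAM_LOG)
    for proc, mods in sorted(result["injected"].items()):
        print(f"{proc}: {', '.join(sorted(mods))}")
    print("hidden kernel drivers:", result["hidden_drivers"])
    print("scheduled for deletion but still hidden on disk:", result["protected"])
```

Run against the full logs from the thread, the script lists every process carrying a UAC*.dll, flags UACbvqlxqubcgajhdtvm.sys as the hidden kernel driver, and shows uacinit.dll as the one file MBAM keeps scheduling for deletion without effect, which is the practical reason a rootkit-specific cleanup (or a rebuild, as the poster considers) is needed rather than another quick scan.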

#2 rigel

rigel
  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:08 PM

Posted 18 July 2009 - 12:47 PM

Can you post the files section of the RootRepeal log? Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 beaker3

beaker3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 18 July 2009 - 12:55 PM

I tried to run RootRepeal for the files, but when I ran RootRepeal it gave me the error message that it could not read the boot sector and to adjust the disk access level in the options dialog. Could you tell me where I can adjust this?

#4 beaker3

beaker3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 18 July 2009 - 02:11 PM

Sorry - I should have been able to figure out how to make RootRepeal work before. I have posted below the results that should include the files section.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/18 15:01
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDA3C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CB9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7CCD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED1E4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACfymmmrurrdskthsxp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnwtfymudsydnpnvjs.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAConbofopdqbtsiobob.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpmhwdqjuqvldanedl.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpwfnpdlagiogsbuev.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACubbvolbhfusftewwn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxcdlbnifnpklmrclt.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_5aops4apqwcsm2c
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ou97vfdhn6wmoy5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_pwiev0do1ifimfq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_2tmneeambwmv2sf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_trjh0pzmocv1mqb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_fiyslgvqvebiggr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC1a86.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2515.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2cd6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2f47.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3022.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC30fc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbvqlxqubcgajhdtvm.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\UAC621b.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\nsd8A2.tmp\UAC.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\covers;rel=Sports;rel=Baseball;rel=Nomar_Garciaparra;rel=Professional_Baseball;rel=Major_League_Baseball_Red_Sox;rel=Tom_Verducci;rel=Walter_Iooss;rel=Major_League_Baseball[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\Credits%7EFederal%20Taxes&sid=S1040PERb7387&w=1280&h=768&trial=false&prodID=8&token=k%2BxIswsAYbBkEW4jaBJSnBlWS7MlKW%2FmfcaPzhnsQtFogCqowZR71MKon8m98qM7gOL7OtCQ3ZWqpvQrHnxxlg%3D%3D
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;writ=luke_winn;slug=wall;path=2009;path=writers;path=luke_winn;path=04;path=16;path=wall;file=index_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;rsi=10112;t[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=basketball_nba;ptyp=main;path=basketball;path=nba;file=index_html;rsi=10038;rsi=10058;rsi=10059;rsi=10079;rsi=10112;dcopt=ist;tile=1;dcove=d;sz=728x90,988x90;ord=77404[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\Type=click&FlightID=190291&AdID=264889&TargetID=55011&Segments=660,2743,3030,3285,4008,6298,7842,8463,8796,8806,9496,10373,11532,13079,16113,18517,18672,18823,18961,18982,1[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\Type=click&FlightID=206513&AdID=283911&TargetID=24357&Segments=660,2743,3030,3285,4008,6298,7842,8463,8796,8806,9496,10373,11532,13079,16113,18517,18672,18823,18961,18982,1[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\dref=http%253A%252F%252Fsportsillustrated[1].html%253FcontestId%253D24469%2526vendorId%253D2009041514%2526vendorVisitTeam%253D8%2526vendorHomeTeam%253D14%2526pageType%253Drecap
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944448;rid=30962324;rv=1;&timestamp=1239741740656;eid1=2;ecn1=0;etm1=10;eid2=12;ecn2=0;etm2=10;eid4=18;[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944454;rid=30962330;rv=1;&timestamp=1239741250953;eid1=2;ecn1=0;etm1=7;eid2=12;ecn2=0;etm2=8;[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0903;path=two_sport_athletes;file=content_1_html;tile=2;dcove=d;sz=300x250,300x600,160x600;ord=725811847444[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0903;path=two_sport_athletes;file=content_3_html;tile=2;dcove=d;sz=300x250,300x600,160x600;ord=882751654737[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=basketball_nba;slug=hornets;slug=ap;path=2009;path=basketball;path=nba;path=04;path=09;path=hornets_ap;file=index_html;dcopt=ist;tile=1;dcove=d;sz=728x90,988x90;ord=35[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=football_ncaa;ptyp=main;path=football;path=ncaa;file=index_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;rsi=10112;tile=2;dcove=d;sz=300x250;ord=271378597470[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_8_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;r[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=basketball_ncaa;slug=thabeet;slug=nba;path=2009;path=basketball;path=ncaa;path=04;path=14;path=thabeet_nba;file=index_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=athletes_who_died_in_accidents;file=content_25_html;tile=2;dcove=d;sz=300x250,300x600,160x600;ord=65989[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=cbk_all_tournament_team;file=content_1_html;tile=2;dcove=d;sz=300x250,300x600,160x600;ord=718792418543[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=cbk_all_tournament_team;file=content_7_html;dcopt=ist;tile=1;dcove=d;sz=222x53;ord=45018292299[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_10_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_14_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_14_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_15_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\football_ncaa;spt=football_ncaa;unid=29580858;pos=top;dcopt=ist;dcove=d;sz=728x90,988x90;tile=1;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;rsi=10112;ord=525120581089[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0903;path=two_sport_athletes;file=content_8_html;tile=2;dcove=d;sz=300x250,300x600,160x600;ord=671962847412[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_18_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_31_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\maindetails;tile=4;sz=300x250%2C300x600%2C160x600%2C171x600%2C11x1;p=tr;g=th;id=tt0407887;m=R;tt=f;k=pu;b=t250;b=t250a;g=cr;g=dr;coo=hk;coo=usa;k=c;ord=6694107784351788[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_21_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_22_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_2_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;r[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_2_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;r[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_32_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_3_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;r[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\09MFCXQR\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_4_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;r[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_31_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\articles;rel=College_Athletics;rel=College_Football;rel=Pacific_Tigers;rel=Durell_Price;rel=Big_West_Conference;rel=Southeastern_Conference;rel=Florida_Gators;rel=Football;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_17_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=;ptyp=gallery;path=multimedia;path=photo_gallery;path=0904;path=nfl_best_first_round_picks_1-32;file=content_25_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\Type=click&FlightID=191065&AdID=263261&TargetID=55007&Segments=660,2619,2725,2743,3030,3285,3598,3800,4008,5045,5180,5380,6298,8463,8796,9496,9956,10072,10373,12396,12438,1[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\football_ncaa;spt=football_ncaa;unid=29580858;pos=top;dcove=d;sz=160x600,300x250,300x600;tile=2;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;rsi=10112;ord=525120581089[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\dref=http%253A%252F%252Fsportsillustrated[1].html%253FcontestId%253D24493%2526vendorId%253D2009041506%2526vendorVisitTeam%253D10%2526vendorHomeTeam%253D6%2526pageType%253Drecap
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\covers;rel=Sports;rel=Baseball;rel=Nomar_Garciaparra;rel=Professional_Baseball;rel=Major_League_Baseball_Red_Sox;rel=Tom_Verducci;rel=Walter_Iooss;rel=Major_League_Baseball[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\Type=click&FlightID=207671&AdID=286988&TargetID=24198&Segments=730,2259,2401,2725,2743,3030,3285,3434,3738,3800,4635,6298,8260,8463,8788,8796,9496,9779,9781,9853,10381,1141[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\galleries;rel=Entertainment;rel=Celebrity_News;rel=Sports_Stars;rel=Moses_Malone;rel=Sports;rel=Basketball;rel=National_Basketball_Association;rel=Men_s_Professional_Basket[11]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=basketball_ncaa;ptyp=main;path=basketball;path=ncaa;file=index_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=10079;rsi=10112;dcopt=ist;tile=1;dcove=d;sz=728x90,988x[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\galleries;rel=Entertainment;rel=Celebrity_News;rel=Sports_Stars;rel=Moses_Malone;rel=Sports;rel=Basketball;rel=National_Basketball_Association;rel=Men_s_Professional_Basket[13]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\tile=77261364&site=network2&channel=cheerleading&subchannel=nosubchannel&tanproduct=eteamz&b2borb2c=b2c&feature=eteamz_sites&subfeature1=home&subfeature2=nosubfeature2&subf[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\galleries;rel=Entertainment;rel=Celebrity_News;rel=Sports_Stars;rel=Moses_Malone;rel=Sports;rel=Basketball;rel=National_Basketball_Association;rel=Men_s_Professional_Basket[12]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=basketball_nba;ptyp=viewcast;path=_element;path=ssi;path=sect;path=3_0;path=basketball;path=nba;path=viewcast;file=iframe1_exclude_html;dcopt=ist;tile=1;dcove=d;sz=728[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=basketball_nba;ptyp=viewcast;path=_element;path=ssi;path=sect;path=3_0;path=basketball;path=nba;path=viewcast;file=iframe2_exclude_html;dcopt=ist;tile=1;dcove=d;sz=300[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\7REGUQJO\;spt=basketball_nba;ptyp=viewcast;path=_element;path=ssi;path=sect;path=3_0;path=basketball;path=nba;path=viewcast;file=iframe2_exclude_html;dcopt=ist;tile=1;dcove=d;sz=300[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\;spt=;writ=steve_aschburner;slug=awards;path=2009;path=writers;path=steve_aschburner;path=04;path=14;path=awards;file=1_html;rsi=10055;rsi=10038;rsi=10058;rsi=10059;rsi=100[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944448;rid=30962324;rv=1;&timestamp=1239741770656;eid1=2;ecn1=0;etm1=30;eid2=12;ecn2=0;etm2=11;eid5=13;[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944452;rid=30962328;rv=1;&timestamp=1239740993937;eid1=2;ecn1=1;etm1=1;eid2=12;ecn2=1;etm2=0;eid3=11;ec[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944453;rid=30962329;rv=1;&timestamp=1239742210593;eid1=2;ecn1=0;etm1=8;eid2=12;ecn2=0;etm2=8;eid4=18;ec[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\galleries;rel=Entertainment;rel=Celebrity_News;rel=Sports_Stars;rel=Moses_Malone;rel=Sports;rel=Basketball;rel=National_Basketball_Association;rel=Men_s_Professional_Basket[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\galleries;rel=Entertainment;rel=Celebrity_News;rel=Sports_Stars;rel=Moses_Malone;rel=Sports;rel=Basketball;rel=National_Basketball_Association;rel=Men_s_Professional_Basket[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944454;rid=30962330;rv=1;&timestamp=1239741290953;eid1=2;ecn1=0;etm1=30;eid2=12;ecn2=0;etm2=12;eid5=13;[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\81MRKDE7\activity;src=2082207;met=1;v=1;pid=35235053;aid=213746357;ko=0;cid=30944455;rid=30962331;rv=1;&timestamp=1239740562234;eid1=2;ecn1=0;etm1=30;eid2=12;ecn2=0;etm2=10;eid5=13;[1].gif
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UAConbofopdqbtsiobob.dll]
Process: svchost.exe (PID: 756) Address: 0x00fc0000 Address: 204800

Object: Hidden Module [Name: UAC2cd6.tmppdlagiogsbuev.dll]
Process: svchost.exe (PID: 756) Address: 0x10000000 Address: 73728

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: svchost.exe (PID: 756) Address: 0x02aa0000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: svchost.exe (PID: 756) Address: 0x02b40000 Address: 49152

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: WINWORD.EXE (PID: 7952) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: WINWORD.EXE (PID: 7952) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: new.exe (PID: 6028) Address: 0x00f80000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: new.exe (PID: 6028) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACfymmmrurrdskthsxp.dll]
Process: rundll32.exe (PID: 1248) Address: 0x00b40000 Address: 49152

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: rundll32.exe (PID: 1248) Address: 0x10000000 Address: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbvqlxqubcgajhdtvm.sys

==EOF==

#5 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 18 July 2009 - 09:10 PM

One thing you should know:

You have been infected by a nasty rootkit {TDSS Variant}. This rootkit may steal personal information from your computer and can monitor traffic as you surf. If you do on-line banking, shopping, or other financial transactions, you need to contact your bank to monitor your account -and- change all passwords immediately. I also recommend changing the password on your router - if applicable. Due to the nature of rootkits, some members elect to reformat their computer, versus trying to clean it. If you wish to do that, please let me know.

We continue:

1st - update Malwarebytes. Do not run it yet...

Rerun RootRepeal. After the scan completes, go to the Files tab and find these files:
  • C:\WINDOWS\system32\UACfymmmrurrdskthsxp.dll
  • C:\WINDOWS\system32\uacinit.dll
  • C:\WINDOWS\system32\UACnwtfymudsydnpnvjs.dll
  • C:\WINDOWS\system32\UAConbofopdqbtsiobob.dll
  • C:\WINDOWS\system32\UACpmhwdqjuqvldanedl.log
  • C:\WINDOWS\system32\UACpwfnpdlagiogsbuev.dll
  • C:\WINDOWS\system32\UACubbvolbhfusftewwn.dat
  • C:\WINDOWS\system32\UACxcdlbnifnpklmrclt.dll
  • C:\WINDOWS\Temp\UAC1a86.tmp
  • C:\WINDOWS\Temp\UAC2515.tmp
  • C:\WINDOWS\Temp\UAC2cd6.tmp
  • C:\WINDOWS\Temp\UAC2f47.tmp
  • C:\WINDOWS\Temp\UAC3022.tmp
  • C:\WINDOWS\Temp\UAC30fc.tmp
  • C:\WINDOWS\system32\drivers\UACbvqlxqubcgajhdtvm.sys
  • C:\Documents and Settings\Brian\Local Settings\Temp\UAC621b.tmp
  • C:\Documents and Settings\Brian\Local Settings\Temp\nsd8A2.tmp\UAC.dll
Then use your mouse to highlight it in the RootRepeal window.
Next, right mouse click on it and select the *wipe file* option only, then immediately reboot the computer.

Rerun Malwarebytes in full mode. - Let me know if you need any help with these steps.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
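
As an added triage example (not code from this thread, from RootRepeal or from Malwarebytes), a Python parser for the "Stealth Objects" and "Hidden Services" sections of a RootRepeal log like the one posted above: it groups hidden modules by the process they were loaded into and picks out the hidden driver, which together are the files rigel asks to have wiped. The sample log is constructed to mirror the posted one; the `UAC` name pattern used to tie hits to this TDSS variant and the `vendor_helper.dll` entry are assumptions for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed excerpt in the layout RootRepeal used for its "Stealth Objects" and
# "Hidden Services" sections; the tool prints a module's base address and then its
# size, both labelled "Address:", exactly as in the posted log.
SAMPLE_LOG = """\
Stealth Objects
-------------------
Object: Hidden Module [Name: UAConbofopdqbtsiobob.dll]
Process: svchost.exe (PID: 756) Address: 0x00fc0000 Address: 204800

Object: Hidden Module [Name: UACnwtfymudsydnpnvjs.dll]
Process: WINWORD.EXE (PID: 7952) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: vendor_helper.dll]
Process: explorer.exe (PID: 1400) Address: 0x00a00000 Address: 8192

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACbvqlxqubcgajhdtvm.sys
"""
MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\s*"
    r"Process: (?P<proc>.+?) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<base>0x[0-9A-Fa-f]+) Address: (?P<size>\d+)")
# "Image Path" may be printed without its colon, as in the posted log.
SERVICE_RE = re.compile(r"Service Name: (?P<svc>.+)\nImage Path:? ?(?P<path>.+)")
# Assumed name heuristic for this TDSS variant: "UAC" plus random letters/digits.
UAC_NAME_RE = re.compile(r"^UAC[0-9a-z]*\.(?:dll|sys|dat|log|tmp)$", re.IGNORECASE)

def parse_hidden_modules(log):
    """One dict per hidden-module instance (a DLL may appear in several processes)."""
    return [m.groupdict() for m in MODULE_RE.finditer(log)]

def parse_hidden_services(log):
    return [{"svc": m["svc"].strip(), "path": m["path"].strip()}
            for m in SERVICE_RE.finditer(log)]

def triage(log):
    """Group UAC-named hidden modules by host process; list hidden UAC drivers.
    Being hidden from the Windows API is the real signal, so hidden modules that
    do not match the family's name pattern are reported separately, not dropped."""
    injected, other = defaultdict(set), set()
    for m in parse_hidden_modules(log):
        if UAC_NAME_RE.match(m["name"]):
            injected[f'{m["proc"]}:{m["pid"]}'].add(m["name"])
        else:
            other.add(m["name"])
    drivers = [s["path"] for s in parse_hidden_services(log)
               if UAC_NAME_RE.match(ntpath.basename(s["path"]))]
    return {"injected": dict(injected), "other_hidden": sorted(other), "hidden_drivers": drivers}
```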


#6 beaker3

  • Topic Starter
  • Members
  • 6 posts

Posted 19 July 2009 - 12:56 PM

Thanks very much. I updated Malware, used RootRepeal and wiped out those files, then rebooted and reran Malware, which then found 6 Trojan.agents. I removed them all and have posted the log below. Would you recommend a reformat if there is a chance this could spring up again? Also, there is no way to tell what files, if any, may have been stolen by this virus, correct?

Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 5.1.2600 Service Pack 3

7/19/2009 1:54:54 PM
mbam-log-2009-07-19 (13-54-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160271
Time elapsed: 1 hour(s), 13 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACfymmmrurrdskthsxp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACnwtfymudsydnpnvjs.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UAConbofopdqbtsiobob.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACpwfnpdlagiogsbuev.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACxcdlbnifnpklmrclt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACbvqlxqubcgajhdtvm.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#7 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 19 July 2009 - 08:26 PM

That is correct. TDSS monitors traffic and can steal information. Some say that a reformat should be considered - especially if you are doing financial or confidential work.



#8 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 19 July 2009 - 08:27 PM

Also, if you can easily reformat, I might choose that. If this computer is used for basic surfing... you may wish to try and clean it.



#9 beaker3

  • Topic Starter
  • Members
  • 6 posts

Posted 19 July 2009 - 08:47 PM

I generally use this computer for non-essential work but I think I would have more peace of mind with a reformat. I've never reformatted a hard drive before - do you have a guide I can follow to reformat my hard drive? Thanks.

#10 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 July 2009 - 08:25 PM

I will find one for you...





