Please help.


14 replies to this topic

#1 Diekenny20


Posted 23 July 2009 - 05:52 PM

Hello. I have been having trouble with a few viruses the past few days and have tried 3 or 4 different antivirus programs to try to get rid of them. Malwarebytes finally pinned down the files but can't delete them for some reason. I searched on Google for help and I found this site, where people with the same problem as me have been helped, so I figured it would be a good idea. The viruses do a few things that I am aware of: first, they send me fake Security Center alerts every five minutes or so; second, some Google links are redirected to advertisement sites (the links redirected are usually ones that come up in a search I made about the virus; unrelated links worked fine); third, every once in a while a commercial or music or something that sounds like a TV show or interview will come on when nothing is open and I can't shut it off. Also, I have tried to make this post about 3 times, but every single time I get about halfway through and the browser just shuts down, so I'm trying to make this quick. Here is the latest Malwarebytes log.

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/23/2009 5:03:14 PM
mbam-log-2009-07-23 (17-03-14).txt

Scan type: Quick Scan
Objects scanned: 108222
Time elapsed: 13 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\tm (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
I:\Autorun.inf (Worm.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


Any help would be greatly appreciated, thank you.

Edited by Diekenny20, 23 July 2009 - 06:06 PM.



#2 boopme


Posted 23 July 2009 - 06:09 PM

Hello and welcome!

Next, please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
Not this >>> SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.

#3 Diekenny20


Posted 23 July 2009 - 06:23 PM

Thank you for the help. After running the scan, I got a message saying "Could not read system registry, please contact the author." Here is the log though.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/23 19:19
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1DF6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89B5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP4278
Image Path: \Driver\PCI_PNP4278
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFA0D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spdl.sys
Image Path: spdl.sys
Address: 0xF837E000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: winlogon.exe (PID: 588) Address: 0x00740000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: winlogon.exe (PID: 588) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: services.exe (PID: 632) Address: 0x00740000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: services.exe (PID: 632) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: lsass.exe (PID: 644) Address: 0x007e0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: lsass.exe (PID: 644) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 792) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 792) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACdulhypkhbg.dll]
Process: svchost.exe (PID: 792) Address: 0x00960000 Address: 73728

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 792) Address: 0x02960000 Address: 45056

Object: Hidden Module [Name: UACrnlltimoto.dll]
Process: svchost.exe (PID: 792) Address: 0x02990000 Address: 217088

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 792) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 792) Address: 0x02c80000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 964) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 964) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 964) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1052) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1052) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1052) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1112) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1112) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1112) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1240) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1240) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1240) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: aawservice.exe (PID: 1472) Address: 0x00be0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: aawservice.exe (PID: 1472) Address: 0x00d50000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: aswUpdSv.exe (PID: 1556) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: aswUpdSv.exe (PID: 1556) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ashServ.exe (PID: 1608) Address: 0x00a40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ashServ.exe (PID: 1608) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: spoolsv.exe (PID: 1916) Address: 0x00a40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: spoolsv.exe (PID: 1916) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 880) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 880) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 880) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ACService.exe (PID: 888) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ACService.exe (PID: 888) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: AppleMobileDeviceService.exe (PID: 920) Address: 0x007d0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: AppleMobileDeviceService.exe (PID: 920) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: avgwdsvc.exe (PID: 948) Address: 0x00800000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: avgwdsvc.exe (PID: 948) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: mDNSResponder.exe (PID: 988) Address: 0x00810000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: mDNSResponder.exe (PID: 988) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1284) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1284) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1284) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: jqs.exe (PID: 1348) Address: 0x007e0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: jqs.exe (PID: 1348) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1364) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1364) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1364) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: nvsvc32.exe (PID: 1400) Address: 0x007b0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: nvsvc32.exe (PID: 1400) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: Omniserv.exe (PID: 1352) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: Omniserv.exe (PID: 1352) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1456) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1456) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1456) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: PnkBstrA.exe (PID: 1480) Address: 0x008c0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: PnkBstrA.exe (PID: 1480) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 1532) Address: 0x00730000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 1532) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACbbb9.tmptimoto.dll]
Process: svchost.exe (PID: 1532) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: wdfmgr.exe (PID: 1660) Address: 0x006d0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: wdfmgr.exe (PID: 1660) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: avgrsx.exe (PID: 180) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: avgrsx.exe (PID: 180) Address: 0x00830000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: avgnsx.exe (PID: 200) Address: 0x00850000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: avgnsx.exe (PID: 200) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ashMaiSv.exe (PID: 1800) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ashMaiSv.exe (PID: 1800) Address: 0x00a60000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ashWebSv.exe (PID: 2000) Address: 0x00a80000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ashWebSv.exe (PID: 2000) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: OPXPApp.exe (PID: 2096) Address: 0x00600000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: OPXPApp.exe (PID: 2096) Address: 0x00750000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: Explorer.EXE (PID: 2572) Address: 0x00b80000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: Explorer.EXE (PID: 2572) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: alg.exe (PID: 2616) Address: 0x007c0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: alg.exe (PID: 2616) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hpsysdrv.exe (PID: 3020) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hpsysdrv.exe (PID: 3020) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hpqcmon.exe (PID: 3108) Address: 0x00ab0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hpqcmon.exe (PID: 3108) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: HPWuSchd2.exe (PID: 3180) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: HPWuSchd2.exe (PID: 3180) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hphmon05.exe (PID: 3248) Address: 0x00ac0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hphmon05.exe (PID: 3248) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: KBD.EXE (PID: 3272) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: KBD.EXE (PID: 3272) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ccApp.exe (PID: 3504) Address: 0x008f0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ccApp.exe (PID: 3504) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: shwicon2k.exe (PID: 3604) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: shwicon2k.exe (PID: 3604) Address: 0x00a50000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: mmtask.exe (PID: 3648) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: mmtask.exe (PID: 3648) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: jusched.exe (PID: 3692) Address: 0x00a70000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: jusched.exe (PID: 3692) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ALCXMNTR.EXE (PID: 3740) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ALCXMNTR.EXE (PID: 3740) Address: 0x00ac0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ccEvtMgr.exe (PID: 3752) Address: 0x006b0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ccEvtMgr.exe (PID: 3752) Address: 0x00820000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ACDaemon.exe (PID: 3820) Address: 0x00a80000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ACDaemon.exe (PID: 3820) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: iTunesHelper.exe (PID: 1524) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: iTunesHelper.exe (PID: 1524) Address: 0x00a90000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: avgtray.exe (PID: 1324) Address: 0x00ca0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: avgtray.exe (PID: 1324) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ashDisp.exe (PID: 340) Address: 0x00a40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ashDisp.exe (PID: 340) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACrnlltimoto.dll]
Process: svchost.exe (PID: 752) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 752) Address: 0x01000000 Address: 20480

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 752) Address: 0x00e10000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 752) Address: 0x00ea0000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: MsnMsgr.Exe (PID: 384) Address: 0x01350000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: MsnMsgr.Exe (PID: 384) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: GoogleToolbarNotifier.exe (PID: 1128) Address: 0x00a20000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: GoogleToolbarNotifier.exe (PID: 1128) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: msmsgs.exe (PID: 1300) Address: 0x00a00000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: msmsgs.exe (PID: 1300) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: Weather.exe (PID: 2052) Address: 0x016f0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: Weather.exe (PID: 2052) Address: 0x01860000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: RUNDLL32.EXE (PID: 2228) Address: 0x00b40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: RUNDLL32.EXE (PID: 2228) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: Owner.exe (PID: 2232) Address: 0x00e70000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: Owner.exe (PID: 2232) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: aoltray.exe (PID: 2492) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: aoltray.exe (PID: 2492) Address: 0x00a30000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hpqtra08.exe (PID: 2564) Address: 0x00a70000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hpqtra08.exe (PID: 2564) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: EasyShare.exe (PID: 2744) Address: 0x00a80000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: EasyShare.exe (PID: 2744) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: BackWeb-137903.exe (PID: 2892) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: BackWeb-137903.exe (PID: 2892) Address: 0x00a20000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: SpamSubtract.exe (PID: 2880) Address: 0x00a10000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: SpamSubtract.exe (PID: 2880) Address: 0x00b80000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: iPodService.exe (PID: 3064) Address: 0x00850000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: iPodService.exe (PID: 3064) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: wuauclt.exe (PID: 3060) Address: 0x00a40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: wuauclt.exe (PID: 3060) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ymsgr_tray.exe (PID: 3580) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ymsgr_tray.exe (PID: 3580) Address: 0x00a50000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hpqSTE08.exe (PID: 3704) Address: 0x00a10000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hpqSTE08.exe (PID: 3704) Address: 0x00b80000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: wymhgd.exe (PID: 3564) Address: 0x00e90000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: wymhgd.exe (PID: 3564) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: cmd.exe (PID: 2752) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: cmd.exe (PID: 2752) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: usnsvc.exe (PID: 1192) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: usnsvc.exe (PID: 1192) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: winlogon.exe.exe (PID: 3812) Address: 0x00f90000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: winlogon.exe.exe (PID: 3812) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: NOTEPAD.EXE (PID: 2056) Address: 0x00a40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: NOTEPAD.EXE (PID: 2056) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: NOTEPAD.EXE (PID: 3888) Address: 0x00a40000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: NOTEPAD.EXE (PID: 3888) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: Iexplore.exe (PID: 1256) Address: 0x00ac0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: Iexplore.exe (PID: 1256) Address: 0x00c80000 Address: 49152

Object: Hidden Module [Name: UACrnlltimoto.dll]
Process: Iexplore.exe (PID: 1256) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: WinRAR.exe (PID: 2776) Address: 0x00b60000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: WinRAR.exe (PID: 2776) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: RootRepeal.exe (PID: 2788) Address: 0x00bc0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: RootRepeal.exe (PID: 2788) Address: 0x10000000 Address: 45056

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82a881f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8282a1f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x828291f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x828ab500 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x828ed1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82af61f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82578500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82578500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82578500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82578500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82578500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82578500 Address: 121

Object: Hidden Code [Driver: usbehci==EOF==

Edited by Diekenny20, 23 July 2009 - 06:27 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 July 2009 - 07:11 PM

Hello, you're welcome. You have this rootkit and it's active. I need for you to read this before we move on.

IMPORTANT NOTE: uacinit.dll is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
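The moderator's point about rootkits hooking the kernel to hide files and registry keys is exactly what the RootRepeal "Stealth Objects" entries posted above are recording: DLLs mapped into processes but absent from their loader lists, and driver IRP dispatch entries that resolve into code the tool cannot account for. The following is an added example, not code from this thread or from the RootRepeal project, that parses that log format and pulls out the two facts a responder wants for triage: which hidden DLLs are injected into how many processes, and which drivers have every reported dispatch entry pointing at a single routine. The embedded sample log is constructed to mirror the thread's format; treating the second "Address:" field as a byte length and checking for the "UAC" name prefix are assumptions, not documented RootRepeal behaviour.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the RootRepeal "Stealth Objects" section quoted in this
# thread. It is not a real log from this machine; names and addresses are illustrative.
SAMPLE_LOG = """\
Stealth Objects
-------------------
Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 808) Address: 0x027a0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 808) Address: 0x02830000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: iexplore.exe (PID: 2808) Address: 0x10000000 Address: 45056

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x829211f8 Address: 121
"""

# "Hidden Module": a DLL mapped into a process but missing from its loader lists.
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
# "Hidden Code": a driver's IRP dispatch entry that points into unlisted code.
CODE_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>[^,]+), (?P<irp>IRP_MJ_\w+)\]$")
# The detail line that follows either object. The PID is absent for "System".
# The second "Address:" field is treated as a byte length (an assumption about
# RootRepeal's output; the thread does not document the format).
PROC_RE = re.compile(
    r"^Process: (?P<proc>\S+)(?: \(PID: (?P<pid>\d+)\))?"
    r" Address: (?P<addr>0x[0-9a-fA-F]+) Address: (?P<length>\d+)$"
)


def parse_stealth_objects(text):
    """Return (modules, drivers).

    modules: {dll_name: {(process, pid, base_address), ...}}
    drivers: {driver_name: {irp_major: hook_address}}
    """
    modules = defaultdict(set)
    drivers = defaultdict(dict)
    pending = None  # the Object: line waiting for its Process: line
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            pending = ("module", m.group("name"))
            continue
        m = CODE_RE.match(line)
        if m:
            pending = ("code", m.group("driver"), m.group("irp"))
            continue
        m = PROC_RE.match(line)
        if m and pending is not None:
            if pending[0] == "module":
                modules[pending[1]].add((m.group("proc"), m.group("pid"), m.group("addr")))
            else:
                drivers[pending[1]][pending[2]] = m.group("addr")
            pending = None
    return dict(modules), dict(drivers)


def module_spread(modules):
    """Number of distinct processes each hidden DLL was found in.

    A DLL present in almost every user process (as in the thread's log) points to
    a system-wide injector rather than a single trojanised program.
    """
    return {name: len({(p, pid) for p, pid, _ in locs}) for name, locs in modules.items()}


def single_routine_hooks(drivers):
    """Drivers whose reported dispatch entries all resolve to one address.

    Returns {driver: (hook_address, number_of_majors_hooked)}. Many IRP majors
    funnelled through one routine is the signature of a hook installed over the
    driver, not of the driver's own per-major handlers.
    """
    result = {}
    for drv, hooks in drivers.items():
        targets = set(hooks.values())
        if len(targets) == 1:
            result[drv] = (targets.pop(), len(hooks))
    return result


def family_named_modules(modules, prefix="UAC"):
    """Hidden DLLs whose names carry the prefix the scanners tied to this family
    (uacinit.dll and HKLM\\SOFTWARE\\UAC appear in the logs in this thread)."""
    return sorted(n for n in modules if n.upper().startswith(prefix.upper()))


if __name__ == "__main__":
    mods, drvs = parse_stealth_objects(SAMPLE_LOG)
    print("hidden DLLs by process count:", module_spread(mods))
    print("drivers with a single hook routine:", single_routine_hooks(drvs))
    print("family-named modules:", family_named_modules(mods))
```

Run against a full RootRepeal log, the module count alone makes the scope of the infection visible: the two UAC-named DLLs in this thread sit in every user-mode process listed, including the scanner's own, which is why the moderator treats the machine as untrustworthy rather than as one bad file to delete.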

#5 Diekenny20

Diekenny20
  • Topic Starter

  • Members
  • 18 posts

Posted 23 July 2009 - 07:29 PM

I would like to at least attempt to fix this without any reformatting, it's not MY computer, it's my grandma's/parents' and they have final say on whether it can be wiped. My dad is at work right now...I will have him read the warnings as soon as he gets home, but for now I would like to proceed with trying to get rid of it.

Edited by Diekenny20, 23 July 2009 - 07:39 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 July 2009 - 08:38 PM

Ok.. let's see if we can do this...
Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions, post 2 logs and let us know how the PC is running now.

#7 Diekenny20

Diekenny20
  • Topic Starter

  • Members
  • 18 posts

Posted 24 July 2009 - 02:46 AM

Thanks again for the help. This seems to have helped some, for one I'm not getting fake security center alerts anymore. There are a few things I should mention though. First I keep getting messages saying that "So and so file is corrupt, run the chkdsk utility" and second in the lower right hand corner of the screen is a white box with a red X and the white box goes about a third up the screen, it's not really hurting anything but it probably shouldn't be there all the same. Here are the logs for superantispyware and malwarebytes.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2009 at 02:49 AM

Application Version : 4.26.1006

Core Rules Database Version : 4015
Trace Rules Database Version: 1955

Scan type : Complete Scan
Total Scan Time : 04:24:45

Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 6852
Registry threats detected : 75
File items scanned : 144329
File threats detected : 10

Trojan.Agent/Gen-NameThief[Smart]
[Java Quick Start] C:\DOCUMENTS AND SETTINGS\OWNER\JUSCHED.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\JUSCHED.EXE
[Owner] C:\DOCUMENTS AND SETTINGS\OWNER\OWNER.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\OWNER.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\CEQKJG.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\FHTNMJ.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\IHSEPS.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\KMYSRO.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\OQEWVS.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\VXLFEB.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\YCOIHE.EXE

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-917611465-2140003579-660869194-1003\SOFTWARE\FunWebProducts
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#MyWebSearch Plugin [ rundll32 C:\PROGRA~1\MYWEBS~2\bar\1.bin\M3PLUGIN.DLL,UPF ]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#My Web Search Bar [ rundll32 C:\PROGRA~1\MYWEBS~2\bar\1.bin\MWSBAR.DLL,S ]

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\connections#20d04c0a
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#2469d708
HKLM\SOFTWARE\UAC\mask#1ed943f0
HKLM\SOFTWARE\UAC\mask#6aed4b25
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\RTEPREKYFSO.HTML


Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.1.2600 Service Pack 3

7/24/2009 3:16:53 AM
mbam-log-2009-07-24 (03-16-53).txt

Scan type: Quick Scan
Objects scanned: 102632
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\tm (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Edited by Diekenny20, 24 July 2009 - 02:47 AM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • Gender:Male
  • Location:NJ USA

Posted 24 July 2009 - 02:03 PM

Hello, Ok looking much better. If those things don't clear out by removals we will try fixing them last.

Rerun RootRepeal
Click Settings - Options
Set the Disk Access Level slider in the general tab to High

Try scanning now with the settings as described above.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

#9 Diekenny20

Diekenny20
  • Topic Starter

  • Members
  • 18 posts

Posted 24 July 2009 - 04:10 PM

The rootrepeal and malwarebytes logs.



ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/24 16:36
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF13D3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89FF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: nrjhvhls.sys
Image Path: C:\WINDOWS\system32\drivers\nrjhvhls.sys
Address: 0xF167A000 Size: 61440 File Visible: No Signed: -
Status: -

Name: PCI_PNP8124
Image Path: \Driver\PCI_PNP8124
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF2E6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spzu.sys
Image Path: spzu.sys
Address: 0xF837E000 Size: 1048576 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: svchost.exe (PID: 808) Address: 0x027a0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: svchost.exe (PID: 808) Address: 0x02830000 Address: 49152

Object: Hidden Module [Name: UACdf4f.tmpypkhbg.dll]
Process: svchost.exe (PID: 808) Address: 0x10000000 Address: 73728

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: Falconpunch.exe (PID: 4076) Address: 0x003d0000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: Falconpunch.exe (PID: 4076) Address: 0x02c20000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: aoltray.exe (PID: 1312) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: aoltray.exe (PID: 1312) Address: 0x00970000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hpqtra08.exe (PID: 1252) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hpqtra08.exe (PID: 1252) Address: 0x009a0000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: EasyShare.exe (PID: 496) Address: 0x009c0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: EasyShare.exe (PID: 496) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: BackWeb-137903.exe (PID: 1544) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: BackWeb-137903.exe (PID: 1544) Address: 0x00930000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: SpamSubtract.exe (PID: 1600) Address: 0x00a00000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: SpamSubtract.exe (PID: 1600) Address: 0x00ac0000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: iPodService.exe (PID: 2776) Address: 0x00760000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: iPodService.exe (PID: 2776) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: hpqSTE08.exe (PID: 3584) Address: 0x00a00000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: hpqSTE08.exe (PID: 3584) Address: 0x00ac0000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: ymsgr_tray.exe (PID: 3648) Address: 0x00990000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: ymsgr_tray.exe (PID: 3648) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: wuauclt.exe (PID: 2560) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: wuauclt.exe (PID: 2560) Address: 0x00980000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: usnsvc.exe (PID: 3940) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: usnsvc.exe (PID: 3940) Address: 0x00600000 Address: 49152

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: iexplore.exe (PID: 2808) Address: 0x00a90000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: iexplore.exe (PID: 2808) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: WinRAR.exe (PID: 2720) Address: 0x00aa0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: WinRAR.exe (PID: 2720) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeweiifo.dll]
Process: RootRepeal.exe (PID: 2772) Address: 0x00af0000 Address: 49152

Object: Hidden Module [Name: UACxscxjkxypq.dll]
Process: RootRepeal.exe (PID: 2772) Address: 0x10000000 Address: 45056

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82af41f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x82517500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x828f1500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x829211f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8294c1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x829351f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_CREATE]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_CLOSE]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_READ]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_SHUTDOWN]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_CLEANUP]
Process: System Address: 0x825cc408 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_PNP]
Process: System Address: 0x825cc408 Address: 121

==EOF==




Malwarebytes' Anti-Malware 1.39
Database version: 2494
Windows 5.1.2600 Service Pack 3

7/24/2009 4:53:12 PM
mbam-log-2009-07-24 (16-53-12).txt

Scan type: Quick Scan
Objects scanned: 103970
Time elapsed: 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\autorun.inf (Worm.Agent.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Edited by Diekenny20, 24 July 2009 - 10:08 PM.
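The RootRepeal section of this post lists dozens of "Hidden Code" entries, one per hooked IRP major function, and by eye it is hard to see what they have in common. The following triage helper is an added example written for this page, not code from the poster, from RootRepeal or from Malwarebytes: it parses entries in the exact format shown above and groups them by driver, so that the pattern a defender cares about stands out (many dispatch entries of several unrelated drivers all resolving to one address inside the `System` process, plus a driver name that is no longer printable ASCII). The sample text embedded below is constructed in that format; the function and variable names are this example's own.

```python
"""Triage helper for RootRepeal 'Hidden Code' entries (added example).

It reads pairs of lines of the form

    Object: Hidden Code [Driver: <name>, IRP_MJ_<function>]
    Process: <process> Address: 0x<hex> ...

and summarises, per driver, which IRP major functions are hooked and
which code address(es) the hooks point to. Several drivers whose entire
dispatch tables collapse onto one target each is the shape a kernel-mode
rootkit leaves behind; a driver name containing non-printable or foreign
characters is a second hint that the driver object itself was tampered with.
"""
import re
from collections import OrderedDict

# Constructed sample in the same layout as the RootRepeal output above
# (addresses are illustrative, copied from the log's style, not live data).
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82a891f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82560500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x825ae500 Address: 121

Object: Hidden Code [Driver: CdfsЅడ䵃㤳, IRP_MJ_CREATE]
Process: System Address: 0x825cc408 Address: 121

==EOF==
"""

HOOK_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>[^,]+), (?P<irp>IRP_MJ_[A-Z_]+)\]$"
)
# Only the first "Address:" field is the hook target; the trailing field is kept out.
TARGET_RE = re.compile(r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+)")


def parse_hidden_code(text):
    """Return an ordered mapping driver -> {process, addresses, irps}."""
    hooks = OrderedDict()
    pending = None  # (driver, irp) from an Object: line awaiting its Process: line
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            pending = (m.group("driver"), m.group("irp"))
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            driver, irp = pending
            entry = hooks.setdefault(
                driver, {"process": m.group("process"), "addresses": [], "irps": []}
            )
            entry["irps"].append(irp)
            if m.group("addr") not in entry["addresses"]:
                entry["addresses"].append(m.group("addr"))
            pending = None
    return hooks


def garbled_driver_names(hooks):
    """Driver names that are not plain ASCII, as seen in the log above."""
    return [name for name in hooks if not name.isascii()]


def summarize(hooks):
    """One human-readable line per driver, for pasting into a triage note."""
    lines = []
    for driver, entry in hooks.items():
        flag = " [name not printable ASCII]" if not driver.isascii() else ""
        lines.append(
            f"{driver}{flag}: {len(entry['irps'])} dispatch entries hooked -> "
            f"{', '.join(entry['addresses'])} (process {entry['process']})"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(parse_hidden_code(SAMPLE_LOG)):
        print(line)
```

Run against a saved RootRepeal report instead of `SAMPLE_LOG` to get the same per-driver summary; on the log above it reduces roughly 180 lines to one line per driver, each showing a single hook target shared by every hooked dispatch entry of that driver.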


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:05 PM

Posted 25 July 2009 - 08:37 AM

Hi, I am not happy yet . I think it survived.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 Diekenny20

Diekenny20
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:05 PM

Posted 25 July 2009 - 05:06 PM

I have tried the scan three times so far. The first time it got to about 12% and my computer rebooted, the second time it got to 9% and stopped scanning, and on the third time the same thing happened as the first time. All three times though it had detected about 5 threats before it quit on me. I am going to try one more time, but I'm not expecting anything. What do I do from here?

Edited by Diekenny20, 25 July 2009 - 05:16 PM.


#12 Diekenny20

Diekenny20
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:05 PM

Posted 25 July 2009 - 05:06 PM

Got to about 12% and rebooted, detected 5 infected objects again.

Edited by Diekenny20, 25 July 2009 - 06:08 PM.


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:05 PM

Posted 25 July 2009 - 07:18 PM

Hello, as I mentioned, this is one nasty item. We will need to use a specialized tool that we do not use here.
You will need to run HJT/DDS.
Please follow this guide. Do whatever steps you can to get to steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#14 Diekenny20

Diekenny20
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:05 PM

Posted 27 July 2009 - 06:26 PM

I followed the instructions and posted the new topic and everything worked out alright, thank you so much for the help.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:05 PM

Posted 27 July 2009 - 08:20 PM

You're welcome!

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



