Trojan.metajuan


20 replies to this topic

#1 nitro1
  • Members
  • 27 posts

Posted 02 August 2009 - 04:46 PM

Norton picked up trojan.metajuan and failed to remove it. I've run norton in safe mode as well as ad-aware, both were unsuccessful in removing it. I'm not sure what else to do, and I would really appreciate some help. Let me know any information needed and I will do my best to post it.

Also, I wasn't sure where to post this so hopefully I'm in the right section

Edited by nitro1, 02 August 2009 - 04:48 PM.



#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 August 2009 - 05:11 PM

Hello and welcome .
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe. Now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 nitro1
  • Topic Starter
  • Members
  • 27 posts

Posted 02 August 2009 - 06:17 PM

Sorry for the delay, I was having some issues but managed to get it to work. Had to run it twice, as my computer locked up during the restart. So here is the first log:

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/2/2009 4:45:31 PM
mbam-log-2009-08-02 (16-45-31).txt

Scan type: Quick Scan
Objects scanned: 106713
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Dudu (Adware.DuDu) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.


----------------------------------------------------------------------------------------------------------

And here is the second log:

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/2/2009 5:05:11 PM
mbam-log-2009-08-02 (17-05-11).txt

Scan type: Quick Scan
Objects scanned: 106195
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


Now what's the next step?

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 August 2009 - 06:21 PM

Ok, not a problem, we all have lives too. First, a reboot was needed after that scan. Please do that if you haven't yet.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all six boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 nitro1
  • Topic Starter
  • Members
  • 27 posts

Posted 02 August 2009 - 06:29 PM

I did the reboot right after the scan.

I have extracted it to my desktop, however when I try to run it I get the error: "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialogue."

How do I get around that?

Edit: Apparently clicking OK multiple times works. Should I continue the process then?

Edited by nitro1, 02 August 2009 - 06:29 PM.


#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 August 2009 - 06:43 PM

Yes, please.

#7 nitro1
  • Topic Starter
  • Members
  • 27 posts

Posted 02 August 2009 - 08:02 PM

Well, on the first attempt the program froze, the second attempt crashed my computer (unless something else did it, I wasn't around), and the third attempt finally worked. Here it is:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/02 18:48
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: am0bfo1z.SYS
Image Path: C:\WINDOWS\System32\Drivers\am0bfo1z.SYS
Address: 0xF626D000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF45D4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AE8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP9648
Image Path: \Driver\PCI_NTPNP9648
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8B5D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7304000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACbcdwqiwihe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdxxdevjlnc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACgoevruwxut.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjypjppcvsa.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkjduqtxnfv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkmrsdommju.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClkytjixols.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC2a37.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC2eea.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACqrosrvoiye.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temp\UACe42d.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 26042, Raw: 25908)

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\52\5452-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5452-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5452-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\53\5453-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\54\5454-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5454-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5454-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\55\5455-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5455-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5455-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\56\5456-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5456-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5456-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\57\5457-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5457-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5457-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\59\5459-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5459-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5459-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\60\5460-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5460-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5460-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\61\5461-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5461-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5461-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\62\5462-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5462-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5462-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\65\5465-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5465-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5465-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\66\5466-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5466-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5466-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\67\5467-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5467-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5467-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\68\5468-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5468-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5468-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\vide-infra@hotmail.com\SharingMetadata\pamela_k_giborski@hotmail.com\DFSR\Staging\CS{D5F4BBAC-8EF4-FE43-286F-F23476B4FBCD}\69\5469-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5469-{EB56783E-CEAE-4BF1-ABCC-EAD889A0B842}-v5469-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: winlogon.exe (PID: 1264) Address: 0x00640000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: winlogon.exe (PID: 1264) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: services.exe (PID: 1340) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: services.exe (PID: 1340) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: lsass.exe (PID: 1352) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: lsass.exe (PID: 1352) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 1516) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 1516) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UAC2eea.tmpjixols.dll]
Process: svchost.exe (PID: 1516) Address: 0x00880000 Size: 217088

Object: Hidden Module [Name: UACdxxdevjlnc.dll]
Process: svchost.exe (PID: 1516) Address: 0x00980000 Size: 73728

Object: Hidden Module [Name: UAClkytjixols.dll]
Process: svchost.exe (PID: 1516) Address: 0x00e10000 Size: 217088

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 1516) Address: 0x00e00000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 1516) Address: 0x00ff0000 Size: 49152

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 1904) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 1904) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 2016) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 2016) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 192) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 192) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 368) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 368) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 640) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 640) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: aawservice.exe (PID: 868) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: aawservice.exe (PID: 868) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: LEXBCES.EXE (PID: 1940) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: LEXBCES.EXE (PID: 1940) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: spoolsv.exe (PID: 1984) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: spoolsv.exe (PID: 1984) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: agrsmsvc.exe (PID: 596) Address: 0x00660000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: agrsmsvc.exe (PID: 596) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: AppleMobileDeviceService.exe (PID: 384) Address: 0x006d0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: AppleMobileDeviceService.exe (PID: 384) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: guard.exe (PID: 620) Address: 0x006e0000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: guard.exe (PID: 620) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: mDNSResponder.exe (PID: 684) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: mDNSResponder.exe (PID: 684) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: CTsvcCDA.EXE (PID: 776) Address: 0x006a0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: CTsvcCDA.EXE (PID: 776) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 680) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 680) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: LSSrvc.exe (PID: 904) Address: 0x006b0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: LSSrvc.exe (PID: 904) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: LinksysUpdater.exe (PID: 952) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: LinksysUpdater.exe (PID: 952) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: MDM.EXE (PID: 1172) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: MDM.EXE (PID: 1172) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: ccSvcHst.exe (PID: 1196) Address: 0x00610000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: ccSvcHst.exe (PID: 1196) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: java.exe (PID: 1228) Address: 0x008a0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: java.exe (PID: 1228) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: nvsvc32.exe (PID: 1628) Address: 0x006c0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: nvsvc32.exe (PID: 1628) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: svchost.exe (PID: 2988) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: svchost.exe (PID: 2988) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: TUProgSt.exe (PID: 3120) Address: 0x00770000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: TUProgSt.exe (PID: 3120) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: CALMAIN.exe (PID: 3188) Address: 0x006b0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: CALMAIN.exe (PID: 3188) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: WMPNetwk.exe (PID: 3256) Address: 0x00770000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: WMPNetwk.exe (PID: 3256) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: nmsrvc.exe (PID: 3428) Address: 0x006b0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: nmsrvc.exe (PID: 3428) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: alg.exe (PID: 3596) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: alg.exe (PID: 3596) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: wmiprvse.exe (PID: 1532) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: wmiprvse.exe (PID: 1532) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: Explorer.EXE (PID: 2348) Address: 0x00ab0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: Explorer.EXE (PID: 2348) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: ccSvcHst.exe (PID: 2452) Address: 0x00890000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: ccSvcHst.exe (PID: 2452) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: ctfmon.exe (PID: 2644) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: ctfmon.exe (PID: 2644) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: MemOptimizer.exe (PID: 3652) Address: 0x01480000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: MemOptimizer.exe (PID: 3652) Address: 0x01530000 Size: 49152

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: pg2.exe (PID: 928) Address: 0x00b50000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: pg2.exe (PID: 928) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: RootRepeal.exe (PID: 2796) Address: 0x00ae0000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: RootRepeal.exe (PID: 2796) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: Iexplore.exe (PID: 3476) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: Iexplore.exe (PID: 3476) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbcdwqiwihe.dll]
Process: wmiprvse.exe (PID: 1768) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UACgoevruwxut.dll]
Process: wmiprvse.exe (PID: 1768) Address: 0x10000000 Size: 45056

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x867d11e8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Edited by nitro1, 02 August 2009 - 08:08 PM.


#8 boopme
Global Moderator

Posted 02 August 2009 - 09:13 PM

OK, that's what we needed!!

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\UACbcdwqiwihe.dll
C:\WINDOWS\system32\UACdxxdevjlnc.dll
C:\WINDOWS\system32\UACgoevruwxut.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACkmrsdommju.dll
C:\WINDOWS\system32\UAClkytjixols.dll
C:\WINDOWS\system32\drivers\UACqrosrvoiye.sys


Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#9 nitro1
Topic Starter

Posted 02 August 2009 - 10:09 PM

Newest log:
Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 5.1.2600 Service Pack 2

8/2/2009 9:08:38 PM
mbam-log-2009-08-02 (21-08-38).txt

Scan type: Quick Scan
Objects scanned: 106555
Time elapsed: 14 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\temp\UAC2a37.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACbcdwqiwihe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACdxxdevjlnc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACgoevruwxut.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACkjduqtxnfv.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACkmrsdommju.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UAClkytjixols.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACqrosrvoiye.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Going to restart now.

Edit: it appears to be good now. Running better, though still a bit slow. But nothing seems to be picked up by Norton or MBAM. Let me know if there is anything else I can do to help speed up my computer. If not, thanks a ton for all the help. I really appreciate it.

Edited by nitro1, 02 August 2009 - 10:58 PM.


#10 boopme
Global Moderator

Posted 03 August 2009 - 08:30 AM

You're welcome and it does look good. Let's do these and see if there is anything left.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from its icon, then install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, the amount of memory, hard drives installed, etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#11 nitro1
Topic Starter

Posted 03 August 2009 - 03:33 PM

Posting this from another computer as I am currently running SUPER on the infected one. Been going nearly 3 hours now, kind of regretting my iTunes library right about now... Don't think it'll be done anytime soon unfortunately, but the scanned memory and registry items are showing no threats detected.

#12 boopme
Global Moderator

Posted 03 August 2009 - 03:52 PM

The iTunes are probably safe unless they were pulled from a Limewire type.

#13 nitro1
Topic Starter

Posted 03 August 2009 - 04:50 PM

I assumed it would be safe as well, didn't think to somehow exclude it beforehand. I'd rather not start over now so I suppose I will let it run the rest of the day. Hopefully by the time I go to bed it will be finished and I can post a log for you to see in the morning or whenever you next check up on me. Again, thanks for your continued help.

#14 nitro1
Topic Starter

Posted 04 August 2009 - 01:09 AM

Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/03/2009 at 10:37 PM

Application Version : 4.27.1000

Core Rules Database Version : 4034
Trace Rules Database Version: 1974

Scan type : Complete Scan
Total Scan Time : 10:57:04

Memory items scanned : 210
Memory threats detected : 0
Registry items scanned : 9605
Registry threats detected : 0
File items scanned : 124352
File threats detected : 0

Any more steps or is it safe to say I'm finally clean? PC seems to be running fine as of now.

#15 boopme
Global Moderator

Posted 04 August 2009 - 10:27 AM

Well, since they upgraded MBAM yesterday, let's get one more ten-minute scan and be safe about this.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.



