
Trojan.Metajuan


16 replies to this topic

#1 gibby5


Posted 05 August 2009 - 09:45 AM

Norton picked up a Trojan.Metajuan virus and I can't figure out how to delete it. I've tried safe mode, updating the virus definitions, and everything they say to do, but I can't figure out how to be rid of it.

I really would like to be rid of this, so if anybody can help that would be incredible. Thanks in advance.


#2 quietman7


Posted 05 August 2009 - 10:02 AM

Please download Malwarebytes Anti-Malware (v1.40) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- If Malwarebytes Anti-Malware results in any error messages, please refer to Fixes for common problems and Error Codes. Some issues with errors can be related to malware infection but others are not.

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 gibby5


Posted 05 August 2009 - 10:42 AM

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/5/2009 11:37:52 AM
mbam-log-2009-08-05 (11-37-52).txt

Scan type: Quick Scan
Objects scanned: 88711
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\axnscoewmr.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\f.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\msxml71.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Gibson\Local Settings\Temp\nwomecaxsr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.




----------------------------
Thanks for the help so far

#4 quietman7


Posted 05 August 2009 - 11:08 AM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your database shows 2551. Last I checked it was 2563.

IMPORTANT NOTE: One or more of the identified infections (UAC[random characters].***) was related to a backdoor Trojan and a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#5 gibby5


Posted 05 August 2009 - 12:05 PM

Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 8/5/2009 at 12:12:40 PM
User "Bret Gibson" on computer "BRETBOX"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\Temp\UACf00d.tmp
Hidden: file C:\WINDOWS\system32\UACylayoaquhr.db
Hidden: file C:\WINDOWS\system32\UACsdlhqacnxt.dat
Hidden: file C:\WINDOWS\system32\UACmkulptnlbc.dll
Hidden: file C:\WINDOWS\Temp\UACf414.tmp
Hidden: file C:\WINDOWS\Temp\UACf82b.tmp
Hidden: file C:\WINDOWS\Temp\UACfb48.tmp
Hidden: file C:\WINDOWS\Temp\UACff30.tmp
Hidden: file C:\WINDOWS\system32\UACyatqpkjent.dll
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\UACupiahsvwly.dll
Hidden: file C:\WINDOWS\system32\UACkbhlbtcebn.dll
Stopped logging on 8/5/2009 at 12:16:01 PM


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 8/5/2009 at 12:16:07 PM
User "Bret Gibson" on computer "BRETBOX"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\Temp\UACf00d.tmp
Hidden: file C:\WINDOWS\system32\UACylayoaquhr.db
Hidden: file C:\WINDOWS\system32\UACsdlhqacnxt.dat
Hidden: file C:\WINDOWS\system32\UACmkulptnlbc.dll
Hidden: file C:\WINDOWS\Temp\UACf414.tmp
Hidden: file C:\WINDOWS\Temp\UACf82b.tmp
Hidden: file C:\WINDOWS\Temp\UACfb48.tmp
Hidden: file C:\WINDOWS\Temp\UACff30.tmp
Hidden: file C:\WINDOWS\system32\UACyatqpkjent.dll
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\UACupiahsvwly.dll
Hidden: file C:\WINDOWS\system32\UACkbhlbtcebn.dll
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Bret Gibson\Local Settings\Temp\UAC48d3.tmp
Stopped logging on 8/5/2009 at 12:35:54 PM


A few questions:
Okay, so the rootkit scan didn't turn up anything it said to remove, so should I do anything else there?
And finally, if my computer is infected until it is wiped clean, would it be safe to use it for web browsing and such, if I didn't enter any passwords or other information into it?

EDIT: Fixed malwarebytes problem, the scan log will be posted in the next post.

Edited by gibby5, 05 August 2009 - 12:08 PM.


#6 quietman7


Posted 05 August 2009 - 12:33 PM

And finally if my computer is infected until it is wiped clean, would it be safe to use it for web browsing and such, if I didn't enter any passwords or other information into it?

Using infected computers on the Internet is a security risk to everyone. When there are insecure or infected computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more machines become compromised. The longer malware remains on your system, the more time it has to download more malicious files which makes disinfection more problematic.

Sophos ARK does not recommend removal of files which the scanner does not recognize. However, that does not mean those files are all good and should be left alone. Further investigation is required after the initial scan to analyze and identify malicious files which were detected so they can be manually removed during a subsequent scan.

Please rescan with Sophos AntiRootkit again and select to remove the following entries if still present.
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\Temp\UACf00d.tmp
Hidden: file C:\WINDOWS\system32\UACylayoaquhr.db
Hidden: file C:\WINDOWS\system32\UACsdlhqacnxt.dat
Hidden: file C:\WINDOWS\system32\UACmkulptnlbc.dll
Hidden: file C:\WINDOWS\Temp\UACf414.tmp
Hidden: file C:\WINDOWS\Temp\UACf82b.tmp
Hidden: file C:\WINDOWS\Temp\UACfb48.tmp
Hidden: file C:\WINDOWS\Temp\UACff30.tmp
Hidden: file C:\WINDOWS\system32\UACyatqpkjent.dll
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\UACupiahsvwly.dll
Hidden: file C:\WINDOWS\system32\UACkbhlbtcebn.dll
Hidden: file C:\Documents and Settings\Bret Gibson\Local Settings\Temp\UAC48d3.tmp
  • Follow the prompts to remove them and restart your computer.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • Post the contents of the sarscan.log in your next reply.
Then rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Edited by quietman7, 05 August 2009 - 12:34 PM.

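The triage the helper describes above (sort the hidden entries a Sophos Anti-Rootkit scan reports into the UAC[random characters].* pattern tied to the TDSS rootkit versus hidden entries from other software that need further investigation) can be done over the sarscan.log text itself. The following is an added example written for this thread, not a Sophos or BleepingComputer tool; the sample log is constructed and abbreviated from the scan posted above, and the name-pattern rule is a heuristic taken from the helper's description, not a Sophos detection.

```python
"""Triage helper for Sophos Anti-Rootkit (sarscan.log) output.

Added example for this thread; not Sophos's or BleepingComputer's code.
It parses the "Hidden: file ..." and "Hidden: registry item ..." lines the
scanner writes and separates entries whose last path component follows the
UAC[random characters].* naming scheme from hidden entries belonging to
other software (Norton data files, sptd.sys, DHCP registry values), which
the helper left for further investigation rather than removal.
"""
import re
from collections import namedtuple

HiddenItem = namedtuple("HiddenItem", "kind path name")

# Only "Hidden:" lines describe findings; "Info:" lines are progress output.
_HIDDEN_RE = re.compile(r"^Hidden: (file|registry item) (.+)$")

# Heuristic from the thread: "UAC" followed by random characters and an
# extension. uacinit.dll is lower-case, so the match is case-insensitive.
_UAC_FILE_RE = re.compile(r"^uac[0-9a-z]+\.[a-z0-9]{1,4}$", re.IGNORECASE)
# Registry side: the SOFTWARE\UAC key and the UACd.sys service key.
_UAC_KEY_RE = re.compile(r"^uac[0-9a-z]*(\.sys)?$", re.IGNORECASE)

# Constructed sample, abbreviated from the second scan posted in this thread.
SAMPLE_LOG = r"""
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/5/2009 at 12:16:07 PM
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\cltLMS1.dat
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Bret Gibson\Local Settings\Temp\UAC48d3.tmp
Stopped logging on 8/5/2009 at 12:35:54 PM
"""


def parse_sarscan(text):
    """Return the hidden items in a sarscan.log, in log order."""
    items = []
    for line in text.splitlines():
        m = _HIDDEN_RE.match(line.strip())
        if not m:
            continue
        kind, path = m.groups()
        # Last path component: file name or final registry key/value name.
        name = path.rstrip("\\").rsplit("\\", 1)[-1]
        items.append(HiddenItem(kind, path, name))
    return items


def is_uac_pattern(item):
    """True when the entry's name follows the UAC[random].* scheme."""
    if item.kind == "file":
        return bool(_UAC_FILE_RE.match(item.name))
    return bool(_UAC_KEY_RE.match(item.name))


def triage(text):
    """Split a log into (removal candidates, entries needing further review)."""
    candidates, review = [], []
    for item in parse_sarscan(text):
        (candidates if is_uac_pattern(item) else review).append(item)
    return candidates, review


if __name__ == "__main__":
    cands, other = triage(SAMPLE_LOG)
    print("Matches the UAC pattern (select for removal in the rescan):")
    for it in cands:
        print("  ", it.kind, it.path)
    print("Hidden but not the UAC pattern (investigate before touching):")
    for it in other:
        print("  ", it.kind, it.path)
```

Running it against a real sarscan.log only shortens the manual step; as the helper says, anything outside the pattern still needs a human to decide whether it belongs to legitimate software.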

#7 gibby5


Posted 05 August 2009 - 02:06 PM

ARK:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/5/2009 at 12:12:40 PM
User "Bret Gibson" on computer "BRETBOX"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\Temp\UACf00d.tmp
Hidden: file C:\WINDOWS\system32\UACylayoaquhr.db
Hidden: file C:\WINDOWS\system32\UACsdlhqacnxt.dat
Hidden: file C:\WINDOWS\system32\UACmkulptnlbc.dll
Hidden: file C:\WINDOWS\Temp\UACf414.tmp
Hidden: file C:\WINDOWS\Temp\UACf82b.tmp
Hidden: file C:\WINDOWS\Temp\UACfb48.tmp
Hidden: file C:\WINDOWS\Temp\UACff30.tmp
Hidden: file C:\WINDOWS\system32\UACyatqpkjent.dll
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\UACupiahsvwly.dll
Hidden: file C:\WINDOWS\system32\UACkbhlbtcebn.dll
Stopped logging on 8/5/2009 at 12:16:01 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/5/2009 at 12:16:07 PM
User "Bret Gibson" on computer "BRETBOX"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\Temp\UACf00d.tmp
Hidden: file C:\WINDOWS\system32\UACylayoaquhr.db
Hidden: file C:\WINDOWS\system32\UACsdlhqacnxt.dat
Hidden: file C:\WINDOWS\system32\UACmkulptnlbc.dll
Hidden: file C:\WINDOWS\Temp\UACf414.tmp
Hidden: file C:\WINDOWS\Temp\UACf82b.tmp
Hidden: file C:\WINDOWS\Temp\UACfb48.tmp
Hidden: file C:\WINDOWS\Temp\UACff30.tmp
Hidden: file C:\WINDOWS\system32\UACyatqpkjent.dll
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\UACupiahsvwly.dll
Hidden: file C:\WINDOWS\system32\UACkbhlbtcebn.dll
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Bret Gibson\Local Settings\Temp\UAC48d3.tmp
Stopped logging on 8/5/2009 at 12:35:54 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/5/2009 at 13:44:15 PM
User "Bret Gibson" on computer "BRETBOX"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803e7c1&0&00E2\LogConf\BootConfig
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpIPAddress
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpSubnetMask
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpRetryTime
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpRetryStatus
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpNameServer
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpDefaultGateway
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpDomain
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\DhcpSubnetMaskOpt
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\Parameters\Tcpip\DhcpDefaultGateway
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{A817FC98-7065-4DA8-BE74-C507D9A70DD4}\Parameters\Tcpip\DhcpSubnetMaskOpt
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACxydjejnkxx.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
Hidden: file C:\WINDOWS\system32\UACsdlhqacnxt.dat
Hidden: file C:\WINDOWS\system32\UACyatqpkjent.dll
Hidden: file C:\WINDOWS\Temp\UAC6b43.tmp
Hidden: file C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
Hidden: file C:\WINDOWS\system32\UACylayoaquhr.db
Hidden: file C:\WINDOWS\Temp\UACf8a8.tmp
Hidden: file C:\WINDOWS\system32\UACmkulptnlbc.dll
Hidden: file C:\WINDOWS\system32\UACupiahsvwly.dll
Hidden: file C:\WINDOWS\system32\UACkbhlbtcebn.dll
Hidden: file C:\WINDOWS\Temp\UACfd4b.tmp
Hidden: file C:\WINDOWS\Temp\UAC1d0.tmp
Hidden: file C:\WINDOWS\Temp\UAC395.tmp
Hidden: file C:\WINDOWS\Temp\UAC7cb.tmp
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Bret Gibson\Local Settings\Temp\UAC48d3.tmp
Stopped logging on 8/5/2009 at 14:03:23 PM

Other Scan:
Malwarebytes' Anti-Malware 1.40
Database version: 2564
Windows 5.1.2600 Service Pack 3

8/5/2009 3:05:48 PM
mbam-log-2009-08-05 (15-05-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138678
Time elapsed: 52 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 quietman7


Posted 05 August 2009 - 02:29 PM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks "What do you want to include in the scan?", check all the boxes.
  • Click OK.
  • In the Select Drives dialog ("Please select drives to scan:"), select all drives showing, then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 gibby5 (Topic Starter, Members, 10 posts)

Posted 05 August 2009 - 03:14 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/05 16:07
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA967C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BF4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8862
Image Path: \Driver\PCI_PNP8862
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA89A1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spzp.sys
Image Path: spzp.sys
Address: 0xF751D000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF73DC000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85de7e90

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x85de88e8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x857c17e0

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x861636b0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85c15520

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa8e7040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8602bbb8

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x85c2c1f8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85e74af0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86163fd0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa8e72c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa8e7820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8603b450

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spzp.sys" at address 0xf753cca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spzp.sys" at address 0xf753d030

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86159bc0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x85de7ae0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x85de7d18

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x85b85848

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x85fc0b90

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x85de7888

#: 119 Function Name: NtOpenKey
Status: Hooked by "spzp.sys" at address 0xf751e0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8602a5b0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x85deee70

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x85de6508

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8602a4d8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c26cb8

#: 160 Function Name: NtQueryKey
Status: Hooked by "spzp.sys" at address 0xf753d108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spzp.sys" at address 0xf753cf88

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85e2c148

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85de9410

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86173548

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x85c5d418

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa8e7a70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85de6718

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85de8a80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85e05ca0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85de90c8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x85de9b30

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85bde6a8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x863661f8 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_CREATE]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_CLOSE]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_READ]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_WRITE]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_CLEANUP]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Udfsȅఆ䵃ĸꏀ㞀㞀䀀#䀀, IRP_MJ_PNP]
Process: System Address: 0x85cf5500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x860b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x861451f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x863681f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85bc8500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85bc8500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bc8500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85bc8500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85bc8500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85bc8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x862081f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85bb7500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85bb7500 Size: 121

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x85e36910

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85e79528

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85e77290

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x85e2b5c0

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8615fef0

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x861c9e40

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x86212818

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x86211d50

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x84c4d008

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x85e224b0

==EOF==

#10 gibby5 (Topic Starter, Members, 10 posts)

Posted 05 August 2009 - 06:44 PM

bump bump bump..

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 05 August 2009 - 09:08 PM

Please be patient. Staff members are all volunteers and we assist other members as well as you. We have jobs in the real world and families so we are not logged into the forums all day long.

Double-click on RootRepeal.exe to launch it.
  • Click the Drivers tab, then click the Scan button.
  • Right-click on UACyjlicngkrn.sys and then click the Wipe File option only.
  • Click on the Files tab, then click the Scan button.
  • In the Select Drives dialog ("Please select drives to scan:"), select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Use your mouse to highlight the following files:
    Path: C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys
  • Right-click on those files and then click the Wipe File option only.
  • Click the Hidden Services tab, then click the Scan button.
  • Right-click on UACd.sys and then click the Wipe File option.
  • Exit RootRepeal and immediately restart the computer.
Then rescan again with Malwarebytes Anti-Malware (Full Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
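A parser and first-pass triage for reports in the RootRepeal layout posted in #9; the hidden service UACd.sys with its image UACyjlicngkrn.sys, which #11 singles out, comes straight from the Hidden Services section, and SSDT hooks attributed to "<unknown>" are separated from those owned by a known driver. This is an added example, not code from the thread or from RootRepeal; the allow-list of expected hooking modules and the report excerpt are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the layout of the RootRepeal 1.3.3.0 report posted above
# (names and addresses copied from that post; sample input, not a live scan).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Program Version: Version 1.3.3.0

Drivers
-------------------
Name: spzp.sys
Image Path: spzp.sys
Address: 0xF751D000 Size: 1048576 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa8e7040

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spzp.sys" at address 0xf753cca2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8602a5b0

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACyjlicngkrn.sys

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85e79528

==EOF==
"""

SECTIONS = ("Drivers", "SSDT", "Stealth Objects", "Hidden Services", "Shadow SSDT")
# One 'Key: ' pattern covers every field RootRepeal prints, including lines that
# carry several fields ("Address: ... Size: ... File Visible: ... Signed: ...").
KEY_RE = re.compile(r"(#|Function Name|Service Name|Image Path|File Visible|Name|"
                    r"Address|Size|Signed|Status|Object|Process): ")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)')

def parse_report(text):
    """Return {section: [record, ...]}; one dict of 'Key: value' fields per record."""
    sections, current, record = defaultdict(list), None, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        line = line.rstrip()
        if line in SECTIONS or not line:       # section header or record separator
            if record:
                sections[current].append(record)
            current, record = (line if line in SECTIONS else current), {}
        elif current is None or line.startswith("---") or line == "==EOF==":
            continue                            # banner, rule or footer: no fields
        else:
            parts = KEY_RE.split(line)          # ['', key1, val1, key2, val2, ...]
            for key, val in zip(parts[1::2], parts[2::2]):
                record[key] = val.strip()
    return dict(sections)

def hooks_by_module(sections, section="SSDT"):
    """Count hooked syscalls per hooking module. '<unknown>' means RootRepeal could
    not attribute the hook to any loaded driver image, the case to look at first."""
    counts = Counter()
    for rec in sections.get(section, []):
        m = HOOK_RE.match(rec.get("Status", ""))
        if m:
            counts[m.group("module")] += 1
    return counts

# Hooks expected on this box: Norton's SYMEVENT.SYS and RootRepeal's own driver
# (constructed allow-list for the demo; real triage verifies signatures and hashes).
KNOWN_HOOKERS = {"symevent.sys", "rootrepeal.sys"}

def triage(sections):
    """Return (section, item, detail) tuples a responder should look at first."""
    findings = []
    for section in ("SSDT", "Shadow SSDT"):
        for rec in sections.get(section, []):
            m = HOOK_RE.match(rec.get("Status", ""))
            if m and m.group("module").rsplit("\\", 1)[-1].lower() not in KNOWN_HOOKERS:
                findings.append((section, rec["Function Name"], m.group("module")))
    for rec in sections.get("Hidden Services", []):   # service hidden from the SCM view
        findings.append(("Hidden Services", rec["Service Name"], rec["Image Path"]))
    for rec in sections.get("Drivers", []):
        # A loaded driver reported only by bare file name has no image to verify on disk.
        if rec.get("File Visible") == "No" and "\\" not in rec.get("Image Path", ""):
            findings.append(("Drivers", rec["Name"], rec["Image Path"]))
    return findings
```

Run it on a saved rootrepeal.txt with `triage(parse_report(open("rootrepeal.txt").read()))`; the allow-list is the part to adjust per machine, since which hooking drivers are legitimate depends on the security software installed.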

#12 gibby5 (Topic Starter, Members, 10 posts)

Posted 06 August 2009 - 09:20 AM

Okay, after running RootRepeal I couldn't find the driver that you were talking about, nor did the file show up, but the hidden service did, and it wouldn't let me wipe it because it said "error: could not find file on disk".

Any ideas?

#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 06 August 2009 - 09:30 AM

RootRepeal searches for any services that have been hidden, and allows the corresponding service file to be wiped, copied or force-deleted. The registry entry is either present and hidden, or present and locked. However, finding a hidden service entry does not always mean that the associated file is present so it appears we were able to remove it.

Continue with running MBAM again. Also let me know how your computer is running and if there are any more reports/signs of infection.

#14 gibby5 (Topic Starter, Members, 10 posts)

Posted 06 August 2009 - 04:06 PM

Well, MBAM didn't find anything.
Scan:
Malwarebytes' Anti-Malware 1.40
Database version: 2570
Windows 5.1.2600 Service Pack 3

8/6/2009 5:03:22 PM
mbam-log-2009-08-06 (17-03-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138424
Time elapsed: 1 hour(s), 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And the computer seems to be running pretty well, maybe a little bit slow but that would be it.

Thanks so much for all your help!

#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 06 August 2009 - 08:42 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

If your computer/browser seems to be slow, please refer to Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness and poor performance besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, too many browser Add-ons (toolbars), not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.



