
Video popups opening by themselves


38 replies to this topic

#1 brussel57

brussel57

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 09 August 2009 - 08:48 PM

Something is going on with my computer but I can't figure it out. I think some type of spyware is running on it.

My computer is a Dell running Windows XP Version 2002 service pack 2.

Noticed last night what sounded like a video playing on my computer. Thought at first there was a window minimized but couldn't see it. My husband then said that he had a warning earlier about a virus and installed "Protection System Software" from the link in the warning. (I have now explained to him to never do this again - it can be fake). I ran McAfee to see if there was a problem - it came back with the following below, with detection, file name and McAfee action taken.

Generic Rootkit.d!rootkit ----- ntoskrnl-hook ------ removed
FakeAlert-FN --------- wscvc32.exe ------------- quarantined
FakeAlert-FT --------- resdel.dll ------------ quarantined
Generic FakeAlert.k ---------- wingenocx.dll ----------- quarantined

Thought everything was okay, but my son said that this afternoon when he was on the computer a commercial kept playing but he couldn't see it. I figured the popup setting had been messed with - so I adjusted it to allow no popups.

However, this evening while watching TV - no one was on the computer - I saw a video commercial suddenly start up. There was nothing - no programs, no internet - nothing being used on the computer at the time.

I've tried to use Malwarebytes' Anti-Malware but the program won't run after I install it. Could someone help?



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 09 August 2009 - 08:55 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bullet and press Submit.


Let's try a fix to get Malwarebytes to run (Fatdcuk's fix):

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Computer Pro

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 09 August 2009 - 09:08 PM

Hello please run this too.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 09 August 2009 - 10:58 PM

Thank you both for helping out so quickly. I really appreciate it. I made the adjustment to my topic notification as you told me, Computer Pro.

I got Malwarebytes to run and the log is posted below. But with RootRepeal, I can get it to run - but it goes through the scan quickly and then just closes without saying if it completed the scan. It doesn't give me the option to view or save the log, so I can't post that information.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/9/2009 11:24:26 PM
mbam-log-2009-08-09 (23-24-26).txt

Scan type: Quick Scan
Objects scanned: 95919
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Margie\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margie\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margie\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Margie\Application Data\MalwareRemovalBot\Log\2009 Aug 09 - 07_51_15 PM_968.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 09 August 2009 - 11:39 PM

Hi..

Rerun MBAM (MalwareBytes) like this:
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
Open MBAM in normal mode and click the Update tab, select Check for Updates; when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#6 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 10 August 2009 - 06:11 PM

Hi Boopme

I downloaded both ATF Cleaner and SuperAntiSpyware. Unfortunately I can't install SuperAntiSpyware if I download it first. It gives me a "SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience." "Please tell Microsoft about it." option to send a report to them.

I was able to install it if I hit Run when I go to download it. Thought it was all right, but when I proceed in safe mode I get the same error message.

Is there something else I can do?

Thanks
brussel57

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 10 August 2009 - 09:10 PM

If SUPERAntiSpyware is not currently installed, please download and run one of these alternate versions of the install package:

SUPERAntiSpyware FREE Edition Installer

If SUPERAntiSpyware is already installed but simply will not run, please download and run the following program:

RUNSAS.EXE


After that scan or not.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#8 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 11 August 2009 - 08:45 AM

Hi Boopme

Wanted to update you so you didn't think I wasn't doing as instructed. I am now able to run SuperAntiSpyware using Runsas (thank you so much for the link).

SuperAntiSpyware was running last night and was finding quite a few things. However, I paused part way through so I could go to bed. I finished the scan this morning, and SuperAntiSpyware was halfway into the quarantine phase when I received a message about the computer shutting down due to RPC terminating. RPC = Remote Procedure Call. I think this occurred because I left the modem on. There was no way for me to stop the shutdown.

Anyway, I have now rebooted in safe mode and restarted the scan after turning the modem off. When I get home from work hopefully everything will be done and I can post the log for you.

Keeping my fingers crossed
brussel57

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 11 August 2009 - 11:31 AM

OK, thank you. As I am sure I'll still want this after that, I will post it now.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

As always... How is it running?

#10 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 11 August 2009 - 11:34 PM

boopme

I'm having problems completing the SuperAntiSpyware instructions. I get to the point where it is quarantining items it found during the scan; half way through I received the following error message: "windows must restart because RPS (remote procedure service) terminated unexpectedly". There is no way I can stop the system from shutting down, it just reboots on its own.

This is the third time I tried to get past the quarantining process.

I have posted the SuperAntiSpyware log, which shows some items. Hopefully it helps.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/11/2009 at 11:32 PM

Application Version : 4.27.1002

Core Rules Database Version : 4048
Trace Rules Database Version: 1988

Scan type : Complete Scan
Total Scan Time : 03:34:38

Memory items scanned : 290
Memory threats detected : 1
Registry items scanned : 6961
Registry threats detected : 72
File items scanned : 181237
File threats detected : 7

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACXUJYENJTTK.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACXUJYENJTTK.DLL

Adware.MovieLand/MediaPipe
HKCR\AppId\AMNotifier.EXE
HKCR\AppId\AMNotifier.EXE#AppID
HKCR\AppId\MPAgent.DLL
HKCR\AppId\MPAgent.DLL#AppID

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#e0ae8144
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Malware.Installer-Pkg/Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE
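The log above is worth reading past the detection counts: the `\?\GLOBALROOT` path is a file that the scanner could only reach by bypassing the normal Win32 file API (one sign of a rootkit hiding files), and the long list of `HKLM\SOFTWARE\UAC\disallowed#...` values names the security tools the malware refuses to let run, which is why mbam.exe had to be renamed to start at all. The following script is an added example, not code from the thread or from SUPERAntiSpyware: it parses a log in this format into per-threat item lists and pulls out those two indicators. The layout of the log (blank-line separated blocks, a threat name followed by registry or file paths) is assumed from the post above, and SAMPLE_LOG is an excerpt constructed from it so the script runs offline.

```python
"""Parse a SUPERAntiSpyware scan log and extract two triage indicators.

Added example, not part of the thread. The log layout is assumed from the
log posted above; SAMPLE_LOG is an excerpt constructed from that post.
"""
import re
from collections import OrderedDict

# Constructed excerpt of the posted log (raw string, so backslashes are literal).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/11/2009 at 11:32 PM

Application Version : 4.27.1002

Memory threats detected : 1
Registry threats detected : 72
File threats detected : 7

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACXUJYENJTTK.DLL

Adware.MovieLand/MediaPipe
HKCR\AppId\AMNotifier.EXE

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\injector#*
"""

# A detection block opens with a threat name such as "Rootkit.Agent/Gen-UACFake".
THREAT_RE = re.compile(r"^[A-Za-z][\w.\-]*(?:/[\w.\-]+)?$")
# Every following line is a registry path (HKxx\...), a drive path, or a raw \?\ path.
ITEM_RE = re.compile(r"^(?:HK(?:CR|CU|LM|U)\\|[A-Za-z]:\\|\\)")
# Summary lines look like "Registry threats detected : 72".
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\d+)$")


def parse_sas_log(text):
    """Return (summary, detections).

    summary maps each numeric count label to its int value; detections maps
    each threat name to the list of registry/file items reported under it,
    in log order.
    """
    summary = {}
    detections = OrderedDict()
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in para.splitlines() if ln.strip()]
        for ln in lines:
            m = SUMMARY_RE.match(ln)
            if m:
                summary[m.group("key").strip()] = int(m.group("value"))
        # A block is a detection only if its header is a threat name and
        # every other line is a path; header text never matches both.
        if (len(lines) >= 2 and THREAT_RE.match(lines[0])
                and all(ITEM_RE.match(ln) for ln in lines[1:])):
            detections.setdefault(lines[0], []).extend(lines[1:])
    return summary, detections


def triage(text):
    """Flag the indicators a responder looks for first.

    globalroot_paths: files reported via \\?\\GLOBALROOT, i.e. reachable only
    below the Win32 layer, which is how a rootkit-hidden file shows up.
    blocked_tools: names under a 'disallowed' key; in this log that is the
    malware's own blocklist of security tools it stops from running.
    """
    summary, detections = parse_sas_log(text)
    items = [it for its in detections.values() for it in its]
    return {
        "summary": summary,
        "threat_counts": {name: len(its) for name, its in detections.items()},
        "globalroot_paths": [it for it in items if "GLOBALROOT" in it.upper()],
        "blocked_tools": [it.split("#", 1)[1] for it in items
                          if r"\disallowed#" in it.lower()],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Registry threats reported:", result["summary"].get("Registry threats detected"))
    for name, n in result["threat_counts"].items():
        print(f"{name}: {n} item(s)")
    print("Hidden (GLOBALROOT) files:", result["globalroot_paths"])
    print("Security tools blocklisted by the malware:", result["blocked_tools"])
```

Run it on a saved scan log by passing the file's contents to `triage()`; on the full log from this thread the `blocked_tools` list would cover the whole `disallowed` block, which tells you up front which cleanup utilities will fail to launch under their normal names until the rootkit is removed.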

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 11 August 2009 - 11:43 PM

OK, we have a rootkit trying to survive SAS.
Let's see if we can catch it, as SAS has got some of it.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

#12 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 11 August 2009 - 11:58 PM

Running RootRepeal now.

Quick question: would it be okay to let RootRepeal run overnight without supervision? If so, can I shut my modem down while it runs?

Thanks
brussel57

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 12 August 2009 - 12:05 AM

YES. Shut off the modem and monitor (it uses 75% of the power).

#14 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:09:44 AM

Posted 12 August 2009 - 12:09 AM

Never mind, RootRepeal finished just now. The report is posted below. BTW, I received this error message when I was starting RootRepeal: "could not read the boot sector. Try adjusting the Disk Access level in the Options dialog". But then RootRepeal came up and I was able to proceed. (Not sure if it is important.)

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/12 00:51
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE949000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE7C9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACapqmrvtudd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdsnbgriten.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACovcgqhbtpx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpgopobocxb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtmqxjtqwuy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACulqbbibqjm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxmllhrmuvr.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxujyenjttk.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_pey0xrz68jy4pil
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_3vdt7vuv7fzcgnd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_45uxbjixpho13nk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC1484.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8160.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac9f0d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacb4a8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacc206.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacc2f0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacc3cb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacc4a6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacc5de.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_mbqlviau3kgfrru
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Corel\Suite8\Template\UACC8EN.AST
Status: Invisible to the Windows API!

Path: C:\Corel\Suite8\Template\UACC8EN.DLL
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACmuiyqoltxd.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Margie\Local Settings\Temp\sqlite_3MT4ScRUDXBVlWI
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Margie\Local Settings\Temp\sqlite_412VL77QHVsd60b
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Margie\Local Settings\Temp\UACc017.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Margie\Local Settings\Temp\sqlite_dz2nzfT1KhNeXao
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Margie\Local Settings\Temp\sqlite_vY5ded17mbuEG41
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Margie\Local Settings\Temp\~DF1EB4.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Corel\Suite8\Shared\Help\uacc8en.hlp
Status: Invisible to the Windows API!

Path: C:\Corel\Suite8\Shared\Help\UACC8EN.NLI
Status: Invisible to the Windows API!

Path: C:\Program Files\Verizon\OCB\ecef5b31-f4f8-4f3d-b887-1a5ddd5fe9d5\scripts\UACHelper.js
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: winlogon.exe (PID: 896) Address: 0x00650000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: winlogon.exe (PID: 896) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: services.exe (PID: 940) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: services.exe (PID: 940) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: lsass.exe (PID: 952) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: lsass.exe (PID: 952) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACovcgqhbtpx.dll]
Process: svchost.exe (PID: 1128) Address: 0x00a90000 Size: 73728

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 1128) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UAC1484.tmpenjttk.dll]
Process: svchost.exe (PID: 1128) Address: 0x00990000 Size: 217088

Object: Hidden Module [Name: UACxujyenjttk.dll]
Process: svchost.exe (PID: 1128) Address: 0x027f0000 Size: 217088

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 1128) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 1280) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 1280) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 1324) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 1324) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 1464) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 1464) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 1544) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 1544) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: spoolsv.exe (PID: 1744) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: spoolsv.exe (PID: 1744) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: Explorer.EXE (PID: 1840) Address: 0x00bb0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: Explorer.EXE (PID: 1840) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 1876) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 1876) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: AppleMobileDeviceService.exe (PID: 1928) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: AppleMobileDeviceService.exe (PID: 1928) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mDNSResponder.exe (PID: 1980) Address: 0x00720000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mDNSResponder.exe (PID: 1980) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: cvpnd.exe (PID: 2028) Address: 0x00b50000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: cvpnd.exe (PID: 2028) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: jusched.exe (PID: 220) Address: 0x00ab0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: jusched.exe (PID: 220) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: jqs.exe (PID: 236) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: jqs.exe (PID: 236) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: DMXLauncher.exe (PID: 252) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: DMXLauncher.exe (PID: 252) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: RealPlay.exe (PID: 260) Address: 0x01250000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: RealPlay.exe (PID: 260) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: DLACTRLW.EXE (PID: 276) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: DLACTRLW.EXE (PID: 276) Address: 0x00af0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: hkcmd.exe (PID: 312) Address: 0x003b0000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: hkcmd.exe (PID: 312) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: McSACore.exe (PID: 308) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: McSACore.exe (PID: 308) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: igfxpers.exe (PID: 336) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: igfxpers.exe (PID: 336) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: McciCMService.exe (PID: 448) Address: 0x00930000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: McciCMService.exe (PID: 448) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: Acrotray.exe (PID: 512) Address: 0x00b30000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: Acrotray.exe (PID: 512) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcmscsvc.exe (PID: 580) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcmscsvc.exe (PID: 580) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: HPWuSchd2.exe (PID: 612) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: HPWuSchd2.exe (PID: 612) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: smax4pnp.exe (PID: 632) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: smax4pnp.exe (PID: 632) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcnasvc.exe (PID: 680) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcnasvc.exe (PID: 680) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcagent.exe (PID: 808) Address: 0x00b20000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcagent.exe (PID: 808) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: McciTrayApp.exe (PID: 832) Address: 0x00c10000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: McciTrayApp.exe (PID: 832) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: iTunesHelper.exe (PID: 1216) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: iTunesHelper.exe (PID: 1216) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcproxy.exe (PID: 1424) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcproxy.exe (PID: 1424) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcshield.exe (PID: 1584) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcshield.exe (PID: 1584) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: MDM.EXE (PID: 1884) Address: 0x00ab0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: MDM.EXE (PID: 1884) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: MPFSrv.exe (PID: 2144) Address: 0x008a0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: MPFSrv.exe (PID: 2144) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: MskSrver.exe (PID: 2296) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: MskSrver.exe (PID: 2296) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: HPZipm12.exe (PID: 2384) Address: 0x006c0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: HPZipm12.exe (PID: 2384) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 2528) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 2528) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: wdfmgr.exe (PID: 2568) Address: 0x005e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: wdfmgr.exe (PID: 2568) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 2668) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 2668) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: iPodService.exe (PID: 3120) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: iPodService.exe (PID: 3120) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: FNPLicensingService.exe (PID: 3220) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: FNPLicensingService.exe (PID: 3220) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: alg.exe (PID: 3652) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: alg.exe (PID: 3652) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: CalCheck.exe (PID: 3716) Address: 0x01250000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: CalCheck.exe (PID: 3716) Address: 0x01300000 Size: 49152

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: DSAgnt.exe (PID: 3748) Address: 0x00ae0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: DSAgnt.exe (PID: 3748) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: ctfmon.exe (PID: 3772) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: ctfmon.exe (PID: 3772) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: 655f30a0-f564-4889-9f51-5c9840066d06.exe (PID: 3852) Address: 0x003d0000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: 655f30a0-f564-4889-9f51-5c9840066d06.exe (PID: 3852) Address: 0x02d20000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: Snsicon.exe (PID: 3880) Address: 0x01d60000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: Snsicon.exe (PID: 3880) Address: 0x01e10000 Size: 49152

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: hpqimzone.exe (PID: 3928) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: hpqimzone.exe (PID: 3928) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: wuauclt.exe (PID: 116) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: wuauclt.exe (PID: 116) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcsysmon.exe (PID: 1816) Address: 0x00860000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcsysmon.exe (PID: 1816) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: svchost.exe (PID: 2940) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 2940) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: RootRepeal.exe (PID: 3604) Address: 0x00ef0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: RootRepeal.exe (PID: 3604) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: Iexplore.exe (PID: 3160) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: Iexplore.exe (PID: 3160) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: iexplore.exe (PID: 2916) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: iexplore.exe (PID: 2916) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmuiyqoltxd.sys

==EOF==

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 August 2009 - 12:16 AM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\UACapqmrvtudd.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACovcgqhbtpx.dll
C:\WINDOWS\system32\UACpgopobocxb.dll
C:\WINDOWS\system32\UACtmqxjtqwuy.dll
C:\WINDOWS\system32\UACulqbbibqjm.dll
C:\WINDOWS\system32\UACxujyenjttk.dll
C:\WINDOWS\system32\drivers\UACmuiyqoltxd.sys


Then use your mouse to highlight each one in the Rootrepeal window.
Next, right-click it and select the *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?
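
The RootRepeal report above and the wipe list in boopme's reply are two views of the same data: the "Hidden Module" records name two DLLs injected into nearly every running process (including McAfee's own mcshield.exe), and the "Hidden Services" record names the driver that hides them. The script below is an added example, not code from the thread, from RootRepeal or from MBAM. It parses the report format as posted, counts how widely each hidden DLL was injected, flags security-product processes that carry one, and derives the file list a helper would ask the poster to find in the Files tab. The embedded report is a constructed excerpt of the log above; the system32 directory used for the bare DLL names and the set of McAfee process names are assumptions of this example.

```python
"""Triage a RootRepeal "Hidden Module" / "Hidden Services" report.

Added example for this thread; not RootRepeal, MBAM or BleepingComputer code.
It answers two questions a helper asks of such a log: which hidden modules
sit in which processes (and how widely), and which on-disk files must go
through RootRepeal's Files tab / *wipe file* before the reboot.
"""
import re
from collections import defaultdict

# Constructed excerpt of the RootRepeal output posted in this thread (the
# full report lists the same two DLLs in dozens of processes).
SAMPLE_REPORT = r"""
Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: RealPlay.exe (PID: 260) Address: 0x01250000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: RealPlay.exe (PID: 260) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpgopobocxb.dll]
Process: mcshield.exe (PID: 1584) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: mcshield.exe (PID: 1584) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACapqmrvtudd.dll]
Process: svchost.exe (PID: 2528) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmuiyqoltxd.sys

==EOF==
"""

MODULE_RE = re.compile(r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROCESS_RE = re.compile(
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)"
)
SERVICE_RE = re.compile(r"Service Name: (?P<svc>\S+)")
IMAGE_RE = re.compile(r"Image Path: (?P<path>.+)")

# McAfee processes seen in the posted report (this example's own list). A
# hidden module inside one of these means the scanner's own view is tainted.
SECURITY_PROCESSES = {"mcshield.exe", "mcagent.exe", "mcproxy.exe",
                      "mcsysmon.exe", "mpfsrv.exe", "mcsacore.exe"}


def parse_report(text):
    """Return (modules, services).

    modules: dll name -> list of (process, pid, load address, size)
    services: list of (service name, image path)
    RootRepeal prints each object as a two-line record, so the parser keeps
    the last object header and pairs it with the detail line that follows.
    """
    modules = defaultdict(list)
    services = []
    pending_module = pending_service = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MODULE_RE.search(line)):
            pending_module = m.group("name")
        elif (m := PROCESS_RE.search(line)) and pending_module:
            modules[pending_module].append(
                (m.group("proc"), int(m.group("pid")),
                 int(m.group("addr"), 16), int(m.group("size"))))
            pending_module = None
        elif (m := SERVICE_RE.search(line)):
            pending_service = m.group("svc")
        elif (m := IMAGE_RE.search(line)) and pending_service:
            services.append((pending_service, m.group("path").strip()))
            pending_service = None
    return dict(modules), services


def injection_summary(modules):
    """Per hidden DLL: distinct PIDs hit, share of all listed PIDs, process names."""
    all_pids = {pid for hits in modules.values() for _, pid, _, _ in hits}
    summary = {}
    for name, hits in modules.items():
        pids = {pid for _, pid, _, _ in hits}
        summary[name] = {
            "pid_count": len(pids),
            "coverage": len(pids) / len(all_pids) if all_pids else 0.0,
            "processes": sorted({p for p, _, _, _ in hits}, key=str.lower),
        }
    return summary


def compromised_security_processes(modules):
    """Security-product processes that have a hidden module loaded."""
    return sorted({proc for hits in modules.values() for proc, _, _, _ in hits
                   if proc.lower() in SECURITY_PROCESSES})


def files_to_wipe(modules, services, system32=r"C:\WINDOWS\system32"):
    """Wipe list: every hidden DLL plus every hidden service's driver.

    RootRepeal names hidden modules by bare file name; the system32 location
    is an assumption of this example, so confirm each path in the Files tab.
    """
    paths = {system32 + "\\" + name for name in modules}
    paths.update(path for _, path in services)
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    mods, svcs = parse_report(SAMPLE_REPORT)
    for name, info in injection_summary(mods).items():
        print(f"{name}: in {info['pid_count']} PIDs "
              f"({info['coverage']:.0%} of listed), {', '.join(info['processes'])}")
    print("security processes carrying a hidden module:",
          compromised_security_processes(mods))
    print("files to wipe, then reboot immediately:")
    for p in files_to_wipe(mods, svcs):
        print("  ", p)
```

Run it against the full report pasted from RootRepeal rather than the excerpt to see the real coverage figures. Two things in the output matter for the clean-up order: a hidden DLL sitting inside mcshield.exe is why McAfee's earlier "removed" verdict cannot be trusted, and the driver from the "Hidden Services" block belongs on the wipe list alongside the DLLs, since it is what keeps them hidden after a reboot. The wipe list is only as good as the parsed paths, which is why the procedure still has the poster confirm each file in RootRepeal's Files tab before wiping.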



