Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Thousands of Apps Leak Sensitive Data via Misconfigured Firebase Backends

Featured Deal: Get Over 90% off a Windscribe Pro VPN Lifetime Subscription Deal

virus/ Google, Yahoo, Ask... all blank screens and more...

Started by copperhed , Aug 09 2009 08:49 PM

Please log in to reply

8 replies to this topic

#1 copperhed

Members
9 posts
OFFLINE

Local time:02:45 PM

Posted 09 August 2009 - 08:49 PM

Hello.
Seems I may have met my match here and need help finding/removing this problem.
I have Windows Vista Home Ultimate and Norton anti-virus is installed but expired.

In a nutshell, my problems are as follows:

Got a message that a Trojan was blocked (from either Norton or Windows) during internet usage. Then came a Windows Security Alert that I could not close. Shortly thereafter, internet stopped working. Restarted computer and internet worked fine but now Google, Yahoo, Altavista and Ask.com all return a blank screen after I attempt a search. Other sites seem to work fine. The Windows Security Alert icon remains in the tray. When I click it, "The Security Center is turned off". When I click "Turn On Now", I get "The Security Service can't be started". I used another method to enable Security service and it resumed but, once I restarted the computer, it has returned to the same problem.

In addition, System Restore says I have no restore points and acts as though I have never used it before even though I have.
Also, during some restarts, I get Error: 0xC004D401 "The security processor reported a system title mismatch error". Via an online message, Windows tells me that my Vista is "not validated/does not pass validation" likely due to some type of incompatible software I have installed but... I have not installed any new software. When this occurs, it obviously won't even open Windows.

This one is a real doozy.
Any help?

Edited by copperhed, 09 August 2009 - 08:50 PM.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 boopme

To Insanity and Beyond

Global Moderator
73,072 posts
OFFLINE

Gender:Male
Location:NJ USA
Local time:02:45 PM

Posted 09 August 2009 - 08:56 PM

Hello and welcome please run these next. If you have Spybot installed temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 copperhed

Topic Starter

Members
9 posts
OFFLINE

Local time:02:45 PM

Posted 09 August 2009 - 09:10 PM

Thank you for response.
While performing the above operations, I reached the point of "MBAM will automatically start and you will be asked to update the program before performing a scan."
MBAM did NOT automatically start. When I doubleclick the icon to start it, I get a Windows prompt of "Malwarebytes Anti-Malware has stopped working" Windows checks for a solution to the problem, finds nothing and then gives me the option of "close program".
So, MBAM is not running and can't start. I believe I got the same Windows message when the internet wasn't working before.

???

#4 copperhed

Topic Starter

Members
9 posts
OFFLINE

Local time:02:45 PM

Posted 09 August 2009 - 09:30 PM

Just received a "Windows Defender Warning" that said...

-Review harmful or potentially unwanted software-
windows defender detected programs that might compromise your privacy or damage your computer
NAME- Trojan:Win32/Winwebsec
ALERT LEVEL- Severe

After clciking "Remove All", it runs a removal and responds "successful" but I am still having the Google, Yahoo, etc. problem.

#5 boopme

To Insanity and Beyond

Global Moderator
73,072 posts
OFFLINE

Gender:Male
Location:NJ USA
Local time:02:45 PM

Posted 09 August 2009 - 10:16 PM

Ok we will run 2 tools. The first may just fix it ,but we should check with the second as we don't want to leave a kit behind.
Please read and follow all these instructions very carefully.

Please download GooredFix and save it to your Desktop.
Double-click GooredFix.exe to run it.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
- Zip Mirrors (Recommended)
- Rar Mirrors - Only if you know what a RAR is and can extract it.
Extract RootRepeal.exe from the archive.
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

#6 copperhed

Topic Starter

Members
9 posts
OFFLINE

Local time:02:45 PM

Posted 09 August 2009 - 11:12 PM

GooredFix by jpshortstuff (12.07.09)
Log created at 00:02 on 10/08/2009 (Greg)
Firefox version [Unable to determine]

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [01:09 13/02/2009]

-=E.O.F=-

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/10 00:03
Program Version: Version 1.3.3.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_dumpfve.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
Address: 0x903E4000 Size: 69632 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8A50E000 Size: 815104 File Visible: No Signed: -
Status: -

Name: SKYNETwuhnpbps.sys
Image Path: C:\Windows\system32\drivers\SKYNETwuhnpbps.sys
Address: 0x8F31F000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Windows\System32\SKYNETcqlvidno.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\SKYNETenywtcfm.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\SKYNETlxscqtsb.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\SKYNETxlgqpvrt.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACdxcehacipy.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UAClbkpxrxido.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACmevipegodv.db
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACqtnivoiixv.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACubrwuprjrl.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACwruitnnqmb.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACyclbejbtxt.dll
Status: Invisible to the Windows API!

Path: C:\Windows\Temp\SKYNETafivduewqb.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\Temp\UAC40d6.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\System32\drivers\SKYNETwuhnpbps.sys
Status: Invisible to the Windows API!

Path: C:\Windows\System32\drivers\UACedegimxndh.sys
Status: Invisible to the Windows API!

Path: C:\Windows\System32\wbem\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_57b67ceb7de564e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_118a7387f9d14a82.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_c9dd3cb0e555217c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_5d1777c2e857a23b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_9f63b3c292618dec.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_bdf22a22ab9e15d5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16772_none_3fd0636ec44d63f6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20949_none_408173e9dd4c5e75\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18165_none_41c472dec16924fb\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22299_none_4231a10dda9b7df4\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18248_none_01c5b9e9a1ec46b0\$$DeleteMe.wininet.dll.01ca109ca1ae2e90.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_data_files_b03f5f7f11d50a3a_6.0.6001.18111_none_7c8b5cbf426fb0d2\MICROS~1.TAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_data_files_b03f5f7f11d50a3a_6.0.6001.22230_none_65bfcd5b5c1529e5\MICROS~1.TAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalmonospacecf_31bf3856ad364e35_6.0.6000.16708_none_820ff368b2f34b62\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalmonospacecf_31bf3856ad364e35_6.0.6000.20864_none_8254af83cc452d76\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalmonospacecf_31bf3856ad364e35_6.0.6001.18096_none_8392e048b064a7f7\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalmonospacecf_31bf3856ad364e35_6.0.6001.22208_none_847fced9c9377c1d\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6000.16708_none_4c6d3f4bfe5170cb\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6000.20864_none_4cb1fb6717a352df\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6001.18096_none_4df02c2bfbc2cd60\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_data_files_b03f5f7f11d50a3a_6.0.6000.16720_none_7cb07809421da431\MICROS~1.TAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_data_files_b03f5f7f11d50a3a_6.0.6000.20883_none_65e88ead5bbfe924\MICROS~1.TAS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.16708_none_319b7f14a2b4f78c\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.20864_none_31e03b2fbc06d9a0\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6001.18096_none_331e6bf4a0265421\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6001.22208_none_340b5a85b8f92847\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6000.16708_none_ac1fffb2b6ba9be9\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6000.20864_none_ac64bbcdd00c7dfd\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-winfxtargets_31bf3856ad364e35_6.0.6000.16708_none_c7595a2aa4b56e63\MICROS~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-winfxtargets_31bf3856ad364e35_6.0.6000.20864_none_c79e1645be075077\MICROS~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-winfxtargets_31bf3856ad364e35_6.0.6001.18096_none_c8dc470aa226caf8\MICROS~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-winfxtargets_31bf3856ad364e35_6.0.6001.22208_none_c9c9359bbaf99f1e\MICROS~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-system.speech_31bf3856ad364e35_6.0.6000.16708_none_7fdeb5cb1f6006f4\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-system.speech_31bf3856ad364e35_6.0.6000.20864_none_802371e638b1e908\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-system.speech_31bf3856ad364e35_6.0.6001.18096_none_8161a2ab1cd16389\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-system.speech_31bf3856ad364e35_6.0.6001.22208_none_824e913c35a437af\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.22208_none_ae8fdb23ccfecca4\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6001.22208_none_4edd1abd1495a186\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.18096_none_ada2ec92b42bf87e\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18248_none_478070c58c9d650d\$$DeleteMe.iertutil.dll.01ca109ca1abcd30.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.16386_none_c7e203aac103cf9f\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.16386_none_c7e203aac103cf9f\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.16720_none_c7dc8a0ec1089f13\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.16720_none_c7dc8a0ec1089f13\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.16762_none_c7e05da6c10537b1\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.16762_none_c7e05da6c10537b1\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.20883_none_b114a0b2daaae406\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.20883_none_b114a0b2daaae406\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.20935_none_b10f718cdaaf98e6\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6000.20935_none_b10f718cdaaf98e6\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.18000_none_c7b68566c15b786b\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.18000_none_c7b68566c15b786b\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.18111_none_c7b76ec4c15aabb4\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.18111_none_c7b76ec4c15aabb4\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.18155_none_c7bb14ccc1577794\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.18155_none_c7bb14ccc1577794\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.22230_none_b0ebdf60db0024c7\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.22230_none_b0ebdf60db0024c7\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.22286_none_b0f05822dafc3d40\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_mscorlib_b77a5c561934e089_6.0.6001.22286_none_b0f05822dafc3d40\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18248_none_b4bfde47d6e3201d\$$DeleteMe.urlmon.dll.01ca109ca1a4a910.0000
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MICROS~1.TAS
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MICROS~1.TAR
Status: Locked to the Windows API!

Path: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Users\Greg\AppData\Local\Temp\UAC1765.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\$$DeleteMe.sortkey.nlp.01c9bec6461dadd0.0007
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\$$DeleteMe.sorttbls.nlp.01c98d783df56c80.000a
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PRESEN~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Locked to the Windows API!

Path: c:\programdata\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.220.crwl
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\programdata\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.220.gthr
Status: Allocation size mismatch (API: 288, Raw: 0)

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\hysterical[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\icon13[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\icon5[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\icon_open[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\p_edit[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\rte-bold[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\rte-email-button[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\rte-justify[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WC48HWF\wacko[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3Q4ZXBNV\t_qr[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\crazy[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\find_posts[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\icon11[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\in_love[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\rte-align-center[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\rte-dd-bg[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\rte-link-button[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\rte-resize-down[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OKI147Q\rte-toggle-html[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\icon10[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\icon3[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\mellow[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\rte-align-left[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\rte-emoticon[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\rte-remove-formatting[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\rte-resize-up[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\rte_tile[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YDZDGBP\send_pm_small[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FYUXY6FO\friend_add_small[1].png
Status: Could not get file information (Error 0xc0000008)

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G6IYFEBD\greg@bleepingcomputer[1].txt
Status: Locked to the Windows API!

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G6IYFEBD\index[2].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YCTWNK9W\rte-emo-button[1].png
Status: Could not get file information (Error 0xc0000008)

Path: C:\Users\Greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z3AWIZXU\__utm[2].gif
Status: Could not get file information (Error 0xc0000008)

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1448 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: wininit.exe (PID: 644) Address: 0x007c0000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: wininit.exe (PID: 644) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: wininit.exe (PID: 644) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: services.exe (PID: 692) Address: 0x00850000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: services.exe (PID: 692) Address: 0x00f30000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: services.exe (PID: 692) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: lsass.exe (PID: 704) Address: 0x007a0000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: lsass.exe (PID: 704) Address: 0x01550000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: lsass.exe (PID: 704) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: lsm.exe (PID: 712) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: lsm.exe (PID: 712) Address: 0x01620000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: lsm.exe (PID: 712) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETlxscqtsb.dll]
Process: svchost.exe (PID: 868) Address: 0x00510000 Size: 53248

Object: Hidden Module [Name: UAC40d6.tmphacipy.dll]
Process: svchost.exe (PID: 868) Address: 0x006f0000 Size: 217088

Object: Hidden Module [Name: UACubrwuprjrl.dll]
Process: svchost.exe (PID: 868) Address: 0x006b0000 Size: 77824

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: svchost.exe (PID: 868) Address: 0x01600000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: svchost.exe (PID: 868) Address: 0x016d0000 Size: 49152

Object: Hidden Module [Name: UACyclbejbtxt.dll]
Process: svchost.exe (PID: 868) Address: 0x01770000 Size: 73728

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: svchost.exe (PID: 868) Address: 0x020b0000 Size: 45056

Object: Hidden Module [Name: UACdxcehacipy.dll]
Process: svchost.exe (PID: 868) Address: 0x021c0000 Size: 217088

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: svchost.exe (PID: 868) Address: 0x02350000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: winlogon.exe (PID: 892) Address: 0x007d0000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: winlogon.exe (PID: 892) Address: 0x019d0000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: winlogon.exe (PID: 892) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAC40d6.tmphacipy.dll]
Process: svchost.exe (PID: 1000) Address: 0x00540000 Size: 217088

Object: Hidden Module [Name: UACubrwuprjrl.dll]
Process: svchost.exe (PID: 1000) Address: 0x00730000 Size: 77824

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: svchost.exe (PID: 1000) Address: 0x00ff0000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: svchost.exe (PID: 1000) Address: 0x01680000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: svchost.exe (PID: 1000) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: svchost.exe (PID: 1156) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UAC40d6.tmphacipy.dll]
Process: svchost.exe (PID: 1156) Address: 0x00c90000 Size: 217088

Object: Hidden Module [Name: UACubrwuprjrl.dll]
Process: svchost.exe (PID: 1156) Address: 0x00d50000 Size: 77824

Object: Hidden Module [Name: UAClbkpxrxido.dll]
Process: svchost.exe (PID: 1156) Address: 0x01400000 Size: 45056

Object: Hidden Module [Name: UACqtnivoiixv.dll]
Process: svchost.exe (PID: 1156) Address: 0x01490000 Size: 49152

Object: Hidden Module [Name: SKYNETenywtcfm.dll]
Process: nvvsvc.Hidden Services
-------------------
Service Name: SKYNETubtmjbjr
Image Path: C:\Windows\system32\drivers\SKYNETwuhnpbps.sys

Service Name: UACd.sys
Image Path: C:\Windows\system32\drivers\UACedegimxndh.sys

==EOF==

Edited by copperhed, 09 August 2009 - 11:18 PM.

#7 boopme

To Insanity and Beyond

Global Moderator
73,072 posts
OFFLINE

Gender:Male
Location:NJ USA
Local time:02:45 PM

Posted 09 August 2009 - 11:45 PM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\Windows\System32\SKYNETenywtcfm.dll
C:\Windows\System32\SKYNETlxscqtsb.dll
C:\Windows\System32\UACdxcehacipy.dll
C:\Windows\System32\uacinit.dll
C:\Windows\System32\UAClbkpxrxido.dll
C:\Windows\System32\UACqtnivoiixv.dll
C:\Windows\System32\UACubrwuprjrl.dll
C:\Windows\System32\UACyclbejbtxt.dll
C:\Windows\System32\drivers\SKYNETwuhnpbps.sys
C:\Windows\System32\drivers\UACedegimxndh.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

How is it running now?

#8 copperhed

Topic Starter

Members
9 posts
OFFLINE

Local time:02:45 PM

Posted 10 August 2009 - 12:19 AM

Thank you very much.

Seems to have fixed it.
Google, etc. work fine now.

I still have the Windows Security Alert icon that Security Center is turned off and when I attempt to turn it on it replies "can't be started".

Also, System Restore still states that I have no restore points. I suppose somehow they have been wiped away permanently.

Any suggestions?

In any case, I can not thank you enough for the help you have already offered.

Edited by copperhed, 10 August 2009 - 12:20 AM.