
Please help a complete newbie remove the Win 32 Trojan.Tdss

18 replies to this topic

#1 kimba707

  • Members
  • 11 posts
  • Gender:Female
  • Location:London

Posted 25 August 2009 - 03:46 AM

Hi all,

So... I've got the Trojan.TDSS and please forgive me but I'm not too good with tech stuff. I know the basics and have read some other topics and forums on this but am not confident enough to follow the instructions given to someone else, so I hope you can please help me.

I ran a scan with AVG Free and the new Ad-Aware Anniversary Edition and even after a reboot, the above trojan just won't disappear.

I've got an old Sony Vaio laptop running Windows XP. It's pretty old and slow but I have to live with it for now. I've also tried Malwarebytes but it won't run.

Would really appreciate any help or advice. If you need more details please ask me and I will try to answer as best I can.

Hope to hear from you soon.

Thx, Kimberley.

#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 25 August 2009 - 06:41 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 kimba707 (Topic Starter)

  • Members
  • 11 posts
  • Gender:Female
  • Location:London

Posted 26 August 2009 - 03:40 PM

Thanks for the reply and instructions... don't think it's working for me though... I tried to run RootRepeal and received this message: "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog." Then after a few presses of the OK button it opened the program, but when I pressed the Scan button it did not show the seven boxes you described. I saved the report it did run but don't think it's what you're after... details below.

Argh this is driving me insane!!!! :thumbsup:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 21:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF77AD000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF773E000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF7BA9000 Size: 11648 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xF7A55000 Size: 19008 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB2557000 Size: 138496 File Visible: - Signed: -
Status: -

Name: ALCXSENS.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXSENS.SYS
Address: 0xF6BCA000 Size: 391424 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF6C4E000 Size: 603328 File Visible: - Signed: -
Status: -

Name: aliide.sys
Image Path: aliide.sys
Address: 0xF7C91000 Size: 5248 File Visible: - Signed: -
Status: -

Name: ANIO.SYS
Image Path: C:\WINDOWS\system32\ANIO.SYS
Address: 0xF7B25000 Size: 28128 File Visible: - Signed: -
Status: -

Name: Apfiltr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\Apfiltr.sys
Address: 0xF6BB3000 Size: 91712 File Visible: - Signed: -
Status: -

Name: ar5416.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ar5416.sys
Address: 0xF6AAA000 Size: 1000096 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF794D000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF76D8000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000 Size: 393216 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ati2mtag.sys
Address: 0xF6EF0000 Size: 745472 File Visible: - Signed: -
Status: -

Name: ati3d1ag.dll
Image Path: C:\WINDOWS\System32\ati3d1ag.dll
Address: 0xBFA35000 Size: 868352 File Visible: - Signed: -
Status: -

Name: atisgkaf.sys
Image Path: atisgkaf.sys
Address: 0xF7BAD000 Size: 13088 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7DFF000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xB241D000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF7B6D000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xB25A1000 Size: 101888 File Visible: - Signed: -
Status: -

Name: AWINDIS5.SYS
Image Path: C:\WINDOWS\system32\AWINDIS5.SYS
Address: 0xAFFE8000 Size: 14880 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\BATTC.SYS
Address: 0xF7BA5000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7CBF000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7B9D000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF69FE000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF79BD000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF77ED000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\CmBatt.sys
Address: 0xF7C79000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF7BA1000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF77DD000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DMICall.sys
Image Path: C:\WINDOWS\System32\DRIVERS\DMICall.sys
Address: 0xF7ED1000 Size: 3552 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF796D000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0CDE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CED000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF6926000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7E54000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF792D000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF76B8000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7CBD000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF76F0000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF7C71000 Size: 9984 File Visible: - Signed: -
Status: -

Name: GTNDIS5.SYS
Image Path: C:\PROGRA~1\WIRELE~1\GTNDIS5.SYS
Address: 0xAFF00000 Size: 15872 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 81152 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Address: 0xB01CC000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xB0D1E000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Address: 0xAFD54000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Address: 0xF6CE2000 Size: 681344 File Visible: - Signed: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
Address: 0xF6D89000 Size: 1042432 File Visible: - Signed: -
Status: -

Name: HSFHWALI.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSFHWALI.sys
Address: 0xF6EAB000 Size: 196736 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF797D000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF79AD000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF795D000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xB246E000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xB2613000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF778D000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF7ABD000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7C8D000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xAFBE6000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF6E88000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF768F000 Size: 92928 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF77FD000 Size: 57472 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xB0656000 Size: 9920 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7CC1000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7AAD000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF7AB5000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xAFC29000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF77BD000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xB076E000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xB2494000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7B45000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF782D000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7586000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF75BB000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF75D5000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7C7D000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xB0C52000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6A5E000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF784D000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF790D000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xB2579000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF798D000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7B4D000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7602000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7E42000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF779D000 Size: 61696 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7D55000 Size: 4096 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF6B9F000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7A15000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7D29000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF772D000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7A0D000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF770F000 Size: 120192 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6C2A000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF69AD000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF7AE5000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF780D000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7C49000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF79DD000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF79ED000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF79FD000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7AED000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xB252C000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7CC3000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF79CD000 Size: 57600 File Visible: - Signed: -
Status: -

Name: RimSerial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Address: 0xF7AF5000 Size: 27136 File Visible: - Signed: -
Status: -

Name: RootMdm.sys
Image Path: C:\WINDOWS\System32\Drivers\RootMdm.sys
Address: 0xF7CB1000 Size: 5888 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0706000 Size: 49152 File Visible: No Signed: -
Status: -

Name: Rtlnic51.sys
Image Path: C:\WINDOWS\System32\DRIVERS\Rtlnic51.sys
Address: 0xF6A75000 Size: 67712 File Visible: - Signed: -
Status: -

Name: SonyNC.sys
Image Path: C:\WINDOWS\System32\Drivers\SonyNC.sys
Address: 0xF7AC5000 Size: 20512 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF76A6000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xB02BC000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7CB3000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB0A86000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xB25BA000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7ADD000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF783D000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tifmsony.sys
Image Path: C:\WINDOWS\system32\drivers\tifmsony.sys
Address: 0xF799D000 Size: 64512 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF694F000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7CBB000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF7AD5000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF78CD000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xF7ACD000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6A86000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF7A95000 Size: 26368 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7B3D000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6EDC000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF77CD000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF793D000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7A3D000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB08E1000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7C8F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

#4 Straythe

  • Members
  • 124 posts
  • Gender:Not Telling

Posted 26 August 2009 - 03:43 PM

Then after a few presses of the OK button it opened the program but then when I pressed the scan button, it did not show the seven boxes you described.


The seven boxes only show up when you first open the Reports tab and then hit the Scan button. Strange, yes. Can you give it another try?

Good luck - Straythe (not a staff member)
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

#5 kimba707 (Topic Starter)

  • Members
  • 11 posts
  • Gender:Female
  • Location:London

Posted 26 August 2009 - 03:54 PM

Oops, I missed that bit... what an idiot!! It's just scanning now...

Thanks! :thumbsup:

Will post when finished...

-k.

#6 kimba707 (Topic Starter)

  • Members
  • 11 posts
  • Gender:Female
  • Location:London

Posted 26 August 2009 - 04:24 PM

Ok... here it is!!! Thanks so much for the help!!

-K.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 21:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0CDE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CED000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB04E6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACbftimppyuy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdwkspivrub.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACemnuvgmwki.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjeqbonffld.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkbsmspdulk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACphxlvnssrs.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxmfbjgmcjw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC45f6.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Sony\Desktop\Kimberley Anderson - CV 2009.pdf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACxpqhxbvttn.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Sony\Local Settings\Temp\UAC99c9.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\sony\local settings\application data\mozilla\firefox\profiles\j9zsb0r0.default\urlclassifier3.sqlite
Status: Allocation size mismatch (API: 18128896, Raw: 17723392)

Path: D:\My Documents\Kimberley Anderson - CV Jan09.pdf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: D:\My Documents\_CAREER\Resume & Applications\2009 Applications\DIRECT~1.PDF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: D:\My Documents\_CAREER\Resume & Applications\2009 Applications\JUSTMA~1.PDF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: winlogon.exe (PID: 612) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: winlogon.exe (PID: 612) Address: 0x00930000 Size: 49152

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: services.exe (PID: 660) Address: 0x00a30000 Size: 49152

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: services.exe (PID: 660) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: lsass.exe (PID: 672) Address: 0x00ad0000 Size: 49152

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: lsass.exe (PID: 672) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: Ati2evxx.exe (PID: 824) Address: 0x00e30000 Size: 49152

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: Ati2evxx.exe (PID: 824) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACemnuvgmwki.dll]
Process: svchost.exe (PID: 840) Address: 0x00c70000 Size: 73728

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: svchost.exe (PID: 840) Address: 0x00830000 Size: 77824

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: svchost.exe (PID: 840) Address: 0x00b40000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: svchost.exe (PID: 840) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UAC45f6.tmppivrub.dll]
Process: svchost.exe (PID: 840) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: svchost.exe (PID: 940) Address: 0x00830000 Size: 77824

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: svchost.exe (PID: 940) Address: 0x00b40000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: svchost.exe (PID: 940) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UAC45f6.tmppivrub.dll]
Process: svchost.exe (PID: 940) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: svchost.exe (PID: 1032) Address: 0x00830000 Size: 77824

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: svchost.exe (PID: 1032) Address: 0x00b40000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: svchost.exe (PID: 1032) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UAC45f6.tmppivrub.dll]
Process: svchost.exe (PID: 1032) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: svchost.exe (PID: 1100) Address: 0x00830000 Size: 77824

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: svchost.exe (PID: 1100) Address: 0x00b40000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: svchost.exe (PID: 1100) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UAC45f6.tmppivrub.dll]
Process: svchost.exe (PID: 1100) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: svchost.exe (PID: 1196) Address: 0x00830000 Size: 77824

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: svchost.exe (PID: 1196) Address: 0x00b40000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: svchost.exe (PID: 1196) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UAC45f6.tmppivrub.dll]
Process: svchost.exe (PID: 1196) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: AAWService.exe (PID: 1424) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: AAWService.exe (PID: 1424) Address: 0x01020000 Size: 49152

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: spoolsv.exe (PID: 1488) Address: 0x00e30000 Size: 49152

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: spoolsv.exe (PID: 1488) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: svchost.exe (PID: 396) Address: 0x00830000 Size: 77824

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxpqhxbvttn.sys

==EOF==
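As an added example, not part of the thread and not RootRepeal's own code, here is a small Python triage script that parses the "Hidden Module" and "Hidden Services" entries of a RootRepeal report and summarises them, so that the pattern the moderator acts on (the same UAC*.dll names hidden inside nearly every process, plus a hidden UACd.sys service pointing at a driver with the same prefix) stands out instead of being buried in hundreds of repetitive lines. The log excerpt embedded in the script is constructed from entries of the kind posted above.

```python
# Added triage helper (not from the thread or from RootRepeal): parses the
# "Hidden Module" / "Hidden Services" entries of a RootRepeal report.
import os
import re
from collections import defaultdict

MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\s*"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)")
SERVICE_RE = re.compile(r"Service Name: (?P<svc>\S+)\s*Image Path: (?P<path>\S+)")

# Constructed excerpt in the same format as the log posted in this thread.
SAMPLE_LOG = """\
Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: svchost.exe (PID: 396) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACxmfbjgmcjw.dll]
Process: Explorer.EXE (PID: 1088) Address: 0x00e00000 Size: 45056

Object: Hidden Module [Name: UACbftimppyuy.dll]
Process: Explorer.EXE (PID: 1088) Address: 0x10000000 Size: 77824

Object: Hidden Module [Name: UACjeqbonffld.dll]
Process: firefox.exe (PID: 132) Address: 0x016b0000 Size: 49152

Hidden Services
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACxpqhxbvttn.sys
"""

def parse_report(text):
    """Return ({dll_name: {(process, pid), ...}}, [(service, image_path), ...])."""
    modules = defaultdict(set)
    for m in MODULE_RE.finditer(text):
        modules[m["name"]].add((m["proc"], int(m["pid"])))
    services = [(m["svc"], m["path"]) for m in SERVICE_RE.finditer(text)]
    return dict(modules), services

def triage(text, min_processes=2):
    """Flag DLLs hidden in >= min_processes processes, and hidden services whose
    driver file shares the hidden DLLs' common name prefix (here 'UAC')."""
    modules, services = parse_report(text)
    widespread = {n: len(p) for n, p in modules.items() if len(p) >= min_processes}
    findings = [f"hidden module {n} injected into {c} processes"
                for n, c in sorted(widespread.items(), key=lambda kv: -kv[1])]
    prefix = os.path.commonprefix(list(modules))  # '' when nothing is hidden
    for svc, path in services:
        if len(prefix) >= 3 and path.rsplit("\\", 1)[-1].startswith(prefix):
            findings.append(f"hidden service {svc} -> {path} shares prefix '{prefix}'")
    return findings
```

Run it over a saved RootRepeal report (`triage(open("report.txt").read())`) to get a short list of findings; a module hidden in dozens of unrelated processes, together with a hidden service whose driver shares its naming prefix, is exactly the system-wide rootkit picture this thread's log shows.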

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:24 AM

Posted 26 August 2009 - 05:06 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UACxpqhxbvttn.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean, post the final log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 kimba707

kimba707
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:London
  • Local time:03:24 PM

Posted 26 August 2009 - 06:04 PM

Hi... thanks again! I wiped that file and re-booted, then received a Resident Shield Alert from AVG with the following threats detected...

C:\WINDOWS\system32\UACdwkspivrub.dll - Virus Win32/Cryptor (x6)
C:\WINDOWS\system32\UACbftimppyuy.dll - Trojan horse Downloader Zlob.AOED (x6)
C:\WINDOWS\system32\UACjeqbonffld.dll - Trojan horse Downloader Zlob.AOEC (x6)
C:\WINDOWS\system32\UACxmfbjgmcjw.dll - Trojan horse Generic13.BQUV (x6)


When I try to remove selected infections it says 'Some files cannot be healed. Specified file was not found'.

Should I still scan with Malwarebytes??

Thanks again for everything!!

-Kimberley.

#9 Budapest

Posted 26 August 2009 - 06:07 PM

Yes - run the Malwarebytes scan.

#10 kimba707

Posted 26 August 2009 - 06:34 PM

Ok... so the quick scan finally finished after 20-odd minutes... found 14 infected objects... shall I hit the 'remove selected' button?

-K.

#11 Budapest

Posted 26 August 2009 - 06:35 PM

Yes - remove anything found, reboot and run the Malwarebytes scan again. Keep doing this until you get zero infections.

#12 kimba707

Posted 26 August 2009 - 06:36 PM

Ok, will do, thank you! Do you think these are the same items as found by AVG? I suppose AVG will bring up the resident advisor thing again too...

#13 Budapest

Posted 26 August 2009 - 06:47 PM

It's all part of the same infection.

#14 kimba707

Posted 26 August 2009 - 07:04 PM

Ok so Malwarebytes gives me the all clear!!! Can I believe it's really truly gone??

:thumbsup:


thank you so very much for walking me through this!!

#15 Budapest

Posted 26 August 2009 - 07:19 PM

Run this scan as a double-check:

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
