uacinit.dll


11 replies to this topic

#1 JSteger

Posted 29 August 2009 - 02:55 PM

A colleague of mine accidentally got a virus on my computer.
It was some kind of Antivirus Pro 2010.

I ran Malwarebytes Anti-Malware and scanned my computer and it cleaned all the files.
The only symptom I seem to have left is some Google redirection.

The only infected file i seem to have is...

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

But of course it never deletes.
I tried to use a program called Unlocker to directly delete the file, but I can't even find the file.

Please inform on the steps i need to take.

Thank you



#2 Blade


Posted 29 August 2009 - 04:00 PM

Hello.

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 JSteger


Posted 30 August 2009 - 12:33 AM

I kept getting "Could not read the boot sector. Try adjusting the disk access level in the options dialog".
However, I was still able to do the scan.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/08/29 22:29
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB7F12000	Size: 102400	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CD000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_PNP5936
Image Path: \Driver\PCI_PNP5936
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6E52000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: spqe.sys
Image Path: spqe.sys
Address: 0xF74D6000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwxamivamrf.dll]
Process: svchost.exe (PID: 936)	Address: 0x00760000	Size: 77824

Object: Hidden Module [Name: UACultoqbiqmq.dll]
Process: svchost.exe (PID: 936)	Address: 0x00b20000	Size: 73728

Object: Hidden Module [Name: UACb7b7.tmppeldlk.dll]
Process: svchost.exe (PID: 936)	Address: 0x10000000	Size: 217088

Object: Hidden Module [Name: UACwxamivamrf.dll]
Process: Explorer.EXE (PID: 1612)	Address: 0x10000000	Size: 77824

Object: Hidden Module [Name: UACb7b7.tmppeldlk.dll]
Process: Iexplore.exe (PID: 1684)	Address: 0x10000000	Size: 217088

Object: Hidden Module [Name: UACb7b7.tmppeldlk.dll]
Process: Iexplore.exe (PID: 420)	Address: 0x10000000	Size: 217088

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8a1c31f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System	Address: 0x897981f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System	Address: 0x8a1c41f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8a1051f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8a06e1f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_CREATE]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_CLOSE]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_POWER]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: alxp1iozȅఅ瑎獆란骨ᶸ, IRP_MJ_PNP]
Process: System	Address: 0x8a0221f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System	Address: 0x897f11f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System	Address: 0x8a1c51f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System	Address: 0x8a05e500	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x8a1541f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x897fd1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x897fd1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x897fd1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x897fd1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x897fd1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x897fd1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x897f91f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_CREATE]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_CLOSE]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_READ]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_CLEANUP]
Process: System	Address: 0x8979a1f8	Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ剒敬澼, IRP_MJ_PNP]
Process: System	Address: 0x8979a1f8	Size: 121

==EOF==
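A worked example added here by the editor, not part of the thread and not code from RootRepeal: a short Python script that turns a report like the one above into the two summaries a helper actually reads off it, which hidden modules were found in which processes, and, for each hooked driver, which IRP major functions were hooked and whether all of them resolve to one handler address (in the report above every listed driver's hooked entries share a single address, i.e. one routine sits in front of the whole dispatch table). SAMPLE_LOG is a constructed excerpt of the report above in the same tab-separated line format; the function names are this example's own.

```python
# Summarise a RootRepeal 1.3.x report: hidden in-process modules and driver IRP hooks.
# Added example for this thread; not code from the original posts or from RootRepeal.
# SAMPLE_LOG is a constructed excerpt of the report posted above (same line format).
import re
from collections import defaultdict

SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwxamivamrf.dll]
Process: svchost.exe (PID: 936)\tAddress: 0x00760000\tSize: 77824

Object: Hidden Module [Name: UACb7b7.tmppeldlk.dll]
Process: svchost.exe (PID: 936)\tAddress: 0x10000000\tSize: 217088

Object: Hidden Module [Name: UACwxamivamrf.dll]
Process: Explorer.EXE (PID: 1612)\tAddress: 0x10000000\tSize: 77824

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System\tAddress: 0x8a1c31f8\tSize: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System\tAddress: 0x8a1c31f8\tSize: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System\tAddress: 0x8a1c41f8\tSize: 121

==EOF==
"""

# One "Object:" line followed by one "Process:" line per entry. The driver name is
# matched up to the ", IRP_MJ_" separator, so the garbled names RootRepeal prints
# verbatim from memory pass through unchanged.
RE_MODULE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>.+)\]$")
RE_CODE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+), (?P<irp>IRP_MJ_\w+)\]$")
RE_PROCESS = re.compile(r"^Process: (?P<proc>.+?)\tAddress: (?P<addr>0x[0-9A-Fa-f]+)\tSize: \d+$")


def parse_rootrepeal(text):
    """Return (modules, hooks): one dict per "Stealth Objects" entry in the report."""
    modules, hooks, pending = [], [], None  # pending: Object: line awaiting its Process: line
    for line in text.splitlines():
        if m := RE_MODULE.match(line):
            pending = {"name": m["name"]}
        elif m := RE_CODE.match(line):
            pending = {"driver": m["driver"], "irp": m["irp"]}
        elif (m := RE_PROCESS.match(line)) and pending:
            pending.update(process=m["proc"], address=m["addr"].lower())
            (modules if "name" in pending else hooks).append(pending)
            pending = None
    return modules, hooks


def modules_by_process(modules):
    """Which hidden modules live in which process (the injected-DLL view)."""
    out = defaultdict(set)
    for rec in modules:
        out[rec["process"]].add(rec["name"])
    return {proc: sorted(names) for proc, names in out.items()}


def hooks_by_driver(hooks):
    """Per driver: hooked major functions, distinct handler addresses, and whether every
    hooked entry points at the same routine (one handler in front of the whole table)."""
    irps, addrs = defaultdict(set), defaultdict(set)
    for rec in hooks:
        irps[rec["driver"]].add(rec["irp"])
        addrs[rec["driver"]].add(rec["address"])
    return {d: {"irps": sorted(irps[d]), "addresses": sorted(addrs[d]),
                "single_handler": len(addrs[d]) == 1} for d in irps}


def suspicious_modules(modules, prefix="uac"):
    """Hidden module names starting with the given prefix, compared case-insensitively."""
    return sorted({r["name"] for r in modules if r["name"].lower().startswith(prefix)})


if __name__ == "__main__":
    modules, hooks = parse_rootrepeal(SAMPLE_LOG)
    print("hidden modules by process:", modules_by_process(modules))
    print("UAC* modules:", suspicious_modules(modules))
    print("IRP hooks by driver:", hooks_by_driver(hooks))
```

Run as-is it summarises the embedded excerpt; for a real report, read the saved RootRepeal.txt into parse_rootrepeal instead of SAMPLE_LOG. The prefix filter is deliberately a parameter: the UAC naming seen in this thread is one family's habit, not a general rule, so the list of hidden modules per process is the thing to look at first and the prefix match is only a convenience.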


#4 Blade


Posted 30 August 2009 - 01:34 AM

Let's try another ARK scanner

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
~Blade


In your next reply, please include the following:
Sophos log

Edited by Blade Zephon, 30 August 2009 - 01:35 AM.



#5 JSteger


Posted 30 August 2009 - 01:24 PM

The scan took about 100 minutes, but it did not find anything recommended for deletion.

By the way, I don't know if I was supposed to do this, but before I scanned I ran SUPERAntiSpyware Free Edition and it found around 40 infected objects and cleaned them.

Here's the log from the Anti-Rootkit.

Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/30/2009 at 9:37:02 AM
User "Big Y" on computer "YAMEN"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info:	Starting process scan.
Info:	Starting registry scan.
Hidden:	registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009021920090220
Info:	Starting disk scan of C: (NTFS).
Hidden:	file C:\System Volume Information\_restore{B7E4771B-30A1-43D9-97F1-A058494A219F}\RP164\A0076587.dll
Hidden:	file C:\System Volume Information\_restore{B7E4771B-30A1-43D9-97F1-A058494A219F}\RP164\A0075589.dll
Hidden:	file C:\Documents and Settings\Big Y\Local Settings\Temporary Internet Files\Content.IE5\HJ1FZPX5\;vpec=sp;atf=p;dt=s;!c=hagl;!c=hagn;cpall=all;cp2=fin;cp2=cmt;cp2=fbv;;tt=j;u=b0011rhwr590v8j315g,f0fp2sa,g10005c;sz=160x600,120x600;tile=1;ord=7267211182505778;[1]
Hidden:	file C:\Documents and Settings\Big Y\Application Data\SecuROM\UserData\???????????p????????? 
Hidden:	file C:\Documents and Settings\Big Y\Local Settings\Temporary Internet Files\Content.IE5\HJ1FZPX5\___www.majorgeeks.com_SUPERAntiSpyware_d5116.html;ref=;ce=1;je=1;sr=1440x900x32;dg=P5780-W-MS-8;dst=1;et=1251612596078;tzo=420;a=p-fdwEfW0hIeH9U;tags=729.1318[1].gif
Hidden:	file C:\Documents and Settings\Big Y\Local Settings\Temporary Internet Files\Content.IE5\BJNXY3XQ\9;ns=0;url=http___www.majorgeeks.com_downloadget.php_id=5116&file=15&evp=4b877f10ddee47cecae8038a2f67054e;ref=http___www.majorgeeks.com_SUPERAntiSpyware_d5116[1].gif
Hidden:	file C:\Documents and Settings\Big Y\Application Data\SecuROM\UserData\???????????p????????? 
Hidden:	file C:\WINDOWS\system32\drivers\sptd.sys
Stopped logging on 8/30/2009 at 11:18:54 AM


#6 Blade


Posted 30 August 2009 - 03:02 PM

By the way, I don't know if I was supposed to do this, but before I scanned I ran SUPERAntiSpyware Free Edition and it found around 40 infected objects and cleaned them.


Thank you for telling me. In the future, while you are receiving help please do not make any changes to your computer (running fix tools, installing/uninstalling programs, deleting files, etc) unless directed to by a helper. By doing things beyond what I request, it becomes impossible for me to have a clear understanding of the current situation, and thus I will not know what needs to be done.

Could you please post the log from SUPERAntiSpyware? Also, are you still experiencing redirection?

~Blade



#7 JSteger


Posted 30 August 2009 - 03:17 PM

Actually, I'm not getting any bad symptoms at all, but I want to make sure. I will reply later today if the topic should be closed.

Thanks for all the help Blade.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/29/2009 at 11:30 PM

Application Version : 4.27.1002

Core Rules Database Version : 4076
Trace Rules Database Version: 2016

Scan type	   : Quick Scan
Total Scan Time : 00:07:07

Memory items scanned	  : 341
Memory threats detected   : 1
Registry items scanned	: 413
Registry threats detected : 2
File items scanned		: 6859
File threats detected	 : 48

Rootkit.Agent/Gen-UACFake
	\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACVMTTPELDLK.DLL
	\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACVMTTPELDLK.DLL
	C:\WINDOWS\SYSTEM32\UACMUXNBSXVXE.DLL
	C:\WINDOWS\SYSTEM32\UACULTOQBIQMQ.DLL
	C:\WINDOWS\SYSTEM32\UACVMTTPELDLK.DLL
	C:\WINDOWS\SYSTEM32\UACWXAMIVAMRF.DLL

Rootkit.Agent/Gen-UAC
	HKLM\system\controlset001\services\UACd.sys
	C:\WINDOWS\SYSTEM32\DRIVERS\UACXWHSVDNBOD.SYS
	HKLM\system\controlset002\services\UACd.sys

Adware.Tracking Cookie
	C:\Documents and Settings\Big Y\Cookies\big_y@overture[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@iacas.adbureau[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@dc.tremormedia[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@insightexpressai[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@cdn.at.atwola[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@content.yieldmanager[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@fastclick[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@oasn04.247realmedia[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@casalemedia[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@ar.atwola[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@serving-sys[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@at.atwola[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@tacoda[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@247realmedia[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@cdn4.specificclick[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@viacom.adbureau[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@doubleclick[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@advertising[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@adserver.adtechus[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@bs.serving-sys[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@atwola[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@content.yieldmanager[3].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@media.mtvnservices[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@ad.yieldmanager[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@specificmedia[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@tribalfusion[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@revsci[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@trafficmp[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@collective-media[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@questionmarket[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@ads.addynamix[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@2o7[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@mediaplex[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@specificclick[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@atdmt[1].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@apmebf[2].txt
	C:\Documents and Settings\Big Y\Cookies\big_y@ads.financialcontent[2].txt

Adware.Vundo/Variant-MSFake
	C:\DOCUMENTS AND SETTINGS\BIG Y\7ZS2004.TMP\2_VC2008.EXE
	C:\DOCUMENTS AND SETTINGS\DEFAULT USER\7ZS2004.TMP\2_VC2008.EXE
	C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\7ZS2004.TMP\2_VC2008.EXE

Rootkit.Agent/Gen-Rustock[KBI]
	C:\WINDOWS\SYSTEM32\DRIVERS\JQVRIEERCIQXNOSS.SYS

Trojan.Agent/Gen
	C:\WINDOWS\SYSTEM32\UACINIT.DLL

Edited by JSteger, 30 August 2009 - 03:21 PM.
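
The SUPERAntiSpyware log above has a regular shape: a block of "Name : value" header lines, then one detection category per group with its hits tab-indented beneath it, and the header totals (memory + registry + file) add up to the number of listed entries (1 + 2 + 48 = 51 here). The parser below, an added example and not code from BleepingComputer, SUPERAntiSpyware or anyone in this thread, reads that layout, checks the totals, separates registry hits from on-disk items, collapses the duplicate GLOBALROOT listings onto their plain paths, and leaves tracking cookies out so what remains is the short list worth re-checking after the reboot and rescan the helper asks for. SAMPLE_LOG is constructed for the example with placeholder names; it is not the log from the thread.

```python
"""Summarize a SUPERAntiSpyware-style scan log by detection category.

Added example: not code from BleepingComputer, SUPERAntiSpyware or the
thread's participants. The layout (header lines, then a category name with
tab-indented detections) follows the log posted above. SAMPLE_LOG is
constructed for this example with placeholder file names.
"""
import re

# Header lines carrying per-class totals, e.g. "File threats detected : 48".
HEADER_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)\s*$")

# Some files are listed both as C:\... and in the kernel object-namespace
# form \\?\GLOBALROOT\C:\... ; one or two leading backslashes are accepted
# because forum posting often eats one of them.
GLOBALROOT_RE = re.compile(r"^\\{1,2}\?\\GLOBALROOT\\", re.IGNORECASE)

# Constructed sample in the same layout as the posted log (placeholder names).
SAMPLE_LOG = """\
SUPERAntiSpyware Scan Log

Scan type       : Quick Scan
Memory threats detected   : 1
Registry threats detected : 2
File threats detected     : 4

Rootkit.Agent/Gen-UAC
\tHKLM\\system\\controlset001\\services\\EXAMPLEd.sys
\tC:\\WINDOWS\\SYSTEM32\\DRIVERS\\EXAMPLE1.SYS
\tHKLM\\system\\controlset002\\services\\EXAMPLEd.sys

Adware.Tracking Cookie
\tC:\\Documents and Settings\\user\\Cookies\\user@example-ads[1].txt
\tC:\\Documents and Settings\\user\\Cookies\\user@example-tracker[2].txt

Trojan.Agent/Gen
\tC:\\WINDOWS\\SYSTEM32\\EXAMPLE2.DLL
\t\\\\?\\GLOBALROOT\\C:\\WINDOWS\\SYSTEM32\\EXAMPLE2.DLL
"""


def parse_log(text):
    """Return (header_counts, detections).

    header_counts maps "Memory"/"Registry"/"File" to the totals in the header;
    detections is a list of (category, raw_path) in log order.
    """
    counts = {}
    detections = []
    category = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        if line.startswith("\t"):
            # Indented line: a detection under the most recent category.
            if category is not None:
                detections.append((category, line.strip()))
            continue
        stripped = line.strip()
        if stripped:
            # Any other non-empty, non-indented line is the candidate category;
            # it only matters if indented detections follow it.
            category = stripped
    return counts, detections


def normalize(path):
    """Collapse the GLOBALROOT form onto the plain drive path, upper-cased,
    so the same file listed twice in the log compares equal."""
    return GLOBALROOT_RE.sub("", path).upper()


def is_registry(path):
    """Registry hits are reported as hive-rooted paths rather than files."""
    return path.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_"))


def summarize(detections):
    """Number of entries per category, e.g. {"Adware.Tracking Cookie": 37}."""
    summary = {}
    for category, _ in detections:
        summary[category] = summary.get(category, 0) + 1
    return summary


def check_totals(counts, detections):
    """True when memory + registry + file totals equal the listed entries."""
    return sum(counts.values()) == len(detections)


def registry_entries(detections):
    """Sorted, de-duplicated registry paths (service keys and the like)."""
    return sorted({p for _, p in detections if is_registry(p)})


def unique_files(detections, skip_categories=("Adware.Tracking Cookie",)):
    """Distinct on-disk items with GLOBALROOT duplicates collapsed and tracking
    cookies left out: the list worth re-checking after a reboot and rescan."""
    return sorted({normalize(p) for c, p in detections
                   if not is_registry(p) and c not in skip_categories})


if __name__ == "__main__":
    counts, dets = parse_log(SAMPLE_LOG)
    print("totals consistent:", check_totals(counts, dets))
    for category, n in summarize(dets).items():
        print(f"{n:3d}  {category}")
    print("registry:", registry_entries(dets))
    print("files to re-check:", unique_files(dets))
```

Run it against a real log by reading the file into `parse_log` instead of `SAMPLE_LOG`; on the thread's log the category summary should show 37 tracking cookies and `unique_files` should reduce the rootkit entries to the distinct DLL and SYS files under the Windows directory.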


#8 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 30 August 2009 - 04:15 PM

Could you update Malwarebytes and then run a quick scan for me to see if that entry is still popping up?



#9 JSteger
  • Topic Starter
  • Members
  • 7 posts

Posted 30 August 2009 - 05:30 PM

Malwarebytes' Anti-Malware 1.40
Database version: 2719
Windows 5.1.2600 Service Pack 3

8/30/2009 3:29:38 PM
mbam-log-2009-08-30 (15-29-38).txt

Scan type: Quick Scan
Objects scanned: 90374
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACbvsiwutkyf.db (Trojan.TDSS) -> Quarantined and deleted successfully.


#10 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 30 August 2009 - 05:36 PM

Well it's not the same file as before, so that's good. I think we got it. :thumbsup: To be sure, could you reboot the computer and then run one more MBAM quick scan? Post the log when finished.

~Blade



#11 JSteger
  • Topic Starter
  • Members
  • 7 posts

Posted 02 September 2009 - 05:29 PM

No real signs of infection anymore.
Thanks a lot Blaze.

#12 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 02 September 2009 - 06:11 PM

lol. . . that's Blade. :thumbsup:

It was my pleasure.
