
Trying to fix infected laptop

5 replies to this topic

#1 mbrookes

  • Members
  • 9 posts

Posted 01 September 2009 - 09:23 AM

Hey, I'm trying to fix my girlfriend's dad's laptop, which has become heavily infected. It is still redirecting searches, going slow, blocking programs from running and apparently occasionally playing music without any programs open (I may have solved this last one while using anti-virus/malware programs, as it has not happened recently).

The laptop has never had antivirus before and is used by someone who has no clue about computers and installs anything and everything.
I have so far installed AVG and run a rootkit scan and virus scan, and installed Malwarebytes and scanned with that (after problems getting it working in the first place). There are still major problems though, and Malwarebytes is again refusing to run, and some searches are still being redirected. The last thing I did remove was Client Services For Netware, which was blocking me from changing the login mode back to how it was.

Any help is appreciated. I'm not a novice with computers, but I have little experience with this sort of thing and it's been a while since I dropped IT for biology in uni lol.

The operating system is XP Media Center: Service Pack 3

Thanks, Michael

Edited by mbrookes, 01 September 2009 - 09:25 AM.




#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts

Posted 01 September 2009 - 11:39 AM

Hello mbrookes.

The laptop has never had antivirus before and is used by someone who has no clue about computers and installs anything and everything.

Hoo boy. . . we might have our work cut out for us.

First I need to get a little history. Could you please post any malwarebytes logs you have where infections were found? Also please list the names of any tools you have run, and the results (if any) that those tools returned.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 mbrookes
  • Topic Starter

  • Members
  • 9 posts

Posted 02 September 2009 - 08:46 AM

Hey, thanks for the reply.

I have a bit of a problem. After a confused search for the logs, she has told me that after I talked her through scanning with Malwarebytes over the phone last week (it took a while to figure out how to get it installed and running as it was blocked, but I found solutions online) she has since tried to scan herself before I had the chance to get here. When it wouldn't run for her she uninstalled/installed and deleted files to get it working. There are no logs there, but I remember her saying there were around 180 results at the time! - although I think nearly all were successfully removed from what she said. The AVG log from the same time is below, but there are only a few results, and as I said Malwarebytes will not run to do another scan.

Sorry I can't give you more. I actually live nearly 100 miles away as we met in uni, so I couldn't come straight here to help - I should really have said not to touch it until I could.

- I do now know what is causing the random music and adverts (it just this minute happened to me). I checked and Internet Explorer was running even though I'm using Firefox - something is occasionally opening a hidden IE window! :thumbsup: -

"Scan ""Scan whole computer"" was finished."
"Rootkits";"14";"0";"14"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"21 August 2009, 21:15:35"
"Scan finished:";"21 August 2009, 22:05:03 (49 minute(s) 27 second(s))"
"Total object scanned:";"288808"
"User who launched the scan:";"peter atkinson"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite";"Found ";"Healed"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\2o7.net.b2664238";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\2o7.net.c7b585e6";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\ad.yieldmanager.com.557bf2b0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\ad.yieldmanager.com.830b6f08";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\ad.yieldmanager.com.8a47878";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\ad.yieldmanager.com.b68f2b7b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adengage.com.6b2a3f1";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adrevolver.com.4a719aa9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adrevolver.com.b595d4db";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adtech.de.a9245469";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\advertising.com.1820df7a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\advertising.com.f62113d5";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\ad.yieldmanager.com.ff92306";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adbrite.com.44f92a69";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adbrite.com.557c9f74";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adbrite.com.71beeff9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adbrite.com.d5e309c2";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adrevolver.com.9b9d670a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adrevolver.com.f6cfcad4";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\advertising.com.1dfa2206";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\advertising.com.525a5fb9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adviva.net.39ec90c";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adviva.net.85256b16";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\atdmt.com.74c5668";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\atdmt.com.9e6d7fd3";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\bs.serving-sys.com.5bf1f00f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\casalemedia.com.1773afc";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\casalemedia.com.80ad4799";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\casalemedia.com.987e6b46";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adbrite.com.775ee79c";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\adbrite.com.e1f04284";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\advertising.com.203aa218";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\advertising.com.b624fa46";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\atdmt.com.7247c262";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\atdmt.com.b3e33b5f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\doubleclick.net.bf396750";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\fastclick.net.57e8da10";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\fastclick.net.8a6435e9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\fastclick.net.8dd1284a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\fastclick.net.9b41aa53";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\mediaplex.com.dc30fb3c";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\mediaplex.com.f652b123";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\fastclick.net.fac3d6f0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\media.adrevolver.com.2be00b0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\media.adrevolver.com.539b0606";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\media.adrevolver.com.57f415b5";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\media.adrevolver.com.7fd89687";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\msnportal.112.2o7.net.7225be6f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\overture.com.52ca467a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\overture.com.d727de6f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\questionmarket.com.3eb5a9f1";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\overture.com.e626e6be";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\questionmarket.com.4dd5e426";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revenue.net.bcf44ea1";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.44927ec";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.26b016c3";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.2df99d79";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.55564293";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.6ac59ebd";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.8642c85d";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.b8d48360";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.e936b9b1";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\serving-sys.com.400f83f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\searchportal.information.com.3a8d7204";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\statse.webtrendslive.com.b4ca7df0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tacoda.net.4366831a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tacoda.net.27341d57";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tradedoubler.com.adc507fa";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tradedoubler.com.ba12c0e9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tradedoubler.com.dc3c9994";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tradedoubler.com.eab0972e";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tradedoubler.com.ef90aa95";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tradedoubler.com.f4648305";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\yadro.ru.a4842f54";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\yadro.ru.c77afad5";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\zedo.com.6a4b36ab";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\zedo.com.27f1639b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\zedo.com.a5b6a132";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\zedo.com.c1dd09f2";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@247realmedia[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@247realmedia[1].txt:\247realmedia.com.855b46d";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@2o7[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@2o7[2].txt:\2o7.net.b2664238";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt:\ad.yieldmanager.com.830b6f08";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt:\ad.yieldmanager.com.8a47878";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@ad.yieldmanager[1].txt:\ad.yieldmanager.com.ff92306";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adrevolver[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adrevolver[2].txt:\adrevolver.com.9b9d670a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adrevolver[2].txt:\adrevolver.com.f6cfcad4";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adtech[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adtech[1].txt:\adtech.de.a9245469";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@advertising[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@advertising[2].txt:\advertising.com.1820df7a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@advertising[2].txt:\advertising.com.203aa218";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@advertising[2].txt:\advertising.com.b624fa46";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@advertising[2].txt:\advertising.com.f62113d5";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adviva[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@adviva[2].txt:\adviva.net.39ec90c";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@atdmt[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@atdmt[1].txt:\atdmt.com.7247c262";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@bs.serving-sys[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@doubleclick[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@doubleclick[1].txt:\doubleclick.net.bf396750";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt:\fastclick.net.57e8da10";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt:\fastclick.net.6fd479aa";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt:\fastclick.net.8a6435e9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt:\fastclick.net.8dd1284a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt:\fastclick.net.94ca190b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@fastclick[1].txt:\fastclick.net.fac3d6f0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@media.adrevolver[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@media.adrevolver[2].txt:\media.adrevolver.com.7fd89687";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@mediaplex[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@mediaplex[2].txt:\mediaplex.com.dc30fb3c";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@mediaplex[2].txt:\mediaplex.com.f652b123";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@questionmarket[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@revsci[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@revsci[1].txt:\revsci.net.2df99d79";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@revsci[1].txt:\revsci.net.44927ec";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@revsci[1].txt:\revsci.net.d494ec35";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@revsci[1].txt:\revsci.net.e9dbeb91";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt:\serving-sys.com.255d6f2f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt:\serving-sys.com.400f83f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt:\serving-sys.com.4b416ef8";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt:\serving-sys.com.606c3d3b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt:\serving-sys.com.6a1cf9e8";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@serving-sys[2].txt:\serving-sys.com.c9034af6";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@statse.webtrendslive[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@statse.webtrendslive[2].txt:\statse.webtrendslive.com.b4ca7df0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@tradedoubler[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@tradedoubler[1].txt:\tradedoubler.com.ba12c0e9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@tradedoubler[1].txt:\tradedoubler.com.eab0972e";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@tradedoubler[1].txt:\tradedoubler.com.ef90aa95";"Found ";"Moved to Virus Vault"

"Rootkits"
"File";"Infection";"Result"
"c:\Documents and Settings\peter atkinson\Local Settings\Temp\UAC6387.tmp";"Hidden file";"Moved to Virus Vault"
"C:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys";"Hidden driver";"Object is hidden"
"c:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\uacinit.dll";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\system32\UACinqklxevavbwlqoob.dll";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\system32\UACpoqbpcbwnhwuwdexl.dll";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\system32\UACvpxntyxjlkmovdhrf.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\UACyedrfqmaghxsjdbej.dll";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\system32\UACymsifdnamrqqipbll.dat";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\Temp\UAC65d9.tmp";"Hidden file";"Deleted"
"c:\WINDOWS\Temp\UACd08e.tmp";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\Temp\UACe3a9.tmp";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\Temp\UACeb69.tmp";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\Temp\UACee28.tmp";"Hidden file";"Moved to Virus Vault"
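The AVG log above mixes two very different kinds of finding: dozens of tracking-cookie "Warnings" that are cleaned up trivially, and a "Rootkits" section where several objects could not be removed ("Object is hidden"). The following is an added example, not part of the thread or of AVG's own tooling: a small Python parser for AVG's semicolon-delimited report format that separates the two and lists the objects that were detected but not remediated, which is what a helper would want to see first. The embedded log excerpt is constructed from a handful of rows of the posted log; the field layout, the section names and the "is this a cookie" heuristic are assumptions based on the posted text.

```python
import csv
from collections import Counter

# Constructed excerpt modelled on the AVG log posted in this thread
# (a few rows of each section, not the full report).
SAMPLE_AVG_LOG = r'''"Scan ""Scan whole computer"" was finished."
"Rootkits";"14";"0";"14"
"Scan started:";"21 August 2009, 21:15:35"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite";"Found ";"Healed"
"C:\Documents and Settings\peter atkinson\Application Data\Mozilla\Firefox\Profiles\pvo0x35b.default\cookies.sqlite:\doubleclick.net.bf396750";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\peter atkinson\Cookies\peter_atkinson@doubleclick[1].txt";"Found ";"Moved to Virus Vault"

"Rootkits"
"File";"Infection";"Result"
"c:\Documents and Settings\peter atkinson\Local Settings\Temp\UAC6387.tmp";"Hidden file";"Moved to Virus Vault"
"C:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys";"Hidden driver";"Object is hidden"
"c:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\uacinit.dll";"Hidden file";"Moved to Virus Vault"
"c:\WINDOWS\system32\UACvpxntyxjlkmovdhrf.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\Temp\UAC65d9.tmp";"Hidden file";"Deleted"
'''

# Result strings that mean AVG actually dealt with the object (assumption:
# taken from the values that appear in the posted log).
REMEDIATED = {"Moved to Virus Vault", "Deleted", "Healed"}


def parse_avg_log(text):
    """Return a list of (section, path, infection, result) tuples.

    Rows are ';'-separated, every field is double-quoted, and embedded quotes
    are doubled, so Python's csv module handles the quoting for us.  A row with
    a single field names a section; the next '"File";"Infection";"Result"' row
    marks the start of that section's table.
    """
    findings = []
    section, in_table = None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = next(csv.reader([line], delimiter=";", quotechar='"'))
        if len(fields) == 1:            # section name ("Warnings", "Rootkits", ...)
            section, in_table = fields[0], False
            continue
        if fields[0] == "File":         # column header row
            in_table = True
            continue
        if not in_table or len(fields) != 3:
            continue                    # summary / preamble rows
        path, infection, result = (f.strip() for f in fields)
        findings.append((section, path, infection, result))
    return findings


def is_tracking_cookie(path):
    """Heuristic: IE cookie files and Firefox cookies.sqlite entries."""
    low = path.lower()
    return "\\cookies\\" in low or "cookies.sqlite" in low


def triage(findings):
    """Count findings by kind and list the objects AVG could not remediate.

    The unresolved list is de-duplicated case-insensitively because AVG reports
    the same hidden driver twice (once as a driver, once as a file).
    """
    summary = Counter()
    unresolved = set()
    for section, path, infection, result in findings:
        if section == "Warnings" and is_tracking_cookie(path):
            summary["tracking_cookies"] += 1
        elif section == "Rootkits":
            summary["rootkit_objects"] += 1
        else:
            summary["other"] += 1
        if result not in REMEDIATED:
            unresolved.add(path.lower())
    return summary, sorted(unresolved)


if __name__ == "__main__":
    summary, unresolved = triage(parse_avg_log(SAMPLE_AVG_LOG))
    print(dict(summary))
    print("Still present after the scan:")
    for path in unresolved:
        print("  ", path)
```

Run as a script it prints the per-kind counts and then the two objects left on the machine: the hidden driver in system32\drivers and one of the hidden DLLs. That is the list to carry into the next step of the cleanup; the cookie warnings are not worth anyone's time.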

#4 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts

Posted 02 September 2009 - 02:45 PM

We need to run a rootkit scan.

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open the RootRepeal icon on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the tab shown in the screenshot [image missing].
  • Click the button shown in the screenshot [image missing].
  • Check all seven boxes [image missing].
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button shown in the screenshot [image missing]. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log



#5 mbrookes
  • Topic Starter

  • Members
  • 9 posts

Posted 02 September 2009 - 05:17 PM

Hi, I just finished the scan. I was unable to open RootRepeal without the warning message "Could not read boot sector. Try adjusting the Disk Access Level in the options tab" coming up 5 times; after clicking OK on each one I then followed the instructions and completed the scan as normal:



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 22:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9EA3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B66000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA92F3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACinqklxevavbwlqoob.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpoqbpcbwnhwuwdexl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvpxntyxjlkmovdhrf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyedrfqmaghxsjdbej.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACymsifdnamrqqipbll.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACac0a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\peter atkinson\Local Settings\Temporary Internet Files\Content.IE5\GFX8CFYP\info_48[4]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\peter atkinson\Local Settings\Temporary Internet Files\Content.IE5\GFX8CFYP\bullet[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\peter atkinson\Local Settings\Temporary Internet Files\Content.IE5\JCG7RUWA\tools[1]
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: winlogon.exe (PID: 752) Address: 0x00650000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: winlogon.exe (PID: 752) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: services.exe (PID: 800) Address: 0x00650000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: services.exe (PID: 800) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: lsass.exe (PID: 812) Address: 0x00720000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: lsass.exe (PID: 812) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 980) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACac0a.tmplxevavbwlqoob.dll]
Process: svchost.exe (PID: 980) Address: 0x009f0000 Size: 217088

Object: Hidden Module [Name: UACvpxntyxjlkmovdhrf.dll]
Process: svchost.exe (PID: 980) Address: 0x00ae0000 Size: 73728

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 980) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 1052) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 1052) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 1092) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 1092) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 1220) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 1220) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: spoolsv.exe (PID: 1556) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: spoolsv.exe (PID: 1556) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 1636) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 1636) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgwdsvc.exe (PID: 1668) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgwdsvc.exe (PID: 1668) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: ehRecvr.exe (PID: 1708) Address: 0x00620000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: ehRecvr.exe (PID: 1708) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: ehSched.exe (PID: 1736) Address: 0x00600000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: ehSched.exe (PID: 1736) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: jqs.exe (PID: 1796) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: jqs.exe (PID: 1796) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: o2flash.exe (PID: 1852) Address: 0x006b0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: o2flash.exe (PID: 1852) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 1944) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 1944) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 1976) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 1976) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: mcrdsvc.exe (PID: 204) Address: 0x00610000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: mcrdsvc.exe (PID: 204) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgemc.exe (PID: 368) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgemc.exe (PID: 368) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgam.exe (PID: 532) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgam.exe (PID: 532) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgrsx.exe (PID: 548) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgrsx.exe (PID: 548) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgnsx.exe (PID: 560) Address: 0x00760000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgnsx.exe (PID: 560) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgcsrvx.exe (PID: 696) Address: 0x00770000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgcsrvx.exe (PID: 696) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: avgcsrvx.exe (PID: 1124) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: avgcsrvx.exe (PID: 1124) Address: 0x00770000 Size: 49152

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: dllhost.exe (PID: 2104) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: dllhost.exe (PID: 2104) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: alg.exe (PID: 2148) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: alg.exe (PID: 2148) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: Explorer.EXE (PID: 3828) Address: 0x00c10000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: Explorer.EXE (PID: 3828) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: igfxtray.exe (PID: 448) Address: 0x00910000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: igfxtray.exe (PID: 448) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: hkcmd.exe (PID: 456) Address: 0x00910000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: hkcmd.exe (PID: 456) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: igfxpers.exe (PID: 464) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: igfxpers.exe (PID: 464) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: ctfmon.exe (PID: 680) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: ctfmon.exe (PID: 680) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: igfxsrvc.exe (PID: 1704) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: igfxsrvc.exe (PID: 1704) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: svchost.exe (PID: 2576) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: svchost.exe (PID: 2576) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: lxcycoms.exe (PID: 2880) Address: 0x009b0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: lxcycoms.exe (PID: 2880) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: WLLoginProxy.exe (PID: 376) Address: 0x00860000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: WLLoginProxy.exe (PID: 376) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: wuauclt.exe (PID: 3036) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: wuauclt.exe (PID: 3036) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: Iexplore.exe (PID: 200) Address: 0x00a10000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: Iexplore.exe (PID: 200) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: RootRepeal.exe (PID: 3452) Address: 0x00af0000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: RootRepeal.exe (PID: 3452) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: Iexplore.exe (PID: 3248) Address: 0x00a10000 Size: 49152

Object: Hidden Module [Name: UACpoqbpcbwnhwuwdexl.dll]
Process: Iexplore.exe (PID: 3248) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys

==EOF==

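The report above is the kind of output a responder reads by hand; the following is an added example (not from the thread and not part of RootRepeal itself) that pulls the same three indicator kinds out of a RootRepeal report programmatically: files invisible to the Windows API, hidden modules and the processes they were found in, and hidden services whose driver is itself a hidden file. The sample report is a constructed excerpt reusing entries from the log above, and the CORE_PROCS set and the "rootkit_likely" rule are assumptions of this example, not RootRepeal's own logic.

```python
import re

# Constructed excerpt in the RootRepeal report format shown in the post above.
SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: winlogon.exe (PID: 752) Address: 0x00650000 Size: 49152

Object: Hidden Module [Name: UACyedrfqmaghxsjdbej.dll]
Process: lsass.exe (PID: 812) Address: 0x00720000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkpkpllrxumngysppe.sys

==EOF==
"""

# Each record in the report is a two-line "Key: value" pair, so anchored
# multi-line regexes are enough to pull the three indicator kinds out.
INVISIBLE_RE = re.compile(r"^Path: (.+)\nStatus: Invisible to the Windows API!$", re.M)
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: ([^\]]+)\]\n"
                       r"Process: (\S+) \(PID: \d+\)", re.M)
SERVICE_RE = re.compile(r"^Service Name: (.+)\nImage Path: (.+)$", re.M)

# Assumption of this example: a module hidden inside these processes is system-wide.
CORE_PROCS = {"winlogon.exe", "services.exe", "lsass.exe"}

def triage(report):
    """Summarise the report's rootkit indicators and flag the pattern seen above:
    a hidden driver backing a hidden service plus a module injected into core processes."""
    invisible = set(INVISIBLE_RE.findall(report))
    injected = {}
    for name, proc in MODULE_RE.findall(report):
        injected.setdefault(name, set()).add(proc.lower())
    services = [(svc, path, path in invisible)
                for svc, path in SERVICE_RE.findall(report)]
    core_injected = [m for m, procs in injected.items() if procs & CORE_PROCS]
    return {
        "invisible_files": sorted(invisible),
        "injected": {m: sorted(p) for m, p in injected.items()},
        "hidden_services": services,
        "rootkit_likely": bool(core_injected) and any(h for _, _, h in services),
    }
```

Run `triage(open("RootRepeal.txt").read())` on a saved report; the returned dictionary lists every indicator so a helper can check it before asking for the full log.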
#6 Blade
Posted 02 September 2009 - 06:12 PM

You've got a rootkit active on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

~Blade
