Home Personal Antivirus Windows



#1 whitevanman (Members, 39 posts; Norwich, East Anglia)

Posted 02 October 2009 - 04:50 PM

I have a laptop with Home Personal Antivirus Windows on it, but I have tried to run Malwarebytes in the desktop environment and in Safe Mode and it will not appear on the screen.
Looking in the Task Manager, it is in there but not visible on screen.

Is there anything I am missing?

Cheers

HijackThis log to follow Saturday.

I have stopped Home Personal Antivirus Windows from running by using msconfig, and now AVG 8.5 will update and run.
But I cannot get Malwarebytes or HJT to run on the screen.

Any ideas?

Need help.

Edited by whitevanman, 03 October 2009 - 01:16 PM.



#2 Guest_The weatherman_* (Guest)

Posted 03 October 2009 - 08:34 AM

Moved from HJT to a more appropriate forum. Tw

#3 garmanma, "Computer Masochist" (Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 03 October 2009 - 08:34 PM

Please do not post a HJT log in this forum.


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

    --------------------------------------
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark

#4 boopme, "To Insanity and Beyond" (Global Moderator, 73,221 posts; NJ USA)

Posted 03 October 2009 - 08:35 PM

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#5 whitevanman, Topic Starter (Members, 39 posts; Norwich, East Anglia)

Posted 06 October 2009 - 05:44 AM

Running from: C:\Documents and Settings\marty\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\marty\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Volume in drive C has no label.
Volume Serial Number is DC20-6BE4

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/08/2004 13:00 180,224 scecli.dll

Directory of C:\WINDOWS\system32

04/08/2004 13:00 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/08/2004 13:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 13:00 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 13:00 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 13:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
9 File(s) 1,930,752 bytes
0 Dir(s) 25,315,135,488 bytes free


MBAM clean fails to run; a small box on the screen says it cannot find hook or handle something 01.

MBAM will not complete installation and just freezes each time I try to install it.

Regedit has been disabled by the administrator.

Edited by whitevanman, 06 October 2009 - 04:40 PM.

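The DIR /a/s check garmanma asked for in post #3, applied to the listing posted in reply, as an added example that is not code from the thread or from any tool it mentions: it parses the listing and flags any protected DLL whose live system32 copy differs in size from its dllcache copy, which is what that command is meant to reveal. The sample input is the posted listing with DIR's normal column spacing restored and blank lines dropped; the function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the DIR /a/s listing whitevanman posted above, with the column
# spacing DIR actually emits and the blank lines dropped (the values are unchanged).
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is DC20-6BE4
 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
14/04/2008  01:12           181,248 scecli.dll
 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
14/04/2008  01:12           407,040 netlogon.dll
 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
14/04/2008  01:11            56,320 eventlog.dll
               3 File(s)        644,608 bytes
 Directory of C:\WINDOWS\system32
04/08/2004  13:00           180,224 scecli.dll
 Directory of C:\WINDOWS\system32
04/08/2004  13:00           407,040 netlogon.dll
 Directory of C:\WINDOWS\system32
04/08/2004  13:00            55,808 eventlog.dll
               3 File(s)        643,072 bytes
 Directory of C:\WINDOWS\system32\dllcache
04/08/2004  13:00           180,224 scecli.dll
 Directory of C:\WINDOWS\system32\dllcache
04/08/2004  13:00           407,040 netlogon.dll
 Directory of C:\WINDOWS\system32\dllcache
04/08/2004  13:00            55,808 eventlog.dll
               3 File(s)        643,072 bytes
     Total Files Listed:
               9 File(s)      1,930,752 bytes
               0 Dir(s)  25,315,135,488 bytes free
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Date, time (optional AM/PM suffix on US-locale systems), size with thousands separators,
# name. Sub-directory rows carry <DIR> instead of a size and so never match.
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}(?: [AP]M)?)\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return {filename (lower-case): {directory: size in bytes}} from DIR /a/s output."""
    files = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        dir_match = DIR_RE.match(line)
        if dir_match:
            current_dir = dir_match.group(1)
            continue
        file_match = FILE_RE.match(line)
        if file_match and current_dir is not None:
            size = int(file_match.group(3).replace(",", ""))
            files[file_match.group(4).lower()][current_dir] = size
    return dict(files)


def check_dll_pairs(files, windir=r"C:\WINDOWS"):
    r"""Flag DLLs whose live copy in system32 differs in size from the dllcache copy.

    On XP, Windows File Protection keeps a pristine copy of protected system files in
    system32\dllcache, so a patched live DLL normally shows up as a size mismatch
    between the two. Copies under SoftwareDistribution\Download are staged update
    packages (newer builds, different sizes) and are deliberately left out.
    """
    live_dir = (windir + r"\system32").lower()
    cache_dir = (windir + r"\system32\dllcache").lower()
    findings = []
    for name, copies in sorted(files.items()):
        by_dir = {d.lower(): s for d, s in copies.items()}
        live, cache = by_dir.get(live_dir), by_dir.get(cache_dir)
        if live is None:
            findings.append(f"{name}: no copy found in system32")
        elif cache is None:
            findings.append(f"{name}: no dllcache copy to compare against")
        elif live != cache:
            findings.append(f"{name}: system32 copy is {live} bytes, dllcache copy is {cache} bytes")
    return findings


if __name__ == "__main__":
    parsed = parse_dir_listing(SAMPLE_DIR_OUTPUT)
    for line in check_dll_pairs(parsed) or ["no system32/dllcache size mismatches"]:
        print(line)
```

A matching pair is not proof the file is clean: a rootkit that filters directory listings can hide a patched copy from DIR as easily as from Explorer, which is why the thread moves on to a rootkit scanner next. On this listing the three pairs match, consistent with the later RootRepeal report pointing at injected UAC*.dll modules rather than patched system DLLs.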

#6 garmanma, "Computer Masochist" (Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 06 October 2009 - 05:32 PM

Please try these:


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
----------------------------------------------------------------



Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
REM List every copy of these system DLLs under C:\WINDOWS (all attributes, subfolders included)
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default viewer, then delete this batch file
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.
Mark

#7 whitevanman, Topic Starter (Members, 39 posts; Norwich, East Anglia)

Posted 06 October 2009 - 07:05 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 00:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA4EA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A04000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA934B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACgviuqhtpdyjbabwct.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAChowxduiduxuxeikuh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnmycfalvrrexgiphw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrjsvepchjickhjkwk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyonstioepofmklwtr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5aaa.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8f73.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACce8b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf0f7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC119f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC15c5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1730.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC175b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1aa0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1bc2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1bf5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2386.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC238c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC25bd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC26fb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC272a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2b00.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2d57.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2ff9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC35d3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3a26.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3a40.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3db9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC42a0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4447.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4488.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC44b5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4702.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4afe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4b1b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4cc4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5137.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC51bd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5701.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf30a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf3c4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf6a0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACfc07.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACfd0d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACfff3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\url.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uxeventlog.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WGAErrLog.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\WGANotify.settings
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_add_ds.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP1.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_ISTMP2.DIR
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\_remove_ds.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}.ini
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9009.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC90c7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC912b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC94a9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9d0a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9fd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa05b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa08c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa3f1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa529.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa5b3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa619.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa7d1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACae10.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb19.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb2ff.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb4a4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb91a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb939.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb9db.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbbef.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbc05.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc027.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACca50.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACcab6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACcdc6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5b5e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC606f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC663a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC67cd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6801.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6901.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC69ab.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6acc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6b43.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6be1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6e4c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC704c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC731c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7463.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7d1d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7dca.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7ec9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7f52.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7f6f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8021.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8203.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8464.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC847c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC84f9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8529.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8850.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8913.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8d42.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8e6c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACcee0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACcf44.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd21.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd358.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd373.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd4a0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd670.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd6c9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd735.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd987.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACdbcb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACddd2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe0a7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe1fe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe228.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe48.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe572.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe869.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACea9e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACeac4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACedac.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbekxillovyxtudevb.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\marty\Local Settings\Temp\UACfe4b.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\marty\Local Settings\Temporary Internet Files\Content.IE5\C3B2ESHE\UACHGe%2FB%3DmyfyX9mSuyM-%2FJ%3D1249562565636503%2FK%3Dj5Y7rGPERRM1vwdnOyqR9g%2FA%3D200850219%2FR%3D0%2F%2A%24,http%3A%2F%2Fuk.mc861.mail.yahoo.com%2Fmc%2Fmd[1].htm
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: winlogon.exe (PID: 676) Address: 0x00730000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: winlogon.exe (PID: 676) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: services.exe (PID: 724) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: services.exe (PID: 724) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: lsass.exe (PID: 736) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: lsass.exe (PID: 736) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAChowxduiduxuxeikuh.dll]
Process: svchost.exe (PID: 880) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: svchost.exe (PID: 880) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: svchost.exe (PID: 880) Address: 0x008b0000 Size: 49152

Object: Hidden Module [Name: UACnmycfalvrrexgiphw.dll]
Process: svchost.exe (PID: 880) Address: 0x00bb0000 Size: 73728

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: svchost.exe (PID: 992) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: svchost.exe (PID: 992) Address: 0x008b0000 Size: 49152

Object: Hidden Module [Name: UAChowxduiduxuxeikuh.dll]
Process: svchost.exe (PID: 992) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: svchost.exe (PID: 1032) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: svchost.exe (PID: 1032) Address: 0x008b0000 Size: 49152

Object: Hidden Module [Name: UAChowxduiduxuxeikuh.dll]
Process: svchost.exe (PID: 1032) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: svchost.exe (PID: 1112) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: svchost.exe (PID: 1112) Address: 0x008b0000 Size: 49152

Object: Hidden Module [Name: UAChowxduiduxuxeikuh.dll]
Process: svchost.exe (PID: 1112) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: spoolsv.exe (PID: 1500) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: spoolsv.exe (PID: 1500) Address: 0x00b30000 Size: 49152

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: AppleMobileDeviceService.exe (PID: 1604) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: AppleMobileDeviceService.exe (PID: 1604) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: avgwdsvc.exe (PID: 1620) Address: 0x007f0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: avgwdsvc.exe (PID: 1620) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: mDNSResponder.exe (PID: 1648) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: mDNSResponder.exe (PID: 1648) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: jqs.exe (PID: 1724) Address: 0x007d0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: jqs.exe (PID: 1724) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: HPZipm12.exe (PID: 1764) Address: 0x007a0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: HPZipm12.exe (PID: 1764) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: SMAgent.exe (PID: 1836) Address: 0x00890000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: SMAgent.exe (PID: 1836) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: svchost.exe (PID: 1864) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: svchost.exe (PID: 1864) Address: 0x008b0000 Size: 49152

Object: Hidden Module [Name: UAChowxduiduxuxeikuh.dll]
Process: svchost.exe (PID: 1864) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: symlcsvc.exe (PID: 1880) Address: 0x00c20000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: symlcsvc.exe (PID: 1880) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: wdfmgr.exe (PID: 1912) Address: 0x006c0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: wdfmgr.exe (PID: 1912) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: avgemc.exe (PID: 208) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: avgemc.exe (PID: 208) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: avgrsx.exe (PID: 256) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: avgrsx.exe (PID: 256) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: avgnsx.exe (PID: 300) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: avgnsx.exe (PID: 300) Address: 0x00840000 Size: 49152

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: avgcsrvx.exe (PID: 488) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: avgcsrvx.exe (PID: 488) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: alg.exe (PID: 780) Address: 0x007b0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: alg.exe (PID: 780) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: Explorer.EXE (PID: 1548) Address: 0x00dc0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: Explorer.EXE (PID: 1548) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: SMax4PNP.exe (PID: 2188) Address: 0x00cc0000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: SMax4PNP.exe (PID: 2188) Address: 0x00e00000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: igfxtray.exe (PID: 2212) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: igfxtray.exe (PID: 2212) Address: 0x00b60000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: hkcmd.exe (PID: 2220) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: hkcmd.exe (PID: 2220) Address: 0x00b50000 Size: 49152

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: EabServr.exe (PID: 2244) Address: 0x00aa0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: EabServr.exe (PID: 2244) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: HP Wireless Assistant.exe (PID: 2276) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: HP Wireless Assistant.exe (PID: 2276) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: ybrwicon.exe (PID: 2292) Address: 0x00b40000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: ybrwicon.exe (PID: 2292) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: BTHelpNotifier.exe (PID: 2320) Address: 0x00e10000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: BTHelpNotifier.exe (PID: 2320) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: McciTrayApp.exe (PID: 2344) Address: 0x00c10000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: McciTrayApp.exe (PID: 2344) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: wmiprvse.exe (PID: 2412) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: wmiprvse.exe (PID: 2412) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: realsched.exe (PID: 2424) Address: 0x00b40000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: realsched.exe (PID: 2424) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: ycommon.exe (PID: 2476) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: ycommon.exe (PID: 2476) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: avgtray.exe (PID: 2600) Address: 0x00da0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: avgtray.exe (PID: 2600) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: iTunesHelper.exe (PID: 2720) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: iTunesHelper.exe (PID: 2720) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: ctfmon.exe (PID: 2716) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: ctfmon.exe (PID: 2716) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: jusched.exe (PID: 2784) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: jusched.exe (PID: 2784) Address: 0x00d70000 Size: 49152

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: HPWuSchd2.exe (PID: 2880) Address: 0x00b20000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: HPWuSchd2.exe (PID: 2880) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: MsnMsgr.Exe (PID: 2920) Address: 0x01350000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: MsnMsgr.Exe (PID: 2920) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: SPUVolumeWatcher.exe (PID: 3032) Address: 0x00b40000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: SPUVolumeWatcher.exe (PID: 3032) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: hpqwmi.exe (PID: 3208) Address: 0x008a0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: hpqwmi.exe (PID: 3208) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: ymsgr_tray.exe (PID: 3552) Address: 0x00b40000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: ymsgr_tray.exe (PID: 3552) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: iPodService.exe (PID: 3676) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: iPodService.exe (PID: 3676) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: RootRepeal.exe (PID: 4028) Address: 0x00bb0000 Size: 49152

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: RootRepeal.exe (PID: 4028) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACrjsvepchjickhjkwk.dll]
Process: Iexplore.exe (PID: 1740) Address: 0x00c20000 Size: 45056

Object: Hidden Module [Name: UACgviuqhtpdyjbabwct.dll]
Process: Iexplore.exe (PID: 1740) Address: 0x00cd0000 Size: 49152

Object: Hidden Module [Name: UAChowxduiduxuxeikuh.dll]
Process: Iexplore.exe (PID: 1740) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSmhct.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbekxillovyxtudevb.sys

==EOF==


Volume in drive C has no label.
Volume Serial Number is DC20-6BE4

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/08/2004 13:00 180,224 scecli.dll

Directory of C:\WINDOWS\system32

04/08/2004 13:00 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/08/2004 13:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 13:00 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 13:00 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 13:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
9 File(s) 1,930,752 bytes
0 Dir(s) 25,503,916,032 bytes free


Both logs, as requested, went smoothly with no hiccups.

PS: using XP Home.

Cheers

#8 garmanma

garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 07 October 2009 - 04:59 PM

Now that you were successful in creating those two logs, you need to post them in our HJT forum.
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that these logs were all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark
