
Can't install MBAM or HJT



Hi all,

I recently became infected with a nasty worm that went through all my FTP credentials, connected, and edited all the index files it found. It caused a lot of grief to myself as well as my boss. Using various programs I was able to remove it, thinking it would end my troubles. Apparently I was pretty well infected, since I still have a few problems. An iexplore process starts running every few minutes and starts playing an annoying voice ad. I also keep getting Google Installer error popups (those Windows ones where you can send the error report or not), though reading through other topics I think this may be unrelated.

If I try to install Malwarebytes or HijackThis I am unable to. I rename the files but still they won't install.

After reading a number of other topics with this same issue I've decided to post some logs. Let me know if there are any others you want. Thanks!

1. RootRepeal

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/19 01:42

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF22F7000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79DF000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB7F36000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf

Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\UACacricoodorjowlnba.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACaowyyybxrxmnklakp.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACeaehylkydxomdxkit.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACeqnlpbcnmufsgghjk.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACgswqmrnpnhgheesel.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpjrbelmdjxkuyjnte.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyantcomwomybtxtod.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC86bf.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9238.tmp

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eric\Recent\Win32kDiag.txt.lnk

Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACjtqphwbdwxsxekbvk.sys

Status: Invisible to the Windows API!

Path: c:\documents and settings\eric\local settings\temp\etilqs_30z03nmgpqyoe6siydee

Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\eric\local settings\temp\etilqs_4mhjbcdxnvntsurcmoyh

Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: C:\Documents and Settings\Eric\Local Settings\Temp\UAC3252.tmp

Status: Invisible to the Windows API!

Path: c:\documents and settings\eric\application data\skype\eric.famiglietti\etilqs_rt9cqedjmbhk1ejtlgbd

Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\eric\application data\skype\eric.famiglietti\etilqs_vpoh0bxe5tx4wxdmii0e

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\eric\local settings\application data\google\chrome\user data\default\current session

Status: Size mismatch (API: 32833, Raw: 29009)

Stealth Objects

-------------------

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: winlogon.exe (PID: 1496) Address: 0x007f0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: winlogon.exe (PID: 1496) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: services.exe (PID: 1544) Address: 0x008f0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: services.exe (PID: 1544) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: lsass.exe (PID: 1556) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: lsass.exe (PID: 1556) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: Ati2evxx.exe (PID: 1736) Address: 0x00c20000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: Ati2evxx.exe (PID: 1736) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 1756) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACaowyyybxrxmnklakp.dll]

Process: svchost.exe (PID: 1756) Address: 0x00a30000 Size: 73728

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 1756) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 1756) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 1756) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 1864) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 1864) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 1864) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 1864) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 344) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 344) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 344) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 344) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 788) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 788) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 788) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 788) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 312) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 312) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 312) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 312) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: AAWService.exe (PID: 960) Address: 0x00a20000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: AAWService.exe (PID: 960) Address: 0x00d20000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: spoolsv.exe (PID: 1052) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: spoolsv.exe (PID: 1052) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: SCardSvr.exe (PID: 1120) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: SCardSvr.exe (PID: 1120) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 848) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 848) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 848) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 848) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: AppleMobileDeviceService.exe (PID: 904) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: AppleMobileDeviceService.exe (PID: 904) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 916) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 916) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 916) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 916) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: mDNSResponder.exe (PID: 948) Address: 0x009c0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: mDNSResponder.exe (PID: 948) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: btwdins.exe (PID: 1164) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: btwdins.exe (PID: 1164) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: cvpnd.exe (PID: 1384) Address: 0x00e00000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: cvpnd.exe (PID: 1384) Address: 0x00af0000 Size: 45056

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 2020) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 2020) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 2020) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 2020) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: jqs.exe (PID: 1996) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: jqs.exe (PID: 1996) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: SMAgent.exe (PID: 264) Address: 0x00950000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: SMAgent.exe (PID: 264) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: svchost.exe (PID: 492) Address: 0x00740000 Size: 81920

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: svchost.exe (PID: 492) Address: 0x008f0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: svchost.exe (PID: 492) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UAC9238.tmpcomwomybtxtod.dll]

Process: svchost.exe (PID: 492) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: WMPNetwk.exe (PID: 868) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: WMPNetwk.exe (PID: 868) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: unsecapp.exe (PID: 2168) Address: 0x00db0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: unsecapp.exe (PID: 2168) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: alg.exe (PID: 2200) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: alg.exe (PID: 2200) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: wmiprvse.exe (PID: 2480) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: wmiprvse.exe (PID: 2480) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: Ati2evxx.exe (PID: 2600) Address: 0x00c20000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: Ati2evxx.exe (PID: 2600) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: asghost.exe (PID: 2648) Address: 0x00c60000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: asghost.exe (PID: 2648) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: Explorer.EXE (PID: 2728) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: Explorer.EXE (PID: 2728) Address: 0x00c70000 Size: 49152

Object: Hidden Module [Name: UACpjrbelmdjxkuyjnte.dll]

Process: Explorer.EXE (PID: 2728) Address: 0x10000000 Size: 81920

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: AGRSMMSG.exe (PID: 3040) Address: 0x00c70000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: AGRSMMSG.exe (PID: 3040) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: SMax4PNP.exe (PID: 3076) Address: 0x00bd0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: SMax4PNP.exe (PID: 3076) Address: 0x00eb0000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: atiptaxx.exe (PID: 3264) Address: 0x00c30000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: atiptaxx.exe (PID: 3264) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: tfswctrl.exe (PID: 3380) Address: 0x00950000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: tfswctrl.exe (PID: 3380) Address: 0x00c50000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: SynTPLpr.exe (PID: 3412) Address: 0x00be0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: SynTPLpr.exe (PID: 3412) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: SynTPEnh.exe (PID: 3444) Address: 0x00d00000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: SynTPEnh.exe (PID: 3444) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: EabServr.exe (PID: 3504) Address: 0x00b60000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: EabServr.exe (PID: 3504) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: HP Wireless Assistant.exe (PID: 3580) Address: 0x00c90000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: HP Wireless Assistant.exe (PID: 3580) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: iTunesHelper.exe (PID: 3628) Address: 0x00c20000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: iTunesHelper.exe (PID: 3628) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: fw1082panel.exe (PID: 3748) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: fw1082panel.exe (PID: 3748) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: cledx.exe (PID: 3760) Address: 0x00c30000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: cledx.exe (PID: 3760) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: WMPNSCFG.exe (PID: 3848) Address: 0x00b10000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: WMPNSCFG.exe (PID: 3848) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: BTTray.exe (PID: 4068) Address: 0x00ac0000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: BTTray.exe (PID: 4068) Address: 0x00db0000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: SetPoint.exe (PID: 4092) Address: 0x00dd0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: SetPoint.exe (PID: 4092) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: HPQWMI.exe (PID: 244) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: HPQWMI.exe (PID: 244) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: vpngui.exe (PID: 420) Address: 0x00b10000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: vpngui.exe (PID: 420) Address: 0x00df0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: BTSTAC~1.EXE (PID: 1196) Address: 0x00d10000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: BTSTAC~1.EXE (PID: 1196) Address: 0x01010000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: iPodService.exe (PID: 2384) Address: 0x009e0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: iPodService.exe (PID: 2384) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: KHALMNPR.EXE (PID: 2632) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: KHALMNPR.EXE (PID: 2632) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: ipseclog.exe (PID: 2860) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: ipseclog.exe (PID: 2860) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: AAWTray.exe (PID: 3980) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: AAWTray.exe (PID: 3980) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: Skype.exe (PID: 1908) Address: 0x02370000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: Skype.exe (PID: 1908) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: skypePM.exe (PID: 3384) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: skypePM.exe (PID: 3384) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: chrome.exe (PID: 5624) Address: 0x00d00000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: chrome.exe (PID: 5624) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: chrome.exe (PID: 3440) Address: 0x00d50000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: chrome.exe (PID: 3440) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: chrome.exe (PID: 5504) Address: 0x00d50000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: chrome.exe (PID: 5504) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: RootRepeal.exe (PID: 4796) Address: 0x00d70000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: RootRepeal.exe (PID: 4796) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: Iexplore.exe (PID: 4444) Address: 0x00d40000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: Iexplore.exe (PID: 4444) Address: 0x00ad0000 Size: 45056

Object: Hidden Module [Name: UACyantcomwomybtxtod.dll]

Process: Iexplore.exe (PID: 4444) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]

Process: chrome.exe (PID: 5944) Address: 0x00d50000 Size: 49152

Object: Hidden Module [Name: UACgswqmrnpnhgheesel.dll]

Process: chrome.exe (PID: 5944) Address: 0x10000000 Size: 45056

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACjtqphwbdwxsxekbvk.sys

==EOF==

2. Win32kDiag

Searching 'C:\WINDOWS'...

Finished!

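A way to triage a RootRepeal report like the one above, added here as an example and not code from this thread or from the RootRepeal project: it groups the "Key: value" lines of the Hidden/Locked Files, Stealth Objects and Hidden Services sections into records, then reports which files are hidden under a common name prefix, how many distinct processes each hidden module sits in, and whether a hidden service points at a driver that is itself hidden from the file API. The SAMPLE_LOG excerpt is constructed in RootRepeal's layout from a few entries of the scan above; the "UAC" prefix default and the verdict wording are assumptions.

```python
"""Triage a RootRepeal report: hidden files, injection breadth, hidden services."""
import ntpath
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report layout (a handful of entries, not
# a full scan). The UAC* names follow the pattern in the scan posted above.
SAMPLE_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACeqnlpbcnmufsgghjk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACjtqphwbdwxsxekbvk.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]
Process: winlogon.exe (PID: 1496) Address: 0x007f0000 Size: 49152

Object: Hidden Module [Name: UACeqnlpbcnmufsgghjk.dll]
Process: services.exe (PID: 1544) Address: 0x008f0000 Size: 49152

Object: Hidden Module [Name: UACyantcomwomybtxtod.dll]
Process: Iexplore.exe (PID: 4444) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACjtqphwbdwxsxekbvk.sys
==EOF==
"""

HEADER_UNDERLINE = re.compile(r"^-{5,}$")
MODULE_RE = re.compile(r"Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROCESS_RE = re.compile(r"^(?P<process>.+?) \(PID: (?P<pid>\d+)\)")


def parse_rootrepeal(text):
    """Group each section's 'Key: value' lines into records; blank lines end a record."""
    sections = defaultdict(list)
    lines = [ln.strip() for ln in text.splitlines()]
    section, record = None, {}
    for i, line in enumerate(lines):
        if line and i + 1 < len(lines) and HEADER_UNDERLINE.match(lines[i + 1]):
            if record:
                sections[section].append(record)
            section, record = line, {}            # a header is underlined with dashes
        elif not line or HEADER_UNDERLINE.match(line) or line.startswith("=="):
            if record:
                sections[section].append(record)  # blank line, rule or ==EOF== ends a record
            record = {}
        elif section and ": " in line:
            key, value = line.split(": ", 1)      # "Process: x (PID: 1) ..." keeps its tail
            record[key] = value
    if record:
        sections[section].append(record)
    return sections


def triage(sections, prefix="UAC"):
    """Reduce a parsed report to the facts a responder acts on."""
    files = sections["Hidden/Locked Files"]
    # Files hidden under the rootkit's name prefix; "Locked" entries such as
    # hiberfil.sys are normal for Windows and are not counted.
    prefix_files = sorted(
        f.get("Path", "") for f in files
        if ntpath.basename(f.get("Path", "")).upper().startswith(prefix.upper())
        and f.get("Status", "").startswith("Invisible"))
    # Distinct processes each hidden module was found in: the same DLL inside
    # winlogon, services, lsass and every svchost means system-wide injection.
    by_module = defaultdict(set)
    for obj in sections["Stealth Objects"]:
        mod = MODULE_RE.search(obj.get("Object", ""))
        proc = PROCESS_RE.match(obj.get("Process", ""))
        if mod and proc:
            by_module[mod.group("name")].add((proc.group("process"), int(proc.group("pid"))))
    breadth = sorted(((name, len(p)) for name, p in by_module.items()),
                     key=lambda item: (-item[1], item[0]))
    injected = set().union(*by_module.values())
    # A hidden service whose image is itself invisible to the file API is the
    # kernel-mode component, not a merely locked file.
    hidden_paths = {f.get("Path", "").lower() for f in files}
    services = [(s.get("Service Name"), s.get("Image Path", "")) for s in sections["Hidden Services"]]
    rootkit_services = [name for name, image in services if image.lower() in hidden_paths]
    widest = breadth[0][1] if breadth else 0
    verdict = ("kernel rootkit with system-wide user-mode injection" if rootkit_services and widest >= 2
               else "user-mode injection only" if injected else "no rootkit indicators")
    return {"prefix_hidden_files": prefix_files, "modules_by_breadth": breadth,
            "injected_process_count": len(injected), "hidden_services": services,
            "rootkit_services": rootkit_services, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(parse_rootrepeal(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full scan posted above (pass the saved report text to parse_rootrepeal), the breadth count is the useful number: UACeqnlpbcnmufsgghjk.dll and UACgswqmrnpnhgheesel.dll appear in winlogon, services, lsass, every svchost, Explorer and RootRepeal itself, and the hidden service UACd.sys points at a driver that is invisible to the file API, which is why user-mode tools launched from inside that session are being blocked.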

  • Staff

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except those on its own whitelist, and this whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

