Help With Malware/Virus [Closed]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

3 Pages

< 1 2 3 >

Help With Malware/Virus [Closed], Possibly WinPC Defender

Options

Dr. Cox View Member Profile	Jul 4 2009, 11:35 AM Post #16
Member Posts: 26 OS: Vista	QUOTE (Thunderbird1988 @ Jul 4 2009, 05:20 PM) Hello Dr. Cox, Please delete your copy of Combofix and do the following: Download Combofix from any of the links below. You must rename it to Thunderbird1988.exe before saving it. Save it to your desktop. ------------------------------------------------------------ Double click on Thunderbird1988.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt so we can continue cleaning the system. Renamed it before saving but when i run it i still get the same error:

Thunderbird1988 View Member Profile	Jul 4 2009, 11:53 AM Post #17
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Open RootRepeal, if you get any errors just continue on Click the Drivers tab, click Scan, right click and select Wipe File on UACxvmylbqnbcxkisi.sys Click the Hidden/Locked Files tab, click Scan, right click and select Wipe File on C:\Windows\system32\drivers\UACxvmylbqnbcxkisi.sys C:\Windows\System32\uacinit.dll C:\Windows\System32\UACmyeiicusnvwuaet.dll C:\Windows\System32\UACpwfxombeippvtpo.dll C:\Windows\System32\UACryrerbwqibfktwr.dll C:\Windows\System32\UACvugysntfoxrqfpp.dll C:\Windows\System32\UACvvpeufduseqmsov.dat After that, please let me know how it went, and let me know if MBAM works. Thunderbird1988

Dr. Cox View Member Profile	Jul 4 2009, 11:59 AM Post #18
Member Posts: 26 OS: Vista	QUOTE (Thunderbird1988 @ Jul 4 2009, 05:53 PM) Open RootRepeal, if you get any errors just continue on Click the Drivers tab, click Scan, right click and select Wipe File on UACxvmylbqnbcxkisi.sys Click the Hidden/Locked Files tab, click Scan, right click and select Wipe File on C:\Windows\system32\drivers\UACxvmylbqnbcxkisi.sys C:\Windows\System32\uacinit.dll C:\Windows\System32\UACmyeiicusnvwuaet.dll C:\Windows\System32\UACpwfxombeippvtpo.dll C:\Windows\System32\UACryrerbwqibfktwr.dll C:\Windows\System32\UACvugysntfoxrqfpp.dll C:\Windows\System32\UACvvpeufduseqmsov.dat After that, please let me know how it went, and let me know if MBAM works. Thunderbird1988 Did the drivers tab part. On the hidden services tab only the first of the 7 show up. Tried to wipe that but it wouldn't let me. Same problem with MBAM.

Thunderbird1988 View Member Profile	Jul 4 2009, 12:09 PM Post #19
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Hello Dr. Cox, Download avz4.zip from here Unzip it to your desktop to a folder named avz4 Double click on AVZ.exe to run it. Run an update by clicking the Auto Update button on the Right of the Log window: Click Start to begin the update Note: If you recieve an error message, chose a different source, then click Start again After the update, from the "File" menu, choose "Standard Scripts" Put a check next to item 2: Advanced System Investigation Click Execute selected scripts At the next prompt, click the OK button Let the scan run and click "OK" when the completion prompt pops up Now Close out of the Standard Scripts window, and exit AVZ Navigate to the avz4 folder and locate the folder LOG Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip Attach the Compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log

Dr. Cox View Member Profile	Jul 4 2009, 12:19 PM Post #20
Member Posts: 26 OS: Vista	Attached the log. Still can't get HiJackThis running so left that part... virusinfo_syscheck.zip ( 21.45K ) Number of downloads: 10

Thunderbird1988 View Member Profile	Jul 4 2009, 12:38 PM Post #21
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Close all windows then double click on AVZ.exe Click File > Custom scripts Copy & paste the contents of the following codebox in the box in the program CODE begin SearchRootkit(true, true); SetAVZGuardStatus(True); DelBHO('{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}'); DelBHO('{7E853D72-626A-48EC-A868-BA8D5E23E045}'); DelBHO('{39fc2065-c9c7-49cd-8942-44cc2dedc844}'); BC_DeleteFile('\\?\globalroot\systemroot\system32\UACsycqbrtuaxhmcoknp.dll'); DeleteFile('C:\Windows\ieocx.dll'); BC_DeleteFile('C:\Windows\system32\drivers\UACxvmylbqnbcxkisi.sys'); BC_DeleteFile('C:\Windows\System32\uacinit.dll'); BC_DeleteFile('C:\Windows\System32\UACmyeiicusnvwuaet.dll'); BC_DeleteFile('C:\Windows\System32\UACpwfxombeippvtpo.dll'); BC_DeleteFile('C:\Windows\System32\UACryrerbwqibfktwr.dll'); BC_DeleteFile('C:\Windows\System32\UACvugysntfoxrqfpp.dll'); BC_DeleteFile('C:\Windows\System32\UACvvpeufduseqmsov.dat'); BC_ImportDeletedList; ExecuteSysClean; BC_Activate; RebootWindows(true); end. Note: When you run the script, your PC will be restarted Click Run Restart your PC if it doesn't do it automatically, and try if MBAM works Thunderbird1988

Dr. Cox View Member Profile	Jul 4 2009, 02:02 PM Post #22
Member Posts: 26 OS: Vista	That worked!:) Got rid of PCDefender for a start now. Here's the log for MBAM: Malwarebytes' Anti-Malware 1.38 Database version: 2297 Windows 6.0.6001 Service Pack 1 04/07/2009 20:57:06 mbam-log-2009-07-04 (20-57-06).txt Scan type: Quick Scan Objects scanned: 71740 Time elapsed: 2 minute(s), 43 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 8 Registry Values Infected: 3 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysav (Rogue.PCDefender) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Users\Kev\AppData\Roaming\pcdefender.exe (Rogue.PCDefender) -> Quarantined and deleted successfully. c:\Users\Kev\Desktop\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully. c:\Users\Kev\AppData\Roaming\microsoft\Windows\start menu\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully. c:\Windows\System32\UACsycqbrtuaxhmcoknp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Thunderbird1988 View Member Profile	Jul 4 2009, 02:14 PM Post #23
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Hello Dr. Cox, Can you download a new copy of Combofix and try to run it? Thunderbird1988

Dr. Cox View Member Profile	Jul 4 2009, 02:25 PM Post #24
Member Posts: 26 OS: Vista	QUOTE (Thunderbird1988 @ Jul 4 2009, 08:14 PM) Hello Dr. Cox, Can you download a new copy of Combofix and try to run it? Thunderbird1988 Still getting the same error with ComboFix:

Thunderbird1988 View Member Profile	Jul 4 2009, 02:41 PM Post #25
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Hello Dr. Cox, Can you download COmbofix again and while downloading, renaming it to Thunderbird1988.com, That might prevent Combofix from getting patched. Thunderbird1988

Dr. Cox View Member Profile	Jul 4 2009, 02:46 PM Post #26
Member Posts: 26 OS: Vista	QUOTE (Thunderbird1988 @ Jul 4 2009, 08:41 PM) Hello Dr. Cox, Can you download COmbofix again and while downloading, renaming it to Thunderbird1988.com, That might prevent Combofix from getting patched. Thunderbird1988 Exact same error when i do that.

Thunderbird1988 View Member Profile	Jul 4 2009, 02:54 PM Post #27
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Hello Dr. Cox, Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, in the menu, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit.

Dr. Cox View Member Profile	Jul 4 2009, 07:52 PM Post #28
Member Posts: 26 OS: Vista	QUOTE (Thunderbird1988 @ Jul 4 2009, 08:54 PM) Hello Dr. Cox, Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, in the menu, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Did that - the 2nd scan took hours and hours... picked up 6 things in total. I went to file > Save report and i got a blue screen before my computer restarted. During the restart i also got a black screen saying 'checking C Drive' then it restarted again.

Thunderbird1988 View Member Profile	Jul 5 2009, 02:33 AM Post #29
Trusted Helper Posts: 1,861 From: The Netherlands OS: Windows XP/Vista Dualboot	Can you run Rootrepeal again like discribed in this post? Thunderbird1988

Dr. Cox View Member Profile	Jul 5 2009, 07:28 AM Post #30
Member Posts: 26 OS: Vista	QUOTE (Thunderbird1988 @ Jul 5 2009, 09:33 AM) Can you run Rootrepeal again like discribed in this post? Thunderbird1988 Ran the Dr. Web Cureit again and took a screenshot before it went to blue screen again.: Rootrepeal log: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Time: 2009/07/05 14:19 Program Version: Version 1.3.0.0 Windows Version: Windows Vista SP1 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\Windows\System32\Drivers\dump_atapi.sys Address: 0x8E9CE000 Size: 32768 File Visible: No Signed: - Status: - Name: dump_dumpata.sys Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys Address: 0x8E9C3000 Size: 45056 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\Windows\system32\drivers\rootrepeal.sys Address: 0x9DE74000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\System Volume Information\{43e6c637-68cc-11de-9573-001fe250fdbb}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\Windows\Microsoft.NET\Framework\NETFXS~1.HKF Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\PORTAB~2.MOF Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\PRINTF~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.16830_none_29a6eeebde589a97\PRINTF~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.21023_none_2a3e34a2f76b9db7\PRINTF~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.18226_none_2b9dff39db71a7a1\PRINTF~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.22389_none_2be9bd5af4bd3b16\PRINTF~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~2.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~2.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~2.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~2.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.16720_none_9b31bbe79077558b\GROUPE~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6000.16720_none_a54ef540d05f91fc\ASPNET~1.UNI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6000.20883_none_8e870be4ea01d6ef\ASPNET~1.UNI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6001.18111_none_a529d9f6d0b19e9d\ASPNET~1.UNI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6001.22230_none_8e5e4a92ea5717b0\ASPNET~1.UNI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.20883_none_8469d28baa199a7e\GROUPE~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b 887\Microsoft.Interop.Security.AzRoles.config Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_6.0.6000.16720_none_38b929534b68462d\DEFAUL~1.ASP Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_6.0.6000.20883_none_21f13ff7650a8b20\DEFAUL~1.ASP Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_6.0.6001.18111_none_38940e094bba52ce\DEFAUL~1.ASP Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_6.0.6001.22230_none_21c87ea5655fcbe1\DEFAUL~1.ASP Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6000.16720_none_48d018cce81ec9cb\INSTAL~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6000.16720_none_48d018cce81ec9cb\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6000.20883_none_32082f7101c10ebe\INSTAL~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6000.20883_none_32082f7101c10ebe\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_48aafd82e870d66c\INSTAL~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_48aafd82e870d66c\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_31df6e1f02164f7f\INSTAL~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_personalization_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_31df6e1f02164f7f\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6000.16720_none_b898612ecd927be5\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6000.20883_none_a1d077d2e734c0d8\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_b87345e4cde48886\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_a1a7b680e78a0199\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.16720_none_7b4eba45cecd6936\IEEXEC~1.CON Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.20883_none_6486d0e9e86fae29\IEEXEC~1.CON Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.18111_none_7b299efbcf1f75d7\IEEXEC~1.CON Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.22230_none_645e0f97e8c4eeea\IEEXEC~1.CON Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-netfxsbs12_hkf_31bf3856ad364e35_6.0.6000.16720_none_0bca521ee450d037\NETFXS~1.HKF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-netfxsbs12_hkf_31bf3856ad364e35_6.0.6000.20883_none_0c16103ffd9c63ac\NETFXS~1.HKF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-netfxsbs12_hkf_31bf3856ad364e35_6.0.6001.18111_none_0dbc60fae16e5e8e\NETFXS~1.HKF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-netfxsbs12_hkf_31bf3856ad364e35_6.0.6001.22230_none_0e2f5da3fa9d1ce3\NETFXS~1.HKF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.0.6000.16720_none_6d8c18ba50aebc1f\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.0.6000.20883_none_56c42f5e6a510112\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_6d66fd705100c8c0\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_569b6e0c6aa641d3\UNINST~1.SQL Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6001.18111_none_9b0ca09d90c9622c\GROUPE~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6001.22230_none_84411139aa6edb3f\GROUPE~1.XML Status: Locked to the Windows API! Path: C:\Program Files\Windows Media Player\Network Sharing\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASPNET~1.UNI Status: Locked to the Windows API! Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL Status: Locked to the Windows API! Path: c:\windows\system32\logfiles\scm\scm.evm Status: Allocation size mismatch (API: 491520, Raw: 229376) Path: C:\Users\Kev\AppData\Roaming\Sports Interactive\Installer Launcher Status: Locked to the Windows API! Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config Status: Locked to the Windows API! Path: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SYSTEM~1.DLL Status: Locked to the Windows API! Path: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PRESEN~1.CON Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Status: Locked to the Windows API! Path: c:\programdata\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.231.crwl Status: Allocation size mismatch (API: 552, Raw: 280) Path: c:\programdata\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.231.gthr Status: Allocation size mismatch (API: 327680, Raw: 294912) Path: c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\systemindex.ntfy1039.gthr Status: Allocation size mismatch (API: 393216, Raw: 0) Processes ------------------- Path: System PID: 4 Status: Locked to the Windows API! Path: C:\Windows\System32\audiodg.exe PID: 1216 Status: Locked to the Windows API! SSDT ------------------- #: 194 Function Name: NtOpenProcess Status: Hooked by "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys" at address 0x8e99f8ac #: 334 Function Name: NtTerminateProcess Status: Hooked by "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys" at address 0x8e99f812 Stealth Objects ------------------- Object: Hidden Module [Name: WinMgmtR.dll] Process: svchost.exe (PID: 1024) Address: 0x00700000 Size: 8192 Object: Hidden Module [Name: winlogon.exe] Process: svchost.exe (PID: 1024) Address: 0x01aa0000 Size: 323584 Object: Hidden Module [Name: winlogon.exe] Process: svchost.exe (PID: 1024) Address: 0x02350000 Size: 323584 Object: Hidden Module [Name: tquery.dll] Process: svchost.exe (PID: 1024) Address: 0x715c0000 Size: 1589248 Object: Hidden Module [Name: WinMgmtR.dll] Process: svchost.exe (PID: 1024) Address: 0x713f0000 Size: 8192 Object: Hidden Module [Name: dps.dll] Process: svchost.exe (PID: 1024) Address: 0x727c0000 Size: 139264 Object: Hidden Module [Name: profsvc.dll] Process: svchost.exe (PID: 1024) Address: 0x73a10000 Size: 163840 Object: Hidden Module [Name: wevtapi.dll] Process: svchost.exe (PID: 1024) Address: 0x754b0000 Size: 258048 Object: Hidden Code [ETHREAD: 0x84989d78] Process: System Address: 0x8ac60848 Size: 1977 Object: Hidden Code [ETHREAD: 0x8498cd78] Process: System Address: 0x81b3a928 Size: 2 Object: Hidden Code [ETHREAD: 0x8498c580] Process: System Address: 0x81b38e98 Size: 360 Object: Hidden Code [ETHREAD: 0x8498c2d8] Process: System Address: 0xabe41720 Size: 1105 Object: Hidden Code [ETHREAD: 0x8498d020] Process: System Address: 0x8498d214 Size: 3565 Object: Hidden Code [ETHREAD: 0x8498dd78] Process: System Address: 0x8d0d1160 Size: 1172 Hidden Services ------------------- Service Name: UACd.sys Image Path: C:\Windows\system32\drivers\UACevuklvbodbefxkkhi.sys ==EOF==

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

3 Pages

< 1 2 3 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Need help with Identifing a virus [CLOSED]	5 / 260	22nd August 2008 - 06:44 PM quix034 started - last by andrewuk
Virus, Spyware and Trojan Removal Need Help With Malware/Virus Removal	0 / 208	10th November 2008 - 10:45 PM lsu07 started - last by lsu07
Virus, Spyware and Trojan Removal Hijack This Log - Please help with Malware problem [Closed]	9 / 515	26th January 2009 - 09:34 AM JorgeH started - last by Rorschach112
Virus, Spyware and Trojan Removal Help with some virus [Closed]	6 / 149	15th July 2009 - 04:44 PM aryfkogel started - last by Rorschach112