Malwarebytes

Trying to get rid of these stealth objects


2 replies to this topic

#1
tcguy

    New Member

  • Members
  • 2 posts
Hello. I recently got a virus that bogged down my computer a bit with additional malware and the like. I removed most of it to the point where my computer runs smoothly except that I can't run MalwareBytes, Spybot, Avast!, HijackThis, and other apps even if I'm in safemode. What happens is, the program will start and I'll usually be given the option to scan my comp or something, but when I do, the program instantly closes and becomes locked (I can't rename it, delete it, etc.)

Unlocking it is no problem, but I still can't run it without it crashing.

I tried this (http://www.malwareby...showtopic=12709) tutorial and downloaded RootRepeal. When I try the regular method of scanning the C:\ drive, once it gets to a Windows folder (C:\WINDOWS\$hf_mig$ I think it is) the program will close and become locked. However, I tried the stealth scan option and this came up:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/10 22:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UACf65c.tmpsgldvs.dll]
Process: svchost.exe (PID: 1176) Address: 0x00a80000 Size: 217088

Object: Hidden Module [Name: UACxvoqopbakx.dll]
Process: svchost.exe (PID: 1176) Address: 0x00a40000 Size: 77824

Object: Hidden Module [Name: UACtwcegxokmy.dll]
Process: svchost.exe (PID: 1176) Address: 0x00d60000 Size: 73728

Object: Hidden Module [Name: rotscxbbsqgexw.dll]
Process: svchost.exe (PID: 1176) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: UACxvoqopbakx.dll]
Process: Explorer.EXE (PID: 2652) Address: 0x00d60000 Size: 77824

Object: Hidden Module [Name: rotscxlaciydss.dll]
Process: Explorer.EXE (PID: 2652) Address: 0x10000000 Size: 32768

I'm pretty sure because of the UAC prefixes that they're my problems. Explorer is also using more memory than usual. Thing is, when I try to wipe/delete them, an error comes up saying "Invalid Path!".

Any potential solutions would be greatly appreciated. :unsure:

#2
tcguy

    New Member

  • Members
  • 2 posts
Update: So I scanned hidden services too and found the UAC.sys file (along with another). I wiped it as the tutorial said, rebooted, and AntiVir caught all of those dlls before my desktop even loaded.

But my programs still won't run.

So I checked again, and the dlls in the processes are gone, but the UAC.sys file still remains, as with the other.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/10 23:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden Services
-------------------
Service Name: rotscxjduwbhxc
Image PathC:\WINDOWS\system32\drivers\rotscxxsautdiv.sys

Service Name: UACd.sys
Image PathC:\WINDOWS\system32\drivers\UACxjygscuifm.sys

I tried wiping them again and rebooting, but to no result. I tried force-deleting them, which I'm not sure was the best idea. After force-deleting, when I try to wipe them it says "Could not find file on disk!". I use a lot less memory now though which is a good thing I guess.

Still at a loss as to what to do here. I feel like I'm close.
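A small parser and triage helper for the RootRepeal report layout shown in the two posts above, added here as an example (it is not the poster's or RootRepeal's own code). It reads the Stealth Objects and Hidden Services sections, tolerates the missing colon after "Image Path" seen in the posted log, lists hidden modules per process, flags a module that has been injected into more than one process, and groups file names by their 3-letter prefix, which is how the poster spotted the UAC* naming pattern. The sample input is an excerpt of the thread's own log lines.

```python
import re
from collections import defaultdict
# Excerpt of the two RootRepeal reports in the thread; "Image Path" keeps the
# missing colon exactly as it appears in the post.
SAMPLE_REPORT = r"""Stealth Objects
-------------------
Object: Hidden Module [Name: UACxvoqopbakx.dll]
Process: svchost.exe (PID: 1176) Address: 0x00a40000 Size: 77824

Object: Hidden Module [Name: UACxvoqopbakx.dll]
Process: Explorer.EXE (PID: 2652) Address: 0x00d60000 Size: 77824

Hidden Services
-------------------
Service Name: rotscxjduwbhxc
Image PathC:\WINDOWS\system32\drivers\rotscxxsautdiv.sys
"""
MODULE_RE = re.compile(r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROC_RE = re.compile(r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
                     r"Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)")
SERVICE_RE = re.compile(r"Service Name: (?P<name>\S+)")
PATH_RE = re.compile(r"Image Path:?\s*(?P<path>\S.*)")   # colon optional

def parse_report(text):
    """Return (modules, services); each RootRepeal record spans two lines."""
    modules, services = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    for cur, nxt in zip(lines, lines[1:]):
        m, p = MODULE_RE.match(cur), PROC_RE.match(nxt)
        if m and p:
            modules.append({"name": m["name"], "process": p["proc"], "pid": int(p["pid"]),
                            "address": int(p["addr"], 16), "size": int(p["size"])})
        s, ip = SERVICE_RE.match(cur), PATH_RE.match(nxt)
        if s and ip:
            services.append({"name": s["name"], "path": ip["path"]})
    return modules, services

def triage(modules, services):
    """Modules per process, modules injected into more than one process, and
    file names grouped by 3-letter prefix (the UAC*/rotscx* pattern in the thread)."""
    per_process, pids_by_name, families = defaultdict(list), defaultdict(set), defaultdict(int)
    for mod in modules:
        per_process[f"{mod['process']}:{mod['pid']}"].append(mod["name"])
        pids_by_name[mod["name"]].add(mod["pid"])
    names = set(pids_by_name) | {s["path"].rsplit("\\", 1)[-1] for s in services}
    for n in names:
        families[n[:3].lower()] += 1
    return {"per_process": dict(per_process), "families": dict(families),
            "shared": sorted(n for n, p in pids_by_name.items() if len(p) > 1)}
```

Run `triage(*parse_report(open("report.txt").read()))` on a full saved report; a module listed under several PIDs and a driver whose file name shares a prefix with those modules are the items to hand to the helper first.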

#3
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Scan and post logs - read note at bottom in green
If you're having Malware related issues with your computer that you're unable to resolve.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
