Computer infected with Metajuan trojan horse.
Post by johnnycolumbia » August 18th, 2009, 7:28 pm

Logfile of HijackThis v1.99.1
Scan saved at 00:23:50, on 19/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virgin.net/ie/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... 67studentsquestion.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net Broadband
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Visual Renderer - {16946E6F-C8B7-4D66-B97D-785B7D6BF083} - C:\WINDOWS\system\brwptr32.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\cbxuvvu.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: football365.com - {4dd6071a-038f-4806-9a54-6ea74c49760c} - C:\Program Files\football365Toolbar\insptbar.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\techguysctss\sscommon\common\snapins\toolkit_techguys\bin\sdscanner\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\SONYER~1\SONYER~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [adfwxaaa] C:\WINDOWS\system32\adfwxaaa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... 5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... ploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... trols/en/x86/client/wuweb_site.cab?1135208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... pDownloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbxuvvu - cbxuvvu.dll (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 (file missing)
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm
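The log above is the kind of thing the helpers in this thread read by eye, and the entries they go to first are the same every time: the F2 UserInit value (a clean one lists only userinit.exe; a second program appended there runs at every logon, before the shell), O20 Winlogon Notify packages (loaded into winlogon.exe as SYSTEM), O4 Run entries that launch an unfamiliar binary straight out of system32, and nameless or orphaned O2 BHOs. The script below is an added example of that triage as code, not a tool from MalwareRemoval.com or the HijackThis project. The allowlists are assumptions for the example, and the sample input is constructed from the entry types in the posted log, with a benign line of each type for contrast.

```python
import re

# Constructed sample input: the entry types from the log posted above that a
# responder checks first, with a benign line of each type for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\cbxuvvu.dll (file missing)
O4 - HKCU\..\Run: [adfwxaaa] C:\WINDOWS\system32\adfwxaaa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: cbxuvvu - cbxuvvu.dll (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
"""

# Assumed allowlists for this example. Build real ones from a known-clean
# reference install of the same Windows version and service pack.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def first_path(cmd):
    """Return the executable path at the start of a Run-key command line."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text):
    """Return (severity, line) pairs for the entries worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            # A clean UserInit value is exactly "<system32>\userinit.exe,".
            # Anything appended runs at every interactive logon, before the
            # shell, which is why trojans favour it as a persistence point.
            progs = [p for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
            if extra or len(progs) != 1:
                findings.append(("high", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Notify packages load into winlogon.exe (as SYSTEM) at logon; an
            # unrecognised one is a persistence point whether or not the DLL
            # is currently on disk.
            if m.group("name").lower() not in KNOWN_NOTIFY:
                findings.append(("high", line))
            continue
        m = RUN_RE.match(line)
        if m:
            # Run entries launching an unfamiliar binary straight out of
            # system32 deserve a look; legitimate software rarely installs there.
            folder, _, exe = first_path(m.group("cmd")).rpartition("\\")
            if folder.lower().endswith("\\system32") and exe.lower() not in KNOWN_SYSTEM32_RUN:
                findings.append(("medium", line))
            continue
        m = BHO_RE.match(line)
        if m and (m.group("name") == "(no name)" or "(file missing)" in m.group("path")):
            # Nameless or orphaned BHOs are typically leftovers of a removed
            # or self-deleting component; the CLSID registration should go.
            findings.append(("medium", line))
    return findings


if __name__ == "__main__":
    for severity, entry in triage(SAMPLE_LOG):
        print(f"[{severity}] {entry}")
```

Run against the constructed sample, the script flags the UserInit line, the cbxuvvu Notify package, the adfwxaaa Run entry and the nameless cbxuvvu BHO, and stays quiet on ctfmon.exe, the Adobe BHO and the dimsntfy package. Treat the output as a reading list, not a fix list: as Cyborg says later in the thread, most of what HijackThis shows is harmless or required, and the allowlists here are only as good as the clean reference they were built from.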

Re: Computer infected with Metajuan trojan horse.

Post by MWR 3 day Mod » August 22nd, 2009, 12:32 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 23rd, 2009, 10:43 am

Hi,
/// Welcome to MalWare Removal ///
My nickname is Cyborg, and I'll be helping you with your malware problems.
HijackThis logs can take a while to research, so please be patient.

I am currently under the guidance of the MRU teachers; everything I post to you is being reviewed by them.
This will add some time to my responses, but not to a great extent.


Before we begin...please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  • Please, if you have questions about something...ASK, don't guess or assume.
  • Only post your problem at one (1) help site. Applying fixes from multiple help sites can cause problems.
  • Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Post by johnnycolumbia » August 23rd, 2009, 11:13 am

Good to meet you Cyborg.

Thanks for helping out the technically-infirm like myself.

Ready and waiting for your help.
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 24th, 2009, 10:54 am

Hi Johnny

It has come to my attention that you have posted for help with your computer at other forums.

http://www.bleepingcomputer.com/forums/topic248986.html

May I draw your attention to the Forum Guidelines on Multi-Posting

  • If you wish to continue here please notify the other forums so they can close your threads.
  • If you wish to be helped elsewhere let me know so I can close your thread here.

If I do not hear back from you on this matter within 24 hours this thread will be closed.
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Post by johnnycolumbia » August 24th, 2009, 11:45 am

I have notified Bleeping Computer to close the thread on their site so we can continue to work here on my problem.

I apologise for the multi-post.
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 25th, 2009, 11:44 am

Hi,

Thanks for letting us know, I'll get back to you in a short while with further instructions.
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 25th, 2009, 11:56 am

Your computer has multiple infections, including a backdoor. A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Post by johnnycolumbia » August 25th, 2009, 12:43 pm

I don't have the resources to reinstall the OS (it came pre-installed on the computer) so if you're happy to try to clean the machine let's try that.

Since it became apparent that the computer was infected I haven't used it for any financial work and I have notified my bank of the situation. I'm already in the process of backing up all necessary data as I had a feeling I'd need to do that.
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 26th, 2009, 12:12 pm

Hiya Johnny,


The version of HijackThis you have used to post the HijackThis log is old. Please use this instead :

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis. Please close it.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Now that your HijackThis 2.0.2 has been installed, please uninstall the old version by going to Start > Control Panel > Add/Remove Programs, selecting HijackThis 1.99.1 and then clicking Change/Remove.

WordWrap
Your HijackThis logfile is pretty much unreadable. This is caused by having Word Wrap checked.
  • Click Start > All Programs > Accessories > Notepad
  • On the menu bar in Notepad select Format and click on WordWrap so it appears unchecked.


Download and Run ComboFix

  • Please download ComboFix, and find instructions on how to properly run it from Here
    Make sure you install the recovery console if asked to.
    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time and can be a lifesaver later.
    Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Run ComboFix as instructed by the tutorial. Normal scan time is 10-20 minutes. When ComboFix is finished running, a log will be opened. Include this log in your next reply.


SUMMARY

  • combofix.txt
  • A fresh HijackThis log using the updated HijackThis
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Post by johnnycolumbia » August 26th, 2009, 4:22 pm

I have put the HijackThis log below as requested but I can't get ComboFix to work. I have downloaded it as instructed and turned off all Anti-spyware/virus and firewalls but when I try to run Combofix nothing happens. Is there something I'm missing?


Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21:34, on 26/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\QuickTime\QTTask.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virgin.net/ie/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... stion.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net Broadband
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Visual Renderer - {16946E6F-C8B7-4D66-B97D-785B7D6BF083} - C:\WINDOWS\system\brwptr32.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\cbxuvvu.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: football365.com - {4dd6071a-038f-4806-9a54-6ea74c49760c} - C:\Program Files\football365Toolbar\insptbar.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\techguysctss\sscommon\common\snapins\toolkit_techguys\bin\sdscanner\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\SONYER~1\SONYER~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [adfwxaaa] C:\WINDOWS\system32\adfwxaaa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: cbxuvvu - cbxuvvu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10300 bytes
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 28th, 2009, 8:44 pm

Hiya Johnny,

I'm really sorry about the late reply, I've been kinda busy...

I'm working out a fix for you, hang on.

Thanks,
Cyborg.
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Post by Cyborg » August 29th, 2009, 12:51 pm

Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.
Cyborg
Regular Member
 
Posts: 1143
Joined: September 8th, 2007, 12:45 pm

Re: Computer infected with Metajuan trojan horse.

Unread postby johnnycolumbia » August 29th, 2009, 7:10 pm

Here's the results from GMER



GMER 1.0.15.15077 [btcndcl0.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 00:09:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89990BA0 ZwAlertResumeThread
SSDT 8990EC50 ZwAlertThread
SSDT 898A17B8 ZwAllocateVirtualMemory
SSDT 897FE108 ZwAssignProcessToJobObject
SSDT 898B1A20 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6DD9020]
SSDT 89860C48 ZwCreateMutant
SSDT 89A36E30 ZwCreateSymbolicLinkObject
SSDT 89981CB8 ZwCreateThread
SSDT 899082E0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB6DD92A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6DD9800]
SSDT 8989D7D8 ZwDuplicateObject
SSDT 898A4770 ZwFreeVirtualMemory
SSDT 8990AA48 ZwImpersonateAnonymousToken
SSDT 8997A210 ZwImpersonateThread
SSDT 89838108 ZwLoadDriver
SSDT 8977E1C0 ZwMapViewOfSection
SSDT 89898D28 ZwOpenEvent
SSDT 898B6A58 ZwOpenProcess
SSDT 89A65840 ZwOpenProcessToken
SSDT 8991D2F0 ZwOpenSection
SSDT 8989FB28 ZwOpenThread
SSDT 8994EE48 ZwProtectVirtualMemory
SSDT 89A4CC50 ZwResumeThread
SSDT 8998B758 ZwSetContextThread
SSDT 899E3988 ZwSetInformationProcess
SSDT 89921E30 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6DD9A50]
SSDT 897A5228 ZwSuspendProcess
SSDT 89912460 ZwSuspendThread
SSDT 89A522A8 ZwTerminateProcess
SSDT 899922C8 ZwTerminateThread
SSDT 899874E8 ZwUnmapViewOfSection
SSDT 898039D8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 VolumeFilter.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 VolumeFilter.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main@sid 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\modules@SKYNETlog.dat \systemroot\system32\SKYNETakstvuue.dat
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnkqonxex.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETdefrqmwi\modules@SKYNET.dat \systemroot\system32\SKYNETyljapyah.dat
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACceptgoelwj.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyuifontie.dat
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACjrptgxqoke.db
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACqaikclytnt.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxlwpabdlqr.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACngcvkadxmr.dll

---- EOF - GMER 1.0.15 ----
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm
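A note on reading the GMER log above, added here by the editor and not part of the original thread. GMER prints every registry finding once per ControlSet, so the same two service keys (SKYNETdefrqmwi and UACd.sys) appear eight times and the signal gets buried. The SSDT section mixes hooks GMER could attribute to a named driver (SYMEVENT.SYS, Symantec) with hooks that point at bare kernel addresses it could not map; as Cyborg's caution says, neither kind is proof of anything on its own, and security software routinely hooks the same functions. The script below is added example code (Python, not from this forum or from the GMER project) that parses a constructed excerpt of the posted log, collapses the per-ControlSet duplicates into one record per service, and flags services using three heuristics taken from the log's own structure: an image file named as an uppercase prefix plus a random lowercase string, a "modules" subkey mapping extra files under system32, and module paths using the \\?\globalroot\ prefix. The regular expressions and the random-name heuristic are the editor's assumptions, tuned to this log; naming patterns like these are widely reported for the TDSS/TDL rootkit family, but the script only reports what the log shows and decides nothing.

```python
import re
from collections import defaultdict

# Constructed excerpt of the GMER log posted above (a few lines, two ControlSets only),
# embedded so the example runs offline.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 89990BA0 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6DD9020]
SSDT 89838108 ZwLoadDriver

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi@imagepath \systemroot\system32\drivers\SKYNETaldgwkvj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETdefrqmwi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlixejynb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeagufqsmsm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwfhlditqpx.dll
"""

# Editor's assumptions about GMER's line layout, derived from the log above.
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)")
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3})\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)?(?:@(?P<val>\S+))?(?:\s+(?P<data>.*))?$"
)
# Uppercase prefix followed by 8+ random lowercase letters (heuristic, not a signature).
RANDOM_NAME_RE = re.compile(r"^[A-Z]{2,}[a-z]{8,}\.(?:sys|dll|dat|db)$")


def parse_gmer(text):
    """Split a GMER text log into SSDT hook records and registry records."""
    ssdt, reg = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt.append({"target": m["target"], "desc": m["desc"], "func": m["func"]})
            continue
        m = REG_RE.match(line)
        if m:
            reg.append({"cs": m["cs"], "svc": m["svc"], "sub": m["sub"] or "",
                        "val": m["val"], "data": (m["data"] or "").strip()})
    return ssdt, reg


def unattributed_ssdt_hooks(ssdt):
    """Hooked functions whose target is a bare kernel address rather than a named module.
    GMER prints a module path when it can map the address; a bare address means it could not.
    These are leads only: AV products hook the same functions from unnamed pool memory."""
    return [e["func"] for e in ssdt if re.fullmatch(r"[0-9A-F]{8}", e["target"])]


def collapse_services(reg):
    """Merge the per-ControlSet copies of each service key into one record."""
    svcs = defaultdict(lambda: {"controlsets": set(), "imagepath": None, "modules": {}, "injector": []})
    for e in reg:
        s = svcs[e["svc"]]
        s["controlsets"].add(e["cs"])
        if e["sub"] == "" and e["val"] and e["val"].lower() == "imagepath":
            s["imagepath"] = e["data"]
        elif e["sub"].lower() == "\\modules" and e["val"]:
            s["modules"][e["val"]] = e["data"]          # logical name -> file on disk
        elif e["sub"].lower().endswith("\\injector") and e["val"]:
            s["injector"].append(e["data"])             # DLL named for process injection
    return dict(svcs)


def triage_services(svcs):
    """Return the services that match any heuristic, with the reasons; nothing here is proof."""
    report = {}
    for name, s in svcs.items():
        reasons = []
        if s["imagepath"] and RANDOM_NAME_RE.match(s["imagepath"].rsplit("\\", 1)[-1]):
            reasons.append("image file name is an uppercase prefix plus a random lowercase string")
        if s["modules"]:
            reasons.append("service key has a 'modules' subkey mapping %d file(s)" % len(s["modules"]))
        if any(p.lower().startswith(r"\\?\globalroot") for p in s["modules"].values()):
            reasons.append(r"module paths use the \\?\globalroot prefix")
        if s["injector"]:
            reasons.append("'injector' subkey names a DLL to inject: " + ", ".join(s["injector"]))
        if reasons:
            report[name] = {"imagepath": s["imagepath"], "controlsets": sorted(s["controlsets"]), "reasons": reasons}
    return report


if __name__ == "__main__":
    ssdt, reg = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks into unnamed memory:", unattributed_ssdt_hooks(ssdt))
    for name, r in triage_services(collapse_services(reg)).items():
        print(name, r["imagepath"], "in", ", ".join(r["controlsets"]))
        for why in r["reasons"]:
            print("   -", why)
```

Run against the full log rather than the excerpt and the output is the same two services, each present in ControlSet001 through ControlSet008, which is the whole of the Registry section condensed into a handful of lines. The SSDT list it prints is deliberately not labelled malicious: on this machine Symantec owns several of the named hooks, and the unnamed ones are just as likely to be Norton's as the rootkit's, which is exactly why the helper's instruction says not to act on GMER entries by hand.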

Re: Computer infected with Metajuan trojan horse.

Unread postby Bio-Hazard » September 2nd, 2009, 9:33 am

Hello!

Sorry for the delay. Cyborg is busy so I will be taking over this log.


Download and Run ComboFix

  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

    [screenshots omitted]

  • Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you (C:\ComboFix.txt)
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix should never take more than 20 minutes including the reboot if malware is detected.

    IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Next Reply

    Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK