Trojan.Metajuan - what do I do next?

I followed Quads' instructions on how to remove the trojan from my computer. I'm not very computer literate, but I did manage to follow the removal process with little complications. The method I'm talking about can be found on another thread:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=68345&query.id=1505600#M68345

I ran Avenger according to the script. After the reboot I downloaded MBAM (Malwarebytes). I installed, updated, and ran a full system scan. The part I'm not sure about is the log. In the link posted, user "pleasehelpmenow" was supposed to show their results of the scan with Malwarebytes. I'm afraid I might necessary files, so here are my results from my scan.

 

Thank you for the help and attention.


What do you mean?

Each script is created specifically for each machine so as to prevent damage to the operating system, and to make certain it is all removed.  You may have caused yourself some serious problems by not asking for assistance.

So I wasn't supposed to use this?

Drivers to disable:

UACd.sys

 

Drivers to delete:

UACd.sys

 

Files to delete:

C:\WINDOWS\system32\drivers\UACaqgkoliqpx.sys

C:\WINDOWS\system32\UACbmqgunaybo.dll

C:\WINDOWS\system32\UACgftrwbwulr.dll

C:\WINDOWS\system32\UACmycijpyavh.dll

C:\WINDOWS\system32\UACppisrjpltp.dll

C:\WINDOWS\system32\UACspmyrodpxy.dll

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACmiheqwrlbt.db

C:\WINDOWS\system32\UACxvnrvkiqlj.dat

C:\WINDOWS\temp\UAC1e55.tmp

C:\Documents and Settings\Owner\Local Settings\Temp\UACb654.tmp

 

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\UACd.sys 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\UACd.sys

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

 

 

Here's my log if needed.
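
Added example, not part of the original thread and not a tool anyone in it used: the reply above says each removal script is written for one machine, and this Python sketch shows a pre-run check of that. It parses the four section headers visible in the posted script and reports which file targets exist in a supplied listing; the listing here is constructed from file names that appear later in this thread, and the function names are hypothetical.

```python
import ntpath

# The four section headers that appear in the script posted above.
SECTIONS = ("Drivers to disable:", "Drivers to delete:",
            "Files to delete:", "Registry keys to delete:")

# Excerpt of the posted script (it was written for a different machine).
SCRIPT = r"""Drivers to disable:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACaqgkoliqpx.sys
C:\WINDOWS\system32\UACbmqgunaybo.dll
C:\WINDOWS\system32\uacinit.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
"""

# Constructed listing: file names taken from later in this thread.
ON_DISK = [
    r"C:\WINDOWS\system32\kbiwkmycpayofh.dll",
    r"C:\WINDOWS\system32\drivers\kbiwkmfvpqypiq.sys",
    r"C:\WINDOWS\system32\kbiwkmvdksrrvi.dll",
]

def parse_script(text):
    """Group each target line under the section header that precedes it."""
    targets, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            current = line.rstrip(":")
            targets.setdefault(current, [])
        elif current is None:
            raise ValueError(f"target before any section header: {line!r}")
        else:
            targets[current].append(line)
    return targets

def check_files(targets, on_disk):
    """Split 'Files to delete' into (present, absent), ignoring case."""
    have = {ntpath.normcase(p) for p in on_disk}
    present, absent = [], []
    for path in targets.get("Files to delete", []):
        (present if ntpath.normcase(path) in have else absent).append(path)
    return present, absent

if __name__ == "__main__":
    present, absent = check_files(parse_script(SCRIPT), ON_DISK)
    print(f"{len(present)} of {len(present) + len(absent)} file targets exist here")
```
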

 

According to the MBAM log, you have a completely different rootkit, which is removed in a different process, using different tools.  Did you allow MBAM to remove what it found?  Your log shows no action taken.

No, I did not allow MBAM to remove it yet. What should I do?

Leave it for the time being and try this to see if we can still salvage the situation.

 

Please run a SysProt log for us so we can check your system for rootkit activity. You will need to disable Norton auto-protect while you run the scan.

Once it is downloaded to your desktop, right click on the SysProt icon, go to properties, and click unblock and apply.

Choose log, check all the boxes except show hidden objects only and scan.

You will be able to post the log here using the "add attachments" link just below the orange post button.

http://homepages.slingshot.co.nz/~crutches/SysProt

Okay. Here’s the SysProt log.

Mlagunzad:

 

The rootkit is still active on your system.  Quads will contact you with instructions.  There may be a bit of a wait as he seems to be somewhat buried in them today.  Please be patient, and don't do anything else until Quads has a look.

Thank you, delphinium, for walking me through. In advance, thank you, Quads, for lending your expertise to the community. I believe it to be safe to say on behalf of the forum community, we appreciate your help to the utmost.

Hi

 

I have sent you a Personal Message (PM); look for the yellow envelope near the upper right-hand corner.

 

Quads 

Hi

 

Continuation of Stage 1,  File removal

 

Now the registry entries will be greyed out I think, will get them later.

 

Tick (check) these entries (little square box beside each entry). Only the entries below, not the others.

 


C:\WINDOWS\system32\kbiwkmtkkwrbxr.dat
C:\WINDOWS\Temp\kbiwkmtewlrlitvn.tmp
C:\WINDOWS\system32\kbiwkmycpayofh.dll

C:\WINDOWS\system32\drivers\kbiwkmfvpqypiq.sys
C:\WINDOWS\system32\kbiwkmvdksrrvi.dll
C:\WINDOWS\system32\kbiwkmmovhxyme.dat



Then click the Clean items button

Follow the prompts to remove them and restart your computer.

After reboot, a dialog box displays the files you selected for removal and the action taken.

 

Step 2 after 

 

 

Quads 

Sorry for the extremely late response. I was unaware that you had posted instructions for the second step on here. I was expecting another personal message. I deleted the files I was instructed to delete and rebooted my system. It seems I'm able to browse and click links without any redirection to an unwanted site. What should I do next?

Step 2. Detect - Delete any buddies
 
Download, Install, Update the definitions and run a Full Scan with Malwarebytes  http://www.filehippo.com/download_malwarebytes_anti_malware/

By the way, did you already have Norton installed and everything running OK before you got infected??


Quads 

I'm running a full scan with Malwarebytes. Yes, I had Norton installed and everything OK before I obtained the virus. After the scan with Malwarebytes, am I to delete all entries or shall I post a log before deleting?

post log

 

Quads 

Have Malwarebytes remove all

 

Quads 

I deleted all the entries and had my computer restart to finish the removal process. What should the next step be?

You can post that removal log so that Quads can verify everything necessary was successfully removed - it would be under logs from the MBAM main screen.

 

Matt