New WinPC Definder


17 replies to this topic

#1 R454Duke

Posted 23 March 2009 - 10:37 PM

Here's the situation, I have the WinPC Definder virus on my wife's computer and need to remove it. I think it may be a new version of the virus as I have Malwarebytes installed and it wouldn't let me run it. I then went to the program folder and added a .exe after the icon and it executed. When I ran a scan it didn't find anything!

I clicked the update button in Malwarebytes and it downloaded a newer version but the virus prevented it from running. I then uninstalled Malwarebytes and downloaded the newest version from their website. I now have the setup icon on my desktop but when I get to the open file security warning to run/cancel I click run and the virus doesn't let me run it.

Help! I don't know what to do and I need to fix this ASAP. I go to the task manager and end the pcdefender.exe program but it still doesn't let me run the Malwarebytes setup.

Thanks!

#2 DaChew, BC Advisor

Posted 23 March 2009 - 10:45 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#3 R454Duke, Topic Starter

Posted 23 March 2009 - 10:54 PM

Thanks, doing this now...

#4 R454Duke, Topic Starter

Posted 23 March 2009 - 11:15 PM

Full scan is about 15% complete. Will post results tomorrow AM - Eastern Standard Time.

#5 R454Duke, Topic Starter

Posted 24 March 2009 - 06:21 AM

I'm back. Here is the log:

2kadiras.exe;c:\windows;Dialer.Adial;Incurable.Moved.;
Install_AIM.exe\data038;C:\Documents and Settings\Ryan Duke\My Documents\IT Programs\Install_AIM.exe;Adware.Aws;;
Install_AIM.exe;C:\Documents and Settings\Ryan Duke\My Documents\IT Programs;Archive contains infected objects;Moved.;
2kadiras.EXE;C:\Program Files\ADSL\StarModem ADSL USB MODEM\DrvBackup\WINDOWS;Dialer.Adial;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
WinVNC.exe;C:\Program Files\Common Files\Skyscape\Desktop;Program.WinVnc;Incurable.Moved.;
A0112606.dll;C:\System Volume Information\_restore{80EB0211-7A2A-421E-8B31-209F68D0A010}\RP974;Adware.Aws;Incurable.Moved.;


Please advise on next steps. The WinPC Definder virus still remains.

#6 DaChew, BC Advisor

Posted 24 March 2009 - 06:28 AM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.


#7 R454Duke, Topic Starter

Posted 24 March 2009 - 06:34 AM

I've downloaded GMER but it will not let me open the icon. I've tried double clicking, right click and open, and adding .exe in the name and opening. Norton is disabled.

Please advise.

Edit 1: Safe Mode will not let me run this either. Do you have a direct download link (non-zip) that I can try? I was able to load Malwarebytes by not saving it to my desktop first. It is now installed but it won't let me open that either.

Thanks,

Edited by R454Duke, 24 March 2009 - 07:03 AM.


#8 DaChew, BC Advisor

Posted 24 March 2009 - 07:06 AM

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.
Did it extract to the desktop as gmer.exe?

Try to rename gmer.exe to test.exe and click test.exe.

Edited by DaChew, 24 March 2009 - 07:07 AM.


#9 R454Duke, Topic Starter

Posted 24 March 2009 - 07:13 AM

Did not work. Still unable to open.

Edit 1: I deleted the file, restarted the computer, then downloaded and unzipped it again. It didn't open, but then I changed it to test.exe again and it is now running.

Woohoo!

Edited by R454Duke, 24 March 2009 - 07:18 AM.


#10 R454Duke, Topic Starter

Posted 24 March 2009 - 12:54 PM

Done. Here is the log. Please advise on next steps:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-24 13:51:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 81CC9958 ZwEnumerateKey
Code 81D65958 ZwFlushInstructionCache
Code 81D35956 IofCallDriver
Code 8272EE56 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 81D3595B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8272EE5B
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 81CC995C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 81D6595C

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[832] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AB000A
.text C:\WINDOWS\Explorer.EXE[832] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AC000A
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe[880] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00CE000A
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe[880] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00CF000A
.text C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe[936] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0081000A
.text C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe[936] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0082000A
.text C:\WINDOWS\system32\spoolsv.exe[1208] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\spoolsv.exe[1208] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\winlogon.exe[1256] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\winlogon.exe[1256] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\services.exe[1300] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\services.exe[1300] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0071000A
.text C:\WINDOWS\system32\lsass.exe[1312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\lsass.exe[1312] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0072000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1536] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006D000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1536] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006E000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1548] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0071000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1548] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0072000A
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1608] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B2000A
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1608] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B3000A
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe[1632] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes JMP 0092000A
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe[1632] ntdll.dll!LdrLoadDll + 4 7C9161CE 1 Byte [84]
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe[1632] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0093000A
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1708] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A8000A
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1708] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A9000A
.text C:\WINDOWS\ATK0100\ATKOSD.exe[1772] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A5000A
.text C:\WINDOWS\ATK0100\ATKOSD.exe[1772] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\1XConfig.exe[1852] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\1XConfig.exe[1852] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B5000A
.text C:\WINDOWS\System32\GEARSec.exe[1872] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006A000A
.text C:\WINDOWS\System32\GEARSec.exe[1872] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\ZCfgSvc.exe[1972] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\ZCfgSvc.exe[1972] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0103000A
.text C:\WINDOWS\System32\RegSrvc.exe[2016] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\RegSrvc.exe[2016] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0080000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2056] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0094000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2056] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0095000A
.text C:\WINDOWS\System32\alg.exe[2136] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\alg.exe[2136] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0070000A
.text C:\WINDOWS\ATK0100\Hcontrol.exe[2176] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00DE000A
.text C:\WINDOWS\ATK0100\Hcontrol.exe[2176] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\igfxtray.exe[2184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\igfxtray.exe[2184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\hkcmd.exe[2192] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\hkcmd.exe[2192] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A
.text C:\WINDOWS\AGRSMMSG.exe[2200] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009F000A
.text C:\WINDOWS\AGRSMMSG.exe[2200] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A0000A
.text C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe[2224] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A5000A
.text C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe[2224] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A6000A
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe[2292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A
.text C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe[2292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A
.text C:\Program Files\Winamp\winampa.exe[2308] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0096000A
.text C:\Program Files\Winamp\winampa.exe[2308] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0097000A
.text C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe[2316] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AD000A
.text C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe[2316] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AE000A
.text C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe[2324] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0102000A
.text C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe[2324] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0103000A
.text C:\WINDOWS\MXOALDR.EXE[2332] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0096000A
.text C:\WINDOWS\MXOALDR.EXE[2332] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0097000A
.text C:\Program Files\Microsoft IntelliType Pro\type32.exe[2356] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A9000A
.text C:\Program Files\Microsoft IntelliType Pro\type32.exe[2356] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AA000A
.text C:\Program Files\Microsoft IntelliPoint\point32.exe[2376] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B6000A
.text C:\Program Files\Microsoft IntelliPoint\point32.exe[2376] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE[2412] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE[2412] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0099000A
.text C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe[2436] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A7000A
.text C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe[2436] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE[2460] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE[2460] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0099000A
.text C:\Program Files\QuickTime\QTTask.exe[2504] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009D000A
.text C:\Program Files\QuickTime\QTTask.exe[2504] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009E000A
.text C:\Program Files\iTunes\iTunesHelper.exe[2528] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0099000A
.text C:\Program Files\iTunes\iTunesHelper.exe[2528] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009A000A
.text C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2552] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009A000A
.text C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe[2552] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009B000A
.text C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe[2564] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A0000A
.text C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe[2564] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A1000A
.text C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2588] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009E000A
.text C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe[2588] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009F000A
.text C:\Program Files\ADSL\StarModem ADSL USB MODEM\dslmon.exe[2600] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A5000A
.text C:\Program Files\ADSL\StarModem ADSL USB MODEM\dslmon.exe[2600] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A6000A
.text C:\Palm\Hotsync.exe[2612] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B2000A
.text C:\Palm\Hotsync.exe[2612] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B3000A
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Palm\Hotsync.exe[2612] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Common Files\Skyscape\SmartUpdate.exe[2628] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0156000A
.text C:\Program Files\Common Files\Skyscape\SmartUpdate.exe[2628] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0157000A
.text C:\PROGRA~1\Webshots\webshots.scr[2652] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B6000A
.text C:\PROGRA~1\Webshots\webshots.scr[2652] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B7000A
.text C:\Program Files\Skyscape\Desktop\smARTalerts\smARTalerts.exe[2968] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009C000A
.text C:\Program Files\Skyscape\Desktop\smARTalerts\smARTalerts.exe[2968] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009D000A
.text C:\Documents and Settings\Ryan Duke\Desktop\test.exe[3340] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009E000A
.text C:\Documents and Settings\Ryan Duke\Desktop\test.exe[3340] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3444] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3444] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0080000A
.text C:\Program Files\iPod\bin\iPodService.exe[3556] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0073000A
.text C:\Program Files\iPod\bin\iPodService.exe[3556] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0074000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A8000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A9000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WININET.dll!HttpAddRequestHeadersA 771C4092 5 Bytes JMP 00B4000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WININET.dll!HttpAddRequestHeadersW 771CEECC 5 Bytes JMP 00BC000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00BDFC50 \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BE0B00 \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BE09E0 \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00BE0000 \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3760] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BE0CC0 \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
.text C:\WINDOWS\system32\wuauclt.exe[3960] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\wuauclt.exe[3960] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\UACqvrorudo.sys (*** hidden *** ) EE843000-EE856000 (77824 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [404] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [508] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [552] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [832] 0x00BB0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [880] 0x00EA0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [900] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe [936] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1208] 0x00B30000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1256] 0x00710000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1300] 0x008C0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1312] 0x008D0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1536] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1548] 0x008E0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1608] 0x00CF0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [1632] 0x00AF0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Executive Software\Diskeeper\DkService.exe [1708] 0x00C40000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\ATK0100\ATKOSD.exe [1772] 0x00C20000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\1XConfig.exe [1852] 0x00D10000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\GEARSec.exe [1872] 0x00870000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\ZCfgSvc.exe [1972] 0x010E0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1992] 0x008A0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\RegSrvc.exe [2016] 0x009B0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2056] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2136] 0x008B0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\ATK0100\Hcontrol.exe [2176] 0x00FB0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\igfxtray.exe [2184] 0x00B60000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\hkcmd.exe [2192] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\AGRSMMSG.exe [2200] 0x00BB0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe [2224] 0x00C10000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2292] 0x00B30000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Winamp\winampa.exe [2308] 0x00B20000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe [2316] 0x00C90000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe [2324] 0x011F0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\MXOALDR.EXE [2332] 0x00B30000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliType Pro\type32.exe [2356] 0x00C50000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\point32.exe [2376] 0x00D20000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE [2412] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe [2436] 0x00C30000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE [2460] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\QuickTime\QTTask.exe [2504] 0x00B90000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2528] 0x00B50000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2552] 0x00B60000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe [2564] 0x00BC0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2588] 0x00BA0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\ADSL\StarModem ADSL USB MODEM\dslmon.exe [2600] 0x00C10000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Palm\Hotsync.exe [2612] 0x00CE0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Common Files\Skyscape\SmartUpdate.exe [2628] 0x01720000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\PROGRA~1\Webshots\webshots.scr [2652] 0x00D20000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Skyscape\Desktop\smARTalerts\smARTalerts.exe [2968] 0x00B80000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Documents and Settings\Ryan Duke\Desktop\test.exe [3340] 0x00BB0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\System32\wbem\wmiapsrv.exe [3444] 0x009B0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [3556] 0x00900000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3760] 0x00BD0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3960] 0x00B30000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACqvrorudo.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACqvrorudo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACqvrorudo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwjkdabiq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACxabrrpix.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACnstjixmp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACjorwbuyk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACetoqxmla.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACkyjkwnyr.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwolvhjrw.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACnvpeaatk.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACqvrorudo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACqvrorudo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwjkdabiq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACxabrrpix.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACnstjixmp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACjorwbuyk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACetoqxmla.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACkyjkwnyr.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwolvhjrw.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACnvpeaatk.log

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Ryan Duke\Local Settings\Temp\UAC1ca1.tmp 343040 bytes executable
File C:\Program Files\Corel\Suite8\Shared\Help\uacc8en.hlp 15586 bytes
File C:\Program Files\Corel\Suite8\Shared\Help\UACC8EN.NLI 5905 bytes
File C:\Program Files\Corel\Suite8\Template\UACC8EN.AST 19078 bytes
File C:\Program Files\Corel\Suite8\Template\UACC8EN.DLL 125952 bytes executable
File C:\WINDOWS\system32\drivers\UACqvrorudo.sys 65536 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACetoqxmla.dll 18944 bytes executable
File C:\WINDOWS\system32\uacinit.dll 5497 bytes
File C:\WINDOWS\system32\UACjorwbuyk.dll 24576 bytes executable
File C:\WINDOWS\system32\UACkoehbdpk.dll 66048 bytes
File C:\WINDOWS\system32\UACkyjkwnyr.log 26546 bytes
File C:\WINDOWS\system32\UACnstjixmp.dll 27136 bytes executable
File C:\WINDOWS\system32\UACwjkdabiq.dll 31232 bytes executable
File C:\WINDOWS\system32\UACxabrrpix.dat 127 bytes
File C:\WINDOWS\Temp\UAC6fcc.tmp 66048 bytes

---- EOF - GMER 1.0.15 ----

#11 R454Duke

R454Duke
  • Topic Starter

  • Members
  • 16 posts

Posted 24 March 2009 - 02:39 PM

I see Chewy is offline. I realize that it's probably not standard policy to have a second person jump in but I was hoping that if there is another something I need to download and run for the next step I could do it and have it ready by the time Chewy comes back online.

Thanks,
Duke

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 24 March 2009 - 04:18 PM

This is an advanced technique best reserved for the experts.

Part of the directions will be in a PM.

File C:\WINDOWS\system32\drivers\UACqvrorudo.sys 65536 bytes executable <-- ROOTKIT !!!

This is the hidden driver we have to kill.

If you can kill it, run MBAM and post that log.
Chewy

No. Try not. Do... or do not. There is no try.
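As an added example (not part of this thread and not GMER's own code), a small Python triage script over a constructed excerpt of the GMER log posted above: it ties the hidden service line to the registry key that loads the driver and its module list, checks that the driver GMER found is the file the service's imagepath names, and tallies which processes have the hidden DLL mapped. The excerpt and all section formats are taken from the log above; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the GMER 1.0.15 log posted above, trimmed to a few lines per section.
GMER_LOG = r"""
---- Libraries - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3760] 0x00BD0000
Library \\?\globalroot\systemroot\system32\UACkoehbdpk.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3960] 0x00B30000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\UACqvrorudo.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACqvrorudo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACqvrorudo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkoehbdpk.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\UACqvrorudo.sys 65536 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACkoehbdpk.dll 66048 bytes
"""

HIDDEN = r" \(\*\*\* hidden \*\*\* \) "
LIB_RE = re.compile(r"^Library (\S+)" + HIDDEN + r"@ (.+) \[\d+\] 0x[0-9A-Fa-f]+$")
SVC_RE = re.compile(r"^Service (\S+)" + HIDDEN + r"\[\w+\] (\S+)( <-- ROOTKIT !!!)?$")
REG_RE = re.compile(r"^Reg ([^@\s]+)@(\S+) (.+)$")  # registry key@value-name data
FILE_RE = re.compile(r"^File (.+) \d+ bytes( executable)?( <-- ROOTKIT !!!)?$")
def basename(path):
    return path.rsplit("\\", 1)[-1]
def triage(log):
    """Tie the hidden service to the registry that loads it and to the processes holding its DLL."""
    services, reg, rootkit_files, injected = {}, defaultdict(dict), [], defaultdict(set)
    for line in log.splitlines():
        if m := LIB_RE.match(line):                 # hidden DLL mapped into a process
            injected[basename(m.group(1))].add(basename(m.group(2)))
        elif m := SVC_RE.match(line):               # hidden driver service, e.g. UACd.sys
            services[m.group(2)] = {"driver": m.group(1), "rootkit_flag": bool(m.group(3))}
        elif m := REG_RE.match(line):
            key, name, data = m.groups()
            reg[key][name] = data
        elif (m := FILE_RE.match(line)) and m.group(3):
            rootkit_files.append(m.group(1))
    for svc, info in services.items():
        for key, values in reg.items():
            if key.endswith("\\Services\\" + svc):  # start/type/imagepath live on the service key
                info["imagepath"] = values.get("imagepath")
            elif key.endswith("\\Services\\" + svc + "\\modules"):
                info["modules"] = {n: basename(d) for n, d in values.items()}
        # The driver GMER found and the imagepath the service points at should be the same file.
        info["imagepath_matches"] = basename(info["driver"]) == basename(info.get("imagepath") or "")
    return {"hidden_services": services, "rootkit_files": rootkit_files,
            "injected": {dll: sorted(p) for dll, p in injected.items()}}
```

On the full log above, the `injected` map lists every process the Libraries section shows the hidden DLL mapped into.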

#13 R454Duke

R454Duke
  • Topic Starter

  • Members
  • 16 posts

Posted 24 March 2009 - 04:21 PM

I work in IT Databases so I may be able to figure it out with a little help. Checking PM now.

Thanks!

#14 R454Duke

R454Duke
  • Topic Starter

  • Members
  • 16 posts

Posted 24 March 2009 - 05:15 PM

Okay, I downloaded and opened RootRepeal but I'm getting an error saying:

Could not find kernal file on disk (C:\WINDOWS\system32\ntoskrnl.exe)!

Please advise.

#15 R454Duke

R454Duke
  • Topic Starter

  • Members
  • 16 posts

Posted 24 March 2009 - 06:07 PM

Rebuilding the ntoskrnl.exe file via this article online: http://www.computerhope.com/issues/ch000648.htm
