Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

UAC Trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 Desperateforhelp10

Desperateforhelp10

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 06 May 2009 - 09:11 PM

I have used Spybot Search and Destroy, MalwareBytes and Avira. All of these programs detected a UAC trogan. Every time they discovered the program, they would say file cannot be removed, reboot immediately to remove, but then it still is not removed. The Avira identifies the remaining part as TR/Rootkit.gen and the Spybot Search said Rootkit.trace. I have the logs if they are needed. I am pasting the Avirra log in as it identifies the virus files. Please help as I am a small business of 1 and projects are due!

AVIRA
Starting search for hidden objects.
The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\AVSCAN-20090505-222725-7F9B3EFD.avp'.
c:\windows\system32\drivers\uacthwekooe.sys
[INFO] The file is not visible.
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a6403fe.qua'!
c:\windows\system32\uacgbigwfrf.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\uacinit.dll
[INFO] The file is not visible.
c:\windows\system32\uaclkmoynxs.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\uacoqbprxdu.dat
[INFO] The file is not visible.
c:\windows\system32\uacoqurmqfq.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Alureon.BF Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\uacqptedmru.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\uacvjslewft.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/PCK.Tdss.F.2164 Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\uacxuqlpilr.log
[INFO] The file is not visible.
c:\documents and settings\user\local settings\temp\uacce71.tmp
[INFO] The file is not visible.
[DETECTION] Is the TR/Patched.EQ Trojan
[INFO] No SpecVir entry was found!


DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 20:32:04.87 on Wed 05/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.91 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\O09MGENY\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.sbc.com/dsl
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uWindows: load= HPLJSW.EXE
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Matrox Powerdesk] c:\windows\system32\pdesk\PDesk.exe /Autolaunch
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\acer display\edisplay management\DTHtml.exe -startup_folder
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - hxxp://zone.msn.com/bingame/trbo/default/ActiveLauncher.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238520289375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-5 11608]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-3-23 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-3-4 202928]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-5 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-5 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-5 55640]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-3-23 69936]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-3-17 894248]
S3 Adtalasstem;Adtalasstem; [x]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]

=============== Created Last 30 ================

2009-05-06 19:05 <DIR> --d----- c:\program files\Cobian Backup 9
2009-05-06 17:06 993 a------- c:\windows\wininit.ini
2009-05-06 15:29 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-05-06 02:34 <DIR> --d----- c:\program files\CCleaner
2009-05-06 02:17 <DIR> --d----- c:\windows\pss
2009-05-06 01:36 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-06 01:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-06 01:15 <DIR> --d----- c:\program files\Trend Micro
2009-05-06 00:46 <DIR> --d----- c:\program files\Secalware
2009-05-06 00:33 <DIR> --d----- c:\windows\system32\KB905474
2009-05-06 00:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-06 00:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 00:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-06 00:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 22:39 118 a------- c:\windows\system32\MRT.INI
2009-05-05 14:03 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-05 14:03 <DIR> --d----- c:\program files\Avira
2009-05-05 14:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-05 13:18 106 a------- c:\docume~1\user\applic~1\netstat.bat
2009-04-20 13:46 <DIR> --d----- c:\program files\Microsoft
2009-04-20 13:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-20 13:43 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-18 16:06 <DIR> --d----- C:\swsetup
2009-04-17 00:38 283,648 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:38 60,416 -c------ c:\windows\system32\dllcache\colbact.dll
2009-04-17 00:38 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:38 616,960 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:38 473,088 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:38 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:38 399,360 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:38 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:38 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 00:36 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 00:36 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-30 23:48 2,608 a------- c:\windows\system32\d3d9caps.dat
2009-04-18 11:01 2,496 a------- c:\windows\system32\d3d8caps.dat
2009-03-17 13:26 65,320 a------- c:\windows\system32\sbbd.exe
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-02-20 03:14 668,160 a------- c:\windows\system32\wininet.dll
2009-02-20 03:14 81,920 -------- c:\windows\system32\ieencode.dll
2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-06 12:24 2,180,480 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:49 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 20:32:29.04 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 10 May 2009 - 07:23 PM

Hello.

I'm Extremeboy and I will help you with your log.

Posted ImageRootkit Threat

Unfortunatly One or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:IF YOU WISH TO CONTINUE FOLLOW THE STEPS BELOW


Download and Run ComboFix (Rename Before Saving)


Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image

Posted Image

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.


Download and Run Scan with GMER

We will use GMER to scan for rootkits.This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    Posted Image
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 15 May 2009 - 07:48 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 17 May 2009 - 04:34 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users