NTOSKRNL-HOOK infection


30 replies to this topic

#1 mapetrsn

Posted 04 August 2009 - 05:35 PM

Running Vista. McAfee finds NTOSKRNL-HOOK infection every time I run it. Google results like FF Download are blocked. Blocking all my other antivirus programs. Won't let me run Malwarebytes, SmitfraudFix, drweb-cureit, or RootRepeal. Was able to run ATF-Cleaner, but that hasn't helped. Was able to download Superantispyware, but was blocked from installing it. Any help would be appreciated. I know you guys are volunteers. Thanks.

Edited by mapetrsn, 04 August 2009 - 05:37 PM.



#2 rigel

Posted 04 August 2009 - 08:17 PM

Let's start here:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 mapetrsn


Posted 05 August 2009 - 11:04 AM

Done. Also, I use FF, but this keeps opening multiple IE windows in the background until it crashes. Report below:

C:\Windows\System32\net.net a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting - quarantined

Still can't turn on Security Center or run any other antiviral programs.

Edited by mapetrsn, 05 August 2009 - 11:07 AM.


#4 DaChew


Posted 05 August 2009 - 11:13 AM

Do you have access to another computer and a usb jump drive?

If you do, run this immunization tool on both.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


You can download, extract and rename it on the clean computer, then transfer it to the USB drive.
Chewy

No. Try not. Do... or do not. There is no try.

#5 mapetrsn


Posted 05 August 2009 - 02:22 PM

I was able to download it, but could not run it.

#6 mapetrsn


Posted 06 August 2009 - 11:18 AM

Renamed MBAM and was able to run a quick scan. Will now run a full scan. Log posted below:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

8/6/2009 12:12:27 PM
mbam-log-2009-08-06 (12-12-27).txt

Scan type: Quick Scan
Objects scanned: 101347
Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av care (Rogue.AVCare) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Michael Peterson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Family\Desktop\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.

#7 DaChew


Posted 06 August 2009 - 11:47 AM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • Click on the Files tab, then click the Scan button.
  • In the Select Drives dialog, under Please select drives to scan:, select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

#8 mapetrsn


Posted 06 August 2009 - 01:04 PM

Thanks for the reply. When I run RootRepeal (with firewalls down, etc...), my computer locks up and I have to do a hard reboot. I ran the full scan with Mbam, log below:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

8/6/2009 1:30:07 PM
mbam-log-2009-08-06 (13-30-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 426480
Time elapsed: 1 hour(s), 10 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#9 DaChew


Posted 06 August 2009 - 01:09 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#10 mapetrsn


Posted 06 August 2009 - 04:52 PM

There wasn't anything there that it said should be deleted. Here are the Sophos results:


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 8/6/2009 at 16:28:02 PM
User "Michael Peterson" on computer "MICHAELPETER-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\UACvnmaetmrml.dat
Hidden: file C:\Windows\System32\UAChwraiitbir.dll
Hidden: file C:\Windows\Temp\UACe993.tmp
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\UAC503b.tmp
Hidden: file C:\Windows\System32\drivers\UACxoxlherymr.sys
Hidden: file C:\Windows\System32\UACsyvplkbcpk.dll
Hidden: file C:\Windows\System32\UAChpfebfnfpw.dll
Hidden: file C:\Windows\Temp\UAC1e58.tmp
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\nsn106A.tmp\UAC.dll
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\nsn2AEC.tmp\UAC.dll
Hidden: file C:\Windows\System32\UACldamnvucix.dll
Hidden: file C:\Windows\System32\UACmecsyfvppq.db
Hidden: file C:\Windows\System32\UACbbciujertx.dll
Hidden: file C:\Windows\System32\uacinit.dll
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x126.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x127.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x229.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x232.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x239.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x315.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x331.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x395.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x398.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x400.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x401.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x402.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x403.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x404.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x405.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x406.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x408.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x410.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x411.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x412.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x414.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x415.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x416.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x417.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x418.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x419.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x420.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x421.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x422.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x423.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x425.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x427.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x428.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x429.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x430.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x431.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x434.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x435.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x436.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x437.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x438.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x440.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x441.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x442.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x443.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x444.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x445.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x446.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x447.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x448.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x449.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x450.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x451.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x452.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x453.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x454.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x455.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x456.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x457.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x458.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x459.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x461.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x462.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x463.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x464.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x465.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x466.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x467.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x468.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x469.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x470.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x471.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x472.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x473.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x474.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x475.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x476.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x477.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x478.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x479.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x480.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x481.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x482.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x483.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x484.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x485.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x486.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x487.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x488.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x489.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x490.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x491.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x492.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x493.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x494.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x496.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x497.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x498.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x499.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x64.xml
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x79.xml
Hidden: file C:\PerfLogs\System\Diagnostics\20080828-0001\UAC Settings.xml
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_001.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_002.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_003.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_004.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_005.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_006.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_007.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_008.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_009.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_010.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_011.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_012.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_013.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_014.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_015.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_016.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_017.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_018.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_019.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_020.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_021.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_022.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_023.wav
Hidden: file C:\Users\Family\AppData\Roaming\Barbie™\Barbie™ In The 12 Dancing Princesses\GAME EXPORTS\audio\English\My Show Finale\MYSHFIN_024.wav
Info: Starting disk scan of D: (NTFS).
Stopped logging on 8/6/2009 at 17:37:34 PM

Edited by mapetrsn, 06 August 2009 - 04:55 PM.


#11 DaChew


Posted 06 August 2009 - 05:46 PM

Hidden: file C:\Windows\System32\UACvnmaetmrml.dat
Hidden: file C:\Windows\System32\UAChwraiitbir.dll
Hidden: file C:\Windows\Temp\UACe993.tmp
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\UAC503b.tmp
Hidden: file C:\Windows\System32\drivers\UACxoxlherymr.sys
Hidden: file C:\Windows\System32\UACsyvplkbcpk.dll
Hidden: file C:\Windows\System32\UAChpfebfnfpw.dll
Hidden: file C:\Windows\Temp\UAC1e58.tmp
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\nsn106A.tmp\UAC.dll
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\nsn2AEC.tmp\UAC.dll
Hidden: file C:\Windows\System32\UACldamnvucix.dll
Hidden: file C:\Windows\System32\UACmecsyfvppq.db
Hidden: file C:\Windows\System32\UACbbciujertx.dll
Hidden: file C:\Windows\System32\uacinit.dll


Delete these with Sophos

Reboot and run a scan with MBAM
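The two judgement calls in this thread are the ones a helper makes by eye: which of the Sophos "Hidden:" items are the rootkit's own components (the UAC-prefixed random names DaChew picked out, a naming scheme used by the TDSS rootkit of that period) rather than harmless hidden files like the TurboTax XML and the PerfLogs "UAC Settings.xml", and, in the GMER output posted further down the thread, whether an "N Bytes JMP" patch on an ntkrnlpa.exe export is a rootkit or a security product doing the same thing (here every hook lands in McAfee's mfehidk.sys). The script below is an added example written for this page, not a tool anyone in the thread used: it triages constructed excerpts of both logs, decodes the E9 rel32 JMP that GMER reports so you can see how the target address is derived from the patch bytes, and attributes that target to a loaded module. The Sophos and GMER excerpts are subsets of the posted logs; the last GMER line (ZwQueryDirectoryFile with no owning module) is made up to exercise the suspicious case; the mfehidk.sys load range in ASSUMED_MODULES and the EXPECTED_HOOKERS table are my assumptions.

```python
import re
import struct

# --- 1. Sophos Anti-Rootkit: separate the rootkit's hidden components from other hidden items ---

# Constructed excerpt of the Sophos log posted above (a subset of its "Hidden:" lines,
# keeping two benign ones for contrast).
SAMPLE_SOPHOS = r"""
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: file C:\Windows\System32\UACvnmaetmrml.dat
Hidden: file C:\Windows\Temp\UACe993.tmp
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\UAC503b.tmp
Hidden: file C:\Windows\System32\drivers\UACxoxlherymr.sys
Hidden: file C:\Users\Michael Peterson\AppData\Local\Temp\nsn106A.tmp\UAC.dll
Hidden: file C:\Windows\System32\uacinit.dll
Hidden: file C:\Program Files\TurboTax\Basic 2007\Forms\App_07\dhtmlhelp\x126.xml
Hidden: file C:\PerfLogs\System\Diagnostics\20080828-0001\UAC Settings.xml
"""
HIDDEN_RE = re.compile(r"^Hidden: (file|registry item) (.+)$", re.MULTILINE)
# Dropped-component names exactly as they appear in that log: UAC + ten random lowercase
# letters (.dll/.sys/.dat/.db), UAC + four hex digits .tmp, uacinit.dll, and UAC.dll inside
# an NSIS unpack folder. "UAC Settings.xml" shares the prefix only, so match whole file names.
ROOTKIT_FILE_RE = re.compile(
    r"\\(?:UAC[a-z]{10}\.(?:dll|sys|dat|db)|UAC[0-9a-f]{4}\.tmp|uacinit\.dll|ns\w+\.tmp\\UAC\.dll)$")
ROOTKIT_REG_RE = re.compile(r"\\(?:SOFTWARE\\UAC|Services\\UACd\.sys)$")


def triage_sophos(log_text):
    """Return {'files': [...], 'registry': [...], 'other': [...]} in log order."""
    out = {"files": [], "registry": [], "other": []}
    for kind, path in HIDDEN_RE.findall(log_text):
        if kind == "file" and ROOTKIT_FILE_RE.search(path):
            out["files"].append(path)
        elif kind == "registry item" and ROOTKIT_REG_RE.search(path):
            out["registry"].append(path)
        else:
            out["other"].append(path)
    return out


# --- 2. GMER "Kernel code sections": decode the JMP patch and attribute its target ---

# Constructed excerpt of the GMER output posted later in this thread, plus one made-up
# line (the last) with no owning module, to exercise the suspicious branch.
SAMPLE_GMER = r"""
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 821D85B5 5 Bytes JMP 8CD269EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82232E7D 7 Bytes JMP 8CD269D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryDirectoryFile 8221C0A0 5 Bytes JMP 8A3C1000
"""
HOOK_RE = re.compile(
    r"^PAGE\s+(?P<module>[^!\s]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes JMP "
    r"(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\\\S+)(?:\s+\((?P<desc>[^)]*)\))?)?\s*$", re.MULTILINE)
# Assumed (constructed) load range for mfehidk.sys; on a live box take it from the loaded-module list.
ASSUMED_MODULES = {r"\SystemRoot\system32\drivers\mfehidk.sys": (0x8CD00000, 0x80000)}
# Drivers expected to hook the kernel on a machine running that product (my table). GMER's
# "(description/vendor)" text is copied from the file's version resource, which any file can
# carry, so the real confirmation is the driver's Authenticode signature, not this lookup.
EXPECTED_HOOKERS = {"mfehidk.sys": "McAfee host intrusion prevention"}


def parse_gmer_hooks(text):
    return [{"function": m["module"] + "!" + m["func"], "addr": int(m["addr"], 16),
             "patch_len": int(m["nbytes"]), "target": int(m["target"], 16), "owner": m["owner"]}
            for m in HOOK_RE.finditer(text)]


def encode_jmp_rel32(at, target):
    """Bytes of an E9 rel32 JMP written at `at` that lands on `target` (32-bit kernel)."""
    return b"\xE9" + struct.pack("<I", (target - (at + 5)) & 0xFFFFFFFF)


def decode_jmp_rel32(at, patch):
    """Inverse of encode_jmp_rel32: where a patch found at `at` jumps to."""
    if len(patch) < 5 or patch[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP")
    return (at + 5 + struct.unpack_from("<i", patch, 1)[0]) & 0xFFFFFFFF


def owner_of(target, modules):
    return next((p for p, (base, size) in modules.items() if base <= target < base + size), None)


def classify_hook(hook, modules=ASSUMED_MODULES):
    owner = hook["owner"] or owner_of(hook["target"], modules)
    if owner is None:
        return "suspicious: jumps into memory owned by no loaded module"
    name = owner.rsplit("\\", 1)[-1].lower()
    if name in EXPECTED_HOOKERS:
        return "expected: " + EXPECTED_HOOKERS[name]
    return "review: hooked by " + name


if __name__ == "__main__":
    t = triage_sophos(SAMPLE_SOPHOS)
    print("delete with Sophos:", *t["files"], sep="\n  ")
    print("rootkit registry items:", *t["registry"], sep="\n  ")
    print("other hidden items (review, probably benign):", *t["other"], sep="\n  ")
    for h in parse_gmer_hooks(SAMPLE_GMER):
        patch = encode_jmp_rel32(h["addr"], h["target"])   # what the patched prologue would hold
        assert decode_jmp_rel32(h["addr"], patch) == h["target"]
        # GMER counts the bytes that differ from the on-disk image; 7 (ZwProtectVirtualMemory)
        # means the detour had to overwrite a whole extra instruction past the 5-byte JMP.
        print(f"{h['function']:<36} {h['addr']:08X} -> {h['target']:08X} "
              f"[{patch.hex().upper()} +{h['patch_len'] - 5} pad]  {classify_hook(h)}")
```

The point of the second half is that a HIPS driver and a rootkit patch the kernel the same way, so "NTOSKRNL-HOOK" style findings are only meaningful once the jump target is tied to a module and that module's signature is checked; on a live Vista box that last step is Get-AuthenticodeSignature on the driver file, which this offline example cannot do.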

#12 mapetrsn


Posted 07 August 2009 - 04:06 PM

Working better. IE is stable and Google is giving results, even on reboot. But I still cannot turn on Security Center. MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

8/7/2009 4:44:25 PM
mbam-log-2009-08-07 (16-44-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 405848
Time elapsed: 1 hour(s), 48 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 DaChew


Posted 07 August 2009 - 04:27 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#14 mapetrsn


Posted 07 August 2009 - 07:33 PM

Done, with one detection. Log follows:

GMER 1.0.15.15020 [f4re9t1f.exe] - http://www.gmer.net
Rootkit scan 2009-08-07 20:32:03
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8CD269BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8CD26958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8CD2696C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8CD269E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8CD26930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8CD26944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8CD269D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8CD26A10]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8CD269FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8CD269AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8CD26996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8CD2691C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8CD26982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 821D85B5 5 Bytes JMP 8CD269EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 821E2B82 5 Bytes JMP 8CD26986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82209D5D 5 Bytes JMP 8CD26920 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8222D474 5 Bytes JMP 8CD2699A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82232E7D 7 Bytes JMP 8CD269D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8223509A 5 Bytes JMP 8CD26948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82239B48 5 Bytes JMP 8CD26934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8225AD59 5 Bytes JMP 8CD269C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8226B7B2 5 Bytes JMP 8CD26A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8226C9B6 5 Bytes JMP 8CD26A14 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822AA74B 5 Bytes JMP 8CD2695C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822AA796 7 Bytes JMP 8CD26970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 822AB253 5 Bytes JMP 8CD269AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1212] kernel32.dll!LoadLibraryW 774F9362 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1212] kernel32.dll!LoadLibraryA 774F94DC 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdMadeAnyProgress] [8C1C87D5] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdCompleteEvent] [8C1C90D6] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdGetLowestDeviceObject] [8C1C904A] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdGetDeviceObject] [8C1C9016] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdGetLastEvent] [8C1C9036] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdEnterMonitoredSection] [8C1C880F] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdExitMonitoredSection] [8C1C888B] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdFreeDeferredWatchdog] [8C1CD014] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStopDeferredWatch] [8C1C8972] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStartDeferredWatch] [8C1C86E1] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdAllocateDeferredWatchdog] [8C1CCF7A] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdSuspendDeferredWatch] [8C1C8763] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdResumeDeferredWatch] [8C1C8773] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74677817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746CA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7467BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7466F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7466E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746A8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7467DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7466FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7466FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746FCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7469C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7466D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74666853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7466687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74672AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACxoxlherymr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxoxlherymr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACxoxlherymr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAChwraiitbir.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACbbciujertx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACvnmaetmrml.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACmecsyfvppq.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACldamnvucix.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACsyvplkbcpk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAChpfebfnfpw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxoxlherymr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACxoxlherymr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAChwraiitbir.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACbbciujertx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACvnmaetmrml.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACmecsyfvppq.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACldamnvucix.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACsyvplkbcpk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAChpfebfnfpw.dll

---- EOF - GMER 1.0.15 ----

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:42 AM

Posted 07 August 2009 - 08:02 PM

Service system32\drivers\UACxoxlherymr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!


gmer

Hidden: file C:\Windows\System32\drivers\UACxoxlherymr.sys

Sophos, McAfee must have interfered; did you follow directions and disable McAfee?

McAfee is probably stopping RootRepeal also.

Repeat with Sophos and delete them again.

After rebooting, try to clean up with MBAM.
Chewy

No. Try not. Do... or do not. There is no try.
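As an added example (not part of this thread and not GMER's own code), a small Python parser for the GMER log format shown above: it pulls out the hidden service, walks the Services registry values GMER dumped for it (in every ControlSet) to list each file the rootkit's loader pulls in at boot, and separates SSDT hooks that GMER attributed to a labelled vendor module (the McAfee HIPS entries) from unattributed ones. The embedded log is a constructed excerpt of the posted log.

```python
import re

# Constructed excerpt in the shape of the GMER log posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8CD269BE]

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACxoxlherymr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxoxlherymr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAChwraiitbir.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACbbciujertx.dll
"""

HIDDEN_SVC = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
SSDT_HOOK = re.compile(r"^Code\s+(\S+)\s+(?:\((.*?)\)\s+)?(\w+)")
REG_VALUE = re.compile(r"^Reg\s+(\S+?)@(\S+)\s+(.+)$")   # only lines that carry a value

def parse_gmer(text):
    """Split a GMER log into hidden services, SSDT hooks and registry values."""
    hidden, hooks, reg = {}, [], []
    for line in text.splitlines():
        if m := HIDDEN_SVC.match(line):
            hidden[m.group(3)] = {"image": m.group(1), "start": m.group(2)}
        elif m := SSDT_HOOK.match(line):
            hooks.append({"module": m.group(1), "vendor": m.group(2), "func": m.group(3)})
        elif m := REG_VALUE.match(line):
            reg.append(m.groups())
    return hidden, hooks, reg

def rootkit_files(hidden, reg):
    """Per hidden service: basenames of every file its Services key points at
    (driver image plus the DLL/data modules), across all ControlSets."""
    out = {}
    for svc, info in hidden.items():
        files = {info["image"]}
        for key, _name, data in reg:
            if ("\\Services\\" + svc).lower() in key.lower() and "\\" in data:
                files.add(data)                     # skips plain DWORDs like start=1
        out[svc] = sorted({f.rsplit("\\", 1)[-1].lower() for f in files})
    return out

def unattributed_hooks(hooks):
    """SSDT hooks GMER could not label with a vendor; the McAfee HIPS hooks are labelled."""
    return [h["func"] for h in hooks if not h["vendor"]]
```

The file list is what a responder would hand to the removal tool; the hidden-service line alone only names the driver, not the modules it loads.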
