
Last item to remove 'windows\system32\uacinit.dll'


8 replies to this topic

#1 Kazzer09

Kazzer09

  • Members
  • 8 posts
  • Local time:03:13 PM

Posted 24 August 2009 - 07:48 AM

Hi

This is my first post ever but have been reading lots recently and found some excellent help with a roguekit I am stuck with.

My problem is I went on hols with Norton 360 running and no problems, and came back to find a young relative had used it and the computer had 84 viruses; Norton 360 would not run and I could not install Malwarebytes. Norton wanted 69.95 as they said we had accepted a spoof virus program and it was not the fault of Norton.

After 6 hours of renaming and retrying, with the internet redirecting me to other sites, I managed with the help of previous bleepingcomputer logs to get it down to 1 roguekit, with Norton 360 and Malwarebytes working but not deleting the last rogue kit.

Attached malwarebytes log:

Malwarebytes' Anti-Malware 1.40
Database version: 2683
Windows 5.1.2600 Service Pack 3

23/08/2009 19:52:01
mbam-log-2009-08-23 (19-52-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196661
Time elapsed: 25 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot

Thanks in advance.

Edited by Kazzer09, 24 August 2009 - 07:51 AM.




#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 24 August 2009 - 08:06 AM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Chewy

No. Try not. Do... or do not. There is no try.

#3 Kazzer09

Kazzer09
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:13 PM

Posted 24 August 2009 - 02:51 PM

Thank you for your reply.

Downloaded and installed Sophos Anti-Rootkit as instructed, disabled Norton, then ran it. No files were tagged to be removed, but others were there and it said not to remove them. I noticed I should have deleted temporary files, so removed these and re-ran, but still nothing there for removal.

Anyway, put Norton back on, then went to your next instruction to get the log via Start > Run and %temp%\sarscan.log, and this is below:

Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 24/08/2009 at 18:58:33
User "Owner" on computer "SN042982320398"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\UACpxgvphqofr.dat
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KU61MH75\UAC-rootkit-trojan-help-please-t246772[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\P8XP3J7R\UAC-rootkit-trojan-help-please-t246772[1].html%2526pid%253D1603681%2526st%253D15
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J3AT647S\UAC-rootkit-trojan-help-please-t246772[1].html
Hidden: file C:\WINDOWS\system32\UACcdpqoeiqxe.dll
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1UGQT3QQ\UAC-rootkit-trojan-help-please-t246772[1].html&pid=1603681&st=15
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1UGQT3QQ\UAC-rootkit-trojan-help-please-t246772[1].htm
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KU61MH75\UAC-rootkit-trojan-help-please-t246772[1].html%2526pid%253D1603681%2526st%253D15
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1UGQT3QQ\uac.dll[1].htm
Hidden: file C:\WINDOWS\system32\UACxducbfamrq.dll
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2R3WYLMA\uac.dll_data[1].xml
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RY9CM2GK\UAC.DLL[1].htm
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\7A-7B MONWED Nat Dip Pub Services-2A 2B-Lucille Reed\Data Interpretation Lesson Plans Jan-Jun 07\Lesson 2 Data Int intro,primary-secondary,conclusions from\Summary offences handout for use with Powerpoint exercise.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\6A-6B TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 17 OLD 13 - Database questions+import of database and reports\Lesson 14 - Database questions for 1-2 + database set up with import for 3.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\6A-6B TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 17 OLD 13 - Database questions+import of database and reports\Files for use in Exercise 14 transfer to X drive\Students in CSV format.csv
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\6A-6B TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 17 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\EXAMPL~1.XLS
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\6A-6B TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 17 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\LESSON~2.DOC
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\6A-6B TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 17 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\LESSON~1.DOC
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\6A-6B TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 17 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\PRESEN~1.DOC
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\3A-3B-MON 9.00-BTEC Nat Dip Pub Services-IT+Data Int-Dav-Maurice\SOW & LESSON PLANS\Lesson Plans\Lesson 15-ITKS4U Mini Test+Ass 2 handout+explain+hypothesis&questionnaire\ASSIGNMENT 2 Data Interpretation-ver b.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\1-MON 10.00-BTEC Nat Dip Health Studies-1st Yr-Dav-Jill-2 Semesters\SOW & LESSON PLANS\SOW & Lesson Plans\Lesson 16A - Database Intro -Sept 2006\Lesson 16a-Set up new travel database sort & query-NOT USED HERE.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\1-MON 10.00-BTEC Nat Dip Health Studies-1st Yr-Dav-Jill-2 Semesters\Assignments\Possible ASSIGNMENT 3 ITEMS - ENVIRONMENTAL\Jills Assignment - ideas for data\Household waste recyling rates 1996-7-2004-5 wrfg16.xls
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\ENDS JAN 07 10A-10B THU FRI BTEC Nat Dip Health-IT-1H-2H 1N-2N\SOW & LESSON PLANS\1H-2H Lesson plans 06-07\Lesson 16A - Database Intro -Sept 2006\Lesson 16a - Setting up a new travel database, sorting and querying.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\2006-7 WORK\7A-7B MONWED Nat Dip Pub Services-2A 2B-Lucille\Data Interpretation Lesson Plans Jan-Jun 07\Lesson 2 Data Int intro,primary-secondary,conclusions from\Lesson 2 Research Methodology - Introduction.ppt
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\2006-7 WORK\7A-7B MONWED Nat Dip Pub Services-2A 2B-Lucille\Data Interpretation Lesson Plans Jan-Jun 07\Lesson 2 Data Int intro,primary-secondary,conclusions from\Activity 1-Summary offences conclusions handout.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\2006-7 WORK\7A-7B MONWED Nat Dip Pub Services-2A 2B-Lucille\Data Interpretation Lesson Plans Jan-Jun 07\Lesson 3 DI - Assignment 1 initial reqs P1\Lesson 3 - Research Methodology (PSD1) assignment 1 reqs + P1.ppt
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\2006-7 WORK\7A-7B MONWED Nat Dip Pub Services-2A 2B-Lucille\Data Interpretation Lesson Plans Jan-Jun 07\Lesson 4-DI-Assignment 1 P2-P3\Activity for averages, percentages, measures of dispersion and std deviation.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\2006-7 WORK\7A-7B MONWED Nat Dip Pub Services-2A 2B-Lucille\Data Interpretation Lesson Plans Jan-Jun 07\Lesson 8-5 Mar 07-Ass 2 handout + explain + hypothesis & questionnaire\Assignment 2 - new folder files etc.doc
Hidden: file C:\Karen\U3 Backup 28-4-07\2006-7 WORK\8A-8B THUR Data Interp-Unit 7-1A+1B-Sue\SOW & LESSON PLANS\Lesson Plans\Lesson ... Research-types and sources of data\QUESTIONNAIRE EXAMPLES\A-B Activity 2+4-Mobile Phone activity for example questionnaires.doc
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J3AT647S\uac-rootkit-hijack-log-and-malwarebytes-log-please-help-t1621[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ABA25ZPP\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Karen\DISGO BACKUP 23-04-06\disgo (G)\E-KINGSTON COPY 20-2-06\Assignment 1 Start Sep 05\Care&Health-Assignment 1 related\A day in the life of a midwife\Ealing Hospital - Careers - Day in the life of a midwife - Maria Freebrey_files\Ealing_Background.gif
Hidden: file C:\Karen\DISGO BACKUP 23-04-06\disgo (G)\E-KINGSTON COPY 20-2-06\Assignment 1 Start Sep 05\Care&Health-Assignment 1 related\A day in the life of a midwife\Ealing Hospital - Careers - Day in the life of a midwife - Maria Freebrey_files\Link_Patient_Info.gif
Hidden: file C:\Karen\DISGO BACKUP 23-04-06\disgo (G)\E-KINGSTON COPY 20-2-06\Assignment 1 - Start Jan 06\Care&Health-Assignment 1 related\A day in the life of a midwife\Ealing Hospital - Careers - Day in the life of a midwife - Maria Freebrey_files\Ealing_Background.gif
Hidden: file C:\Karen\DISGO BACKUP 23-04-06\disgo (G)\E-KINGSTON COPY 20-2-06\Assignment 1 - Start Jan 06\Care&Health-Assignment 1 related\A day in the life of a midwife\Ealing Hospital - Careers - Day in the life of a midwife - Maria Freebrey_files\Link_Patient_Info.gif
Hidden: file C:\Karen\DISGO BACKUP 23-04-06\disgo (G)\E-KINGSTON COPY 20-2-06\Assignment 1 - Start Jan 06\Care&Health-Assignment 1 related\A day in the life of a midwife\Ealing Hospital - Careers - Day in the life of a midwife - Maria Freebrey_files\White_Filler(1).gif
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SOZRDLJY\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UFMUUW6V\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Karen\KINGSTON (E)\KINGSTON (E)\Copy of Lesson 12 - Intro to databases and dbse versus spreasheet plus Backing Up, Archiving, Email ,Spellcheck+grammer review+DATA PROTECTION ACT\Data privacy, security and the Data Protection Act_files\DataPrivacyTop.htm
Hidden: file C:\Karen\KINGSTON (E)\KINGSTON (E)\Copy of Lesson 12 - Intro to databases and dbse versus spreasheet plus Backing Up, Archiving, Email ,Spellcheck+grammer review+DATA PROTECTION ACT\Data privacy, security and the Data Protection Act_files\DataPrivacyMenu.htm
Hidden: file C:\Karen\KINGSTON (E)\KINGSTON (E)\Lesson 14 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\Lesson 6 - Handout on using word and importing excel spreadsheet with gridlines+adding border.doc
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NQS2FKJ9\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Karen\E-KINGSTON COPY\Lesson 14 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\Lesson 6 - Handout on using word and importing excel spreadsheet with gridlines+adding border-MASTER.doc
Hidden: file C:\Karens Backup of USB on 9 June 07\CleverStuff (L)\Karens data here\1-MON 10.00-BTEC Nat Dip Health Studies-1st Yr-Dav-Jill-2 Semesters\SOW & LESSON PLANS\SOW & Lesson Plans\Lesson 6 - Driving school using Handout 3-Excel + picture\Driving1MASTER.xls
Hidden: file C:\Karens Backup of USB on 9 June 07\CleverStuff (L)\Karens data here\11A TUES Nat Dip Early Yrs IT Key Skills ONLY 1A\Lessons+SOW\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example- Level 3-with formulas hidden.xls
Hidden: file C:\Karens Backup of USB on 9 June 07\CleverStuff (L)\Karens data here\11A TUES Nat Dip Early Yrs IT Key Skills ONLY 1A\Lessons+SOW\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Level 3 portfolio 6512_level3_it see page 15-23.pdf
Hidden: file C:\Karen\DISGO BACKUP 8-10-06\Copy of Lesson 12 - Intro to databases and dbse versus spreasheet plus Backing Up, Archiving, Email ,Spellcheck+grammer review+DATA PROTECTION ACT\Data privacy, security and the Data Protection Act_files\DPA1998iSTPrinciple.htm
Hidden: file C:\Karen\DISGO BACKUP 8-10-06\2005-6 ASSIGNMENTS\Assignment 1 start Sept 05\Assignment 2 - Hints for designing effective questionnaires_ Frary, Robert B_files\Suggestions for assignment costing with if\Introduction to Excel - Part 4 - A Whole Application.htm
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temp\UACa629.tmp
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\3A-3B-MON-BTEC Nat Dip Pub Services-IT+Data Int-Dav-Maurice\SOW & LESSON PLANS\Lesson Plans\Lesson 15-ITKS4U Mini Test+Ass 2 handout+explain+hypothesis&questionnaire\Activity 3-matching words with explanations.doc
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example Level 1-2 - NO formulas.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\sOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example Level 1-2 - with formulas and ROUNDUP.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example Level 1-2 - with formulas.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example- Level 3-with formulas hidden.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example- Level 3-with formulas.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Level 3 portfolio 6512_level3_it see page 15-23.pdf
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 14 - Database questions for 1-2 + database set up with import for 3-MASTER.doc
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 14 - Database questions for 1-2 + database set up with import for 3.doc
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\EXAMPL~1.XLS
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\LESSON~2.DOC
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\LESSON~1.DOC
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\PRESEN~1.DOC
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Files for use in Exercise 14 transfer to X drive\Students in CSV format.csv
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Files for use in Exercise 14 transfer to X drive\Validation Exercise.mdb
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\8A-8B WEDTHUFRI-Data Interp-Unit 7-1A+1B-Sue\SOW & LESSON PLANS\Lesson Plans\Lesson ... Research-types and sources of data\QUESTIONNAIRE EXAMPLES\A-B Activity 2+4-Mobile Phone activity for example questionnaires.doc
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\8A-8B WEDTHUFRI-Data Interp-Unit 7-1A+1B-Sue\SOW & LESSON PLANS\Lesson Plans\Lesson 22-23 week -Ass 2 handout + explain + hypothesis & questionnaire\Activity 2-Mobile Phone activity for quantitive-qualitative data.doc
Hidden: file C:\WINDOWS\system32\UACkilametdwy.dll
Hidden: file C:\WINDOWS\system32\drivers\UACtfuxdulkrv.sys
Hidden: file C:\WINDOWS\system32\uacinit.dll
Stopped logging on 24/08/2009 at 19:21:16


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 24/08/2009 at 19:56:55
User "Owner" on computer "SN042982320398"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\UACpxgvphqofr.dat
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KU61MH75\UAC-rootkit-trojan-help-please-t246772[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\P8XP3J7R\UAC-rootkit-trojan-help-please-t246772[1].html%2526pid%253D1603681%2526st%253D15
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J3AT647S\UAC-rootkit-trojan-help-please-t246772[1].html
Hidden: file C:\WINDOWS\system32\UACcdpqoeiqxe.dll
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1UGQT3QQ\UAC-rootkit-trojan-help-please-t246772[1].html&pid=1603681&st=15
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1UGQT3QQ\UAC-rootkit-trojan-help-please-t246772[1].htm
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KU61MH75\UAC-rootkit-trojan-help-please-t246772[1].html%2526pid%253D1603681%2526st%253D15
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1UGQT3QQ\uac.dll[1].htm
Hidden: file C:\WINDOWS\system32\UACxducbfamrq.dll
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2R3WYLMA\uac.dll_data[1].xml
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RY9CM2GK\UAC.DLL[1].htm
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J3AT647S\uac-rootkit-hijack-log-and-malwarebytes-log-please-help-t1621[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ABA25ZPP\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SOZRDLJY\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UFMUUW6V\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Karen\KINGSTON (E)\KINGSTON (E)\Copy of Lesson 12 - Intro to databases and dbse versus spreasheet plus Backing Up, Archiving, Email ,Spellcheck+grammer review+DATA PROTECTION ACT\Data privacy, security and the Data Protection Act_files\DataPrivacyTop.htm
Hidden: file C:\Karen\KINGSTON (E)\KINGSTON (E)\Copy of Lesson 12 - Intro to databases and dbse versus spreasheet plus Backing Up, Archiving, Email ,Spellcheck+grammer review+DATA PROTECTION ACT\Data privacy, security and the Data Protection Act_files\DataPrivacyMenu.htm
Hidden: file C:\Karen\KINGSTON (E)\KINGSTON (E)\Lesson 14 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\Lesson 6 - Handout on using word and importing excel spreadsheet with gridlines+adding border.doc
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NQS2FKJ9\UAC-rootkit-troubles-t248815[1].html
Hidden: file C:\Karen\E-KINGSTON COPY\Lesson 14 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\Lesson 6 - Handout on using word and importing excel spreadsheet with gridlines+adding border-MASTER.doc
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temp\UACa629.tmp
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\3A-3B-MON-BTEC Nat Dip Pub Services-IT+Data Int-Dav-Maurice\SOW & LESSON PLANS\Lesson Plans\Lesson 15-ITKS4U Mini Test+Ass 2 handout+explain+hypothesis&questionnaire\Activity 3-matching words with explanations.doc
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example Level 1-2 - NO formulas.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example Level 1-2 - with formulas and ROUNDUP.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example Level 1-2 - with formulas.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example- Level 3-with formulas hidden.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Budget example- Level 3-with formulas.xls
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\5A-MON-BTEC Nat Dip in Care-IT- B -Joanna\SOW & LESSON PLANS\Lesson 8-Cost spreadsheet for event\Lesson 22 - Enter costs to spreadsheet and add formulas+revision over easter\Level 3 portfolio 6512_level3_it see page 15-23.pdf
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\EXAMPL~1.XLS
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\LESSON~2.DOC
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\LESSON~1.DOC
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Lesson 6 - Word + excel gridlines & import of chart, spreadsheet\PRESEN~1.DOC
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Files for use in Exercise 14 transfer to X drive\Students in CSV format.csv
Hidden: file C:\Karen\2006-7 WORK - backup 12-11-06\6A-6B MON TUES-BTEC Nat Dip Early Yrs-Research Meth-Unit 9-2A+2B\Lessons+SOW\Lesson 19 OLD 13 - Database questions+import of database and reports\Files for use in Exercise 14 transfer to X drive\Validation Exercise.mdb
Hidden: file C:\WINDOWS\system32\UACkilametdwy.dll
Hidden: file C:\WINDOWS\system32\drivers\UACtfuxdulkrv.sys
Hidden: file C:\WINDOWS\system32\uacinit.dll
Stopped logging on 24/08/2009 at 20:17:46

Edited by Kazzer09, 24 August 2009 - 04:18 PM.


#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 24 August 2009 - 03:03 PM

Hidden: file C:\WINDOWS\system32\drivers\UACtfuxdulkrv.sys

Use Sophos to delete this file, then reboot and run another quick scan with MBAM.
Chewy

No. Try not. Do... or do not. There is no try.
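The sarscan.log posted above mixes a handful of hidden objects in system locations (the system32 DLLs, the driver under system32\drivers, the hidden Services keys) with dozens of hidden entries under the user's own document folders and the IE cache, and the reply picks out the driver. The following is an added example, not code from the thread or from Sophos: a Python script that parses that log format and separates hidden entries by location so that drivers, system32 files and hidden service keys surface first. The bucket names and the shortened sample log are constructed for this example.

```python
"""Triage helper for a Sophos Anti-Rootkit sarscan.log.

Added example, not part of the thread or of Sophos' tooling. It reads the
"Hidden: file ..." and "Hidden: registry item ..." lines the scanner writes
and buckets them by location, because a hidden driver or service key is
worth asking about while hidden documents and browser cache mostly are not.
"""
import re
from collections import defaultdict

# Constructed sample: a shortened version of the log posted in this thread.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\UACpxgvphqofr.dat
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KU61MH75\UAC-rootkit-trojan-help-please-t246772[1].html
Hidden: file C:\Karen\U3 Backup 28-4-07\Lesson 2 Research Methodology - Introduction.ppt
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temp\UACa629.tmp
Hidden: file C:\WINDOWS\system32\drivers\UACtfuxdulkrv.sys
Hidden: file C:\WINDOWS\system32\uacinit.dll
Stopped logging on 24/08/2009 at 19:21:16
"""

# One finding per line: the kind ("file" or "registry item") and its target.
HIDDEN_RE = re.compile(r"^Hidden:\s+(file|registry item)\s+(.*\S)\s*$")

# Bucket order used when reporting: most suspicious locations first.
ATTENTION = ("driver", "service_key", "system_file", "registry")


def classify(kind: str, target: str) -> str:
    """Bucket one hidden object by where it lives (bucket names are this example's own)."""
    t = target.lower()
    if kind == "registry item":
        # A hidden key under ...\ControlSetNNN\Services\ is a hidden service or driver registration.
        if re.search(r"\\controlset\d+\\services\\", t):
            return "service_key"
        return "registry"
    if t.startswith("c:\\windows\\system32\\drivers\\"):
        return "driver"
    if t.startswith("c:\\windows\\system32\\"):
        return "system_file"
    if "\\temporary internet files\\" in t or "\\local settings\\temp\\" in t:
        return "cache_temp"
    return "user_data"


def triage(log_text: str) -> dict:
    """Parse a sarscan.log and return {bucket: [targets in order of appearance]}."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line)
        if not m:
            continue  # Info:, header and footer lines carry no finding
        kind, target = m.groups()
        buckets[classify(kind, target)].append(target)
    return dict(buckets)


def attention_items(log_text: str) -> list:
    """Hidden objects in system locations, drivers first: the ones a helper would ask about."""
    buckets = triage(log_text)
    out = []
    for bucket in ATTENTION:
        out.extend(buckets.get(bucket, []))
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for bucket, items in found.items():
        print(f"{bucket}: {len(items)} hidden item(s)")
    print("\nReview first:")
    for item in attention_items(SAMPLE_LOG):
        print("  " + item)
```

A location-only rule is deliberately coarse: it files C:\Documents and Settings\Owner\Local Settings\Temp\UACa629.tmp with the cache noise, even though it sits next to the system32 hits in the real log, which is why a human reviewer also reads the names rather than relying on paths alone.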

#5 Kazzer09

Kazzer09
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:13 PM

Posted 24 August 2009 - 05:01 PM

Update:

The machine had frozen so I had to power it down; this closed Sophos, so I re-ran it to enable the file to be removed.

Rebooted, but then Norton 360 restarted and said it was scanning and removing something and told me to reboot.

Rebooted again and then ran MBAM, but it said that the rogues, etc. were back again and told me to reboot to remove them.

Re-ran MBAM as a quick scan, which was clean, so re-ran a full scan just in case and no infections.

Wow - is this it, and should I keep re-running all 3 regularly from now on? I am really pleased and cannot thank you enough.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:13 AM

Posted 24 August 2009 - 05:12 PM

Keep MBAM handy and updated

Let's look again for rootkits

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#7 Kazzer09


Posted 25 August 2009 - 02:56 PM

Hi Chewy

Just for good measure I re-ran MBAM and Sophos and nothing was reported, then ran GMER and noticed that about halfway down the log a hidden rootkit was reported!

GMER 1.0.15.15077 [ytf72r6o.exe] - http://www.gmer.net
Rootkit scan 2009-08-25 20:37:05
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 86FBDA68 ZwAlertResumeThread
SSDT 870344E0 ZwAlertThread
SSDT 870BC428 ZwAllocateVirtualMemory
SSDT 86E30E40 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEDBC9020]
SSDT 86ED4590 ZwCreateMutant
SSDT 87078F10 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEDBC92A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEDBC9800]
SSDT 8702F130 ZwFreeVirtualMemory
SSDT 86EC9688 ZwImpersonateAnonymousToken
SSDT 870953C0 ZwImpersonateThread
SSDT 8707C9A8 ZwMapViewOfSection
SSDT 86EC7348 ZwOpenEvent
SSDT 871D0400 ZwOpenProcessToken
SSDT 86FCEDC8 ZwOpenThreadToken
SSDT 87028290 ZwResumeThread
SSDT 87053188 ZwSetContextThread
SSDT 86FF19F0 ZwSetInformationProcess
SSDT 87078C18 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEDBC9A50]
SSDT 870728B0 ZwSuspendProcess
SSDT 86A5E908 ZwSuspendThread
SSDT 86EEE208 ZwTerminateProcess
SSDT 87182AE0 ZwTerminateThread
SSDT 8700F178 ZwUnmapViewOfSection
SSDT 870BB860 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\9.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 024C9A00 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 024C9A38 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 024C9994 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 024C9943 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!AdjustWindowRectEx 7E42E7EA 5 Bytes JMP 024C9E11 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 024C99E5 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 024C995E C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 024C99AF C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 024C9979 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 024C99CA C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!AdjustWindowRect 7E431140 5 Bytes JMP 024C9D36 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3768] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 024C9928 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F783D380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F783D3F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F783D710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F783D750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F783D710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F783D3F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F783D380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F783D380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F783D3F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F783D750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F783D710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F783D710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F783D750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F783D380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F783D3F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACtfuxdulkrv.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACtfuxdulkrv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACtfuxdulkrv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACkilametdwy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACcdpqoeiqxe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpxgvphqofr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACxducbfamrq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACtfuxdulkrv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACtfuxdulkrv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACkilametdwy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACcdpqoeiqxe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpxgvphqofr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACxducbfamrq.dll

---- EOF - GMER 1.0.15 ----


Thanks for your continued help.

Edited by Kazzer09, 25 August 2009 - 03:01 PM.


#8 DaChew


Posted 25 August 2009 - 03:57 PM

The hidden service and reg keys look like broken remnants of the infection. MBAM may have caught more of them if Norton hadn't stepped in at bootup when you killed the actual core file with Sophos.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Go ahead and go through the preparations for posting in the HJT forum so a final cleanup can be done.
Chewy

No. Try not. Do... or do not. There is no try.
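As an added example (not part of this thread), here is the reconciliation an analyst would do by hand on the two logs posted above: take the files that the hidden UACd.sys service still references through its imagepath and modules registry values in the GMER log, and compare them with the files the Sophos log reported as hidden. What the registry expects but no scanner listed are the "broken remnants" a final cleanup still has to deal with; what Sophos found but nothing references (uacinit.dll, the file this thread is named after) is an orphan. The log excerpts are copied from this thread; the path normalisation rules are an assumption about how these tools spell the same file.

```python
import re

# Excerpts of the Sophos Anti-Rootkit and GMER logs posted in this thread,
# embedded inline so the example runs offline.
SOPHOS_LOG = r"""
Hidden: file C:\WINDOWS\system32\UACkilametdwy.dll
Hidden: file C:\WINDOWS\system32\drivers\UACtfuxdulkrv.sys
Hidden: file C:\WINDOWS\system32\uacinit.dll
"""
GMER_LOG = r"""
Service system32\drivers\UACtfuxdulkrv.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACtfuxdulkrv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACtfuxdulkrv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACkilametdwy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACcdpqoeiqxe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpxgvphqofr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACxducbfamrq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
"""

# GMER formats: "Service <image> (*** hidden *** ) [<start>] <name> ..." and "Reg <key>[@<value>] [<data>]"
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[\w+\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@\S+)?(?:\s+(?P<data>.*))?$")

def normalize(path):
    """Reduce the spellings these logs use for one file to a single lowercase key (assumed prefixes)."""
    p = path.strip().lower()
    for prefix in (r"\\?\globalroot", r"\systemroot", r"c:\windows"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p.lstrip("\\")

def hidden_service_files(gmer_log):
    """Map each hidden service to the files its image path and module values reference."""
    files = {}  # GMER prints the Services section before Registry, so one pass suffices
    for line in gmer_log.splitlines():
        if m := SERVICE_RE.match(line):
            files.setdefault(m.group(2).lower(), set()).add(normalize(m.group(1)))
        elif (m := REG_RE.match(line)) and m.group("data") and "\\" in m.group("data"):
            parts = m.group("key").lower().split("\\")  # HKLM\SYSTEM\<set>\Services\<name>[\sub]
            if len(parts) >= 5 and parts[3] == "services" and parts[4] in files:
                files[parts[4]].add(normalize(m.group("data")))
    return files  # flags, group names and GMER notes carry no backslash and are skipped

def reconcile(gmer_log, scanner_log):
    """Files the registry still expects but no scanner reported, and hidden files nothing references."""
    reported = {normalize(p) for p in re.findall(r"^Hidden: file (.+)$", scanner_log, re.M)}
    referenced = set().union(*hidden_service_files(gmer_log).values())
    return {"unreported": sorted(referenced - reported), "orphaned": sorted(reported - referenced)}
```

On this thread's logs the three modules with .dll/.dat names that neither scanner ever listed come out as unreported, which is what makes the registry entries "remnants" rather than a still-working infection.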

#9 Kazzer09


Posted 25 August 2009 - 05:34 PM

Thank you

I have now posted to the new forum as instructed and added a reference to this one.



