Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Save defense fake anti-spware+rootkit


  • This topic is locked This topic is locked
3 replies to this topic

#1 tred11

tred11

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:27 AM

Posted 30 August 2009 - 12:47 PM

I seem to have on of the viruses that install the fake anti-virus software onto your computer this version is named savedefense. I have searched through the archives in this forum and have found some help, but I am still not able to get rid of this. It prevents Mbam and spybot from opening up, even in safe mode. It won't let my computer recognize usb flash drives. I have been able to disable some of the basics on startup so it doesn't keep showing up as the fake anti-virus, but it will freeze up the computer and prevent clicking on items with my mouse ( cursor moves across the screen but I can't select anything).

It would let me go to cnet and re-download mbam, but even with changing the extension it would not let me get thorough the entire installation. It would let the installation start and lockup the program at different points in the install depending on if I was running in safe or regular mode.
I have tried renaming the mbam.exe file to mbam.bat but it still wont let it open.

I was able to run AVG in the command prompt mode and it said that it quarentined the virus files, but they continue to appear.

I have attached GMER 1.0.15.15077 [3r7ggr6d.exe] - http://www.gmer.net
Rootkit scan 2009-08-28 13:26:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 89A82D08 ZwEnumerateKey
Code 89B0D728 ZwFlushInstructionCache
Code 8965D726 IofCallDriver
Code 89A3FFAE IofCompleteRequest
Code 89A77A55 ZwSaveKey
Code 89B6BE2D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8965D72B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 89A3FFB3
.text ntkrnlpa.exe!ZwSaveKey 80500D68 5 Bytes JMP 89A77A5A
.text ntkrnlpa.exe!ZwSaveKeyEx 80500D7C 5 Bytes JMP 89B6BE32
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 89B0D72C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 89A82D0C
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FB000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1560] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 010A000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 0103000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1744] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0112000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A9C15E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A9C15E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A9C15E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A9C15E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [A9C15E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A9C17B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A9C15E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A9C18260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A9C17930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\Iexplore.exe[1744] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [208] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [208] 0x00760000
Library \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [668] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [668] 0x00760000
Library \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1040] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1040] 0x00760000
Library \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1084] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1084] 0x00760000
Library \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1176] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1176] 0x00760000
Library \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1212] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1212] 0x00760000
Library \\?\globalroot\systemroot\system32\UACwdyembrvlb.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1532] 0x00D40000
Library \\?\globalroot\systemroot\system32\UACwdyembrvlb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1560] 0x00B60000
Library \\?\globalroot\systemroot\system32\UACwdyembrvlb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1744] 0x00F90000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACbchqfgntix.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbchqfgntix.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbchqfgntix.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACtrrdnnqwhx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACyqdcbxgriy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACqtmpmpyfwa.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACwdyembrvlb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbchqfgntix.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbchqfgntix.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACtrrdnnqwhx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACnpfjxtqxxo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACyqdcbxgriy.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACqtmpmpyfwa.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACvdkrjefcbn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACwdyembrvlb.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Local Settings\Temp\UACeba6.tmp 343040 bytes executable
File C:\Documents and Settings\Administrator\Local Settings\Temp\UAC2913.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACbchqfgntix.sys 54784 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\uacinit.dll 6580 bytes
File C:\WINDOWS\system32\UACnpfjxtqxxo.dll 74240 bytes
File C:\WINDOWS\system32\UACqtmpmpyfwa.db 1390820 bytes
File C:\WINDOWS\system32\UACtrrdnnqwhx.dll 26624 bytes executable
File C:\WINDOWS\system32\UACvdkrjefcbn.dll 29696 bytes executable
File C:\WINDOWS\system32\UACwdyembrvlb.dll 19968 bytes executable
File C:\WINDOWS\system32\UACyqdcbxgriy.dat 174 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:01:27 PM

Posted 13 September 2009 - 04:29 PM

Hello, tred11.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training so it may take a while for me to get back to you, as each of my fixes need to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:01:27 PM

Posted 16 September 2009 - 08:14 AM

Hello tred11
Are you still with us?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:27 AM

Posted 18 September 2009 - 12:41 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users