
Fake Security Alerts, Hidden IE, and more...


  • This topic is locked
22 replies to this topic

#1 HopefulDude

  • Members
  • 23 posts

Posted 03 September 2009 - 02:49 PM

Hello,

First time poster...love the work you guys do...thanks for taking the time to read this.

I currently have some type of unwanted programs on my computer. This computer is used for work, so it contains sensitive information, so I would really love some help on removing this thing.

I am infected with a virus that adds the protection anti-virus to my computer, also gives me fake alerts using the wscsv32.exe file, along with some DLLs. Sometimes it adds porn icons to my desktop, such as porntube, nudetube, etc...And it also runs a hidden internet explorer window in the background. Sometimes that window plays podcasts or something, because interviews are going on until I shut down the hidden window.

Originally it tried blocking my internet, but I think I broke that part of it. I am also able to get the security alerts to stop popping up if I set the permissions to deny on everything, but there are still things going on in the background.

I have tried McAfee, Ad-Aware, Malware Bytes, Norton, AVG, SUPERAnti-spyware, + others I can't even remember the name of, and I was going to try Kaspersky but it wants me to remove anti-viruses such as McAfee and AVG. AVG gives me a registry error every time I try to uninstall it, and I don't believe I even have McAfee on this computer anymore.

I have tried running quick and full virus scans in normal mode, safe mode, and safe mode with networking. All of the scans have picked up something, and they seem to remove it, but it's back as soon as I boot into Windows, which is Win XP Pro SP2, by the way.

Could someone please help me remove these files so I can work safely and sanely again? I would truly appreciate it!



#2 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 04:06 PM

Just wanted to add that I could probably work my way through some posts and figure some stuff out that's already been said, but I see many times where people say not to use combofix unless authorized. I have also seen, at times, where people have said that solutions were customized for that particular user. So I figured it was best to just start fresh with someone who knows what they are doing.

#3 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 07:19 PM

Is there a better section on this forum for this post? Notice I am not getting any responses...is this the right place?

#4 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 03 September 2009 - 07:36 PM

Hello HopefulDude and welcome to BleepingComputer

I appreciate your patience while waiting for a helper. We are all volunteers here, and very limited in number, so sometimes it takes some time to work through the flood of requests for help.

> Just wanted to add that I could probably work my way through some posts and figure some stuff out that's already been said, but I see many times where people say not to use combofix unless authorized. I have also seen, at times, where people have said that solutions were customized for that particular user. So I figured it was best to just start fresh with someone who knows what they are doing.


You don't know how happy it makes me to hear that. . . I wish that more users had your wisdom. While the possibility certainly exists that following a fix designed for someone else might work, you could just as easily cause some serious, irreparable damage to your system. The warnings like the ones you mentioned are there for the protection of our readers because we're dead serious when we say you can end up with a beautiful $1500 doorstop if you follow fixes made for someone else or run tools like ComboFix without the guidance of a trained specialist. In short, good job!

***************************************************

To start, please post the logs from the Malwarebytes and SUPERAntiSpyware Scans that you mentioned running. If you need help on retrieving those logs. . . let me know and I can direct you.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 07:45 PM

Thanks a lot for your reply! I removed the SUPERAnti-Spyware...I figured it probably wouldn't help the situation at all with 5 different scanners installed. I did leave Malware Bytes in. I will post the log below, but before I do...I don't think the .exe file I mentioned earlier is showing up on it. It only shows on some reports, and I don't even think it's running right now. I believe I killed the app and set the permissions to deny access a while ago.

Malwarebytes' Anti-Malware 1.40
Database version: 2736
Windows 5.1.2600 Service Pack 2

9/3/2009 15:34:41
mbam-log-2009-09-03 (15-34-41).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 210080
Time elapsed: 36 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACpxsxminlxx.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACpxsxminlxx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#6 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 03 September 2009 - 07:50 PM

That installer is probably the least of your worries. Let's have a look.

Please install RootRepeal.
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log



#7 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 08:00 PM

Might actually have a problem with this part of the reporting. I don't have admin access...it's a company owned computer. So it threw some error flags...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/03 20:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA8C6D000 Size: 778240 File Visible: No Signed: -
Status: -

Name: pxscan.sys
Image Path: C:\WINDOWS\System32\drivers\pxscan.sys
Address: 0xA5FE4000 Size: 36864 File Visible: No Signed: -
Status: -

Name: pxsec.sys
Image Path: C:\WINDOWS\System32\drivers\pxsec.sys
Address: 0xA7110000 Size: 40960 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA878D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xF77FF000 Size: 20480 File Visible: No Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xA8F3C000 Size: 151552 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACmtoxkkctqr.dll]
Process: svchost.exe (PID: 1244) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: UACsjklafture.dll]
Process: Explorer.EXE (PID: 3916) Address: 0x10000000 Size: 49152

==EOF==

#8 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 08:18 PM

Isn't there any way to locate those DLLs? I can never find them...Would be nice if you could locate them and find a way to break them...Then at least the virus wouldn't work and you could work on deleting everything...

#9 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 08:32 PM

Ok, sorry for the multiple posts. I forgot I had the admin password from a while ago. But even when I run it as an admin it gives me an error that says "Could not read the boot sector. Try adjusting the Disc Access Level in the options dialog." Then at the end it gives another error that states "Could not read system registry! Please contact author!"

It still produces the same exact log though.

Edited by HopefulDude, 03 September 2009 - 08:34 PM.


#10 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 03 September 2009 - 08:36 PM

If this is a company owned computer. . . you should contact the company IT department as they may have special company policies and procedures for dealing with infected machines.

If you have admin access though. . . we can continue scanning.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log

Edited by Blade Zephon, 03 September 2009 - 08:38 PM.



#11 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 08:39 PM

I have admin access now. The reason I am avoiding going to tech is because I work remotely and am about 2 hours away. They will require me to bring the machine in and I might not get it back for 2 days, and I can't afford to lose the working time, nor am I in the position to drive that far...If you can't help, I'll understand, but is there any way you could point me in a general direction? I am determined to work on this until the end of tomorrow before I give in. I can still work by bypassing the nag screens, and during scans, so I am not losing much time...just don't like this thing being on the machine.

#12 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 08:47 PM

Ok thanks again! I ran the log, it said that there is root activity...something like that? I didn't write it down. If you need the exact message that popped up I can run it again. Here is the log...

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-03 21:44:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 862EA198 ZwEnumerateKey
Code 862E8A18 ZwFlushInstructionCache
Code 867496F6 IofCallDriver
Code 862DB1BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 867496FB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 862DB1C3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578EE4 5 Bytes JMP 862EA19C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805873DB 1 Byte [E9]
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805873DB 5 Bytes JMP 862E8A1C
? C:\WINDOWS\system32\drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
? C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys The system cannot find the file specified. !
? C:\Program Files\SUPERAntiSpyware\SASENUM.SYS The system cannot find the file specified. !
? System32\drivers\pxscan.sys The system cannot find the path specified. !
? System32\drivers\pxsec.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3968] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 3E1DF4B1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxIndirectParamW 7E432062 5 Bytes JMP 3E35295F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxIndirectA 7E43A06A 5 Bytes JMP 3E3528E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxParamA 7E43B12C 5 Bytes JMP 3E352924 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxExW 7E450750 5 Bytes JMP 3E35286C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 3E3528A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxIndirectParamA 7E456CD0 5 Bytes JMP 3E35299A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxIndirectW 7E466425 5 Bytes JMP 3E20182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4112] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E352B5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 3E1DF4B1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!DialogBoxIndirectParamW 7E432062 5 Bytes JMP 3E35295F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!MessageBoxIndirectA 7E43A06A 5 Bytes JMP 3E3528E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!DialogBoxParamA 7E43B12C 5 Bytes JMP 3E352924 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!MessageBoxExW 7E450750 5 Bytes JMP 3E35286C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 3E3528A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!DialogBoxIndirectParamA 7E456CD0 5 Bytes JMP 3E35299A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] USER32.dll!MessageBoxIndirectW 7E466425 5 Bytes JMP 3E20182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4232] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E352B5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 3E1DF4B1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!DialogBoxIndirectParamW 7E432062 5 Bytes JMP 3E35295F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!MessageBoxIndirectA 7E43A06A 5 Bytes JMP 3E3528E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!DialogBoxParamA 7E43B12C 5 Bytes JMP 3E352924 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!MessageBoxExW 7E450750 5 Bytes JMP 3E35286C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 3E3528A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!DialogBoxIndirectParamA 7E456CD0 5 Bytes JMP 3E35299A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] USER32.dll!MessageBoxIndirectW 7E466425 5 Bytes JMP 3E20182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6604] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E352B5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip asnttdi.sys (TDI Filter Driver/Aventail Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp asnttdi.sys (TDI Filter Driver/Aventail Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp asnttdi.sys (TDI Filter Driver/Aventail Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp asnttdi.sys (TDI Filter Driver/Aventail Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1036] 0x01840000
Library \\?\globalroot\systemroot\system32\UACpxsxminlxx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1244] 0x01430000
Library \\?\globalroot\systemroot\system32\UACvpenedyaur.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1244] 0x014F0000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3916] 0x00F30000

---- EOF - GMER 1.0.15 ----
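
Reading a GMER log by eye is error-prone, and the two things a helper looks for in a log like the one above (inline patches to ntoskrnl whose jump target GMER cannot tie to any loaded driver, and libraries flagged as hidden) are exactly what a small parser can pull out. The script below is an added example, not code from this thread, from BleepingComputer or from the GMER tool. It runs over a constructed excerpt modelled on the log above; the severity rules and the UAC* name heuristic are assumptions of the example, not GMER's own verdicts.

```python
"""Triage a GMER rootkit-scan log: kernel inline patches and hidden modules.

Added example; not code from this thread or from the GMER tool. The sample
log is a constructed excerpt modelled on the log posted in the thread, and
the severity rules below are this example's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in GMER 1.0.15 text format (a few lines, not the full log).
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 867496FB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 862DB1C3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578EE4 5 Bytes JMP 862EA19C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805873DB 1 Byte [E9]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 3E1DF4B1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACpxsxminlxx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1244] 0x01430000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3916] 0x00F30000

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# <sect> [<process>[pid]] <module>!<function> <addr> <n> Byte(s) <patch...>
PATCH_RE = re.compile(
    r"^(?P<sect>\S+)\s+(?:(?P<proc>.+?\[\d+\])\s+)?"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"(?P<n>\d+) Bytes?\s+(?P<patch>.*)$"
)
# Trailing "<owner path> (<description/vendor>)" that GMER appends when it can
# resolve the jump target to a module on disk.
OWNER_RE = re.compile(r"^(?P<patch>.*?)\s+(?P<owner>[A-Za-z]:\\.+?) \((?P<vendor>.+)\)$")
HIDDEN_LIB_RE = re.compile(
    r"^Library (?P<path>.+?) \(\*\*\* hidden \*\*\* \) @ "
    r"(?P<proc>.+?) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$"
)
# Naming pattern of the hidden DLLs in this thread ("UAC" + random letters);
# a heuristic for this example, not a definitive family signature.
UAC_NAME_RE = re.compile(r"^UAC[a-z]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    detail: str


def triage_gmer(log_text: str) -> list[Finding]:
    """Walk the log section by section and return the lines worth a human's eye."""
    findings: list[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section in ("Kernel code sections", "User code sections"):
            m = PATCH_RE.match(line)
            if not m:
                continue
            patch, owner = m.group("patch"), None
            om = OWNER_RE.match(patch)
            if om:
                patch, owner = om.group("patch"), om.group("owner")
            target = f"{m.group('module')}!{m.group('func')} @ {m.group('addr')}"
            if owner:
                # Resolved to a module on disk (here an IE frame DLL): a normal
                # in-process hook, recorded for completeness only.
                findings.append(Finding(section, "info", f"{target}: {patch} -> {owner}"))
            elif section == "Kernel code sections":
                # ntoskrnl patched to jump somewhere GMER cannot attribute to any
                # loaded driver: the hallmark of a kernel-mode rootkit.
                findings.append(Finding(section, "high", f"{target}: {patch} (no owning module)"))
            else:
                findings.append(Finding(section, "medium", f"{target}: {patch} (no owning module)"))
        elif section == "Processes":
            m = HIDDEN_LIB_RE.match(line)
            if not m:
                continue
            name = m.group("path").rsplit("\\", 1)[-1]
            where = f"{m.group('proc')} [{m.group('pid')}]"
            if UAC_NAME_RE.match(name):
                findings.append(Finding(section, "high", f"hidden {name} in {where}: UAC* naming"))
            elif "." not in name:
                # Only "C:\Program" was printed: the module path is truncated or
                # unresolvable, which is itself worth chasing.
                findings.append(Finding(section, "high", f"hidden module in {where}: unresolved path {name!r}"))
            else:
                findings.append(Finding(section, "medium", f"hidden {name} in {where}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_GMER_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print(summarize(triage_gmer(SAMPLE_GMER_LOG)))
```

Run as a script it prints each finding with its severity; `triage_gmer()` returns the list, so the same logic can be pointed at the text of a full saved gmer.log. The point of the owner check is that GMER prints a module path and vendor when it can tie a jump target to something on disk; the kernel hooks in the thread's log have no such attribution, which is what makes them stand out.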

#13 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 09:14 PM

Hey, not trying to rush you by any means, just not sure if you will be able to help further?

#14 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 03 September 2009 - 09:21 PM

When it told you that there was root activity. . . did you tell it to run a full scan? If not, please run the scan again and do so. I see rootkit activity evident in the log. . . but there are pieces missing that we need to find. If you did have it run a full scan, let me know and we'll move to another tool.


Also. . . you mentioned you had sensitive information on that laptop. . . you should consider all that information to be compromised.

IMPORTANT NOTE: One or more of the identified infections (UAC*) is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed this kind of malware. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

~Blade



#15 HopefulDude

  • Topic Starter
  • Members
  • 23 posts

Posted 03 September 2009 - 09:32 PM

I manually ran the scan. The dialog did not pop up until the end of the scan, and it only gave me the option to select "OK". Once I did, the scan ended. I will read through the information you have posted. I would still like to try to remove this thing, if you don't mind.



