Definitely Infected


7 replies to this topic

#1 chamochampoo

Posted 18 September 2009 - 02:27 AM

Ok. So my computer has been infected with some sort of virus. The virus does not let me open Firefox or Internet Explorer. It also doesn't let me open Spybot or Anti-Malware. I've tried to run Trend Micro HouseCall in Opera but it has frozen on me every time. I should also say that I get a blue screen every time I try to boot in safe mode. I don't know what to do anymore. Please help!


#2 rigel

Posted 18 September 2009 - 07:48 AM

Try to run this:

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; a self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 chamochampoo

Posted 20 September 2009 - 03:36 PM

Thanks so much for the help! I downloaded RootRepeal.exe and tried to open it but I get an error message that says: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." What should I do?

#4 rigel

Posted 21 September 2009 - 07:40 AM

If you are running Vista, be sure to run the program as an Administrator.

If it runs, do not check the files option and run the program.



#5 chamochampoo

Posted 21 September 2009 - 02:11 PM

Sorry, I probably should have specified that I'm running XP.

#6 rigel

Posted 21 September 2009 - 08:28 PM

Let's try an alternate program.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



#7 chamochampoo

Posted 21 September 2009 - 09:29 PM

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-21 22:27:44
Windows 5.1.2600 Service Pack 3
Running: lu66xmkm.exe; Driver: C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\pxtdapoc.sys


---- System - GMER 1.0.15 ----

Code 86BD6B40 ZwEnumerateKey
Code 86BD6C18 ZwFlushInstructionCache
Code 86BD6426 IofCallDriver
Code 86BD634E IofCompleteRequest
Code 86BD880D ZwSaveKey
Code 86BDE2BD ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 86BD642B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 86BD6353
.text ntkrnlpa.exe!ZwSaveKey 80500D68 5 Bytes JMP 86BD8812
.text ntkrnlpa.exe!ZwSaveKeyEx 80500D7C 5 Bytes JMP 86BDE2C2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 86BD6C1C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 86BD6B44
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F66B28AC 5 Bytes JMP 86D7F1B8
? System32\Drivers\agai6rxm.SYS The system cannot find the path specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[504] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[504] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[504] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[552] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[552] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[552] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] USER32.DLL!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1332] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1332] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1428] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1428] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1504] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1504] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1504] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1828] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1828] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1828] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00FB000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2036] WININET.dll!HttpAddRequestHeadersW 780CD015 5 Bytes JMP 010A000A
.text C:\WINDOWS\system32\svchost.exe[2072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[2072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[2072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\msa.exe[2188] USER32.DLL!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\msa.exe[2188] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\msa.exe[2188] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[2476] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[2476] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[2476] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Windows Media Connect 2\wmccds.exe[2576] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Windows Media Connect 2\wmccds.exe[2576] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\Windows Media Connect 2\wmccds.exe[2576] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\395C624E.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\395C624E.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7326ABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7326C00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7326B82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F732772E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7327604] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7339A9A] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Jorge Groenke\Desktop\lu66xmkm.exe[188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jorge Groenke\Desktop\lu66xmkm.exe[188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jorge Groenke\Desktop\lu66xmkm.exe[188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jorge Groenke\Desktop\lu66xmkm.exe[188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CreateWindowExW] [0041707E] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ShowWindow] [004170F8] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [004171AA] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00417004] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [0041707E] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [004171AA] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [004170F8] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [00417004] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [0041707E] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [004170F8] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!CreateWindowExW] [0041707E] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe[1244] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowPos] [004171AA] C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe
IAT C:\WINDOWS\system32\svchost.exe[1332] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1332] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\ctfmon.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02D32DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02D32C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02D32C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02D32C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Internet Explorer\Iexplore.exe[2036] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[2036] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[2072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[2072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CreateWindowExW] [00419BF0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DialogBoxParamW] [00419D82] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ShowWindow] [00419C68] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [00419D16] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxW] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxA] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxIndirectW] [00419D7C] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamA] [00419D82] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [00419D82] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00419B78] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00419BF0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxA] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxW] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectA] [00419D7C] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectW] [00419D7C] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00419D16] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [00419C68] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [00419B78] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00419BF0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] [00419D82] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MessageBoxW] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [00419C68] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!MessageBoxW] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!MessageBoxA] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!CreateWindowExW] [00419BF0] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!MessageBoxW] [00419D8E] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowPos] [00419D16] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\msa.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!DialogBoxParamW] [00419D82] C:\WINDOWS\msa.exe
IAT C:\WINDOWS\ehome\mcrdsvc.exe[2476] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\WINDOWS\ehome\mcrdsvc.exe[2476] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Windows Media Connect 2\wmccds.exe[2576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Windows Media Connect 2\wmccds.exe[2576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[3340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\iTunes\iTunesHelper.exe[3340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\iTunes\iTunesHelper.exe[3340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\iTunes\iTunesHelper.exe[3340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[3340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\iTunes\iTunesHelper.exe[3340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\395C624E.x86.dll
IAT C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3700] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[3944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[3944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[3944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[3944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F5E1D8
Device \FileSystem\Fastfat \FatCdrom 8663F1D8

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 86D7E1D8
Device \Driver\usbuhci \Device\USBPDO-1 86D7E1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FD31D8
Device \Driver\dmio \Device\DmControl\DmConfig 86FD31D8
Device \Driver\dmio \Device\DmControl\DmPnP 86FD31D8
Device \Driver\dmio \Device\DmControl\DmInfo 86FD31D8
Device \Driver\usbuhci \Device\USBPDO-2 86D7E1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{47E3C512-ADCE-4B00-A260-CA95D1CCEDC8} 86BC47F0
Device \Driver\usbuhci \Device\USBPDO-3 86D7E1D8
Device \Driver\usbehci \Device\USBPDO-4 86D511D8
Device \Driver\00000057 \Device\00000055 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F601D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F601D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 86F601D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 86F601D8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86BC47F0
Device \Driver\NetBT \Device\NetbiosSmb 86BC47F0

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 86D7E1D8
Device \Driver\usbuhci \Device\USBFDO-1 86D7E1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8648D1D8
Device \Driver\usbuhci \Device\USBFDO-2 86D7E1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8648D1D8
Device \Driver\usbuhci \Device\USBFDO-3 86D7E1D8
Device \Driver\usbehci \Device\USBFDO-4 86D511D8
Device \Driver\Ftdisk \Device\FtControl 86F601D8
Device \Driver\agai6rxm \Device\Scsi\agai6rxm1 86CCD1D8
Device \Driver\agai6rxm \Device\Scsi\agai6rxm1Port2Path0Target0Lun0 86CCD1D8
Device \FileSystem\Fastfat \Fat 8663F1D8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 864C1980

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [368] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [368] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [504] 0x35670000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [552] 0x35670000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [780] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [780] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\JORGEG~1\LOCALS~1\Temp\b.exe [1244] 0x35670000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x35670000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1428] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1428] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1428] 0x35670000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1504] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1504] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1504] 0x35670000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1588] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1588] 0x00760000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1720] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1720] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1828] 0x35670000
Library \\?\globalroot\systemroot\system32\UACuxmditltxj.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2016] 0x00D30000
Library \\?\globalroot\systemroot\system32\UACuxmditltxj.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [2036] 0x00B60000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [2036] 0x35670000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2072] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2072] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2072] 0x35670000
Library \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2092] 0x10000000
Library \\?\globalroot\systemroot\system32\UACftqymgjclf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2092] 0x00760000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\msa.exe [2188] 0x35670000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [2476] 0x35670000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\Program Files\Windows Media Connect 2\wmccds.exe [2576] 0x35670000
Library \\?\globalroot\Device\__max++>\395C624E.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [3340] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACqqowupxnsv.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFF 0x66 0xF3 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x91 0x76 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x42 0x30 0xC5 0xF0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACqqowupxnsv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACqqowupxnsv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpxurqhbbgk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACreoaobqaoy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACcluomaqtmx.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACftqymgjclf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuxmditltxj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFF 0x66 0xF3 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x91 0x76 0x35 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x42 0x30 0xC5 0xF0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFF 0x66 0xF3 0xE1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x91 0x76 0x35 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x42 0x30 0xC5 0xF0 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFF 0x66 0xF3 0xE1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x91 0x76 0x35 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x42 0x30 0xC5 0xF0 ...
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACqqowupxnsv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACqqowupxnsv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpxurqhbbgk.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfdlvrmrypl.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACreoaobqaoy.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACcluomaqtmx.db
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACftqymgjclf.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuxmditltxj.dll
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5@ UAAddressBookBttn Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5\CLSID@ {C0E10003-001C-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5@ UAButton Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5\CLSID@ {C0E10003-0007-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5@ UACheckBox Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5\CLSID@ {C0E10003-0013-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5@ UADropDown Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5\CLSID@ {C0E10003-000A-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5@ UAEdit Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5\CLSID@ {C0E10003-0023-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5@ UAGalleryBttn Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5\CLSID@ {C0E10003-0010-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5@ UAGallery Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5\CLSID@ {C0E10003-0019-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5@ UAGraphicDropDown Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5\CLSID@ {C0E10003-0026-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5@ UAHelp Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5\CLSID@ {C0E10003-002F-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5@ UAPartsList Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5\CLSID@ {C0E10003-000D-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5@ UARadioButton Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5\CLSID@ {C0E10003-0016-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5@ UAScrapBookBttn Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5\CLSID@ {C0E10003-001F-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5@ UAText Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5\CLSID@ {C0E10003-002C-0005-C0E1-C0E1C0E1C0E1}

---- EOF - GMER 1.0.15 ----

#8 rigel

rigel

    FD-BC

  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:27 AM

Posted 22 September 2009 - 01:16 PM

You have a very nasty rootkit!

Two ways to go now. You can reformat/reload. That would guarantee removal of all bad files. -OR- You need to post a DDS log to the HJT forum. Please follow this guide from step (6). Post a DDS log to the HJT/Malware forum and a Team member will be along to help you as soon as possible.

Good luck and let me know if you need any help with the guide.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
