
Paladin Antivirus and Spyware Doctor


This topic is locked
7 replies to this topic

#1 Gadget_333

Gadget_333

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 22 February 2010 - 06:29 PM

Hi all

I suspect this is a bit of an old topic but I haven't been able to find this exact solution - as a new member I am hoping someone can help.

Just the other day my PC got infected with Paladin Antivirus and after a fair bit of time and searching I thought I had got rid of it, but during start up I got an error message about PCTBrowserDefender.dll and once started Paladin would kick off again.

I finally tracked down the file to Spyware Doctor and Paladin seems to have replaced PCTBrowserDefender.dll and PCTLicReset.dll with new files.

I have tried unregistering the files (REGSVR32 /u) but get the error message Dllunregister in PCTBRowserDefender.dll failed. Return code was 0x8008801c, and

pctlicreset.dll was loaded, but the dllregisterserver entry point was not found - which I believe means this is not a .dll file.

I cannot delete the files as they are locked.

I have been battling with this for a while and would prefer to beat the infection - please help.

Edited by Orange Blossom, 22 February 2010 - 09:09 PM.
Move to AII. ~ OB



#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:11 PM

Posted 22 February 2010 - 09:27 PM

Let's start here:

The procedure will have several steps, so you may wish to print this out.

:inlove: Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
:flowers: Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:thumbsup: Please download RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
:trumpet: Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Gadget_333

Gadget_333
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 23 February 2010 - 03:41 AM

Hi

Thanks for the reply. I have two laptops at home: one is for work and is uninfected, the infected laptop is my personal laptop.

So far using my work laptop I have downloaded TFC to an external hard drive and transferred it to my personal laptop and run it.

I then connected to the internet and tried to get to Superantivirus and Bleeping computer. Google finds the pages but my browser cannot open the pages.

Using my work laptop I have downloaded Superantivirus to the hard drive and it will run on my work laptop. I have tried copying the .exe file to my desktop and tried running it from my hard drive but it will not install or run on my infected laptop.

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:11 PM

Posted 23 February 2010 - 07:36 AM

See if this program will run.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.



#5 Gadget_333

Gadget_333
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 23 February 2010 - 07:54 AM

I have installed RKill and used that. I have installed Malware AntiMalware and performed a full scan. The scan found 5 infected objects but crashed after 27 mins.

I have re-run the scan as a quick scan which found 5 infected objects as below:

Malwarebytes' Anti-Malware 1.44
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

23/02/2010 12:42:24
mbam-log-2010-02-23 (12-42-24).txt

Scan type: Quick Scan
Objects scanned: 111385
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Adware Professional (Rogue.AdwarePro) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Grant Stretch\Local Settings\Temporary Internet Files\Content.IE5\1AEWX3XD\setup[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Adware Professional\noadware4_022210.na (Rogue.AdwarePro) -> Quarantined and deleted successfully.
C:\Program Files\Adware Professional\nutilities.dll (Rogue.AdwarePro) -> Quarantined and deleted successfully.

I have uninstalled MS IExplorer and installed Firefox but still cannot access the SuperAntiSpyware website or bleeping computer. I also cannot install SuperAntiSpyware from an external hard drive.

#6 Gadget_333

Gadget_333
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 23 February 2010 - 08:35 AM

This is the GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-23 14:32:57
Windows 5.1.2600 Service Pack 3
Running: xeqqwiql.exe; Driver: C:\DOCUME~1\GRANTS~1\LOCALS~1\Temp\pxldapog.sys


---- System - GMER 1.0.15 ----

Code 82D4B080 ZwEnumerateKey
Code 82D4B158 ZwFlushInstructionCache
Code 82D4B046 IofCallDriver
Code 82D4AF36 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 82D4B04B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 82D4AF3B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC6 5 Bytes JMP 82D4B15C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB76 5 Bytes JMP 82D4B084

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01F5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F7000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0155BCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0155BC50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01557EA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01559100
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0155AA10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01559370
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01559180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0155A010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0155B950
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0155B990
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0155BD30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0155B810
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0155A970
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01559930
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 015592E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01559660
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0155C2B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0155A360
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0155A7D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0155AE90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0155AC20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0155AE10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0155B2F0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0155B000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01559250
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 015597E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0155BA70
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0155AD60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0155A910
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0155A790
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0155AB20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0155BD50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0155AB60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0155BFF0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0155BF90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0155C1E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0155C280
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0155C0B0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\usb_rndisx \Device\{1597EBC1-9C85-4816-A5B4-59D1885F96BF} RNDISMPX.SYS (Remote NDIS Miniport/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) AAA63000-AAA81000 (122880 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) [SYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDfpljejdeav.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDuncoewwlsq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDrotinbaibq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDqllxcyxgsh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDfpljejdeav.dll
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDuncoewwlsq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDrotinbaibq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDqllxcyxgsh.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\18F6CF348E791D54983FE578EF60A65E\Usage@Program_Pro 1012340047

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll 1604 bytes
File C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll 10758 bytes
File C:\Documents and Settings\Grant Stretch\Local Settings\Temp\_VOIDe38a.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys 42496 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\_VOIDfpljejdeav.dll 26624 bytes executable
File C:\WINDOWS\system32\_VOIDqllxcyxgsh.dll 45056 bytes executable
File C:\WINDOWS\system32\_VOIDrotinbaibq.dll 45056 bytes executable
File C:\WINDOWS\system32\_VOIDuncoewwlsq.dat 248 bytes

---- EOF - GMER 1.0.15 ----


Regards
Grant

Edited by Gadget_333, 23 February 2010 - 10:37 AM.

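A triage script for a GMER log like the one posted above, added here as an example (it is not part of the thread, nor a GMER feature): it parses the log by section, ties the hidden driver to the service whose ImagePath loads it, and separates Firefox's own LdrLoadDll hook from the unattributed hooks on the WS2_32 socket functions. The sample input is an excerpt of the log from post #6; the verdict labels and the regexes for the line formats are my own assumptions about GMER 1.0.15 output.

```python
"""Triage a GMER log: pull out what a malware-removal helper looks at first."""
import re

# Excerpt of the GMER log posted in this thread (lines copied from post #6),
# embedded as sample input so the script runs offline.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 82D4B04B
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB76 5 Bytes JMP 82D4B084
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01F5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F7000A
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) AAA63000-AAA81000 (122880 bytes)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) [SYSTEM] _VOIDd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys 42496 bytes executable <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "<segment> [<process path>[pid] ]<module>!<export> <addr> <n> Bytes <patch>"
HOOK_RE = re.compile(r"^(?P<seg>\S+)\s+(?P<image>.*?)(?P<module>[^\s!]+)!(?P<symbol>\S+)\s+"
                     r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$")
IMAGEPATH_RE = re.compile(r"^Reg (?P<key>\S+?)@imagepath (?P<path>\S+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes")


def parse_gmer(text):
    """Group the lines that matter by GMER section; returns a dict of findings."""
    f = {"kernel_hooks": [], "user_hooks": [], "hidden": [],
         "rootkit_files": [], "service_images": {}}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        # GMER tags objects it could only see by bypassing the OS API as hidden
        if "*** hidden ***" in line or "<-- ROOTKIT" in line:
            f["hidden"].append((section, line))
        if section == "Files" and "<-- ROOTKIT" in line and (m := FILE_RE.match(line)):
            f["rootkit_files"].append(m["path"])
        elif section in ("Kernel code sections", "User code sections") and (m := HOOK_RE.match(line)):
            bucket = "kernel_hooks" if section.startswith("Kernel") else "user_hooks"
            f[bucket].append({"image": m["image"].strip() or m["module"],
                              "module": m["module"], "symbol": m["symbol"],
                              "patch": m["patch"]})
        elif section == "Registry" and (m := IMAGEPATH_RE.match(line)):
            f["service_images"][m["key"]] = m["path"]
    return f


def triage(f):
    """Correlate the findings into a verdict plus human-readable reasons."""
    reasons = []
    hidden = {p.rsplit("\\", 1)[-1].lower() for p in f["rootkit_files"]}
    for sec, line in f["hidden"]:
        if sec in ("Modules", "Services"):      # second token is the driver path
            hidden.add(line.split()[1].rsplit("\\", 1)[-1].lower())
    # A service whose ImagePath names a hidden driver is the rootkit's persistence
    for key, path in f["service_images"].items():
        if path.rsplit("\\", 1)[-1].lower() in hidden:
            reasons.append("service %s loads hidden driver %s" % (key.rsplit("\\", 1)[-1], path))
    if f["kernel_hooks"]:
        reasons.append("inline hooks on kernel exports: " + ", ".join(h["symbol"] for h in f["kernel_hooks"]))
    for h in f["user_hooks"]:
        # A JMP that GMER attributes to the hooked process itself (Firefox's own
        # LdrLoadDll hook) is expected; a JMP into unattributed memory on a socket
        # API is not, and fits the poster's "browser cannot open the sites" symptom.
        exe = h["image"].split("[")[0]
        if exe and exe in h["patch"]:
            continue
        reasons.append("%s!%s hooked in %s -> %s" % (h["module"], h["symbol"], exe.rsplit("\\", 1)[-1], h["patch"]))
    verdict = "ROOTKIT" if f["hidden"] else ("SUSPICIOUS" if reasons else "NOTHING FLAGGED")
    return verdict, reasons


if __name__ == "__main__":
    verdict, reasons = triage(parse_gmer(SAMPLE_LOG))
    print(verdict)
    for r in reasons:
        print(" -", r)
```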

#7 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:11 PM

Posted 24 February 2010 - 09:11 AM

You are infected by a rootkit that will need advanced tools to clean. Please follow this guide - skipping the parts we have already covered. Post a DDS log to the Malware Removal Forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...



#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:11 PM

Posted 25 February 2010 - 05:11 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/298531/paladin-malware-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
