Paladin Malware Infection


This topic is locked
4 replies to this topic

#1 Gadget_333 (Members, 6 posts)

Posted 25 February 2010 - 04:10 PM

Hi

Recently I was infected by Paladin and while I have been able to get rid of most of that infection by following advice from Rigel, I was told I have a rootkit infection: http://www.bleepingcomputer.com/forums/t/297813/paladin-antivirus-and-spyware-doctor/.

Rigel advised me to raise a new topic and post DDS and GMER logs to this forum for further help. Unfortunately I cannot download GMER or get it to run another scan as my browser keeps diverting to other websites.

I am hoping someone can help before I give up and re-build the machine.

The DDS logs follow:

DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Grant Stretch at 18:01:05.59 on 25/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.155 [GMT 0:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Grant Stretch\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uLocal Page = \blank.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/products/startup_code.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Internet Explorer Plugin: {91844346-75a8-4ac0-be2c-c56e69d2f22b} - fjjjjebb.dll
BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [eventcreatexp.exe] c:\docume~1\grants~1\locals~1\temp\eventcreatexp.exe
uRun: [Paladin Antivirus] "c:\program files\paladin antivirus\pav.exe" -noscan
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ve.ukie.capgemini.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grants~1\applic~1\mozilla\firefox\profiles\dn7evt9z.default\
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-3 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-1-3 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-1-3 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-3 233136]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-3-26 20352]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\spyware doctor\bdt\bdtupdateservice.exe" --> c:\program files\spyware doctor\bdt\BDTUpdateService.exe [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 Httpisearis;Httpisearis; [x]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-1-31 14424]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-1-3 70408]
S3 stusb2ir;USB 2.0 IrDA Bridge;c:\windows\system32\drivers\stusb2ir.sys [2009-9-27 40856]
S3 SWNC8U50;Sierra Wireless MUX NDIS Driver (UMTS50);c:\windows\system32\drivers\swnc8u50.sys [2007-9-21 164480]
S3 SWUMX50;Sierra Wireless USB MUX Driver (UMTS50);c:\windows\system32\drivers\swumx50.sys [2007-9-21 140672]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-1-3 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

=============== Created Last 30 ================

2010-02-25 17:58:56 0 ----a-w- c:\documents and settings\grant stretch\defogger_reenable
2010-02-23 13:09:54 0 d-----w- C:\New Folder
2010-02-23 11:25:59 389 ----a-w- c:\windows\system32\dzmdbi
2010-02-23 11:25:57 42496 ----a-w- c:\windows\system32\fjjjjebb.dll
2010-02-21 15:03:32 0 d-----w- c:\docume~1\grants~1\applic~1\Malwarebytes
2010-02-21 14:54:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 14:54:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-21 13:01:36 1048 ----a-w- c:\docume~1\alluse~1\applic~1\fiosejgfse.dll
2010-02-21 09:13:52 0 d-----w- c:\docume~1\grants~1\applic~1\AVG8
2010-02-21 00:55:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-20 13:18:40 9 ----a-w- c:\docume~1\alluse~1\applic~1\mswintmp.dat
2010-02-19 09:17:38 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-02-18 22:16:29 0 d-----w- c:\windows\system32\XPSViewer
2010-02-18 22:15:21 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-18 22:15:21 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-18 22:15:20 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-18 22:15:20 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-18 22:15:20 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-18 22:15:20 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-18 22:15:20 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-18 16:28:46 0 d-----w- c:\docume~1\grants~1\applic~1\Western DigitalTemp
2010-02-17 23:37:10 0 d-----w- c:\docume~1\grants~1\applic~1\Western Digital
2010-02-17 23:36:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2010-02-05 16:34:26 32411 ----a-w- c:\windows\SGTBox.INI
2010-01-31 09:52:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-31 09:52:22 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-31 08:58:29 0 d-----w- c:\program files\PeerBlock
2010-01-29 19:18:01 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-01-29 19:18:00 557056 ----a-w- c:\windows\system32\Netw2c32.dll

==================== Find3M ====================

2010-01-21 23:21:07 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 23:21:07 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 23:21:06 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 23:21:05 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-03 08:33:41 2560 ----a-w- c:\windows\system32\drivers\mchInjDrv.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-10-20 11:53:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 18:02:06.12 ===============

Attach Log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 05/08/2006 16:54:19
System Uptime: 25/02/2010 17:41:33 (1 hours ago)
Processor: Intel® Pentium® M processor 1.73GHz | N/A | 1729/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 8.76 GiB free.
D: is FIXED (NTFS) - 30 GiB total, 16.723 GiB free.
E: is Removable
F: is CDROM ()
G: is FIXED (FAT32) - 75 GiB total, 33.807 GiB free.
I: is FIXED (NTFS) - 466 GiB total, 23.957 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP470: 31/01/2010 09:32:22 - Software Distribution Service 3.0
RP471: 31/01/2010 09:54:40 - Installed Windows Internet Explorer 8.
RP472: 31/01/2010 09:56:17 - Software Distribution Service 3.0
RP473: 01/02/2010 03:00:24 - Software Distribution Service 3.0
RP474: 04/02/2010 09:17:14 - System Checkpoint
RP475: 05/02/2010 10:35:15 - System Checkpoint
RP476: 06/02/2010 14:33:18 - System Checkpoint
RP477: 09/02/2010 23:23:55 - System Checkpoint
RP478: 10/02/2010 03:00:34 - Software Distribution Service 3.0
RP479: 11/02/2010 06:58:50 - System Checkpoint
RP480: 12/02/2010 09:11:05 - System Checkpoint
RP481: 16/02/2010 06:25:24 - System Checkpoint
RP482: 18/02/2010 22:06:58 - Software Distribution Service 3.0
RP483: 22/02/2010 23:43:02 - Software Distribution Service 3.0

==== Installed Programs ======================

µTorrent
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Advertising Center
Canon ScanGear Toolbox CS 2.5
Click to DVD 2.0.03 Menu Data
Click to DVD 2.5.00
Creative Centrale
Creative Software Update
Creative ZEN Mozaic EZ Series Documentation
Critical Update for Windows Media Player 11 (KB959772)
EPSON Easy Photo Print
EPSON Printer Software
ESD68 User's Guide
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 5
Juniper Networks Host Checker
LAN-Express AS IEEE 802.11 Wireless LAN
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Visio Standard 2003
Microsoft Office XP Professional with FrontPage
Microsoft Project 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mindjet MindManager Pro 6
mMHouse
Mozilla Firefox (3.6)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
Nero 9 Essentials
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
Nero StartSmart OEM
neroxml
Nokia Connectivity Cable Driver
NVIDIA Drivers
OpenMG Limited Patch 4.3-05-10-05-01
OpenMG Secure Module 4.3.00
PC Cleaner v2.0
PC Connectivity Solution
PDF-XChange 3.0
PeerBlock 1.0.0 (r181)
Polar Precision Performance SW
QuickTime
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Setting Utility Series
Sony USB Driver
Sony USB Mouse
Sony Utilities DLL
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB 2.0 IrDA Bridge
VAIO Control Center
VAIO Entertainment Platform
VAIO Event Service
VAIO Power Management
VAIO Update 2
VLC media player 1.0.5
WebFldrs XP
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows XP Service Pack 3
Wireless LAN Starter
XP Codec Pack

==== Event Viewer Messages From Past Week ========

23/02/2010 16:56:22, error: System Error [1003] - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 804f35a2.
23/02/2010 12:45:44, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
23/02/2010 10:01:08, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Internet Security service to connect.
23/02/2010 10:01:08, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
23/02/2010 10:01:08, error: Service Control Manager [7003] - The VAIO Entertainment Database Service service depends on the following nonexistent service: MSSQL$VAIO_VEDB
23/02/2010 10:01:08, error: Service Control Manager [7001] - The VAIO Entertainment File Import Service service depends on the VAIO Entertainment Database Service service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
23/02/2010 10:01:08, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The system cannot find the file specified.
23/02/2010 10:01:08, error: Service Control Manager [7000] - The PC Tools Auxiliary Service service failed to start due to the following error: The system cannot find the file specified.
23/02/2010 10:01:08, error: Service Control Manager [7000] - The Kaspersky Internet Security service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
23/02/2010 10:01:08, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
23/02/2010 09:38:37, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
23/02/2010 09:29:36, error: Service Control Manager [7034] - The VAIO Event Service service terminated unexpectedly. It has done this 1 time(s).
23/02/2010 09:29:36, error: Service Control Manager [7034] - The VAIO Entertainment UPnP Client Adapter service terminated unexpectedly. It has done this 1 time(s).
23/02/2010 09:29:36, error: Service Control Manager [7034] - The Spectrum24 Event Monitor service terminated unexpectedly. It has done this 1 time(s).
23/02/2010 09:29:36, error: Service Control Manager [7034] - The RegSrvc service terminated unexpectedly. It has done this 1 time(s).
23/02/2010 09:29:36, error: Service Control Manager [7034] - The EvtEng service terminated unexpectedly. It has done this 1 time(s).
23/02/2010 09:29:36, error: Service Control Manager [7034] - The CT Device Query service service terminated unexpectedly. It has done this 1 time(s).
23/02/2010 09:29:36, error: Service Control Manager [7031] - The Nero BackItUp Scheduler 4.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
23/02/2010 09:10:21, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume5'. It has stopped monitoring the volume.
23/02/2010 07:54:20, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume6'. It has stopped monitoring the volume.
23/02/2010 07:11:56, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

GMER Log. This is a log previously run, as GMER keeps falling over. I will try to re-run it and post an updated log if needed.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-23 14:32:57
Windows 5.1.2600 Service Pack 3
Running: xeqqwiql.exe; Driver: C:\DOCUME~1\GRANTS~1\LOCALS~1\Temp\pxldapog.sys


---- System - GMER 1.0.15 ----

Code 82D4B080 ZwEnumerateKey
Code 82D4B158 ZwFlushInstructionCache
Code 82D4B046 IofCallDriver
Code 82D4AF36 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 82D4B04B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 82D4AF3B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC6 5 Bytes JMP 82D4B15C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB76 5 Bytes JMP 82D4B084

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01F5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F7000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0155BCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0155BC50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01557EA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01559100
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0155AA10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01559370
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01559180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0155A010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0155B950
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0155B990
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0155BD30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0155B810
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0155A970
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01559930
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 015592E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01559660
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0155C2B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0155A360
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0155A7D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0155AE90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0155AC20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0155AE10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0155B2F0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0155B000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01559250
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 015597E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0155BA70
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0155AD60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0155A910
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0155A790
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0155AB20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0155BD50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0155AB60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0155BFF0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0155BF90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0155C1E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0155C280
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3204] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0155C0B0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\usb_rndisx \Device\{1597EBC1-9C85-4816-A5B4-59D1885F96BF} RNDISMPX.SYS (Remote NDIS Miniport/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) AAA63000-AAA81000 (122880 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) [SYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDfpljejdeav.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDuncoewwlsq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDrotinbaibq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDqllxcyxgsh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDfpljejdeav.dll
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDuncoewwlsq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDrotinbaibq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDqllxcyxgsh.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\18F6CF348E791D54983FE578EF60A65E\Usage@Program_Pro 1012340047

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll 1604 bytes
File C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll 10758 bytes
File C:\Documents and Settings\Grant Stretch\Local Settings\Temp\_VOIDe38a.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys 42496 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\_VOIDfpljejdeav.dll 26624 bytes executable
File C:\WINDOWS\system32\_VOIDqllxcyxgsh.dll 45056 bytes executable
File C:\WINDOWS\system32\_VOIDrotinbaibq.dll 45056 bytes executable
File C:\WINDOWS\system32\_VOIDuncoewwlsq.dat 248 bytes

---- EOF - GMER 1.0.15 ----


Thanks for your help
Gadget

Edited by Gadget_333, 26 February 2010 - 04:14 AM.
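Reading a GMER log like the one above by hand is error-prone on a long scan, so here is an added example, written for this thread and not part of GMER or of the original post, that parses GMER-style text output and correlates the hidden driver and service with the registry values and files that reference them. The sample log is constructed to mirror the layout posted above (the object names are the ones from the posted log, abridged); the regexes cover only the sections shown here and would need extending for GMER's other sections.

```python
import re
from collections import Counter

# Constructed sample, modelled on the GMER 1.0.15 log layout posted in this thread
# (object names are the ones from the posted log; the lines are abridged).
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 82D4B04B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 82D4AF3B
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB76 5 Bytes JMP 82D4B084

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3708] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01F5000A

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) AAA63000-AAA81000 (122880 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys (*** hidden *** ) [SYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDxxyjlkodwt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDuncoewwlsq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\_VOIDd.sys (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\18F6CF348E791D54983FE578EF60A65E\Usage@Program_Pro 1012340047

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll 10758 bytes
File C:\WINDOWS\system32\drivers\_VOIDxxyjlkodwt.sys 42496 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\_VOIDuncoewwlsq.dat 248 bytes

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# Inline patch line: optional process prefix, module!function, address, patch size, patch.
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<where>.*?)(?P<module>[^\s!\\]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$"
)
MODULE_RE = re.compile(r"^Module (?P<path>.+?) \(\*\*\* hidden \*\*\* \)(?P<rest>.*)$")
SERVICE_RE = re.compile(
    r"^Service (?P<path>.+?) \(\*\*\* hidden \*\*\* \) \[(?P<user>\w+)\] (?P<name>\S+)(?P<rest>.*)$"
)
REG_RE = re.compile(
    r"^Reg (?P<key>[^@\s]+)(?: \((?P<note>[^)]*)\))?(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$"
)
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<rest>.*)$")
ROOTKIT_MARK = "<-- ROOTKIT"


def parse_gmer(text):
    """Turn GMER text output into finding dicts: kind, target, detail, flagged."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m["name"]
            continue
        marked = ROOTKIT_MARK in line
        if section in ("Kernel code sections", "User code sections") and (m := HOOK_RE.match(line)):
            # Legitimate security software also installs inline hooks, so hooks are
            # flagged for review rather than taken as proof of infection on their own.
            kind = "kernel_hook" if section.startswith("Kernel") else "user_hook"
            target = f"{m['where']}{m['module']}!{m['func']}".strip()
            findings.append(dict(kind=kind, target=target, detail=m["patch"], flagged=True))
        elif section == "Modules" and (m := MODULE_RE.match(line)):
            findings.append(dict(kind="hidden_module", target=m["path"], detail=m["rest"].strip(), flagged=True))
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            findings.append(dict(kind="hidden_service", target=m["path"], detail=m["name"], flagged=True))
        elif section == "Registry" and (m := REG_RE.match(line)):
            findings.append(dict(kind="registry", target=m["key"], detail=m["data"] or "", flagged=False))
        elif section == "Files" and (m := FILE_RE.match(line)):
            findings.append(dict(kind="file", target=m["path"], detail=f"{m['size']} bytes", flagged=marked))
    return findings


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def correlate(findings):
    """Second pass: link registry keys and files to the hidden driver/service so that
    components GMER did not mark itself (the .dat named in the service's values) surface too."""
    names = set()
    for f in findings:
        if f["kind"] in ("hidden_module", "hidden_service"):
            names.add(basename(f["target"]))
        if f["kind"] == "hidden_service":
            names.add(f["detail"].lower())  # the service key name, e.g. _VOIDd.sys
    linked = set()
    for f in findings:
        if f["kind"] == "registry":
            text = (f["target"] + " " + f["detail"]).lower()
            if any(n in text for n in names):
                f["flagged"] = True
                if f["detail"]:
                    linked.add(basename(f["detail"]))  # file paths stored in the flagged key's values
    for f in findings:
        if f["kind"] == "file" and basename(f["target"]) in names | linked:
            f["flagged"] = True
    return findings


def summarize(findings):
    """Count flagged findings per kind, the shape a triage note would carry."""
    return dict(Counter(f["kind"] for f in findings if f["flagged"]))


def triage(text):
    return summarize(correlate(parse_gmer(text)))


if __name__ == "__main__":
    for f in correlate(parse_gmer(SAMPLE_GMER_LOG)):
        if f["flagged"]:
            print(f"{f['kind']:14} {f['target']}  {f['detail']}")
    print(triage(SAMPLE_GMER_LOG))
```

On the sample the correlation pass flags all four registry entries under the hidden service and the `.dat` file named in its `modules` value, while leaving the unrelated Installer key and the `_VOIDmainqt.dll` file, which nothing in the log ties to the service, unflagged; that is the point of correlating rather than pattern-matching on the `_VOID` prefix.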




#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:37 AM

Posted 27 February 2010 - 06:49 PM

Hello, Gadget_333.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for.
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Gadget_333

Gadget_333
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 01 March 2010 - 02:40 AM

Hi

Unfortunately the browser on my infected machine will not let me go to this website or to anything to do with GMER. I have downloaded GMER through another machine but it will not run on the infected machine.

Whilst I appreciate the advice I have been given, it will be easier and quicker to re-build the machine.

Regards
Gadget

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:37 AM

Posted 01 March 2010 - 03:38 AM

Hi!

Glad to be of help.

If you would still like assistance with this, let me know and we can find a way to run the tools we need to fix. If not, I can just close this topic.



#5 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:37 AM

Posted 03 March 2010 - 09:01 AM

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.





