spywaresucks

Posts (6)
  1. Malwarebytes' Anti-Malware 1.40
     Database version: 2747
     Windows 5.1.2600 Service Pack 2

     6/09/09 22:16:44
     mbam-log-2009-09-06 (22-16-44).txt

     Scan type: Full Scan (C:\|F:\|)
     Objects scanned: 235749
     Time elapsed: 2 hour(s), 21 minute(s), 58 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 3
     Files Infected: 7

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     F:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     F:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     F:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

     Files Infected:
     F:\Qoobox\Quarantine\F\WINDOWS\system32\UACtheesqvbdx.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
     F:\Qoobox\Quarantine\F\WINDOWS\system32\UACyxuyrlfwmk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
     F:\System Volume Information\_restore{31B1763A-A2C0-44E2-8F10-8599A571FBFA}\RP733\A0178849.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
     F:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     F:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     F:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     F:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
  2. G'day Katana, combofix log...

     ComboFix 09-08-31.03 - Allen n 06/09/09 19:08.2.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.61.1033.18.1279.913 [GMT 10:00]
     Running from: f:\documents and settings\Allen\Desktop\Combo-Fix.exe
     Command switches used :: f:\documents and settings\Allen\Desktop\CFScript.txt
     AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
     AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
      * Resident AV is active

     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     f:\windows\system32\mdm.exe
     .
     ((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
     .
     2009-09-06 06:47 . 2009-09-06 06:47 -------- d-sh--w- f:\documents and settings\Troy\PrivacIE
     2009-08-20 23:15 . 2008-12-10 22:38 159600 ----a-w- f:\windows\system32\drivers\pctgntdi.sys
     2009-08-20 23:15 . 2009-04-03 00:18 130936 ----a-w- f:\windows\system32\drivers\PCTCore.sys
     2009-08-20 23:15 . 2008-12-18 01:16 73840 ----a-w- f:\windows\system32\drivers\PCTAppEvent.sys
     2009-08-20 23:15 . 2009-08-20 23:17 -------- d-----w- f:\program files\Common Files\PC Tools
     2009-08-20 23:15 . 2008-12-10 01:36 64392 ----a-w- f:\windows\system32\drivers\pctplsg.sys
     2009-08-20 23:14 . 2009-08-20 23:17 -------- d-----w- f:\program files\Spyware Doctor
     2009-08-20 23:14 . 2009-08-20 23:14 -------- d-----w- f:\documents and settings\Tammy\Application Data\PC Tools
     2009-08-20 23:14 . 2009-08-20 23:14 -------- d-----w- f:\documents and settings\All Users\Application Data\PC Tools
     2009-08-20 22:59 . 2009-08-20 22:59 -------- d-----w- f:\program files\Common Files\Uninstall
     2009-08-20 22:59 . 2009-08-20 22:59 -------- d-----w- f:\program files\PersonalAV
     2009-08-13 10:20 . 2009-06-05 07:42 655872 -c----w- f:\windows\system32\dllcache\mstscax.dll
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-09-06 08:53 . 2007-05-03 21:02 -------- d-----w- f:\documents and settings\Allen\Application Data\Skype
     2009-09-06 07:03 . 2007-05-31 09:26 81984 ----a-w- f:\windows\system32\bdod.bin
     2009-09-06 06:20 . 2008-10-08 21:00 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP
     2009-08-31 07:17 . 2006-05-28 03:11 65008 ----a-w- f:\documents and settings\Allen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-08-29 06:07 . 2007-01-12 19:57 -------- d-----w- f:\program files\Java
     2009-08-29 05:38 . 2007-03-08 20:33 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2009-08-29 05:38 . 2007-03-08 20:33 -------- d-----w- f:\program files\Spybot - Search & Destroy
     2009-08-28 06:05 . 2008-05-03 10:22 -------- d-----w- f:\program files\Common Files\BitDefender
     2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- f:\program files\MSBuild
     2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- f:\program files\Reference Assemblies
     2009-08-05 09:11 . 2003-03-31 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll
     2009-08-04 04:46 . 2008-09-29 05:56 -------- d-----w- f:\documents and settings\All Users\Application Data\NOS
     2009-08-03 18:40 . 2008-09-29 05:56 -------- d-----w- f:\program files\NOS
     2009-07-24 19:23 . 2008-11-30 09:48 411368 ----a-w- f:\windows\system32\deploytk.dll
     2009-07-23 11:24 . 2009-07-23 11:24 -------- d-----w- f:\documents and settings\Tammy\Application Data\GRETECH
     2009-07-23 11:15 . 2009-07-23 11:15 -------- d-----w- f:\program files\GNU
     2009-07-23 11:13 . 2009-07-23 11:13 -------- d-----w- f:\documents and settings\Allen\Application Data\GRETECH
     2009-07-23 11:12 . 2009-07-23 11:12 -------- d-----w- f:\program files\GRETECH
     2009-07-23 11:04 . 2009-07-23 11:04 -------- d-----w- f:\program files\LD-Anime
     2009-07-22 07:28 . 2008-01-05 09:06 -------- d-----w- f:\documents and settings\Allen\Application Data\CoreFTP
     2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- f:\windows\system32\atl.dll
     2009-07-13 00:08 . 2006-05-28 02:59 286720 ----a-w- f:\windows\system32\wmpdxm.dll
     2009-07-03 17:09 . 2003-03-31 12:00 915456 ----a-w- f:\windows\system32\wininet.dll
     2009-06-25 08:44 . 2008-07-29 11:03 724480 ----a-w- f:\windows\system32\lsasrv.dll
     2009-06-25 08:44 . 2008-07-29 11:03 133632 ----a-w- f:\windows\system32\msv1_0.dll
     2009-06-25 08:44 . 2008-07-29 11:03 168448 ----a-w- f:\windows\system32\schannel.dll
     2009-06-25 08:44 . 2003-03-31 12:00 59392 ----a-w- f:\windows\system32\wdigest.dll
     2009-06-25 08:44 . 2003-03-31 12:00 56320 ----a-w- f:\windows\system32\secur32.dll
     2009-06-25 08:44 . 2003-03-31 12:00 298496 ----a-w- f:\windows\system32\kerberos.dll
     2009-06-22 11:34 . 2008-07-29 11:03 92544 ----a-w- f:\windows\system32\drivers\ksecdd.sys
     2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- f:\windows\system32\fontsub.dll
     2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- f:\windows\system32\t2embed.dll
     2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- f:\windows\system32\telnet.exe
     2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- f:\windows\system32\avifil32.dll
     2009-06-10 06:32 . 2008-07-29 11:03 132096 ----a-w- f:\windows\system32\wkssvc.dll
     2007-08-16 10:48 . 2007-08-16 10:48 135680 ----a-w- f:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Skype"="f:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NVMixerTray"="f:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
     "RemoteControl"="f:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
     "QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2006-06-07 282624]
     "EPSON Stylus C67 Series"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-25 98304]
     "SMSTray"="f:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
     "MAAgent"="f:\program files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 57344]
     "EPSON Stylus C67 Series (Copy 1)"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-25 98304]
     "BitDefender Antiphishing Helper"="f:\program files\BitDefender\2008\IEShow.exe" [2007-10-09 61440]
     "BDAgent"="f:\program files\BitDefender\2008\bdagent.exe" [2009-08-28 368640]
     "Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
     "SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="f:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

     f:\documents and settings\Allen\Start Menu\Programs\Startup\
     Capture Express 2000.lnk - f:\program files\Capture Express\capexp.exe [2007-3-19 891904]

     f:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - f:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2008-07-23 06:28 352256 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
     @=""

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "f:\\Program Files\\Messenger\\msmsgs.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "f:\\WINDOWS\\system32\\dpvsetup.exe"=
     "f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "f:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "f:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "f:\\Program Files\\Skype\\Phone\\Skype.exe"=

     R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [21/08/09 09:15 130936]
     R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [3/09/08 14:07 8944]
     R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/09/08 14:07 55024]
     S3 BS_DEF;BS_DEF;\??\f:\windows\system32\drivers\BS_DEF.sys --> f:\windows\system32\drivers\BS_DEF.sys [?]
     S3 getPlus® Helper;getPlus® Helper;f:\program files\NOS\bin\getPlus_HelperSvc.exe --> f:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
     S3 oflpydin;oflpydin;\??\f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys --> f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys [?]
     S3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [3/09/08 14:07 7408]
     S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [21/08/09 09:14 348752]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     bdx REG_MULTI_SZ scan

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-09-06 f:\windows\Tasks\Symantec NetDetect.job
     - f:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-05-28 23:04]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com.au/
     uInternet Connection Wizard,ShellNext = iexplore
     Trusted Zone: qld.gov.au\www.qships.transport
     FF - ProfilePath - f:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\0stquyp2.default\
     FF - prefs.js: browser.search.selectedEngine - Google.co.uk
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
     FF - component: f:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\0stquyp2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
     FF - component: f:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
     FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
     FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
     FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
     FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll
     FF - plugin: f:\program files\Mozilla Firefox\plugins\npmozax.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-09-06 19:18
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
     @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker3"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(644)
     f:\program files\SUPERAntiSpyware\SASWINLO.dll
     f:\windows\system32\WININET.dll
     .
     Completion time: 2009-09-06 19:22
     ComboFix-quarantined-files.txt 2009-09-06 09:21
     ComboFix2.txt 2009-09-05 01:07

     Pre-Run: 18,474,184,704 bytes free
     Post-Run: 18,483,998,720 bytes free

     187 --- E O F --- 2009-09-03 11:52
  3. G'day Katana. Nice work - you're making good progress - thanks. The two requested files attached. Cheers. ComboFix.txt Add_Remove_Programs.txt
  4. G'day Katana, Spot on with the need to rename the file. gmer.exe wouldn't run; look.exe was fine. I tried to attach the file but got an error message stating I couldn't upload this type of file. Opted for cut and paste - hope that works for you. Cheers.

     GMER 1.0.15.15077 [look.exe] - http://www.gmer.net
     Rootkit scan 2009-09-03 21:13:32
     Windows 5.1.2600 Service Pack 2

     ---- System - GMER 1.0.15 ----

     Code 89D5A0D8 ZwEnumerateKey
     Code 89DAA560 ZwFlushInstructionCache
     Code 89D952CE IofCallDriver
     Code 89D590D6 IofCompleteRequest

     ---- Kernel code sections - GMER 1.0.15 ----

     .text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89D952D3
     .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 89D590DB
     PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 89D5A0DC
     PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 89DAA564

     ---- Kernel IAT/EAT - GMER 1.0.15 ----

     IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F77A9750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F77A9750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
     IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
     AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
     AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
     AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
     AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

     ---- Processes - GMER 1.0.15 ----

     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [316] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [872] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [940] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1036] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1092] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1220] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [2708] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [3120] 0x10000000

     ---- Services - GMER 1.0.15 ----

     Service F:\WINDOWS\system32\drivers\UACbwwosrqrms.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

     ---- Registry - GMER 1.0.15 ----

     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sys
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpllooqbpxo.dll
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmppdiqxhga.dat
     Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyxuyrlfwmk.dll
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sys
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpllooqbpxo.dll
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmppdiqxhga.dat
     Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyxuyrlfwmk.dll

     ---- EOF - GMER 1.0.15 ----
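Added example, not part of the thread and not GMER's or Malwarebytes' code: a small Python triage script that turns the three GMER line types in the post above (hidden "Library" entries, the hidden "Service" entry and the "Reg" entries) into one picture per hidden service: the driver image, whether it is a system-start kernel driver (start=1, type=1), the DLLs listed under the service's modules subkey, and which processes GMER found those DLLs injected into. The embedded sample log is a constructed subset of the lines quoted in the post; the three line formats are the only GMER behaviour the script assumes, and the function and field names are this example's own.

```python
"""Triage a GMER rootkit-scan log.

Added example, not GMER's code and not code from the forum thread. It parses
the hidden 'Library', hidden 'Service' and 'Reg' line formats seen in GMER
1.0.15 output and joins them into a per-service summary.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER output posted in the thread, kept
# verbatim so the regexes are exercised against real log shapes.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [316] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [872] 0x10000000
---- Services - GMER 1.0.15 ----
Service F:\WINDOWS\system32\drivers\UACbwwosrqrms.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
---- EOF - GMER 1.0.15 ----
"""

HIDDEN = r"\(\*\*\* hidden \*\*\* \)"
# Library <path> (*** hidden *** ) @ <process> [<pid>] <base>
LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+" + HIDDEN +
    r"\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
# Service <image> (*** hidden *** ) [<start>] <name> [<-- ROOTKIT !!!]
SVC_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+" + HIDDEN +
    r"\s+\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)(?P<rootkit>\s+<-- ROOTKIT !!!)?$")
# Reg <key>[@<value> <data>] | Reg <key> (<note>)
REG_RE = re.compile(
    r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.+))?$")


def parse_gmer(text):
    """Collect hidden libraries, hidden services and registry values."""
    report = {"hidden_libraries": defaultdict(set),   # dll -> {(proc, pid, base)}
              "hidden_services": {},                  # name -> {image, start, rootkit}
              "registry": {}}                         # key -> {valuename: data}
    for line in text.splitlines():
        line = line.strip()
        m = LIB_RE.match(line)
        if m:
            report["hidden_libraries"][m["path"]].add(
                (m["proc"], int(m["pid"]), m["base"]))
            continue
        m = SVC_RE.match(line)
        if m:
            report["hidden_services"][m["name"]] = {
                "image": m["image"], "start": m["start"],
                "rootkit": m["rootkit"] is not None}
            continue
        m = REG_RE.match(line)
        if m:
            entry = report["registry"].setdefault(m["key"], {})
            if m["value"] is not None:
                entry[m["value"].lower()] = m["data"]   # e.g. imagepath -> path
            elif m["data"]:
                entry["_note"] = m["data"]             # e.g. (not active ControlSet)
    return report


def service_view(report, name, hive="CurrentControlSet"):
    """Join the hidden-service line with its registry config and injected DLLs."""
    base = "HKLM\\SYSTEM\\" + hive + "\\Services\\" + name
    cfg = report["registry"].get(base, {})
    modules = report["registry"].get(base + "\\modules", {})
    injected = {}
    for mod in modules.values():
        procs = report["hidden_libraries"].get(mod)
        if procs:
            injected[mod] = sorted(pid for _, pid, _ in procs)
    svc = report["hidden_services"].get(name, {})
    return {
        "name": name,
        "image": svc.get("image"),
        "flagged_rootkit": svc.get("rootkit", False),
        # start=1 (SERVICE_SYSTEM_START) with type=1 (SERVICE_KERNEL_DRIVER):
        # loaded at boot, before any user-mode scanner runs.
        "boot_kernel_driver": cfg.get("start") == "1" and cfg.get("type") == "1",
        "modules": dict(modules),
        "injected": injected,
    }


def findings(report):
    """One human-readable line per indicator, for every hidden service."""
    out = []
    for name in report["hidden_services"]:
        v = service_view(report, name)
        tag = " (GMER: ROOTKIT)" if v["flagged_rootkit"] else ""
        out.append(f"hidden service {name} -> {v['image']}{tag}")
        if v["boot_kernel_driver"]:
            out.append(f"{name}: start=1/type=1, kernel driver loaded at system start")
        for mod, pids in v["injected"].items():
            out.append(f"{name}: module {mod} injected into {len(pids)} process(es) {pids}")
    return out


if __name__ == "__main__":
    for line in findings(parse_gmer(SAMPLE_LOG)):
        print(line)
```

Run against the full log in the post, the script reports the one hidden service (UACd.sys, a system-start kernel driver whose image GMER could not see on disk) and the hidden DLL listed in its modules subkey injected into all eight svchost.exe instances. The same DLL names reappear in the later MBAM log, classified as Rootkit.TDSS, so the registry-to-process join is the piece of the log worth automating when triaging many of these reports.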
  5. G'day Katana, Thanks for the advice. I downloaded Combofix but it wouldn't install either. I get the windows prompt that says the publisher isn't verified but then the install just stops. Am I heading towards format c:?
  6. Hi, MBAM and Hijackthis won't install. Spybot won't run. Browser (Firefox) redirects. Rootrepeal report attached. Cheers, RootRepeal_report_08_29_09__16_47_05_.txt