Malware problem in globalroot\systemroot

Hi all,

I have a malware problem that has embedded itself in the globalroot dir and I can't seem to get it off. I have read several posts and tried Malwarebytes, Windows Live OneCare, McAfee. Malwarebytes with the name changes and still can't get it to run. It all started when I got the go.google virus from an advertisement on a website that I had gone to for over 4 years and never got a single thing from them until now. I managed to clean some of the crap left behind by it but I know there is background crap that is still running. I have Ad-Aware AE and it keeps flagging the globalrootkit constantly. No means of deleting it seems to work; can someone help? My Ad-Aware AE calls it

( \\?\globalroot\systemroot\system32\uachnoverfffpbbojg.dll ). I have used RootRepeal and saved the log; if someone needs me to post it, let me know please.

 

[edit: Renamed subject to reflect user issue.]

Message Edited by shannons on 06-07-2009 04:53 AM

Hi

 

We need a new thread for this guy's message.

 

Now I have your RootRepeal log. It shows you are infected by both the UAC and Kungsf Rootkit Trojan, but doesn't show all the files linked to it.

 

Please download GMER http://www.gmer.net/ and do a scan, then save the log, then Personal Message me the log, quite possibly in parts. I will then script the files.

While I am scripting, download Malwarebytes, install it, update the definitions, then run a Full Scan and get that log, before or after asking Malwarebytes to remove, if Malwarebytes runs.

 

Quads 

Message Edited by Quads on 06-07-2009 05:56 PM

Hi

 

If you find the GMER log is too large (don't know why people are getting to 10-part PMs for it):

 

You could upload it to somewhere like http://pastebay.com/

 

Use your Norton name as the name on that site.

 

Quads 

Message Edited by Quads on 06-08-2009 08:10 AM

I sent you the log and, as I stated, I can't run Malwarebytes without it freezing during install. Let me know if there is anything else you need.

No

 

I have both logs. Transferred the GMER log back to Notepad for easier reading for myself. I will probably have to split the removal by creating one script to remove one, then update it to remove the other. UAC is easier, or should be.

 

Could you please remove / uninstall Spybot S&D and Ad-Aware (it has one file still in its quarantine).

 

Quads 

Hi

 

Please tell me when you have uninstalled Spybot and Ad-Aware.

 

Thanks

 

Quads 

 

 

Message Edited by Quads on 06-08-2009 02:46 PM

OK, I uninstalled Ad-Aware and Spybot S&D.

Hi

 

Read Carefully

 

You have 2 infections and we will take care of one at a time. UAC first, then the Kungsf, hopefully.

 

Take any CDs and DVDs out of your optical drives.

 

Now go to this thread and download Avenger: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

 

When you get to number 3 on the post, use the script below instead.

 

3. In "Input script here:", copy and paste the script between the lines:


Drivers to disable:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
gxvxcserv

Drivers to delete:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
gxvxcserv

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\WINDOWS\system32\gbnlwyeh.dll
C:\WINDOWS\system32\cpuesjq.dll
c:\WINDOWS\system32\mbjsgsl.dll
C:\WINDOWS\system32\wJQs.exe
C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(1)
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(2)
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(3)
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(4)
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\uachnoverfffpbbojg.dll
C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\uachnoverfffpbbojg.dll(1)
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACfwqvovmrcwvqxae.log
C:\WINDOWS\system32\UAChnoverfffpbbojg.dll
C:\WINDOWS\system32\UACikjwipoxduxtobi.dll
C:\WINDOWS\system32\uacvymnbtboeayohhs.dll
C:\WINDOWS\system32\uacqciqunodfnlghrv.dll
C:\WINDOWS\system32\UACjhwhfownswugepx.dll
C:\WINDOWS\system32\UACmeuaqmivkbmnyrj.dll
C:\WINDOWS\system32\UACqrmyxiqpfquufol.dat
C:\WINDOWS\system32\UACwordlvukxekdgqo.dll
C:\WINDOWS\system32\UAC5b24.tmperfffpbbojg.dll
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\gxvxccounter
C:\WINDOWS\System32\drivers\gaopdxserv.sys
C:\WINDOWS\system32\gaopdxl.dll
C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys
C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll
C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys
C:\Windows\system32\drivers\gxvxcxiearhjspghonrxymbbiyubogpqitydm.sys
C:\WINDOWS\system32\gxvxcbinpbppwhtjxomtyumcthxvnfelpofrx.dll
C:\Windows\system32\drivers\gxvxcxrtfmrhquqmdvrtxediopecmpvcsyenm.sys
C:\WINDOWS\system32\gxvxclglkjccpdximixpvxhosscccyavumnsg.dll
C:\WINDOWS\system32\gxvxcsemsdfpsspjugtwlscubooyseravfcwb.dll
C:\WINDOWS\system32\gxvxctsossroyfpamddlctxslrvqwpvkiweqq.dll
C:\WINDOWS\System32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys
C:\WINDOWS\Temp\UAC5f99.tmp
C:\WINDOWS\Temp\UACcf2c.tmp
C:\WINDOWS\Temp\UACf1b3.tmp
C:\WINDOWS\Temp\UACfa8e.tmp

Folders to delete:
C:\resycled
D:\resycled
E:\resycled
F:\resycled
G:\resycled
H:\resycled

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys


Then carry on with the other post from the screenshot and below.

 

Don't run Malwarebytes though.

 

I am crossing my fingers that will break the UAC infection.

 

Quads 

OK, I ran the script and here is what popped up after my computer restarted several times on its own:

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Jun 08 00:59:17 2009

00:59:17: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP



Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger



Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver “UACd.sys” disabled successfully.

Error:  could not open driver “gxvxcserv.sys”
Disablement of driver “gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open driver “gaopdxserv.sys”
Disablement of driver “gaopdxserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open driver “gxvxcserv”
Disablement of driver “gxvxcserv” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

Driver “UACd.sys” deleted successfully.

Error:  registry key “\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv.sys” not found!
Deletion of driver “gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  registry key “\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys” not found!
Deletion of driver “gaopdxserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  registry key “\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv” not found!
Deletion of driver “gxvxcserv” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\Autorun.inf” not found!
Deletion of file “C:\Autorun.inf” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “D:\Autorun.inf” not found!
Deletion of file “D:\Autorun.inf” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gbnlwyeh.dll” not found!
Deletion of file “C:\WINDOWS\system32\gbnlwyeh.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\cpuesjq.dll” not found!
Deletion of file “C:\WINDOWS\system32\cpuesjq.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “c:\WINDOWS\system32\mbjsgsl.dll” not found!
Deletion of file “c:\WINDOWS\system32\mbjsgsl.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\wJQs.exe” not found!
Deletion of file “C:\WINDOWS\system32\wJQs.exe” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys” not found!
Deletion of file “C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(1)”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(1)” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(2)”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(2)” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(3)”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(3)” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(4)”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys(4)” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\uachnoverfffpbbojg.dll”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\uachnoverfffpbbojg.dll” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\uachnoverfffpbbojg.dll(1)”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\uachnoverfffpbbojg.dll(1)” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist

File “C:\WINDOWS\system32\uacinit.dll” deleted successfully.
File “C:\WINDOWS\system32\UACfwqvovmrcwvqxae.log” deleted successfully.

Error:  file “C:\WINDOWS\system32\UAChnoverfffpbbojg.dll” not found!
Deletion of file “C:\WINDOWS\system32\UAChnoverfffpbbojg.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

File “C:\WINDOWS\system32\UACikjwipoxduxtobi.dll” deleted successfully.

Error:  file “C:\WINDOWS\system32\uacvymnbtboeayohhs.dll” not found!
Deletion of file “C:\WINDOWS\system32\uacvymnbtboeayohhs.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\uacqciqunodfnlghrv.dll” not found!
Deletion of file “C:\WINDOWS\system32\uacqciqunodfnlghrv.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\UACjhwhfownswugepx.dll” not found!
Deletion of file “C:\WINDOWS\system32\UACjhwhfownswugepx.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\UACmeuaqmivkbmnyrj.dll” not found!
Deletion of file “C:\WINDOWS\system32\UACmeuaqmivkbmnyrj.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

File “C:\WINDOWS\system32\UACqrmyxiqpfquufol.dat” deleted successfully.
File “C:\WINDOWS\system32\UACwordlvukxekdgqo.dll” deleted successfully.

Error:  file “C:\WINDOWS\system32\UAC5b24.tmperfffpbbojg.dll” not found!
Deletion of file “C:\WINDOWS\system32\UAC5b24.tmperfffpbbojg.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\drivers\gxvxcserv.sys” not found!
Deletion of file “C:\WINDOWS\system32\drivers\gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gxvxccounter” not found!
Deletion of file “C:\WINDOWS\system32\gxvxccounter” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\System32\drivers\gaopdxserv.sys” not found!
Deletion of file “C:\WINDOWS\System32\drivers\gaopdxserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gaopdxl.dll” not found!
Deletion of file “C:\WINDOWS\system32\gaopdxl.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys” not found!
Deletion of file “C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll” not found!
Deletion of file “C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys” not found!
Deletion of file “C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\Windows\system32\drivers\gxvxcxiearhjspghonrxymbbiyubogpqitydm.sys” not found!
Deletion of file “C:\Windows\system32\drivers\gxvxcxiearhjspghonrxymbbiyubogpqitydm.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gxvxcbinpbppwhtjxomtyumcthxvnfelpofrx.dll” not found!
Deletion of file “C:\WINDOWS\system32\gxvxcbinpbppwhtjxomtyumcthxvnfelpofrx.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\Windows\system32\drivers\gxvxcxrtfmrhquqmdvrtxediopecmpvcsyenm.sys” not found!
Deletion of file “C:\Windows\system32\drivers\gxvxcxrtfmrhquqmdvrtxediopecmpvcsyenm.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gxvxclglkjccpdximixpvxhosscccyavumnsg.dll” not found!
Deletion of file “C:\WINDOWS\system32\gxvxclglkjccpdximixpvxhosscccyavumnsg.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gxvxcsemsdfpsspjugtwlscubooyseravfcwb.dll” not found!
Deletion of file “C:\WINDOWS\system32\gxvxcsemsdfpsspjugtwlscubooyseravfcwb.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\system32\gxvxctsossroyfpamddlctxslrvqwpvkiweqq.dll” not found!
Deletion of file “C:\WINDOWS\system32\gxvxctsossroyfpamddlctxslrvqwpvkiweqq.dll” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  file “C:\WINDOWS\System32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys” not found!
Deletion of file “C:\WINDOWS\System32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

File “C:\WINDOWS\Temp\UAC5f99.tmp” deleted successfully.
File “C:\WINDOWS\Temp\UACcf2c.tmp” deleted successfully.
File “C:\WINDOWS\Temp\UACf1b3.tmp” deleted successfully.

Error:  file “C:\WINDOWS\Temp\UACfa8e.tmp” not found!
Deletion of file “C:\WINDOWS\Temp\UACfa8e.tmp” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  folder “C:\resycled” not found!
Deletion of folder “C:\resycled” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  folder “D:\resycled” not found!
Deletion of folder “D:\resycled” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open folder “E:\resycled”
Deletion of folder “E:\resycled” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open folder “F:\resycled”
Deletion of folder “F:\resycled” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open folder “G:\resycled”
Deletion of folder “G:\resycled” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  could not open folder “H:\resycled”
Deletion of folder “H:\resycled” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist


Error:  registry key “HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys” not found!
Deletion of registry key “HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys” not found!
Deletion of registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  registry key “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys” not found!
Deletion of registry key “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys” not found!
Deletion of registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

Registry key “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys” deleted successfully.
Registry key “HKEY_LOCAL_MACHINE\SOFTWARE\UAC” deleted successfully.

Error:  registry key “HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx” not found!
Deletion of registry key “HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  registry key “HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc” not found!
Deletion of registry key “HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Completed script processing.



Finished!  Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP



Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger



Beginning to process script file:

Rootkit scan active.

Hidden driver “lrldzri” found!
Could not open driver lrldzri for rootkit scan.  Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

Rootkit scan completed.


Error:  could not open driver “UACd.sys”
Disablement of driver “UACd.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open driver “gxvxcserv.sys”
Disablement of driver “gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open driver “gaopdxserv.sys”
Disablement of driver “gaopdxserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Error:  could not open driver “gxvxcserv”
Disablement of driver “gxvxcserv” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist


Completed script processing.



Finished!  Terminate.

1. As to this:


 

Platform: Windows XP (build 2600, Service Pack 2)
Mon Jun 08 00:59:17 2009

00:59:17: Error: Invalid script.  A valid script must begin with a command directive.

Aborting execution! 

 


Did you miss the first line of the script??

 

 

Services and files taken

 

Driver "UACd.sys" disabled successfully.

Driver "UACd.sys" deleted successfully.  (File "UACakcfxublxbeheme.sys" deleted as part of the image path)

 

File "C:\WINDOWS\system32\uacinit.dll" deleted successfully.

File "C:\WINDOWS\system32\UACfwqvovmrcwvqxae.log" deleted successfully.

File "C:\WINDOWS\system32\UACikjwipoxduxtobi.dll" deleted successfully.

File "C:\WINDOWS\Temp\UAC5f99.tmp" deleted successfully.
File "C:\WINDOWS\Temp\UACcf2c.tmp" deleted successfully.

File "C:\WINDOWS\Temp\UACf1b3.tmp" deleted successfully.

 

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" deleted successfully.

 

 

Now this is strange; I have seen it before recently though.

 

Hidden driver "lrldzri" found!

Could not open driver lrldzri for rootkit scan.  Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

 

Now, did you empty the Recycle Bin? If not, do so; also turn off System Restore.

 

Then run RootRepeal again; "UACd.sys" should be gone.

 

Quads 
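As an added example (not from this thread and not part of Avenger itself), a small Python parser that reads an Avenger 2.0 log in the format quoted above and groups each scripted action into what was actually removed, what was simply absent, what had a bad parent path, plus any pre-processor error and any hidden driver the rootkit scan flagged. The sample log below is constructed to mirror the lines posted above; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Avenger 2.0 logs quoted in the thread
# (pre-processor error first, then the run log). Curly quotes are kept because
# that is how the forum rendered the pasted log.
SAMPLE_LOG = r"""
00:59:17: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!

Logfile of The Avenger Version 2.0, (c) by Swandog46

Beginning to process script file:

Rootkit scan active.

Hidden driver “lrldzri” found!
Could not open driver lrldzri for rootkit scan.  Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

Rootkit scan completed.

Driver “UACd.sys” disabled successfully.

Error:  could not open driver “gxvxcserv.sys”
Disablement of driver “gxvxcserv.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  –> the object does not exist

Driver “UACd.sys” deleted successfully.
File “C:\WINDOWS\system32\uacinit.dll” deleted successfully.

Error:  could not open file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys”
Deletion of file “C:\RECYCLER\S-1-5-21-583907252-492894223-1343024091-1003\Dc1\UACakcfxublxbeheme.sys” failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  –> bad path / the parent directory does not exist

Registry key “HKEY_LOCAL_MACHINE\SOFTWARE\UAC” deleted successfully.

Completed script processing.
"""

SUCCESS_RE = re.compile(r'^(Driver|File|Folder|Registry key) "(.+)" (disabled|deleted) successfully\.$')
FAIL_RE = re.compile(r'^(Disablement|Deletion) of (driver|file|folder|registry key) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: 0x[0-9a-fA-F]+ \((\w+)\)$')
HIDDEN_RE = re.compile(r'^Hidden driver "(.+)" found!$')
PREPROC_RE = re.compile(r'^\d{2}:\d{2}:\d{2}: Error: (.+)$')

# Map the log's wording onto one verb per action type.
VERB = {"disabled": "disable", "deleted": "delete", "Disablement": "disable", "Deletion": "delete"}


def parse_avenger_log(text):
    """Walk the log line by line and record the outcome of each scripted action.

    Returns a dict with:
      succeeded      -> list of (verb, kind, target)
      failed         -> list of dicts {verb, kind, target, status}
      hidden_drivers -> driver names the rootkit scan flagged as hidden
      errors         -> pre-processor errors (e.g. a script pasted without its first directive)
    """
    out = {"succeeded": [], "failed": [], "hidden_drivers": [], "errors": []}
    pending = None  # the last failed action, waiting for its "Status:" line
    for raw in text.splitlines():
        # Normalise the curly quotes the forum substituted for plain ones.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if m := SUCCESS_RE.match(line):
            kind, target, verb = m.groups()
            out["succeeded"].append((VERB[verb], kind.lower(), target))
        elif m := FAIL_RE.match(line):
            verb, kind, target = m.groups()
            pending = {"verb": VERB[verb], "kind": kind, "target": target, "status": None}
            out["failed"].append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending["status"] = m.group(1)
            pending = None
        elif m := HIDDEN_RE.match(line):
            out["hidden_drivers"].append(m.group(1))
        elif m := PREPROC_RE.match(line):
            out["errors"].append(m.group(1))
    return out


def summarize(parsed):
    """Group outcomes the way the thread reads them: deletions that succeeded confirm
    the artefact was present; NAME_NOT_FOUND means it was never there (or already gone);
    PATH_NOT_FOUND means the parent folder is missing; anything else needs a look."""
    by_status = defaultdict(list)
    for f in parsed["failed"]:
        by_status[f["status"] or "UNKNOWN"].append(f["target"])
    known = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}
    return {
        "removed": sorted({t for v, _, t in parsed["succeeded"] if v == "delete"}),
        "disabled": sorted({t for v, _, t in parsed["succeeded"] if v == "disable"}),
        "absent": sorted(set(by_status["STATUS_OBJECT_NAME_NOT_FOUND"])),
        "bad_path": sorted(set(by_status["STATUS_OBJECT_PATH_NOT_FOUND"])),
        "other_failures": sorted({t for s, ts in by_status.items() if s not in known for t in ts}),
        "hidden_drivers": list(parsed["hidden_drivers"]),
        "script_errors": list(parsed["errors"]),
    }


if __name__ == "__main__":
    for key, items in summarize(parse_avenger_log(SAMPLE_LOG)).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

Run against a full log, the "removed" list is the evidence that those files and keys really existed, while a long "absent" list just means the script named variants this machine never had.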

 

Hi Quads,

 

I have a similar problem with globalroot/systemroot/system32. Symantec is detecting a UACS**.dll file in this path but could not remove it. It asks for rebooting the system, but if I reboot it, the login screen will not show up.

 

I have searched the net completely related to this and found your thread useful. I have taken the log using RootRepeal but don't know what to do with it. I have sent the log to you. Can you please help me with this, as I could not log in to my system unless I restart it 10 - 15 times.

 

Gally

OK, I ran RootRepeal. From what I can see (noob perspective), it seems that got rid of both of them. Here is the report.

 

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:            2009/06/08 09:28
Program Version:        Version 1.2.3.0
Windows Version:        Windows XP SP2
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Bevo\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF4998000    Size: 81664    File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6219000    Size: 98304    File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B04000    Size: 8192    File Visible: No
Status: -

Name: gvkmlnpc.sys
Image Path: gvkmlnpc.sys
Address: 0xF75E0000    Size: 61440    File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF4E58000    Size: 45056    File Visible: No
Status: -

Name: tpzkbc.sys
Image Path: tpzkbc.sys
Address: 0xF75F0000    Size: 61440    File Visible: No
Status: -

Hi

 

Now in your original RootRepeal log you had:

 

Drivers

-------------------

Name: UACakcfxublxbeheme.sys
Image Path: C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys
Address: 0xF64B2000    Size: 81920    File Visible: No
Status: Hidden from Windows API!        Now Gone (UAC)

 

BUT this is what I need, the "Hidden Services" section. Original log had:


 

Hidden Services
-------------------
Service Name: kungsfmonowbap        Should still be there (kungsf) Haven't scripted for this one yet
Image Path: C:\WINDOWS\system32\drivers\kungsfuupchtiv.sys

Service Name: UACd.sys        Now should be gone (UAC)
Image Path: C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys

 



The kungsf should also still show up in GMER.
 
I split your GMER log into the 2 infections:

UAC: http://pastebay.com/20799 (should be gone)

Kungsf: http://pastebay.com/20797 (I haven't touched yet)
 
Quads 
Message Edited by Quads on 06-09-2009 09:02 AM

hi

 

I ran the RootRepeal but it didn't come up with anything in the hidden services; the only thing that came up in the report was what I put in the previous post. I am running GMER at the moment; I'll post the results when it's finished.

OK, GMER finished; here is the report.

 

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-08 17:44:59
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.15 ----

?               gvkmlnpc.sys                                                                                            The system cannot find the file specified. !
?               tpzkbc.sys                                                                                              The system cannot find the file specified. !
?               C:\WINDOWS\system32\drivers\rootrepeal.sys                                                              The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread          System [4:1192]                                                                                         F48F2B70
Thread          System [4:2108]                                                                                         F48E42E0

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Classes\CLSID\{651DB326-CDFB-5184-F035-6181DB1D4C50}\InProcServer32                      
Reg             HKLM\SOFTWARE\Classes\CLSID\{651DB326-CDFB-5184-F035-6181DB1D4C50}\InProcServer32@jaciegpgeiojlcopkljp  0x6A 0x61 0x6D 0x63 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{651DB326-CDFB-5184-F035-6181DB1D4C50}\InProcServer32@iacicfekikcgfhjmjn    0x6A 0x61 0x6D 0x63 ...

---- EOF - GMER 1.0.15 ----
 

Well, something has altered.

 

Random .sys files and still those unknown reg entries.

 

On the web, the only thing that returns with 2 of the .sys files and reg entries (separate searches) is this thread between us.

 

Interesting.

 

Please download HijackThis http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis (the .exe version) to your desktop and run a scan, creating a log.

 

As for Kungsf, don't know where it has gone, or changed, when removing UAC; maybe it got frightened that it was The Quads. I still have the script for it, and if it isn't there, Avenger won't find even the reg entries.

 

After creating a HijackThis log, can you then install Malwarebytes and/or SUPERAntiSpyware Free??

 

Thanks 

 

Quads 


gally wrote:

Hi Quads,

 

I have a similar problem with globalroot/systemroot/system32. Symantec is detecting a UACS**.dll file in this path but could not remove it. It asks for rebooting the system, but if I reboot it, the login screen will not show up.

 

I have searched the net completely related to this and found your thread useful. I have taken the log using RootRepeal but don't know what to do with it. I have sent the log to you. Can you please help me with this, as I could not log in to my system unless I restart it 10 - 15 times.

 

Gally


Gally, do you have NIS/NAV or N360??
We may have to have yours as a new thread, as it is easier to see whose thread is finished and who is still infected.
 
Quads 

 

OK, I ran HijackThis.

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:19 PM, on 6/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bevo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\SetIcon.exe
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243981491493
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5633/mcfscan.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3763 bytes

Hi

Nothing in the HijackThis log.

Though your D-Link has a "file missing".

So NO Vundo, or others showing.

Oh, where is your security software? It doesn't show in the HijackThis log??

Quads

Message Edited by Quads on 06-09-2009 03:51 PM

Hi

I was able to install Malwarebytes successfully and was able to run the program. The first log shows what it found; the second log was after those were deleted. As far as security software, I uninstalled the ones I had, since I was bouncing around (McAfee, Windows Live OneCare, etc.) trying everything I could think of to remove the problem, before a friend told me about coming here and asking for help. I originally had McAfee, but when I got the malware it came with so much other crap I felt like a quarterback with no linemen and the entire other team blitzed me. The malware/trojan would lock my McAfee completely from running at startup. It seemed like it took less than 2 minutes to completely OWN my antivirus and antispyware. After that I used the Windows Live OneCare scanner, which got some of the stuff but not all of it; it found some 68+ things, and only a few were taken care of with each successful completion. The scan itself was an annoyance, since the malware would crash my Windows Internet Explorer so the safety scanner couldn't complete, and it caused mass pop-ups: every 3-5 minutes, 4-6 windows would pop up. Only 2 out of 5 scans ever completed (5-hour-long scans). I have never encountered such a persistent (pain in my ***) trojan/malware as this one. I hope that is the end of it. If there is anything else I need to do, please let me know.

Thanks a lot for your help; you saved me hours of headaches and a possible reformat.

Malwarebytes' Anti-Malware 1.37
Database version: 2250
Windows 5.1.2600 Service Pack 2

6/8/2009 10:18:08 PM
mbam-log-2009-06-08 (22-18-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111646
Time elapsed: 29 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\4Z678LGH\test2[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\QRGZ0JW9\166[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdl11A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdl13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdl1F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Second scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2250
Windows 5.1.2600 Service Pack 2

6/8/2009 10:58:46 PM
mbam-log-2009-06-08 (22-58-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111634
Time elapsed: 28 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)