Re: Malware problem in globalroot\systemroot

Quad,

I ran RootRepeal and got a log, which I have given below. I have also pasted the log from GMER at http://pastebay.com/21223. I did not have any luck yesterday logging in to my system, as the login screen did not come up at all. I would like to give the exact name of the UAC*.dll, but I could not log in and scan with Symantec Antivirus.

The log from RootRepeal is:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/06/07 19:43
Program Version:  Version 1.2.3.0
Windows Version:  Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA87B000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AFF000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8C90000 Size: 45056 File Visible: No
Status: -

Name: UACdnkfrxllrmowqjk.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys
Address: 0xAAAD1000 Size: 81920 File Visible: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: winlogon.exe (PID: 916) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: winlogon.exe (PID: 916) Address: 0x006d0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: services.exe (PID: 964) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: services.exe (PID: 964) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: lsass.exe (PID: 976) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: lsass.exe (PID: 976) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACyirwbwwostypehq.dll]
Process: svchost.exe (PID: 1144) Address: 0x00c10000 Size: 69632

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1144) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1144) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UAC5040.tmpwaboulhcsxt.dll]
Process: svchost.exe (PID: 1144) Address: 0x00ae0000 Size: 200704

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1144) Address: 0x02740000 Size: 45056

Object: Hidden Module [Name: UACsfsqwaboulhcsxt.dll]
Process: svchost.exe (PID: 1144) Address: 0x028e0000 Size: 200704

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1144) Address: 0x02ab0000 Size: 49152

Object: Hidden Module [Name: UACmpcxxnpkbpondir.dll]
Process: svchost.exe (PID: 1144) Address: 0x02b50000 Size: 53248

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1220) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1220) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1264) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1264) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: EvtEng.exe (PID: 1324) Address: 0x00ca0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: EvtEng.exe (PID: 1324) Address: 0x00d60000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: S24EvMon.exe (PID: 1416) Address: 0x00e10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: S24EvMon.exe (PID: 1416) Address: 0x00ed0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLKeeper.exe (PID: 1472) Address: 0x00f10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLKeeper.exe (PID: 1472) Address: 0x00fd0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_Service.exe (PID: 1536) Address: 0x00b10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_Service.exe (PID: 1536) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_WatchDog.exe (PID: 1652) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_WatchDog.exe (PID: 1652) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1712) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1712) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1808) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1808) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccSetMgr.exe (PID: 140) Address: 0x00720000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccSetMgr.exe (PID: 140) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccEvtMgr.exe (PID: 256) Address: 0x00670000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccEvtMgr.exe (PID: 256) Address: 0x00730000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: spoolsv.exe (PID: 504) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: spoolsv.exe (PID: 504) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 572) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 572) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: CdfSvc.exe (PID: 620) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: CdfSvc.exe (PID: 620) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: DefWatch.exe (PID: 640) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: DefWatch.exe (PID: 640) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: NICCONFIGSVC.exe (PID: 820) Address: 0x00a00000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: NICCONFIGSVC.exe (PID: 820) Address: 0x00ad0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RadeSvc.exe (PID: 1100) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RadeSvc.exe (PID: 1100) Address: 0x00be0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RegSrvc.exe (PID: 1456) Address: 0x00780000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RegSrvc.exe (PID: 1456) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SavRoam.exe (PID: 1548) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SavRoam.exe (PID: 1548) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Rtvscan.exe (PID: 1588) Address: 0x00eb0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Rtvscan.exe (PID: 1588) Address: 0x00f80000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLTRYSVC.EXE (PID: 1508) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLTRYSVC.EXE (PID: 1508) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: bcmwltry.exe (PID: 1900) Address: 0x00e30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: bcmwltry.exe (PID: 1900) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Explorer.EXE (PID: 2800) Address: 0x009c0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Explorer.EXE (PID: 2800) Address: 0x00d10000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: wmiprvse.exe (PID: 2936) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: wmiprvse.exe (PID: 2936) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_GUI.Exe (PID: 3096) Address: 0x00c40000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_GUI.Exe (PID: 3096) Address: 0x00f20000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLTRAY.exe (PID: 3188) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLTRAY.exe (PID: 3188) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: stsystra.exe (PID: 3196) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: stsystra.exe (PID: 3196) Address: 0x00b70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: quickset.exe (PID: 3216) Address: 0x00e30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: quickset.exe (PID: 3216) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: hkcmd.exe (PID: 3268) Address: 0x009d0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: hkcmd.exe (PID: 3268) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: igfxpers.exe (PID: 3348) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: igfxpers.exe (PID: 3348) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ctfmon.exe (PID: 3476) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ctfmon.exe (PID: 3476) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: igfxsrvc.exe (PID: 3516) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: igfxsrvc.exe (PID: 3516) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccApp.exe (PID: 3544) Address: 0x008d0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccApp.exe (PID: 3544) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: VPTray.exe (PID: 3664) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: VPTray.exe (PID: 3664) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: jusched.exe (PID: 3740) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: jusched.exe (PID: 3740) Address: 0x00bf0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ZCfgSvc.exe (PID: 3992) Address: 0x00f80000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ZCfgSvc.exe (PID: 3992) Address: 0x01040000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ifrmewrk.exe (PID: 4016) Address: 0x00e80000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ifrmewrk.exe (PID: 4016) Address: 0x00f40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: DoScan.exe (PID: 152) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: DoScan.exe (PID: 152) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: realsched.exe (PID: 208) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: realsched.exe (PID: 208) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: StartFX.exe (PID: 332) Address: 0x00970000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: StartFX.exe (PID: 332) Address: 0x00a30000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: NMBgMonitor.exe (PID: 1568) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: NMBgMonitor.exe (PID: 1568) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtMng.exe (PID: 2508) Address: 0x00e70000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtMng.exe (PID: 2508) Address: 0x00f40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Dot1XCfg.exe (PID: 3528) Address: 0x00d50000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Dot1XCfg.exe (PID: 3528) Address: 0x00ea0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosA2dp.exe (PID: 2296) Address: 0x00c60000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosA2dp.exe (PID: 2296) Address: 0x00d30000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtHid.exe (PID: 2324) Address: 0x003f0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtHid.exe (PID: 2324) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtHsp.exe (PID: 2280) Address: 0x00cb0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtHsp.exe (PID: 2280) Address: 0x00d90000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 2088) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 2088) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 3044) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 3044) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Iexplore.exe (PID: 2816) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Iexplore.exe (PID: 2816) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 3640) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 3640) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 2212) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 2212) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x00c10000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys