Gmer Log
Code:GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-06-18 08:03:52 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.15 ---- Code 849F45B8 ZwEnumerateKey Code 849F4580 ZwFlushInstructionCache Code 84A52786 IofCallDriver Code 84A5408E IofCompleteRequest ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 84A5278B .text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 84A54093 ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\winlogon.exe[200] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0064000A .text C:\WINDOWS\system32\winlogon.exe[200] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0065000A .text C:\WINDOWS\system32\services.exe[248] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 006F000A .text C:\WINDOWS\system32\services.exe[248] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0071000A .text C:\WINDOWS\system32\lsass.exe[260] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 006F000A .text C:\WINDOWS\system32\lsass.exe[260] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0072000A .text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[580] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0061000A .text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[580] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0062000A .text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[684] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A1000A .text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[684] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A2000A .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A0000A .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A1000A .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WININET.dll!HttpAddRequestHeadersA 7805FB4D 5 Bytes JMP 00DE000A .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WININET.dll!HttpAddRequestHeadersW 780CD14D 5 Bytes JMP 00EC000A .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00F8F9F0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00F908A0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!send 71AB428A 5 Bytes JMP 00F90780 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00F8FDA0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00F8FFD0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll .text C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00F90A60 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll .text C:\Documents and Settings\Owner\Desktop\gmer\adkasd.exe[1272] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 009E000A .text C:\Documents and Settings\Owner\Desktop\gmer\adkasd.exe[1272] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 009F000A .text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C0000A .text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C1000A .text C:\WINDOWS\system32\ctfmon.exe[1416] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0098000A .text C:\WINDOWS\system32\ctfmon.exe[1416] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0099000A ---- Processes - GMER 1.0.15 ---- Library \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [500] 0x00A00000 Library \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [500] 0x00AB0000 Library \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [664] 0x00A00000 Library \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [664] 0x00AB0000 Library \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1148] 0x00F80000 Library \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1340] 0x00D00000 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\drivers\SKYNETrnfvcxxl.sys (*** hidden *** ) [SYSTEM] SKYNEToixjinix <-- ROOTKIT !!! Service C:\WINDOWS\system32\drivers\UACvxdpmylyxmynsms.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@imagepath \systemroot\system32\drivers\SKYNETrnfvcxxl.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\main Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\main\injector Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETrnfvcxxl.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\modules@SKYNETcmd.dll \systemroot\system32\SKYNETnusjdriy.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvxdpmylyxmynsms.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvxdpmylyxmynsms.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACobqoikqxwnkoobr.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACkrgikjlhlpqtkba.dat Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqcqmltensqimoyp.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACjduiwsippaqwkjx.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACdthjvrndakqgxvv.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACvdsiqlhghkfkyxq.db Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACslkllaltgfbekwf.log Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACgvpbifpfcidjtkq.log Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UAClxutahdmdrltrdy.log Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@start 1 Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@type 1 Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@group file system Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@imagepath \systemroot\system32\drivers\SKYNETrnfvcxxl.sys Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\main Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\main\injector Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\modules Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETrnfvcxxl.sys Reg HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\modules@SKYNETcmd.dll \systemroot\system32\SKYNETnusjdriy.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1 Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1 Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvxdpmylyxmynsms.sys Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvxdpmylyxmynsms.sys Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACobqoikqxwnkoobr.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACkrgikjlhlpqtkba.dat Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqcqmltensqimoyp.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACjduiwsippaqwkjx.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACdthjvrndakqgxvv.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACvdsiqlhghkfkyxq.db Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACslkllaltgfbekwf.log Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACgvpbifpfcidjtkq.log Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UAClxutahdmdrltrdy.log Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\UACvxdpmylyxmynsms.sys 53760 bytes executable <-- ROOTKIT !!! File C:\WINDOWS\system32\UACdthjvrndakqgxvv.dll 19456 bytes executable File C:\WINDOWS\system32\UACehjfenoeouudtkh.dll 66560 bytes File C:\WINDOWS\system32\UACeoerrhuqspfsitu.dll 30208 bytes executable File C:\WINDOWS\system32\uacinit.dll 6270 bytes File C:\WINDOWS\system32\UACjduiwsippaqwkjx.dll 17408 bytes executable File C:\WINDOWS\system32\UACkrgikjlhlpqtkba.dat 224 bytes File C:\WINDOWS\system32\UACobqoikqxwnkoobr.dll 25600 bytes executable File C:\WINDOWS\system32\UACqcqmltensqimoyp.dll 19968 bytes executable File C:\WINDOWS\system32\UACslkllaltgfbekwf.log 69362 bytes File C:\WINDOWS\system32\uactmp.db 3976714 bytes File C:\WINDOWS\system32\UACvdsiqlhghkfkyxq.db 1110399 bytes ---- EOF - GMER 1.0.15 ----
