TechSpot

GMER module removal

By samusxaran
Sep 12, 2011
  1. Upon running GMER on my machine, I discovered a hidden module; however, upon right-clicking it there is no option to remove it. GMER said it has detected a rootkit (so I'm assuming this hidden module in red is it).
    How do I remove this module? What is a module?
    Thanks

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-12 09:57:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.PBBZ
    Running: u2hm3fn5.exe; Driver: C:\DOCUME~1\Bobbie\LOCALS~1\Temp\pfddqpob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA419738]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA100B640]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA419878]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA419914]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!IoReuseIrp + 8B 804EF90D 7 Bytes CALL 8989CFC5
    .text iaStor.sys B9E8F997 7 Bytes CALL 89898C70
    .text imapi.sys!DdYzechRkpbxCvmzio B1E2D000 161 Bytes [83, 7D, FC, 00, 0F, 8C, C2, ...]
    .text imapi.sys!TmNbpnm + 88 B1E2D0A2 36 Bytes [F8, 63, 76, 26, F6, 05, 14, ...]
    .text imapi.sys!TmNbpnm + AD B1E2D0C7 154 Bytes [FF, FF, 89, 7D, FC, F6, 05, ...]
    .text imapi.sys!TmNbpnm + 148 B1E2D162 19 Bytes [F4, FF, FF, EB, 22, 56, 51, ...]
    .text imapi.sys!TmNbpnm + 15D B1E2D177 7 Bytes [EB, 10, 56, 51, E8, FC, 3A]
    .text imapi.sys!TmNbpnm + 165 B1E2D17F 30 Bytes [00, EB, 07, 56, 51, E8, 7D, ...]
    .text ...
    .text imapi.sys!DdYzechRkpbxCvmzio + 26 B1E2D1ED 101 Bytes [41, 14, 66, 3B, 41, 08, 72, ...]
    .text imapi.sys!DdYzechRkpbxCvmzio + 8C B1E2D253 3 Bytes [0E, D2, E2] {PUSH CS; SHL DL, CL}
    .text imapi.sys!DdYzechRkpbxCvmzio + 90 B1E2D257 121 Bytes [56, 8D, 5F, 40, 53, FF, 15, ...]
    .text imapi.sys!DdYzechRkpbxCvmzio + 10A B1E2D2D1 75 Bytes [FF, 55, 8B, EC, 8B, 55, 08, ...]
    .text imapi.sys!DdYzechRkpbxCvmzio + 156 B1E2D31D 69 Bytes [72, 04, C6, 46, 07, 0A, 80, ...]
    .text ...
    ? C:\WINDOWS\system32\DRIVERS\imapi.sys suspicious PE modification

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Real\RealPlayer\update\realsched.exe[10172] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \Driver\00001034 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 8989B7C0
    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) B7F29000-B7F34000 (45056 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:200] 8989CFD5
    Thread System [4:204] B7F2E465
    Thread System [4:208] B7F2E465
    Thread System [4:212] 8989CFD5
    Thread System [4:216] 8989CFD5

    ---- EOF - GMER 1.0.15 ----
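    As an added triage example (not part of the thread or of GMER), the script below parses the log posted above and shows what makes the hidden module worth worrying about: two of the System threads start inside the hidden module's address range, and the inline hook in ntkrnlpa.exe!IoReuseIrp points into the same memory page where the other three System threads start. The line patterns are my own assumption about GMER's log layout, and the embedded excerpt is constructed from the log in this post.

```python
import re

# Excerpt of the GMER log posted above, embedded as sample input (constructed from the post).
GMER_LOG = r"""
.text ntkrnlpa.exe!IoReuseIrp + 8B 804EF90D 7 Bytes CALL 8989CFC5
.text iaStor.sys B9E8F997 7 Bytes CALL 89898C70
? C:\WINDOWS\system32\DRIVERS\imapi.sys suspicious PE modification
Module (noname) (*** hidden *** ) B7F29000-B7F34000 (45056 bytes)
Thread System [4:200] 8989CFD5
Thread System [4:204] B7F2E465
Thread System [4:208] B7F2E465
Thread System [4:212] 8989CFD5
Thread System [4:216] 8989CFD5
"""

# Line shapes assumed from the log above (not an official GMER format specification).
HIDDEN_RE = re.compile(r"^Module .*hidden.*?([0-9A-F]{8})-([0-9A-F]{8})")
THREAD_RE = re.compile(r"^Thread (\S+) \[(\d+):(\d+)\] ([0-9A-F]{8})")
CALL_RE = re.compile(r"^\.text (\S+).*?\bCALL ([0-9A-F]{8})")
PAGE = 0x1000  # x86 page size; addresses on one page belong to one allocation


def triage(log: str) -> dict:
    """Correlate hidden-module ranges, kernel thread starts and inline-hook targets."""
    hidden, threads, hooks, patched = [], [], [], []
    for raw in log.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            hidden.append((int(m[1], 16), int(m[2], 16)))
        elif m := THREAD_RE.match(line):
            threads.append((f"{m[1]} [{m[2]}:{m[3]}]", int(m[4], 16)))
        elif m := CALL_RE.match(line):
            hooks.append((m[1], int(m[2], 16)))
        elif "suspicious PE modification" in line:
            patched.append(line.split()[1])
    # Kernel threads whose start address lies inside a module GMER could not name.
    in_hidden = [t for t in threads if any(lo <= t[1] < hi for lo, hi in hidden)]
    # Hook targets on the same page as a System thread start: the hook's trampoline
    # and the thread's code live in the same (unnamed) memory region.
    thread_pages = {addr // PAGE for _, addr in threads}
    near = [h for h in hooks if h[1] // PAGE in thread_pages]
    return {"hidden_modules": hidden, "threads_in_hidden": in_hidden,
            "hooks_near_threads": near, "patched_files": patched}


if __name__ == "__main__":
    for key, value in triage(GMER_LOG).items():
        print(f"{key}: {value}")
```

    The remaining hook (iaStor.sys, target 89898C70) is not flagged because no thread starts on its page; it still deserves a look, since GMER lists it under the same "Kernel code sections" heading as the imapi.sys modifications.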
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! The GMER log is difficult to read when you don't know what to look for!

    Question: Why did you run GMER? Are you having system problems, search redirects, popups, etc?
    ========================================
    I need additional information. Note: You do not need to run GMER again at this time.

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. samusxaran

    samusxaran TS Rookie Topic Starter

    I used GMER because I saw a suspicious process in the Task Manager (both in normal and in safe mode) and saw that every time I tried to run Malwarebytes or HijackThis, it killed the program. (It also killed the antiviruses I tried to run.)

    What is this module that GMER is picking up?
    Avira identifies the virus as W32/PatchloadgenA.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you had searched for what Avira found, you would have found this information about W32/PatchloadgenA.

    If you had searched for information on the process in the Task Manager, you could have identified the 'suspicious' entry.

    File infectors will usually require a reformat/reinstall, rather than cleaning.

    Instead of wasting time, I strongly suggest you go ahead with this. I repeat: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
     
Topic Status:
Not open for further replies.
