BleepingComputer.com: Infected with WIN32 Trojan Agent and WIN32 trojan TDSS

I have a nasty infection that has taken over my machine and which I cannot remove. The infection seems to hijack the google page and any links that I click from this page take me to what appears to be rogue websites, which want me to download their stuff.

I am currently running ESET Nod 32 and Ad-aware Anniversary Edition. Both these programs are picking up the trojan infections but are unable to clean.

I have tried to install malwarebytes but have been unable to do so. I did try changing the exe name of malwarebytes (as advised on this site) but the program does not fully complete the installation.

I have downloded the DDS tool, ran the scan and have now attached the lod to this post.

Also here is a copy of the Ad-aware scan log (I did not complete the scan due to the computer constantly crashing):

Logfile created: 10/06/2009 18:19:4
Lavasoft Ad-Aware version: 8.0.5
Extended engine version: 8.1
User performing scan: SYSTEM

*********************** Definitions database information ***********************
Lavasoft definition file: 148.49
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 70104
Objects detected: 7


Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 6
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Skipped items:
Description: C:\WINDOWS\SYSTEM32\DRIVERS\UAClxylbbevdpultow.sys Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 823578 Family ID: 936
Description: \\?\globalroot\systemroot\system32\uacnoftqsmqhixryij.dll Family Name: Win32.Trojan.TDSS Clean status: Success Item ID: 888510 Family ID: 5401
Description: C:\WINDOWS\SYSTEM32\UACehqpcxeuyfwosth.dll Family Name: Win32.Trojan.TDSS Clean status: Success Item ID: 858868 Family ID: 5401
Description: C:\WINDOWS\SYSTEM32\UACidvujravcklxdap.dll Family Name: Win32.Trojan.TDSS Clean status: Success Item ID: 861471 Family ID: 5401
Description: C:\WINDOWS\SYSTEM32\UACkkoblphsrgjhtit.dll Family Name: Win32.Trojan.TDSS Clean status: Success Item ID: 888512 Family ID: 5401
Description: C:\WINDOWS\SYSTEM32\UACnoftqsmqhixryij.dll Family Name: Win32.Trojan.TDSS Clean status: Success Item ID: 888510 Family ID: 5401
Description: C:\WINDOWS\SYSTEM32\UACurhkgsrcaqvxewm.dll Family Name: Win32.Trojan.TDSS Clean status: Success Item ID: 888515 Family ID: 5401

Scan and cleaning complete: Stopped by request after 2591 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Jun 03 18:18:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Jun 03 18:18:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: ANNE
Processor name: Intel® Pentium® 4 CPU 2.80GHz
Processor identifier: x86 Family 15 Model 2 Stepping 9
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 521, number of processors 1
Physical memory available: 250232832 bytes
Physical memory total: 534773760 bytes
Virtual memory available: 1936011264 bytes
Virtual memory total: 2147352576 bytes
Memory load: 53%
Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Windows startup mode:

Running processes:
PID: 796 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 920 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 944 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 992 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1004 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1192 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1300 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1312 name: C:\WINDOWS\system32\logonui.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1464 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1512 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1608 name: C:\WINDOWS\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1960 name: C:\WINDOWS\system32\LEXBCES.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2004 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2012 name: C:\WINDOWS\system32\LEXPPS.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 296 name: C:\WINDOWS\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 328 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 344 name: C:\Program Files\AskBarDis\bar\bin\AskService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 416 name: C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe owner: SYSTEM domain: NT AUTHORITY
PID: 440 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 472 name: C:\WINDOWS\system32\CTsvcCDA.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 516 name: C:\Program Files\ESET\ESET Smart Security\ekrn.exe owner: SYSTEM domain: NT AUTHORITY
PID: 680 name: C:\Program Files\Microsoft LifeCam\MSCamS32.exe owner: SYSTEM domain: NT AUTHORITY
PID: 968 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1884 name: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 1740 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2080 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4040 name: C:\WINDOWS\system32\logon.scr owner: SYSTEM domain: NT AUTHORITY
PID: 1392 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1564 name: C:\WINDOWS\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 572 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe owner: SYSTEM domain: NT AUTHORITY

Startup items:
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: UPnPMonitor
imagepath: {e57ce738-33e8-4c51-8354-bb4de9d215d1}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: IgfxTray
imagepath: C:\WINDOWS\system32\igfxtray.exe
Name: HotKeysCmds
imagepath: C:\WINDOWS\system32\hkcmd.exe
Name: IntelMeM
imagepath: C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
Name: dla
imagepath: C:\WINDOWS\system32\dla\tfswctrl.exe
Name: VX3000
imagepath: C:\WINDOWS\vVX3000.exe
Name: YOP
imagepath: C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
Name: TkBellExe
imagepath: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Name: egui
imagepath: "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
Name: Ad-Watch
imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Name: CTFMON.EXE
imagepath: C:\WINDOWS\System32\CTFMON.EXE
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: stera
Name:
imagepath: lsdelete

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: ASKService
displayname: ASKService
Name: ASKUpgrade
displayname: ASKUpgrade
Name: AudioSrv
displayname: Windows Audio
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: Bonjour Service
Name: Browser
displayname: Computer Browser
Name: Creative Service for CDROM Access
displayname: Creative Service for CDROM Access
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: ekrn
displayname: ESET Service
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: helpsvc
displayname: Help and Support
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LexBceS
displayname: LexBce Server
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: MSCamSvc
displayname: MSCamSvc
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: w32time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wuauserv
displayname: Automatic Updates
Name: WudfSvc
displayname: Windows Driver Foundation - User-mode Driver Framework
Name: WZCSVC
displayname: Wireless Zero Configuration

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  
• Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  
• If you did not have it installed, you will see the prompt below. Choose YES.
  
  
  
  
• When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  
  
• When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.

• Close all other open programs as there is a slight chance your computer will crash.
  
• Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  
• You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  
• Leaving the settings at default, click Scan.
  
• When the scan is complete, click Save and save the log onto your desktop.

Please include the log in your next reply.

---

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

Hi PP and thanks for helping me, it's much appreciated.

I have installed the combofix on my machine but when I try to run the .exe file nothing happens. Note that I tried to install malwarebytes previously and the same thing happened.

What do you suggest?

Andy

Hello.

Please delete that copy of ComboFix. Download a new copy.

In the Save As window, name it as ComboFix123.exe and try running it again.

With Regards,
The Panda

Hi Panda

I downloaded the GMER application yesterday and followed your instruction. The program was still scanning my system 2 hours later so I decided to leave it on scan overnight (sleepy eyes!).

In the morning the computer screen was blue with the message ' a problem has been detected on your computer and windows has been shutdown to prevent damage to your computer'.

Thankfully the computer started up again OK. I have since ran another scan with GMER but chose not to scan 'files' as I think this is why the scan took so long yesterday. I have attached the recent scan result.

I have also tried to install combofix and changed the name to combofix.123. This software is still not installing.

Thanks

Andy

Hello Andy.

There is a nasty rootkit infection in there.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.

• Please download erunt-setup.exe to your desktop.
  
• Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  
• Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may, remove ERUNT using Add/Remove Programs.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.

• Right click avenger.zip and extract the contents to your desktop
  
• Start the Avenger.exe.
  
• Copy all the text contained in the qoute box below to your Clipboard by highlighting it, right clicking and selecting Copy:
  

  Drivers to delete:
  UACd.sys
  
  Files to delete:
  C:\WINDOWS\system32\UACehqpcxeuyfwosth.dll
  C:\WINDOWS\system32\UACidvujravcklxdap.dll
  C:\WINDOWS\system32\UACkkoblphsrgjhtit.dll
  C:\WINDOWS\system32\UACkkpcwmbxfbjqkme.log
  C:\WINDOWS\system32\UACklvrbnyryxxuunr.dat
  C:\WINDOWS\system32\UACmqrrvlvucbwemwf.log
  C:\WINDOWS\system32\UACnoftqsmqhixryij.dll
  C:\WINDOWS\system32\UACurhkgsrcaqvxewm.dll
  C:\WINDOWS\system32\UACwnsriopaxmdkxem.log
  C:\WINDOWS\system32\drivers\UAClxylbbevdpultow.sys

  
  
• Click to paste the script from the clipboard.
  
• Check the Disable Rootkits automatically box.
  
• Click the Execute button
  
• Answer Yes twice when prompted.

The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:

• It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.

After, try running ComboFix again and post back the log if it runs.

With Regards,
The Panda

Hi Panda

Thanks for the advice.

The computer in question is actually my parents. I'll be advising them to re-install and re-format. The rootkit in question seems to be well hidden and I think may be difficult to fully remove.

I did not at all suspect that bank details may be at risk - that's probably the worst thing, so it would seem sensible to re-boot.

Again, cheers for your help ;)

Andy

Hello Andy.

That is a good decison.

Glad we could provide some kind of help.

Since this use will be reformatting, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda