
UAC rootkit won't go away



#1 mroctober

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 11 July 2009 - 09:01 PM

Had trouble with multiple viruses including System Security, got rid of most of them using AVG Free Edition, MBAM, and RootRepeal, with the help of boopme, a moderator on this site. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/240486/system-security-virus-problem/ ~ OB

Can't quite kick the UAC rootkit, however. When trying to reboot into safe mode, I get the blue screen of death, which tells me that Windows shut down to prevent damage and that I should check my computer for viruses, with the following technical info:

***STOP: 0x0000007B (0xF789E524, 0xC0000034, 0x00000000, 0x00000000)

Tried rebooting into safe mode again with same result. Rebooting in normal mode works fine. MBAM can't detect anything at this point. My latest RootRepeal log, however, contains this at the end of the file, which I was told was the UAC rootkit:

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys

Here is my DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Seth at 20:28:15.59 on Sat 07/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1285 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
svchost
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Seth\Desktop\utorrent(2).exe
C:\Documents and Settings\Seth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070801
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [jswtrayutil] "c:\program files\netgear\wn111v2\jswtrayutil.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\seth\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\seth\application data\leadertech\powerregister\Seagate 2GEYKH3Z Product Registration.exe
StartupFolder: c:\docume~1\seth\startm~1\programs\startup\seagat~2.lnk - c:\documents and settings\seth\application data\leadertech\powerregister\Seagate Product Registration.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn111v2\WN111V2.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {443BBAA3-7FEE-4517-A3E1-ACFABFDAEBD3} = 208.67.222.222,208.67.220.220
TCP: {F9BA1533-3D9B-4B1E-9F36-4174A6640911} = 192.168.254.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\pogimoso.dll c:\windows\system32\musutada.dll c:\windows\system32\boseseju.dll c:\windows\system32\dofoferu.dll,c:\docume~1\seth\locals~1\temp\734424015954mmx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\pogimoso.dll c:\windows\system32\musutada.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\seth\applic~1\mozilla\firefox\profiles\zv07v7qo.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-8-1 107392]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [2008-9-30 453120]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-17 57408]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wn111v2\jswpsapi.exe [2008-2-27 360547]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
UnknownUnknown rootrepeal;rootrepeal; [x]

=============== Created Last 30 ================

2009-07-11 14:05 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-11 14:05 --d----- c:\program files\SUPERAntiSpyware
2009-07-11 14:05 --d----- c:\docume~1\seth\applic~1\SUPERAntiSpyware.com
2009-07-10 22:26 --d----- C:\Autoruns
2009-07-10 20:46 --d----- c:\docume~1\seth\applic~1\Malwarebytes
2009-07-10 20:27 0 a------- c:\documents and settings\seth\settings.dat
2009-07-10 20:18 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 20:18 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-10 20:18 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 20:18 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 16:40 --d----- c:\windows\pss
2009-07-09 15:08 3,976,714 a------- c:\windows\system32\uactmp.db
2009-07-09 15:02 --d----- c:\program files\sFX
2009-07-09 14:56 1,110,399 a------- c:\windows\system32\UACunmmouxnixelhmofm.db
2009-07-09 14:56 310 a------- c:\windows\system32\UACmihsgeqaeaecbivab.dat
2009-07-04 08:19 --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-07-04 07:31 --d----- c:\program files\DVDFab 5
2009-07-02 17:50 --d----- c:\program files\PFPortChecker
2009-07-01 20:26 4,194,346 a------- c:\windows\pfirewall.log.old
2009-06-28 17:34 --d----- c:\program files\Tag Support Plugin for Media Player
2009-06-28 17:33 --d----- c:\program files\FLAC
2009-06-23 17:53 --d-h--- C:\$AVG8.VAULT$
2009-06-22 23:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 23:59 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-22 23:59 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 23:59 --d----- c:\windows\system32\drivers\Avg
2009-06-22 23:59 --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-22 23:59 --d----- c:\program files\AVG
2009-06-22 23:59 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-17 17:13 --d----- c:\program files\Seagate
2009-06-17 17:13 --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-06-17 17:09 --dsh--- c:\windows\ftpcache
2009-06-17 16:59 --d-hr-- c:\docume~1\alluse~1\applic~1\Atheros
2009-06-17 16:57 57,408 a------- c:\windows\system32\drivers\wsimd.sys
2009-06-17 16:57 --d----- c:\program files\NETGEAR
2009-06-17 16:56 --d----- c:\docume~1\alluse~1\applic~1\NETGEAR
2009-06-17 16:56 --d----- c:\windows\Downloaded Installations
2009-06-16 22:48 --d----- c:\docume~1\seth\applic~1\Alarm

==================== Find3M ====================

2009-07-10 16:03 5,434 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-09 15:12 4 ----h--- c:\windows\fonts\mlog

============= FINISH: 20:28:26.75 ===============


Thanks in advance for any help.

Edited by Orange Blossom, 11 July 2009 - 09:11 PM.
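As an added example (not code from the original thread or from any of the tools named in it), a small triage script over the kinds of lines quoted in the post above: the RootRepeal hidden-service entry, the Trusted Zone additions, the AppInit_DLLs list and the extra LSA notification package. The sample lines are constructed from values in the post, and EXPECTED_LSA is an assumption that only scecli is a standard notification package on this Windows XP install.

```python
import re

# Constructed sample: a few lines in the format of the RootRepeal / DDS output
# posted above (values taken from the thread, not a complete log).
SAMPLE = """\
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACwdebmscdertucfdtg.sys
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\\windows\\system32\\pogimoso.dll c:\\windows\\system32\\musutada.dll,c:\\docume~1\\seth\\locals~1\\temp\\734424015954mmx.dll
LSA: Notification Packages = scecli c:\\windows\\system32\\pogimoso.dll
"""

# Assumption: the only LSA notification package expected on a stock XP install.
EXPECTED_LSA = {"scecli"}


def triage(log_text):
    """Return (category, value) findings for the lines a responder checks first."""
    findings = []
    seen_hosts = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Service Name:"):
            # A service hidden from the Windows API is a finding on its own.
            findings.append(("hidden_service", line.split(":", 1)[1].strip()))
        elif line.startswith("Image Path:"):
            findings.append(("hidden_service_image", line.split(":", 1)[1].strip()))
        elif line.startswith("Trusted Zone:"):
            host = line.split(":", 1)[1].strip().lower()
            if host not in seen_hosts:  # DDS prints HKCU and HKLM copies; report once
                seen_hosts.add(host)
                findings.append(("trusted_zone", host))
        elif line.startswith("AppInit_DLLs:"):
            # Every AppInit DLL is loaded into each process that loads user32.dll,
            # so each entry is reported; the value is space- or comma-separated.
            for dll in re.split(r"[ ,]+", line.split(":", 1)[1].strip()):
                if dll:
                    findings.append(("appinit_dll", dll.lower()))
        elif line.startswith("LSA: Notification Packages"):
            # Notification packages receive password changes; flag any unexpected one.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in EXPECTED_LSA:
                    findings.append(("lsa_notification_package", pkg.lower()))
    return findings


if __name__ == "__main__":
    for category, value in triage(SAMPLE):
        print(f"{category:26} {value}")
```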


#2 random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:13 PM

Posted 13 July 2009 - 06:01 PM

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the ComboFix log and a new HijackThis log as a reply to this topic.



