Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with UACd.sys, UACStalkrwbww.sys, rootkit.agent.ogd

  • This topic is locked This topic is locked
6 replies to this topic

#1 Mahrime


  • Members
  • 3 posts
  • Local time:02:49 PM

Posted 26 July 2009 - 04:39 AM

Malwarebytes: UACd.sys, UACStalkrwbww.sys
Nod32: rootkit.agent.ogd

Please help!

Edit: DDS did not copy right the first time. Fixed it (hopefully).

DDS (Ver_09-06-26.01) - NTFSx86
Run by Amy at 12:07:56.84 on Sat 07/25/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2045.1360 [GMT -7:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Amy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://join.123cashformula.com/track/NTI4MzEuNy42LjEyLjAuMC4wLjA
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A36D2A01-00F3-42BD-F434-00BBC39C8953} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [pridl] "c:\documents and settings\amy\application data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\lsp.dll
Trusted Zone: facebook.com\login
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://0-site.ebrary.com.ignacio.usfca.edu/lib/usflibrary/support/plugins/ebraryRdr.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {A36D2A01-00F3-42BD-F434-00BBC39C8953} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amy\applic~1\mozilla\firefox\profiles\oveprcig.default\
FF - plugin: c:\documents and settings\amy\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\amy\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R3 SNPHV71;i-CAM VC USB Camera (MC-310);c:\windows\system32\drivers\snphv71.sys [2009-7-12 232320]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S2 wicubcgnikq;wicubcgnikq;\??\c:\windows\system32\drivers\dsdbvfnppplktg.sys --> c:\windows\system32\drivers\dsdbvfnppplktg.sys [?]
S3 jbridgep;jbridgep;\??\c:\docume~1\amy\locals~1\temp\jbridgep.sys --> c:\docume~1\amy\locals~1\temp\jbridgep.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\af36.tmp --> c:\windows\system32\AF36.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]

=============== Created Last 30 ================

2009-07-25 12:02 84 a------- c:\windows\system32\4.tmp
2009-07-25 11:55 84,480 a------- c:\windows\system32\7.tmp
2009-07-25 11:55 84 a------- c:\windows\system32\3.tmp
2009-07-25 11:49 84,480 a------- c:\windows\system32\60.tmp
2009-07-25 11:48 84 a------- c:\windows\system32\1C.tmp
2009-07-25 11:08 25,088 a------- c:\windows\system32\5.tmp
2009-07-25 11:00 54,784 -------- c:\windows\system32\drivers\UACd.sys
2009-07-25 10:59 84 a------- c:\windows\system32\AB.tmp
2009-07-25 08:58 84 a------- c:\windows\system32\7A.tmp
2009-07-25 07:28 <DIR> --d----- c:\program files\Sophos
2009-07-25 07:00 40 a------- c:\windows\system32\C07.tmp
2009-07-25 06:20 84 a------- c:\windows\system32\14.tmp
2009-07-25 05:56 40 a------- c:\windows\system32\68A1.tmp
2009-07-25 04:53 <DIR> --d----- c:\program files\Trend Micro
2009-07-25 04:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11883904
2009-07-25 04:49 84 a------- c:\windows\system32\73.tmp
2009-07-25 04:41 40 a------- c:\windows\system32\13.tmp
2009-07-25 04:33 <DIR> --d----- c:\program files\mIRC
2009-07-25 04:25 40 a------- c:\windows\system32\FC.tmp
2009-07-25 04:16 40 a------- c:\windows\system32\12.tmp
2009-07-25 04:04 <DIR> --d----- c:\program files\Mortal Online
2009-07-25 03:54 40 a------- c:\windows\system32\544F.tmp
2009-07-25 03:34 40 a------- c:\windows\system32\37BF.tmp
2009-07-25 02:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13828594
2009-07-25 02:31 88 a------- C:\Make Money Online.url
2009-07-25 02:31 70 a------- C:\Girls on your desktop.url
2009-07-25 02:30 206 a------- c:\windows\prxid93ps.dat
2009-07-24 17:25 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-24 17:25 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-21 17:03 <DIR> --d----- c:\docume~1\amy\applic~1\StarVault
2009-07-18 16:04 115,208 a------- C:\SNPHV71.RAW
2009-07-18 14:47 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-18 14:47 1,409 a------- c:\windows\QTFont.for
2009-07-12 20:27 120,879 a----r-- c:\windows\usnphv71.exe
2009-07-12 20:27 61,440 a----r-- c:\windows\system32\dsnphv71.dll
2009-07-12 20:27 49,152 a----r-- c:\windows\vsnphv71.exe
2009-07-12 20:27 49,152 a----r-- c:\windows\system32\vsnphv71.dll
2009-07-12 20:27 40,960 a----r-- c:\windows\dsnphv71.exe
2009-07-12 20:27 28,672 a----r-- c:\windows\system32\dsnphv71.ax
2009-07-12 20:27 15,553 a----r-- c:\windows\snphv71.ini
2009-07-12 20:27 12,827 a----r-- c:\windows\snphv71.src
2009-07-12 20:27 232,320 a----r-- c:\windows\system32\drivers\snphv71.sys
2009-07-02 11:55 41,808 a------- c:\windows\system32\xfcodec.dll
2009-07-01 16:58 2 a------- C:\808640392

==================== Find3M ====================

2009-07-25 11:50 94,208 a------- c:\windows\DUMP4ebc.tmp
2009-07-25 11:10 94,208 a------- c:\windows\DUMP54e6.tmp
2009-07-23 19:16 16,362 a------- c:\docume~1\amy\applic~1\wklnhst.dat
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-15 17:28 183,296 a------- c:\windows\system32\lsp.dll
2009-06-10 18:01 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 12:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 09:55 70,936 a------- c:\windows\system32\PhysXLoader.dll

============= FINISH: 12:09:35.62 ===============

Attached Files

Edited by Mahrime, 26 July 2009 - 05:17 AM.

BC AdBot (Login to Remove)



#2 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:49 AM

Posted 27 July 2009 - 07:35 AM

Hello Mahrime my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.

Your log will be analyzed and you will be instructed on what to do next as soon as possible.

~Semp :thumbup2:


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 Mahrime

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:49 PM

Posted 27 July 2009 - 06:13 PM

Hi Sempai, thank you for responding but it seems my situation is getting worse. I am now infected with reader_s.exe and it has infected pretty much all of my system. Nod32 managed to quarantine/delete most of it but it cannot get rid of the virus so it keeps reinfecting my system. From what I have read, it seems my only option at this point is to reinstall windows. :thumbup2:

Edited by Mahrime, 27 July 2009 - 06:14 PM.

#4 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:49 AM

Posted 28 July 2009 - 07:05 AM

Hi Mahrime,

Since your computer is heavily infected, reformat / reinstalling windows will be the best choice. :thumbup2:

It would be wise for you to back up any files and folders that you don't want to lose before reformatting.

Do not backup any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files...
The reason for this is because these files may be infected also. If you replace them after the re installation of OS, it will surely reinfect you again.

Please read:

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutThis kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:With regards,
~Semp :)


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#5 Mahrime

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:49 PM

Posted 28 July 2009 - 03:38 PM

I have reinstalled windows and so far so good. Now I guess I cross my fingers and hope I dont reinfect myself copying my stuff back over from my external (I am pretty sure it is infected too). Anyway, thank you for your help and take care!

#6 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:49 AM

Posted 29 July 2009 - 07:37 AM

Hello Mahrime,

Please do the following to prevent your computer from reinfection:

1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

2. Since your external hard drive is possibly infected, scanning it with an online scanner would be wiser. Connect the drive to your computer then perform an online scan with ESET.

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Glad we could help,
~Semp :thumbup2:


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#7 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:49 PM

Posted 02 August 2009 - 11:28 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users