Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help getting rid of trojan


  • This topic is locked This topic is locked
7 replies to this topic

#1 blade12

blade12

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:15 AM

Posted 12 September 2009 - 10:36 PM

Hello, I am new around here and needed some help with a trojan that I had acquired.

I had "wscsvc32.exe" running in the task-manager earlier today. While I had that trojan/malware/whatever it is, I could not open up spybot search & destroy. I could not even install Malwarebytes or even AVG8 (basically disabled the anti-virus programs). I even tried running ComboFix just for testing purposes since none of the other things would work, but it would not load either (have not tried it again after removing wscsvc32.exe). I could not even use Mozilla (whenever I clicked on ANY link in google, it would go to some random websites). Along with that, I also kept getting popups of Security Center (I knew it was fake windows opening since I have Security Center disabled). I was finally able to get that wscsvc32.exe trojan file removed with Trendmicro House Call. Unfortunately, I am still experiencing problems. I scanned my entire computer with OfficeScan, and that did not find any infections. I still cannot load spybot s&d (it shows up under processes tab in task manager but never loads up). I even tried reinstalling Spybot s&d once, but it still would not load up so I have it uninstalled for now. perhaps if I can get the other installer.exe trojan (more on it below) removed, spybot s&d might work again and mozilla might become normal again

I am currently using Safari since Mozilla loads up so slowly (crashed my computer couple times when I had a bunch of tabs open); it also starts up some ScanningProcess.exe file using up quite a bit of cpu %. I even tried loading IE right after I removed wscsvc32.exe, but it got stuck at a white screen while freezing my entire computer (had to hard-boot). I did not open IE after that. Right now, I am scanning with this virus-scanner I found called ParetoLogic Anti-Virus Plus. So far, it is showing that some installer.exe has been found, along with 7 other files with very long names. 2 of them are located under Java\deployment\cache\6.0 folder..... Five others are backup files from Housecall (not too concerned about that - I can probably safely remove it). Unfortunately, I cannot use this ParetoLogic to remove those trojans/high risk files (would need to buy it).

My OS is windows XP SP2. Any ideas on what I should do next? I removed a few files using hijackthis that came up as bad on a Hijackthis log auto analyzer v2 page found through google.

Thanks guys.

One more thing - I just scanned again using Trend Micro HouseCall. It showed up some Rootkits file (labeled UACdlxrfqja~). I can't find anything on google with that file name..

Edited by blade12, 12 September 2009 - 11:06 PM.


BC AdBot (Login to Remove)

 


#2 blade12

blade12
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:15 AM

Posted 12 September 2009 - 11:43 PM

Update:

Alright, forget the ScanningProcess.exe. It was with ParetoLogic Anti-Virus Plus. As soon as I disabled that, ScanningProcess.exe turned off on it's own. So I basically need to figure out what the rootkits thing is and also how to get rid of installer.exe. I tried to remove the rootkit with Trend Micro HouseCall, but it kept coming back when I rescanned after restarting computer. I am pretty sure "wscsvc32.exe" is gone; just dunno what I could use to make sure that it is gone for good.

#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:15 AM

Posted 13 September 2009 - 10:19 AM

Hello blade12 and :thumbsup: to BleepingComputer.

Let's see what we can do.

Please install RootRepeal
Note: Vista users ,, right click on desktop icon and select "Run as Administrator."Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#4 blade12

blade12
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:15 AM

Posted 13 September 2009 - 12:33 PM

Looks like the UAC rootkit files are still running as hidden/locked files with a lot of other junk that I don't even know. Great, sounds like fun lol

One more thing to note: It said "Error - Invalid PE image found!" when I first loaded up RootRepeal. I don't know if that matters or not since everything worked normally with rootrepeal after I closed that Error window. I had almost every thing disabled, including the internet. FYI, I had a total of 20 services running (including Safari.exe, and razerhid.exe and AppleMobileDeviceService.exe - all 3 safe).



ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/13 13:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xB7DCF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9429000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85E8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8890
Image Path: \Driver\PCI_PNP8890
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB81A8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwk.sys
Image Path: spwk.sys
Address: 0xB7EAA000 Size: 1036288 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACbwkmotfaka.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdlxrfqjavg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACturnkoehyi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd65b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACltltkklyxe.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Harsh\Local Settings\Temp\UAC3469.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Harsh\Local Settings\Temp\UAC3478.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Harsh\Local Settings\Temp\UAC3a16.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACturnkoehyi.dll]
Process: svchost.exe (PID: 1400) Address: 0x10000000 Size: 65536

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8acc61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x895079f0 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a5b3500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a7d4d90 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a7d4bd0 Size: 99

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8acc81f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a8921f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ac581f8 Size: 121

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLOSE]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_READ]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_WRITE]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_EA]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLEANUP]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_POWER]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_PNP]
Process: System Address: 0x8a694ac0 Size: 99

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89d511f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89d511f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d511f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89d511f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89d511f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89d511f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a8911f8 Size: 121

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x89dbfa80 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x89cc3620 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a527280 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89d531f8 Size: 121

Object: Hidden Code [Driver: Npfs€€’€€“, IRP_MJ_READ]
Process: System Address: 0x8aa3b498 Size: 11

Object: Hidden Code [Driver: Msfs€€€™€Ё€’€€“, IRP_MJ_READ]
Process: System Address: 0x8aa030f0 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8aa79670 Size: 11

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_CREATE]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_CLOSE]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_READ]
Process: System Address: 0x8aa22588 Size: 11

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_CLEANUP]
Process: System Address: 0x8a9ce1f8 Size: 121

Object: Hidden Code [Driver: Cdfs€€ŽЁ€’€“ꍸ€’†€œ€“œ€“, IRP_MJ_PNP]
Process: System Address: 0x8a9ce1f8 Size: 121

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACltltkklyxe.sys

==EOF==

Edited by blade12, 13 September 2009 - 12:38 PM.


#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:15 AM

Posted 13 September 2009 - 12:35 PM

Looks like the UAC rootkit files are still running as hidden/locked files.


Correct. You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Sorry I couldn't do more for you here; they'll be able to help in HJT.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#6 blade12

blade12
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:15 AM

Posted 15 September 2009 - 09:08 PM

Looks like the UAC rootkit files are still running as hidden/locked files.


Correct. You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Sorry I couldn't do more for you here; they'll be able to help in HJT.

~Blade


I posted the thread btw. I forgot to post a note here

http://www.bleepingcomputer.com/forums/t/257362/infected-with-some-unknown-uac-rootkit/

I have one question though. Before I found out I had a rootkit, I logged into my email/facebook/college website/router-page/etc (had windows firewall, OfficeScan firewall and also my router firewall running while doing that). Do you think that all of those passwords will be logged by the rootkit and perhaps sent out to a third party?

One more thing - Whenever I click any redirect link in mozilla, it still redirects to some random advertisement websites. I really cannot use mozilla. I have to use Safari for everything since Safari is the only browser that works normally (Even IE still leads to random websites). I used Safari when logging into email/facebook/etc. Do you think Safari is safe for that since it does not seem like the rootkit effected Safari? My guess as to why Safari works normally is because it is a primarily a MAC browser. Mac OSX is much safer than Windows so maybe virus/trojan creators stick with the browsers most used with windows (mozilla, IE, etc).

Edited by blade12, 15 September 2009 - 09:35 PM.


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:15 AM

Posted 16 September 2009 - 08:51 AM

You should consider all passwords to be compromised. Change them using a clean computer. Better safe than sorry :thumbsup:

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:15 AM

Posted 25 September 2009 - 12:22 AM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users