
Infected with some unknown "UAC" rootkit


  • This topic is locked
4 replies to this topic

#1 blade12

blade12

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 AM

Posted 13 September 2009 - 01:04 PM

Instead of typing all the information again, I thought it would be best to just link to my thread in the "Am I infected?" forums. Just keep in mind that the post is from yesterday night so if I said today, I meant yesterday (sept 12 was yesterday). Here's the link to that thread: http://www.bleepingcomputer.com/forums/t/257255/need-help-getting-rid-of-trojan/

Hello, I am new around here and needed some help with a trojan that I had acquired.

I had "wscsvc32.exe" running in the task manager earlier today. While I had that trojan/malware/whatever it is, I could not open up Spybot Search & Destroy. I could not even install Malwarebytes or even AVG8 (basically disabled the anti-virus programs). I even tried running ComboFix just for testing purposes since none of the other things would work, but it would not load either (have not tried it again after removing wscsvc32.exe). I tried a couple of other anti-virus programs but ran into a similar problem. I could not even use Mozilla (whenever I clicked on ANY link in Google, it would go to some random websites - it still does sometimes). Along with that, I also kept getting popups of Security Center (I knew it was fake windows opening since I have Security Center disabled). I was finally able to get that wscsvc32.exe trojan file removed with Trend Micro HouseCall. Unfortunately, I am still experiencing problems. I scanned my entire computer with OfficeScan, and that did not find any infections. I still cannot load Spybot S&D (it shows up under the Processes tab in Task Manager but never loads up). I even tried reinstalling Spybot S&D once, but it still would not load up, so I have it uninstalled for now. Perhaps if I can get the other installer.exe trojan (more on it below) removed, Spybot S&D might work again and Mozilla might become normal again.

I am currently using Safari since Mozilla loads up so slowly (it crashed my computer a couple of times when I had a bunch of tabs open). I even tried loading IE right after I removed wscsvc32.exe, but it got stuck at a white screen while freezing my entire computer (had to hard-boot). I did not open IE after that. Right now, I am scanning with this virus scanner I found called ParetoLogic Anti-Virus Plus. So far, it is showing that some installer.exe has been found, along with 7 other files with very long names. 2 of them are located under the Java\deployment\cache\6.0 folder. Five others are backup files from HouseCall (not too concerned about that - I can probably safely remove them). Unfortunately, I cannot use ParetoLogic to remove those trojans/high-risk files (would need to buy it).

My OS is Windows XP SP2. Any ideas on what I should do next? I removed a few files using HijackThis that came up as bad on a HijackThis log auto analyzer v2 page found through Google yesterday.

Thanks guys.

One more thing - I just scanned again using Trend Micro HouseCall. It showed some rootkit file (labeled UACdlxrfqja~). I can't find anything on Google with that file name.


I was told to use RootRepeal (the logs are located in that thread - they clearly show a rootkit). I did not make any changes to my computer after that, so those logs are up to date. I have those logs included in this post anyway.

Here is the DDS.txt file:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Harsh at 13:48:09.98 on Sun 09/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2712 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}
AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Safari\safari.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\applemobiledeviceservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Harsh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = ;*.local
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [PeerGuardian] "c:\program files\peerguardian2\pg2.exe"
uRun: [EVEREST AutoStart] c:\documents and settings\harsh\desktop\everest-ultimate-edition-4.60.1601-hardal\everest.exe
mRun: [DeathAdder] "c:\program files\razer\deathadder\razerhid.exe"
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.23\RivaTuner.exe" /S
mRun: [Launch LgDevAgt] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\INetHTTPFilter.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\harsh\applic~1\mozilla\firefox\profiles\iocfi8gf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gamespot.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\harsh\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\harsh\application data\mozilla\firefox\profiles\iocfi8gf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\harsh\application data\mozilla\firefox\profiles\iocfi8gf.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-26 64160]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-9-29 13560]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2008-12-7 15976]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-9-12 36368]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-9-27 22784]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-9-12 335888]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2009-9-1 17792]
R4 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-9-12 186128]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-9-28 26144]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-9-12 225296]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-15 24652]
S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [2009-1-31 37488]


If you need any extra information, let me know.

Thanks. :(



Edited by blade12, 13 September 2009 - 01:10 PM.
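The DDS log in the post above is plain text with fixed section headers, so the first pass a responder makes over it can be scripted. The Python below is an added example, not code from DDS, BleepingComputer or the poster: it splits the log on the "=== Name ===" headers, then flags security products that report themselves as disabled or outdated, running processes DDS could not resolve to a path, Winsock LSP entries (flagged for review of the publisher, not as malicious), and service/driver lines whose name follows the "UAC" plus random lowercase letters pattern HouseCall reported. The sample input is a constructed excerpt: most lines are copied from the posted log, while the UACdlxrfqja driver line is made up to exercise the last rule, because the posted DDS output contains no such line.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout DDS uses. Most lines are copied from the log
# posted above; the "UACdlxrfqja" driver line is made up to exercise the naming
# rule, since the posted log contains no such line.
SAMPLE_DDS = r"""
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}
AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

LSP: c:\windows\system32\INetHTTPFilter.dll
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-26 64160]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
R1 UACdlxrfqja;UACdlxrfqja;c:\windows\system32\drivers\UACdlxrfqja.sys [2009-9-12 1]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "AV: <product> *<state>* (<Updated|Outdated>)" as DDS prints it in the preamble
PRODUCT_RE = re.compile(r"^(AV|AS|FW):\s*(.+?)\s*\*(.+?)\*(?:\s*\((\w+)\))?")
# HouseCall reported "UACdlxrfqja~": the prefix UAC followed by random lowercase letters
UAC_NAME_RE = re.compile(r"\bUAC[a-z]{8,}\b")

Finding = Tuple[str, str]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '=== Name ===' sections; text before the first
    header is stored under 'header'. Blank lines are dropped."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return (rule, line) pairs worth a human look. None of these is proof of
    infection on its own; they are the things a responder checks first."""
    secs = parse_sections(text)
    findings: List[Finding] = []

    for line in secs.get("header", []):
        m = PRODUCT_RE.match(line)
        if not m:
            continue
        kind, product, state, freshness = m.groups()
        if "disabled" in state.lower() or (freshness or "").lower() == "outdated":
            findings.append(("security-product-off", f"{kind} {product}: {state}"))

    for line in secs.get("Running Processes", []):
        # DDS prints a full path when it can resolve the image; a bare name
        # means it could not, so confirm that image with a second tool.
        if "\\" not in line:
            findings.append(("unresolved-process", line))

    for line in secs.get("Pseudo HJT Report", []):
        # A Winsock LSP DLL sits in the path of every socket; verify its publisher.
        if line.startswith("LSP:"):
            findings.append(("winsock-lsp", line))

    for line in secs.get("SERVICES / DRIVERS", []):
        if UAC_NAME_RE.search(line):
            findings.append(("uac-rootkit-name", line))

    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:22} {line}")
```

Run against the full posted log, the script would report the three disabled or outdated products and the bare svchost.exe entries, but nothing under the UAC rule: the hidden driver does not appear in the DDS service list at all, which is why the poster needed RootRepeal and HouseCall to see it. A rule that matches a name only helps once some tool has managed to enumerate the file.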




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 AM

Posted 28 September 2009 - 08:49 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic. If you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 blade12

blade12
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 AM

Posted 30 September 2009 - 02:49 PM

Hello syler.

I think I am good now. I used Malwarebytes' Anti-Malware to remove the rootkit. It would not go away the first time, as I mentioned, so I decided to change the name of the entire exe file for Malwarebytes. The second time I loaded it up and tried to remove the rootkit, it got removed. I scanned again using multiple virus scanners and also Malwarebytes. Malwarebytes came up clean, but the virus scanners showed a couple of viruses/trojans. I removed them all and then ran the virus scans again. Nothing came up after that. IE works fine now and so does Mozilla, and I really do not see any problems atm. Spybot Search & Destroy also works fine now. I really don't see any problems anymore after getting the rootkit removed. Do you think I should still scan with that RSIT program?

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 AM

Posted 30 September 2009 - 02:58 PM

Hi blade12,

Do you think I should still scan with that RSIT program?


That is up to you. If you are happy that your machine is clean, then I can close the topic; if you would like me to have a look, though, that is no problem.



#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 AM

Posted 04 October 2009 - 09:55 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





