topic Re: Malware problem in globalroot\systemroot (UAC) in Norton Internet Security / Norton AntiVirus

Re: Malware problem in globalroot\systemroot

gally — Wed, 10 Jun 2009 08:56:22 GMT

Quad,

I ran the rootrepeal and got a log which I have given below. Also I have pasted the log from GMER in http://pastebay.com/21223. I did not get a luck yesterday to login to my system as the login screen did not come up at all. I like to give the exact name of UAC*.dll but I could not login and scan through Symantec Antivirus.

The log from rootrepeal is

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/06/07 19:43
Program Version:  Version 1.2.3.0
Windows Version:  Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA87B000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AFF000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8C90000 Size: 45056 File Visible: No
Status: -

Name: UACdnkfrxllrmowqjk.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys
Address: 0xAAAD1000 Size: 81920 File Visible: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: winlogon.exe (PID: 916) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: winlogon.exe (PID: 916) Address: 0x006d0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: services.exe (PID: 964) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: services.exe (PID: 964) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: lsass.exe (PID: 976) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: lsass.exe (PID: 976) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACyirwbwwostypehq.dll]
Process: svchost.exe (PID: 1144) Address: 0x00c10000 Size: 69632

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1144) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1144) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UAC5040.tmpwaboulhcsxt.dll]
Process: svchost.exe (PID: 1144) Address: 0x00ae0000 Size: 200704

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1144) Address: 0x02740000 Size: 45056

Object: Hidden Module [Name: UACsfsqwaboulhcsxt.dll]
Process: svchost.exe (PID: 1144) Address: 0x028e0000 Size: 200704

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1144) Address: 0x02ab0000 Size: 49152

Object: Hidden Module [Name: UACmpcxxnpkbpondir.dll]
Process: svchost.exe (PID: 1144) Address: 0x02b50000 Size: 53248

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1220) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1220) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1264) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1264) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: EvtEng.exe (PID: 1324) Address: 0x00ca0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: EvtEng.exe (PID: 1324) Address: 0x00d60000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: S24EvMon.exe (PID: 1416) Address: 0x00e10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: S24EvMon.exe (PID: 1416) Address: 0x00ed0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLKeeper.exe (PID: 1472) Address: 0x00f10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLKeeper.exe (PID: 1472) Address: 0x00fd0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_Service.exe (PID: 1536) Address: 0x00b10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_Service.exe (PID: 1536) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_WatchDog.exe (PID: 1652) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_WatchDog.exe (PID: 1652) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1712) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1712) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1808) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1808) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccSetMgr.exe (PID: 140) Address: 0x00720000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccSetMgr.exe (PID: 140) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccEvtMgr.exe (PID: 256) Address: 0x00670000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccEvtMgr.exe (PID: 256) Address: 0x00730000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: spoolsv.exe (PID: 504) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: spoolsv.exe (PID: 504) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 572) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 572) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: CdfSvc.exe (PID: 620) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: CdfSvc.exe (PID: 620) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: DefWatch.exe (PID: 640) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: DefWatch.exe (PID: 640) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: NICCONFIGSVC.exe (PID: 820) Address: 0x00a00000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: NICCONFIGSVC.exe (PID: 820) Address: 0x00ad0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RadeSvc.exe (PID: 1100) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RadeSvc.exe (PID: 1100) Address: 0x00be0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RegSrvc.exe (PID: 1456) Address: 0x00780000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RegSrvc.exe (PID: 1456) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SavRoam.exe (PID: 1548) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SavRoam.exe (PID: 1548) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Rtvscan.exe (PID: 1588) Address: 0x00eb0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Rtvscan.exe (PID: 1588) Address: 0x00f80000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLTRYSVC.EXE (PID: 1508) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLTRYSVC.EXE (PID: 1508) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: bcmwltry.exe (PID: 1900) Address: 0x00e30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: bcmwltry.exe (PID: 1900) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Explorer.EXE (PID: 2800) Address: 0x009c0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Explorer.EXE (PID: 2800) Address: 0x00d10000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: wmiprvse.exe (PID: 2936) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: wmiprvse.exe (PID: 2936) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_GUI.Exe (PID: 3096) Address: 0x00c40000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_GUI.Exe (PID: 3096) Address: 0x00f20000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLTRAY.exe (PID: 3188) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLTRAY.exe (PID: 3188) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: stsystra.exe (PID: 3196) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: stsystra.exe (PID: 3196) Address: 0x00b70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: quickset.exe (PID: 3216) Address: 0x00e30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: quickset.exe (PID: 3216) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: hkcmd.exe (PID: 3268) Address: 0x009d0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: hkcmd.exe (PID: 3268) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: igfxpers.exe (PID: 3348) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: igfxpers.exe (PID: 3348) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ctfmon.exe (PID: 3476) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ctfmon.exe (PID: 3476) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: igfxsrvc.exe (PID: 3516) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: igfxsrvc.exe (PID: 3516) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccApp.exe (PID: 3544) Address: 0x008d0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccApp.exe (PID: 3544) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: VPTray.exe (PID: 3664) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: VPTray.exe (PID: 3664) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: jusched.exe (PID: 3740) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: jusched.exe (PID: 3740) Address: 0x00bf0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ZCfgSvc.exe (PID: 3992) Address: 0x00f80000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ZCfgSvc.exe (PID: 3992) Address: 0x01040000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ifrmewrk.exe (PID: 4016) Address: 0x00e80000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ifrmewrk.exe (PID: 4016) Address: 0x00f40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: DoScan.exe (PID: 152) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: DoScan.exe (PID: 152) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: realsched.exe (PID: 208) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: realsched.exe (PID: 208) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: StartFX.exe (PID: 332) Address: 0x00970000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: StartFX.exe (PID: 332) Address: 0x00a30000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: NMBgMonitor.exe (PID: 1568) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: NMBgMonitor.exe (PID: 1568) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtMng.exe (PID: 2508) Address: 0x00e70000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtMng.exe (PID: 2508) Address: 0x00f40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Dot1XCfg.exe (PID: 3528) Address: 0x00d50000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Dot1XCfg.exe (PID: 3528) Address: 0x00ea0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosA2dp.exe (PID: 2296) Address: 0x00c60000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosA2dp.exe (PID: 2296) Address: 0x00d30000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtHid.exe (PID: 2324) Address: 0x003f0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtHid.exe (PID: 2324) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtHsp.exe (PID: 2280) Address: 0x00cb0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtHsp.exe (PID: 2280) Address: 0x00d90000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 2088) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 2088) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 3044) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 3044) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Iexplore.exe (PID: 2816) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Iexplore.exe (PID: 2816) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 3640) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 3640) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 2212) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 2212) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x00c10000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

Re: Malware problem in globalroot\systemroot (UAC)

Quads — Wed, 10 Jun 2009 09:25:44 GMT

Hi Gally,

It is just about My bed time, I will study the logs, and tomorrow morning New Zealand time create the script and take it from there.

Quads

<<Edit: Edited the request to move the message to a new thread.>>

Message Edited by TomV on 06-10-2009 02:25 AM

Re: Malware problem in globalroot\systemroot (UAC)

gally — Wed, 10 Jun 2009 09:17:04 GMT

Thanks Quad

Re: Malware problem in globalroot\systemroot (UAC)

Quads — Wed, 10 Jun 2009 11:24:26 GMT

Maybe I will get to bed now,

I have 2 scripts to create now, to grab all the rootkit files, .sys, .dll, .log, tmp, and reg entries

Quads

Re: Malware problem in globalroot\systemroot (UAC)

Quads — Wed, 10 Jun 2009 20:42:49 GMT

Funny, solved already

If you have Spybot S&D uninstall it

Now go to this post, Download Avenger http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

When you get to Number 3. use the script below

3. In the "Input script here:" copy and paste the script between the lines

Drivers to disable:

UACd.sys

Drivers to delete:

UACd.sys

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\WINDOWS\system32\wJQs.exe

C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys

C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACfwqvovmrcwvqxae.log

C:\WINDOWS\system32\UAChnoverfffpbbojg.dll

C:\WINDOWS\system32\UACikjwipoxduxtobi.dll

C:\WINDOWS\system32\uacvymnbtboeayohhs.dll

C:\WINDOWS\system32\uacqciqunodfnlghrv.dll

C:\WINDOWS\system32\UACjhwhfownswugepx.dll

C:\WINDOWS\system32\UACmeuaqmivkbmnyrj.dll

C:\WINDOWS\system32\UACqrmyxiqpfquufol.dat

C:\WINDOWS\system32\UACwordlvukxekdgqo.dll

C:\Documents and Settings\user\Local Settings\Temp\UAC8ff7.tmp

C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

C:\WINDOWS\system32\UACfoasddwfxtmqvpx.dat

C:\WINDOWS\system32\UAClwmkyhhientbiem.log

C:\WINDOWS\system32\UACmpcxxnpkbpondir.dll

C:\WINDOWS\system32\UACprqrqrqvsqjpwcv.dll

C:\WINDOWS\system32\UACsfsqwaboulhcsxt.dll

C:\WINDOWS\system32\UACxjpfmkusfwiswns.dll

C:\WINDOWS\system32\UACyirwbwwostypehq.dll

C:\WINDOWS\Temp\UAC5040.tmp

C:\WINDOWS\Temp\UACa4bb.tmp

C:\WINDOWS\Temp\UACa93c.tmp

C:\WINDOWS\Temp\UACe204.tmp

C:\WINDOWS\system32\UACpragfvramewsyfs.log

C:\WINDOWS\system32\UACjpbdqtxaqanyrcb.log

Registry keys to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys

Then carry on with the other post from the screenshot and below

Quads

Message Edited by Quads on 06-11-2009 08:37 AM

Message Edited by Quads on 06-11-2009 08:42 AM

Re: Malware problem in globalroot\systemroot (UAC)

delphinium — Wed, 10 Jun 2009 20:46:53 GMT

Our users know already that when Quads shows up the problem is SOLVED.

The original poster does have the option of changing his solved solution to the one that was most helpful.

Re: Malware problem in globalroot\systemroot (UAC)

gally — Wed, 10 Jun 2009 22:10:32 GMT

Quads,

I did as you told and saw lot of files got deleted. After that I ran a quick scan by my Symantec Antivirus. It detected a virus

c:\windows\system32\adptifn.exe.

I could see the particular file in that path but I am not sure if I can delete it. Also I rerun the rootrepeal and found the following log

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/06/11 03:26
Program Version:  Version 1.2.3.0
Windows Version:  Windows XP SP2
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\user\LOCALS~1\Temp\aujasnkj.sys
Address: 0xA8EFF000 Size: 81664 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA79D000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AF3000 Size: 8192 File Visible: No
Status: -

Name: ezcak.sys
Image Path: C:\WINDOWS\system32\drivers\ezcak.sys
Address: 0xF77DD000 Size: 61440 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8FFE000 Size: 45056 File Visible: No
Status: -

Name: UACdnkfrxllrmowqjk.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys
Address: 0xAAABB000 Size: 81920 File Visible: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: winlogon.exe (PID: 944) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: winlogon.exe (PID: 944) Address: 0x006d0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: services.exe (PID: 992) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: services.exe (PID: 992) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: lsass.exe (PID: 1004) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: lsass.exe (PID: 1004) Address: 0x00850000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACoijxikibfsvravy.sys

Also I run the GMER and it highlighted one virus in red. It is

Service system32\drivers\UACoijxikibfsvravy.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

I have attached the log of Avenger in the following path

http://pastebay.com/21394

Is some serious virus still there in my system?

Gally

Re: Malware problem in globalroot\systemroot (UAC)

Quads — Wed, 10 Jun 2009 22:22:48 GMT

Could you please post the Avenger log?? oh my bad, I see it.

I will spend time looking over the Avenger log and new rootrepeal log, looks like anothee .sys file, (different name)

I will also script the .exe file you stated, the Exe file might be reloading the rootkit, with new names.

Quads

Message Edited by Quads on 06-11-2009 10:22 AM

Re: Malware problem in globalroot\systemroot (UAC)

gally — Wed, 10 Jun 2009 22:18:33 GMT

Delphinium,

I am new to this community and I thought that the green Solution button is having some link to solution and I clicked that. I am happy to tick the original solution post once my problem is resolved.

But I am not sure still how to do that

Gally

Re: Malware problem in globalroot\systemroot (UAC)

gally — Wed, 10 Jun 2009 22:24:15 GMT

Quad,

The avenger log is present in the path

http://pastebay.com/21394

Gally

Re: Malware problem in globalroot\systemroot (UAC)

Quads — Wed, 10 Jun 2009 22:26:04 GMT

Yeah I updated my post just above above, my fault

Re: Malware problem in globalroot\systemroot (UAC)

gally — Wed, 10 Jun 2009 23:11:45 GMT

Quads,

Its almost 5 in the morning here and I haven't sleep still as I want to remove this virus desperately. Also I will be out of station for 3 days this weekend. I will be available only tommorrow.

Can you please advice me if there is anything else needs to be done. I will look at it in the morning and take action.

Gally

Re: Malware problem in globalroot\systemroot (UAC)

Quads — Thu, 11 Jun 2009 00:31:01 GMT

I have added the other "C:\WINDOWS\system32\drivers\UACoijxikibfsvravy.sys" file to the script and the "C:\windows\system32\adptifn.exe" file that seems to be a backdoor somewhat.

This is what Avenger deleted from the first script

Driver "UACd.sys" deleted successfully

File "C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys" deleted successfully.

File "C:\WINDOWS\system32\uacinit.dll" deleted successfully

File "C:\Documents and Settings\user\Local Settings\Temp\UAC8ff7.tmp" deleted successfully.

File "C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys" deleted successfully.

File "C:\WINDOWS\system32\UACfoasddwfxtmqvpx.dat" deleted successfully.

File "C:\WINDOWS\system32\UAClwmkyhhientbiem.log" deleted successfully.

File "C:\WINDOWS\system32\UACmpcxxnpkbpondir.dll" deleted successfully.

File "C:\WINDOWS\system32\UACprqrqrqvsqjpwcv.dll" deleted successfully.

File "C:\WINDOWS\system32\UACsfsqwaboulhcsxt.dll" deleted successfully.

File "C:\WINDOWS\system32\UACxjpfmkusfwiswns.dll" deleted successfully.

File "C:\WINDOWS\system32\UACyirwbwwostypehq.dll" deleted successfully.

File "C:\WINDOWS\Temp\UACa4bb.tmp" deleted successfully.

File "C:\WINDOWS\Temp\UACa93c.tmp" deleted successfully.

File "C:\WINDOWS\Temp\UACe204.tmp" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" deleted successfully.

Here is the new updated script

Drivers to disable:

UACd.sys

UACdnkfrxllrmowqjk.sys

Drivers to delete:

UACd.sys

UACdnkfrxllrmowqjk.sys

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\WINDOWS\system32\adptifn.exe

C:\WINDOWS\system32\wJQs.exe

C:\WINDOWS\system32\drivers\UACoijxikibfsvravy.sys

C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys

C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACfwqvovmrcwvqxae.log

C:\WINDOWS\system32\UAChnoverfffpbbojg.dll

C:\WINDOWS\system32\UACikjwipoxduxtobi.dll

C:\WINDOWS\system32\uacvymnbtboeayohhs.dll

C:\WINDOWS\system32\uacqciqunodfnlghrv.dll

C:\WINDOWS\system32\UACjhwhfownswugepx.dll

C:\WINDOWS\system32\UACmeuaqmivkbmnyrj.dll

C:\WINDOWS\system32\UACqrmyxiqpfquufol.dat

C:\WINDOWS\system32\UACwordlvukxekdgqo.dll

C:\Documents and Settings\user\Local Settings\Temp\UAC8ff7.tmp

C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

C:\WINDOWS\system32\UACfoasddwfxtmqvpx.dat

C:\WINDOWS\system32\UAClwmkyhhientbiem.log

C:\WINDOWS\system32\UACmpcxxnpkbpondir.dll

C:\WINDOWS\system32\UACprqrqrqvsqjpwcv.dll

C:\WINDOWS\system32\UACsfsqwaboulhcsxt.dll

C:\WINDOWS\system32\UACxjpfmkusfwiswns.dll

C:\WINDOWS\system32\UACyirwbwwostypehq.dll

C:\WINDOWS\Temp\UAC5040.tmp

C:\WINDOWS\Temp\UACa4bb.tmp

C:\WINDOWS\Temp\UACa93c.tmp

C:\WINDOWS\Temp\UACe204.tmp

C:\WINDOWS\system32\UACpragfvramewsyfs.log

C:\WINDOWS\system32\UACjpbdqtxaqanyrcb.log

Registry keys to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys

Quads