gally
Visitor
gally
Posts: 7
Registered: ‎06-07-2009
Accepted Solution
Re: Malware problem in globalroot\systemroot

‎06-10-2009 01:56 AM

Quad,

 

I ran the rootrepeal and got a log which I have given below. Also I have pasted the log from GMER in http://pastebay.com/21223. I did not get a luck yesterday to login to my system as the login screen did not come up at all. I like to give the exact name of UAC*.dll but I could not login and scan through Symantec Antivirus.

 

The log from rootrepeal is

 

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/06/07 19:43
Program Version:  Version 1.2.3.0
Windows Version:  Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA87B000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AFF000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8C90000 Size: 45056 File Visible: No
Status: -

Name: UACdnkfrxllrmowqjk.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys
Address: 0xAAAD1000 Size: 81920 File Visible: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: winlogon.exe (PID: 916) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: winlogon.exe (PID: 916) Address: 0x006d0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: services.exe (PID: 964) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: services.exe (PID: 964) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: lsass.exe (PID: 976) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: lsass.exe (PID: 976) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACyirwbwwostypehq.dll]
Process: svchost.exe (PID: 1144) Address: 0x00c10000 Size: 69632

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1144) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1144) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UAC5040.tmpwaboulhcsxt.dll]
Process: svchost.exe (PID: 1144) Address: 0x00ae0000 Size: 200704

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1144) Address: 0x02740000 Size: 45056

Object: Hidden Module [Name: UACsfsqwaboulhcsxt.dll]
Process: svchost.exe (PID: 1144) Address: 0x028e0000 Size: 200704

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1144) Address: 0x02ab0000 Size: 49152

Object: Hidden Module [Name: UACmpcxxnpkbpondir.dll]
Process: svchost.exe (PID: 1144) Address: 0x02b50000 Size: 53248

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1220) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1220) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1264) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1264) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: EvtEng.exe (PID: 1324) Address: 0x00ca0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: EvtEng.exe (PID: 1324) Address: 0x00d60000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: S24EvMon.exe (PID: 1416) Address: 0x00e10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: S24EvMon.exe (PID: 1416) Address: 0x00ed0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLKeeper.exe (PID: 1472) Address: 0x00f10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLKeeper.exe (PID: 1472) Address: 0x00fd0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_Service.exe (PID: 1536) Address: 0x00b10000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_Service.exe (PID: 1536) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_WatchDog.exe (PID: 1652) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_WatchDog.exe (PID: 1652) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1712) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1712) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 1808) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 1808) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccSetMgr.exe (PID: 140) Address: 0x00720000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccSetMgr.exe (PID: 140) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccEvtMgr.exe (PID: 256) Address: 0x00670000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccEvtMgr.exe (PID: 256) Address: 0x00730000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: spoolsv.exe (PID: 504) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: spoolsv.exe (PID: 504) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 572) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 572) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: CdfSvc.exe (PID: 620) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: CdfSvc.exe (PID: 620) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: DefWatch.exe (PID: 640) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: DefWatch.exe (PID: 640) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: NICCONFIGSVC.exe (PID: 820) Address: 0x00a00000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: NICCONFIGSVC.exe (PID: 820) Address: 0x00ad0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RadeSvc.exe (PID: 1100) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RadeSvc.exe (PID: 1100) Address: 0x00be0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RegSrvc.exe (PID: 1456) Address: 0x00780000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RegSrvc.exe (PID: 1456) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SavRoam.exe (PID: 1548) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SavRoam.exe (PID: 1548) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Rtvscan.exe (PID: 1588) Address: 0x00eb0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Rtvscan.exe (PID: 1588) Address: 0x00f80000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLTRYSVC.EXE (PID: 1508) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLTRYSVC.EXE (PID: 1508) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: bcmwltry.exe (PID: 1900) Address: 0x00e30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: bcmwltry.exe (PID: 1900) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Explorer.EXE (PID: 2800) Address: 0x009c0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Explorer.EXE (PID: 2800) Address: 0x00d10000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: wmiprvse.exe (PID: 2936) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: wmiprvse.exe (PID: 2936) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: SR_GUI.Exe (PID: 3096) Address: 0x00c40000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: SR_GUI.Exe (PID: 3096) Address: 0x00f20000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: WLTRAY.exe (PID: 3188) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: WLTRAY.exe (PID: 3188) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: stsystra.exe (PID: 3196) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: stsystra.exe (PID: 3196) Address: 0x00b70000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: quickset.exe (PID: 3216) Address: 0x00e30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: quickset.exe (PID: 3216) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: hkcmd.exe (PID: 3268) Address: 0x009d0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: hkcmd.exe (PID: 3268) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: igfxpers.exe (PID: 3348) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: igfxpers.exe (PID: 3348) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ctfmon.exe (PID: 3476) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ctfmon.exe (PID: 3476) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: igfxsrvc.exe (PID: 3516) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: igfxsrvc.exe (PID: 3516) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ccApp.exe (PID: 3544) Address: 0x008d0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ccApp.exe (PID: 3544) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: VPTray.exe (PID: 3664) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: VPTray.exe (PID: 3664) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: jusched.exe (PID: 3740) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: jusched.exe (PID: 3740) Address: 0x00bf0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ZCfgSvc.exe (PID: 3992) Address: 0x00f80000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ZCfgSvc.exe (PID: 3992) Address: 0x01040000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: ifrmewrk.exe (PID: 4016) Address: 0x00e80000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: ifrmewrk.exe (PID: 4016) Address: 0x00f40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: DoScan.exe (PID: 152) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: DoScan.exe (PID: 152) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: realsched.exe (PID: 208) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: realsched.exe (PID: 208) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: StartFX.exe (PID: 332) Address: 0x00970000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: StartFX.exe (PID: 332) Address: 0x00a30000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: NMBgMonitor.exe (PID: 1568) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: NMBgMonitor.exe (PID: 1568) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtMng.exe (PID: 2508) Address: 0x00e70000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtMng.exe (PID: 2508) Address: 0x00f40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Dot1XCfg.exe (PID: 3528) Address: 0x00d50000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Dot1XCfg.exe (PID: 3528) Address: 0x00ea0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosA2dp.exe (PID: 2296) Address: 0x00c60000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosA2dp.exe (PID: 2296) Address: 0x00d30000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtHid.exe (PID: 2324) Address: 0x003f0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtHid.exe (PID: 2324) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: TosBtHsp.exe (PID: 2280) Address: 0x00cb0000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: TosBtHsp.exe (PID: 2280) Address: 0x00d90000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 2088) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 2088) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: svchost.exe (PID: 3044) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: svchost.exe (PID: 3044) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: Iexplore.exe (PID: 2816) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: Iexplore.exe (PID: 2816) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 3640) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 3640) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: iexplore.exe (PID: 2212) Address: 0x00a30000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: iexplore.exe (PID: 2212) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x00c10000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

 

Report Inappropriate Content
(3,459 Views)
Quads
Bot Obliterator
Quads
Posts: 13,932
Registered: ‎07-21-2008
Re: Malware problem in globalroot\systemroot (UAC)
[ Edited ]

‎06-10-2009 02:02 AM - last edited on ‎06-10-2009 02:25 AM by

Hi Gally, 

 

It is just about My bed time, I will study the logs, and tomorrow morning New Zealand time create the script and take it from there.

 

Quads

 

<<Edit: Edited the request to move the message to a new thread.>>


Message Edited by TomV on 06-10-2009 02:25 AM
Report Inappropriate Content
(3,445 Views)
gally
Visitor
gally
Posts: 7
Registered: ‎06-07-2009
Re: Malware problem in globalroot\systemroot (UAC)

‎06-10-2009 02:17 AM

Thanks Quad
Report Inappropriate Content
(3,441 Views)
Quads
Bot Obliterator
Quads
Posts: 13,932
Registered: ‎07-21-2008
Re: Malware problem in globalroot\systemroot (UAC)

‎06-10-2009 04:24 AM

Maybe I will get to bed now,

 

I have 2 scripts to create now, to grab all the rootkit files,  .sys, .dll, .log, tmp, and reg entries

 

Quads 

Report Inappropriate Content
(3,417 Views)
Quads
Bot Obliterator
Quads
Posts: 13,932
Registered: ‎07-21-2008
Re: Malware problem in globalroot\systemroot (UAC)
[ Edited ]

‎06-10-2009 01:36 PM - edited ‎06-10-2009 01:42 PM

Hi

 

Funny, solved already

 

If you have Spybot S&D uninstall it 

 

Now  go to this post, Download Avenger http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

 

When you get to Number 3. use the script below

 

 

3. In the "Input script here:" copy and paste the script between the lines

 

Drivers to disable:

UACd.sys

 

Drivers to delete:

UACd.sys

 

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\WINDOWS\system32\wJQs.exe

C:\WINDOWS\system32\drivers\UACakcfxublxbeheme.sys 

C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACfwqvovmrcwvqxae.log

C:\WINDOWS\system32\UAChnoverfffpbbojg.dll

C:\WINDOWS\system32\UACikjwipoxduxtobi.dll

C:\WINDOWS\system32\uacvymnbtboeayohhs.dll

C:\WINDOWS\system32\uacqciqunodfnlghrv.dll

C:\WINDOWS\system32\UACjhwhfownswugepx.dll

C:\WINDOWS\system32\UACmeuaqmivkbmnyrj.dll

C:\WINDOWS\system32\UACqrmyxiqpfquufol.dat

C:\WINDOWS\system32\UACwordlvukxekdgqo.dll 

C:\Documents and Settings\user\Local Settings\Temp\UAC8ff7.tmp

C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys

C:\WINDOWS\system32\UACfoasddwfxtmqvpx.dat 

C:\WINDOWS\system32\UAClwmkyhhientbiem.log

C:\WINDOWS\system32\UACmpcxxnpkbpondir.dll

C:\WINDOWS\system32\UACprqrqrqvsqjpwcv.dll

C:\WINDOWS\system32\UACsfsqwaboulhcsxt.dll

C:\WINDOWS\system32\UACxjpfmkusfwiswns.dll

C:\WINDOWS\system32\UACyirwbwwostypehq.dll 

C:\WINDOWS\Temp\UAC5040.tmp

C:\WINDOWS\Temp\UACa4bb.tmp

C:\WINDOWS\Temp\UACa93c.tmp

C:\WINDOWS\Temp\UACe204.tmp

C:\WINDOWS\system32\UACpragfvramewsyfs.log

C:\WINDOWS\system32\UACjpbdqtxaqanyrcb.log                                                                                                           

 

Registry keys to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys


Then carry on with the other post from the screenshot and below

 

Quads 

 

 

 

Message Edited by Quads on 06-11-2009 08:37 AM
Message Edited by Quads on 06-11-2009 08:42 AM
Report Inappropriate Content
(3,372 Views)
delphinium
Posts: 9,680
Kudos: 2,856
Solutions: 283
Registered: ‎11-21-2008
Re: Malware problem in globalroot\systemroot (UAC)

‎06-10-2009 01:46 PM

Our users know already that when Quads shows up the problem is SOLVED. 

 

The original poster does have the option of changing his solved solution to the one that was most helpful.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Report Inappropriate Content
(3,364 Views)
gally
Visitor
gally
Posts: 7
Registered: ‎06-07-2009
Re: Malware problem in globalroot\systemroot (UAC)

‎06-10-2009 03:10 PM

Quads,

 

 I did as you told and saw lot of files got deleted. After that I ran a quick scan by my Symantec Antivirus. It detected a virus

 

c:\windows\system32\adptifn.exe.

 

I could see the particular file in that path but I am not sure if I can delete it. Also I rerun the rootrepeal and found the following log

 

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/06/11 03:26
Program Version:  Version 1.2.3.0
Windows Version:  Windows XP SP2
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\user\LOCALS~1\Temp\aujasnkj.sys
Address: 0xA8EFF000 Size: 81664 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA79D000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AF3000 Size: 8192 File Visible: No
Status: -

Name: ezcak.sys
Image Path: C:\WINDOWS\system32\drivers\ezcak.sys
Address: 0xF77DD000 Size: 61440 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8FFE000 Size: 45056 File Visible: No
Status: -

Name: UACdnkfrxllrmowqjk.sys
Image Path: C:\WINDOWS\system32\drivers\UACdnkfrxllrmowqjk.sys
Address: 0xAAABB000 Size: 81920 File Visible: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: winlogon.exe (PID: 944) Address: 0x00790000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: winlogon.exe (PID: 944) Address: 0x006d0000 Size: 45056

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: services.exe (PID: 992) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: services.exe (PID: 992) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACprqrqrqvsqjpwcv.dll]
Process: lsass.exe (PID: 1004) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACxjpfmkusfwiswns.dll]
Process: lsass.exe (PID: 1004) Address: 0x00850000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACoijxikibfsvravy.sys

 

 

 

Also I run the GMER and it highlighted one virus in red. It is

 

Service         system32\drivers\UACoijxikibfsvravy.sys (*** hidden *** )                                                           [SYSTEM] UACd.sys                                                                                          <-- ROOTKIT !!!

 

I have attached the log of Avenger in the following path

 

http://pastebay.com/21394

 

Is some serious virus still there in my system?

 

Gally

Report Inappropriate Content
(3,349 Views)
Quads
Bot Obliterator
Quads
Posts: 13,932
Registered: ‎07-21-2008
Re: Malware problem in globalroot\systemroot (UAC)
[ Edited ]

‎06-10-2009 03:14 PM - edited ‎06-10-2009 03:22 PM

Could you please post the Avenger log??  oh my bad, I see it. 

 

I will spend time looking over the Avenger log and new rootrepeal log, looks like anothee .sys file, (different name)

 

I will also script the .exe file you stated, the Exe file might be reloading the rootkit, with new names. 

 

Quads 

Message Edited by Quads on 06-11-2009 10:22 AM
Report Inappropriate Content
(3,346 Views)
gally
Visitor
gally
Posts: 7
Registered: ‎06-07-2009
Re: Malware problem in globalroot\systemroot (UAC)

‎06-10-2009 03:18 PM

Delphinium,

 

I am new to this community and I thought that the green Solution button is having some link to solution and I clicked that. I am happy to tick the original solution post once my problem is resolved.

 

But I am not sure still how to do that

 

Gally

Report Inappropriate Content
(3,342 Views)
gally
Visitor
gally
Posts: 7
Registered: ‎06-07-2009
Re: Malware problem in globalroot\systemroot (UAC)

‎06-10-2009 03:24 PM

Quad,

 

The avenger log is present in the path

 

http://pastebay.com/21394

 

Gally

Report Inappropriate Content
(3,339 Views)