Author Topic: multiple infection!!!!!  (Read 19256 times)


sasin44

  • Guest
multiple infection!!!!!
« on: June 21, 2007, 09:31:53 PM »
Hi,
2 days ago I scanned my system with AVG Anti-Spyware and found a memory-resident trojan named
"downloader.agent.uj".
I took a look at the processes and found that there was no active process running..
After self-analysing the HijackThis log I found something really weird...
All I could make out of it was that it was a DLL infection...
it was rpcc.dll in the system32 folder.

I could find its registry entries as:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc
Asynchronous=1

Impersonate=1
and

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc
Startup
Startup

This is my first .dll infection and I don't know how to go about deleting this one. cont...

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #1 on: June 21, 2007, 09:33:11 PM »
I scanned it with VirusTotal and here is what I got...

Complete scanning result of "rpcc.dll"

Antivirus Version Update Result
AhnLab-V3 2007.6.20.1 06.20.2007 Win-Trojan/Dlena.31232.L
AntiVir 7.4.0.34 06.20.2007 TR/Proxy.Dlena.CQ.4
Avast 4.7.997.0 06.20.2007  no virus found
AVG 7.5.0.467 06.19.2007 Proxy.NJQ
BitDefender 7.2 06.20.2007 Worm.P2P.AB
CAT-QuickHeal 9.00 06.19.2007 TrojanProxy.Dlena.cq
ClamAV devel-20070416 06.20.2007 Trojan.Proxy-653
NOD32v2 2341 06.20.2007 Win32/TrojanProxy.Dlena 
Prevx1 V2 06.20.2007 Generic.Malware
Sunbelt 2.2.907.0 06.09.2007 SpamTool.Win32.Agent.h
Symantec 10 06.20.2007 Trojan.Packed.9
TheHacker 6.1.6.136 06.20.2007 Trojan/Proxy.Dlena.cq
Webwasher-Gateway 6.0.1 06.20.2007 Trojan.Proxy.Dlena.CQ.4

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #2 on: June 21, 2007, 09:42:52 PM »
I decided to ignore the DLL infection and take help from you guys after my exams,
since it was not affecting my bandwidth anyway.
But now I got another infection: I clicked on a 2.56 MB .exe file after scanning it with AVG and Avast, which detected nothing.
Then I saw that Mozilla Firefox was running as a process; I knew I was infected right away.
I could terminate the process, but it would come right back in 30 seconds.
I managed to rename firefox.exe to 1firefox.exe...
but unfortunately there was some hidden process running which used 70% of the CPU and my computer became very slow.
I had disabled access to regedit through AVG Anti-Spyware >> Tools,
so I figured that if I rebooted, the malware on my system would not be able to autostart itself...
but it was able to autostart; now I have two firefox.exe running in processes.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #3 on: June 21, 2007, 09:44:03 PM »
LOG before reboot

Logfile of HijackThis v1.99.1
Scan saved at 12:11:53 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\softwares\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E594B39C-D9A5-4E09-B363-7CBDDD2066EE}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)


sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #4 on: June 21, 2007, 09:46:10 PM »
Log file after reboot
Logfile of HijackThis v1.99.1
Scan saved at 1:13:14 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\softwares\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E594B39C-D9A5-4E09-B363-7CBDDD2066EE}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)


sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #5 on: June 21, 2007, 09:53:06 PM »
I was using Internet Explorer when taking the HijackThis log....
Do you guys want me to terminate the firefox.exe processes,
rename firefox.exe as 1firefox.exe,
and take another log and post it???? ;D
If I do the renaming my system starts to slow down, since there is another invisible process running
which is trying to start the firefox.exe process and eats up my CPU.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: multiple infection!!!!!
« Reply #6 on: June 21, 2007, 09:59:51 PM »
You have a DNS redirection infection. See here:

http://forum.avast.com/index.php?topic=24967.msg206445#msg206445

These can be associated with a rootkit, so try some rootkit scans, or the anti-rootkit tool mentioned in the thread, if you see the signs of that rootkit.

rpcc.dll is bad.

Try the usual suspects. (Here follows cut and paste advice.)

Rootkit (hidden malware) scans, to look for and remove them:

Panda Antirootkit: http://www.pandasoftware.com/products/antirootkit/

Blacklight: http://www.f-secure.com/blacklight/

AVG Anti-Rootkit: http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5

Try a boot time scan with avast!? Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

Try the usual free adware/spyware scanners?

AVG Anti-Spyware (Requires Win2k/XP)
a-Squared Free
Ad-Aware
Spybot Search & Destroy

Download, install and update all the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #7 on: June 21, 2007, 10:49:43 PM »
So can I boot in safe mode and remove the rpcc.dll infection........
by deleting the reg entries I mentioned above?????

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: multiple infection!!!!!
« Reply #8 on: June 21, 2007, 11:15:19 PM »
If the scanners I mentioned fail to remove rpcc.dll, try SUPERAntiSpyware: it has a write up and should fix it.

http://www.fileresearchcenter.com/R/RRPC.DLL-9305.html

I think Winlogon processes run even in Safe Mode, so you will need an anti-malware program that can kill process-injecting malware: AVG Anti-Spyware is another option, or a boot time scan with avast! if it detects this file.

You will also need to remove the DNS hijack entries with HijackThis! If they come back, it means a rootkit, so you will need to scan for rootkits, or maybe use FixWareout (see thread).

Check the O17 entries and if they are domains associated with a DNS hijack, fix them.

Good luck!
« Last Edit: June 21, 2007, 11:28:21 PM by FreewheelinFrank »
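A scripted version of the checks Frank describes in replies #6 and #8 (O17 NameServer values that are not the resolvers the machine should be using, Winlogon Notify packages such as rpcc, and a service whose image path has no file name), added here as an example; it is not code from the thread or from HijackThis itself. The expected-resolver set and the Windows XP Notify package list are assumptions to adjust for the machine being examined.

```python
import re

# Resolvers this machine should be using (assumed placeholder; replace with the
# addresses your ISP or LAN router actually hands out).
EXPECTED_NAMESERVERS = {"192.168.1.1"}
# Winlogon Notify packages that ship with Windows XP (assumed default list).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def check_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    findings = []
    line = line.strip()
    if m := O17_RE.match(line):
        # Interface keys list servers comma-separated, the Parameters key
        # space-separated, so split on either.
        servers = re.split(r"[ ,]+", m.group("servers").strip())
        rogue = [s for s in servers if s not in EXPECTED_NAMESERVERS]
        if rogue:
            findings.append(("high", "O17 NameServer not in expected set: "
                             f"{', '.join(rogue)} ({m.group('key')})"))
    elif m := O20_RE.match(line):
        name, dll = m.group("name"), m.group("dll")
        if "(file missing)" in dll:
            findings.append(("medium", f"O20 orphaned Winlogon Notify entry: {name}"))
        elif name.lower() not in KNOWN_NOTIFY:
            findings.append(("high", f"O20 unknown Winlogon Notify package: {name} -> {dll}"))
    elif m := O23_RE.match(line):
        # Image path runs up to the first ".exe"; HijackThis 1.99.1 leaves a stray
        # quote and the service arguments after it for some quoted paths.
        img = re.match(r'"?(?P<img>.+?\.exe)', m.group("path"), re.I)
        base = img.group("img").rsplit("\\", 1)[-1] if img else ""
        if base.lower() in ("", ".exe"):
            findings.append(("high", f"O23 service with no image file name: {m.group('name')}"))
    return findings

def scan_log(text):
    """Run check_line over a whole log; return (line_no, severity, reason) tuples."""
    return [(n, sev, why) for n, line in enumerate(text.splitlines(), 1)
            for sev, why in check_line(line)]

# Constructed sample built from entries quoted in the thread's own logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)
"""

if __name__ == "__main__":
    for n, sev, why in scan_log(SAMPLE_LOG):
        print(f"line {n} [{sev}] {why}")
```

Feed it a full saved log and it reports the line numbers to fix in HijackThis; the same O17 servers showing up under CCS, CS1 and CS2 is how the hijack survives a reboot into the last known good configuration.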

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #9 on: June 21, 2007, 11:30:07 PM »
Hi Frank, F-Secure BlackLight did the work to some extent.
It picked up a hidden process which RootkitRevealer did not pick up.
Hidden file: c:\WINDOWS\system32\cswxl.exe

I renamed it and rescanned with AVG Anti-Rootkit and F-Secure again;
nothing else was found...
but the firefox.exe keeps running  :(
I just suspended the process with Process Explorer..
and the VirusTotal analysis for cswl.exe was surprisingly sad...
And as I expressed, by my inability to send malware to avast through the chest I am helpless,
and even if I send the malware through e-mail using 7z and password protected (even encrypting the name while zipping)
there have been no detections for the malware I sent.

AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 06.21.2007 could be a corrupted executable file
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007 Downloader.Agent.KQC
BitDefender 7.2 06.21.2007 Trojan.Peed.Gen
CAT-QuickHeal 9.00 06.21.2007 TrojanDownloader.Agent.uj
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.21.2007 Win32.Agent.uj
eTrust-Vet 30.8.3731 06.21.2007 Win32/Alureon!generic
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 Agent.BC!tr.spy
F-Prot 4.3.2.48 06.21.2007 W32/new-malware!Maximus
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Agent.uj
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Agent.uj
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Agent.uj
McAfee 5058 06.21.2007 Spy-Agent.bc
Microsoft 1.2607 06.21.2007 Trojan:Win32/Alureon.A
NOD32v2 2343 06.21.2007 a variant of Win32/Small.FB
Norman 5.80.02 06.21.2007 W32/DNSChanger.CJL
Panda 9.0.0.4 06.21.2007 Trj/Ruins.MB
Sophos 4.18.0 06.21.2007 Mal/Behav-027
Sunbelt 2.2.907.0 06.21.2007 Bloodhound.Packed.7
Symantec 10 06.21.2007 Downloader
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.21.2007 MalwareScope.Trojan.DnsChange.1
VirusBuster 4.3.23:9 06.21.2007 
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.DNSChanger.Gen

Gee, I have accumulated a lot of malware which avast does not detect, but I am helpless ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #10 on: June 21, 2007, 11:31:20 PM »
@ sasin44
Don't forget to send samples to avast, it may help others.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #11 on: June 21, 2007, 11:36:56 PM »
Yes, after 4 recent infections I will DropMyRights from now on..
And DavidR, can you help me with this "not able to send samples to avast" problem??
I downloaded Thunderbird guessing that it is needed to send the samples, but it says POP3 is not enabled for my Gmail account,
so I've got to look into it. I hope I will be able to send samples to avast soon.
And any suggestions on how to stop firefox.exe?

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #12 on: June 21, 2007, 11:45:25 PM »
And here is the link from where I got the malware....
http://rapidshare.com/files/37754284/RapidShare_Premium_Accounts_Generator.zip.html


And it does not generate any valid keys ;D

I guess the 2.56 MB file is packed with multiple malware, one of them a rootkit which F-Secure detected and the other a yet-undetected one which has my Firefox running.
Someone pass it on to avast... God knows how many malware I am infected with..

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: multiple infection!!!!!
« Reply #13 on: June 22, 2007, 12:26:02 AM »
and DavidR can you help me with this "not able to send samples to avast" problem??
I downloaded Thunderbird guessing that it is needed to send the samples but it says POP3 is not enabled for my Gmail account
The avast mail scanner doesn't support SSL (Secure Socket Layer) connections and does not scan Gmail as is. But take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.

The solution is to pass e-mail in and out un-encrypted from your client (Outlook Express, Thunderbird, ...) to a proxy program (Stunnel) that does the actual ssl or tls encryption/decryption of the pop3/smtp e-mail and communicates directly with the ISP server on the appropriate ports. Download here: http://www.stunnel.org/download/binaries.html

and any suggestions on how to stop firefox.exe
What do you mean?
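The layout Lisandro describes, written out as an stunnel client configuration: the mail client talks plain POP3/SMTP to ports on 127.0.0.1 where avast can scan the traffic, and stunnel carries it over TLS to the provider. This is an added example, not from the post or from stunnel's own documentation; the Gmail host names and ports, the service names and the CA bundle path are assumptions for a Gmail setup.

```ini
; stunnel.conf, client side: one tunnel per protocol.
; Point Thunderbird at 127.0.0.1:110 (POP3) and 127.0.0.1:25 (SMTP), no SSL.
client = yes

; Check the remote certificate against a CA bundle instead of accepting
; whatever certificate is presented; assumed path to the bundle.
verify = 2
CAfile = C:\stunnel\ca-certs.pem

[gmail-pop3]
accept  = 127.0.0.1:110
connect = pop.gmail.com:995

[gmail-smtp]
accept  = 127.0.0.1:25
connect = smtp.gmail.com:465
```

Without verify and CAfile the tunnel still encrypts, but anything that can answer on the way to the server (a hijacked DNS resolver included) can terminate it with its own certificate.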

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #14 on: June 22, 2007, 12:50:11 AM »
The firefox.exe is run by the malware; I am using Internet Explorer..
I have Mozilla installed on my system but I did not click on it. It's autostarting and running by itself..
and even the browser window is not showing...........

And I am 100% sure that the link I gave you has a virus.. cos 45 seconds after I clicked the .exe file all these things happened :(
OK, one ultimate test: extract the file and try to generate an account for yourself ;D
Just kidding.. I am sure it is some kind of super advanced malware, maybe the first of its kind..
F-Secure BlackLight just found the rootkit....component..
The firefox you see in my HijackThis log is mostly a dialer.

And can I know which software you use to get snapshots of your window??
« Last Edit: June 22, 2007, 12:51:54 AM by sasin44 »