Author Topic: plscd.exe - worm - not detected by Avast  (Read 5433 times)


corbism

  • Guest
plscd.exe - worm - not detected by Avast
« on: December 12, 2007, 07:54:14 PM »
Just a heads-up to anyone else about this: Avast 4.7 Home doesn't recognize this as a threat. But it is.

Microsoft December Malicious Software Removal tool found:

backdoor:Win32/Rbot.gen    (detected, not removed)

After an hour or so of researching this and running a virus scan with no results, I found out that there was a strange process running on my system:

plscd.exe

I found out this was a Read Only and Hidden file in C:\Windows\System32\.
There was also a registry entry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: DRam prosessor (yes, misspelled)
Data: plscd.exe

I found a general lack of information on this with a google search, but all indicated this was definitely a worm.

I ended the running process, then manually ran the Malicious Software Removal Tool, and it reported no infections. If I manually launched plscd.exe or rebooted to get it running again, it would be detected by the Microsoft Malicious Software Removal Tool. So it was only detected when the plscd.exe process was running, but the tool couldn't remove it. This is how I figured out what was causing the Microsoft December Malicious Software Removal Tool to find backdoor:Win32/Rbot.gen and was able to associate the two.

Avast 4.7 anti-virus scans found nothing wrong with this file or anything running in memory.

Summary:
C:\Windows\System32\plscd.exe     (read only, hidden)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: DRam prosessor (yes, misspelled)
Data: plscd.exe

I deleted the file and deleted the registry entry.
« Last Edit: December 12, 2007, 08:06:24 PM by corbism »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: plscd.exe - worm - not detected by Avast
« Reply #1 on: December 12, 2007, 09:22:03 PM »
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

It does appear to be a good detection by the December MSRT, though you could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

corbism

  • Guest
Re: plscd.exe - worm - not detected by Avast
« Reply #2 on: December 12, 2007, 09:37:20 PM »
I zipped the file and sent it off to avast email. Thank you.

corbism

  • Guest
Re: plscd.exe - worm - not detected by Avast
« Reply #3 on: December 12, 2007, 09:41:11 PM »
Here are the results from the VirusTotal site you recommended:

http://www.virustotal.com/resultado.html?15742abf42d6fa3445e28240766d4f03

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33925
  • malware fighter
Re: plscd.exe - worm - not detected by Avast
« Reply #4 on: December 12, 2007, 10:05:50 PM »
Hi corbism,

This is part of WORM_R.BOT-CYA, so part of the R.BOT family. A technical description of this malware: alias Win32.Rbot.EEU is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable and is being very actively developed; however, the core functionality is quite consistent between variants.

This particular variant of Rbot is distributed as a 147,649 byte, Win32 executable that exhibits the following specific characteristics:

When executed this variant copies itself to the %System% directory as PLSCD.EXE and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DRam prosessor = "plscd.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\DRam prosessor = "plscd.exe"

Note: '%System%' and '%Windows%' are variable locations. The Worm determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.

That is your beast for ye,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: plscd.exe - worm - not detected by Avast
« Reply #5 on: December 12, 2007, 11:09:48 PM »
I zipped the file and sent it off to avast email. Thank you.

Thanks for taking the time to do this, hopefully it will benefit other avast users and be analysed and added to the signatures soon.

Welcome to the forums.

corbism

  • Guest
Re: plscd.exe - worm - not detected by Avast
« Reply #6 on: December 13, 2007, 04:18:45 PM »
I've gotten a bit paranoid recently over this incident. I've run numerous virus and spyware scans and haven't found anything else. I just ran a HijackThis scan and was wondering if anyone sees anything suspicious? I bolded a couple of lines that are suspicious to me.  Thanks.

--------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:58 AM, on 12/13/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\CMS Products\BounceBack Professional\BBLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Seacor\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] D:\Games\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Global Startup: BounceBack Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: plscd.exe - worm - not detected by Avast
« Reply #7 on: December 13, 2007, 05:23:49 PM »
FiX:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Other than that I don't see anything obvious in what is a very small/tidy HJT log.

My only question is what is your firewall ?

I see this, which one HijackThis analysis site believes is a firewall, but I'm not so sure a NetworkAccessManager would really be an effective firewall, considering you had that backdoor related infection. Is it on your system as a firewall, or is it more of a router/hardware firewall?
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
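The two things this thread turned on are the Run-key entry whose data is a bare file name ("DRam prosessor" = plscd.exe, a hidden, read-only file in System32) and the orphaned "(no file)" BHO in the HijackThis log. The triage below is an added example, not code from the thread or from HijackThis: it parses O2/O4 lines, treats "(no file)" BHOs as orphans, and resolves bare Run-key commands against a constructed stand-in for a System32 listing (a real audit would read the directory and its file attributes). The O4 line for plscd.exe is constructed from the registry entry corbism reported; it was not in the posted log.

```python
import re

# Constructed sample in HijackThis format. The plscd.exe O4 line is modelled on the
# "DRam prosessor" Run entry described in the thread; the rest are lines from the log.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\\..\\Run: [DRam prosessor] plscd.exe
"""

# Constructed stand-in for a listing of %SystemRoot%\System32:
# lower-cased file name -> set of file attributes a real audit would read from disk.
SYSTEM32 = {
    "cthelper.exe": set(),
    "plscd.exe": {"hidden", "readonly"},
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_token(cmd):
    """Return the executable part of a Run command: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(log, system32=SYSTEM32):
    """Return (severity, identifier, reason) findings for the O2/O4 lines of an HJT log."""
    findings = []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(("low", m.group("clsid"), "orphaned BHO, DLL missing: safe to fix"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = first_token(m.group("cmd"))
        if "\\" in exe or "%" in exe:
            continue  # explicit path or env var: the target is spelled out, nothing to flag here
        attrs = system32.get(exe.lower())  # bare name: Windows resolves it via the search path
        if attrs is None:
            findings.append(("medium", m.group("name"), f"{exe}: bare name, not found in System32"))
        elif "hidden" in attrs:
            findings.append(("high", m.group("name"), f"{exe}: bare name, {', '.join(sorted(attrs))} in System32"))
        else:
            findings.append(("info", m.group("name"), f"{exe}: bare name, resolves to a plain file in System32"))
    return findings
```

A bare name is only a triage signal (CTHELPER.EXE above is a legitimate driver helper); the hidden/read-only attributes on the resolved file are what separate plscd.exe from it.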

corbism

  • Guest
Re: plscd.exe - worm - not detected by Avast
« Reply #8 on: December 13, 2007, 05:29:13 PM »
I have a Linksys router and am also using the Vista firewall. I recently tried ZoneAlarm (to replace the Vista firewall), but it's not optimized for Vista yet and actually slows down the browsing. Quite annoying.

NetworkAccessManager is a part of the Nvidia nForce chipset software/drivers. Why would it say Unknown owner?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: plscd.exe - worm - not detected by Avast
« Reply #9 on: December 13, 2007, 05:37:52 PM »
Neither the Linksys router nor the Vista Firewall provides outbound protection. The Vista Firewall's outbound protection is disabled by default, and when enabled it doesn't provide any help in configuration.

Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0

ZA has an issue with Vista in that there is a bug which causes a short delay in all connections including local network connections. So that may be why you had the problems.

It is unknown because wherever HJT goes to seek this information doesn't have the Ownership details. This may be in the File Properties, Version, Company, perhaps.

corbism

  • Guest
Re: plscd.exe - worm - not detected by Avast
« Reply #10 on: December 13, 2007, 06:12:59 PM »
Thanks for the assistance Dave. I'll check into that Vista firewall outbound modification.

One more hopefully last question regarding this whole thread...

When I was troubleshooting this issue from yesterday and after I had installed ZoneAlarm (my freaking out phase), I was doing a "ping localhost" to see if it would return 127.0.0.1.  ZoneAlarm halted the ping with a security alert.  The destination IP was that of a Microsoft range of IP addresses.  When I temporarily allowed PING access, I did receive a reply from 127.0.0.1.

Anyway, I just installed ZoneAlarm again for the outbound protection (will live with the response time issue for now).  I did another ping against localhost and ZoneAlarm reports the destination IP is 75.125.29.226:DNS (This is a Google IP address).  If I allow it, I do get my reply from 127.0.0.1.

Is this odd or normal?  Why would a ping against my localhost have anything to do with some other destination IP (yesterday Microsoft and today Google)?
« Last Edit: December 13, 2007, 06:16:52 PM by corbism »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89205
  • No support PMs thanks
Re: plscd.exe - worm - not detected by Avast
« Reply #11 on: December 13, 2007, 08:48:04 PM »
I honestly can't see the purpose in pinging the localhost address (the IP of localhost by default is 127.0.0.1). ZA may firstly have thought it suspicious.

I'm not too impressed with the current ZA, but pinging localhost may return a strange result, as the ping seems to have been trying to resolve the domain of the 127.0.0.1 IP. The 75.125.29.226:DNS is a DNS (Domain Name Server) connection. So I have no idea what is going on, only that personally I would not spend time trying to find out why, and would not ping localhost.

Vista is proving a real challenge for many firewalls, many forum members are using comodo firewall, but that version 3.0 has also had a couple of hiccups.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.