Sunday, March 22, 2009

HKLM\Software\UAC* key prompt in RootKitRevealer

After about a month of troubled computing, I finally ran RootkitRevealer, and the first prompt that I got was that of the key HKLM\Software\UAC*.
If you also get it, chances are that you have been rootkited by Win32:Rootkit-gen.
A lot of googling revealed nothing as the rootkit team was unaware of the origin of the key.

So, I just started XP in safe mode and started Avast! Antivirus (Free Edition) and it detected a trojan in my operating system memory and recommended a boot scan.

To see how to schedule a boot scan click here.

The boot scan revealed 9 files in system32 infected by the Trojan Horse "WIN32: Fasec". It had infected DLL files in the System32, Temp and System32\drivers folders, which, not to my surprise, were named UACqumepxb.dll, UACdnberxns.dll etc., so you see the names are like UAC*. I just moved all the files to Chest (although I was prompted that the files I am about to move are System Files), as I was pretty sure that the DLLs were generated by the trojan and were named like UAC followed by a random string.

And now another RootKitRevealer scan doesn't show those keys!

It also solved another problem: my C: was not being mounted in the RKR scan, and it is now being scanned as well.

This is what my Scan Report looked like; it can be found in C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.

03/22/2009 19:59
Scan of all local drives

File C:\WINDOWS\system32\drivers\UACbqumepxb.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\UACdnberxns.dll is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\system32\UACiorjdptm.dll is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\system32\UACqjbpjwbm.dll is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\system32\UACwpwcdooe.dll is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\Temp\UAC828d.tmp is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\Temp\UAC8608.tmp is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\Temp\UAC9e24.tmp is infected by Win32:Fasec [Trj], Moved to chest
Number of searched folders: 15607
Number of tested files: 148765
Number of infected files: 8
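As an added example (not code from the original post), here is a small Python script that parses lines in the aswBoot report format shown above, checks the report's own "Number of infected files" against the parsed lines, and lists detections whose file name follows the UAC-plus-random-string pattern in the folders the post names (system32, system32\drivers, Temp). The `legit.dll` line in the sample and the directory list are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Sample input: three report lines copied from the post, plus one constructed
# line (legit.dll) to show that a non-UAC name is not flagged.
SAMPLE_REPORT = r"""03/22/2009 19:59
Scan of all local drives

File C:\WINDOWS\system32\drivers\UACbqumepxb.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\UACdnberxns.dll is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\Temp\UAC828d.tmp is infected by Win32:Fasec [Trj], Moved to chest
File C:\WINDOWS\system32\legit.dll is infected by Win32:Fasec [Trj], Moved to chest
Number of searched folders: 15607
Number of tested files: 148765
Number of infected files: 4
"""

# "File <path> is infected by <name> [<kind>], <action>"
LINE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>.+?) \[(?P<kind>[A-Za-z]+)\], (?P<action>.+)$")
COUNT_RE = re.compile(r"^Number of infected files: (\d+)$", re.M)
# UAC followed by a random alphanumeric string, with the extensions seen in the post.
UAC_RE = re.compile(r"^UAC[0-9a-z]+\.(dll|sys|tmp)$", re.I)
# Folders named in the post (assumed drive letter C:).
SUSPECT_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers", r"c:\windows\temp"}

def parse_report(text):
    """Return one dict (path, name, kind, action) per detection line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def count_matches(text, records):
    """True when the report's own infected-file count equals the number of parsed lines."""
    m = COUNT_RE.search(text)
    return m is not None and int(m.group(1)) == len(records)

def by_detection(records):
    """Count detections per signature name (e.g. Win32:Fasec)."""
    return Counter(r["name"] for r in records)

def uac_named(records):
    """Paths whose file name is UAC + random string and which sit in a suspect folder."""
    hits = []
    for r in records:
        parent, _, base = r["path"].rpartition("\\")
        if UAC_RE.match(base) and parent.lower() in SUSPECT_DIRS:
            hits.append(r["path"])
    return hits

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(by_detection(recs), count_matches(SAMPLE_REPORT, recs))
    print("\n".join(uac_named(recs)))
```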
