Rootkit keylogger: userinit, wJQs.exe, adv.exe, sysguard.exe, lowsec, sdra64.exe?

Hey guys,
I removed a pretty stealthy rootkit from a client's work machine today. She called me in the morning complaining of "lots of popups". I headed over there immediately and checked into it. She had NOD32, SuperAntiSpyware, Windows Firewall and XP SP3 installed, and her browser is Firefox 3.07 at the time of infection. So her system should have been reasonably secure!

Symptoms:
1) something had modified the HTTP proxy to "localhost" port 7171. She could not open www.google.com, it would throw up a connection error.
2) a process called "s.exe" was running in task manager and consuming 50% cpu. Checked it with ProcessExplorer running from my write-protected usb stick showed open TCP/HTTP connections from s.exe.
3) I also found various traces of malware with Autoruns. Interestingly, the NT logon UserInit section had been modified. I reverted it to default in Regedit and noticed something almost immediately changed it back.
4) Ran rootalyzer and saw this:
http://img408.imageshack.us/img408/3416/rootalyz.png

Removal
To get rid of that I booted up with my WinPE disc and deleted those files, I was then able to clean the rest of the malware off using various combinations of commandline tools, a fresh install of SaS and Spybot S&D. All checked out clean and I updated the NOD32 to v4.0 just for good measure. I created a mini-quarantine of these files for forensic purposes if anyone wants to have a look, I've zipped it up here:

~Link removed. No links to malware or potentially harmful files are to be posted on this forum.~

I also submitted those same files to VirusTotal and they came up 30-40% malware, and suggested possible keylogger activity (as did Google). I notified my client right away to change her passwords and check for any suspicious activity on her accounts even though the virus was only present and active on her system for a few hours. She informed me that she doesn't typically type in her passwords; she keeps them saved in autocomplete (that might be worse!!) so I don't know if these were compromised. As far as I know most keyloggers intercept the keystrokes but not a stored password although I suppose the malware could have easily transmitted her ProtectedStorage and decrypted her passwords. Not sure if Firefox is also vulnerable to this.

Bottom Line:
I am worried about it and was wondering if anyone's come across this beast, is it really a keylogger and if so, is there any way to tell what information might have leaked? Anyone got any more info to share? thanks

 

http://www.threatexpert.com/files/sysguard.exe.html
http://www.threatexpert.com/files/s.exe.html

Trojan and it looks like she probably had more than one.

edit heres the 64 one also
http://www.threatexpert.com/report.aspx?md5=7e98c199e9790a392c2f27cf38b8a6c2

 

LuckMan212, Did your client have SAS installed and running as resident, real-time protection? Do you know if your client had updated to the most current defs for her AV (I see she did not have the most current program version) and for her AS? And do you know if she was up to date with MS Critical Updates? These questions would concern me right off the bat.

 

Actually, she probably installed it herself. From what I see in the detection list, a lot of them are fraud tools, so she may have installed something rogue, and if NOD32 was not configured to detect PUA, then it can and will infect her system.

 

Yes SAS was running in resident-mode. She was fairly current, the defs were updated but the program version itself was 1 version behind I think.

NOD32 had the latest defs but she was running 3.0 not the newly released 4.0 - not sure that would have made a difference or not.

After talking with her some more, I am 90% sure that this trojan got in via the recent Acrobat PDF javascript exploit. I checked her system and found that her Acrobat Reader was configured (as most are) with javascript enabled. I also learned that she uses Windows Media Player to listen to "free internet radio" stations, and these stations are loaded with pop-up ads. So that could have been a vector as well. I have directed her towards Last.fm instead and disabled the rest, and advised her to change all her passwords and carefully check her banking and online shopping accounts for suspicious activity. Fingers crossed.

 

Another good one is Pandora Radio. Been using it for months with nary a pop-up at all.

 

I would tell her to run threatfire with her av.

 

Update: I returned to her machine and did some more forensics. I was able to determine with almost 100% certainty that the infection vector was the PDF javascript exploit, as I suspected. I also learned that she still had still been using Internet Explorer for some sites because "it has my passwords saved" (her words) GAH! So I examined her IE history and discovered the following 2 visited URLs:

(be careful with these links! they most likely are still infected)

~Links removed~

After that, I saw a bunch of requests for adserving sites including "c5.zedo.com", "tuneclub.com", "searchfeed.com" and "advancesoftwaretool.com" (VirusRemover2009). There was also a curious site called "buidnote.com" whose URL appeared to be followed by a base64-encoded string of considerable length. I am guessing that this may have been a site built to collect data from the keylogger, because when I visit the site, nothing at all is sent to the browser- no HTML or anything. So it appears to be some kind of data collector. The entry only appeared once and I tried to decrypt the data as base64 which returned some unreadable text so not exactly sure what that is. I would post the string here but I am a little worried that it may contain sensitive data.

The good news is that the rootkit appears to have been squashed, the popups have not returned.

 

Basically I need an answer if you have one, I was doing a security scan on my computer and something came up saying that A threat was detected, I googled the file name and this thread came up.

The name of it is buidnote.com and What I wanted to know is how I can get rid of it. What honestly confuses me is that the "threat name" is 'exploit lucky ecploit pack.' I have no idea what this is.

 

Last night my daughter who is using NOD32 V3 anti-virus appears to be infected with kaka.exe and sysguard.exe. Her NOD32 virus definitions are current.

Do you need to run more that one anti virus/spyware software your machine. Some of the different programs conflict if they are run on the same PC.

Thanks!

 

JRViejo -

Thanks for your reply. This issue is more difficult because my daughter in in Virginia and I am in Kansas City and I am trying to help her over the phone.

I will look at MBAM and SAS as you suggest. The other problem is that when ever she tries to get onto the Internet (to get these programs) apparently the virus or whatever is infecting her computer points Internet Explorer to a specific site and she can't type in the URL she wants.

Thanks again for your help,

 

hi bill

if she boots in safe mode prob F8 with networking that may not happen.
or search's with a different search engine
or try and download and install a different browser

she/or you could even watch a video from matt @ malware on youtube on MBAM on SAS and download and then run them herself. ( where I got my info ).

Main thing is not too panic - and have a think about what personal data may be gone. probably banking stuff would be the main risk , or credit cards , depending if they hold the customer liable or not.

Hope this helps
J

 

Joey and JR;

Thanks for your info - I'll keep you posted.