Just a heads-up to anyone else about this, as Avast 4.7 Home doesn’t recognize this as a threat. But it is.
Microsoft December Malicious Software Removal Tool found:
backdoor:Win32/Rbot.gen (detected, not removed)
After an hour or so of researching this and running a virus scan with no results, I found out that there was a strange process running on my system:
plscd.exe
I found out this was a Read Only and Hidden file in [b]C:\Windows\System32[/b].
There was also a registry entry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: DRam prosessor (yes, misspelled)
Data: plscd.exe
I found a general lack of information on this with a Google search, but all indicated this was definitely a worm.
I ended the running process. I manually ran the Malicious Software Removal Tool and it reported no infections. If I manually launched plscd.exe or rebooted to get it running again, it would be detected by the Microsoft Malicious Software Removal Tool. So, it was only detected when the plscd.exe process was running, but it couldn’t remove it. This is how I figured out what was causing the Microsoft December Malicious Software Removal Tool to find backdoor:Win32/Rbot.gen and was able to associate the two.
Avast 4.7 anti-virus scans found nothing wrong with this file or anything running in memory.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body, a link to this topic (which might help), and “undetected malware” in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
It does appear to be a good detection by the December MSRT, though you could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.
This is part of WORM_R.BOT-CYA, so part of the R.BOT family. A technical description of this malware: alias Win32.Rbot.EEU is an IRC controlled backdoor (or “bot”) that can be used to gain unauthorized access to a victim’s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.
This particular variant of Rbot is distributed as a 147,649 byte, Win32 executable that exhibits the following specific characteristics:
When executed this variant copies itself to the %System% directory as PLSCD.EXE and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:
Note: ‘%System%’ and ‘%Windows%’ are variable locations. The worm determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
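The persistence described above (a Run value whose data is a bare file name, resolved from %System%, pointing at a hidden, read-only file with no vendor information) is the kind of thing a scan of the Run key can flag even when the AV engine has no signature for the file. The following script is an added example, not code from the thread or from any of the products mentioned: it triages a constructed list of Run values against constructed file attributes, using the default XP %System% path the description gives. The sample values and file info are made up for illustration; only the `DRam prosessor` / `plscd.exe` entry is modelled on the thread.

```python
import ntpath

# Default %System% on XP, as the technical description in the thread states.
SYSTEM_DIR = r"C:\Windows\System32"

# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# values. Only the first entry is modelled on the thread; the others are
# made-up benign entries for contrast.
SAMPLE_RUN_VALUES = {
    "DRam prosessor": "plscd.exe",
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "avast!": r'"C:\Program Files\Alwil Software\Avast4\ashDisp.exe" /silent',
}

# Constructed stand-in for what a scan of the files on disk would report
# (attributes and version info). Keys are lower-cased full paths.
SAMPLE_FILE_INFO = {
    r"c:\windows\system32\plscd.exe":
        {"hidden": True, "readonly": True, "company": None},
    r"c:\windows\system32\ctfmon.exe":
        {"hidden": False, "readonly": False, "company": "Microsoft Corporation"},
    r"c:\program files\alwil software\avast4\ashdisp.exe":
        {"hidden": False, "readonly": False, "company": "ALWIL Software"},
}


def extract_image_path(command):
    """Pull the executable out of a Run-value command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def resolve_image_path(image, system_dir=SYSTEM_DIR):
    """A bare file name in a Run value is located via the loader's search
    path; %System% is the usual hit, so resolve there.  Simplification: this
    model checks only that directory.  Returns (full_path, was_bare)."""
    if ntpath.dirname(image):
        return image, False
    return ntpath.join(system_dir, image), True


def triage_run_entries(run_values, file_info, system_dir=SYSTEM_DIR):
    """Return {value name: [reasons]} for Run entries worth a closer look."""
    findings = {}
    for name, command in run_values.items():
        reasons = []
        image = extract_image_path(command)
        path, was_bare = resolve_image_path(image, system_dir)
        if was_bare:
            reasons.append("bare file name, resolved to %s" % path)
        info = file_info.get(path.lower())
        if info is None:
            reasons.append("file not found on disk")
        else:
            if info["hidden"]:
                reasons.append("file has Hidden attribute")
            if info["readonly"]:
                reasons.append("file has Read-only attribute")
            if not info["company"]:
                reasons.append("no company name in version info")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_entries(SAMPLE_RUN_VALUES, SAMPLE_FILE_INFO).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed data, only the `DRam prosessor` entry is reported, with all four reasons; the two benign entries have full paths, normal attributes and a company name, so they produce nothing. Any one reason alone is weak evidence (plenty of legitimate software lacks version info), which is why the script reports the reasons rather than a verdict.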
I’ve gotten a bit paranoid recently over this incident. I’ve run numerous virus and spyware scans and haven’t found anything else. I just ran a HijackThis scan and was wondering if anyone sees anything suspicious? I bolded a couple of lines that are suspicious to me. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:58 AM, on 12/13/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
Fix:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Other than that I don’t see anything obvious in what is a very small/tidy HJT log.
My only question is what is your firewall ?
I see this, which one HijackThis analysis site believes is a firewall, but I’m not so sure a NetworkAccessManager would really be an effective firewall, considering you had that backdoor-related infection. Is it on your system as a firewall, or is it more of a router/hardware firewall?
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
I have a Linksys router and also using Vista firewall. I recently tried ZoneAlarm (to replace the vista firewall), but it’s not optimized for Vista yet and actually slows down the browsing. Quite annoying.
NetworkAccessManager is a part of the Nvidia nForce chipset software/drivers. Why would it say Unknown owner?
Neither the Linksys router nor the Vista Firewall provides outbound protection. The Vista Firewall’s outbound protection is disabled by default and, when enabled, doesn’t provide any help in configuration.
ZA has an issue with Vista in that there is a bug which causes a short delay in all connections including local network connections. So that may be why you had the problems.
It is unknown because wherever HJT goes to seek this information doesn’t have the ownership details. This may be in the File Properties, Version, Company, perhaps.
Thanks for the assistance Dave. I’ll check into that Vista firewall outbound modification.
One more hopefully last question regarding this whole thread…
When I was troubleshooting this issue from yesterday and after I had installed ZoneAlarm (my freaking out phase), I was doing a “ping localhost” to see if it would return 127.0.0.1. ZoneAlarm halted the ping with a security alert. The destination IP was that of a Microsoft range of IP addresses. When I temporarily allowed PING access, I did receive a reply from 127.0.0.1.
Anyway, I just installed ZoneAlarm again for the outbound protection (will live with the response time issue for now). I did another ping against localhost and ZoneAlarm reports the destination IP is 75.125.29.226:DNS (This is a Google IP address). If I allow it, I do get my reply from 127.0.0.1.
Is this odd or normal? Why would a ping against my localhost have anything to do with some other destination IP (yesterday Microsoft and today Google)?
I honestly can’t see the purpose in pinging the localhost address (the IP of localhost by default is 127.0.0.1). ZA may firstly have thought it suspicious.
I’m not too impressed with the current ZA, but pinging localhost may return a strange result, as the ping seems to have been trying to resolve the domain of the 127.0.0.1 IP. The 75.125.29.226:DNS is a DNS (Domain Name Server) connection. So I have no idea what is going on, only that personally I would not spend time trying to find out why, and would not ping localhost.
Vista is proving a real challenge for many firewalls. Many forum members are using Comodo Firewall, but that version 3.0 has also had a couple of hiccups.
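Dave’s reading is that the ping was trying to resolve a name for the 127.0.0.1 address. As an added illustration that is not part of the thread and not taken from any of the tools discussed, the script below models where each half of such a lookup is answered: a forward lookup of the name `localhost` is satisfied from the hosts file and never leaves the machine, whereas a reverse lookup of an address that the hosts file does not answer becomes a PTR query for a name under `in-addr.arpa` (for 127.0.0.1, `1.0.0.127.in-addr.arpa`) and is sent to the configured DNS server, which is the kind of outbound DNS connection a firewall would show. The hosts-file content is constructed, and the model is deliberately simplified (a single hosts file, no cache, no DNS suffix search).

```python
import ipaddress

# Constructed hosts-file content; not copied from any real machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.1     router.lan
"""


def parse_hosts(text):
    """Build forward (name -> [addresses]) and reverse (address -> name)
    maps from hosts-file text, ignoring comments and blank lines."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        addr = str(ipaddress.ip_address(addr))  # normalise spelling of the address
        for name in names:
            forward.setdefault(name.lower(), []).append(addr)
        reverse.setdefault(addr, names[0].lower())  # first name on the line wins
    return forward, reverse


def forward_lookup(name, forward):
    """Name -> address.  Answered from the hosts map when present; otherwise
    the resolver would have to send an A query to the configured DNS server."""
    hits = forward.get(name.lower().rstrip("."))
    if hits:
        return {"source": "hosts", "answer": hits}
    return {"source": "dns", "query": (name, "A")}


def reverse_lookup(addr, reverse):
    """Address -> name.  Answered from the hosts map when present; otherwise
    the resolver builds the in-addr.arpa / ip6.arpa name and sends a PTR
    query to the configured DNS server (the outbound DNS connection)."""
    ip = ipaddress.ip_address(addr)
    key = str(ip)
    if key in reverse:
        return {"source": "hosts", "answer": reverse[key]}
    return {"source": "dns", "query": (ip.reverse_pointer, "PTR")}


if __name__ == "__main__":
    fwd, rev = parse_hosts(SAMPLE_HOSTS)
    print("localhost  ->", forward_lookup("localhost", fwd))
    print("127.0.0.1  ->", reverse_lookup("127.0.0.1", rev))
    # With no local reverse entry the same address turns into a DNS query.
    print("127.0.0.1 (no hosts entry) ->", reverse_lookup("127.0.0.1", {}))
```

The contrast in the last two lines of the demo is the point: the same address is answered locally when the hosts file carries a line for it, and otherwise produces a PTR query that goes out to the DNS server. Whether a given ping implementation performs that reverse lookup at all depends on the tool and its options, which the thread does not establish.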