Please help with this situation. (MOVED)


  • Please log in to reply
6 replies to this topic

#1 BioRat

Posted 20 March 2009 - 07:49 AM

I am working on a friend's laptop that has a rootkit virus. It keeps starting iexplore.exe in the processes even though no one is using Internet Explorer.

I have tried anti-virus programs. They find files that start with UAC. I quarantine them but it leaves 2 that it can not move. I am asked to restart so it can remove them but it still does not remove them. I am doing this in Safe Mode. When I am not in safe mode the laptop freezes up and I have to do a hard reboot and use F8 to choose Safe Mode with Networking.

I have almost tried everything I can think of.

I did find a file in the system32 folder called uactmp. I opened it with Notepad and it has a large list of virus and trojan names. It also has names of anti-viral programs. Could the rootkit be using this file for a reference to keep anti-virus programs from installing correctly or corrupting their installation? If so, would it be wise to select it all and delete it and save? That would leave the rootkit defenseless unless it restores it on reboot.
I have tried to upload it as an attachment but it is a large text file, 1.8 MB. I will place the contents in another post if so directed to do so. But let me warn you. It is a lot to go through!

I can not install anything unless I am in safe mode. So what can I do? It freezes in normal mode. Will HiJack This install properly in safe mode so I can post its results on here?

Right now I am using my PC which is secure. (Been up for years with no problems.)

Here's a list of files I find that may be part of this virus, as all anti-viral programs find these.

uactmp (Data Base File)
UACrnbotepp.dll
UACqboykseh.dll
UACpkkyavno.dll
UACivhjwupg.dll
UACirsnsvnd.dll
uacinit.dll
UACfghcamld.dll
UACeaxvdqmr.dll

These were found by Comodo Anti-virus. It still did not get rid of the problem as these files come back.

I download programs to use with my PC and then transfer them to my MP3 player to copy to the infected PC for installing. (Only in safe mode)

SO? If anyone can help me, later I can help some here after I get recognized with some experience.

BioRat

Edited by garmanma, 20 March 2009 - 08:54 AM.
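As an added example that is not part of the original post or its replies: a small Python check that filters a system32 directory listing down to names following the scheme BioRat reported (an uppercase "UAC" prefix followed by roughly eight random lowercase letters, plus the fixed names uacinit.dll and uactmp), so they can be set aside for quarantine or submitted for analysis rather than deleted blindly. The sample listing is constructed; the letter-count range is an assumption drawn from the names listed above.

```python
import os
import re

# Naming scheme observed in the post: "UAC" + a run of random lowercase letters
# (eight in nearly every listed name, so a 7-9 range is assumed) and a .dll or
# .txt extension. uacinit.dll and uactmp appeared with fixed, lowercase names.
RANDOM_UAC = re.compile(r"^UAC[a-z]{7,9}\.(dll|txt)$")
FIXED_NAMES = {"uacinit.dll", "uactmp"}


def is_suspicious(name: str) -> bool:
    """True when a filename matches the naming scheme reported in the post."""
    return name.lower() in FIXED_NAMES or RANDOM_UAC.match(name) is not None


def find_suspicious(names):
    """Filter an iterable of filenames (for example os.listdir(system32))
    down to the names worth quarantining or analysing, sorted for stable output."""
    return sorted(n for n in names if is_suspicious(n))


def scan_directory(path: str):
    """Scan a real directory. Intended for an offline-mounted disk or Safe Mode,
    since the post reports the machine freezing in normal mode."""
    return find_suspicious(os.listdir(path))


# Constructed sample listing (not a real capture): names from the post mixed
# with ordinary-looking system32 entries that must NOT be flagged.
SAMPLE_LISTING = [
    "kernel32.dll", "ntdll.dll", "user32.dll", "drivers",
    "uactmp", "UACrnbotepp.dll", "UACqboykseh.dll", "uacinit.dll",
    "UACivhjwug.txt", "UAC.dll_not_random", "uacshort.dll",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LISTING):
        print("suspicious:", hit)
```

The filenames are only an indicator; a matching name is a reason to quarantine and analyse the file, not proof on its own.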



#2 BioRat

Posted 20 March 2009 - 08:15 AM

There were other files I found that I did not list. They are as follows.

UACuwpikxet.dll
UACtprumobw.dll
UACivhjwug.txt (30kb)

#3 Guest_Abacus 7_*

Posted 20 March 2009 - 08:26 AM

Take it cool, Mate, I've asked someone to move this to where you will get the Help you need, just be patient and wait for them before you do any more?

:thumbsup:

#4 BioRat

Posted 20 March 2009 - 08:34 AM

Thanks.

#5 BioRat

Posted 20 March 2009 - 11:40 AM

Now that I have been moved, I guess I can say more.

Well. To tell you the truth, I think I got a handle on this. It is running stable now and iexplore.exe is no longer showing up in the process list.

I also did a reg clean up and almost messed up. The PC did a recovery on its own when I rebooted. (Wasn't paying attention.) Got that fixed. Boots up the way I want it now. Fast and secure.

BUT! Now Internet Explorer will not open any sites. I quarantined most of those files I listed. I used Comodo Security Program. There is no Add/Remove Repair for Internet Explorer. Unless it is named something else.
If you know how to fix this please post it in a reply.

Here's the name of the Virus.
TrojWare.Win32.Rootkit.TDSS and then some random stuff. So if anyone else gets this, maybe I can offer assistance getting rid of it using certain programs. But, let me tell you. It was not an easy task.

#6 BioRat

Posted 20 March 2009 - 04:29 PM

Yep! Got it fixed. Well, all but the Internet Explorer situation. Guess you can tell I am not a quitter.
The person that owns the laptop has not brought their XP CD for me to reinstall IE. I downloaded Firefox and installed it and can go online with it no problem. Guess if they want IE then they will bring the laptop and CD back for me to fix for them. But this time I may charge them for it. God forbid they mess it up again and bring it back to me. Will really charge them as if they took it to a PC repair shop.

Later

BioRat, over and out.
