
Computer seriously infected - trojan.agent & kwincy?


12 replies to this topic

#1 jav100

Posted 27 August 2009 - 01:05 AM

Hi,

I've been working on this laptop for a friend now and I managed to get it cleaned somewhat. It's a Toshiba Laptop running Vista 32-bit, 2GB's ram.

It wouldn't even start to boot correctly until I downloaded Malwarebytes Anti-Malware. Apparently the person who owns the computer downloaded and installed Windows Antivirus Pro (which is ransomware I believe). That program wouldn't allow any .exe files to run. But I've since fixed that.

Anyhow, once I ran the anti-malware program and scanned the computer, it found 300 infections, and cleaned them, except these two:

c:\windows\system32\uacinit.dll (Trojan.Agent)
\\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll (this one gets removed, but seems to reinstall itself)

Another interesting thing is that I've tried to install adaware but it says that the program installation is corrupt. I tried to install spyware-doctor and it doesn't let me do that either.

I also notice it doesn't let me connect to the internet, it always tries to go to kwincy.com which I believe is another virus/mal-ware in itself.

What am I to do?

#2 Blade (Site Admin)

Posted 27 August 2009 - 07:12 AM

Hello jav100 and welcome to Bleepingcomputer!

We need to do a rootkit scan.

Please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
    Disconnect from the Internet or physically unplug your Internet cable connection.
    Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
    Temporarily disable your anti-virus and real-time anti-spyware protection.
    After starting the scan, do not use the computer until the scan has completed.
    When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 jav100 (Topic Starter)

Posted 27 August 2009 - 12:52 PM

Ok, I installed RootRepeal. However, I should note that when I first ran it (even though I used 'Run As Admin') it came up with the following message: "Could not read the boot sector. Try Adjusting the Disk Access Level in the Options Dialog". I then scanned anyway, but it gets stuck. Should I adjust the Disk Access Level?

#4 jav100 (Topic Starter)

Posted 27 August 2009 - 06:48 PM

Anybody have any other suggestions? I appreciate it.

#5 Blade (Site Admin)

Posted 27 August 2009 - 08:24 PM

Have you tried adjusting the disk access level? If not, switch it to high, then try the scan again. If that fails, try this.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
RootRepeal log and/or GMER log



#6 jav100 (Topic Starter)

Posted 28 August 2009 - 03:45 PM

I downloaded GMER.ZIP and ran it. It started scanning immediately; about five minutes into the scan, it went to a DOS-type screen and the computer then began to dump the physical memory, and then proceeded to restart. Oh boy - this sounds bad. Should I try to pause the scan and save the report before it does this?

#7 Blade (Site Admin)

Posted 28 August 2009 - 04:27 PM

You BSOD'ed. . . You didn't happen to catch the STOP code on the blue screen, did you? On the blue screen, you'll see somewhere on there the word STOP followed by four or five groups of numbers and/or letters. I need the first group to diagnose what caused this. If you didn't catch it, then don't worry about it for now.

I've got a new tool I want to try.

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
~Blade

In your next reply, please include the following:
Rooter log

Edited by Blade Zephon, 28 August 2009 - 04:27 PM.



#8 jav100 (Topic Starter)

Posted 28 August 2009 - 04:39 PM

I tried to get back to the blue screen, but now it does it again, but with no blue screen, only a black screen with blue highlighted letters that indicate it's dumping the physical memory. I did manage to get the log from GMER right before it goes to the blue screen. It's below. But I will also try the newer program you suggested as well. Thanks for your help!

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-28 17:22:43
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 85D8E500 ZwEnumerateKey
Code 85EBAFA8 ZwFlushInstructionCache
Code 85EB1755 IofCallDriver
Code 85EEEA26 IofCompleteRequest
Code 85F08E4D ZwSaveKey
Code 85E576DD ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 8244DFE2 5 Bytes JMP 85EEEA2B
.text ntkrnlpa.exe!ZwSaveKey 8246A664 5 Bytes JMP 85F08E52
.text ntkrnlpa.exe!ZwSaveKeyEx 8246A678 5 Bytes JMP 85E576E2
.text ntkrnlpa.exe!IofCallDriver 824CFF6F 5 Bytes JMP 85EB175A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 825C630B 5 Bytes JMP 85EBAFAC
PAGE ntkrnlpa.exe!ZwEnumerateKey 8261BBA2 5 Bytes JMP 85D8E504

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\UACvcxqrpdskd.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbluppcipuu.dat
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACioevraxxiq.dll
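As an added example (not code from the thread, from GMER, or from BleepingComputer), here is a small Python triage script that reads a GMER log of the kind posted above and pulls out the three things a helper looks for first: inline JMP patches in kernel code sections, services GMER marks as hidden, and every file path stored under the hidden service's registry keys. That last step is what links the DLL that Malwarebytes could not remove in post #1 to the hidden driver reported here. The sample input is a trimmed excerpt of the log above; the function and regex names are this example's own.

```python
import re

# Trimmed excerpt of the GMER log posted above, embedded as the sample input
# (the full log repeats the same registry keys for every ControlSet).
SAMPLE_LOG = r"""GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-28 17:22:43
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

Code 85D8E500 ZwEnumerateKey
Code 85EB1755 IofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 8244DFE2 5 Bytes JMP 85EEEA2B
.text ntkrnlpa.exe!ZwSaveKey 8246A664 5 Bytes JMP 85F08E52
PAGE ntkrnlpa.exe!ZwEnumerateKey 8261BBA2 5 Bytes JMP 85D8E504

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\UACvcxqrpdskd.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvcxqrpdskd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACneesexvxkw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfeyjwrfqqx.dll
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# ".text ntkrnlpa.exe!ZwSaveKey 8246A664 5 Bytes JMP 85F08E52": an inline patch of a kernel export
HOOK_RE = re.compile(r"^(\.text|PAGE|INIT)\s+(\S+)\s+([0-9A-F]+)\s+(\d+) Bytes\s+(JMP|CALL|PUSH)\s+(\S+)")
HIDDEN_SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)")
KERNEL_IMAGES = ("ntkrnlpa.exe!", "ntoskrnl.exe!")


def parse_reg_line(line):
    """Split 'Reg <key>@<value> <data>' into (key, value, data); value/data are None for bare keys."""
    body = line[len("Reg "):].replace(" (not active ControlSet)", "").strip()
    if "@" not in body:
        return body, None, None
    key, rest = body.split("@", 1)
    value, _, data = rest.partition(" ")
    return key, value, data


def triage_gmer_log(text):
    section = None
    hooks, hidden, reg_lines = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Kernel code sections" and (m := HOOK_RE.match(line)):
            hooks.append({"section": m.group(1), "function": m.group(2),
                          "address": m.group(3), "patch": f"{m.group(5)} {m.group(6)}"})
        elif section == "Services" and (m := HIDDEN_SERVICE_RE.match(line)):
            hidden.append({"image": m.group(1), "context": m.group(2), "name": m.group(3)})
        elif section == "Registry" and line.startswith("Reg "):
            reg_lines.append(line)

    # Second pass: every path stored under a hidden service's key belongs to the same
    # infection, whichever ControlSet it lives in.
    hidden_names = {h["name"].lower() for h in hidden}
    paths = set()
    for line in reg_lines:
        key, value, data = parse_reg_line(line)
        svc = SERVICE_KEY_RE.search(key)
        if svc and svc.group(1).lower() in hidden_names and value and data and "\\" in data:
            paths.add(data)

    return {
        "inline_hooks": hooks,
        "hidden_services": hidden,
        "rootkit_paths": sorted(paths),
        "rootkit_files": sorted({p.rsplit("\\", 1)[-1] for p in paths}),
        "rootkit_suspected": bool(hidden) or any(h["function"].startswith(KERNEL_IMAGES) for h in hooks),
    }


if __name__ == "__main__":
    result = triage_gmer_log(SAMPLE_LOG)
    for hook in result["inline_hooks"]:
        print(f"hooked: {hook['function']} at {hook['address']} ({hook['patch']})")
    for svc in result["hidden_services"]:
        print(f"hidden service: {svc['name']} -> {svc['image']}")
    print("files to treat as part of the rootkit:", ", ".join(result["rootkit_files"]))
```

Inline kernel hooks on their own are only a signal: legitimate security software patches kernel functions too (the Symantec TDI driver attached to \Device\Tcp in the same log is an example of a vendor sitting in the kernel path). The decisive finding is the service that GMER cannot see through the normal Windows API but can see in the registry; the script therefore treats every module registered under that service as part of the infection, which is why all of the UAC*.dll entries end up on the list together with the driver.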

#9 Blade (Site Admin)

Posted 28 August 2009 - 04:43 PM

There's no need to run Rooter now. You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

~Blade



#10 jav100 (Topic Starter)

Posted 28 August 2009 - 05:03 PM

Thanks - is it fairly easy and sure that I can remove it, or will it be simpler to burn any files I need and reinstall the OS?

If I choose to burn some pictures and music to a DVD - will the rootkit carry over and spread?

Thanks for your help again

#11 Blade (Site Admin)

Posted 28 August 2009 - 05:19 PM

If reformatting is a viable option for you, then that's what I would do.

IMPORTANT NOTE: One or more of the identified infections (UACvcxqrpdskd.sys) is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed this kind of malware. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and "What Do I Do?" links previously provided. As I already said, in some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action, but I cannot make that decision for you.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft, which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner, please refer to:

If you decide to reformat. . . let me know. I've got some more information that might prove useful to you.

~Blade

Edited by Blade Zephon, 28 August 2009 - 05:21 PM.



#12 jav100 (Topic Starter)

Posted 29 August 2009 - 05:39 PM

Hi,

I think I'm going with the reformat option, just to ensure it's completely gone. Two questions:

1.) Will backing up her files, such as pictures and MP3s, to a DVD cause me to spread the infection to the new computer (once I try to load those files back on)?

2.) Will my computer be infected if I use a USB drive between the infected computer and my computer? (I'm running Avast, win vista, adaware, everything constantly up-to-date).

If you can send any tips and guides to reformat that would be great! Thanks

#13 Blade (Site Admin)

Posted 29 August 2009 - 07:06 PM

I think I'm going with the reformat option, just to ensure it's completely gone.

In this situation I would say that's probably a wise decision. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action to take.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of information on this are
Reformatting Windows XP
Reinstall Windows Vista
Michael Stevens Tech

***************************************************

2 guidelines when backing up:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

***************************************************

2.) Will my computer be infected if I use a USB drive between the infected computer and my computer?


A preventative measure. This should be run on the clean computer and your flash drive.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

~Blade

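An added example, not from the thread or from any of the tools it names, that turns the two backup guidelines above into a script: it copies a user's data tree to a backup location while skipping the extensions listed in the post, skipping autorun.inf/.ini by name, looking at the full file name rather than only the last extension (so "holiday.jpg.scr" is caught), and refusing any "picture" or "document" whose first two bytes are the MZ header every Windows executable starts with, which is the disguise the post warns about. The sample tree is constructed in a temporary directory; every file and function name here is the example's own.

```python
import shutil
import tempfile
from pathlib import Path

# Extensions the post says not to back up, plus the autorun files it warns about.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
BLOCKED_NAMES = {"autorun.inf", "autorun.ini"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable, DLL and driver


def classify(path: Path) -> str:
    """Decide whether a file is safe to carry over: 'copy' or a reason to skip it."""
    if path.name.lower() in BLOCKED_NAMES:
        return "blocked-name"
    # Check every suffix, not just the last one: "holiday.jpg.scr" really is a .scr.
    if any(s.lower() in BLOCKED_EXTENSIONS for s in path.suffixes):
        return "blocked-ext"
    # Content check: a "picture" that starts with the PE header is an executable
    # hiding behind a data extension, which no extension list will catch.
    with path.open("rb") as fh:
        if fh.read(2) == PE_MAGIC:
            return "pe-disguised"
    return "copy"


def selective_backup(src: Path, dst: Path) -> dict:
    """Copy everything under src that classify() accepts; report what was skipped and why."""
    report = {"copied": [], "skipped": {}}
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src).as_posix()
        verdict = classify(p)
        if verdict == "copy":
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            report["copied"].append(rel)
        else:
            report["skipped"][rel] = verdict
    return report


def demo() -> dict:
    """Build a constructed sample tree (not real user data), back it up, return the report."""
    root = Path(tempfile.mkdtemp(prefix="bc-backup-"))
    src, dst = root / "infected", root / "backup"
    (src / "Pictures").mkdir(parents=True)
    (src / "Music").mkdir()
    (src / "Pictures" / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg data")
    (src / "Music" / "track.mp3").write_bytes(b"ID3 mp3 data")
    (src / "notes.txt").write_text("shopping list")
    (src / "Pictures" / "holiday.jpg.scr").write_bytes(PE_MAGIC + b"\x90" * 16)  # double extension
    (src / "Pictures" / "family.jpg").write_bytes(PE_MAGIC + b"\x90" * 16)       # PE with a .jpg name
    (src / "autorun.inf").write_text("[autorun]\n")
    (src / "setup.exe").write_bytes(PE_MAGIC + b"\x90" * 16)
    (src / "archive.zip").write_bytes(b"PK\x03\x04")
    try:
        return selective_backup(src, dst)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("copied:", result["copied"])
    for name, why in result["skipped"].items():
        print(f"skipped {name}: {why}")
```

Point it at the real profile with selective_backup(Path("C:/Users/name"), Path("E:/backup")) on the machine being retired. The MZ check only catches executables renamed to look like data; it says nothing about documents with malicious macros or media files that exploit a player bug, so the post's advice still stands: after the clean install, scan the backup with an up-to-date anti-virus before copying anything back.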




