
Cannot Remove KU6SpeedUpper.exe new Trojan


3 replies to this topic

#1 TekKnight

TekKnight

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 24 September 2009 - 12:51 PM

Hello Everyone,

I am hoping that someone can provide some guidance on the steps I can possibly take to clean/remove a new suspected trojan/malware from a friend's computer. I am using Startup Control Panel 2.8 by Mike Lin, which shows the file loading in HKLM/Run and a path of C:\Program Files\(some Chinese/Japanese characters when the special characters are copied into the path window of an Explorer window)\Ku6SpeedUpper.exe (oh, one thing: she has the IME fully installed, so the characters may not show correctly when pasted into the window if you do not have the IME installed; seems to be Unicode). So the directory seems to be hidden, since it cannot be discovered when unhiding protected operating system files and selecting to show hidden files and folders. When deleting through Startup Control Panel the program immediately replaces itself, even when using HijackThis, though you need to rescan with HijackThis to see that it has replaced itself. It also sends CPU usage to 100% and sets exceptions in the Windows XP SP3 firewall and CA Personal Firewall, setting itself as trusted, which I have since denied. The denials do seem to stick and not get changed to trust/allow again, at least at this point.


Using Glary Utilities, Unlocker, Spybot Search & Destroy, SpywareBlaster, CA Antivirus: all of no help; since they cannot see the file, they cannot help to delete or uninstall it.

Using the Windows XP SP3 search function with hidden and system checked does not find any result. Again, it is very good at hiding; it probably made copies of itself and infected a DLL or two.

Ran Norman Malware Cleaner and still no go; will try ComboFix to see if it is detected.

The best and only useful information I have found on this file is at http://spywarefiles.prevx.com/RRFFED449662...DUPPER.EXE.html

Just do a search on google on the file name and you will see.

It seems to trick people into thinking it will speed up/cache the video feed from a site similar to YouTube but in China.

Will post screenshots of the file name as it is shown in Unicode and in the gibberish. Done.

Any help would be appreciated.

Thank you.

Edited by TekKnight, 24 September 2009 - 03:33 PM.
Moved from XP to a more appropriate forum. Tw



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:57 PM

Posted 24 September 2009 - 07:30 PM

Hi, I am not sure this is malware either, except that the info there is shows its actions may be. But it is new. So let's throw it at some 40 scanners if we can and see what comes back.

JOTTI and VT scan. This is possibly a false positive. We should double-check it before we take action.

Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 TekKnight

TekKnight
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 24 September 2009 - 08:14 PM

Hello, and thanks for the direction. The only problem is, though, as I wrote previously, the file is completely searchable. I have unhidden protected operating system files and directories as well as hidden files and folders. The problem, I believe, is that the directory name is in foreign characters and may somehow be keeping the directory hidden? The file definitely exists, since it keeps replacing itself when deleted in Startup. My guess is it is creating duplicates of itself somewhere and it has at least one service running for it.

Might you know of a way to uncover it? Short of going to the website (Chinese, KU6.dot.com), redownloading and installing, then uninstalling while running some tracing program to find out what the program is doing. Just my thoughts.

So the short answer is I do not have anything I can upload because I cannot find it in the first place.
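The two posts above describe an HKLM\Run entry whose directory name is non-ASCII and which the poster cannot locate on disk to upload for a second opinion. The script below is an added example written for this thread, not code from either poster or from any tool named here. It enumerates the Run keys with Python's standard `winreg` module, resolves each command line to its executable (quoted and unquoted forms), lists any path components containing non-ASCII characters together with their Unicode code points (so a name that renders as boxes or gibberish can still be typed or matched exactly), checks whether the file is actually present, and prints a SHA-256 that can be looked up on VirusTotal before uploading. The directory name used in the comments and test is a constructed placeholder, not the real folder from the thread; the registry reading part only runs on Windows, while the parsing and reporting functions are pure and work anywhere.

```python
"""List Run-key autostart entries, resolve their executables, flag non-ASCII
path components and hash the files for a VirusTotal/Jotti lookup (added example)."""
import hashlib
import os

# Autostart locations inspected by Startup Control Panel / HijackThis (O4 entries).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def extract_exe(command, exists=os.path.exists):
    """Return the executable path referenced by a Run-value command line.

    A quoted command yields the quoted part. An unquoted command containing
    spaces is ambiguous (Windows tries successively longer prefixes), so we keep
    the longest whitespace-delimited prefix that exists on disk and fall back to
    the first token. `exists` is injectable so the logic can be tested offline."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    parts = command.split()
    if not parts:
        return ""
    candidate = parts[0]
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if exists(prefix):
            candidate = prefix
    return candidate


def non_ascii_components(path):
    """Return (component, code points) for every path component that contains
    non-ASCII characters, e.g. a folder named with CJK characters."""
    found = []
    for comp in path.replace("/", "\\").split("\\"):
        if any(ord(ch) > 127 for ch in comp):
            found.append((comp, " ".join("U+%04X" % ord(ch) for ch in comp)))
    return found


def sha256_of(path):
    """SHA-256 of a file, read in chunks; the hash can be searched on VirusTotal
    without uploading anything."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_run_entries():
    """Yield (hive, value name, command) for every value under the Run keys.
    Windows only: uses the standard-library winreg module."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            yield hive_name, name, str(value)
            index += 1


def report(entries, exists=os.path.exists):
    """Build one dict per entry: resolved exe, whether it exists on disk, and the
    non-ASCII components of its path. Pure, so it can be tested with fake data."""
    rows = []
    for hive, name, command in entries:
        exe = extract_exe(command, exists)
        rows.append({
            "hive": hive, "name": name, "command": command, "exe": exe,
            "exists": bool(exe) and exists(exe),
            "non_ascii": non_ascii_components(exe),
        })
    return rows


if __name__ == "__main__":
    for row in report(list(read_run_entries())):
        print("%s\\Run\\%s -> %r (exists: %s)" % (row["hive"], row["name"], row["exe"], row["exists"]))
        for comp, codepoints in row["non_ascii"]:
            print("    non-ASCII component %r = %s" % (comp, codepoints))
        if row["exists"]:
            print("    sha256:", sha256_of(row["exe"]))
```

Run it from a normal command prompt on the affected machine; an entry that reports `exists: False` while the file keeps reappearing at boot is a sign that the path is being hidden from the file APIs or recreated by another process, which is exactly the point at which a HijackThis/DDS log in the malware-removal forum is the right next step.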

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:57 PM

Posted 24 September 2009 - 08:54 PM

I think the safest way to remove this is thru HJT.

You will need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using HijackThis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.