XP Infected with YWJCRFUITUSQDA.EXE



#1 CatLadyDi


Posted 25 May 2011 - 09:19 PM

I'm a newbie here and am trying not to post anything to the wrong location, so please redirect me as appropriate.

OS is Windows XP. I have AVG free edition that I think supposedly runs in the background to alert to threats as they are encountered, but had not updated in a month or so. Using IE8 as browser.

After a thunderstorm, another user on my home PC found an "official-looking" window displayed that explained that the PC had critical errors and presented a scanner and fix to the errors. He assumed that the errors were the result of the T-storm and that the message was legit, so he ran the scan and "fixed" the errors. Of course, some appeared to be fixed but others required purchasing the full version of whatever this was. He is not very computer-savvy, so he did not go any further and asked me to take a look at it. It looked suspicious to me, as I could not recall ever getting a message regarding critical errors without having run a scan, so I suspected malware of some sort. I also could not find any sort of identification related to the owner of the site/software I was "supposed" to buy.

At this point the scanner window would not go away and I could not access anything...desktop, programs, favorites, everything appeared to be gone. I restarted the computer and got the same "scanner" window with the message regarding critical errors. (Sorry, I did not think to write down the text.) I restarted the computer again in safe mode to see if I could get to anything that would help and eventually decided to restart in safe mode with networking. Tried to go to System Restore but received this message:
"System Restore is not able to protect your computer. Please restart your computer, and then run system restore again."
Restarted the computer and tried again in safe mode; got the same message.

I was clicking around in the Help and Support section looking for something to try, and although I'm not completely certain what I did, or whether AVG finally just kicked in, I got a message from AVG that something had been detected and quarantined. This was identified as the YWJCRFUITUSQDA.EXE file. I then decided to update the AVG files and scan again. (I may have restarted in normal mode again by this time, as I did turn the PC off and on a number of times.) One additional item was found and quarantined during the AVG scan that I requested, but I did not note the file name, thinking the removal of these files had saved me. I restarted the computer. The "scanning" screen no longer comes up, but I am still being directed to an apparently fake desktop that has nothing on the desktop, and all programs, files, etc. seem to be gone. I know that they are, in fact, still there because I could see the program and file names flashing past during the AVG scan.

The above took me most of one evening and the next morning before work. When I got to work, I did a search from my work computer on the YWJCRFUITUSQDA.EXE file and it appears to have only just surfaced this week. One threat-related site indicated that this is malware that affects the root, Task Manager, and System Restore. Advice was to go into Support and disable System Restore and then rescan so that the restore files will be clean, then restart and re-enable System Restore. I was unable to disable System Restore, so I could not get this option to clean the root files. I guess this thing has taken over.

That is when, from safe mode with networking, I logged onto the internet for the first time under the system admin account and found this BC site. I have read through a lot of removal things posted, but none sounded exactly like what I experienced, although some were very similar and referenced rogue anti-spyware, fake scanners and ransoming of proper operation of Windows. I have gone through all of the things directed to do in the Preparation Guide for Use before Using Malware Removal Tools, including disabling CD emulator drivers and creation of all the logs and scans directed by BC. I saved all this to my desktop but really was not certain as to the proper procedure for posting the contents here. Should I just open these, copy the contents, and paste them here? Or do I go to another forum to post the scan results? (By the way, I accidentally closed the Defogger window, so I don't know how to re-enable CD emulator drivers when the time comes.)

Hopefully I have provided sufficient detail to allow someone more knowledgeable than me to suggest how to fix my problem and I thank you in advance for taking the time to read this and offer assistance.

CatLadyDi

#2 CatLadyDi


Posted 27 May 2011 - 05:43 PM

Well, I was desperate and with no replies in sight, I struck out on my own and implemented a variety of "fixes" that I found on other posts.

First, I saw a post referencing hidden files so I applied the fix for unhiding files. This was successful at restoring my ability to locate programs, desktop icons, files on my C drive; however, I'm not sure if there are now unhidden files that I should manually rehide. I did see that this could be an issue.

Next, I went step by step through the "Remove XP Anti-Spyware 2011, Vista Security 2011, and Win 7 Internet Security 2011 (Uninstall Guide)" as the description of this infection most closely matched my issue. This included applying FixNCR.reg, RKill (using the eXplorer.exe named version), running Malwarebytes' Anti-Malware and removing infected files.

Following these actions, things appear at this point to be back to normal. I am able to navigate to my programs and files, I am able to get to the internet and have not been stopped from accessing any sites that I have attempted to visit (including BC), and Task Manager and System Restore seem to be OK.

I am concerned that during the last three days while I have been trying to figure this thing out, I had disabled the CD emulator drivers using Defogger, but never saw anything instructing me to re-enable this and wasn't sure if I need to or how to.

I am extremely thankful for this guidance on this site and have already shared it with all my colleagues and friends.

If someone could shed some light on the unhidden system files that I may need to rehide and the CD emulator drivers, I will be happy and can close this topic.

CatLady Di
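As an added example for the two fixes this post describes (it is not code from the thread, from BleepingComputer's uninstall guide, or from FixNCR.reg, RKill or Malwarebytes), the following read-only PowerShell script reports the state of the two things this family of rogue "security" programs tampers with: the .exe file association, which FixNCR.reg-style fixes restore, and the Hidden attribute on the user's files, which the "unhide" fix strips. Assumptions: PowerShell 2.0 is installed on XP SP3 and the script is run from an administrator account; the expected registry values are the stock XP defaults. It changes nothing, so it is safe to run before and after the cleanup to confirm what was actually repaired.

```powershell
# Added diagnostic (not from the original thread or the tools it names).
# Read-only: reports the state of what rogue AV of this family tampers with.
# Assumes PowerShell 2.0 on XP SP3, run from an administrator account.

# --- 1. The .exe file association ---------------------------------------
# Clean values on XP:
#   HKCR\.exe                        (Default) = exefile
#   HKCR\exefile\shell\open\command  (Default) = "%1" %*
# HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# with HKCU winning, which is why a per-user hijack can survive a fix that only
# touches HKLM. A hijacked association routes every .exe launch through the
# rogue, which is why installed programs look "gone" or refuse to start.
$expectedOpen = '"%1" %*'
$roots = @('Registry::HKEY_CLASSES_ROOT',
           'Registry::HKEY_CURRENT_USER\Software\Classes',
           'Registry::HKEY_LOCAL_MACHINE\Software\Classes')

# Returns the key's (Default) value, or $null if the key does not exist.
function Get-DefaultValue($key) {
    if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { $null }
}

foreach ($root in $roots) {
    $progId  = Get-DefaultValue "$root\.exe"
    $openCmd = Get-DefaultValue "$root\exefile\shell\open\command"
    Write-Host "`n[$root]"
    Write-Host "  .exe -> $progId"
    Write-Host "  exefile\shell\open\command = $openCmd"
    if ($progId -and $progId -ne 'exefile') {
        # Follow the hijacked ProgID to see what really runs in place of the exe.
        $hijackCmd = Get-DefaultValue "$root\$progId\shell\open\command"
        Write-Warning ".exe points at ProgID '$progId' instead of 'exefile'"
        Write-Warning "  $progId\shell\open\command = $hijackCmd"
    }
    if ($openCmd -and $openCmd -ne $expectedOpen) {
        Write-Warning "exefile open command is '$openCmd' (expected '$expectedOpen')"
    }
}

# --- 2. Hidden attribute on profile files --------------------------------
# The rogue sets +H on the user's files so the desktop and Start menu look
# empty. The "unhide" fix runs the equivalent of `attrib -h /s /d` over the
# drive, which also strips the attribute from items Windows hides by design
# (desktop.ini, ntuser.dat, Application Data, ...). Windows keeps working with
# those visible; this lists what is still hidden so the current state is
# known rather than guessed.
Get-ChildItem $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    Select-Object FullName, Attributes |
    Format-Table -AutoSize
```

Both checks only read. Restoring the association is what FixNCR.reg does, and re-hiding individual items is a per-file `attrib +h` decision, so neither is automated here. The Defogger step the post asks about is reversed by running the same Defogger executable again and choosing Re-enable; that is a tool step, not part of this script.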



