Two suspicious processes


  1. Posts : 67
    Win7 Ultimate
       #1

    Two suspicious processes


    I tried googling them with no results.

    A log of my whole startup is included as an attachment.
    The two suspicious processes are:

    Yes HKLM:Run x0ux9jD C:\Users\Gummi\AppData\Local\Temp\UmVQd.exe

    and

    Yes HKCU:Run ykfXkcM C:\Users\Gummi\AppData\Local\Temp\UmVQd.exe

    http://img291.imageshack.us/img291/7940/capturetxr.png

    What is the best virus scanner? I scanned with the Windows scanner but it showed no results.


  2. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #2

    You could try this, Norton Power Eraser. NOTE: You will have to be connected online for this tool to function properly.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033
    Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.
    There are also two free tools that you can use to explore these unknown processes with:

    Process Explorer

    Process Monitor

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

    Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
    The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.


  3. Posts : 6,349
    Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
       #3

    Encyclopedia entry: Trojan:Win32/VB.XR - Learn more about malware - Microsoft Malware Protection Center

    It is a Trojan.

    Try downloading this if the above ideas won't work. Free is the left button on the page. Update before running a Full Scan.
    http://www.malwarebytes.org/

    The following system changes may indicate the presence of this malware:
    Presence of the following file/s:

    c:\directory\cybergate\winbooterr\winbooterr.exe


  4. Posts : 67
    Win7 Ultimate
    Thread Starter
       #4

    Hopalong X said:
    Encyclopedia entry: Trojan:Win32/VB.XR - Learn more about malware - Microsoft Malware Protection Center

    It is a Trojan.

    Try downloading this if the above ideas won't work. Free is the left button on the page. Update before running a Full Scan.
    http://www.malwarebytes.org/

    The following system changes may indicate the presence of this malware:
    Presence of the following file/s:

    c:\directory\cybergate\winbooterr\winbooterr.exe
    Thanks. I scanned with Malwarebytes and it removed a whole bunch of stuff, but I deleted the trojan startup entries, rebooted, and they were back again. I take it it hasn't been removed then? The virus scan log is in this reply's attachment.


  5. Posts : 10,994
    Win 7 Pro 64-bit
       #5

    You could also try running the scans in Safe Mode. And if you're comfortable in the Registry you could run separate searches for x0ux9jD, ykfXkcM, and UmVQd. Then delete any references. Two cautions: first, a wrong deletion from the registry could turn your computer into a paperweight; second, once a computer is infected you can never be 100% sure that all traces of the trojan, virus, etc. have been removed or that they haven't moved into your other programs, documents, etc. You'd have to do a clean install of the operating system (and everything else).
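An added example, not posted by anyone in the thread, that automates the registry check post #5 describes: it reads the HKLM and HKCU Run keys and flags any entry whose value name or command matches the names from the first post, or whose command runs from a Temp directory, as both of the reported entries do. The key paths and Temp locations are the standard Windows ones; the suspect names are taken from the first post.

```powershell
# Added example (not from the thread): review autostart Run entries as post #5 suggests.
# An entry is flagged when its name or command matches the names reported in the
# first post, or when its command runs from a Temp directory.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$suspectNames = @('x0ux9jD', 'ykfXkcM', 'UmVQd')            # names from the first post
$tempPattern  = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\' # locations a normal autostart rarely uses

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSProvider; skip them.
        if ($prop.Name -like 'PS*') { continue }
        $cmd = [string]$prop.Value
        $reasons = @()
        if ($suspectNames -contains $prop.Name) { $reasons += 'value name from thread' }
        foreach ($n in $suspectNames) {
            if ($cmd -match [regex]::Escape($n)) { $reasons += "command contains $n"; break }
        }
        if ($cmd -match $tempPattern) { $reasons += 'runs from Temp' }
        $verdict = if ($reasons.Count -gt 0) { 'REVIEW: ' + ($reasons -join '; ') } else { 'ok' }
        [PSCustomObject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $cmd
            Verdict = $verdict
        }
    }
}
```

Run it from an elevated PowerShell session so the HKLM keys are readable; the output is a list of objects you can pipe to Format-Table or Export-Csv before deciding what to remove.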


  6. Posts : 6,349
    Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
       #6

    As marsmimar suggested, run Malwarebytes in Safe Mode. This may allow it to be removed.
    Safe Mode only uses base drivers, so the Trojan may not activate.
    Safe Mode

    Otherwise you will need to run Rkill which will deactivate and allow removal by Malwarebytes.
    Bleeping Computer Downloads: RKill

    You will need the one that says iExplore at the top of the page.

    iExplore.exe download link.

    How to use Rkill
    RKill - What it does and What it Doesn't - A brief introduction to the program


  7. Posts : 6,305
    Windows 7 Ultimate x64
       #7

    Here's 1 of the easier ways I've found to eradicate these types of infections...

    1. Boot your machine as normal and as soon as you get the chance open Task Manager (right-click the taskbar)
    2. Kill any/all processes that look suspicious
    3. Delete everything in the following locations...(best to type into the start search box). %userprofile%\Appdata\Local\Roaming\Temp and %systemroot%\Temp
    4. Run a full scan with MalwareBytes, restart if necessary
       Note
    You will need to be quick when accessing Task Manager as a lot of suspicious software locks out most/all administrative functions

    Also
    You may want to check This out. It outlines a very similar process in a bit more detail


  8. Posts : 1,083
    Windows 7 Enterprise 64-bit
       #8

    Firstly, disconnect yourself from the internet. You're probably removing the byproduct of the trojan and not the trojan itself. If you don't get rid of the trojan, it can re-download any files it needs. This has happened to me too in the past.


  9. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #9

    Good point, FRED. The way most viruses/malware are designed, if you're connected to the web and it "senses" you're trying to delete it, it calls for backup. It's happened to me a couple of times too. You delete one part of it and all of a sudden it's back. I had one that kept coming back and back; it turned out a single reg key was causing all the problems.

    The one in question was so stubborn that even when I disconnected from the web (after noticing activity) and uninstalled, once I signed back on, there it was d/l itself again... until I removed the reg keys it created.


  10. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #10

    More than that, it is a backdoor trojan that has modified registry entries to ensure that it executes at each Windows start.

    Hopalong X said:
    Otherwise you will need to run Rkill which will deactivate and allow removal by Malwarebytes.
    RKill is only needed if the malware is preventing standard removal tools from running. MBAM was able to run but apparently did not get all of the registry entries.

    A primary source of this trojan is via bundling with software/files from various torrent sites. The combination of "C:\Program Files (x86)\uTorrent\uTorrent.exe" in startup and MBAM's detection of c:\program files (x86)\Sony\vegas movie studio platinum 9.0\patch.exe as a trojan downloader strongly suggest that the infection was from a torrent download.

    With the infection identified as a backdoor trojan, which allows hackers to remotely control your computer, steal critical system information and download and execute files, my advice is a reformat and fresh install. Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. As described in the above-linked Encyclopedia article:

    Payload

    Contacts remote host
    Trojan:Win32/VB.XR may contact a remote host at cgate.no-ip.biz using port 82. Commonly, malware may contact a remote host for the following purposes:

    • To report a new infection to its author
    • To receive configuration or other data
    • To download and execute arbitrary files (including updates or additional malware)
    • To receive instruction from a remote attacker
    • To upload data taken from the affected computer

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.