Windows 7 Forums
Windows 7: Two suspicious processes

19 Mar 2011   #1
silenzer

Win7 Ultimate
Two suspicious processes

I tried googling them with no results.

A log of my whole startup is included as an attachment.
The two suspicious processes are:

Yes HKLM:Run x0ux9jD C:\Users\Gummi\AppData\Local\Temp\UmVQd.exe

and

Yes HKCU:Run ykfXkcM C:\Users\Gummi\AppData\Local\Temp\UmVQd.exe

http://img291.imageshack.us/img291/7940/capturetxr.png

What is the best virus scanner? I scanned with the Windows scanner but it showed no results.




Attached Files
File Type: txt startup.txt (3.0 KB, 15 views)
19 Mar 2011   #2
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

You could try this, Norton Power Eraser. NOTE: You will have to be connected online for this tool to function properly.

http://security.symantec.com/nbrt/npe.asp?lcid=1033
Quote:
Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.
There are also two free tools that you can use to explore these unknown processes with:

Process Explorer

Process Monitor

Quote:
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
19 Mar 2011   #3
Hopalong X

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit

Encyclopedia entry: Trojan:Win32/VB.XR - Learn more about malware - Microsoft Malware Protection Center

It is a Trojan.

Try downloading this if the above ideas won't work. Free is left button on the page. Update before running Full Scan.
http://www.malwarebytes.org/




Quote:
The following system changes may indicate the presence of this malware:
Presence of the following file/s:

c:\directory\cybergate\winbooterr\winbooterr.exe

20 Mar 2011   #4
silenzer

Win7 Ultimate

Quote: Originally Posted by Hopalong X
Encyclopedia entry: Trojan:Win32/VB.XR - Learn more about malware - Microsoft Malware Protection Center

It is a Trojan.

Try downloading this if the above ideas won't work. Free is left button on the page. Update before running Full Scan.
http://www.malwarebytes.org/

Quote:
The following system changes may indicate the presence of this malware:
Presence of the following file/s:

c:\directory\cybergate\winbooterr\winbooterr.exe

Thanks, I scanned with Malwarebytes and it removed a whole bunch of stuff, but I deleted the trojan startup entries, rebooted and they were back again. I take it it hasn't been removed then? The virus scan log is in this reply's attachment.


Attached Files
File Type: txt mbam-log-2011-03-20 (10-20-09).txt (2.1 KB, 19 views)
20 Mar 2011   #5
marsmimar

Microsoft Community Contributor Award Recipient


You could also try running the scans in Safe Mode. And if you're comfortable in the Registry you could run separate searches for x0ux9jD, ykfXkcM, and UmVQd. Then delete any references. Two cautions: first, a wrong deletion from the registry could turn your computer into a paperweight; second, once a computer is infected you can never be 100% sure that all traces of the trojan, virus, etc. have been removed or that they haven't moved into your other programs, documents, etc. You'd have to do a clean install of the operating system (and everything else).
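As an added example (not from any post in this thread), a PowerShell check that lists the Run/RunOnce autostart values under HKLM and HKCU, flags any whose command launches from a Temp directory (the pattern of the two entries in the startup log), and reports whether the target file carries a valid Authenticode signature. The key list and the Temp-path regex are my assumptions, not anything the posters used.

```powershell
# Added example, not part of the thread: enumerate autostart Run/RunOnce values and flag
# the pattern seen in the startup log (an entry launching an .exe out of AppData\Local\Temp).
$runKeys = @(                                   # assumed set of common autostart keys
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Paths that a legitimate autostart entry rarely uses (assumed heuristic).
$tempPattern = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'

function Get-ExePath([string]$Command) {
    # Pull the executable out of the stored command line, handling quoted paths.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, PSChildName ...
        $cmd = [string]$p.Value
        $exe = Get-ExePath $cmd
        $sig = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch ...
        } else { 'FileMissing' }
        $reasons = @()
        if ($cmd -match $tempPattern) { $reasons += 'runs from Temp' }
        if ($sig -ne 'Valid')        { $reasons += "signature: $sig" }
        [PSCustomObject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            Flags   = ($reasons -join '; ')
        }
    }
}
# Flagged entries first; review them before deleting anything from the registry.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

Plenty of legitimate software ships unsigned, so treat the Temp-path flag as the strong signal and the signature column as supporting context only.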
20 Mar 2011   #6
Hopalong X

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit

As marsmimar suggested, run Malwarebytes in Safe Mode. This may allow it to be removed.
Safe Mode only uses base drivers, so the Trojan may not activate.
Safe Mode

Otherwise you will need to run Rkill, which will deactivate it and allow removal by Malwarebytes.
Bleeping Computer Downloads: RKill

You will need the one that says iExplore at the top of the page.

iExplore.exe download link.

How to use Rkill
RKill - What it does and What it Doesn't - A brief introduction to the program
20 Mar 2011   #7
Orbital Shark


Here's one of the easier ways I've found to eradicate these types of infections...
  1. Boot your machine as normal and as soon as you get the chance open Task Manager (right-click the taskbar)
  2. Kill any/all processes that look suspicious
  3. Delete everything in the following locations...(best to type into the start search box). %userprofile%\Appdata\Local\Roaming\Temp and %systemroot%\Temp
  4. Run a full scan with MalwareBytes, restart if necessary
Note: You will need to be quick when accessing Task Manager, as a lot of suspicious software locks out most/all administrative functions.

Also
You may want to check This out. It outlines a very similar process in a bit more detail
20 Mar 2011   #8
Product FRED

Windows 7 Enterprise 64-bit

Firstly, disconnect yourself from the internet. You're probably removing the byproduct of the trojan and not the trojan itself. If you don't get rid of the trojan, it can re-download any files it needs. This has happened to me too in the past.
20 Mar 2011   #9
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

Good point FRED. The way most viruses/malware are designed, if you're connected to the web and it "senses" you're trying to delete it, it calls for backup. It's happened to me a couple times too. You delete one part of it and all of a sudden it's back. I had one that kept coming back & back, turned out a single reg key was causing all the problems.

The one in question was so stubborn that even when I disconnected from the web (after noticing activity) and uninstalled, once I signed back on, there it was d/l itself again.....until I removed the reg keys it created.
20 Mar 2011   #10
Corrine

Windows 7 & Windows Vista Ultimate

More than that, it is a backdoor trojan that has modified registry entries to ensure that it executes at each Windows start.

Quote: Originally Posted by Hopalong X
Otherwise you will need to run Rkill which will deactivate and allow removal by Malwarebytes.
RKill is only needed if the malware is preventing standard removal tools from running. MBAM was able to run but apparently did not get all of the registry entries.

A primary source of this trojan is via bundling with software/files from various torrent sites. The combination of "C:\Program Files (x86)\uTorrent\uTorrent.exe" in startup and MBAM's detection of c:\program files (x86)\Sony\vegas movie studio platinum 9.0\patch.exe as a trojan downloader strongly suggests that the infection was from a torrent download.

With the infection identified as a backdoor trojan, which allows hackers to remotely control your computer, steal critical system information and download and execute files, my advice is a reformat and fresh install. Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. As described in the above-linked Encyclopedia article:

Quote:
Payload

Contacts remote host
Trojan:Win32/VB.XR may contact a remote host at cgate.no-ip.biz using port 82. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer