Two suspicious processes

silenzer

I tried googling them with no results.

A log of my whole startup is included as an attachment.
The two suspicious processes are:

Yes HKLM:Run x0ux9jD C:\Users\Gummi\AppData\Local\Temp\UmVQd.exe

and

Yes HKCU:Run ykfXkcM C:\Users\Gummi\AppData\Local\Temp\UmVQd.exe

http://img291.imageshack.us/img291/7940/capturetxr.png

What is the best virus scanner? I scanned with the Windows scanner but it showed no results.
 

My Computer

Computer Manufacturer/Model Number
??
OS
Win7 Ultimate
CPU
Intel Core Duo e8400
Motherboard
MICRO-STAR INTERNATIONAL CO.,LTD P45 Neo-F
Memory
4GB Corsair Dual-Channel DDR2 @ 401MHz
Graphics Card(s)
NVIDIA GeForce GTS 250
Monitor(s) Displays
Acer V223W
Screen Resolution
1680x1050
Hard Drives
200GB Western Digitial WDC ATA
Keyboard
A4 Tech USB
Mouse
Razer Deathadder
Internet Speed
6mb/s
Other Info
ballz?
You could try this, Norton Power Eraser. NOTE: You will have to be connected online for this tool to function properly.

http://security.symantec.com/nbrt/npe.asp?lcid=1033
Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.
There are also two free tools that you can use to explore these unknown processes with:

Process Explorer

Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various

My Computer

Computer Manufacturer/Model Number
Hopalong/ Godzilla
OS
Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
CPU
Intel Core i7-870 Lynnfield 2.93GHz LGA 1156 95W Quad-Core
Motherboard
ASUS P7P55D-E PRO
Memory
8GB@1400MHz Crucial Ballistix DDR3-1600 4x2GB
Graphics Card(s)
ASUS ENGTX460 DirectCU/2DI/1GD5 1GB 256-bit GDDR5
Sound Card
VIA Onboard
Monitor(s) Displays
Asus VS248H-P 24"; Samsung SyncMaster 941BW 19"ws
Screen Resolution
1920x1080; 1440x900
Hard Drives
Samsung 830 120GB SSD
Intel 320 120GB SSD
Western Digital Caviar Black WD7501AALS 750GB 7200 RPM SATA 3.0Gb/s
Western Digital Caviar Black WD6401AALS 640GB 7200 RPM SATA 3.0Gb/s
PSU
COOLER MASTER Silent Pro RS850-AMBAJ3-US 850W Modular
Case
COOLER MASTER HAF 932 RC-932-KKN5-GP Black
Cooling
Scythe "Mugen-2 Rev.B" (2 ScytheKaze-Jyuni PWM fans)
Keyboard
Logitech K-320
Mouse
Kensington
Antivirus
Avast Internet Suite
Browser
IE 9 ; Chrome
Encyclopedia entry: Trojan:Win32/VB.XR - Learn more about malware - Microsoft Malware Protection Center

It is a Trojan.

Try downloading this if the above ideas won't work. Free is the left button on the page. Update before running a Full Scan.
http://www.malwarebytes.org/

The following system changes may indicate the presence of this malware:

Presence of the following file/s:

c:\directory\cybergate\winbooterr\winbooterr.exe

Thanks, I scanned with Malwarebytes and it removed a whole bunch of stuff, but I deleted the trojan startup entries, rebooted and they were back again. I take it it hasn't been removed then? The virus scan log is in this reply's attachment.
 

You could also try running the scans in Safe Mode. And if you're comfortable in the Registry you could run separate searches for x0ux9jD, ykfXkcM, and UmVQd. Then delete any references. Two cautions: first, a wrong deletion from the registry could turn your computer into a paperweight; second, once a computer is infected you can never be 100% sure that all traces of the trojan, virus, etc. have been removed or that they haven't moved into your other programs, documents, etc. You'd have to do a clean install of the operating system (and everything else).
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Sony Vaio VPCEB47GM Laptop
OS
Win 7 Pro 64-bit
CPU
Intel i5 2.4 Ghz
Memory
8GB DDR3
Graphics Card(s)
Intel HD 3000
Sound Card
IDT High Definition
Monitor(s) Displays
15.6 WGXA Anti-Glare LED
Screen Resolution
1280x800
Hard Drives
640Gb 7200rpm
Antivirus
MSE
Browser
Opera (primary) with IE9 backup
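A defender-side triage check over startup entries in the layout silenzer quoted (the two Run values marsmimar suggests searching for), added here as an example and not code from the thread or from any tool named in it: it flags Run entries whose image sits in a temp directory, whose value name looks machine-generated, or whose image is registered under both HKLM and HKCU. The sample listing is constructed; the uTorrent and Microsoft Security Client lines are assumed benign fillers.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the startup listing quoted in the thread:
# <enabled> <hive>:Run <value name> <command line>
SAMPLE_STARTUP = """\
Yes HKLM:Run x0ux9jD C:\\Users\\Gummi\\AppData\\Local\\Temp\\UmVQd.exe
Yes HKCU:Run ykfXkcM C:\\Users\\Gummi\\AppData\\Local\\Temp\\UmVQd.exe
Yes HKLM:Run uTorrent "C:\\Program Files (x86)\\uTorrent\\uTorrent.exe" /MINIMIZED
Yes HKCU:Run MSC "C:\\Program Files\\Microsoft Security Client\\msseces.exe" -hide
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+):Run\s+(\S+)\s+(.*)$')
# Payloads launched from a temp directory are a classic dropper footprint.
TEMP_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\', re.I)
IMAGE_RE = re.compile(r'"?(.+?\.(?:exe|scr|bat))', re.I)  # first executable on the line

def parse_startup(text):
    """Return (hive, value_name, image_path) for every Run entry in the listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _enabled, hive, name, command = m.groups()
        img = IMAGE_RE.match(command)
        entries.append((hive, name, img.group(1) if img else command))
    return entries

def looks_random(name):
    """Heuristic: short alphanumeric names that flip between lower/upper/digit
    three or more times (x0ux9jD) rather than reading like a product name."""
    cls = lambda c: 'd' if c.isdigit() else ('u' if c.isupper() else 'l')
    if not name.isalnum() or len(name) > 12:
        return False
    return sum(cls(a) != cls(b) for a, b in zip(name, name[1:])) >= 3

def triage(text):
    """Map each (hive, name) to the list of reasons it deserves a closer look."""
    entries = parse_startup(text)
    hives_per_image = defaultdict(set)
    for hive, _, image in entries:
        hives_per_image[image.lower()].add(hive)
    findings = {}
    for hive, name, image in entries:
        reasons = []
        if TEMP_RE.search(image):
            reasons.append('image lives in a temp directory')
        if looks_random(name):
            reasons.append('random-looking value name')
        if len(hives_per_image[image.lower()]) > 1:
            reasons.append('same image registered under both HKLM and HKCU')
        if reasons:
            findings[(hive, name)] = reasons
    return findings
```

Run `triage(SAMPLE_STARTUP)` on a listing exported from Autoruns or msconfig in the same layout; only the two Temp-resident entries come back, each with all three reasons.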
As marsmimar suggested, run Malwarebytes in Safe Mode. This may allow it to be removed.
Safe Mode only uses base drivers, so the Trojan may not activate.
http://www.sevenforums.com/tutorials/69585-safe-mode.html

Otherwise you will need to run Rkill which will deactivate and allow removal by Malwarebytes.
Bleeping Computer Downloads: RKill

You will need this one that says iExplore at the top of the page.

iExplore.exe download link.

How to use Rkill
RKill - What it does and What it Doesn't - A brief introduction to the program
 

Here's one of the easier ways I've found to eradicate these types of infections...

  1. Boot your machine as normal and as soon as you get the chance open Task Manager (right-click the taskbar)
  2. Kill any/all processes that look suspicious
  3. Delete everything in the following locations...(best to type into the start search box). %userprofile%\Appdata\Local\Roaming\Temp and %systemroot%\Temp
  4. Run a full scan with MalwareBytes, restart if necessary

Note: You will need to be quick when accessing Task Manager as a lot of suspicious software locks out most/all administrative functions

Also, you may want to check This out. It outlines a very similar process in a bit more detail.
 

My Computer

Computer Manufacturer/Model Number
Compaq Desktop
OS
Windows 7 Ultimate x64
CPU
AMD Sempron Dual Core
Memory
3GB
Graphics Card(s)
NVIDIA GeForce 6150SE nForce 430
Screen Resolution
1024x768
Hard Drives
150GB Sata
Firstly, disconnect yourself from the internet. You're probably removing the byproduct of the trojan and not the trojan itself. If you don't get rid of the trojan, it can re-download any files it needs. This has happened to me too in the past.
 

My Computer

OS
Windows 7 Enterprise 64-bit
CPU
AMD Phenom II X4 3.0GHz
Motherboard
ASUS M5A97
Memory
8GB G-Skill Ripjaws DDR3 1333
Graphics Card(s)
PNY GeForce 460 GTX 1GB OC - Enthusiast Edition
Sound Card
VIA High Definition Audio
Monitor(s) Displays
Dell 19"
Screen Resolution
1280x1024
Hard Drives
1TB - Primary
160GB - Secondary
250GB - External backup for important files
PSU
OCZ Fata1ty 700W Modular PSU
Case
ASUS
Keyboard
Microsoft Wireless Keyboard 2000
Mouse
Microsoft Wireless Mouse 2000
Internet Speed
3 Mbps/768 kbps
Good point FRED. The way most viruses/malware are designed, if you're connected to the web and it "senses" you're trying to delete it, it calls for backup. It's happened to me a couple times too. You delete one part of it and all of a sudden it's back. I had one that kept coming back & back, turned out a single reg key was causing all the problems.

The one in question was so stubborn that even when I disconnected from the web (after noticing activity) and uninstalled, once I signed back on, there it was d/l itself again.....until I removed the reg keys it created
 


More than that, it is a backdoor trojan that has modified registry entries to ensure that it executes at each Windows start.

Otherwise you will need to run Rkill which will deactivate and allow removal by Malwarebytes.

RKill is only needed if the malware is preventing standard removal tools from running. MBAM was able to run but apparently did not get all of the registry entries.

A primary source of this trojan is via bundling with software/files from various torrent sites. The combination of "C:\Program Files (x86)\uTorrent\uTorrent.exe" in startup and MBAM's detection of c:\program files (x86)\Sony\vegas movie studio platinum 9.0\patch.exe as a trojan downloader strongly suggest that the infection was from a torrent download.

With the infection identified as a backdoor trojan, which allows hackers to remotely control your computer, steal critical system information and download and execute files, my advice is a reformat and fresh install. Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. As described in the above-linked Encyclopedia article:

Payload

Contacts remote host
Trojan:Win32/VB.XR may contact a remote host at cgate.no-ip.biz using port 82. Commonly, malware may contact a remote host for the following purposes:

  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
Replacing read only files?

Hi,

I'm trying to get rid of a virus by replacing it by another exe with the same filename (svchost.exe) but the virus is read only so I can't replace it. Any way to make the virus non-read only?
 

Hi,

Why don't you use something like Malwarebytes to get rid of the virus? Renaming it doesn't necessarily prevent it from doing what it was designed to do, depending on what type of virus it is.

I suggest doing a scan with the above recommendation, opting to remove the virus, and then post the log here to see what you are dealing with. Some viruses require a "second course of medication" to completely kill them off, but we need to know exactly what you are dealing with.

Can you also list your existing anti-virus software that is installed on your system?

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518

You really should follow Corrine's advice to format your hard drive and reinstall Windows. She replied to your other topic 2 weeks ago. Corrine's post was HERE.
 

My Computer

Computer Manufacturer/Model Number
Dell Studio 15
OS
Windows 7 Ultimate 64 bit
Thanks for the reply but I have already scanned the computer according to instructions from sevenforums and posted the log in another thread: http://www.sevenforums.com/system-security/151548-two-suspicious-processes.html

However I'm still in the dark

Hi there,

I would not recommend following advice from another thread when it comes to Malware removal. I would suggest you run HijackThis HijackThis - Trend Micro USA and post the logs. I'll ask one of the security experts to look at it :)
 

My Computer

Computer Manufacturer/Model Number
Samsung NP550P5C-S02IN
OS
Windows 7 Ultimate - 64-bit | Windows 8 Pro - 64-bit
CPU
Intel® Core™ i7 Processor 3,610QM (2.30Hz, 6MB L3 Cach
Memory
8 GB
Graphics Card(s)
NVIDIA® GeForce® GT 650M 2GB Graphics, Optimus™ techno
Sound Card
SoundAlive™ JBL 3 Speakers (With sub-Woofer)
Monitor(s) Displays
39.62cm (15.6) SuperBright 300nit HD+ LED Display
Screen Resolution
1,600 x 900, Anti-Reflective
Hard Drives
1TB S-ATA II Hard Drive (5,400RPM)
Thanks for the reply but I have already scanned the computer according to instructions from sevenforums and posted the log in another thread: http://www.sevenforums.com/system-security/151548-two-suspicious-processes.html

However I'm still in the dark

Hi there,

I would not recommend following advice from another thread when it comes to Malware removal. I would suggest you run HijackThis HijackThis - Trend Micro USA and post the logs. I'll ask one of the security experts to look at it :)

I agree, never use a fix that was proposed for another computer. However, in this case, this was his thread and Corrine identified that the computer was compromised by a Backdoor.

HijackThis is not designed for 64bit systems so the resulting log will not be of any use.

Please scan with DDS instead:
Please download DDS by sUBs from one of the links below, save it to your Desktop (It must be in this location).
Link1: http://download.bleepingcomputer.com/sUBs/dds.scr
Link2: http://download.bleepingcomputer.com/sUBs/dds.com
Please disable any anti-malware program that will block scripts from running before running DDS.


  • Right-click on dds.scr and select "Run as administrator"... and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
 

Hi, Carolyn! It's good to see you! (At All: Carolyn is trained in malware removal and very knowledgeable.)

It is rather strange to abandon a thread for two weeks and then start a new topic. I'll see if the Moderators want the topics merged.
 

It's good to see you too Corrine and thank you for those kind words!
 
