
Ukash infection - malwarebytes doesn't detect it


sqf


Hi

I appear to have acquired the Ukash virus/trojan/something on a Windows XP machine but malwarebytes can't find it.

Symptoms: Splash screen warning appeared with Ukash payment demand. This was on an account with admin rights. When I restarted the PC and logged into a non-admin userid it did NOT activate. When I logged back into the admin account it re-activated. Just about everything was disabled, had to resort to soft power-off to force shutdown.

Safe mode: I then restarted PC, hit F8 and ran rkill followed by malwarebytes - rkill detected nothing, malwarebytes detected the following the first time:

C:\Documents and Settings\mark\Application Data\Sun\Java\Deployment\cache\6.0\5\15739945-37b86c46 (Trojan.Phex.THAGen2) -> Quarantined and deleted successfully.

C:\Documents and Settings\mark\Application Data\Sun\Java\Deployment\cache\6.0\63\7618757f-56fce015 (Trojan.Phex.THAGen2) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1084\A0101711.exe (Trojan.Agent.MOGen) -> Quarantined and deleted successfully.

C:\Documents and Settings\mark\0.05821468732988999.exe (Exploit.Drop.UR.2) -> Quarantined and deleted successfully.

However after a restart Ukash still locked up the admin account. Malwarebytes no longer detects anything.

Upon manual inspection I found the following folder appeared to contain related HTML/web code (ie. the graphic elements and HTML scripts of the Ukash screen):

C:\Documents and Settings\mark\Local Settings\Application Data\gzygwiirrvkfiav

I took a copy of the folder and removed it - upon restart the admin account still locks up but displays what appears to be a standard "cannot find web page". The screen and keyboard remain locked and again a soft power-down is the only option. I cannot find any reference to the folder I removed using "findstr" or regedit in safe mode.

Log files attached.

Many thanks for any help you can provide!

-Mark.

dds.txt

attach.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Post back the report which should be located on your desktop.

Hi MrC

Many thanks for the quick reply and help. Report:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Safe mode with network support

User : mark [Admin rights]

Mode : Scan -- Date : 09/10/2012 12:31:29

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : fciyipglrirkbyk (C:\Documents and Settings\All Users\Application Data\fciyipgl.exe) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-1843047913-345290432-184331730-1005[...]\Run : fciyipglrirkbyk (C:\Documents and Settings\All Users\Application Data\fciyipgl.exe) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD161HJ +++++

--- User ---

[MBR] fa0b91f9b6585bda439bcf6b8f37733f

[BSP] dfe4c0bfa859120fb83a6a1aa43abcee : MBR Code unknown

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 149158 Mo

2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 305572365 | Size: 3380 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : fciyipglrirkbyk (C:\Documents and Settings\All Users\Application Data\fciyipgl.exe) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-1843047913-345290432-184331730-1005[...]\Run : fciyipglrirkbyk (C:\Documents and Settings\All Users\Application Data\fciyipgl.exe) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~

Are you on a wireless network or network?

MrC
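The two registry entries MrC has Mark delete above are the whole persistence mechanism: a Run value under the admin user's hive (HKCU, and the same account's S-1-5-21-...-1005 key under HKUS) pointing at a randomly named executable dropped in a user-writable Application Data folder. That also explains the first symptom in the thread, a lock screen that fired only when the admin account logged in. The script below is an added triage example, written for this thread and not part of RogueKiller or anything posted by MrC or Mark; it parses [RUN] lines in the format RogueKiller printed above and scores each autorun entry on those same signals (tool flag, user-writable location, machine-generated-looking name, per-user versus machine-wide scope). The sample report is constructed from the lines quoted in this thread; the avast line and its Program Files path are made up as a benign entry for contrast.

```python
"""Triage autorun ([RUN]) entries from a RogueKiller-style report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the RogueKiller lines quoted in this thread.
# The avast entry and its path are constructed as a benign entry for contrast.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : fciyipglrirkbyk (C:\Documents and Settings\All Users\Application Data\fciyipgl.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1843047913-345290432-184331730-1005[...]\Run : fciyipglrirkbyk (C:\Documents and Settings\All Users\Application Data\fciyipgl.exe) -> FOUND
[RUN] HKLM\[...]\Run : avast (C:\Program Files\AVAST Software\Avast\avastUI.exe) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# [RUN][<optional flag>] <key>\Run : <value name> (<image path>) -> FOUND
RUN_LINE = re.compile(
    r"^\[RUN\](?:\[(?P<flag>[^\]]+)\])?\s+"
    r"(?P<key>\S+?)\\Run\s*:\s*(?P<name>\S+)\s+"
    r"\((?P<path>[^)]+)\)\s*->\s*FOUND\s*$"
)

# Directories an unprivileged user can write to on XP-era layouts.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")
# Locations where legitimately installed software normally lives.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    scope: str        # which accounts this Run value fires for
    reasons: list[str]
    severity: str     # high / medium / low


def looks_random(name: str) -> bool:
    """Heuristic for generated names: few vowels or long consonant runs."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.25 or longest >= 4


def scope(key: str) -> str:
    """Map the registry root of a Run key to the accounts it affects."""
    k = key.upper()
    if k.startswith("HKLM"):
        return "all users"
    if k.startswith("HKCU"):
        return "current user"
    m = re.match(r"HKUS?\\(S-1-5-21-[\d-]+)", k)
    return f"user {m.group(1)}" if m else "unknown"


def triage(report: str) -> list[Finding]:
    """Parse every [RUN] line and score it; non-[RUN] lines are ignored."""
    findings: list[Finding] = []
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        low = m["path"].lower().replace("/", "\\")
        reasons = []
        if m["flag"] and "SUSP" in m["flag"].upper():
            reasons.append("tool flagged the image path as suspicious")
        if any(d in low for d in USER_WRITABLE) and not low.startswith(SYSTEM_DIRS):
            reasons.append("image lives in a user-writable profile directory")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(m["name"]) or looks_random(stem):
            reasons.append("value or file name looks machine-generated")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        findings.append(Finding(m["key"], m["name"], m["path"], scope(m["key"]), reasons, severity))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.severity.upper():6} {f.scope:45} {f.name} -> {f.path}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run against the sample, both fciyipgl entries come out high (all three signals present) while the constructed avast entry is low, and the scope column shows why only one account was affected: the executable sits in the shared All Users profile, but the Run values that launch it live in a single user's hive, so any other account logging in never starts it. Deleting those two values, as MrC directed, is what stopped the lock screen even though the Malwarebytes quick scan afterwards found nothing left to report.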


Please create a new system restore point before you run ComboFix.

If after running ComboFix you can't connect to the internet, please use that system restore point and that will correct the problem.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Please create a new system restore point before you run ComboFix.

Sorry I'm not sure what you mean by this - I'm running XP, is there some automated restore point utility I should use, or do you just mean I should manually backup files I need first? Thanks.


The link below should explain how to create a new system restore point:

http://support.microsoft.com/kb/948247

Thanks, but I cannot get it to work - I never get the option to create a restore point, only to restore from an existing one.

Have tried various things, searched online (can't see anyone else ever had this issue), but cannot get it to let me create a restore point.

Is there any alternative to this, or will I have to skip it and rely on manually resetting the internet settings if it goes wrong?


Download the attached restore.zip

Unzip it and double click on restore.vbs

Give the restore point a name

Click OK

It takes a couple of minutes to create.

When the hard drive stops flashing you'll know it's done.

Check to see that it has been created

If it was created > please run ComboFix now.

MrC


How's the computer since we ran RogueKiller??

~~~~~~~~~~~~~~~~~~~~~~

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MrC


PC is OK since running RogueKiller, but then I'm just leaving it in safe mode and not doing anything apart from what you're telling me :)

FSS log:

Farbar Service Scanner Version: 06-08-2012

Ran by mark (administrator) on 10-09-2012 at 16:01:28

Running from "C:\Documents and Settings\mark\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is set to Disabled. The default start type is Auto.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:

The start type of netman service is OK.

The ImagePath of netman service is OK.

The ServiceDll of netman service is OK.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

aswTdi(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x09000000040000000100000002000000030000000900000008000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****


System restore has to be working because the latest restore point made was yesterday:

RP1121: 09/09/2012 11:03:15 - System Checkpoint

~~~~~~~~~~~~~~~~~~~~~~

Reboot into normal mode and see how it is.

Then..............

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC


OK I have rebooted into my admin account, all seems relatively normal...!

Updated MBAM and ran the quick scan but it didn't find anything... shouldn't the fciyipgl.exe referenced in the bad registry entries have been picked up?

Log:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.10.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

mark :: xxxxxxx [administrator]

10/09/2012 16:30:54

mbam-log-2012-09-10 (16-30-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 277891

Time elapsed: 25 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Updated MBAM and ran the quick scan but it didn't find anything... shouldn't the fciyipgl.exe referenced in the bad registry entries have been picked up?

No, RogueKiller took care of it.

~~~~~~~~~~~~~~~

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


OK, I will delete it. I assume nobody wants copies of the exe or the html files/scripts then?

I will check everything thoroughly tonight then either report back on here if there are still issues or I will click on that PayPal button :) Thanks very much for all the quick help, it's really appreciated!


When you get a chance.....

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/05/18 22:25:28 | 000,013,902 | -HS- | C] () -- C:\Documents and Settings\mark\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
    [2011/05/18 22:25:28 | 000,013,902 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
    :Commands
    [EMPTYJAVA]
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


Sorry for the delay doing this part, here is the log file:

All processes killed

========== OTL ==========

C:\Documents and Settings\mark\Local Settings\Application Data\ueu4ue45lg20w7c4ddf moved successfully.

C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf moved successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: jo

->Java cache emptied: 655837 bytes

User: LocalService

User: mark

->Java cache emptied: 11956898 bytes

User: NetworkService

Total Java Files Cleaned = 12.00 mb

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 32768 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User

->Temp folder emptied: 32768 bytes

->Temporary Internet Files folder emptied: 57257 bytes

->Flash cache emptied: 56475 bytes

User: jo

->Temp folder emptied: 392508767 bytes

->Temporary Internet Files folder emptied: 18811474 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 396419820 bytes

->Google Chrome cache emptied: 15047726 bytes

->Flash cache emptied: 30757 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 3345282 bytes

User: mark

->Temp folder emptied: 1411361599 bytes

->Temporary Internet Files folder emptied: 788343527 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 296860851 bytes

->Google Chrome cache emptied: 10674136 bytes

->Flash cache emptied: 2172164 bytes

User: NetworkService

->Temp folder emptied: 933888 bytes

->Temporary Internet Files folder emptied: 3663457 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2195181 bytes

%systemroot%\System32 .tmp files removed: 1262609 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 154452192 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10589163 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 4990202 bytes

RecycleBin emptied: 180828999 bytes

Total Files Cleaned = 3,524.00 mb

OTL by OldTimer - Version 3.2.61.3 log created on 09132012_224718

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_734.dat not found!

File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_114.dat not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
