
uando malware


Solved by AdvancedSetup

I'm running Windows 10. I ran this thing by accident the other day: https://forums.malwarebytes.com/topic/265338-uando-malware/

A summary of events in order as best I can remember is:

- I scanned the file with Windows Defender and MalwareBytes. Neither one prompted a detection.

- I ran the file, which seemed to run as intended.

- After closing it, Defender popped up warning it as a trojan.

- I ran scans with both Defender and Malwarebytes, neither of which detected anything.

- I ran Sysinternals' Autoruns to look for suspicious entries and found the scheduled task pointing towards it in the Appdata\roaming\uando directory, upon which I deleted the task and file. Since the task to run it was scheduled to activate later in the day and every 5 minutes after that, I don't think it had run yet.

- I turned UAC back on.

- I ran HitmanPro, which didn't detect anything.

- I ran sfc /scannow and DISM, neither of which reported any errors.

- I combed through the entire lists of services and scheduled tasks manually checking that none of them appeared suspicious.

- I backed up everything I could and made a new restore point.

- At some point Defender stopped working and only displayed a blank screen when opening it; this was after it had already done its scan.

- My computer gradually became unresponsive and explorer.exe crashed and refused to start up again, at this point I could only restart. I had a BSOD a day prior to this, so I'm not sure if this is actually related to the virus.

- After restarting everything seemed normal.

- I checked all running processes and services, didn't find anything sus.

- I checked Defender again and it now worked fine. I noticed that the uando directory had been added to its list of excluded folders when scanning and removed it.

- I ran scans of the C drive with Defender and MalwareBytes again, and Hitman Pro again, and did a Defender offline scan again. No detections.

- I ran chkdsk which detected and fixed some issues. I ran sfc /scannow and DISM again which were still clear.

- I ran a full scan of all drives with MalwareBytes which returned one dodgy exe from a years old folder which I deleted manually. This is the attached log.

- I changed several passwords just in case.

 

Given how it tried to hide the uando folder from Defender I'm inclined to believe that was the only place the trojan set itself up, and I think I managed to clear it out before it really did anything, but I want to be as sure as I can that it isn't still hiding somewhere.

 

Edited by AdvancedSetup
Logs removed per request
  • Root Admin

Hello @CheckedIn

You have an old compromised version of Java on the computer. Please go to Control Panel, Programs, Programs and Features and uninstall it.

Java 8 Update 201

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


Thanks for responding, just a few questions first then.

Will the removed data affect the browser session, in clearing what pages it opens on the next launch? Or is that just general advice that the browser will be force closed by running the fix?

Will the browser's stored passwords be removed? I'd considered doing this myself honestly, but I do need to set up a proper password manager first. I thought the browser's cookies being deleted would just remove the sites remembering me being logged in, rather than removing the passwords from the browser's storage.

Should I install the newest version of Java after removing the old one and before running the fix, or should I wait until after running the fix to install Java again?

Will UAC being on interfere with this at all?

I noticed the line "HKLM-x32\...\Run: [Genshin Impact Beta_Launcher] => [X]" in the document, what in particular would this do? I know Genshin Impact has a contentious anti-cheat driver with it, but I haven't seen any proof of it being abused. Would this remove Genshin Impact, or what?

Lastly, there's the line referencing " "D:\start.exe" ", but I don't have a D drive on this computer at all. Is that ok?

  • Root Admin

The fix will force close browsers and apps.
It will not remove saved passwords, but clearing your Sync in Google Chrome (highly recommended) will. It removes cookies, which often store the connection, not the actual password, but once removed, if you don't know the password it will need to be reset.

If at all possible you should really try to run your computer without Java. It is often one of the key ways where exploits over time have been found that allow someone to attack your computer.

The UAC will not affect the fix.

It would remove the run entry, not the file, for Genshin, thus not auto-launching on every boot-up.

Then removing the D:\start entry is a good thing.

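The following is an added example and is not code from the thread, from Malwarebytes or from FRST. It is a read-only PowerShell triage that covers the checks the original poster did by hand with Autoruns (scheduled tasks pointing into AppData\Roaming with a short repetition interval, the Defender folder exclusion) and the HKLM-x32 Run entry asked about just above: it lists scheduled tasks whose actions run from user-writable profile paths together with their repetition interval, the Run/RunOnce values from both the native and WOW6432Node hives (the hive FRST abbreviates as HKLM-x32) and flags values whose target file no longer exists, and the Microsoft Defender path and process exclusions. The regex of "user-writable" paths and the finding labels are this example's own assumptions, not any tool's notation. Run it from an elevated prompt; it deletes nothing.

```powershell
<#
 Added example (not from the thread, Malwarebytes or FRST): read-only persistence triage.
 Run elevated. Reports only; review the output and remove entries yourself.
#>

# Paths a dropped payload commonly lives in (assumption for this example, not a standard list)
$userWritable = '(?i)\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\|\\ProgramData\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Name, [string]$Target, [string]$Note) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Target = $Target; Note = $Note })
}

# --- 1. Scheduled tasks whose action runs from a user-writable path -------------------
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }            # COM-handler actions have no Execute
        $cmd = ($action.Execute + ' ' + $action.Arguments).Trim()
        if ($cmd -notmatch $userWritable) { continue }
        # Repetition.Interval is ISO 8601 duration text, e.g. PT5M = every 5 minutes
        $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }) -join ','
        $repeat = if ($interval) { $interval } else { 'none' }
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd "state=$($task.State); repeat=$repeat"
    }
}

# --- 2. Run / RunOnce autostart values, 64-bit and WOW6432Node (FRST: HKLM-x32) hives ---
# HKCU: here is the hive of the account running this elevated session.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }           # skip PSPath/PSParentPath/... metadata
        $value = [string]$prop.Value
        # Pull the executable out of a quoted or unquoted command line
        $exe = if ($value -match '^\s*"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $note = if (-not $value) { 'empty value' }
                elseif (-not (Test-Path -LiteralPath $exe)) { 'target missing (orphaned entry)' }
                elseif ($value -match $userWritable) { 'runs from user-writable path' }
                else { 'ok' }
        Add-Finding 'RunKey' "$key\$($prop.Name)" $value $note
    }
}

# --- 3. Defender exclusions (the thread's payload folder had been added here) -----------
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $note = if ($p -match $userWritable) { 'user-writable path excluded' } else { 'review' }
        Add-Finding 'DefenderExclusion' 'Path' $p $note
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p) { Add-Finding 'DefenderExclusion' 'Process' $p 'review' }
    }
} catch {
    Add-Finding 'DefenderExclusion' 'n/a' '' "Get-MpPreference failed: $($_.Exception.Message)"
}

$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

A task that repeats every few minutes from a folder under AppData, or an exclusion covering that same folder, is the combination described at the top of the thread; an orphaned Run value (target missing) is the harmless leftover the moderator's reply describes, and removing it only stops a failed launch attempt at boot.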
  • Root Admin

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

After the ESET scan has completed please run this Microsoft Safety Scanner.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.


Well the ESET scan took forever and mostly just complained about CheatEngine being a PUP. It did however also point out the Opera extension FlashVideoDownloader as malware, which apparently was updated at some point to track the user, so I've gone and removed that.

During the MSS scan I had a BSOD before it finished, so I had to run it again. The BSOD was a CRITICAL_SYSTEM_CORRUPTION: ntfs.sys one, but I had the same thing once about three months ago, and both times it was when clicking on a browser tab, so I don't think it's related to this virus. I'll have to run memtest later to check in regards to that, but yeah. The MSS scan has a bunch of scan errors, but reports no viruses.

Edited by AdvancedSetup
Logs removed per request
  • Root Admin

Thank you for the log. Let me have you run FRST one more time and provide updated logs so that I can review them.

How is the computer running now?

Are there still any signs of an infection or issue?


Aside from that BSOD, I haven't noticed any issues since the computer becoming unresponsive on the first day. So hopefully that's it for virus problems, at least.

If you could remove these logs from the post after you've checked them that'd be great, since they still provide more info than I'm comfortable posting openly.

Edited by AdvancedSetup
Logs removed per request
  • Root Admin

You're quite welcome.

Take care and stay safe out there. The closing speech will include a link with information to help you better protect your data and privacy. I would recommend you bookmark and read as you have time. If you have questions please come back and make a new post and let us know.

Cheers

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.