globalroot\systemroot\system32\UAClldofojweb.dll

Greetings to you all,

 

First I'd like to thank you in advance for the assistance you've provided for all on this board.

 

Second I'd like some specific help about the globalroot et al. infections.  I've read and subscribed to 10 RSS feeds tracking what may be the same problem.  I am at a stage where I need guidance since I'd like to avoid killing my computer along with the virus I'm hunting down.

 

Steps I've taken :

 

Scanned several times in normal and safe mode with 

 

Symantec Antivirus v.10.1.5.5000 (client)

With scan engine 81.3.0.13. 

Each time updating definitions.

It came with the PC, but I've no disks 

 

I am considering getting a new version for 2 PC's in house but unsure which version I should choose... What is more I suspect there is an infection on the other computer as well... Perhaps even stemming from the latter being infected by a false virus scan Trojan.  Recommendations will be gladly taken.

 

I scanned my PC at first because of a persistent message that a Bloodhound virus was infecting my PC but not being removed.  But now Trojan.Metajuan has infected my system and all scans instruct to reboot but SIN cannot complete the disinfection.

 

I read the threads relating to Trojan.Metajuan but have only run one additional anti-malware software: Malwarebytes, which was blocked at first but worked when renaming the file.

 

I then discovered a rootkit infection similar to the one found in this posting, but now I'm completely unsure which infection I have, if it is a singular infection, and what procedure to take in order to disinfect the system.

 

I am attaching the 4 log files from MBAM FYI.

 

mbam-log-2009-08-24(17-58-45) was run in safemode after updates.

mbam-log-2009-08-24(19-45-30) was run again in safemode after restart.

mbam-log-2009-08-24(22-42-45) was run in safemode using administration login after updates.

mbam-log-2009-08-25(11-08-45) was run again in normal mode after restart.

 

Other particularities about my system if needed :

 

AMD Athlon 63 X2 Dual Core Processor 5000+

 

Running MS XP Professional v.2002 Service Pack 3

 

On this PC I also have MySQL, PHP 5.0 and Apache 1.3 installations since I'm learning to develop in AMP  (if that is a consideration)

 

I have some experience successfully hunting for viruses but I am far from an expert.

 

I think I've prattled on too much already. I'd appreciate your help greatly, preferably before I start eating my keyboard and using Bug Off on my hard drive. :robotvery-happy:

 

Many thanks,

 

PatChe

 

P.S.

 

Forgot to mention the effects on my PC.  Browser hijacks on Google searches, both IE and FF, as well as persistent Google Updater crashes.  Once every 5 minutes.

 

Further note that USB is unaffected, but I am getting FF and IE browser hijacks and suspicious spam that had never occurred before due to the ISP spam blocker and NIS and Outlook filters...  But this may be unrelated to the problem.

 

Message Edited by PatChe on 08-25-2009 12:36 PM


 

Please note that this is a copy of a message that I posted at the end of the following thread.

http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=14205&view=by_date_ascending&page=4

 

I am reposting as a new message because of the resolved notice on the original post which I noticed after typing out my message.


Message Edited by PatChe on 08-25-2009 01:27 PM
Message Edited by PatChe on 08-25-2009 01:30 PM

PatChe:

 

See if you can run a GMER log for us to provide a list of logs and to make sure you haven't got more than one rootkit.

 

http://www.gmer.net/

After it is downloaded to your desktop, right click on the icon, go to properties, and click unblock and apply.

 

Please scan only, and do nothing else until our malware guru, Quads has a look at the log.  He will be along later due to time zone differences.

Hello Delphinium,

 

Many thanks for the prompt reply.

 

I downloaded the zip file from http://www.gmer.net/ and renamed it to be safe (ghomer), then launched the exe - not sure if necessary but what the hey! Although I moved too quickly and did not unlock and apply... ?:robotsurprised:

 

GMER launched though; does the missing step make a difference?  Should I lock it now?  What is more, my OS is in French, so what you mean by "lock" is Déblocker?

 

 

Lock.jpg

 

Rootkit activity was detected.  Attached is the log file.

 

I suppose I just have to exit the program in order to ensure no further actions can be taken?

 

Thanks Delphinium,

 

PatChe

 

 

Hi PatChe:

 

That log is helpful.  Quads will have a look and decide if he needs anything further.  As long as the scanner worked, the unblocking is unnecessary.  For some, the latest Microsoft security hotfixes have changed how programs are opened.

Delphinium,

 

GMER seems to be a very interesting and enlightening program...  Like a task manager with muscle?  If you don't mind me asking, what is UAC.sys and why in GMER is it related to svchost.exe?  What is more, are there reference sites you can recommend that explain some of the "processes", "services", "modules", etc. that are shown in GMER?

 

In the meantime I await Quads.

 

Thanks,

 

PatChe

PatChe:

 

GMER is interesting and enlightening, but it can also cause immense damage to the user's operating system in the hands of an inveterate tinkerer.  I highly recommend its removal at the end of the procedures. :smileywink:

 

UAC is the name of one of the rootkit infections.  Very nasty things requiring very careful removal.

Message Edited by delphinium on 08-26-2009 08:15 AM

Oh...

I see... 

 

I've tinkered a system or two to near death before.  I'll take that recommendation quite seriously then.

(Now where did I put that old PC ? ; )

 

Thanks.

I’ve been there, done that myself.  Quite the learning experience. :smileysad:

Hi

 

You do have these 2 files; I have no idea what they are for:

 


System32\Drivers\a1c1ccas.sys

System32\drivers\fxfopcki.sys


 

If you have Spybot S&D installed remove it 

 

Also, during the restarts with Avenger, if your PC has a Startup Repair center like HP and Toshiba machines have, tell it to start normally if it kicks in.

 

1. Download Avenger to your desktop,

 

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

OR the creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with the zipped version, to unzip to the desktop

 

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

 

3. In the "Input script here:" box, copy and paste the script between the lines

 


Drivers to disable:

UACd.sys

 

Drivers to delete:

UACd.sys

 

Files to delete:

C:\WINDOWS\system32\drivers\UACsyodhtixpe.sys

C:\WINDOWS\system32\UACxxykyhmpap.dll

C:\WINDOWS\system32\UAClldofojweq.dll

C:\WINDOWS\system32\UACpiewbeaelw.dll

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACepxalrqqaw.dat

 

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\UACd.sys 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\UACd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\UACd.sys

HKEY_LOCAL_MACHINE\SOFTWARE\UAC


 

Here is a screenshot (script updated since shot)

 

Avenger.jpg

 

Make sure the "Automatically disable any rootkits found" is NOT selected

 

4. Click "Execute"

 

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer; then, when it looks as though Windows is loading, the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

 

5. Restart the PC again, then see if you can install, update and run Malwarebytes  http://www.filehippo.com/download_malwarebytes_anti_malware/

 

Quads   

Greetings Quads and Delphinium,

 

I've followed your instructions Quads. Please find attached both the Avenger and Malwarebytes logs.

 

Note : Spybot S&D or Startup repair programs are not installed on my PC. My OS  is Win XP professional (service pack 3).

 

1) I ran Avenger with your script using my default user with admin privileges - in normal mode. 

 

According to the Avenger log some files were disabled and deleted yet some were not found.  I hope this is a positive sign nonetheless.

 

2) I then updated and ran Malwarebytes in normal mode and using my regular user (admin privileges but not Admin like in safe mode).  Nothing was detected afterward.

 

I had one hiccup though: since the beginning of this virus hunt I've had Symantec Anti-Virus 10.1.5.5000 run scans on start-up and I forgot to disable it during the process you counseled me to execute in your last message.  SAV detected Trojan.Metajuan and transferred it from C:\Avenger\ to its own quarantine folder (see screen grab below).

 

Although I don't think this is a problem I thought it would be wise to mention it to you.

 

I hope this all makes sense and that it's a positive sign.

 

Are there any other steps you recommend?

 

----

 

As an aside, I am going to be replacing Symantec Anti-Virus with either NIS2009 or Norton 360 for both PCs in our household.  Are there any steps I should be taking before installing one of these new applications (considering that they both had instances of infection)?

 

I truly appreciate this help.

 

Thanks,

 

PatChe

 

Result from NAV scan following Avenger clean-up Script :

 

trojan_metajuan.JPG

 

<<edit: Image cropped and resized for better viewing>>

Message Edited by TomV on 08-26-2009 08:59 PM

Hi Patche:

 

It sounds like everything went well.  There are a lot of additional entries in the Avenger script to make sure nothing is missed.  When it comes back as failed, it just means that it wasn't there.

 

 

When you remove Symantec Antivirus from your system, you will need a special tool that is not available to us, because we just deal with the consumer end of things.  You will need to check in at the corporate forum to see what they recommend. 

 

Before you install a new Norton product ( I love my NIS2009) you should disable system restore, run a scan with SAV, run another scan with MBAM, disconnect from the net. 

 

Run the removal tool for SAV a couple of times with a reboot between, and then install the new product. You can buy a disc, usually at a discount, download the latest version from the Symantec website, and use the key from the disc to activate.

 

www.symantec.com/connect        Corporate forum

 

 

If your antivirus didn't also remove Avenger from your system as well, that should be removed to prevent idle curiosity.

 

When you are sure you are free of malware, please go to the post that solved the problem and click on the green button, so that we know you are done.

 

Best wishes

 

 

 

Hi Delphinium,

 

Thanks for the response.  It was very informative, much appreciated and quite timely.  (Wish I had done it sooner) 

 

I am proceeding with additional scans with SAV and Malwarebytes to "Really" ensure that all is clear on my computer PC-A.

 

On another yet similar vein: I am running the same "first step" regimen that you and Quads instructed me to do on the kids' computer, PC-B.

 

I have found similar listings for UAC and other items using Malwarebytes (SAV had not recognized it at all).

 

In the event that the infection found on the kiddie-winkles' computer PC-B is similar to PC-A, should I post the results here as a continuation of this thread?

 

If the log files from PC-B match, or have similar traces to PC-A will running the Avenger script be effective?

 

Furthermore, I believe that my present issue stems from a "mishap" initiated on PC-B... so, considering that both PCs share the same DSL connection (through a Linksys hub), would a Trojan activated on that PC have been the source of infection for PC-A?  I'm thinking it's likely but I'm looking for an opinion.

 

About NIS:

NIS2009 seems to be what I'm looking for.  Although I'm not too sure what added benefits Norton 360 would have I am inclined to invest in NIS.

 

Thanks,

 

 

Log from PC-B.  Thought it might not be such a bad idea after all.


 

 

Message Edited by PatChe on 08-26-2009 02:25 PM

Hi PatChe:

 

If you need to clear the second machine,  you will need to start with the Sysprot again to make sure there is only one.  Sometimes there are two, but with the same name, so it is hard to tell.

 

For that reason, the scripts may be different.  With rootkits, similar doesn't always cut it.  Best to start from square one.  You can continue on this thread.

 

It is more likely that the two computers have been to the same place rather than the rootkit accessing the other computer through the shared connection.

 

N360 has other utilities with it, such as free online backup.  It is more of a set and forget than NIS.  They share the same antivirus engine, so there is no difference in effectiveness.  NIS2009 is considered more easily customized to the user's preference.  Once NIS is set the way you want, it requires little to no attention.

Hi Delphinium,

 

When you say Sysprot I'm assuming you mean GMER?... In any case I reviewed my Malwarebytes log and discovered to my embarrassment that it had actually removed the offending files.  I ran GMER to detect any hidden rootkits and nothing showed, so I think both systems are clean thanks to you and Quads.

 

I'll be scanning one more time on both systems with SAV and Malwarebytes presently and will mark the problem solved as soon as it's done.

 

If you think that these are two separate incidences then I'm inclined to trust your word... now to find out who's been using my PC... Aaargh... kids. :smileywink:

 

I'd say hope to ttys but I'd rather avoid having to return to fend off another invasion ! :smileyhappy:

 

Many thanks for the guidance, recommendations, and solutions to you both.  You definitely get kudos from me (although I'm not certain how the system works what with those strict criteria).

 

P.S. Thanks for your brief on 360 and NIS2009. I think NIS2009 will suit my purposes best. I hope the switch will be easy.  It seems to me that "the tool" I'm looking for is very difficult to acquire.  We'll see how it goes.

 

PatChe

Good luck PatChe.  Don’t forget to go to the post that solved it and click the green button.

Greetings Delphinium and/or Quads,

 

I have piggybacked this message because I am presently disinfecting the teens' Dell laptop and have found what I believe is the same rootkit activity.

I am disinfecting a DELL inspiron laptop running Windows Vista Family.

 

I was wondering if the Avenger script that solved my issue will remove the rootkit found in the GMER log attached with this post (similar name, UAC)?

 

It appears to me that the titles in red are commands or sequence-of-command notations, and can be customized to include drivers, files and reg keys identified by GMER.  But I can't be sure that I'm not simplifying things here.

 

My question: 

Is the script below customized to remove the UAC rootkit found in the GMER log attached with this post, or is something missing?

 

 

 

Drivers to disable:

UACd.sys

 

Drivers to delete:

UACd.sys

 

Files to delete:

C:\Users\User\AppData\Local\Temp\UAC33f0.tmp
C:\Windows\System32\drivers\UACxmoghwppekwhhcj.sys
C:\Windows\System32\uacinit.dll
C:\Windows\System32\UACliesipfptwywedx.dat
C:\Windows\System32\UACocoibpwheboegrj.dll
C:\Windows\System32\UACpvethdjsivtbamm.dll
C:\Windows\System32\UACrwauojpuynnpuuw.dll
C:\Windows\System32\UACtmcntdevbbxiasd.dll
C:\Windows\System32\UACwcjxknetqosmsnq.log
C:\Windows\System32\UACywkdjpqiglrdvnf.dll

 

Registry keys to delete:

HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys

HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules

HKLM\SYSTEM\ControlSet003\Services\UACd.sys

HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules

 

 Many thanks,

 

PatChe

 

PatChe:

 

Each script has to be custom to each machine.  It may not be suitable for others.  We do not recommend using any advanced tools without Quads' instructions, and we especially don't recommend using a script for one machine on another.  The actual drivers can be different, as can the controlsets.

 

I think we can leave this new post attached to the older one as you are the same poster and there shouldn't be any confusion.  I will advise Quads that you have returned for computer # 2.
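Quads' procedure above hands Avenger a plain-text script with fixed section headers, and Delphinium's point here is that a script written for one machine will list files the second machine does not have and miss the ones it does. The following Python is an added example, not code from this thread or from the Avenger or GMER authors: it parses a script in that format, flags file names that follow the UAC naming pattern seen in the scripts posted above, and cross-checks the script against a constructed directory listing standing in for a second machine (the regex bounds, the sample script excerpt and the listing are assumptions).

```python
import re
from typing import Dict, Iterable, List

# Section headers exactly as they appear in the Avenger scripts in this thread.
SECTIONS = ("Drivers to disable:", "Drivers to delete:",
            "Files to delete:", "Registry keys to delete:")

# Dropped-file naming seen in those scripts: "UAC" followed by random lowercase
# letters and a .sys/.dll/.dat/.log extension, plus the fixed UACd.sys / uacinit.dll.
UAC_RANDOM = re.compile(r"^uac[a-z]{8,20}\.(sys|dll|dat|log)$")  # bounds assumed
UAC_FIXED = {"uacd.sys", "uacinit.dll"}

def is_uac_artifact(path: str) -> bool:
    """Triage hit (not proof of infection) when the file name follows the pattern."""
    name = path.lower().rsplit("\\", 1)[-1]
    return name in UAC_FIXED or UAC_RANDOM.match(name) is not None

def parse_avenger_script(text: str) -> Dict[str, List[str]]:
    """Split a script into its four sections; blank lines are ignored."""
    out: Dict[str, List[str]] = {s: [] for s in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in out:          # a section header starts a new list
            current = line
        elif current is not None:
            out[current].append(line)
    return out

def compare_with_listing(script: Dict[str, List[str]],
                         listing: Iterable[str]) -> Dict[str, List[str]]:
    """Cross-check the script's file list against this machine's own listing.
    not_on_machine      - entries Avenger would log as "not found" here
    missing_from_script - UAC-pattern files present here that the script omits,
                          i.e. what reusing another machine's script would miss
    """
    present = {p.lower() for p in listing}
    wanted = {p.lower() for p in script["Files to delete:"]}
    return {
        "not_on_machine": sorted(wanted - present),
        "missing_from_script": sorted(p for p in present - wanted
                                      if is_uac_artifact(p)),
    }

# Constructed sample: an excerpt of the first script from this thread, checked
# against a made-up directory listing standing in for a second machine.
SCRIPT_PC_A = r"""
Files to delete:
C:\WINDOWS\system32\drivers\UACsyodhtixpe.sys
C:\WINDOWS\system32\UACxxykyhmpap.dll
C:\WINDOWS\system32\uacinit.dll
"""
LISTING_PC_B = [  # constructed, not from any real log
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\UACqwertzuiop.dll",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
]
```

Running `compare_with_listing(parse_avenger_script(SCRIPT_PC_A), LISTING_PC_B)` reports the two PC-A paths as not present and the constructed UACqwertzuiop.dll as a UAC-pattern file the PC-A script would never have touched.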

Hi Delphinium,

 

I suspected so.  Didn't think the gung-ho approach was a good Idea; that's why I posted here.  (: )

 

I am including the Malwarebytes log in the present post for the Dell/VistaFam. FYI.

 

All scans were performed in Safemode.

 

Many Thanks again,

 

B.T.W. : Installed NIS2009 without a hitch.  It is working very well. 

Have to keep it in silent mode though, because I have a constant pop-up since I asked NIS2009 to keep an eye on the svchost.exe process and I can't remember how to deactivate or make the results silent at the moment.  What is more, although I bought and installed the English version of NIS2009, it seems to have installed in French, so I have to do active translations of technical terms each time I try to do additional configuration to the application.  LOL  Good practice for French troubleshooting though.

 

 

 

PatChe:

 

Since you now have NIS2009 on your system you are eligible for the free upgrade to NIS2010.  Don't make the change until the rootkit is cleared, though, and try to get the English version this time. :smileyhappy:

 

Download the new version to your desktop

 


http://www.symantec.com/redirects/norton/norton_com/nis10/

 

 

You would need to remove NIS2009 using the removal tool twice with a reboot each time.  Then install 2010.  It should help a couple of different problems.

 

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&ssfromlink=true&sprt_cid=1a13409b-29db-4397-a286-9dec49f8e252&seg=hho&ct=us&lg=en&docurl=20080828154508EN

 

 

Quads has been advised regards the more serious issue.

Delphinium,

 

NIS2009 to 2010:

I’ll definitely look it up. I appreciate your advice. NIS10 I’m certain it will be worth my while… 

…despite the fact that I’ll have to make a backup of the download on disc and go through re-installation… on 2 PC’s Grrroan… (I liked having a version available on disk for a change - the NIS I had was corporate licencing so I had no Back-Ups)  It never ends does it ? 

It’s nerve-racking when I have 3 programming books to finish studying at the same time !

 

As far as both PC’s on my home/work network goes I think the solution you and Quads provided on this post cleared the rootkit.  But do your figure I should run a check with Malwarebytes and gmer again just to make sure?

 

Dell Laptop issue:

All this delousing of PC’s it makes me wonder why I’m fiddling with this Dell Laptop. (A morbid fascination I suppose).

F.Y.I.: I'm not even sure what AV software was installed on it. I'm pretty sure it was AVG but it could have been AVAST.  The laptop is my son's friend's, who it seems promptly totalled it by installing a fake AV whilst surfing around "surreptitious sites".

If I can’t fix it, well… serves him right and chalk it up to a learning experience.

 

Your help has been indispensable.

 

Many thanks,