Rootkit Problem :S


TMDaines wrote:

 

1) Where did this "infection" likely come from?

 

2) How did this "infection" bypass Norton? Is it a new piece of malware or is Norton simply incapable of detecting and protecting against malware of this type?

 

3) Presumably just using Norton 360 isn't enough. What other pieces of anti-malware would you recommend that would give me a reasonable increase in the level of protection over that which I have now? Malwarebytes Anti-Malware is suggested repeatedly here. Anything else that would be consider must have?

 


1. I cannot say for certain how this one got into your system, but more than 50% of the threats in the wild today spread through webpages, using either bugs in various programs that have web support, like Adobe Acrobat, Flash or Java, or by simply tricking the user into accepting the installation. In your case it could be recommended to, after having the PC cleaned, check that any programs or plugins you might have are updated with the newest versions. It could also be as simple as a popup blocker that would have prevented the malicious page from opening and infecting your system.

 

2. Both actually. This infection has been an issue for Norton for a while now and it is not entirely known how it bypasses the security, but the engineers are working hard on it. It also comes out in a new, slightly updated version every now and then, making the whole thing a bit harder.

 

3. Malwarebytes is a very good program, but unless you pay for it you will only get the option to scan the system, not the realtime protection. I myself only use Norton as active protection atm, but I have other tools at my disposal also. Just keep in mind that having too many programs with realtime protection could actually cause more issues than it would protect you from.

 

jAW

Message Edited by jAW on 07-14-2009 01:14 PM

Thank you for the responses.

 

Judging from your explanations and my own initial feelings I feel that it wasn't through any fault of my own which led to me receiving the rootkit. I do already use NoScript but most of the time I turn it off simply because it is overkill most of the time. I should probably get into the habit of manually trusting websites and globally forbidding otherwise.

 

Let's hope Quads can work some magic here.

 

Hi

 

We will start with the safer option

 

Now (read carefully): if you have Spybot S&D, uninstall it.

 

Also, during the restarts with Avenger, if your PC has a startup repair center, like HP and Toshiba have, tell it to start normally if it kicks in.

 

1. Download Avenger to your desktop.

 

Unzipped version: http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website: http://swandog46.geekstogo.com/avenger2/avenger2.html, with a zipped version to unzip to the desktop.

 

2. Click to run "Avenger.exe" (right click, "Run as Administrator" if using Vista).

 

3. In the "Input script here:" box, copy and paste the script between the lines:

 


Drivers to disable:
UACd.sys

Drivers to delete:
UACd.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\WINDOWS\system32\drivers\UACd.sys
C:\WINDOWS\system32\drivers\geyekrerbtrckm.sys
C:\WINDOWS\system32\geyekrxaevbvtm.dll
C:\WINDOWS\system32\uacinit.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\UACd.sys


 

Here is a screenshot (script updated since shot)

 


 

Make sure "Automatically disable any rootkits found" is NOT selected.

 

4. Click "Execute".

 

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then, when it looks as though Windows is loading, the PC will restart again.

Then, when Windows fully loads, the Avenger log will be loaded, showing the files it could or could not find.

 

5. Restart the PC again, then see if you can install, update and run Malwarebytes.

 

Quads  
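As an added example (not from the thread and not part of the Avenger tool), here is a small Python parser for the script format used in step 3, with the consistency checks a technician would want to run over such a script before clicking Execute: every driver to be deleted should also be disabled, have its file path listed, and have a Services key listed for removal. The embedded sample is a shortened, constructed copy of the script posted above; the section-header and Services-key patterns are assumptions based only on what the thread shows.

```python
import re
from collections import defaultdict

# Avenger section headers and the per-ControlSet Services key pattern (group 1 is
# the service name), both as they appear in the script posted in the thread.
HEADER_RE = re.compile(r"^(Drivers to (?:disable|delete)|Files to delete|Registry keys to delete):$")
SERVICE_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$", re.I)

# Constructed sample: a shortened copy of the script Quads posted above.
SAMPLE_SCRIPT = r"""Drivers to disable:
UACd.sys

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACd.sys
C:\WINDOWS\system32\geyekrxaevbvtm.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
"""

def parse_avenger_script(text):
    """Group non-blank lines under their section header; reject entries before any header."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            current = m.group(1)
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return dict(sections)

def review_script(sections):
    """Consistency warnings worth reading before clicking Execute (names compared case-insensitively)."""
    disabled = {d.lower() for d in sections.get("Drivers to disable", [])}
    files = {p.rsplit("\\", 1)[-1].lower() for p in sections.get("Files to delete", [])}
    services = {m.group(1).lower() for k in sections.get("Registry keys to delete", [])
                if (m := SERVICE_RE.match(k))}
    checks = (("disabled first", disabled), ("listed under 'Files to delete'", files),
              ("given a Services key under 'Registry keys to delete'", services))
    return [f"{drv}: not {what}" for drv in sections.get("Drivers to delete", [])
            for what, seen in checks if drv.lower() not in seen]
```

Running `review_script(parse_avenger_script(SAMPLE_SCRIPT))` returns an empty list for the sample, while a script that deletes a driver without disabling it or removing its service key gets one warning per missing item.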

OK. Avenger now running, let's see how this goes.

 

So on boot I run MalwareBytes and deal with whatever it finds?

You have a newer rootkit, so Avenger hopefully will get it after a double reboot.

 

Avenger will create a log when finished.

 

If it is a variant on the likes of SKYNET or Hjg***, a different script is required.

 

Malwarebytes is just to mop up bits left over that are not the rootkit; after the rootkit is gone, Malwarebytes and Norton etc. should work correctly.

 

Quads 

OK, so I ran Avenger; it automatically rebooted, started to boot and then rebooted again as per your instructions. The Avenger log was there and seemingly it couldn't find many (if any) of the files. I then rebooted like requested and got spammed with,

 

"WerFault.exe - Bad Image

'globalroot\systemroot\system32\geyekrxaevbvtm.dll is either not designed to run on Windows or it contains an error....' "

 

upon loading the desktop and when opening any other file or application. I then ran Malwarebytes as requested (albeit just a quick scan, to quickly check if it picks up the files as it did upon doing only a quick scan last time). Whilst running this, however, Norton 360 popped up alerting me that it had detected Trojan Horse again. However, the only thing Malwarebytes picked up during the quick scan was 'avenger.exe', thus surely a false positive.

 

Norton 360 is not working still. Only an asterisk appears when it should be scanning files.

 

Avenger log is attached.

 

Any more requests whilst I run a full Malwarebytes scan?

Well that didn't work, could get the files

 

Now

 

1. Download Combofix to your Desktop: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Don't use yet.

 

2. I have Personal Messaged you the script between the lines; look for the yellow envelope at the upper right hand side. Copy the script.

 

3. Open Notepad and paste it into Notepad, with the first line being killall::

 

4. Save the script as "CFScript.txt". CFScript.txt is what you see on your desktop after saving.

 

5. Disable Norton's Auto-Protect and Firewall.

 

6. Drag and drop CFScript.txt on top of Combofix.exe, like when you drop files into the recycle bin.

 

7. Combofix will start. When it is scanning, don't move the mouse cursor inside the box; it can cause freezing.

 

Quads  

I did as you requested but got plagued by,

 

" 'globalroot\systemroot\system32\geyekrxaevbvtm.dll is either not designed to run on Windows or it contains an error....' "

 

about 50 times. Once I finally clicked through them all a command prompt style window opened titled Administrator before I bluescreened about two seconds later.

OK, rebooted now and no spam from the randomletters.dll file this time! Before I could turn my Norton 360 firewall and anti-virus auto-protect back on however Norton notified me that it had found a Packed.Generic.238. Norton's Virus and Spyware scan is still only showing an asterisk.

 

I hope this is at least progress!

 

 

OK, have you got the Combofix log there??

 

 

C:\Combofix.txt.

 

Quads 

The C:\ComboFix file isn't specified as a filetype, nor will it let me "Open" it to attach it, since apparently I need to contact the File Owner/Administrator (which is naturally me).

Message Edited by TMDaines on 07-14-2009 08:09 PM

Is it a file that you are looking at not a folder??

 

Quads 

In the C: drive (of relevant interest) I have a ‘ComboFix’ file with no extension, an empty ‘logs’ folder and a new Qoobox folder - which by googling I understand is related to ComboFix.

In fact the ComboFix file seems to be a Computer Management file? I can right-click and select Manage from the right-click context menu.

Qoobox is Combofix's quarantine folder.

 

OK, with the Combofix file, right click and rename it, placing the txt extension on Combofix to create combofix.txt.

 

 

Then you can attach it.

 

 

Quads 

Already tried. Renaming ‘ComboFix’ to ‘ComboFix.txt’ doesn’t change the situation. Do I need to edit it elsewhere?

Message Edited by TMDaines on 07-14-2009 08:42 PM

Interestingly enough, copying the file creates it as a File Folder type, but I still cannot attach it for the same reasons.

What is combobox?? I said combofix.txt.

 

Quads 

Sorry, I meant combofix.txt.

Would it be safe to run ComboFix again with that script? I’m asking because when I ran it before it did nothing like this: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. As I said it bluescreened after I got spammed with messages from randomletters.dll.