Topic: Windows worm in temp folder, xXx.xXx and uUu.uUu

jesfrant

  • Guest
Windows worm in temp folder, xXx.xXx and uUu.uUu
« on: May 15, 2010, 02:51:56 AM »
Hello;
I am new to the forums, but I've been using avast for a while now; love the update, by the way, they've really outdone themselves with it. But anyways, recently I've been hit by a worm; the worm is: Win32/Rebhip.A. -

Worm:Win32/Rebhip.A may gather various information about the system, for example, details of which security software is installed on the system, and which processes or services are currently running. It may also log keystrokes and attempt to gather passwords. Worm:Win32/Rebhip.A sends its collected data to various remote hosts. For example, one variant was observed to contact sly.fcuked.me.uk for this purpose.
-- From the Microsoft Encyclopedia.

It states what it is and how you get it, BUT NOT HOW YOU REMOVE IT! :(
avast does NOT seem to be picking up anything, and I am fearful it has gotten something important from my computer.


Lisandro

  • Avast team
  • Certainly Bot
Re: Windows worm in temp folder, xXx.xXx and uUu.uUu
« Reply #1 on: May 15, 2010, 02:52:41 AM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

jesfrant

  • Guest
Re: Windows worm in temp folder, xXx.xXx and uUu.uUu
« Reply #2 on: May 15, 2010, 03:02:19 AM »
> I suggest:
>
> 1. Clean your temporary files.
> 2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
> 3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
> 4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
> 5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
> 6. Clean your Hosts file (replacing it) with HostsMan tool.
> 7. Disable System Restore and then reenable it again.
> 8. Immunize your system with SpywareBlaster.
> 9. Check if you have insecure applications with Secunia Software Inspector.

I do have logs from MBAM, and it said the files had some malware trace; if you'd like to see them, they said the following...



 Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/14/2010 8:25:24 AM
mbam-log-2010-05-14 (08-25-24).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|Z:\|)
Objects scanned: 461380
Time elapsed: 2 hour(s), 29 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.PWS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\directory\CyberGate (Trojan.PWS) -> Quarantined and deleted successfully.
C:\directory\CyberGate\install (Trojan.PWS) -> Quarantined and deleted successfully.

Files Infected:
C:\directory\CyberGate\install\server.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Users\Jesse\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Jesse\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Delete on reboot.



Even though it said Quarantined successfully, I found that same file kept making more of itself.
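
The items in the log above are ordinary persistence and lockdown tricks rather than anything exotic: one autostart value under the user's Run key, two per-user policy values that hide Regedit and Task Manager, and two dropped files in the user's Temp folder. A file that comes back after "Quarantined and deleted successfully" means a still-running process is re-dropping it, so the useful next step after a cleanup pass (Lisandro's list above, or MBAM) is to re-test each indicator rather than trust the scanner's success message. The PowerShell script below does that; it is an added example written for this thread, not code from the thread or from any of the tools named in it. The value name `hkcu`, the two policy names and the two file names are taken from the posted log; the `-Fix` switch, the `CyberGate` path match and the "process running from the user profile" heuristic are assumptions chosen for illustration.

```powershell
# Added re-check for the indicators in the MBAM log posted above (not code
# from the thread or from Malwarebytes). Run from the infected user's
# account in an elevated PowerShell 2.0+ window; read-only unless -Fix is given.
param([switch]$Fix)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Names taken from the posted log. Everything else below is an assumption.
$runValue  = 'hkcu'
$policies  = @('DisableRegistryTools', 'DisableTaskMgr')
$tempFiles = @('UuU.uUu', 'XxX.xXx')

$findings = @()

# 1. Autostart value that MBAM removed from the user's Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -ne $null -and $run.PSObject.Properties[$runValue] -ne $null) {
    $findings += "Run value '$runValue' is back: $($run.$runValue)"
    if ($Fix) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 2. Per-user policies that hide Regedit and Task Manager
#    (the log reports them as "Bad: (1) Good: (0)").
foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $policyKey -Name $p -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$p -eq 1) {
        $findings += "Policy $p = 1 (expected 0 or absent)"
        if ($Fix) { Set-ItemProperty -Path $policyKey -Name $p -Value 0 }
    }
}

# 3. Dropped files in %TEMP%. MBAM could only schedule XxX.xXx for delete on
#    reboot, which is the usual sign that the file was held open by a process.
#    NTFS name matching is case-insensitive, so XxX.xXx also matches xXx.xXx.
foreach ($f in $tempFiles) {
    $path = Join-Path $env:TEMP $f
    if (Test-Path -LiteralPath $path) {
        $fi = Get-Item -LiteralPath $path -Force
        $findings += "Temp file present: $path ($($fi.Length) bytes, last written $($fi.LastWriteTime))"
        if ($Fix) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    }
}

# 4. A file that returns after deletion is being re-dropped by a live process.
#    Heuristic (assumption): flag processes whose image lives under the user
#    profile or in a path containing "CyberGate", where the log found server.exe.
foreach ($proc in Get-WmiObject -Class Win32_Process) {
    $exe = $proc.ExecutablePath
    if ($exe -and ($exe -like "$env:USERPROFILE\*" -or $exe -like '*\CyberGate\*')) {
        $findings += "Process from user-writable path: PID $($proc.ProcessId) $exe"
    }
}

if ($findings.Count -eq 0) { 'None of the indicators from the MBAM log are present.' }
else { $findings }
```

Save it as, for example, `check-rebhip.ps1` and run it once to see what is present, reboot, and run it again: anything that reappears between the two runs was re-created by something that survived the cleanup, and section 4 of the output is where to look for that something. `-Fix` removes only the artifacts the log named; it does not stop the process dropping them, so the boot-time scan in step 2 of Lisandro's list is still the right way to get rid of the dropper itself. Because the script changes HKCU, it must be run as the affected user (`Jesse` in the log), not as a different administrator account.
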

Saty

  • Guest
Re: Windows worm in temp folder, xXx.xXx and uUu.uUu
« Reply #3 on: May 15, 2010, 03:33:25 AM »
hello jesfrant,

You need to update your Malwarebytes, as your log shows you're using an old version. The current version, I believe, is 1.46. If you can't update the program in normal mode, try Safe Mode with Networking.

After updating and rescanning please post the log, so others can see what other help is needed if any

Sat