ukkeegz.sys

kensaundm31 · #1 May 17th, 2010, 10:39 AM

Hi,

Malware keeps identifying c:\windows\system32\drivers\ukkeegz.sys as a rootkit agent.

But I remember seeing it loading when you boot xp in logging mode so I think it is a valid system file.

I added it to the ignore list.

I just want to check that I am right. Am I?

raven211 · #2 May 17th, 2010, 11:04 AM

Quote:

Originally Posted by kensaundm31

Hi,

Malware keeps identifying c:\windows\system32\drivers\ukkeegz.sys as a rootkit agent.

But I remember seeing it loading when you boot xp in logging mode so I think it is a valid system file.

I added it to the ignore list.

I just want to check that I am right. Am I?

Of course it's loading on boot-up - that's the point of malwares' running, isn't it?

You're infected, just get rid of it.

What detected this file? I suppose it's just a piece of a malware since there are no results on Google, only this post on Wilders.

HAN · #3 May 17th, 2010, 11:14 AM

IMO, raven211 is right. I believe you are infected and that is not a good file.

SweX · #4 May 17th, 2010, 11:42 AM

Upload it to Virustotal.com and see if any other vendor than yours
detects it, if some others do then it's highly likely malware unfortunately.

blacknight · #5 May 17th, 2010, 02:41 PM

Quote:

Originally Posted by raven211

What detected this file? I suppose it's just a piece of a malware since there are no results on Google, only this post on Wilders.

The same found I. I have not it in my system32\drivers; not a bad idea a scan with RootRepeal or GMER or similar real anti rootkits.

Cudni · #6 May 17th, 2010, 02:55 PM

that sounds very much like malware. use help from dedicated volunteer sites listed
http://www.wilderssecurity.com/showp...81&postcount=3

raven211 · #7 May 17th, 2010, 03:47 PM

When my friend had this kind of associated file I asked him to use Hitman Pro and Malwarebytes'. After that he didn't seem to have problems (that were malware related

).

kensaundm31 · #8 May 17th, 2010, 06:23 PM

Wow, thats scary, i honestly thought it was an xp file!

I tried to upload it to that site but it would not allow itself to be imported/attached to an email.

It also would not accept being zipped.

So get rid and stay rid then...

Thanks for the help.

kensaundm31 · #9 May 17th, 2010, 06:51 PM

I cant get rid of it!!!!!

Malware bytes says it will delete it on reboot.

But as soon as i look it is back there. I do believe malwarebytes is deleting it because the date and time of the file is the same as when i just booted.

So how is it re-establishing itself? What do i do?

doktornotor · #10 May 17th, 2010, 06:55 PM

Quote:

Originally Posted by kensaundm31

So how is it re-establishing itself? What do i do?

Help: I Got Hacked. Now What Do I Do?

IOW: rootkit -> game over.

Victek123 · #11 May 17th, 2010, 07:03 PM

Quote:

Originally Posted by kensaundm31

I cant get rid of it!!!!!

Malware bytes says it will delete it on reboot.

But as soon as i look it is back there. I do believe malwarebytes is deleting it because the date and time of the file is the same as when i just booted.

So how is it re-establishing itself? What do i do?

.
Try SuperAntiSpyware - it makes a point of targeting rootkits. You could also try creating a log with "HiJackThis" and uploading it to a tech forum for analysis. Sorry, I can't immediately recommend a forum but there are a number of them. I'm sure someone here can suggest one.

kjdemuth · #12 May 17th, 2010, 07:16 PM

Emsisoft has a good group of folks. Go over to the support section. They have a malware removal section. Excellent, step by step help. You can also try running hijackthis and going over to http://hjt-data.trendmicro.com/hjt/a...this/index.php.

ace55 · #13 May 17th, 2010, 07:17 PM

Reformat and reinstall. You shouldn't trust a system after discovering it is compromised, as you can never be sure you have fully removed all infections.

That said, burn a live CD on a separate computer. You can boot to it, use it to upload the file to virustotal, look around your machine and see what else you can find that is presumably hidden by this driver.

Buster_BSA · #14 May 17th, 2010, 07:23 PM

Give DrWeb Cureit! an opportunity to clean the critter.

Konata Izumi · #15 May 17th, 2010, 07:31 PM

Quote:

Originally Posted by ace55

Reformat and reinstall. You shouldn't trust a system after discovering it is compromised, as you can never be sure you have fully removed all infections.

That said, burn a live CD on a separate computer. You can boot to it, use it to upload the file to virustotal, look around your machine and see what else you can find that is presumably hidden by this driver.

This. I agree.

kensaundm31 · #16 May 17th, 2010, 09:02 PM

Well, I decided to boot from my other operating system as I have a dual-boot setup.

I did this to see if i could copy or zip the file to send for analysis, because it wouldn't let me on the affected os.

I did that but then I deleted it as well.

I just booted again and it has stayed deleted...

So I guess I'll send it for analysis.

ESET has identified the moved ukkeegz.sys file as 'Win32/Bubnix.A'

from another post:
Steve123
Member Join Date: Feb 2008
Posts: 2,216

Boot Bus Extender rootkit dwonloaded by Win32/Bubnix.A. trojan downloader

--------------------------------------------------------------------------------

This trojan will attempt to connect to the internet to download the VirTool: Win32/Rootkit.BV, which is a trojan rootkit. It will download the trojan rootkit at <system folder>\driver\<random>.sys location. To safeguard the rootkit from been deleted by the anti virus the rootkit is registered with the kernel driver service and named Boot Bus Extender.

Whilst looking through the logs from some of the rootkit scanners i noticed 'boot bus extender'.

Any way I sent the file to scan@virustotal.com

Thanks for the help.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search