ukkeegz.sys

Discussion in 'malware problems & news' started by kensaundm31, May 17, 2010.

Thread Status:
Not open for further replies.
  1. kensaundm31

    kensaundm31 Registered Member

    Joined:
    May 8, 2010
    Posts:
    17
    Hi,

    Malware keeps identifying c:\windows\system32\drivers\ukkeegz.sys as a rootkit agent.

    But I remember seeing it loading when you boot xp in logging mode so I think it is a valid system file.

    I added it to the ignore list.

    I just want to check that I am right. Am I?
     
  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567

    Of course it's loading on boot-up - that's the point of malwares' running, isn't it? ;) You're infected, just get rid of it. :D


    What detected this file? I suppose it's just a piece of a malware since there are no results on Google, only this post on Wilders.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    IMO, raven211 is right. I believe you are infected and that is not a good file.
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Upload it to Virustotal.com and see if any vendor other than yours detects it; if some others do, then it's highly likely malware, unfortunately.
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    I found the same. I do not have it in my system32\drivers; a scan with RootRepeal or GMER or similar real anti-rootkits is not a bad idea.
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    When my friend had this kind of associated file I asked him to use Hitman Pro and Malwarebytes'. After that he didn't seem to have problems (that were malware related :D).
     
  8. kensaundm31

    kensaundm31 Registered Member

    Joined:
    May 8, 2010
    Posts:
    17
    Wow, that's scary, I honestly thought it was an XP file!

    I tried to upload it to that site but it would not allow itself to be imported/attached to an email.

    It also would not accept being zipped.

    So get rid and stay rid then...

    Thanks for the help.
     
  9. kensaundm31

    kensaundm31 Registered Member

    Joined:
    May 8, 2010
    Posts:
    17
    I can't get rid of it!!!!!

    Malwarebytes says it will delete it on reboot.

    But as soon as I look, it is back there. I do believe Malwarebytes is deleting it, because the date and time of the file are the same as when I just booted.

    So how is it re-establishing itself? What do I do?
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    .
    Try SuperAntiSpyware - it makes a point of targeting rootkits. You could also try creating a log with "HiJackThis" and uploading it to a tech forum for analysis. Sorry, I can't immediately recommend a forum but there are a number of them. I'm sure someone here can suggest one.
     
  12. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
  13. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    Reformat and reinstall. You shouldn't trust a system after discovering it is compromised, as you can never be sure you have fully removed all infections.

    That said, burn a live CD on a separate computer. You can boot to it, use it to upload the file to virustotal, look around your machine and see what else you can find that is presumably hidden by this driver.
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Give DrWeb Cureit! an opportunity to clean the critter.
     
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    This. I agree. :isay:
     
  16. kensaundm31

    kensaundm31 Registered Member

    Joined:
    May 8, 2010
    Posts:
    17
    Well, I decided to boot from my other operating system as I have a dual-boot setup.

    I did this to see if I could copy or zip the file to send for analysis, because it wouldn't let me on the affected OS.

    I did that but then I deleted it as well.

    I just booted again and it has stayed deleted...

    So I guess I'll send it for analysis.

    ESET has identified the moved ukkeegz.sys file as 'Win32/Bubnix.A'

    from another post:
    Steve123
    Member Join Date: Feb 2008
    Posts: 2,216

    Boot Bus Extender rootkit downloaded by Win32/Bubnix.A trojan downloader

    --------------------------------------------------------------------------------

    This trojan will attempt to connect to the internet to download VirTool:Win32/Rootkit.BV, which is a trojan rootkit. It will download the trojan rootkit to the <system folder>\driver\<random>.sys location. To safeguard the rootkit from being deleted by the antivirus, the rootkit is registered with the kernel driver service and named Boot Bus Extender.


    Whilst looking through the logs from some of the rootkit scanners I noticed 'boot bus extender'.

    Anyway, I sent the file to scan@virustotal.com

    Thanks for the help.
     
    Last edited: May 17, 2010
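As an added, illustrative example (not code from this thread, from Wilders, or from any of the tools mentioned): the quoted description says the rootkit persists as a kernel driver service in the Boot Bus Extender load group, and the original poster could only copy and delete the file after booting the other OS. A defensive check that follows from that is to export the Services key from the affected installation while booted into the clean OS and list every driver service in that group that is not on a known-good baseline. The script below parses a .reg-format export; the SERVICES_REG text, the BASELINE_BOOT_BUS_EXTENDERS allowlist and the service names in it are constructed for illustration and are assumptions, not data from a real machine.

```python
"""Flag driver services in the "Boot Bus Extender" group that are not on a
known-good baseline.

Added example for this thread; not code from the forum or from any vendor.
Input is a .reg text export of the Services key of the affected install,
taken from the other OS so a live rootkit cannot hide its own key.
"""
import re

SERVICE_KERNEL_DRIVER = 0x1        # Type values for driver services
SERVICE_FILE_SYSTEM_DRIVER = 0x2
SERVICE_BOOT_START = 0             # Start value: loaded by the boot loader

# Assumption: a per-build allowlist of legitimate Boot Bus Extender drivers,
# built from a known-clean install of the same Windows version.
BASELINE_BOOT_BUS_EXTENDERS = {"pci", "acpi"}

# Constructed sample export: a baseline driver, a user-mode service (never
# flagged), a driver named like the file in the thread (its REG_EXPAND_SZ
# ImagePath is stored as hex(2) UTF-16LE bytes), and a subkey to ignore.
SERVICES_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pci]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="Boot Bus Extender"
"ImagePath"="system32\\DRIVERS\\pci.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ukkeegz]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="Boot Bus Extender"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,75,00,6b,00,6b,00,65,00,65,00,67,00,\
  7a,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ukkeegz\Enum]
"Count"=dword:00000000
"""


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash) into one line."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def _parse_value(raw):
    """Decode one .reg value: quoted string, dword, or hex(...) data."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):   # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data                    # REG_BINARY and others: raw bytes
    return raw


def parse_services_reg(text):
    """Return {service name: {value name: value}} for keys directly under Services."""
    services, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split("\\")
            in_services = len(parts) >= 2 and parts[-2].lower() == "services"
            current = services.setdefault(parts[-1], {}) if in_services else None
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            current[name.strip().strip('"')] = _parse_value(raw.strip())
    return services


def suspicious_boot_bus_extenders(services, baseline=BASELINE_BOOT_BUS_EXTENDERS):
    """List (name, ImagePath, Start) of Boot Bus Extender drivers not in the baseline."""
    findings = []
    for name, values in services.items():
        if values.get("Type") not in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
            continue
        if str(values.get("Group", "")).lower() != "boot bus extender":
            continue
        if name.lower() not in baseline:
            findings.append((name, values.get("ImagePath"), values.get("Start")))
    return findings


if __name__ == "__main__":
    for name, path, start in suspicious_boot_bus_extenders(parse_services_reg(SERVICES_REG)):
        print(f"{name}: ImagePath={path!r} Start={start} (0 = boot start)")
```

From the clean OS the export can be produced with `reg load` on the affected installation's SYSTEM hive followed by `reg export` of its Services key; an offline hive has ControlSet001 (and possibly others) rather than CurrentControlSet, which is why the parser only checks that a key's parent is named Services. A random-looking driver name is a hint, not proof, so the decisive comparison is against a baseline taken from a known-clean install of the same Windows build, and any hit still goes to a multi-vendor scan as the thread recommends.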