Did i clean up well enough?

9 replies to this topic

#1 Mc1970
Members, 8 posts

Posted 04 March 2009 - 12:02 PM

Hello there,


I got infected with the UACd trojan, which redirected my Google results to windowsclick.com.
After searching the net from another PC, I found the tools to remove the malware. Can anyone tell me how to find out if everything is really gone?
Running Windows XP, and used Dr.Web CureIt, Malwarebytes Anti-Malware and ThreatExpert Memory Scanner.
Started off with Dr.Web CureIt's quick scan since MBAM didn't start up; I found backdoor.trojan.tdds and removed it. The next scan was empty, then I rebooted. Ran Dr.Web again, with no infections found by the quick scan, then did a full scan, which found some more trojans that were also removed. Rebooted, then again a full Dr.Web scan without anything found.
The next program I used was MBAM, which found some more trojans, and while it was scanning, NOD32 suddenly came into action as well, recognizing 2 of the 5 infections found by MBAM.
After this and some more reboots, Dr.Web, MBAM and ThreatExpert Memory Scanner all find no more infections. What more steps can I take to make sure it's all gone now?


#2 quietman7
Bleepin' Janitor, Global Moderator, 50,954 posts

Posted 04 March 2009 - 12:06 PM

How is your computer running now? Are there more reports/signs of infection such as unwanted pop-ups, bogus security alerts, browser redirection?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Mc1970 (Topic Starter)
Members, 8 posts

Posted 04 March 2009 - 01:21 PM

It seems everything is fine, no strange behaviour so far.

#4 quietman7
Bleepin' Janitor, Global Moderator, 50,954 posts

Posted 04 March 2009 - 01:43 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#5 Mc1970 (Topic Starter)
Members, 8 posts

Posted 04 March 2009 - 01:50 PM

OK, will do that. I don't have to run some other programs or checks to make sure everything is gone? The software I used should be sufficient to have removed it all?

#6 quietman7
Bleepin' Janitor, Global Moderator, 50,954 posts

Posted 04 March 2009 - 02:09 PM

The software I used should be sufficient to have removed it all?

Based on what you describe, it appears so.

Although ThreatExpert Memory Scanner is a prototype tool (beta version) developed by the ThreatExpert team, it is designed to detect high-profile threats that may be active in different regions of a computer's memory, not to remove them.

What is beta software?

After an initial round of in-house testing, software publishers often release new programs to be tested by the public. These pre-release versions are called beta software, usually denoted by a "b" in the version number, e.g., Netscape Navigator 2.0b5. Since the publisher couldn't possibly test the software under all possible conditions, it is reasonable to expect that wider use of the software may uncover problems that were not discovered during in-house testing. The publisher expects to be notified when users find such problems so that the program can be fixed before its official release.

In general, you should expect to run into bugs whenever using any piece of beta software. These bugs may range in severity from minor features that don't work to problems that cause your computer to crash. You should decide whether the benefit of new features in a beta program outweighs the risk of program instability before choosing to use a piece of beta software. You should also be aware that UITS will not have thoroughly tested beta software, nor will the software be guaranteed by its maker, so you should not expect the same level of support as you would receive for an official release version of the program.


Beta version software is useful for internal demonstrations, testing and previews to select customers, but may be unstable and not yet ready for a release candidate stage. The goal of a beta program is to collect information regarding the performance, quality, stability, and functionality of new products in order to iron out the bugs before they are released to the general public. If you choose to use a beta program, you use it at your own risk.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

If using Windows Vista, please refer to:

#7 Mc1970 (Topic Starter)
Members, 8 posts

Posted 04 March 2009 - 02:26 PM

Well, I am very careful on the net, and this is the first time ever I got infected with such a thing. I only use known programs on this PC, only go to known web pages, and I never open attachments or even mail that looks even a bit suspicious (my GF hates me for that when she sends me some e-card and I won't open it :thumbsup: ). The software is all legal; I don't use P2P, torrents or whatsoever. Don't have autorun enabled, even though I never use a USB stick.
Use Firefox only, which avoids the pop-ups.
Since I really believed that avoiding is better than blocking, I only used NOD antivirus and the Windows built-in firewall, but no spyware blocker or other firewall than the built-in one.
After I found out I was infected, I disconnected my PC from the internet and used another one to find a solution.
How long before I noticed the redirect in Firefox can it already have been on my PC? Or once it's installed, will it immediately affect the Google search results?
Well thanks a lot for the help and quick response.

#8 quietman7
Bleepin' Janitor, Global Moderator, 50,954 posts

Posted 04 March 2009 - 02:41 PM

You're welcome.

How long before I noticed the redirect in Firefox can it already have been on my PC? Or once it's installed, will it immediately affect the Google search results?

Depends on the type of malware and what other malicious files were downloaded afterwards. Generally the quicker you remove an infection, the less chance it has to download more garbage and cause more damage. The longer it remains the more time it has to be destructive and cause more symptoms along the way.

#9 Mc1970 (Topic Starter)
Members, 8 posts

Posted 10 March 2009 - 12:31 PM

Just one more question to this topic:
When I searched in Windows for files containing "uac*", I got the following results:
uactmp.db and UACvlaupeuj.db
Any idea what this means?

#10 quietman7
Bleepin' Janitor, Global Moderator, 50,954 posts

Posted 10 March 2009 - 01:06 PM

They are more files related to the infection which were not detected by the tools and scans you performed. That's the problem with some of these infections: because they include rootkit components and a backdoor Trojan, the malware may leave so many remnants behind that security tools cannot find them all. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

You can try removing them with MBAM's built-in FileAssassin feature:
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file(s), click "Open".
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.

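As an added triage aid, not part of the thread or of any of the tools named in it, the following Python script walks a directory tree and lists files that follow the uac*.db naming pattern reported above (uactmp.db, UACvlaupeuj.db). It is run here against a constructed sample tree; it only reports, leaving removal to the manual FileAssassin steps quietman7 describes.

```python
import os
import re
import tempfile

# Naming pattern from the thread: names beginning with "uac" and ending in
# ".db", matched case-insensitively (e.g. uactmp.db, UACvlaupeuj.db).
UAC_REMNANT = re.compile(r"^uac[a-z0-9_]*\.db$", re.IGNORECASE)


def find_uac_remnants(root):
    """Walk root and return sorted (relative_path, size_bytes) for matches.

    Symlinks are not followed, so a looped junction cannot trap the scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not UAC_REMNANT.match(name):
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, os.path.getsize(full)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not from the thread) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="uac_triage_")
    layout = {
        "WINDOWS/system32/uactmp.db": b"x" * 16,          # should be reported
        "WINDOWS/system32/UACvlaupeuj.db": b"y" * 32,     # should be reported
        "WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost",
        "Documents/uaccount.txt": b"prefix only, not .db",  # decoy
        "Documents/readme.db": b"unrelated .db file",        # decoy
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, size in find_uac_remnants(sample):
        print(f"{size:>8}  {rel}")
```

On a real machine, point find_uac_remnants at the system drive root and expect the scan to take a while; files the tools cannot delete will still be listed, which is exactly the "file returns" case the post warns about.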
