
windowsclick.com (UACd.sys trojan) infection


This topic is locked. 8 replies to this topic.

#1 Marc4473 (Members, Montgomery, TX)

Posted 03 April 2009 - 04:28 PM

I have been pulling my hair out for the past 36 hours.

From researching the symptoms, I was sure I had picked up windowsclick.com but could not find any files named UAC*.* Then I discovered how to use my AVG v.8 for a rootkit scan and I found 10 infected files. These were reported as hidden files and not healed. I first started to delete them but AVG delivered a message asking if I was "SURE" and I decided not to delete but to research further. I found your site, read a post thread topic, then downloaded ComboFix. I had trouble running ComboFix, then posted the following.


http://www.bleepingcomputer.com/forums/t/216511/help-please-i-cant-get-combofix-to-run/

Unfortunately, I got impatient and "tricked" my system into running ComboFix by changing the name to "gethappy.exe" and everything ran normally. I wrote down the file names on paper as prompted, downloaded the recovery console, and saved the log that generated at the end of ComboFix to my desktop as log.txt. Then I received the first reply (from rigel) to my post. Oops, please forgive me. Hopefully, I haven't created more problems for myself.

I next loaded DDS and have saved the DDS.txt (generated after running ComboFix) and Attach.txt files to my desktop. I have attached the DDS.txt log to this post. Please let me know if you need log.txt (again, generated at the completion of running ComboFix). I do not have a log prior to running ComboFix.

Thanks in advance... Marc

Attached Files

  • Attached file: DDS.txt (21.85KB)



#2 extremeboy (Malware Response Team)

Posted 11 April 2009 - 10:56 AM

Hello.

Please run Combofix again.

Once it's done a log will be produced. Post that log.

Also, navigate to the folder C:\Qoobox.
Find a file called "ComboFix-quarantined-files.txt" and post the contents of that log in your next reply as well.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#3 Marc4473 (Topic Starter)

Posted 11 April 2009 - 07:05 PM

Hi Extreme,

It is 7PM in Montgomery, TX on 4/11/09 (Easter Eve)

I just ran ComboFix. After I started it, I was informed that there was a more current version of ComboFix available and I was asked if I wanted to receive the updated version, to which I replied "Yes". It appeared that the program updated itself and ran.

Attached is a .pdf screenshot of a message that I got after ComboFix finished. You didn't request it, but at the same time I didn't expect it. Not sure if it is of any importance, but I included it FYI.

Also attached is the log and the quarantine file you requested.

Thanks for your help.

Marc

Attached Files



#4 extremeboy (Malware Response Team)

Posted 11 April 2009 - 07:48 PM

Hello.

Thanks for the information.

I believe you know the nature of this rootkit/infection you had?

Take a read below.

This infection allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue follow the steps below.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do not run any program while GMER is running.

Important! Please do not select the Show all checkbox during the scan.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back with:
-GMER log
-MBAM log
-New DDS log

With Regards,
Extremeboy

#5 Marc4473 (Topic Starter)

Posted 13 April 2009 - 08:51 AM

Hi EB,

Orange Blossom warned me that I should change passwords from a clean computer, which I did about a week ago. Interesting that before I found BC.com I was running the Microsoft Malicious Software Removal Tool. It was the only application running. All of a sudden there was music playing on my computer. It sounded like a movie trailer and an advertisement for a video game. I could not figure out how it was playing. I knew the Microsoft app did not need my wireless connection, so I turned my wireless off and the music quit immediately... scary.

So far, I have not seen any unusual activity on my accounts but am still monitoring. Also have notified institutions of the compromise.

I am short on time this morning but wanted to stay in touch... I will be back this evening.

Thanks for your help.

#6 extremeboy (Malware Response Team)

Posted 13 April 2009 - 12:10 PM

Okay.

Thanks for letting me know.

With Regards,
Extremeboy

#7 Marc4473 (Topic Starter)

Posted 13 April 2009 - 09:10 PM

OK EB,

It looks like the cleaning option may be less overall work compared to reinstalling the OS (correct me if I am wrong), and I am not sure what the best option is. So, let me ask you this.

1. If it were you in my shoes, would you attempt to clean or reinstall OS?

2. If I were to reinstall the OS, I would want to save all of my data files, Outlook .pst files, etc. to an external hard drive and then reload this data after the reinstall. In your opinion, what is the chance that my data is compromised and might transport the infection back?

#8 extremeboy (Malware Response Team)

Posted 14 April 2009 - 06:36 AM

Hello.

> It looks like the cleaning option may be less overall work compared to reinstalling the OS (correct me if I am wrong) and I am not sure what the best option is.

No. It is not necessarily more work, but the problem is that it's no longer trusted. Do you trust a computer that is compromised? We can fix and remove it, probably in a couple of days if we get a few replies in and if everything goes well.

> 1. If it were you in my shoes, would you attempt to clean or reinstall OS?

Yes, I will back everything up that is important and not executable onto an external hard-drive and format the computer.

> If I were to reinstall OS, I would want to save all of my data files, Outlook .pst files, etc. to an external hard drive then reload this data after the reinstall. In your opinion, what is the chance that my data is compromised and might transport the infection back?

Outlook .pst files should be okay. They can't infect your computer. However, please be careful, as some attachments within Outlook may be infected, and by downloading that attachment and installing it you may be infected. However, just by transferring that file it can't do anything.

When backing up files and data there are mainly two general guidelines:

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

Note: Some may want to be safe, wondering if their data files are infected or not, so to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

Hope this helps.

With Regards,
Extremeboy
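The backup guidelines in post #8 (copy data files, skip executables, Windows files and saved web pages, and scan before restoring) can be applied mechanically rather than by hand. The script below is an added example written for this page, not code from the thread or from BleepingComputer. It implements the two guidelines as an extension allowlist/denylist and adds one check the post does not mention, which is an assumption of this example: a file whose name says .jpg or .doc but whose first bytes are the PE "MZ" stub is skipped and reported, because a backdoor can drop a renamed executable among the user's documents. The extension lists and the sample directory tree are constructed for the example.

```python
"""Select user data for backup before a format-and-reinstall.

Policy, following the two guidelines in the post above:
  - copy documents, pictures, music, mail stores (allowlist by extension);
  - skip executables, Windows files and saved web pages (denylist by extension).
Extra check (assumption of this example, not from the thread): a file is also
skipped when its content starts with the PE 'MZ' header, whatever its name.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Extension policy (constructed for this example; extend to taste).
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".txt", ".pdf",
                   ".mp3", ".jpg", ".jpeg", ".png", ".pst"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".sys",
                         ".bat", ".cmd", ".vbs", ".js"}
WEBPAGE_EXTENSIONS = {".html", ".htm", ".hta"}
PE_MAGIC = b"MZ"


def looks_like_pe(path: Path) -> bool:
    """True if the file begins with the DOS/PE 'MZ' stub, regardless of its name."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path: Path) -> str:
    """Bucket a file: 'copy', 'skip-executable', 'skip-webpage',
    'skip-disguised' (data extension but PE content) or 'skip-unknown'."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "skip-executable"
    if ext in WEBPAGE_EXTENSIONS:
        return "skip-webpage"
    if ext not in DATA_EXTENSIONS:
        return "skip-unknown"
    if looks_like_pe(path):
        return "skip-disguised"
    return "copy"


def select_for_backup(source: Path) -> dict:
    """Walk the source tree and bucket every regular file by classify()."""
    buckets: dict = {}
    for root, _dirs, files in os.walk(source):
        for name in files:
            p = Path(root) / name
            if p.is_symlink():
                continue  # never follow links out of the tree being backed up
            buckets.setdefault(classify(p), []).append(p)
    return buckets


def run_backup(source: Path, dest: Path) -> dict:
    """Copy the 'copy' bucket into dest, preserving relative paths and
    timestamps; return the number of files that landed in each bucket."""
    buckets = select_for_backup(source)
    for p in buckets.get("copy", []):
        target = dest / p.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
    return {k: len(v) for k, v in buckets.items()}


def make_sample_tree(base: Path) -> None:
    """Constructed sample: documents, a mail store, an installer, a saved
    web page, and an executable disguised as a photo."""
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "resume.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake word doc")
    (base / "docs" / "notes.txt").write_text("groceries\n")
    (base / "outlook.pst").write_bytes(b"!BDN fake pst header")
    (base / "setup.exe").write_bytes(b"MZ\x90\x00 fake installer")
    (base / "saved_page.htm").write_text("<html>...</html>")
    (base / "vacation.jpg").write_bytes(b"MZ\x90\x00 not a jpeg at all")


def demo():
    """Build the sample tree in a temp dir, run the backup, and return
    (bucket counts, sorted relative paths that were actually copied)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "C_drive", Path(tmp) / "external"
        make_sample_tree(src)
        counts = run_backup(src, dst)
        copied = sorted(p.relative_to(dst).as_posix()
                        for p in dst.rglob("*") if p.is_file())
        return counts, copied


if __name__ == "__main__":
    counts, copied = demo()
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:16s} {n}")
    print("copied:", copied)
```

The magic-byte check only catches a plain PE renamed to a data extension; it is not a malware scan, and document formats such as .doc and .pdf can carry malicious content of their own. Keep the post's advice: run an anti-virus and an anti-malware scan over the external drive before restoring anything to the rebuilt machine.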

#9 extremeboy (Malware Response Team)

Posted 16 April 2009 - 03:06 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy