Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windowsclick.com redirect


  • Please log in to reply
5 replies to this topic

#1 rpsupporter

rpsupporter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 13 May 2009 - 09:54 AM

As an intro, I'm a EE with some CS background. As a EE have primarily been a PLC guy, writing & debugging (tons). Some assembler, C, C++, pascal (didn't know him personally). Fairly comfortable with PCs, but can be pretty stoopid.

Problem started yesterday. When I use a certain desktop shortcut (Google) and do a search a new window opens and I get redirected by windowsclick.com. I have Google search as my home page on 2 desktop shortcuts but only 1 seems affected. I have also gotten some errors with ZoneAlarm's updater (I think - UpdClient.exe) having an error. Also WGATRAY.exe & WGALOGON.dll have shown erros, along with a few others. Nothing repititous except UpdClient.exe. I have also experienced music playing without any effort on my part (nor my neighbors), and the system freezing after a few minutes, although the system only seems to freeze after I use that one shortcut. I know I'm just halucinating at this point.

Did a scan with ZoneAlarm but only 1 infected file found, "uacaqrtinraxqaosiq.dll". I selected to delete on restart but it was there for the next scan.

I'm running XP Pro SP3 on a newer Toshiba laptop. It is offline and I'm using my wife's desktop to reach the outside.

Woe is me.

Any help would be appreciated.
rpsupporter

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:26 PM

Posted 13 May 2009 - 10:18 AM

...but only 1 infected file found, "uacaqrtinraxqaosiq.dll"


Be aware that UAC[random characters].*** is probably related to a backdoor Trojan and a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

If you cannot use the Internet or download any programs, you are going to need access to another computer (family member, friend, etc) with an Internet connection.

Please download Dr.Web CureIt and Malwarebytes Anti-Malware, save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the programs. If you cannot transfer to or install on the infected machine, try running the MBAM setup file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive. For Dr.Web CureIt you will only need to double-click on launch.exe.

You will also need to, manually download the database updates for MBAM, save and transfer them as well. After installing MBAM, just double-click on mbam-rules.exe to install and update.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
If you cannot see the folder, then you may have to Reconfigure Windows to show it.

Print out and follow these Instructions for scanning with Dr.WebCureIt in "safe mode" after running ATF-Cleaner.
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.

Print out and follow these Instructions for scanning with Malwarebytes Anti-Malware and perform a Quick Scan in normal mode.
  • Check all items found for removal.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
  • If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 rpsupporter

rpsupporter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 13 May 2009 - 10:37 PM

Thanks quietman7.

I will reformat. A question...My other computer on my home network has shown no apparent signs of the infection, and a scan w/ZA security suite turns up nothing. What would you do to confirm that machine's condition? I'm new to the reformat but I'm sure I can find enough help, starting with your links. Can you provide some direction to find what files I can save? I've backed up some documents for my business but not up to date. Should I just be leary of anything active like executables? How about music? Pictures?

I sure appreciate the advice.

It's very nice of all of you generous people to help us in need.
Thanks,
rpsupporter

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:26 PM

Posted 14 May 2009 - 06:30 AM

That's the decision I would have made if this were my system.

Reformatting a hard disk deletes all data. You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.
Also see How to keep your Windows XP activation after clean install.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media.

If you need additional assistance with reformatting or have questions about multiple hard drives, you can start a new topic in the Windows XP Home and Professional forum. If you don't get a reply, please send me a PM and I will get someone to take a look.

My other computer on my home network has shown no apparent signs of the infection, and a scan w/ZA security suite turns up nothing. What would you do to confirm that machine's condition?

Perform additional scans using the two programs (MBAM and DrWeb) I mentioned above.

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 rpsupporter

rpsupporter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 17 May 2009 - 10:46 PM

Hello quietman7,

I did scan my other machine (which has been working fine) and Dr Web's quick scan found it to be clean but the deep scan turned up quite a few concerns:

Adware (GDown & Spyware Storm)
Archive contains infected objects
Container contains infected objects
Probable DLOADER.Trojan
Probable Script.Virus
Probable STPage.Virus
Tool.ProcessKill
Trojan.Click2093

It performed the required solutions.

Then MBAM found 1 Registry Key and 2 data items infected.

All was cleaned/fixed.

Then I moved to my laptop(the problem) and ran Dr. Web & found:
4 infected & 4 suspicious (5 were uac*.dll)
all were deleted or quarantined.

MBAM found:
2 Registry keys infected. (adware.mywebsearch & uac rootkit.trace)
1 file uacinit.dll

The only thing that needed to be deleted on reboot was the file uacinit.dll.

After reboot I scanned again with both and the only thing found was uacinit.dll. Tried again 2 times. It won't go away. I tried going in to a dos window and it never shows in a directory. I thought if I could find it (and I found other hidden files) and delete it but no success.

I searched and found quite a few occurences in the security forum and they seem to have fixed the ones I reviewed(concerning uacinit.dll).
I have moved my business off of my laptop and that doesn't pose much of an incovenience at this point. All my passwords and such have been taken care of. So I'm thinking I'd like to try to eradicate this infection without reformatting (no time right now) since I have a ton of software that is a bugger to reload.
I'll isolate this from my home network and just keep watch over it, if I can get the help to try to clean it up.

So my question to you is, what's my next step? Do I move this to another forum?

I appreciate your opinion and assistance.
rpsupporter

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:26 PM

Posted 18 May 2009 - 07:00 AM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users