...but only 1 infected file found, "uacaqrtinraxqaosiq.dll"
Be aware that UAC
[random characters].*** is probably related to a backdoor Trojan
and a nasty variant of the TDSSSERV rootkit
, backdoor Trojans
, and IRCBots
are very dangerous
because they compromise system integrity
by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:
If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately
to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised
. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router
, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:
Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure
. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat
and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.If you cannot use the Internet or download any programs
, you are going to need access to another computer (family member, friend, etc) with an Internet connection.
Please download Dr.Web CureIt
and Malwarebytes Anti-Malware
, save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the programs. If you cannot transfer to or install on the infected machine, try running the MBAM setup file directly from the flash drive or CD by double-clicking on mbam-setup.exe
so it will install on the hard drive. For Dr.Web CureIt you will only need to double-click on launch.exe
You will also need to, manually download the database updates
for MBAM, save and transfer them as well. After installing MBAM, just double-click on mbam-rules.exe
to install and update.
Mbam-rules.exe is not
updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref
) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system.
- XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
- Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
If you cannot see the folder, then you may have to Reconfigure Windows
to show it.
Print out and follow these Instructions for scanning with Dr.WebCureIt
in "safe mode
" after running ATF-Cleaner.
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.
Print out and follow these Instructions for scanning with Malwarebytes Anti-Malware
and perform a Quick Scan
in normal mode.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
- Check all items found for removal.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming
it and changing the file extension
. <- click this link if you do not see the file extension
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.
- Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
- Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
- If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
- Right-click on mbam.exe, rename it to myscan and change the .exe extension in the same way as noted above.
- Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.