rootkit.trace uac [Moved]


  • This topic is locked
9 replies to this topic

#1 babyjo35

babyjo35

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 24 June 2009 - 08:17 PM

Hi all, my first time posting, as I am in dire need of help to remove this stubborn thing. I tried the combofix to be able to post with this and I have received this error:

Cannot Rename ComboFix as ComboFix[1]. Please use another name, preferably made up of alphanumeric characters.

Here is my last log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.38
Database version: 2327
Windows 5.1.2600 Service Pack 2

6/24/2009 8:11:49 PM
mbam-log-2009-06-24 (20-11-49).txt

Scan type: Quick Scan
Objects scanned: 95558
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

I appreciate any help you can give me.

GOD Bless
Babyjo

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,009 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:16 AM

Posted 24 June 2009 - 08:33 PM

As the log you have posted is an MBAM log, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST OTHER LOGS<== unless a log is specifically requested.

I tried the combofix


Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that ComboFix represents are meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through, s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer, people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

That said, please describe the issues you are experiencing with your computer: pop-ups, redirections, etc. Please be as specific as you can.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 24 June 2009 - 08:34 PM.
Added word. ~ OB

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 babyjo35

babyjo35
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 24 June 2009 - 10:19 PM

I apologize, I saw the disclaimer referencing the combofix after I did it and posted. I appreciate your help.

Problems at hand are:

Upon booting up, the PC freezes after the Windows XP loading screen. The screen goes to black with an active cursor. This happens at random. Also, at times when rebooting a second time doesn't work, I hit F8 upon rebooting twice and choose last known working configuration. This gets me up and running.

Going on Internet Explorer sometimes doesn't work, showing an error that it cannot find the file. This happens at random. Also, when I do get online I get the "windowclick" problem of it opening a new window and going to some random sites. The only way to get to the site I want is to go through the "cache" link. One other thing that comes to mind is that when I'm online, all of a sudden, with no errors or anything, Internet Explorer closes.

Malwarebytes won't run unless I rename the file to the extension .bat. My Search and Destroy didn't work at all, though I have been able to re-install it and get it running during cleaning, and only without rebooting. Once I reboot, it's like starting all over again.

I am at random getting errors on the programs listed above towards the end of their scanning. I will write them down the next time they happen for you. I remember something about Windows NT having a write fail something... sorry if that doesn't make sense. Like I said, I will write them down next time.

I can't think of anything else that is going on at the moment. My regular Microsoft Office suite programs and any programs that don't have to do with the Internet or spyware seem to be working fine.

Thanks again.

GOD Bless
Babyjo

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:06:16 AM

Posted 25 June 2009 - 09:43 PM

Update mbam and run a FULL scan
Please post the results

Then run ATF and SAS


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 babyjo35

babyjo35
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 27 June 2009 - 04:43 PM

Thanks, I will try it and get back to you. It may be a couple of days, as this trojan has caused my Internet Explorer not to work. It only allows me to go to websites by their IP address, and then I still can't use any links from there. I'm having to use others' PCs to transfer info.

GOD Bless and thanks again.

Babyjo

#6 babyjo35

babyjo35
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 27 June 2009 - 04:45 PM

BTW the link to the ATF is not pulling up.

#7 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:06:16 AM

Posted 27 June 2009 - 07:55 PM

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


You might just want to go ahead and submit a HJT/DDS log

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.
Mark

#8 babyjo35

babyjo35
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 29 June 2009 - 04:13 PM

Here is my MBAM LOG:

Malwarebytes' Anti-Malware 1.38
Database version: 2333
Windows 5.1.2600 Service Pack 2

6/27/2009 6:07:17 PM
mbam-log-2009-06-27 (18-07-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 194280
Time elapsed: 39 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

AND HERE IS THE SUPERANTISPYWARE LOG:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2009 at 10:02 PM

Application Version : 4.26.1006

Core Rules Database Version : 3955
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 03:41:57

Memory items scanned : 237
Memory threats detected : 0
Registry items scanned : 7068
Registry threats detected : 45
File items scanned : 82204
File threats detected : 1

Adware.Vundo Variant
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3F6F4FE-85F6-4D0C-98DE-15324B09F149}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF49A2-94F3-42BD-F434-3604812C897D}
HKU\S-1-5-21-2156909272-2647230538-149132829-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3F6F4FE-85F6-4D0C-98DE-15324B09F149}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3F6F4FE-85F6-4D0C-98DE-15324B09F149}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF49A2-94F3-42BD-F434-3604812C897D}

Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#DeviceDesc
C:\P2HHR.BAT

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Optimization
HKLM\SOFTWARE\Microsoft\MS Optimization\me
HKLM\SOFTWARE\Microsoft\MS Optimization\me#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\me#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\me#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\me#LBL
HKLM\SOFTWARE\Microsoft\MS Optimization\me#MN
HKLM\SOFTWARE\Microsoft\MS Optimization\mm
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\s4
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\se
HKLM\SOFTWARE\Microsoft\MS Optimization\se#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\se#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\se#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\tr
HKLM\SOFTWARE\Microsoft\MS Optimization\zz
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#CNT

Rogue.Component/Trace
HKLM\Software\Microsoft\2897EE7A
HKLM\Software\Microsoft\2897EE7A#2897ee7a
HKLM\Software\Microsoft\2897EE7A#Version
HKLM\Software\Microsoft\2897EE7A#289743fa
HKLM\Software\Microsoft\2897EE7A#28972a1f
HKU\S-1-5-21-2156909272-2647230538-149132829-1007\Software\Microsoft\FIAS4018
HKU\S-1-5-21-2156909272-2647230538-149132829-1007\Software\Microsoft\FIAS4051

I now have access to the internet through the library so I can check back here daily. I will go ahead with your suggestion for the HJT/DDS log now. Thanks for your help.

GOD Bless
Babyjo
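
Added example, not code from any poster in this thread or from Malwarebytes: a small Python triage helper for the MBAM 1.x log format shown in posts #1 and #8. It parses a log into structured findings, checks that the itemised entries agree with the summary counts at the top of the log, and reports detections that appear in both logs. The two log excerpts are constructed from the logs posted above (trimmed to the relevant lines) so the script runs offline; the regular expressions and function names are this example's own assumptions about the log layout, not documented Malwarebytes behaviour.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs.
Added example; the regexes are assumptions about the log layout, and the
two logs below are constructed from the ones posted in this thread."""
import re
from dataclasses import dataclass

# Itemised sections of an MBAM 1.x log, in the order the log prints them.
SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")

# Detection line "<path> (<threat>) -> <action>." and summary line "<section>: <count>"
FINDING_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Return (summary_counts, findings) parsed from one MBAM log."""
    summary, findings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("section") in SECTIONS:
            summary[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]          # entering an itemised section
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(current, m["path"], m["threat"], m["action"]))
    return summary, findings


def summary_mismatches(summary, findings):
    """Sections whose header count disagrees with the itemised entries
    (a truncated paste or an edited log shows up here as (header, itemised))."""
    itemised = {s: sum(1 for f in findings if f.section == s) for s in SECTIONS}
    return {s: (summary.get(s, 0), itemised[s])
            for s in SECTIONS if summary.get(s, 0) != itemised[s]}


def recurring_findings(first_log, second_log):
    """Paths detected in both logs, i.e. removals that did not hold across a reboot."""
    first = {f.path.lower() for f in parse_mbam_log(first_log)[1]}
    second = {f.path.lower() for f in parse_mbam_log(second_log)[1]}
    return sorted(first & second)


# Constructed from the quick scan posted on 24 June 2009 (trimmed).
LOG_2009_06_24 = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2327
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# Constructed from the full scan posted on 27 June 2009 (trimmed).
LOG_2009_06_27 = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2333
Scan type: Full Scan (C:\|)
Registry Keys Infected: 1
Files Infected: 1
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    summary, findings = parse_mbam_log(LOG_2009_06_27)
    for f in findings:
        print(f"{f.section}: {f.threat} at {f.path} [{f.action}]")
    print("summary mismatches:", summary_mismatches(summary, findings))
    print("recurring:", recurring_findings(LOG_2009_06_24, LOG_2009_06_27))
```

Run against the two logs above, `recurring_findings` returns both the `HKEY_LOCAL_MACHINE\SOFTWARE\UAC` key and `C:\WINDOWS\system32\uacinit.dll`: the same items are "quarantined" and queued for "Delete on reboot" on 24 June and again on 27 June, which matches the poster's remark that after a reboot "it's like starting all over again" and is the kind of recurrence that justifies the move to a deeper HJT/DDS log rather than more scanner passes.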

#9 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:06:16 AM

Posted 29 June 2009 - 06:19 PM

I will go ahead with your suggestion for the HJT/DDS log now.


Yes, you need to do that
Mark

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,009 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:16 AM

Posted 30 June 2009 - 08:30 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/237861/rootkittrace-uac-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I see that you already have a response to your topic there. :flowers:

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



