Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Personal AV originally; now C:\WINDOWS\system32\uacinit.dll


  • Please log in to reply
11 replies to this topic

#1 jwubw94

jwubw94

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 30 July 2009 - 11:26 AM

Hello! I'm a first-time poster here, and got to this site after trying to find a fix thru the Avira Forum. If you'd like to see the history of what's been done/suggested, the thread starts here: http://forum.avira.com/wbb/index.php?page=...79&pageNo=1

Long story short, I got some bug that downloaded Personal AV software. I believe that is gone, but MWBytes cannot get rid of two remnants, which I've seen posted here, but wanted to check with you first. Their latest suggestion is ComboFix. The two remnants which keep reappearing after MWBytes scan and reboot are:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC and
C:\WINDOWS\system32\uacinit.dll

Anytime I run Avira Scan in normal mode, I get BSOD. It runs fine in safe mode and only detected problems on the first scan. Often times in normal mode, Avira Scan starts without me telling it to, resulting in BSOD.

MWBytes runs after renaming it, but continues to detect the two files above, either in safe mode or normal mode.

I can connect to the internet, but prefer only having to do so if it's a must. Avira successfully updated yesterday and MSWindows updated security patches as well. I keep switching between safe and normal, and keep disabling/enabling System Restore when I switch between the two.

I have WindowsXP, use Avira Personal Edition, and scan regularly with MWBytes (latest update). I get suggestions while at work and try to fix at night when I get home, using a memory stick for transfer.

If you want, I have Avira scan logs, MWBytes logs, HJT logs, and one OTL log that I'm not familiar with.

I would greatly appreciate any help you could suggest.

Edited by The weatherman, 30 July 2009 - 11:38 AM.
Moved from HJT to a more appropriate forum. Tw


BC AdBot (Login to Remove)

 


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:31 PM

Posted 30 July 2009 - 12:24 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.



I am sorry but I have very bad news:

IMPORTANT NOTE: uacinit.dll is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker.


If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS please read this for more info:

When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards or that the removal will be successful. Let me know what you decide to do.
Computer Pro

#3 jwubw94

jwubw94
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 30 July 2009 - 12:47 PM

First, I'll be changing all passwords and cancelling credit cards, etc.

Second, I do have all important documents backed up to an external hard drive that I know was not connected at the time of the attack, and hasn't been connected since. I cannot be sure I didn't load some pictures to the main computer during that time, but I can live with the loss of those I suppose. Do I risk another backup to an infected computer?

We check our bank records online, we've made credit card transactions online, I do taxes online.

I know for a fact the computer got infected and was left on and connected to the internet for 5 hours, before I got home and shut it down and disconnected from the internet. Since then, a week has gone by, and I've connected to the internet for 5 minutes as a test, and to update Avira and grab the Windows security patch update.

So, I'm not sure what information was obtained during those 5 hours.

What do you recommend? Since we have our important stuff backed up, I don't foresee a problem with a reformat. When we purchased the computer, it already had XP on it, and I do not recall if we got Installation CDs with it, but I can check.

Thanks

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:31 PM

Posted 30 July 2009 - 12:53 PM

Yes I would reformat if I were you because it would be the only way to make sure that the infection is completely gone. But I would first check to make sure that you have all of your CD's.
Computer Pro

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:31 PM

Posted 30 July 2009 - 01:10 PM

Unless you are going to leave that computer off the internet until it's reloaded I would remove that rootkit.

http://www.malwarebytes.org/forums/index.php?showtopic=12709
Chewy

No. Try not. Do... or do not. There is no try.

#6 jwubw94

jwubw94
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 30 July 2009 - 01:40 PM

Chewy,

I'm under the assumption that I should not reconnect to the internet until everything is reloaded. Is this not correct?

From what Computer Pro said, there's no 100% guarantee I'll get everything off of there, and I'll still be at risk.

If I remove the rootkit and then clean the remnant files, and don't see anything on any scans I run with whatever software, can something still be hiding?

Thanks

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:31 PM

Posted 30 July 2009 - 01:49 PM

Let's assume you reload, lose all your updates and reinfect soon thereafter?

Will you be safe then?

The safest approach is reformat, reload, update and then take the necessary precautions to not reinfect.


I try to leave any infected computer disconnected from the internet. That's the best way to stop the infection from downloading updates or reinstalling parts we have cleaned.
Chewy

No. Try not. Do... or do not. There is no try.

#8 jwubw94

jwubw94
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 30 July 2009 - 01:55 PM

I think I understand. Basically, try and get rid of the infection as good as I can, and then proceed to reformat, reload, update, etc.?

Assuming I get your process to do it's thing (I've already downloaded the software to a memory stick and printed the instructions) when I get home tonight, what else can I do to report back in the morning?

Should I be doing this in safe mode, or does it matter?

I'm not planning on reconnecting to the internet anymore. I reconnected to grab the Windows security patches that came out a day or two ago.

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:31 PM

Posted 30 July 2009 - 02:01 PM

what else can I do to report back in the morning?


Download and run this immunization on the clean computer and the usb drive

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Chewy

No. Try not. Do... or do not. There is no try.

#10 jwubw94

jwubw94
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 30 July 2009 - 02:07 PM

I tried that, but I get an on-access pop-up showing an infected file. I close that window, and the window behind says I don't have permission and should I discontinue the download.

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:31 PM

Posted 30 July 2009 - 02:13 PM

Try to immunize the usb drive with a computer not on a corporate setting.

It's protecting you
Chewy

No. Try not. Do... or do not. There is no try.

#12 jwubw94

jwubw94
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 30 July 2009 - 03:44 PM

OK, my wife "thinks" we have those CDs. Can I "wipe the drive clean, reformat and reinstall the OS" tonight? Can you point me to a tutorial? Is this something I should let someone more qualified attempt?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users