Windowsclick.go possible trojan


5 replies to this topic

#1 caskeyteched


  • Members
  • 3 posts

Posted 31 July 2009 - 08:58 PM

Ok,
Stupid me, no antivirus, going to pop-up websites. All was well until an accidental click and then BOOM. All of a sudden I hear music and a television advertisement playing in the background of my desktop, but there were no media players running. I knew something was fishy. The next day my wife calls and tells me that each link in her Google search does not take her to the correct page. Instead we are being rerouted by a windowsclick.go window to something other than what we wanted. I ran Ad-Aware and did not get too far. I tried using Malwarebytes but could not get it running. I finally got Avira going and scanned in Safe Mode and regular startup. An HTML virus keeps appearing.

I got Malwarebytes running by renaming it MOO. It is currently running and when I am done I plan to post the log if you say so. Combofix seems like the solution but I would like your supervision. I am very computer savvy but feel that your assistance is needed. I already printed out the directions and await your help. This problem sucks and I want to fix it ASAP. I feel really stupid having this happen. Looking forward to your help.
-Caskeyteched


#2 Computer Pro


  • Members
  • 2,448 posts
  • Gender:Male

Posted 31 July 2009 - 09:06 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.

Yes, please make sure that you post your Malwarebytes log back here. And also, please DO NOT run Combofix as it can cause damage to your computer if not used under the right circumstances.
Computer Pro

#3 caskeyteched

  • Topic Starter

  • Members
  • 3 posts

Posted 01 August 2009 - 06:08 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.

Yes, please make sure that you post your Malwarebytes log back here. And also, please DO NOT run Combofix as it can cause damage to your computer if not used under the right circumstances.

Here is my Malwarebytes log. This little bastard now shuts down MS Word as I am typing without warning. Please help!!!

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

8/1/2009 9:34:10 AM
mbam-log-2009-08-01 (09-34-10).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|H:\|)
Objects scanned: 240234
Time elapsed: 1 hour(s), 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
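As an added example that is not part of the thread: a small parser for the Malwarebytes' Anti-Malware log layout posted above. It pulls each detection line apart into section, item, family and action, and flags the two signals that decide how much the machine can still be trusted, a Rootkit.* trace or a file that could only be scheduled for deletion on reboot. The sample log is a constructed excerpt in that layout.

```python
import re

# Constructed excerpt in the MBAM 1.39 log layout from the thread, used as sample input.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<item> (<family>) -> <action>." ; summary counts and
# "(No malicious items detected)" lines do not match because they lack " (".
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (section, item, family, action) tuples for every detection in the log."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):  # detail-section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if m and section:
            findings.append((section, m["item"], m["family"], m["action"]))
    return findings


def needs_rebuild_review(findings):
    """True when a rootkit trace was found or a file could not be removed while running."""
    return any(fam.startswith("Rootkit") or act.startswith("Delete on reboot")
               for _, _, fam, act in findings)
```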

#4 Computer Pro


  • Members
  • 2,448 posts
  • Gender:Male

Posted 01 August 2009 - 06:12 PM

I am sorry but I have bad news:

IMPORTANT NOTE: uacinit.dll is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, botnets, and IRC bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker.


If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read this for more info:

When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards or that the removal will be successful. Let me know what you decide to do.
Computer Pro

#5 caskeyteched

  • Topic Starter

  • Members
  • 3 posts

Posted 04 August 2009 - 08:26 AM

After that last post I freaked, shut down my system, disconnected it and replaced it. I plan to format the hard drive but still need to remove some documents from it. I also contacted my credit card companies and my bank to get all of my info secured. Thank you for your advice on this problem. Are there any other steps I should take to make sure that my data is secured? Please let me know. That was one nasty little SOB.

#6 Computer Pro


  • Members
  • 2,448 posts
  • Gender:Male

Posted 04 August 2009 - 12:17 PM

No, that is about all that is necessary. I am sorry that it had to end this way, but you made the wise choice.
Computer Pro