Trojan.fakeav.ki Disinfect Failed

deathglow · May 2009

As the title suggests I have a trojan i cant remove from my system. It keeps opening up ie and trying to go to a websight (http://browser-security.microsoft.com/block.php?r=17.3), and it block malware tools i have tried to install to get rid of it.

<?xml version="1.0" encoding="utf-8"?>

<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2009\uiscan_log.xsl"?>

<ScanOptions

showWarnings="1"

>

</ScanPaths>

<ScanObjects

scanViruses="1"

scanAddware="1"

scanSpyware="1"

scanApplications="1"

scanDialers="1"

scanRootkits="1"

/>

<TargetSelection

heuristicScan="1"

scanArchives="1"

scanRegistryKeys="1"

scanRegistry="1"

scanCookies="1"

memoryProcesses="1"

scanBootSectors="1"

scanEmail="0"

scanAllFiles="1"

scanPackedFiles="1"

scanSubfolders="1"

includeExtensions=""

excludeExtensions=""

/>

<TargetProcessing

infectedAction="3"

suspiciousAction="1"

hiddenAction="1"

encrInfectedAction="1"

encrSuspiciousAction="1"

passProtAction="20"

/>

</ScanOptions>

<EngineSummary

archivePlugins="45"

mailPlugins="6"

scanPlugins="13"

totalSignatures="2955099"

systemPlugins="5"

unpackPlugins="7"

/>

<ScanSummary

scannedItems="138685"

passProtItems="8"

archiveBombs="0"

infectedItems="7"

suspiciousItems="0"

resolvedItems="0"

unresolvedItems="15"

scannedArchives="897"

bootSectorCount="1"

scannedDirectories="4266"

inputOutputErrors="0"

virusesNumber="7"

scanTime="00:24:42"

filesPerSecond="92"

>

<FileSummary

scanned="137735"

archives="897"

packed="4473"

infected="7"

suspicious="0"

resolved="0"

deleted="0"

moved="0"

copied="0"

/>

<RegistryKeySummary

scanned="871"

infected="0"

suspicious="0"

/>

<CookieSummary

scanned="41"

infected="0"

suspicious="0"

/>

<ProcessSummary

scanned="38"

infected="0"

suspicious="0"

/>

<MailSummary

scanned="0"

infected="0"

suspicious="0"

/>

</ScanSummary>

</ScanDetails>

</ScanSession>

hnyaji · May 2009

Hi

clear all files in C:\Documents and Settings\Deathglow\Local Settings\Temp and delete UACluxwdciqpqwvxov.dll.

This dll is a virus file!

Hemanth

alexcrist · May 2009

Hello deathglow,

First of all, please follow the steps presented here: How To Find Hidden Malware

After that, go to:

C:\windows\system32

find the file called UACluxwdciqpqwvxov.dll and detele it (also remove it from Recycle Bin).

If BitDefender prevents you from removing the file, temporarily disable the Realtime Protection, remove the file, and re-enable BitDefender again.

As for the other objects, found in Documents and settings/..., those files don't represent any risk. They are only password-protected files which couldn't be scanned.

Cris.

deathglow · May 2009

the problem was the virus was hiding that file from me. I was finally able to get a malware remover installed by renaming the file so the virus didnt reconize it. Thanks everyone for the help.

charliethered · May 2009

Hey guys...

BitDefender shows this same virus for me. I've followed the directions in this thread and I still can't find those infected files.

I cleared out my temporary folder as instructed, and while it's no longer trying to install anything via Internet Explorer, it clearly still has some element of control on my computer (can't run ComboFix or SpyEraser, closes Internet Explorer when attempting to download updates).

Any help would be greatly appreciated.

Here's my BD log.

<?xml version="1.0" encoding="utf-8"?>

<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2009\uiscan_log.xsl"?>

<ScanOptions

showWarnings="1"

>

</ScanPaths>

<ScanObjects

scanViruses="1"

scanAddware="1"

scanSpyware="1"

scanApplications="1"

scanDialers="1"

scanRootkits="1"

/>

<TargetSelection

heuristicScan="1"

scanArchives="1"

scanRegistryKeys="1"

scanRegistry="1"

scanCookies="1"

memoryProcesses="1"

scanBootSectors="1"

scanEmail="1"

scanAllFiles="1"

scanPackedFiles="1"

scanSubfolders="1"

includeExtensions=""

excludeExtensions=""

/>

<TargetProcessing

infectedAction="3"

suspiciousAction="1"

hiddenAction="1"

encrInfectedAction="1"

encrSuspiciousAction="1"

passProtAction="20"

/>

</ScanOptions>

<EngineSummary

archivePlugins="45"

mailPlugins="6"

scanPlugins="13"

totalSignatures="2967516"

systemPlugins="5"

unpackPlugins="7"

/>

<ScanSummary

scannedItems="558500"

passProtItems="0"

archiveBombs="0"

infectedItems="9"

suspiciousItems="0"

resolvedItems="0"

unresolvedItems="9"

scannedArchives="4178"

bootSectorCount="0"

scannedDirectories="24182"

inputOutputErrors="0"

virusesNumber="9"

scanTime="02:17:58"

filesPerSecond="67"

>

<FileSummary

scanned="557263"

archives="4178"

packed="51968"

infected="9"

suspicious="0"

resolved="0"

deleted="0"

moved="0"

copied="0"

/>

<RegistryKeySummary

scanned="1157"

infected="0"

suspicious="0"

/>

<CookieSummary

scanned="32"

infected="0"

suspicious="0"

/>

<ProcessSummary

scanned="48"

infected="0"

suspicious="0"

/>

<MailSummary

scanned="0"

infected="0"

suspicious="0"

/>

</ScanSummary>

</ScanDetails>

</ScanSession>

And a HiJackThis Log as well (renamed HJT so I could run it, but that method doesn't work with ComboFix):

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:59:38 PM, on 5/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\LOGI_MWX.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Saitek\SD6\Software\ProfilerU.exe

C:\Program Files\Saitek\SD6\Software\SaiMfd.exe

C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Opera\opera.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utm.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe

O4 - HKLM\..\Run: [saiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - http://i.dell.com/images/global/js/scanner/SysProExe.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160143727234

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160143779671

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) - https://baninb.utm.edu/forms90/java/jre-1_5...dows-i586-p.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{EF43B046-806E-42D5-BA81-6637CAD11AF7}: NameServer = 170.215.126.3,170.215.184.3

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--

End of file - 12789 bytes

Could use some help. This virus is annoying the ###### out of me.

charliethered · May 2009

Hey guys...here's a more up to date scan of just that directory. Now it shows 11 instances of the virus as opposed to 9.

Product : BitDefender Total Security 2009

Version : BitDefender UIScanner v.12

Scanning task : Windows

Log date : 5/13/2009 10:10:36 PM

Log path : C:\Documents and Settings\Charlie The Red\Application Data\BitDefender\Desktop\Profiles\Logs\user_0001\1242270636_1_02.xml

Scan Paths:Path 0000: C:\WINDOWS\system32

Scan Options:Scan for viruses : Yes

Scan for adware : Yes

Scan for spyware : Yes

Scan for applications : Yes

Scan for dialers : Yes

Scan for rootkits : Yes

Target Selection Options:Scan registry keys : Yes

Scan cookies : Yes

Scan boot sectors : Yes

Scan memory processes : Yes

Scan archives : Yes

Scan runtime packers : Yes

Scan emails : Yes

Scan all files : Yes

Heuristic Scan : Yes

Scanned extensions :

Excluded extensions :

Target Processing:Default action for infected objects : Disinfect

Default action for suspicious objects : None

Default action for hidden objects : None

Default action for encrypted infected objects : None

Default action for encrypted suspicious objects : None

Default action for password-protected objects : Log as not scanned

Scan engines summaryNumber of virus signatures : 2967516

Archive plugins : 45

Email plugins : 6

Scan plugins : 13

System plugins : 5

Unpack plugins : 7

Overall scan summaryScanned items : 4805

Infected items : 11

Suspicious items : 0

Resolved items : 0

Unresolved items : 11

Password-protected items : 0

Overcompressed items : 0

Individual viruses found : 11

Scanned directories : 588

Scanned boot sectors : 0

Scanned archives : 26

Input-output errors : 13

Scan time : 00:04:27

Files per second : 13

Scanned processes summaryScanned : 45

Infected : 0

Scanned registry keys summaryScanned : 1155

Infected : 0

Scanned cookies summaryScanned : 52

Infected : 0

Remaining issues:Object Name Threat Name Final Status

\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed

I could really use some help on this.

charliethered · May 2009

So I was finally able to get ComboFix to run.

I had eleven rootkits on my system. No clue how they got there, but they're there. Combofix took care of it.

alexcrist · May 2009

Does anyone of you two have any other problems?

charliethered · May 2009

As of right now, no more problems that I can see.

What I can tell you is that, whatever put these rootkits on my computer, I got it from an outdated Flash player.

I'll give a brief summary for posterity's sake in case anyone else has this problem.

Last week, BitDefender detected brastia on my computer. I was able to remove it with HJT. After the next restart, BitDefender blocked Waledac and Koobface. Koobface likes to stick close to Facebook.com, and since I was playing a lot of FarmTown with Flash, I probably got the virus from one of those flash advertisements on that site. Things seemed pretty dormant until yesterday...

ld08, winarps32, sdra64 and zlob were all on my computer. I was able to remove all of these with HJT (which I had to rename, following the directions in this thread), but it still didn't totally resolve the problems with Internet Explorer and Firefox.

I couldn't find the threats on my system for the life of me, and after renaming ComboFix twice it still wouldn't work. I was able to get the necessary windows updates via opera, then I renamed ComboFix yet again to "BillMurray.exe" and it worked. Within seconds it found all of the rootkits and cleaned them, along with other files that I hadn't caught.

I then disabled system restore after restart, uninstalled combofix and rebooted yet again, removing everything it quarantined.

As of right now, I've scanned with BitDefender twice and still nothing found. It seems like whatever problem I had, I was able to fix.

BitDefender labels this virus as "Trojan.FakeAV.KI." This is the Windowsclick.com (UACd.sys) rootkit which is pretty well known on google and has a variety of fixes. Here are some links in case anyone else has this problem.

Removal:

http://www.myantispyware.com/2009/01/24/ho...uacdsys-trojan/

http://www.antionline.com/showthread.php?t=278009

If someone has this virus, run Opera for web browsing if you have it. You can still use Firefox, although you have to paste the URLs of google results into your address bar instead of clicking them otherwise you'll be redirected. If you try and download Windows Updates out of Internet Explorer, IE will automatically close once you reach the Installation page.

Furthermore, running HiJackThis to find this is futile because it won't find it. ComboFix is pretty much your best bet.

Trojan.fakeav.ki Disinfect Failed

Comments

All Time Leaders

Categories

Defenders of the month