Rootkit UAC - removed

Discussion in 'Software' started by dlb, Jun 27, 2009.

  1. dlb

    dlb MajorGeek

    As some of you folks out there in MG land may know, I like to occasionally post little tid-bits about viruses/malware that I've dealt with. Yesterday I removed the UAC rootkit for the bazillionth time, but this time I took some screen shots of the file lists. So- this dude brings me his PC saying that he had a virus and "took it out" but now the Ethernet driver is messed up and the MB driver CD isn't working and it's all my fault because I sold and installed the motherboard (over 18 months ago). Being the nice guy that I am, I said "if it's a hardware problem, I'll warranty it even though the motherboard is no longer covered by the factory warranty". So I boot to Windows XP, go straight to the Device Manager, and yes, the network driver is loaded correctly, but the PC is not going online, will not run IPCONFIG, and other strangeness. I immediately think "malware" and reboot to a PE CD. I browsed straight to the System32 folder, and sure enough, we have the UAC rootkit (a very close relative of the TDSS rootkit). I deleted all the UAC files from the System32 folder; this rootkit usually drops a file or two in the System32\Drivers folder, so I went there and deleted the single file found. I then ran a search of drive C: for anything with a UAC in it (screen shot #2 below) and deleted the offending files. Once I found the first UAC file, identifying the others was easy because of the time and date. If any other files had a UAC but a different date, chances are it's safe. To sum it up- after removing the files in a 'safe' preinstallation environment, I booted to the XP desktop again, and internet connectivity had been immediately restored by the simple fact that the UAC files had been deleted. I then ran deep scans with MBAM and SUPERantispyware and a couple others, and all is well.

    [dlb]

    (in the first screen shot below, the 3rd file listed was in the System32\Drivers folder)
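The triage step dlb describes above (find the files carrying the rootkit's name, treat everything written in the same minute as part of the same drop, and treat a same-named file with an older date as probably benign) as an added Python example; this is not code from the original post. It builds a constructed stand-in directory instead of touching a real System32, and the file names, timestamps and the 120-second window are assumptions.

```python
import os, shutil, tempfile
from datetime import datetime

def triage(root, token, window=120):
    """Split files under `root` three ways: burst = token-named files sharing the
    dominant timestamp, outliers = token-named files with another date (probably
    benign), companions = other files written in the same window as the burst."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                entries.append((p, os.stat(p).st_mtime))
            except OSError:  # unreadable entry: skip it rather than abort the sweep
                continue
    seeds = [(p, t) for p, t in entries if token.lower() in os.path.basename(p).lower()]
    if not seeds:
        return [], [], []
    # Anchor on the seed with the most other seeds inside the window: the drop burst.
    anchor = max(seeds, key=lambda s: sum(abs(s[1] - t) <= window for _, t in seeds))[1]
    near = lambda t: abs(t - anchor) <= window
    burst = sorted(p for p, t in seeds if near(t))
    outliers = sorted(p for p, t in seeds if not near(t))
    companions = sorted(p for p, t in entries if near(t) and p not in burst)
    return burst, outliers, companions

def build_sample_tree():
    # Constructed stand-in for a System32 tree; every name and timestamp is assumed.
    root = tempfile.mkdtemp()
    drop = datetime(2009, 6, 26, 14, 5).timestamp()  # the infection's drop minute
    old = datetime(2008, 1, 10, 9, 0).timestamp()    # an unrelated older date
    layout = {"System32/UACabcd.dll": drop, "System32/UACefgh.dat": drop + 3,
              "System32/drivers/UACijkl.sys": drop + 7,
              "System32/drivers/xyz.sys": drop + 10,        # dropped with them, no token
              "System32/LogFiles/uac_setup.log": old,      # token in name, other date
              "System32/kernel32.dll": old - 5000}          # ordinary old system file
    for rel, t in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("placeholder\n")
        os.utime(p, (t, t))  # stamp atime/mtime with the constructed time
    return root

def demo():
    root = build_sample_tree()
    groups = triage(root, "UAC")
    shutil.rmtree(root)  # the sample tree is no longer needed
    rel = lambda ps: [os.path.relpath(p, root).replace(os.sep, "/") for p in ps]
    return tuple(rel(g) for g in groups)
```

Against a real volume you would point `triage` at the mounted System32 from the PE environment and review the three lists before deleting anything; the companion list is where the extra driver dlb found would show up.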

  2. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    Was the person running any security programs? I see this has been around since at least March so I assume that most everything would now catch it.

    I know if you are one of the first to get infected with something, nothing will detect it until the vendors get a chance to look at the files and include things in the database.
     
  3. evilfantasy

    evilfantasy Malware Fighter

    It's usually hard to block something with an antivirus when the person is persistent in installing it, warez/torrents. Rootkits are even harder for an antivirus to block as they are many times never even "seen" installing. Especially the newer ones.

     
  4. mastapoet

    mastapoet Private E-2

    After 2 hours of pissfarting around with Malwarebytes and ScanSpyware finding and "removing" this stupid thing only to have it reappear, I finally seem to be rid of it. Thanks heaps!
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi :) That's good, but if you wish to check for remnants then please ensure you follow through the whole of the R&R, which includes attaching the logs from SAS/MBAM and also logs from RootRepeal/ComboFix and MGTools.
     
