I am a network admin and do work on the side. I was given a laptop to examine which was infected for probably a week before they gave up and asked for help. I have managed to eradicate everything except Rootkit.Trace and Trojan.Agent, which re-spawn on reboots. Sysinternals RootkitRevealer shows the uacd.sys key in the registry and MBAM finds the 2 monsters every time I scan. I have pored through your forums and found instructions for ComboFix and other utilities along with endless logs attempting to track and kill this nasty variant. Most seem to terminate in dead ends where the poster probably gave up and quit posting. I am not in the mood to give up. Is there a vector of attack we can use against this problem? If so, I am all ears.
#1
Posted 06 June 2009 - 07:11 PM
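The symptom described in the opening post (a driver key such as uacd.sys that keeps coming back after reboot) is a kernel-driver persistence pattern, and the quickest first-pass check is to enumerate every driver service registered in the registry and flag the ones whose backing file is missing or unsigned. The script below is an added example written for this thread, not a tool from the thread or from Sysinternals; it assumes a Windows host with PowerShell and an elevated prompt, and the key name, value names and type codes it reads (Type 1 = kernel driver, 2 = file-system driver) are the standard service-registry layout.

```powershell
# Added example (not from the thread): list kernel-mode driver services under
# HKLM\SYSTEM\CurrentControlSet\Services and flag those whose ImagePath points to a
# file that is missing from disk or that carries no valid Authenticode signature.
# A driver key whose file cannot be seen through the normal API (the uacd.sys symptom)
# shows up here as "file missing". Run from an elevated PowerShell prompt.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Resolve-DriverPath {
    # Normalise the path forms seen in ImagePath values to an absolute path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$systemRoot\"      # \SystemRoot\System32\drivers\x.sys
    $p = $p -replace '^\\\?\?\\', ''                           # \??\C:\...\x.sys
    $p = $p -replace '^system32\\', "$systemRoot\system32\"  # system32\DRIVERS\x.sys
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $systemRoot $p }  # other relative forms
    return $p
}

$findings = foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Only kernel drivers (Type 1) and file-system drivers (Type 2) are of interest here.
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

    $path   = Resolve-DriverPath $props.ImagePath
    $status = $null
    if (-not $path) {
        $status = 'no ImagePath'
    } elseif (-not (Test-Path -LiteralPath $path)) {
        $status = 'file missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $status = "signature $($sig.Status)" }
    }

    if ($status) {
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start        # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            ImagePath = $props.ImagePath
            Status    = $status
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

This reads the registry through the normal API, so it shows what a live, possibly compromised kernel lets it see; RootkitRevealer's value is that it compares that view with a raw read of the hive, and a key that appears only in the raw read is the stronger indicator. Use the list above to decide what to look at next, and confirm any hit from an offline boot or a clean scan rather than trusting the running system.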
#2
Posted 07 June 2009 - 10:28 AM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 10 June 2009 - 12:14 AM
[quote name='miekiemoes' date='Jun 7 2009, 05:28 AM' post='87515']
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
[url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url]
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. [url="http://www.bleepingcomputer.com/forums/topic114351.html"]Please visit HERE[/url] if you don't know how.
[/quote]
A big thanks for offering to help. I have a ComboFix log. It certainly showed more activity than any other tool I used to date. After looking at it I am hopeful that ComboFix did its job. What do you think?
Thanks again.
Attached Files
#4
Posted 10 June 2009 - 12:58 AM
I rebooted 3 times and scanned with MBAM and found nothing. The system is running great with no DNS redirects. I am extremely grateful for the ComboFix suggestion. I had downloaded this gem about a year ago and a virus scan did not like the file. I fully comprehend why some of the methods used by Combo are considered risky, but it seems to have done the job this time.
Again I thank you for the time. It takes a team to beat these guys.
Dosman
#5
Posted 10 June 2009 - 07:07 AM
Hi,
This looks OK again.
* Go to Start > Run and copy and paste the next command into the field:
ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
MalwareBytes actually detects this malware, but the problem here is that the malware you were dealing with is "MalwareBytes aware", so it blocks MalwareBytes in a way when it's active. That's why we need other tools to deal with that, so MalwareBytes can then deal with the leftovers. It will only be a matter of time before this malware also targets other tools etc...
Anyway, MalwareBytes as a real-time scanner would have blocked the installation of this malware in the first place.
Glad I could help.
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#6
Posted 20 June 2009 - 01:07 PM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.