Anti Virus 2009 variant with nasty Rootkit

redbeard1

Diamond Member
Dec 12, 2001
We have run across three customer systems recently that have a fake anti-virus variant that installs a tough rootkit. It knows how to disable programs like Combofix and Malwarebytes, unless these tools' .exe files are renamed.

The first one I dealt with had a file I found named UACINIT.DLL. I had already done some cleaning on the system and thought I could start running further cleanup, but still had issues with suspect files showing back up, and various programs not being able to run. I used a boot CD to look at the drive and found numerous files in the windows\system32 folder that started with UACxxxxxx. Deleting these files at least enabled me to get Combofix to run. It found another file with UAC in the title in the windows\system32\drivers folder. Once Combofix removed the UAC-named files it found, other cleaning tools could be installed and run.

Superantispyware now seems to find it and can clean the remnants, but if you are already infected it will not let it be installed.

On all of the systems, suspect files have UAC in the name, there is a file in the system32\drivers folder, and you cannot see the files while booted into Windows.

FWIW
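The post's key detection clue is that the UAC-prefixed files are visible from a boot CD but not from a running Windows session. The script below is an added example (not code from the post or any tool it names) that turns that observation into a cross-view check: it diffs a live directory listing against an offline one and flags the hidden entries that match the UAC* naming in system32 or system32\drivers. The file listings are constructed sample data; the helper names are this example's own.

```python
from pathlib import PureWindowsPath

# Constructed sample listings (not real data): what a directory enumeration
# returned while Windows was running, and what the same folders looked like
# when the drive was examined offline from a boot CD.
LIVE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
    r"C:\Windows\System32\drivers\tcpip.sys",
]
OFFLINE_LISTING = LIVE_LISTING + [
    r"C:\Windows\System32\UACinit.dll",       # name taken from the post
    r"C:\Windows\System32\UACsample.dat",     # constructed placeholder name
    r"C:\Windows\System32\drivers\UACsample.sys",  # constructed placeholder name
]


def hidden_from_live(live, offline):
    """Cross-view diff: paths present offline but missing from the live view.

    A user-mode or kernel rootkit that filters directory enumeration shows
    up here as entries that only the offline listing can see.
    """
    live_set = {p.lower() for p in live}
    return sorted(p for p in offline if p.lower() not in live_set)


def uac_named_in_system_dirs(paths):
    """Keep only UAC* files living in system32 or system32\\drivers."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parent = str(wp.parent).lower()
        in_sys_dir = parent.endswith(("system32", r"system32\drivers"))
        if in_sys_dir and wp.name.lower().startswith("uac"):
            hits.append(p)
    return hits


def triage(live, offline):
    """Summarise hidden files and the subset that fits the reported pattern."""
    hidden = hidden_from_live(live, offline)
    uac = uac_named_in_system_dirs(hidden)
    drivers = [p for p in uac if str(PureWindowsPath(p).parent).lower().endswith("drivers")]
    return {"hidden": hidden, "uac_named": uac, "uac_drivers": drivers}


if __name__ == "__main__":
    for key, items in triage(LIVE_LISTING, OFFLINE_LISTING).items():
        print(f"{key}: {items}")
```

On a real case the two lists would come from enumerating the same folders once from the running system and once from the boot CD; any non-empty `hidden` result is worth a closer look even when the names do not start with UAC.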