Anti Virus 2009 variant with nasty Rootkit

redbeard1

Diamond Member
We have run across three customer systems recently that have a fake anti-virus variant that installs a tough rootkit. It knows how to disable programs like Combofix and Malwarebytes, unless these tools' .exe files are renamed.

The first one I dealt with had a file I found named UACINIT.DLL. I had already done some cleaning on the system and thought I could start running further cleanup, but still had issues with suspect files showing back up, and various programs not being able to run. I used a boot cd to look at the drive and found numerous files in the windows\system32 folder that started with UACxxxxxx. Deleting these files at least enabled me to get combofix to run. It found another file with UAC in the title in the windows\system32\drivers folder. Once Combofix removed the UAC named files it found, other cleaning tools could be installed and run.

Superantispyware now seems to find it and can clean the remnants, but if you are already infected it will not let it be installed.

On all of the systems, suspect files have UAC in the name, there is a file in the system32\drivers folder, and you cannot see the files while booted into windows.

FWIW
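The cleanup above relies on a classic cross-view check: files the rootkit hides from a running Windows session are plainly visible when the disk is read from a boot CD. The script below is an added illustration of that comparison and is not code from redbeard1's post. It assumes the investigator has saved two plain "one path per line" listings of the same folders, one captured inside the infected install and one from the boot CD; both listings here are constructed sample data, and the `uac…` file names in them (other than `uacinit.dll`, which the post names) are made up for the example.

```python
"""Cross-view comparison of an online and an offline directory listing.

Assumed scenario (constructed for this example): the same folders were
listed twice, once from inside the infected Windows install and once from a
boot CD where the rootkit's driver is not loaded. A path present offline but
missing online is being hidden from the running system, which is the
behaviour described in the post. Name-prefix matching is kept as a second,
weaker signal because a family can change its prefix at any time.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Prefix reported in the post (UACxxxxxx); configurable on purpose.
SUSPECT_PREFIX = re.compile(r"^uac", re.IGNORECASE)

# Constructed sample listings. Only uacinit.dll comes from the post; the
# other uac* names and hiddenhelper.sys are placeholders for the example.
ONLINE_LISTING = r"""
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\uacvisible.dll
c:\windows\system32\drivers\tcpip.sys
"""

OFFLINE_LISTING = r"""
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\uacvisible.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\uacd3f9a1.dll
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\drivers\uacf7e2.sys
c:\windows\system32\drivers\hiddenhelper.sys
"""


@dataclass(frozen=True)
class Finding:
    path: str
    hidden: bool        # present offline, absent from the online listing
    suspect_name: bool  # file name matches the prefix seen in the post


def parse_listing(text: str) -> set[str]:
    """Normalise a raw listing into a set of lower-cased paths."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def cross_view(online: str, offline: str) -> list[Finding]:
    """Return every offline path that is hidden online or has a suspect name.

    Results are sorted by path so the output is stable and easy to diff
    against a later run.
    """
    on = parse_listing(online)
    off = parse_listing(offline)
    findings: list[Finding] = []
    for path in sorted(off):
        name = path.rsplit("\\", 1)[-1]
        hidden = path not in on
        suspect = bool(SUSPECT_PREFIX.match(name))
        if hidden or suspect:
            findings.append(Finding(path, hidden, suspect))
    return findings


def summarise(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding; hidden files are the strong signal."""
    lines = []
    for f in findings:
        tag = "HIDDEN" if f.hidden else "visible"
        if f.suspect_name:
            tag += "+suspect-name"
        lines.append(f"{tag:22} {f.path}")
    return lines


if __name__ == "__main__":
    for line in summarise(cross_view(ONLINE_LISTING, OFFLINE_LISTING)):
        print(line)
```

Treat a HIDDEN result as the finding worth acting on: a file that only shows up from the boot CD has no legitimate reason to be missing from the live listing. A name-only match, such as the constructed `uacvisible.dll` above, is just a prompt to look closer, since legitimate software can also start a file name with those letters.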