Author Topic: Pesky Trojan (Confuscate) - Resolved  (Read 8653 times)


Magnum596

  • Guest
Pesky Trojan (Confuscate) - Resolved
« on: April 08, 2009, 06:35:18 PM »
I've been working on a computer for a friend and have run up against a nasty trojan (by my standards).

Avast flags it in memory as the Win32:Confuscate.FVC [trJ].
I do a bootup scan and get the file "uacxijhel.dll" (I may be remembering the name wrong; it starts uac, ends hel and has x, i, j in the middle. Definitely a dll.) in the Windows/system32 directory. A Google search brought up no hit on the file name.

Unfortunately it's still there when I try and scan again. I did a HJT log and got rid of some bad entries (I'm an intermediate user--enough to get myself in trouble--most of them were host entries; also got rid of old Norton entries). I also tried Malwarebytes but cannot get it to run (unsure if it was the McAfee running in the background or the trojan).

For backup, because I thought it may be a false positive, I did an Avira scan and that caught a bunch of uac*.dlls in both the sys32 and driver folders. It's been catching some TDSS.ror issues and the Dropper Trojan. So now I'm convinced this thing is real and I am stuck. (I did look at the services and unhid processes, but found no rootkit.)

Finally, I removed an earlier virus through the dsound3dd.dll file that my friend had quarantined.

HJT file is in a follow up post.
« Last Edit: April 09, 2009, 06:32:09 PM by Magnum596 »

Jtaylor83

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #1 on: April 08, 2009, 06:44:40 PM »
Try scheduling a boot-time scan or use SuperAntiSpyware Free.

Magnum596

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #2 on: April 08, 2009, 07:08:21 PM »
Unfortunately SuperSpyware errors out on install.
The following dlls show up in the error report that I recognize from the scans:
UACotjxihel.dll
UACiyyuoylu.dll

And a boot-time scan finds the file, deletes it, but it returns.

Here is my HJT Log

« Last Edit: April 08, 2009, 07:21:58 PM by Magnum596 »

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Pesky Trojan (Confuscate)
« Reply #3 on: April 08, 2009, 07:32:06 PM »
Quote
Unfortunately SuperSpyware errors out on install.
That could be from the virus.  You can try installing in safe mode, and then scanning.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

micky77

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #4 on: April 08, 2009, 07:48:42 PM »
Unfortunately SuperSpyware errors out on install

Also, if trying to install MBAM and SAS, first rename the setup files, e.g. mbam setup.exe to magnum.exe and superantispyware.exe to magnumpi.exe  ;D

Then try and update them

Then navigate to C/program files/malwarebytes antimalware > locate mbam.exe and rename that, same with SAS; double click on the renamed files to start the programs (one at a time).

Also, how many antivirus programs are you running?  :o
« Last Edit: April 08, 2009, 07:54:19 PM by micky77 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Pesky Trojan (Confuscate)
« Reply #5 on: April 08, 2009, 08:00:41 PM »
Quote
Unfortunately SuperSpyware errors out on install.
That could be from the virus.  You can try installing in safe mode, and then scanning.

By default SAS won't install from safe mode, you need to make some changes in the registry to get it to install from safe mode. Something I wouldn't recommend for your average user. MBAM however, can be installed and run from safe mode.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Magnum596

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #6 on: April 08, 2009, 08:02:16 PM »
Yeah, I've done all those. So I went old skool on it and went after all those UACrandomletter.dlls. Rebooted from the Windows CD and manually deleted them. Now installing and running MBAM, SuperSpy, etc...

Safe mode reboot gave me same problem of those dll's interference.

I am up to 3 virus checkers, but these folks use McAfee. I used Avast, and then got Avira to confirm I wasn't seeing a false positive. I try not to overdo it  ;D

I did disable the other 2 when using 1 though.  

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Pesky Trojan (Confuscate)
« Reply #7 on: April 08, 2009, 08:53:03 PM »
Unfortunately, just disabling a resident scanner doesn't stop low level drivers running for them and it is these that can cause conflicts as they are trying to hook files so they can be scanned.

Magnum596

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #8 on: April 08, 2009, 09:14:31 PM »
Ok, so what is the proper way to disable them? I did turn them off in services.msc. My biggest worry is McAfee since this is apparently the owner's primary virus scan. I have no issue uninstalling the others. (My personal computers all run Avast.) It is not my normal practice to run multiple scanners. One of the reasons I popped in here is that Avast would ID one of the dlls (UACotjxihel.dll) and ask for a boot-time scan. The boot-time scan would delete or quarantine (I did both), but the bad dll would appear back right away when I went for a follow-up system scan. McAfee was showing me nothing. In order to "convince" myself I may have a false positive, I went to a 3rd scanner, which confirmed that the finding was real. Avira also caught some other related files, but of course cannot do a boot-time scan.

However, I think the important point is that manually deleting the offending dll files allowed me to get started on MBAM and SuperSpy. I had to go back to work (I couldn't stand asking for help w/o my HJT file, as I knew everyone would ask for it--so I dashed home at lunch to post it) in the meantime. However, the positive sign is that Avast gave me a clean bill o' health on the memory scan, so at least I have my foot in the door on this battle. However, I also know trojans like to hide and come back, so I want to be thorough. This ain't over yet  ;)

Once I get those malware cleaners finished, is there a further tool for cleanup, or should they remedy the issue?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Pesky Trojan (Confuscate)
« Reply #9 on: April 08, 2009, 09:36:12 PM »
You can't easily turn them off; services aren't the low-level drivers, which are commonly in the legacy drivers sections of the registry, and you don't really want to go playing in there as a temporary hack.

The short answer is you might get away with it, but a conflict could be as serious as not booting, and then you would have to try and sort it by uninstalling in safe mode. The only proper way to disable them is through an uninstall, and even then McAfee often leaves remnants that require cleaning up too.

Ideally you shouldn't install multiple AVs in the first place and have to hack them to bits to avoid conflict.

So what needs to be discussed with the user is which AV he wants left on there as McAfee was a passenger in this crash, whilst avast at the very least made the detections that pointed in the right direction.

However, there was a hidden or undetected element restoring them as soon as avast had removed them. That is where the other tools come into their own, in hopefully finding the other element restoring them.

I think if having removed anything found by SAS and MBAM, run another avast boot-time scan and then a thorough scan from normal mode and if they all come up clean, you should be in relatively good shape.

Whilst HJT does give an analysis, it isn't that deep. ComboFix is a little more powerful and, as the name suggests, it will also fix stuff; there I go getting technical again.

Please download ComboFix from Here or Here to your Desktop.

Quote
**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

CharleyO

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #10 on: April 08, 2009, 11:30:05 PM »
***

The only thing notable in your HJT log are the entries for 3 AV services ... McAfee, Avast, & Avira.

As David posted above, this will cause more problems than good.


***

Magnum596

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #11 on: April 09, 2009, 12:18:01 AM »
Assuming the malware scans go well (which is fairly safe, since I had them both installed when I left for work and one of them running), I did manage to get a Google hit on one of the files: uacinit.dll

It's mentioned that this is part of a rootkit and part of a website redirector. I recommended to my friend that since this is a potential rootkit, if they did online transactions recently, it would be wise to get new credit cards and bank account numbers. Is that overkill or legit action for this type of trojan? (Again under the caveat ONLY if they did financial transactions on the computer when infected--they can pretty well locate when the problem started.)

Thanks again all for your help and suggestions--

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Pesky Trojan (Confuscate)
« Reply #12 on: April 09, 2009, 12:56:48 AM »
A new credit card isn't unreasonable; a new account number may not be necessary, as you can change the user name and password required to log on.

I would also suggest changing the passwords of any other security/sensitive sites that you visit, the password should be at least 8 alphanumeric characters using upper and lower case.

Magnum596

  • Guest
Re: Pesky Trojan (Confuscate)
« Reply #13 on: April 09, 2009, 06:31:57 PM »
Wrap up:  First thanks to all who put out suggestions or ideas.  Having a good community is part of making a valuable program.  Hopefully with this writeup people can search the forums for a good answer and use this as a guide.  Combofix got some old issues and SAS and MBAM got the rest once we got rid of the initial problem.

Here's what I did to eliminate the Win32:Confuscate-FVC trojan (as identified by Avast). Avast was unable to eliminate it, but it flagged it, which is about the best any AV could do out there.
The main culprit file is UACinit.dll. It appears this was part of a rootkit/trojan to redirect web browsers to Anti-Spyware 2009.

Symptoms included browser redirects and inability to install the Malwarebytes Anti-Malware, Combofix and SuperAntiSpyware programs. When installing those programs and looking at the Windows XP error log, several of the virus files were involved, of the type UACxxxxxxx.dll, where xxxxxxx appears to be an 8-10 digit sequence of random letters.

1) Turned off system restore.
2) Booted Windows off the CD and went to the repair prompt. Logged into the partition.
3) Deleted UAC*.* from C:\windows\system32 and C:\windows\system32\drivers. There were about 10 files. Most were dlls with random letters following the "UAC" portion, example: UACyyoutyy.dll. A Google search for UACinit also mentions possible files in the C:\temp directory. You must delete each file separately. Do a dir uac*.* to get the list in each directory.
4) Ran SuperAntiSpyware (SAS) and Malwarebytes (MBAM).
5) Combofix.
6) Full virus scan (Avast FTW!).
7) SAS and MBAM again.
8) Cleanup computer.
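A report-only sweep for the UAC* naming pattern from step 3 above, as an added example that is not from this thread or from any of the tools named in it. It assumes nothing beyond the file names quoted in the posts: it builds a throwaway directory tree with constructed sample files (the UAC* names are taken from the thread, the rest are constructed) so it runs offline, and it only lists candidates rather than deleting them.

```python
import os
import re
import shutil
import tempfile

# Pattern reported in the thread: "UAC" + a run of random letters (UACotjxihel.dll,
# uacinit.dll, UACyyoutyy.dll), any extension; case-insensitive as both cases were seen.
UAC_PATTERN = re.compile(r"^uac[a-z]{4,12}\.[a-z0-9]{1,4}$", re.IGNORECASE)

def find_uac_candidates(directories):
    """Return {directory: sorted file names} for plain files matching UAC_PATTERN.
    Report-only: it lists what step 3 would delete; missing dirs are skipped."""
    hits = {}
    for d in directories:
        if not os.path.isdir(d):
            continue
        names = sorted(n for n in os.listdir(d)
                       if os.path.isfile(os.path.join(d, n))
                       and UAC_PATTERN.match(n))
        if names:
            hits[d] = names
    return hits

def build_sample_tree():
    """Construct a throwaway tree mimicking system32, system32\\drivers and temp."""
    root = tempfile.mkdtemp(prefix="uac_demo_")
    system32 = os.path.join(root, "system32")
    drivers = os.path.join(system32, "drivers")
    temp = os.path.join(root, "temp")
    for d in (drivers, temp):
        os.makedirs(d)
    planted = {  # constructed sample files, with legitimate names mixed in
        system32: ["UACotjxihel.dll", "UACiyyuoylu.dll", "uacinit.dll",
                   "kernel32.dll", "uac.dll"],
        drivers: ["UACyyoutyy.sys", "ntfs.sys"],
        temp: ["UACqwertyui.tmp", "readme.txt"],
    }
    for d, names in planted.items():
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed sample file, not malware\n")
    return root, [system32, drivers, temp, os.path.join(root, "missing")]

def demo():
    """Build the sample tree, run the sweep, clean up, and return the hits."""
    root, dirs = build_sample_tree()
    try:
        return find_uac_candidates(dirs)
    finally:
        shutil.rmtree(root)
```

Pointing find_uac_candidates at the real C:\windows\system32, C:\windows\system32\drivers and C:\temp gives the same per-directory list that step 3 says to gather with dir uac*.*, without touching anything.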


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Pesky Trojan (Confuscate) - Resolved
« Reply #14 on: April 09, 2009, 06:40:33 PM »
You're welcome, thanks for the feedback.