Malware pretending to be User Account Control aieee
April 14, 2010 3:47 AM   Subscribe

My computer (XP SP2) is infected with malware that pretends to be User Account Control. Help!

Here's a screenshot of a message that pops up when I start up the computer or open a program. (the memory processes it cites are different each time.) If I press allow, it goes away. If I press allow too many times, the computer freezes up (and I have to restart.) If I press "scan system" it pretends to scan my system and find viruses, and then it says I need to purchase security software. And then there's an (uncloseable) window that asks for my address, and then credit card info. (And I have to restart.)

I've scanned my system with Malwarebytes, AVG Free, and Norton Free, and they don't catch it.

I've tried looking for a solution on google but can't find one.

I think the thing came from an ad on The Pirate Bay.

How do I take care of this?

Incidentally, not one but two nasties appeared on my system while I was visiting The Pirate Bay. I got rid of the other one with the help of myantispyware.com, and hopefully I'll get rid of this one with your guys' help. But now I'm wondering: what if there's more than two? Might there be undetectable spyware lurking on my system? Is there any way to check for that, besides programs like AVG and Malwarebytes?
posted by Praxis to Computers & Internet (32 answers total) 1 user marked this as a favorite
 
First thing to try: boot up in Safe Mode and see if it still appears. If it doesn't, it should be fairly straightforward to get rid of; post back for further instructions.

If it still appears in Safe Mode, the easiest way to remove it is going to involve booting from a live CD of some sort (Knoppix, Trinity Rescue Kit, BartPE, Ultimate Boot CD) and running an anti-malware tool against your hard disk from there.
posted by flabdablet at 3:59 AM on April 14, 2010


Hit my profile for the big ole instruction list and see if that does it for you.
posted by deezil at 4:33 AM on April 14, 2010 [2 favorites]


It doesn't show up in safe mode!
posted by Praxis at 5:03 AM on April 14, 2010


Then it's probably not doing anything terribly clever, and will simply have an auto-start value in one of the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Looking in both those places with Regedit should reveal the name of the executable that's being auto-started. Once you know that, just rename it from whatever.exe to whatever.exe.renamed, boot up again in normal mode and see if the thing auto-starts. If not, and everything else seems fine, that's probably all you need to do.

If your current anti-malware suite didn't detect it, reef it out and try installing Panda Cloud Antivirus instead.
posted by flabdablet at 5:26 AM on April 14, 2010


If you can't find it in those registry keys, then Autoruns will give you an exhaustive list of what is running when you boot.
posted by grouse at 6:56 AM on April 14, 2010


There's also a possibility that it's hijacked the .exe program association, so that it runs any time you start anything.

If that's the case, use the exe association fix from this bunch: http://www.dougknox.com/xp/file_assoc.htm
posted by Citrus at 9:09 AM on April 14, 2010


I really hate to say this but I had a similar problem recently and I just couldn't fix it. You might want to look at using a Knoppix CD or other LiveCD to fully backup and then do a reinstallation.
posted by alby at 10:14 AM on April 14, 2010


Thanks for all the suggestions. I tried everything on deezil's list to no avail. But then I tried Panda Cloud and that got rid of it!

Although now when I boot up I get a couple of error messages about dlls, hrm.
posted by Praxis at 1:10 PM on April 19, 2010


Panda Cloud Antivirus is quite good at stopping malware from running, but in my experience it's not as good at actually repairing the damage that malware leaves behind. For example, when it detects viruses it makes no attempt to remove them from the executable they're buried in - it just completely blocks execution of that program instead.

You might well find that the registry Run keys devoted to starting your malware are still in place, and that your DLL error messages stem from Windows being unable to start that stuff for you now that Panda has blocked it. If you're not comfortable with Regedit, then Spybot Search & Destroy has a handy System Startup tool that lets you temporarily disable or permanently remove auto-start entries.

If the error messages relate to system DLLs, then opening a cmd window and doing sfc /scannow might be enough to reinstall clean copies. This will usually require that a Windows setup CD is in the drive (it will prompt you if it needs that).
posted by flabdablet at 4:15 PM on April 19, 2010


The thing is there are lots and lots and lots of auto-start entries and I don't know which one is the bad one.

Also Fake User Account Control reared its head again today! But then I ran Panda Cloud and it disappeared again.
posted by Praxis at 6:05 PM on April 25, 2010


Knock it on the head again with Panda, then install Spybot Search & Destroy, then put SS&D into Advanced mode so you can see all the handy extra tools, then open its System Startup tool.

You will see that some startup entries are highlighted in green, some in yellow, and some in red, while others aren't highlighted at all. Disable (don't delete) all the red and yellow ones (reds are known malware, yellows are optional stuff you can typically do without). Then restart your box a few times and see if the thing shows up again.
posted by flabdablet at 3:56 AM on April 26, 2010


I've disabled all the yellows (there were no reds) but I'm still getting the error messages.

I'm guessing they are system dlls (one of them is C:\Documents and Settings\All Users\Microsoft\Windows\SharedLibraries\gdiplus.dll). I'd do the scannow thing but I don't have the Windows setup CD.

One more thing: I think Panda is telling me it found a few trojans that it wasn't able to neutralize. (Even though when I start it up, it says "There are no security problems.") The last time I scanned, it said there were two threats it couldn't neutralize. I restarted the computer, and then looked at Panda's event log, and it shows three un-neutralized trojans. Here's a screenshot.
posted by Praxis at 9:47 PM on April 26, 2010


Care to maximize that window, widen the "event" and "more details" columns so their whole contents are revealed, and repost?
posted by flabdablet at 10:05 PM on April 26, 2010


Here you go:

http://img231.imageshack.us/img231/9683/pandavirus.jpg
posted by Praxis at 11:23 AM on April 27, 2010


OK, so two of those are hiding in System Restore checkpoints (anything under C:\System Volume Information\_restore belongs to System Restore), one is in CesarFTP server (are you running an FTP server on purpose, or did malware install it?), three of them are inside a compressed .cab file whose UUID belongs to InterVideo, and the last one is in C:\Qoobox which is ComboFix's quarantine folder.

Turn System Restore off and on again to clear out all existing restore points.

Uninstall CesarFTP Server.

Uninstall any InterVideo products.

Delete C:\Qoobox\Quarantine\C\WINDOWS\system32\404fix.exe.vir.

Do another full scan with Panda. If it comes up clean, post the exact text of those DLL error messages and we'll work on getting rid of those. Once they're fixed, you can reinstall the FTP server and the InterVideo stuff if you still want them.
posted by flabdablet at 4:54 PM on April 27, 2010


Hrm, I can't remove Intervideo Launcher. When I press "Change/Remove" the uninstaller's taskbar button appears, but the uninstaller itself doesn't.
posted by Praxis at 6:48 PM on April 27, 2010


In that case, just delete C:\Program Files\InstallShield Installation Information\{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}\data1.cab by hand.
posted by flabdablet at 7:42 PM on April 27, 2010


Okay the Panda scan came up clean!

Here's the one dll error.
Here's the other.
(And here's one that showed up earlier but isn't showing up now.)
posted by Praxis at 4:31 PM on April 28, 2010


I would not expect C:\Documents and Settings\All Users\Microsoft to exist. It strikes me as a bogus place to put shared libraries. Also, gdiplus.dll is indeed the name of a Windows system file, but it's not something that would normally have parts of itself launched as an application via rundll.exe. So I think it's safe to assume that the missing DLL reports reflect failed attempts to auto-start some malware.

Use Spybot S&D to check your auto-start entries for things that reference rundll.exe and C:\Documents and Settings\All Users\Microsoft\Windows\SharedLibraries. I expect you'll find two, and I expect that disabling them will get rid of the DLL errors.
posted by flabdablet at 7:13 PM on April 28, 2010


The entries aren't there!

(There is an entry that references RUNDLL32.exe - I tried disabling it but after I restarted it was enabled again. Its name is NvCplDaemon.)

If it helps, here's the (12 page long!) list of startup entries.
posted by Praxis at 6:43 PM on April 29, 2010


Try searching the Registry for "\All Users\Microsoft\Windows\SharedLibraries" and post back the results.
posted by flabdablet at 9:38 PM on April 29, 2010


It came up with something called "Parameters" in My Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0\0

Screenshot
posted by Praxis at 10:23 PM on April 29, 2010


Back out two levels, to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon; export that key to a .reg file in case you want to restore it (I don't believe you will); then delete everything inside the Logon key (the 0 subkey plus whatever values are lying around loose), leaving it empty.
posted by flabdablet at 10:48 PM on April 29, 2010


I deleted everything - except "(Default)" - and restarted the computer, and...

No more error messages! Thank you so much! You're awesome!

Is there anything else I need to do?
posted by Praxis at 11:40 PM on April 29, 2010


One more thing, flabdablet: I think I'd like someone to look at a HijackThis log, to make sure everything's a-ok. Is that something you could do?
posted by Praxis at 11:59 PM on April 29, 2010


Sure, post it somewhere and I'll cast an eye over it. Your box is running a whole bunch of things I don't usually see running, so you may get false positives from me. But I've seen a lot of infected boxes, and my malware radar is pretty good.

Couldn't hurt to run a full Spybot Search & Destroy update followed by a "Search for Problems" scan, too.
posted by flabdablet at 5:07 PM on May 2, 2010


By the way, me looking at a HJT log is not going to prove that everything's A-OK. If you're running a Windows box, I actually know of no way to prove that.

It would probably pay you to turn on Spybot Search & Destroy's "Tea Timer" resident protection component, which will alert you when potentially unwanted changes are attempted to certain places in the Registry. Tea Timer is a resource hog, so turn it off after a couple of months if it hasn't found anything untoward. The "Internet Explorer Helper" resident component is unobtrusive, and worth leaving on if you're a committed IE flagellant.
posted by flabdablet at 5:25 PM on May 2, 2010


I will do as you suggest. Here's the HijackThis log.

(hmm, by "post it somewhere" did you mean I should post it to a forum that specializes in looking at HijackThis logs?)
posted by Praxis at 7:37 PM on May 3, 2010


Err, whoops, here's the correct link:

http://www.scribd.com/doc/30875051/Hijack-This#fullscreen:on
posted by Praxis at 7:39 PM on May 3, 2010


I can't see anything specifically malicious in there.

Personally I would not run AVG9 and Panda Cloud at the same time on the same box. I suggest uninstalling AVG9. Panda doesn't like sharing a sandbox with other kids.

I'd also uninstall WinZip and replace it with 7-Zip, because (a) if you're like most people you're using an unlicensed copy of WinZip, which is bad karma, and (b) 7-Zip is a better product as well as being open-source (c) 7-Zip doesn't run a useless "WinZip Quick Pick" in the system tray.
posted by flabdablet at 7:53 PM on May 3, 2010


Done and done. Thanks for all your help!
posted by Praxis at 5:59 PM on May 5, 2010


You're welcome.

If you feel like doing me a favor in return: bookmark this thread, and add a posting every month or so until it dies, that says whether or not your system is doing anything spontaneously weird. Odd processes starting up? Pop-Ups? Higher than expected Internet bandwidth consumption? Bank accounts hijacked?

What I'm interested in finding out is whether you now have more, less or about the same confidence in your system's safety as you did before you noticed this infection. I'm interested in finding out whether the "Nuke and pave! Nuke and pave!" crowd are promoting a method that doesn't actually help much (I already know that it often costs a great deal of time and occasionally causes irreparable data loss) and I'd like to use your experience as one more data point.
posted by flabdablet at 9:40 PM on May 5, 2010


« Older Help me find a lamp that will ...   |  Please recommend bands you fin... Newer »
This thread is closed to new comments.