WinPC Fake AntiVirus and uacinit.dll

My dad is fairly computer literate, won’t click on unknown email attachments, popups, etc. So when he called me at 7:15 in the morning to ask for help, I knew I was in for a doozy.

When I checked his computer (Windows XP), I noticed the following symptoms:

  • Computer would freeze after boot up
  • Windows Genuine Advantage tray (wgatray.exe) would crash after bootup
  • AVG crashed after bootup
  • Windows Defender crashed after bootup.
  • SuperAntiSpyware would crash when trying to launch
  • Malwarebytes would not launch
  • When trying to launch IE (Firefox would not launch at all), a popup would show up, indicating the PC was infected and that we would have to buy WinPC to fix the problem

He definitely picked up something. And this trojan/virus had disabled all security programs and prevented us from going to any security website.

Well, I had two options, neither of which was quick and dirty [both options required an XP installation CD]. My best bet would’ve been to back up his important files, wipe out the computer, and reinstall the OS. The second option, which I chose, involved booting the PC using a BART PE CD. I chose the second option because reinstalling the OS, along with the countless applications and drivers, would’ve been slightly easier but enormously time consuming – it was Memorial Day weekend and I didn’t want to stay indoors forever.

How to remove WinPC and uacinit.dll

1. From another, clean computer, get yourself a recent copy of Malwarebytes, SuperAntiSpyware, updated definitions, Avira Antivirus PE, CCleaner, and Windows Service Pack 3 (see links below). Save them to a USB drive or burn them to a CD/DVD.

2. If you don’t have one already, make yourself a BART PE CD or any other Windows Preinstalled Environment CD. You need this to see the UAC files that need to be deleted: the rootkit hides them from the running Windows installation, so they don’t show up in Normal or Safe Mode. Booting from the CD means the rootkit’s driver is never loaded.

3. Boot your computer using the BART PE CD. Search for and delete all files on your hard drive that begin with the letters UAC (search for UAC*.*). Most of the files are located in the C:\Windows\system32 directory. You may find some in the C:\Windows\system32\drivers directory. Look over the hits before you delete them; the search matches on file name only.

4. Search for and delete files called asd.bat.

5. At this point, you should be able to install and run the real antispyware programs. Restart the computer into Normal Mode. Install and run CCleaner to remove cookies and temporary files. Turn off System Restore, so that restore points containing the infected files are discarded rather than restored later. Install Malwarebytes and SuperAntiSpyware, along with their updated definitions.

6. Restart the computer into Safe Mode. Scan and clean using Malwarebytes.

7. Restart the computer into Safe Mode, delete anything quarantined by Malwarebytes. Scan and clean using SuperAntiSpyware.

8. Restart the computer into Safe Mode. Delete anything quarantined by SuperAntiSpyware.

9. Restart the computer into Normal Mode, scan and clean again using Malwarebytes.

10. Restart the computer into Normal Mode, scan and clean again using SuperAntiSpyware.

11. By this point it should be clean; however, repeat steps 6 through 10 if the reports still come back with infections.

12. Install Service Pack 3 to repair any corrupted security files or registry settings.

13. Install and update Avira Antivirus PE. Scan and clean.

14. Update Flash and Java (because you probably got the trojan through security holes present in previous versions of Flash or Java). Install your Windows Updates (patches).

That’s it!  Easy, right? Like I said, you are probably better off just starting from scratch.
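Steps 3 and 4 as a batch file for the BART PE command prompt. This is an added example, not code from the original post: it first lists every UAC*.* and asd.bat hit on the infected volume (including hidden and system files) and saves the list, and only when re-run with /delete does it copy each file to an evidence folder and then remove it. The drive letters are assumptions: the infected Windows volume is C: and a writable evidence folder on removable media is E:\evidence.

```batch
@echo off
rem Added example, not from the original post: enumerate-then-quarantine
rem helper for steps 3 and 4, run from the BART PE command prompt, where the
rem rootkit's driver is not loaded and so cannot hide its files.
rem Assumptions (mine, not the post's): the infected Windows volume is mounted
rem as C: and a writable evidence folder exists on removable media at E:\evidence.
setlocal
set "TARGET=C:\"
set "EVIDENCE=E:\evidence"
set "LIST=%EVIDENCE%\hits.txt"

if not exist "%EVIDENCE%" mkdir "%EVIDENCE%"

rem Pass 1: list every match on the whole volume, including hidden and system
rem files (/a), and keep the list as evidence. dir /s recurses from the root,
rem so it covers system32 and system32\drivers as well as anywhere else.
dir /s /b /a "%TARGET%UAC*.*" > "%LIST%" 2>nul
dir /s /b /a "%TARGET%asd.bat" >> "%LIST%" 2>nul

echo Matches found on %TARGET%:
for /f "usebackq delims=" %%F in ("%LIST%") do echo   %%F

rem Nothing is deleted unless asked for: the match is by file name only,
rem so read the list before the second pass.
if /i not "%~1"=="/delete" (
    echo Review the list above, then re-run with /delete to quarantine and remove.
    goto :eof
)

rem Pass 2: copy each file to the evidence folder (flattened name with a .bin
rem suffix so nothing runs it by accident), strip the read-only/system/hidden
rem attributes that would block deletion, then delete it.
for /f "usebackq delims=" %%F in ("%LIST%") do (
    echo Quarantining %%F
    copy /y "%%F" "%EVIDENCE%\%%~nxF.bin" >nul
    attrib -r -s -h "%%F"
    del /f /q "%%F"
)
endlocal
```

Save it on the USB stick as hunt-uac.cmd, run it once with no arguments from the BART PE prompt, read hits.txt, then run it again with /delete. Keep the .bin copies: they can be hashed or scanned later on a clean machine (never executed). Two hits with the same file name in different folders would overwrite each other in the evidence folder, so check hits.txt for duplicates before the second pass.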

Conficker Eye Chart

Worried you might have the Conficker virus? Here’s a quick and dirty way to check:

Conficker Eye Chart