I Have a really bad infection - trojan uacinit.dll - Can anyone help?, Moderator Jat90 was helping another member with a similar if not same
Tequilla Sunrise
post Jul 4 2009, 12:01 PM
Post #1
I'm just about ready to introduce my computer to my hammer & smash every single circuit inside it! I've been trying to locate & remove/clean & fix for 3 weeks now & it just seems to get worse & worse. I just recently joined this forum although I've been here many times in the past - mainly to read & learn (as my computer knowledge is self taught). I didn't want to post a "help" in another thread (it's probably not allowed) so I'm starting a new one.

I noticed that Jat90 - helper was helping "djseanpc" with almost the same problem I am having, with the difference that I've run IObit 360 as well as almost every function of Advanced SystemCare. I also use CCleaner (I've found this file to be very helpful in the past) - it finds a lot of "dust" so to speak. Anyway I was following along with Jat90's instructions for djseanpc until the thread ended.

My scans have verified that I have uacinit.dll - trojan (there were more but I quarantined them & they seem to have disappeared). I've restarted my computer after every scan & finding - in hopes that the antivirus did its job, to no avail - this is one "Tough" bug! My computer, if it starts up - sometimes takes me cold booting 3 or 4 times - gives me that blue screen of death. Most of the time the error message is:

The driver is attempting to access memory beyond the end of the allocation.

--- However last night I received this one: IRQL_NOT_LESS_OR_EQUAL ** only the once though.
The only way I can "get into" my computer is through the various safe modes - I'm currently using safe mode with networking. I really don't want to reformat as I have absolutely no CDs with this computer - I bought it at a yard sale last summer. It's a cheap Lenovo 3000 J Series - came with Vista - but I downgraded (to keep my family happy) to Windows XP Home Edition - bought the CD from one of those 2nd hand thrift stores - the drive won't read it anymore. Also when it did, it contained Windows XP - the registration key & drivers and stuff for a Dell Inspiron. I did the downgrade last Aug. /08 - everything worked up until the last 3 weeks.

I ran this "RootRepeal" tool as per Jat90's instructions for djseanpc and here's the results from that scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/04 08:56
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6AA7000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACfrkdlitpstvymnboy.sys
Image Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Address: 0xF736F000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\wuapi(2).dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACiioyobjcttdmoldvi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjlipyisbyxcbpyetl.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmjapqeqeegreveyik.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnitbakxisoreqvabn.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACsmpjfjptwhdrdtbsw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxjblfcdlxlcxjaofe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACykypawyltuhapdgxv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9ad8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa5d5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa7a9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa8d2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa95f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa9fb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Temp\UACbcfb.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\joey\local settings\temp\~df1634.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\joey\local settings\temp\~dffd6c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Joey\Local Settings\Temporary Internet Files\Content.IE5\ZXVA5GEC\UAC_Telus[1].gif
Status: Invisible to the Windows API!

Path: c:\documents and settings\joey\local settings\application data\mozilla\firefox\profiles\2elsk4rq.default\cache\_cache_002_
Status: Size mismatch (API: 2768014, Raw: 2763918)

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\Messenger\bobo-139@hotmail.com\SharingMetadata\flanagan_25@hotmail.com\DFSR\Staging\CS{23F11F13-087F-098D-5799-30753509E8E5}\01\10-{23F11F13-087F-098D-5799-30753509E8E5}-v1-{EF528CC3-E11D-4662-B6E7-A438E1DC5942}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\Messenger\kooljustindude@hotmail.com\SharingMetadata\bobbymcconnell66@msn.com\DFSR\Staging\CS{C8369811-54C7-5DC3-134B-1BD6D2723361}\01\10-{C8369811-54C7-5DC3-134B-1BD6D2723361}-v1-{147D6044-BC2D-4ED4-B4C0-9782C6CE3E73}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\CD Burning\New Folder\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.resx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\CD Burning\New Folder\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.resx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACykypawyltuhapdgxv.dll]
Process: svchost.exe (PID: 1156) Address: 0x01010000 Size: 196608

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: svchost.exe (PID: 1156) Address: 0x01320000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: svchost.exe (PID: 1156) Address: 0x013c0000 Size: 49152

Object: Hidden Module [Name: UACa7a9.tmpobjcttdmoldvi.dll]
Process: svchost.exe (PID: 1156) Address: 0x10000000 Size: 73728

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: Explorer.EXE (PID: 1184) Address: 0x00cd0000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: Explorer.EXE (PID: 1184) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: ctfmon.exe (PID: 1596) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: ctfmon.exe (PID: 1596) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: vzlogin.exe (PID: 1868) Address: 0x00dc0000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: vzlogin.exe (PID: 1868) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: IObit Security 360.exe (PID: 1940) Address: 0x010d0000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: IObit Security 360.exe (PID: 1940) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: IS360tray.exe (PID: 1980) Address: 0x00e60000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: IS360tray.exe (PID: 1980) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: AWC.exe (PID: 212) Address: 0x01210000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: AWC.exe (PID: 212) Address: 0x01370000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: firefox.exe (PID: 1224) Address: 0x00b90000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: firefox.exe (PID: 1224) Address: 0x00c40000 Size: 49152

Object: Hidden Module [Name: UACykypawyltuhapdgxv.dll]
Process: firefox.exe (PID: 1224) Address: 0x10000000 Size: 196608

Hidden Services
-------------------
Service Name: hjgruiuiyqbpjx
Image Path: C:\WINDOWS\system32\drivers\hjgruijcbrqpfx.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys

==EOF==

Are you able to help - or at least point me in the right direction? I really do appreciate any & all time & assistance with this. This is the only computer I have and if it goes ... well hopefully we can work together & get it fixed.

In the meantime I'm going to do some research on this trojan & keep the forum files open.
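The RootRepeal report above is the raw evidence in this thread: each entry records where the kernel-level view of the disk or of a process disagrees with what the Windows API reports. The script below is an added example (not from the thread, and not RootRepeal's own code) that parses that report layout and separates entries that are genuinely hidden from the Windows API from size mismatches that usually need only a second look; the embedded log is a constructed excerpt built from entries in the post above.

```python
import re
# Constructed sample in RootRepeal's report layout, using entries from the log above
SAMPLE_LOG = r"""Drivers
-------------------
Name: UACfrkdlitpstvymnboy.sys
Image Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: c:\documents and settings\joey\local settings\temp\~df1634.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: svchost.exe (PID: 1156) Address: 0x013c0000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
==EOF=="""

def parse_sections(text):
    """Map each section header (the line above a dashed rule) to its 'Key: value' entries."""
    sections = {}
    for chunk in re.split(r"\n(?=[^\n:]+\n-{5,}\n)", text):
        lines = chunk.strip().splitlines()
        if len(lines) < 2 or not lines[1].startswith("-----"):
            continue  # banner text before the first section
        entries = [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
                   for block in "\n".join(lines[2:]).split("\n\n")]
        sections[lines[0]] = [e for e in entries if e]
    return sections

def triage(text):
    """Separate what the kernel view says is hidden from what merely needs a second look."""
    s = parse_sections(text)
    def hidden(e): return re.search(r"hidden|invisible", e.get("Status", ""), re.I)
    report = {
        "hidden_drivers": [e["Image Path"] for e in s.get("Drivers", []) if hidden(e)],
        "hidden_files": [e["Path"] for e in s.get("Hidden/Locked Files", []) if hidden(e)],
        # size mismatches are often just open temp files: review them, do not wipe them
        "size_mismatches": [e["Path"] for e in s.get("Hidden/Locked Files", [])
                            if "mismatch" in e.get("Status", "").lower()],
        "hidden_services": {e["Service Name"]: e["Image Path"] for e in s.get("Hidden Services", [])},
        # (hidden module, host process) pairs: the rootkit's user-mode component
        "injected": [(re.search(r"\[Name: (.+?)\]", e["Object"]).group(1), e["Process"].split(" (PID")[0])
                     for e in s.get("Stealth Objects", []) if "[Name: " in e.get("Object", "")],
    }
    # a hidden service whose image is also a hidden driver is the rootkit's core file
    report["core_files"] = [p for p in report["hidden_services"].values() if p in report["hidden_drivers"]]
    return report
```

Run against the full log from the post, `core_files` points at the same driver the helper singles out in the next reply, and `injected` shows how many user-mode processes the hidden modules had been loaded into.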
DaChew
post Jul 4 2009, 12:24 PM
Post #2
The simplest approach is to run RootRepeal in File mode; you have to highlight the core rootkit file, right-click and then choose Wipe File. Immediately reboot and scan with an updated MBAM.

QUOTE
Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Status: Invisible to the Windows API!



Here's the general guide

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/topic114351.html

This post has been edited by DaChew: Jul 4 2009, 12:26 PM


--------------------
Chewy
Tequilla Sunrise
post Jul 4 2009, 12:43 PM
Post #3
Thank you for your time & assistance Chewy! - Going to follow your step by step directions now. Keeping fingers, toes & eyes crossed here.
Tequilla Sunrise
post Jul 4 2009, 02:33 PM
Post #4
Thank you So Very Much Chewy! It's GONE!! Yaaa! You are the Best!

I did the MBAM scan twice - as a precaution & just to make absolutely sure there were no traces left. My computer now boots up just like it did before the viral attack - still a little on the slow side - but to be expected from a computer I bought at a yard sale - which hasn't had a memory upgrade yet LOL. Been waiting to be able to afford a Laptop. Anyway I followed your directions - learned a lot (Thank You Again!) - rebooted 3 times (1st to remove, 2nd after the 1st MBAM scan & 3rd after the 2nd MBAM scan). Here are the results from both the 1st & 2nd MBAM scan:

1st:
Malwarebytes' Anti-Malware 1.38
Database version: 2374
Windows 5.1.2600 Service Pack 3

7/4/2009 11:21:37 AM
mbam-log-2009-07-04 (11-21-37).txt

Scan type: Quick Scan
Objects scanned: 94263
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACiioyobjcttdmoldvi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmjapqeqeegreveyik.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACykypawyltuhapdgxv.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxmlm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hjgruinrwopxet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\hjgruijcbrqpfx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

2nd:
Malwarebytes' Anti-Malware 1.38
Database version: 2374
Windows 5.1.2600 Service Pack 3

7/4/2009 11:42:24 AM
mbam-log-2009-07-04 (11-42-24).txt

Scan type: Quick Scan
Objects scanned: 94167
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
****************************************************
Once Again Chewy - You Da Best. Thanks Again!

- Tequilla Sunrise,
now off to learn more!