
Malware on Windows 2003


  • This topic is locked
7 replies to this topic

#1 seanmc

Posted 20 May 2009 - 10:18 PM

Hi, hoping someone can help. I have read the stickies and cannot provide a dds.scr log. It does not appear to be supported on Windows 2003. I cannot run ComboFix either.

I have run Malwarebytes, Spybot, Norton Corporate and have managed to clean up a lot of the problems, but uacinit.dll comes back after each restart requested by Malwarebytes. Not sure what to do at this point. I can post a HijackThis log if it would help?

Any insight or next steps would be greatly appreciated. Windows 2003 seems to limit the number of tools I can utilize.

[edit] Dang, tried to change the topic to Trojan.Agent but I don't see an option to change the topic title.

Thanks.

Edited by seanmc, 20 May 2009 - 10:20 PM.




#2 seanmc


Posted 21 May 2009 - 08:12 AM

Here are the two items Malwarebytes keeps finding after restarts.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

I should also add that enabling my internet connection stops me from being able to run Malwarebytes and Spybot S&D.

Thanks again for your help.

#3 Silasjr


Posted 21 May 2009 - 10:02 AM

Click here to open the Kaspersky online scanner site. Click on SCAN NOW. When the Kaspersky online scanner Java applet has finished downloading, you will see a window similar to the one below.
[Image]
Read the requirements and limitations and press the Accept button. You may see a prompt similar to the one below.

[Image: Java security warning]

This is perfectly normal and safe and you can click on the Run button to continue.

Kaspersky online scanner will start downloading and installing the scanner and virus definitions.

Once the downloads have finished, click on Settings. Make sure the following is checked.

* Spyware, Adware, Dialers, and other potentially dangerous programs
* Archives
* Mail databases


Click on My Computer under Scan. Kaspersky online scanner will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

Good luck :thumbsup:

#4 garmanma


Posted 21 May 2009 - 07:20 PM

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


I am sorry to say that what you have is almost impossible to thoroughly clean.
Your best bet would be to reformat and reinstall.

I have 2 other options to try since you cannot post a DDS scan:


If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 seanmc


Posted 22 May 2009 - 07:19 AM

RSIT failed to run. With the exception when listing services and drivers:
Line-1: variable used without being declared

Kaspersky ran and only located items already listed in Norton's quarantine. It did not find the uacinit.dll.

What should I do next?

Thanks for your help.

Kaspersky Snip:
\0BA40000.VBN  Infected: Trojan-Downloader.Win32.Tiny.fy
\0BA40001.VBN  Infected: Trojan-Downloader.Win32.Tiny.fy
\0BA40002.VBN  Infected: Trojan-Downloader.Win32.Tiny.fy
\0BAC0000.VBN  Infected: Exploit.HTML.IESlice.d
\0BB80000.VBN  Infected: Trojan-Downloader.Win32.Tiny.fy
\0BB80001.VBN  Infected: Trojan-Downloader.Win32.Tiny.fy
\0BC00000.VBN  Infected: Trojan-Downloader.Win32.Tiny.fy
\11300001.VBN  Infected: Trojan-Downloader.Java.OpenConnection.aj
\11300001.VBN  Infected: Exploit.Java.ByteVerify
\11300003.VBN  Infected: Trojan-Downloader.Java.OpenConnection.aj
\11300003.VBN  Infected: Exploit.Java.ByteVerify
\11300005.VBN  Infected: Trojan-Downloader.Java.OpenConnection.aj
\11300005.VBN  Infected: Exploit.Java.ByteVerify
\11300007.VBN  Infected: Trojan-Downloader.Java.OpenStream.c
\11300007.VBN  Infected: Trojan.Java.ClassLoader.h
\11300007.VBN  Infected: Trojan.Java.ClassLoader.d
\11300009.VBN  Infected: Trojan-Downloader.Java.OpenStream.c
\11300009.VBN  Infected: Trojan.Java.ClassLoader.h
\11300009.VBN  Infected: Trojan.Java.ClassLoader.d
\1130000B.VBN  Infected: Trojan-Downloader.Java.OpenStream.c
\1130000B.VBN  Infected: Trojan.Java.ClassLoader.h
\1130000B.VBN  Infected: Trojan.Java.ClassLoader.d


#6 garmanma


Posted 22 May 2009 - 08:24 PM

If you cannot get DDS to work, please try this instead.

Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If Runscanner did not work, then I stand by my original statement.

I will see if one of our experts knowledgeable with servers can take a look at your problem.

Edited by garmanma, 22 May 2009 - 08:28 PM.

Mark

#7 seanmc


Posted 22 May 2009 - 11:03 PM

Thanks for your guidance. Any help is greatly appreciated. I have posted my log to my post here: http://www.bleepingcomputer.com/forums/t/228810/cant-get-rid-of-uacinitdll/

#8 Orange Blossom


Posted 23 May 2009 - 03:22 AM

Hello,

Now that you have posted your log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

