Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

uacinit.dll: Please help remove malicous malware!


  • This topic is locked This topic is locked
4 replies to this topic

#1 perfectpawn909

perfectpawn909

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:38 PM

Posted 06 June 2009 - 11:41 PM

Hello,

Jacoblloyd and Garmanma have been helping me with this malware problem, over in this thread:

http://www.bleepingcomputer.com/forums/t/231593/malware-virus-cant-open-or-run-programs/

Garmanma has discerned that I have a really bad malware, and his two suggestions are either removing it via Hijack This, or just resetting the PC. I'd like to remove it, so again following his advice, I've followed the DDS run and here is my info.

I've attached the ATTACH.txt, and pasted the DDS.txt below.

Any help is greatly appreciated.

Here is the DDS.txt document:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Joe at 23:31:06.93 on Sat 06/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.333 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?complete=0&hl=en
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\GetFlash.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-4-29 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-4-29 102463]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2006-4-29 17456]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2006-4-29 670128]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2006-4-29 2041904]
S3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-4-29 108480]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2006-4-29 14924]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-06-05 22:10 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-05 22:09 --d----- c:\program files\SUPERAntiSpyware
2009-06-05 22:09 --d----- c:\docume~1\joe\applic~1\SUPERAntiSpyware.com
2009-06-05 22:08 --d----- c:\program files\common files\Wise Installation Wizard
2009-06-05 22:07 --d----- c:\program files\Windows Installer Clean Up
2009-06-05 22:07 --d----- c:\program files\MSECACHE
2009-06-04 22:46 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-04 22:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-04 22:46 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 23:32 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-03 23:31 --d----- c:\documents and settings\joe\.housecall6.6
2009-05-25 20:02 1,720,086 a------- c:\windows\system32\TmpA2069984
2009-05-23 02:38 225,280 a------- c:\windows\system32\rewire.dll
2009-05-23 02:38 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-05-23 02:35 --d----- c:\program files\Image-Line
2009-05-23 02:35 1,777,664 a------- c:\windows\system32\gdiplus.dll
2009-05-23 01:07 --d----- C:\ConverterOutput
2009-05-23 01:06 --d----- c:\program files\Cucusoft

==================== Find3M ====================

2009-03-29 20:46 249,856 a------- c:\windows\system32\pdfmona.dll
2009-03-29 20:46 51,716 a------- c:\windows\system32\pdf995mon.dll
2007-11-08 20:35 246 a------- c:\program files\common files\rybiv
2007-02-10 00:56 491,768 a------- c:\program files\ie6setup.exe
2009-02-03 14:37 152 ---shr-- c:\windows\system32\987C99206F.sys
2009-02-03 14:37 7,518 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:32:16.95 ===============


I have attached the ATTACH.txt as well.

Thanks everyone for your help!

Attached Files



BC AdBot (Login to Remove)

 


#2 perfectpawn909

perfectpawn909
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:38 PM

Posted 07 June 2009 - 01:00 PM

Also, just did a google search on this issue, and found this forum posting:

http://forums.whatthetech.com/Can_t_Remove...ll_t103575.html

Would anyone recommend I just follow this? Looks like this poster suffered from the same problem -- uacinit.dll was the only malware left in her pc, and Malware Anti Bytes et al wouldn't remove it.

Thanks!

===========

Hello

No, DO NOT follow disinfection procedures provided for someone else. That would be akin to having someone perform a surgery on you that was prescribed for someone else. Every computer is unique in its mix of software and every batch of malware is unique in its mix. Following disinfection procedures for one computer on another could result in an inoperable computer. I've seen that happen.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 07 June 2009 - 02:10 PM.


#3 perfectpawn909

perfectpawn909
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:38 PM

Posted 07 June 2009 - 03:32 PM

Oh, I totally understand -- and I'm not hurrying anyone. I just did some quick research and thought it might be worth a shot. But I will wait, and thanks again to everyone for helping!

#4 perfectpawn909

perfectpawn909
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:38 PM

Posted 11 June 2009 - 09:43 AM

Hello, could a moderator please close this thread? I'm trying to, but I seem to be unable. I'm getting assistance on this malware issue from the fantastically-helpful oldman960 over on http://forums.whatthetech.com/uacinit_dll_...010#entry567010.

Thanks!

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:38 PM

Posted 17 June 2009 - 09:22 AM

Thank you for letting us know. Good luck getting your computer issues resolved.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users