
I Have a really bad infection - trojan uacinit.dll - Can anyone help?


3 replies to this topic

#1 Tequilla Sunrise

  • Members
  • 36 posts
  • Gender:Female
  • Location:Earth 3rd Rock From the Sun

Posted 04 July 2009 - 12:01 PM

I'm just about ready to introduce my computer to my hammer & smash every single circuit inside it! I've been trying to locate, remove, clean & fix for 3 weeks now & it just seems to get worse & worse. I just recently joined this forum, although I've been here many times in the past - mainly to read & learn (as my computer knowledge is self-taught). I didn't want to post a "help" in another thread (it's probably not allowed), so I'm starting a new one.

I noticed that Jat90 (helper) was helping "djseanpc" with almost the same problem I am having, with the difference that I've run IObit 360 as well as almost every function of Advanced SystemCare. I also use CCleaner (I've found this program to be very helpful in the past) - it finds a lot of "dust", so to speak. Anyway, I was following along with Jat90's instructions for djseanpc until the thread ended.

My scans have verified that I have uacinit.dll - trojan (there were more, but I quarantined them & they seem to have disappeared). I've restarted my computer after every scan & finding, in hopes that the antivirus did its job, to no avail - this is one "tough" bug! My computer, if it starts up (sometimes it takes me cold booting 3 or 4 times), gives me that blue screen of death. Most of the time the error message is:

The driver is attempting to access memory beyond the end of the allocation.

--- However, last night I received this one: IRQL_NOT_LESS_OR_EQUAL ** only once, though.
The only way I can "get into" my computer is through the various safe modes - I'm currently using Safe Mode with Networking. I really don't want to reformat, as I have absolutely no CDs with this computer - I bought it at a yard sale last summer. It's a cheap Lenovo 3000 J Series - it came with Vista, but I downgraded (to keep my family happy) to Windows XP Home Edition - bought the CD from one of those 2nd-hand thrift stores - the drive won't read it anymore. Also, when it did, it contained Windows XP - the registration key & drivers and stuff for a Dell Inspiron. I did the downgrade last Aug. '08 - everything worked up until the last 3 weeks. :thumbsup:

I ran this "RootRepeal" tool as per Jat90's instructions for djseanpc and here's the results from that scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/04 08:56
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6AA7000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACfrkdlitpstvymnboy.sys
Image Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Address: 0xF736F000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\wuapi(2).dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACiioyobjcttdmoldvi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjlipyisbyxcbpyetl.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmjapqeqeegreveyik.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnitbakxisoreqvabn.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACsmpjfjptwhdrdtbsw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxjblfcdlxlcxjaofe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACykypawyltuhapdgxv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9ad8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa5d5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa7a9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa8d2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa95f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa9fb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Temp\UACbcfb.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\joey\local settings\temp\~df1634.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\joey\local settings\temp\~dffd6c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Joey\Local Settings\Temporary Internet Files\Content.IE5\ZXVA5GEC\UAC_Telus[1].gif
Status: Invisible to the Windows API!

Path: c:\documents and settings\joey\local settings\application data\mozilla\firefox\profiles\2elsk4rq.default\cache\_cache_002_
Status: Size mismatch (API: 2768014, Raw: 2763918)

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\Messenger\bobo-139@hotmail.com\SharingMetadata\flanagan_25@hotmail.com\DFSR\Staging\CS{23F11F13-087F-098D-5799-30753509E8E5}\01\10-{23F11F13-087F-098D-5799-30753509E8E5}-v1-{EF528CC3-E11D-4662-B6E7-A438E1DC5942}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\Messenger\kooljustindude@hotmail.com\SharingMetadata\bobbymcconnell66@msn.com\DFSR\Staging\CS{C8369811-54C7-5DC3-134B-1BD6D2723361}\01\10-{C8369811-54C7-5DC3-134B-1BD6D2723361}-v1-{147D6044-BC2D-4ED4-B4C0-9782C6CE3E73}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\CD Burning\New Folder\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.resx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Application Data\Microsoft\CD Burning\New Folder\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.resx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACykypawyltuhapdgxv.dll]
Process: svchost.exe (PID: 1156) Address: 0x01010000 Size: 196608

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: svchost.exe (PID: 1156) Address: 0x01320000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: svchost.exe (PID: 1156) Address: 0x013c0000 Size: 49152

Object: Hidden Module [Name: UACa7a9.tmpobjcttdmoldvi.dll]
Process: svchost.exe (PID: 1156) Address: 0x10000000 Size: 73728

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: Explorer.EXE (PID: 1184) Address: 0x00cd0000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: Explorer.EXE (PID: 1184) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: ctfmon.exe (PID: 1596) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: ctfmon.exe (PID: 1596) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: vzlogin.exe (PID: 1868) Address: 0x00dc0000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: vzlogin.exe (PID: 1868) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: IObit Security 360.exe (PID: 1940) Address: 0x010d0000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: IObit Security 360.exe (PID: 1940) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: IS360tray.exe (PID: 1980) Address: 0x00e60000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: IS360tray.exe (PID: 1980) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: AWC.exe (PID: 212) Address: 0x01210000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: AWC.exe (PID: 212) Address: 0x01370000 Size: 49152

Object: Hidden Module [Name: UACmjapqeqeegreveyik.dll]
Process: firefox.exe (PID: 1224) Address: 0x00b90000 Size: 45056

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: firefox.exe (PID: 1224) Address: 0x00c40000 Size: 49152

Object: Hidden Module [Name: UACykypawyltuhapdgxv.dll]
Process: firefox.exe (PID: 1224) Address: 0x10000000 Size: 196608

Hidden Services
-------------------
Service Name: hjgruiuiyqbpjx
Image Path: C:\WINDOWS\system32\drivers\hjgruijcbrqpfx.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys

==EOF==

Are you able to help - or at least point me in the right direction? I really do appreciate any & all time & assistance with this. This is the only computer I have, and if it goes ... well, hopefully we can work together & get it fixed.

In the meantime I'm going to do some research on this trojan & keep the forum files open.

Tequilla Sunrise

HS Tech Support HD Agent

 



#2 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 04 July 2009 - 12:24 PM

The simplest approach is to run RootRepeal in File mode: highlight the core rootkit file, right-click it and choose Wipe File. Immediately reboot and scan with an updated MBAM.

Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Status: Invisible to the Windows API!



Here's the general guide

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Edited by DaChew, 04 July 2009 - 12:26 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 Tequilla Sunrise
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Female
  • Location:Earth 3rd Rock From the Sun

Posted 04 July 2009 - 12:43 PM

Thank you for your time & assistance Chewy! - Going to follow your step by step directions now. Keeping fingers, toes & eyes crossed here.

Tequilla Sunrise

HS Tech Support HD Agent

 


#4 Tequilla Sunrise
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Female
  • Location:Earth 3rd Rock From the Sun

Posted 04 July 2009 - 02:33 PM

Thank you So Very Much Chewy! It's GONE!! Yaaa! :flowers: You are the Best! :trumpet:

I did the MBAM scan twice, as a precaution & just to make absolutely sure there were no traces left. My computer now boots up just like it did before the viral attack - still a little on the slow side, but to be expected from a computer I bought at a yard sale which hasn't had a memory upgrade yet LOL. Been waiting to be able to afford a laptop. Anyway, I followed your directions - learned a lot (Thank You Again! :huh: ) - rebooted 3 times (1st to remove, 2nd after the 1st MBAM scan & 3rd after the 2nd MBAM scan). Here are the results from both the 1st & 2nd MBAM scans:

1st -:
Malwarebytes' Anti-Malware 1.38
Database version: 2374
Windows 5.1.2600 Service Pack 3

7/4/2009 11:21:37 AM
mbam-log-2009-07-04 (11-21-37).txt

Scan type: Quick Scan
Objects scanned: 94263
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACiioyobjcttdmoldvi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmjapqeqeegreveyik.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACykypawyltuhapdgxv.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxmlm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hjgruinrwopxet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\hjgruijcbrqpfx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

2nd -:
Malwarebytes' Anti-Malware 1.38
Database version: 2374
Windows 5.1.2600 Service Pack 3

7/4/2009 11:42:24 AM
mbam-log-2009-07-04 (11-42-24).txt

Scan type: Quick Scan
Objects scanned: 94167
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
****************************************************
Once Again Chewy - You Da Best :inlove: :thumbsup: Thanks Again!

- Tequilla Sunrise,
now off to learn more!

Tequilla Sunrise

HS Tech Support HD Agent
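The RootRepeal report in post #1 and the MBAM logs in post #4 are the evidence this thread turns on, and reading them against each other is the check a responder would do before calling the box clean. The Python below is an added example, not code from the thread, from RootRepeal or from Malwarebytes. It parses RootRepeal's section/entry layout, keeps every path the tool marked "Invisible to the Windows API" (a file present in the raw disk view but filtered from the Win32 view is the cross-view gap a kernel-mode rootkit produces) plus the image paths of hidden services, classifies the names against patterns inferred only from the file names posted in this thread, lists which processes carried the hidden modules, and reports which hidden paths appear nowhere in MBAM's removal log. The log excerpts embedded in the block are constructed from the thread's own logs and trimmed; the name patterns are heuristics from this thread, not a published signature.

```python
"""Triage a RootRepeal report against an MBAM log (TDSS 'UAC' rootkit). Added example,
not code from the post, RootRepeal or Malwarebytes; excerpts constructed, patterns heuristic."""
import re
# Constructed excerpt of the RootRepeal report in post #1 (trimmed).
ROOTREPEAL_LOG = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjlipyisbyxcbpyetl.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxjblfcdlxlcxjaofe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Joey\Local Settings\Temporary Internet Files\Content.IE5\ZXVA5GEC\UAC_Telus[1].gif
Status: Invisible to the Windows API!

Stealth Objects
Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: svchost.exe (PID: 1156) Address: 0x013c0000 Size: 49152

Object: Hidden Module [Name: UACxjblfcdlxlcxjaofe.dll]
Process: Explorer.EXE (PID: 1184) Address: 0x00cd0000 Size: 49152

Hidden Services
Service Name: hjgruiuiyqbpjx
Image Path: C:\WINDOWS\system32\drivers\hjgruijcbrqpfx.sys"""
# Constructed excerpt of the first MBAM log in post #4 (its "Files Infected:" list).
MBAM_LOG = r"""Files Infected:
c:\WINDOWS\system32\UACiioyobjcttdmoldvi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\hjgruijcbrqpfx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACfrkdlitpstvymnboy.sys (Trojan.Agent) -> Quarantined and deleted successfully."""
TDSS_NAME_RES = (  # heuristic, inferred from the names posted in this thread only
    re.compile(r"^UAC[a-z]{12,20}\.(?:dll|sys|dat|db)$"),  # UACfrkdlitpstvymnboy.sys
    re.compile(r"^UAC[0-9a-f]{4}\.tmp$"),                  # UACa7a9.tmp dropped in Temp
    re.compile(r"^uac(?:init\.dll|tmp\.db)$"),             # uacinit.dll, uactmp.db
    re.compile(r"^hjgrui[a-z]{6,10}\.(?:dll|sys)$"),       # hjgruijcbrqpfx.sys
)
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^()]+)\) -> .+$")

def parse_rootrepeal(text):
    """{section: [{key: value}, ...]}: a blank line ends an entry, a line without ': ' opens a section."""
    sections, entry, current = {}, {}, None
    def flush():
        nonlocal entry
        if current is not None and entry:
            sections.setdefault(current, []).append(entry)
        entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):   # entry separator or ==EOF== banner
            flush()
        elif set(line) == {"-"}:               # dashed rule under a section header
            continue
        elif ": " in line:                     # 'Key: value' (value may itself contain ': ')
            key, value = line.split(": ", 1)
            entry[key] = value
        else:                                  # section header such as 'Hidden Services'
            flush()
            current = line
    flush()
    return sections

def looks_like_tdss(path): return any(r.match(path.rsplit("\\", 1)[-1]) for r in TDSS_NAME_RES)

def hidden_paths(sections):
    """Paths in the raw disk view but filtered from the Win32 API view, plus hidden service images."""
    found = {e["Path"] for e in sections.get("Hidden/Locked Files", [])
             if "Invisible" in e.get("Status", "")}
    return found | {e["Image Path"] for e in sections.get("Hidden Services", [])}

def injected_modules(sections):
    """{hidden module name: sorted names of the processes it was found in}."""
    out = {}
    for e in sections.get("Stealth Objects", []):
        m = re.match(r"Hidden Module \[Name: (.+?)\]", e.get("Object", ""))
        if m:
            out.setdefault(m.group(1), set()).add(e["Process"].split(" (PID")[0])
    return {k: sorted(v) for k, v in out.items()}

def parse_mbam_files(text):
    """{lower-cased path: detection name} for every file line in an MBAM log."""
    hits = (MBAM_FILE_RE.match(ln.strip()) for ln in text.splitlines())
    return {m["path"].lower(): m["det"] for m in hits if m}

def triage(rootrepeal_text, mbam_text):
    sections = parse_rootrepeal(rootrepeal_text)
    hidden, removed = hidden_paths(sections), parse_mbam_files(mbam_text)
    return {
        "hidden_tdss": sorted(p for p in hidden if looks_like_tdss(p)),
        "hidden_other": sorted(p for p in hidden if not looks_like_tdss(p)),
        "injected": injected_modules(sections),
        "unaccounted": sorted(p for p in hidden if p.lower() not in removed),
    }
```

Two things fall out of this cross-reference when it is run over the full logs above. First, several of the UAC-named items RootRepeal listed appear in neither MBAM log: UACjlipyisbyxcbpyetl.dat, UACnitbakxisoreqvabn.db, UACsmpjfjptwhdrdtbsw.dll, uactmp.db, UACxjblfcdlxlcxjaofe.dll (the module RootRepeal saw injected into eight processes) and the UAC*.tmp files under Temp; conversely MBAM removed two files RootRepeal did not list (msxmlm.dll and hjgruinrwopxet.dll), so neither tool's list is a superset of the other. With the driver wiped and the machine rebooted, those leftovers are no longer hidden, so a clean second quick scan is consistent with them being inert data files or simply absent from MBAM's signatures; checking by hand whether they still exist on disk is the cheap way to close that gap. Second, RootRepeal also reported UAC_Telus[1].gif in the Internet Explorer cache as invisible, which the name patterns deliberately do not match: a hider keyed on a name prefix also hides unrelated files that share the prefix, which is the likely reason a cached Telus image turns up in this list, so "invisible" alone is evidence of hiding, not of what the file is.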

 




