
Windows/System32/uacinit.dll Infection


  • This topic is locked
5 replies to this topic

#1 theloniousmonk

theloniousmonk

  • Members
  • 3 posts

Posted 09 July 2009 - 07:38 PM

Dear helper,

I have recently been attempting to recover from a serious malware infection, and I seem to have controlled it with MBAM and Ad-Aware, but there is still a uacinit.dll Trojan that I have not been able to remove. I have followed other advice on this site and used SUPERAntiSpyware and ATF Cleaner in Safe Mode, to no avail: it requires a restart to eliminate, and it is there after every restart. I have attempted to use ComboFix, but it never runs when I try to use it; instead I get a message saying it is infected with the Vundo (I think) virus and cannot open. Also, I have had to rename most of my anti-spyware applications to get them to run, since otherwise they do not.

I thank anyone who can help me in advance.

Here is my DDS log (and my Malwarebytes log follows it):


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Owner at 17:24:01.51 on Thu 07/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.244 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
svchost
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe C:\WINDOWS\TEMP\VRT4.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.gophersearch.com/
uSearch Bar = hxxp://www.gophersearch.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Page =
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gophersearch.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: 1 (0x1) - No File
BHO: {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [<NO NAME>] c:\windows\temp\fykl6rok.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - hxxp://download.movienetworks.com/install/US/altpmtscab.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D7A7442D-85A9-475F-82F9-65ED4110B4C5} - hxxp://gpstool.globaladserver.com/v30/gpstool.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: ThreadingModel - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\2v1f7cx0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo

============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
RUnknown jkcbft;jkcbft; [x]
S1 sysdrv;sysdrv;\??\c:\program files\sys\sys.sys --> c:\program files\sys\sys.sys [?]
S2 glykh;Manager Support;c:\windows\system32\svchost.exe -k netsvcs [2006-10-13 34304]
S2 kvbcyuypajxmdy;kvbcyuypajxmdy;c:\windows\system32\drivers\wrqbasfsioi.sys [2009-7-5 70656]
S2 sys;sys;c:\windows\system32\svchost.exe -k sys [2006-10-13 34304]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-09 17:23 0 a------- c:\windows\system32\8.tmp
2009-07-09 17:23 4,096 a------- c:\windows\system32\7.tmp
2009-07-09 17:23 1 a------- c:\windows\system32\6.tmp
2009-07-09 17:22 84 a------- c:\windows\system32\5.tmp
2009-07-09 11:45 17,408 a------- c:\windows\system32\perfc5932.dat
2009-07-09 11:45 1 a------- c:\windows\system32\perfc7683.dat
2009-07-08 23:11 77,312 a------- c:\windows\system32\2D.tmp
2009-07-08 23:11 1 a------- c:\windows\system32\2C.tmp
2009-07-08 23:11 84 a------- c:\windows\system32\2B.tmp
2009-07-08 22:59 <DIR> --d----- c:\program files\Atari
2009-07-08 22:38 77,312 a------- c:\windows\system32\28.tmp
2009-07-08 22:38 1 a------- c:\windows\system32\27.tmp
2009-07-08 22:38 84 a------- c:\windows\system32\26.tmp
2009-07-08 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-08 18:44 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-08 18:44 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2009-07-08 18:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-08 18:20 <DIR> --d----- c:\program files\Trend Micro
2009-07-08 12:45 61,440 a------- c:\windows\system32\drivers\cgcyv.sys
2009-07-08 08:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 08:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 08:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 22:06 251,850 a------- C:\AnalysisLog.sr0
2009-07-07 18:52 120 a------- c:\windows\system32\32.tmp
2009-07-06 23:21 <DIR> --d----- c:\windows\LastGood.Tmp
2009-07-06 23:04 <DIR> --d----- c:\program files\SEGA
2009-07-06 11:25 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-07-06 11:13 <DIR> --d----- c:\program files\CCleaner
2009-07-06 09:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 20:04 <DIR> --d----- c:\program files\msn gaming zone
2009-07-05 19:54 257,536 a------- c:\windows\system32\resdll.dll
2009-07-05 18:51 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-05 18:40 96,332 a------- c:\windows\system32\drivers\8ce91c6a.sys
2009-07-05 18:27 70,656 a------- c:\windows\system32\drivers\wrqbasfsioi.sys
2009-07-05 17:48 1 a------- c:\windows\934fdfg34fgjf23
2009-07-05 17:48 2 a------- c:\windows\0101120101464849.dat
2009-07-01 05:19 2 a------- c:\windows\010112010146118114.dat
2009-07-01 05:18 242,688 -------- c:\windows\ld11.exe
2009-06-30 12:50 <DIR> --d----- c:\program files\Eidos Interactive
2009-06-30 02:08 <DIR> --d----- c:\windows\system32\CatRoot_bak

==================== Find3M ====================

2009-07-08 18:44 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-08 18:44 360,320 a------- c:\windows\system32\dllcache\TCPIP.SYS
2009-07-07 21:36 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-07 18:55 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 02:05 90,624 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 33,792 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 22:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 08:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:26 583,168 a------- c:\windows\system32\dllcache\rpcrt4.dll
2006-10-26 12:40 324 ac------ c:\docume~1\hp_owner\applic~1\wklnhst.dat
2009-03-21 07:18 162,516 a--shr-- c:\windows\system32\enznt.dll

============= FINISH: 17:24:29.43 ===============

and my Malwarebytes log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/9/2009 5:14:01 PM
mbam-log-2009-07-09 (17-14-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162269
Time elapsed: 25 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Delete on reboot.


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 03:21 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

(screenshots omitted)


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 theloniousmonk

theloniousmonk
  • Topic Starter

  • Members
  • 3 posts

Posted 10 July 2009 - 08:30 AM

I followed your instructions on how to download ComboFix as Combo-Fix, but when I attempted to start it I received this message:

Error

!! ALERT !! It is NOT SAFE to continue !

The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'



I attempted to download it again from that site, using the same instructions, but again it failed to run. My firewall tells me that it is off, and I don't have any anti-virus software running that I can see in my processes or on my taskbar...

I am also now receiving an error message whenever I run an MBAM scan and quarantine the files. It has a countdown clock to restart and reads, under the Error Message portion:

Windows must now restart because the DCOM Server Process Launcher service terminated unsuccessfully.

Edited by theloniousmonk, 10 July 2009 - 08:43 AM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 09:00 AM

Erm.. I've got lots of Virut victims lately and it's not fun :thumbup2:

A quote from an expert (sUBs)

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.


Full reformat means format on ALL partitions..


--------------------------------

I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files...

Make sure you back up everything ONLY via CD or DVD (non-rewritable).. If you need to back up to an external hard drive or thumbdrive, make sure it is EMPTY.. Meaning NO FILE inside it.. Format the external drive first before attaching it to the infected computer.. A single .exe file inside the external drive may infect other computers as well.


-------------------------------

I will leave this topic open until you successfully reformat the computer..

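The backup policy in the reply above, as an added example (not code from the thread, from BleepingComputer or from the posters): it applies the posted extension deny-list to every suffix of a name, case-insensitively, and refuses to plan a copy at all unless the destination drive is empty. All paths and function names are constructed for illustration.

```python
"""Added example: the backup-selection policy from the reply above.
Not code from the thread or from BleepingComputer; paths are constructed."""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Extensions the reply says must NOT be copied off a file-infected machine.
BLOCKED_EXTENSIONS = frozenset({
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
    ".pif", ".asp", ".php", ".iso",
})


def is_backup_safe(path: str) -> bool:
    """True if the file may be backed up under the thread's policy.

    Every suffix is checked, not just the last one, so 'invoice.doc.exe'
    and 'setup.exe.zip' are both rejected; comparison is case-insensitive
    because Windows names are ('GAME.EXE'). PureWindowsPath parses
    backslash paths correctly even when this runs on a non-Windows box."""
    suffixes = {s.lower() for s in PureWindowsPath(path).suffixes}
    return not (suffixes & BLOCKED_EXTENSIONS)


def partition_for_backup(paths: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split candidates into (allowed, excluded) according to is_backup_safe."""
    allowed: List[str] = []
    excluded: List[str] = []
    for p in paths:
        (allowed if is_backup_safe(p) else excluded).append(p)
    return allowed, excluded


def plan_backup(candidates: Iterable[str],
                destination_listing: Iterable[str]) -> Dict[str, object]:
    """Apply both rules from the reply: the external drive must be EMPTY
    before it touches the infected machine, and only non-executable
    documents may be copied. Returns a plan rather than copying anything."""
    leftovers = list(destination_listing)
    if leftovers:
        return {"ok": False,
                "reason": "destination is not empty: " + ", ".join(leftovers),
                "allowed": [], "excluded": []}
    allowed, excluded = partition_for_backup(candidates)
    return {"ok": True, "reason": "", "allowed": allowed, "excluded": excluded}


if __name__ == "__main__":
    # Constructed sample of an XP user profile; none of these files exist.
    sample = [
        r"C:\Documents and Settings\HP_Owner\My Documents\letter.doc",
        r"C:\Documents and Settings\HP_Owner\My Pictures\holiday.jpg",
        r"C:\Documents and Settings\HP_Owner\My Documents\invoice.doc.exe",
        r"C:\Documents and Settings\HP_Owner\Desktop\GAME.EXE",
    ]
    plan = plan_backup(sample, destination_listing=[])
    for name in plan["allowed"]:
        print("copy ", name)
    for name in plan["excluded"]:
        print("SKIP ", name)
```

For a live run, feed `plan_backup` the output of `os.walk` over the profile folder and a listing of the freshly formatted external drive; the plan then tells you which files are eligible before anything is copied.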


#5 theloniousmonk

theloniousmonk
  • Topic Starter

  • Members
  • 3 posts

Posted 10 July 2009 - 09:07 AM

Well, I tried reformatting at first when these problems started occurring, but I could not get my boot disk to load, so it's between getting a new version of Windows or getting a new computer.

Thank you for your help.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 10:39 AM

You are very welcome.. I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512


