
uacinit.dll problems


12 replies to this topic

#1 Iron_Maiden87

  • Members
  • 7 posts

Posted 03 August 2009 - 05:53 PM

Hi there, earlier today I seemed to get a virus out of nowhere. On the Task Manager processes tab I was getting msa.exe and some other strange things that I hadn't seen before (AV Care fake antivirus).

Basically, as with other people I've read about, I can't get rid of uacinit.dll, which I guess is the root of the problem. I've got Malwarebytes working again by adding a different extension (read off some other site), got rid of a load of the viruses, and then rebooted to get rid of the uacinit.dll. This doesn't get rid of the bugger though, and it takes several attempts for me to get this far without crashing.

I've just run another MBytes quick scan and got rid of a load of crap again, except the uacinit.dll. This time I have not restarted the computer as asked. Here is the log file from the scan; any help would be greatly appreciated.



Malwarebytes' Anti-Malware 1.39
Database version: 2551
Windows 5.1.2600 Service Pack 3

03/08/2009 23:48:01
mbam-log-2009-08-03 (23-48-01).txt

Scan type: Quick Scan
Objects scanned: 93957
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Huw Davies\Local Settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\cxweasrmno.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\maccsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\ncaeomwsxr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\nmscoxarwe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\ptimuicxvp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\rasvsnet.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\huw davies\local settings\Temp\wnoxacmsre.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Huw Davies\Local Settings\Temp\alc23.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Edited by Iron_Maiden87, 03 August 2009 - 05:54 PM.



#2 Budapest

    Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 03 August 2009 - 05:56 PM

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [image missing] tab.
  • Click the Scan button.
  • Check the Files box.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Iron_Maiden87

  • Topic Starter
  • Members
  • 7 posts

Posted 03 August 2009 - 06:02 PM

I've downloaded it and unzipped it in a folder. When I try to open RootRepeal I get a message: Could not read the boot sector, try adjusting Disk Access Level in options.

After clicking OK about 4 times the program starts up and from what I can see works fine. I'm running the scan now; just wondered if that message might prove a problem.

#4 Budapest

    Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 03 August 2009 - 06:11 PM

It shouldn't be a problem. Post the log when the scan is finished.

#5 Iron_Maiden87

  • Topic Starter
  • Members
  • 7 posts

Posted 03 August 2009 - 06:19 PM

Ok, scan complete.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/04 00:03
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACgivdlmlqps.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjnbmyyuapr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACljoaoexyip.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpdvbvpyfio.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqdifndgwyk.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqvrdqppqsd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACsrtuerqowf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtbcpbvjccr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtnlmtyksli.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwwbymflxsm.dat
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_ejlbvd76fgpfzlw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC5762.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC60d8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8b91.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9c0c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACpjnbodtvbo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Huw Davies\Local Settings\Temp\UACbf34.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Huw Davies\Local Settings\Temp\UACe79.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\huw davies\local settings\application data\mozilla\firefox\profiles\rndkx6ht.default\cache\7e995336d01
Status: Size mismatch (API: 82416, Raw: 82800)

Path: c:\documents and settings\huw davies\local settings\application data\mozilla\firefox\profiles\rndkx6ht.default\cache\_cache_001_
Status: Size mismatch (API: 644956, Raw: 640505)

Path: c:\documents and settings\huw davies\local settings\application data\mozilla\firefox\profiles\rndkx6ht.default\cache\_cache_002_
Status: Size mismatch (API: 976114, Raw: 966958)

Path: C:\Documents and Settings\Huw Davies\Local Settings\Application Data\Mozilla\Firefox\Profiles\rndkx6ht.default\Cache\697CB610d01
Status: Visible to the Windows API, but not on disk.

==EOF==
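As an added illustration (not part of this thread, and not code from RootRepeal or Malwarebytes), here is a small Python triage script that parses the Hidden/Locked Files section of a RootRepeal log in the format shown above and ranks each entry, so that the hidden .sys file under system32\drivers stands out from the noise (a locked hiberfil.sys, size mismatches on browser-cache files that are being written). The sample log is constructed from a few of the paths in the post; the severity rules and the UAC* name pattern are this script's own heuristics, not verdicts from either tool.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abridged "Hidden/Locked Files" section in RootRepeal's
# log format, using a few of the paths reported in the post above.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/04 00:03
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACpjnbodtvbo.sys
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_ejlbvd76fgpfzlw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Huw Davies\Local Settings\Application Data\Mozilla\Firefox\Profiles\rndkx6ht.default\Cache\_cache_001_
Status: Size mismatch (API: 644956, Raw: 640505)

==EOF==
"""

# One RootRepeal entry: a "Path:" line immediately followed by a "Status:" line.
ENTRY = re.compile(r"^Path:\s*(?P<path>.+?)\s*\nStatus:\s*(?P<status>.+?)\s*$", re.M)

# Heuristic (this script's assumption, not a RootRepeal rule): the "UAC" prefix
# followed by random letters, as seen on every hidden file in this thread.
UAC_NAME = re.compile(r"^uac[a-z0-9]+\.(?:dll|sys|db|dat|tmp)$", re.I)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Finding:
    path: str
    status: str
    severity: str  # "high" > "medium" > "low" > "info"
    note: str


def parse_entries(text):
    """Return (path, status) pairs from the Hidden/Locked Files section."""
    section = text.split("Hidden/Locked Files", 1)[-1]
    return [(m.group("path"), m.group("status")) for m in ENTRY.finditer(section)]


def classify(path, status):
    """Map one entry to (severity, note). These are triage heuristics of this
    script; a 'low' entry still deserves a look if nothing explains it."""
    name = path.rsplit("\\", 1)[-1]
    if status == "Invisible to the Windows API!":
        if UAC_NAME.match(name):
            return "high", "hidden file with the UAC* naming of this thread's TDSS infection"
        return "high", "hidden from the Windows API; user-mode tools cannot see it"
    if status == "Locked to the Windows API!":
        if name.lower() == "hiberfil.sys":
            return "info", "hibernation file is normally locked (assumed benign)"
        return "medium", "locked file; identify what holds it open"
    if status.startswith(("Size mismatch", "Allocation size mismatch")):
        return "low", "API and raw sizes differ; usual for a file being written (e.g. browser cache)"
    if status.startswith("Visible to the Windows API, but not on disk"):
        return "low", "directory entry with no data found by the raw read; review"
    return "medium", "unrecognised status; review manually"


def triage(text):
    """Parse and rank all entries, most severe first (stable for equal severity)."""
    findings = [Finding(p, s, *classify(p, s)) for p, s in parse_entries(text)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def hidden_kernel_drivers(findings):
    """Hidden .sys files under a drivers directory: the kernel-mode component that
    keeps the other files invisible, so it is the first thing to deal with."""
    return [f.path for f in findings
            if f.severity == "high"
            and f.path.lower().endswith(".sys")
            and "\\drivers\\" in f.path.lower()]


if __name__ == "__main__":
    ranked = triage(SAMPLE_LOG)
    for f in ranked:
        print(f"[{f.severity:<6}] {f.path}\n         {f.status} -- {f.note}")
    print("hidden kernel drivers:", hidden_kernel_drivers(ranked))
```

Run as-is it prints the five sample entries ranked, with the two hidden UAC* files first and the hidden driver listed separately; point `triage()` at the text of a saved RootRepeal.txt to apply the same ranking to a full log. Isolating the hidden driver is the point of the ranking: it is the file the reply below singles out for removal before the rest is cleaned up.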



#6 Budapest

    Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 03 August 2009 - 06:20 PM

Rerun RootRepeal. After the scan completes, go to the Files tab and find this file:

C:\WINDOWS\system32\drivers\UACpjnbodtvbo.sys

Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean post the final log.

#7 Iron_Maiden87

  • Topic Starter
  • Members
  • 7 posts

Posted 03 August 2009 - 07:42 PM

Just completed the second scan and it's all clear. Just wanted to say a big thanks for the very prompt and amazingly effective help. :thumbsup: It's great the effort you guys put in here and like a lot of others I'm very appreciative!

Cheers :flowers:

#8 Budapest

    Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 03 August 2009 - 07:46 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#9 Iron_Maiden87

  • Topic Starter
  • Members
  • 7 posts

Posted 03 August 2009 - 08:09 PM

OK, I've sorted the restore points.

On the Add/Remove Programs page, I can see

J2SE Runtime Environment 5
J2SE Runtime Environment Update 6
J2SE Runtime Environment Update 9

I'm not sure if that's the right stuff to be looking for; I can't immediately see anything else Java related though.

#10 Budapest

    Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 03 August 2009 - 08:11 PM

Those Java entries are out of date. You should remove them and then get the latest from here:

http://java.com/en/download/index.jsp

#11 Iron_Maiden87

  • Topic Starter
  • Members
  • 7 posts

Posted 04 August 2009 - 06:54 AM

Sorry for the late reply, I've updated my Java software now to the one on that link. Anything else I need to do..?

#12 Budapest

    Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 04 August 2009 - 03:54 PM

Nothing else - you're good to go.

#13 Iron_Maiden87

  • Topic Starter
  • Members
  • 7 posts

Posted 04 August 2009 - 04:57 PM

Ok, thanks a lot for your help :thumbsup:



