
cannot remove malware related to uacinit.dll


3 replies to this topic

#1 Siebel


Posted 05 September 2009 - 08:50 AM

Hi,
I have a seemingly nasty piece of malware on my laptop, which I got on 26 Aug. It would be great if anyone could help guide me through removing it; I am a technical person but I am aware that tools such as RootRepeal and ComboFix are beyond my knowledge!

It looks like this is similar to the issues in the post entitled http://www.bleepingcomputer.com/forums/t/248694/search-sites-hijacked-in-firefox/.

Thanks for your help in advance!

Chris


Laptop Configuration
---------------------------------------
  • Pentium 4 2.2 GHz, 1 GB RAM
  • Windows XP SP2 with full updates
  • Norton AV installed at time of infection; now have McAfee as Norton had expired at start of Aug
  • Internet Explorer 6 is my main browser
The malware was installed when I clicked on a dodgy link, which took me to a blank webpage. Thereafter the symptoms below started.


Symptoms
--------------
  • Iexplore.exe starts in the background (not visible to user) when I first login and attempts to go to various sites
  • If I query Google, then click on the URL of a result, I instead go through to some arbitrary sites
  • McAfee failed to download its updates properly, even though it was trying, and so kept reporting that virus definitions were out of date
  • I was unable to start many executables, including AV programs and malware scanners
  • Occasionally another iexplore.exe process spawns itself (not visible to user, but can see it in Task Mgr) while I am doing other things
Steps so far
-------------------
  • Installed SysInternals Process Explorer
  • Disabled something called net.net which was appearing in msconfig. Deleted the file.
  • Ran online scanner (eset) which identified trojan as Kryptik.AHK and removed certain files
  • Was still unable to run mbam
  • Renamed mbam to winlogon.exe and rebooted
  • Was then able to run mbam; it identified 11 issues
  • Mbam removed some problems and attempted to remove others on reboot
  • Reran mbam multiple times, but certain elements remain, which seem to relate to the uacinit.dll (see reports below)
  • Still evidence of the Trojan when using the PC: iexplore still attempts to run at startup, and clicking on Google query results still redirects the browser to arbitrary sites
  • Ran RootRepeal; it identified various issues (see report below)
This is an example of the MBAM output where I attempt to remove the problems:

Malwarebytes' Anti-Malware 1.40
Database version: 2741
Windows 5.1.2600 Service Pack 2

04/09/2009 23:41:06
mbam-log-2009-09-04 (23-41-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 324715
Time elapsed: 1 hour(s), 48 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


#2 Siebel


Posted 05 September 2009 - 08:52 AM

Here is a subsequent MBAM log, showing that problems still remain:


Malwarebytes' Anti-Malware 1.40
Database version: 2741
Windows 5.1.2600 Service Pack 2

05/09/2009 14:30:04
malwarebytes_05092009.txt

Scan type: Full Scan (C:\|)
Objects scanned: 209595
Time elapsed: 1 hour(s), 17 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

#3 Siebel


Posted 05 September 2009 - 08:53 AM

The following is the RootRepeal output:



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 11:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3210000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C80000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7CC0000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFE43000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF740D000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmavyqjwsw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmbitqskpt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmctruehdq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmkvroxfqp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjodiouctvu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClebqqymkpc.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmsgpcpasga.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnbmlwhesdu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtmivqtusij.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyridmrfldf.db
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_nztheq8mlp4ustq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_fe6qoymtarikb5q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_j4839vo8os6n9tc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_39l9g0vvidawf6b
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_aiwu5ursve4o13r
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC4768.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC731b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb57d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb9fd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc5d7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmrrvwqoxj.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temp\UACbe35.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\chris\local settings\application data\mozilla\firefox\profiles\n8ao3qb6.default\cache\_cache_001_
Status: Size mismatch (API: 766834, Raw: 676846)

Path: c:\documents and settings\chris\local settings\application data\mozilla\firefox\profiles\n8ao3qb6.default\cache\_cache_002_
Status: Size mismatch (API: 1189962, Raw: 784055)

Path: c:\documents and settings\chris\local settings\application data\mozilla\firefox\profiles\n8ao3qb6.default\cache\_cache_003_
Status: Size mismatch (API: 2650090, Raw: 2375766)

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\29AD712Fd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\2E8A09C4d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\3E5ED75Ad01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\44D13E22d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\538CF78Ed01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\69A2A434d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\69E2A8B7d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\69FAA8A5d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\6A926882d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\6DB00AF6d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\702B4C4Dd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\79BB0310d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\C48920A9d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\D0B93211d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\D6E9E601d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\EEC68B95d01
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACjodiouctvu.dll]
Process: svchost.exe (PID: 1112) Address: 0x00700000 Size: 73728

Object: Hidden Module [Name: kbiwkmkvroxfqp.dll]
Process: svchost.exe (PID: 1112) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmbitqskpt.dll]
Process: Explorer.EXE (PID: 836) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: kbiwkmbitqskpt.dll]
Process: firefox.exe (PID: 3636) Address: 0x007d0000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmxodqvdll
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrrvwqoxj.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8fe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f7d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f9250

==EOF==

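The RootRepeal report above is long, and the useful signal is spread across several sections: files that exist on disk but are invisible through the Windows API, DLLs hidden inside svchost.exe, Explorer.EXE and firefox.exe, and hidden services pointing at driver files with the same random-name prefixes. The following helper is an added example for this thread, not a RootRepeal tool or anything posted by the original poster; it parses a report in the layout shown above and groups the hidden files by the two naming prefixes (UAC* and kbiwkm*) that appear in it. The sample report embedded in it is a constructed excerpt that reuses names and PIDs from this thread.

```python
"""Summarize a RootRepeal report. Added example; not a RootRepeal tool."""
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report layout. The names and PIDs
# echo the report posted in this thread; the excerpt itself is assembled here.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmsgpcpasga.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmrrvwqoxj.sys
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_nztheq8mlp4ustq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: UACjodiouctvu.dll]
Process: svchost.exe (PID: 1112) Address: 0x00700000 Size: 73728

Object: Hidden Module [Name: kbiwkmbitqskpt.dll]
Process: Explorer.EXE (PID: 836) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys

==EOF==
"""

# Random-name prefixes used by the two families visible in this report.
FAMILY_PREFIXES = ("uac", "kbiwkm")

def split_sections(report):
    """Map each section header (the line above a dashed rule) to the list of
    key/value records beneath it; records are separated by blank lines."""
    lines = report.splitlines()
    sections, current, record = defaultdict(list), None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current, record = line.strip(), {}      # new section header
            continue
        if current is None or line.startswith(("---", "==EOF==")):
            continue                                # banner, rule or EOF marker
        if not line.strip():
            if record:
                sections[current].append(record)    # blank line ends a record
            record = {}
            continue
        key, _, value = line.partition(":")         # split on the first colon only
        record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections

def hidden_files(sections):
    """Paths that exist on disk but are invisible through the Windows API."""
    return [r["Path"] for r in sections.get("Hidden/Locked Files", [])
            if r.get("Status", "").startswith("Invisible to the Windows API")]

def hidden_modules(sections):
    """(module, host process, pid) for every hidden module in Stealth Objects."""
    out = []
    for r in sections.get("Stealth Objects", []):
        name = re.search(r"\[Name: ([^\]]+)\]", r.get("Object", ""))
        proc = re.match(r"(\S+) \(PID: (\d+)\)", r.get("Process", ""))
        if name and proc:
            out.append((name.group(1), proc.group(1), int(proc.group(2))))
    return out

def hidden_services(sections):
    """(service name, driver image path) for each hidden service."""
    return [(r["Service Name"], r["Image Path"])
            for r in sections.get("Hidden Services", [])]

def group_by_prefix(paths):
    """Bucket file names by the random-name prefix they share."""
    groups = defaultdict(list)
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        fam = next((f for f in FAMILY_PREFIXES if name.startswith(f)), "other")
        groups[fam].append(p)
    return dict(groups)

def triage(report):
    """One dict with everything a responder would want to read first."""
    s = split_sections(report)
    files = hidden_files(s)
    return {"hidden_files": files, "by_family": group_by_prefix(files),
            "hidden_modules": hidden_modules(s),
            "hidden_services": hidden_services(s)}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        print(key, val)
```

The "Invisible to the Windows API!" filter is the important one: a file that a raw disk read finds but the API cannot see is being actively hidden, whereas the sqlite temp files with a size mismatch are just open handles and drop out of the list. Grouping by prefix makes it obvious that the hidden driver, the hidden service and the injected DLLs all belong to the same two name sets, which is why removing uacinit.dll on its own never sticks.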
#4 Siebel


Posted 06 September 2009 - 07:04 AM

Dear Mods,

Please would you close this topic.

Thanks,
Chris



