
Cannot remove UACINIT.DLL infection



#1 Siebel


Posted 06 September 2009 - 07:01 AM

Hi, I have a piece of malware on my laptop, which I cannot remove. It would be great if anyone could help guide me through removing it! The details are below, but in summary it seems to boil down to something called uacinit.dll, which MBAM cannot remove.

It looks like this is similar to the issues in the post entitled http://www.bleepingcomputer.com/forums/t/248694/search-sites-hijacked-in-firefox/.

Thanks for your help in advance!

Cheers,
Chris


Laptop Configuration
---------------------------------------

Pentium 4 2.2 GHz 1Gb RAM
Windows XP SP2 with full updates
Norton AV installed at time of infection; now have McAfee as Norton had expired at start of Aug
Internet Explorer 6 is my main browser

The malware was installed when I clicked on a dodgy link, which took me to a blank webpage. Thereafter the symptoms below started.


Symptoms
--------------
  • Iexplore.exe starts in the background (not visible to user) when I first login and attempts to go to various sites
  • If I query Google, then click on the URL of a result, I instead go through to some arbitrary sites
  • McAfee failed to download its updates properly, even though it was trying, and so kept reporting that virus definitions were out of date
  • I was unable to start many executables, including AV programs and malware scanners
  • Occasionally another iexplore.exe process spawns itself (not visible to user, but can see it in Task Mgr) while I am doing other things
Steps so far
-------------------
  • Installed SysInternals Process Explorer
  • Disabled something called net.net which was appearing in msconfig. Deleted the file.
  • Ran online scanner (eset) which identified trojan as Kryptik.AHK and removed certain files
  • Was still unable to run mbam
  • Renamed mbam to winlogon.exe and rebooted
  • Was then able to run mbam; it identified 11 issues
  • Mbam removed some problems and attempted to remove others on reboot
  • Reran mbam multiple times, but certain elements remain, which seem to relate to the uacinit.dll (see reports below)
  • Still evidence of the Trojan when using the PC: iexplore still attempts to run at startup, and clicking on Google query results still redirects the browser to arbitrary sites
  • Ran RootRepeal; it identified various issues (see report below)
  • McAfee still identifies a generic Trojan but is unable to remove it

Logs
------------------------------------------------------------


This is an example MBAM log indicating that it tries to remove the infected files:


Malwarebytes' Anti-Malware 1.40
Database version: 2741
Windows 5.1.2600 Service Pack 2

04/09/2009 23:41:06
mbam-log-2009-09-04 (23-41-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 324715
Time elapsed: 1 hour(s), 48 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


------------------------------------------------------------
------------------------------------------------------------


The following is a subsequent log, showing the malware to still be in place:


Malwarebytes' Anti-Malware 1.40
Database version: 2741
Windows 5.1.2600 Service Pack 2

05/09/2009 14:30:04
malwarebytes_05092009.txt

Scan type: Full Scan (C:\|)
Objects scanned: 209595
Time elapsed: 1 hour(s), 17 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACmsgpcpasga.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.


------------------------------------------------------------
------------------------------------------------------------

The following RootRepeal log seems to indicate many more problems:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 11:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3210000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C80000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7CC0000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFE43000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF740D000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmavyqjwsw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmbitqskpt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmctruehdq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmkvroxfqp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjodiouctvu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClebqqymkpc.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmsgpcpasga.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnbmlwhesdu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtmivqtusij.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyridmrfldf.db
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_nztheq8mlp4ustq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_fe6qoymtarikb5q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_j4839vo8os6n9tc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_39l9g0vvidawf6b
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_aiwu5ursve4o13r
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC4768.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC731b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb57d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb9fd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc5d7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmrrvwqoxj.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temp\UACbe35.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\chris\local settings\application data\mozilla\firefox\profiles\n8ao3qb6.default\cache\_cache_001_
Status: Size mismatch (API: 766834, Raw: 676846)

Path: c:\documents and settings\chris\local settings\application data\mozilla\firefox\profiles\n8ao3qb6.default\cache\_cache_002_
Status: Size mismatch (API: 1189962, Raw: 784055)

Path: c:\documents and settings\chris\local settings\application data\mozilla\firefox\profiles\n8ao3qb6.default\cache\_cache_003_
Status: Size mismatch (API: 2650090, Raw: 2375766)

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\29AD712Fd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\2E8A09C4d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\3E5ED75Ad01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\44D13E22d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\538CF78Ed01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\69A2A434d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\69E2A8B7d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\69FAA8A5d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\6A926882d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\6DB00AF6d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\702B4C4Dd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\79BB0310d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\C48920A9d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\D0B93211d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\D6E9E601d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\EEC68B95d01
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACjodiouctvu.dll]
Process: svchost.exe (PID: 1112) Address: 0x00700000 Size: 73728

Object: Hidden Module [Name: kbiwkmkvroxfqp.dll]
Process: svchost.exe (PID: 1112) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmbitqskpt.dll]
Process: Explorer.EXE (PID: 836) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: kbiwkmbitqskpt.dll]
Process: firefox.exe (PID: 3636) Address: 0x007d0000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmxodqvdll
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrrvwqoxj.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8fe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f7d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f9250

==EOF==


Any help would be hugely appreciated! Thanks!
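The RootRepeal report above is the most useful artifact in this thread for anyone triaging a similar machine, because it separates four kinds of evidence (files invisible to the Windows API, hidden modules injected into running processes, hidden services, and SSDT hooks) that carry very different weight. The following parser is an added example for readers of this thread; it is not code from the original post nor from RootRepeal or Malwarebytes. It reads the RootRepeal text format as shown above, sorts findings into high- and low-priority buckets, and cross-references hidden services against hidden driver files. The embedded SAMPLE_LOG is a short excerpt constructed from the report format in the post, and the SYSTEM_DIRS prefix list is an assumption about which locations deserve the strictest treatment.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report format (a subset of the
# entries shown in the post above), so the parser can run offline.
SAMPLE_LOG = r"""ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 11:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys
Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_nztheq8mlp4ustq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\n8ao3qb6.default\Cache\29AD712Fd01
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACjodiouctvu.dll]
Process: svchost.exe (PID: 1112) Address: 0x00700000 Size: 73728

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmupobawqpa.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf34f8e70

==EOF==
"""

SECTION_UNDERLINE = re.compile(r"^-{5,}$")
# Assumption: hidden files under these prefixes are treated as high priority.
SYSTEM_DIRS = ("c:\\windows\\system32",)


def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record is one blank-line-separated
    block of 'Key: value' lines. Sections are titles followed by a dashed rule."""
    sections = defaultdict(list)
    lines = text.splitlines()
    current, record = None, {}
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and SECTION_UNDERLINE.match(nxt.strip()):
            current, record = line.strip(), {}
            continue
        if SECTION_UNDERLINE.match(line.strip()) or line.startswith("==") or current is None:
            continue
        if not line.strip():
            if record:
                sections[current].append(record)
                record = {}
            continue
        m = re.match(r"#:\s*(\d+)\s+Function Name:\s*(.+)", line)  # Shadow SSDT rows
        if m:
            record["Index"], record["Function Name"] = int(m.group(1)), m.group(2).strip()
            continue
        key, _, value = line.partition(":")  # first colon only; paths keep their "C:"
        record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return dict(sections)


def triage(sections):
    """Bucket findings: API-invisible files in system dirs, injected modules,
    hidden services and SSDT hooks are high signal; cache/temp size mismatches
    seen during a live scan are recorded but ranked low."""
    out = {"hidden_system_files": [], "hidden_modules": [], "hidden_services": [],
           "ssdt_hooks": [], "low_priority": []}
    for rec in sections.get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "")
        if status.startswith("Invisible to the Windows API") and path.lower().startswith(SYSTEM_DIRS):
            out["hidden_system_files"].append(path)
        else:
            out["low_priority"].append((path, status))
    for rec in sections.get("Stealth Objects", []):
        name = re.search(r"\[Name:\s*([^\]]+)\]", rec.get("Object", ""))
        proc = re.match(r"(\S+)\s+\(PID:\s*(\d+)\)", rec.get("Process", ""))
        if name and proc:
            out["hidden_modules"].append((name.group(1), proc.group(1), int(proc.group(2))))
    for rec in sections.get("Hidden Services", []):
        out["hidden_services"].append((rec.get("Service Name"), rec.get("Image Path")))
    for rec in sections.get("Shadow SSDT", []):
        hook = re.search(r'Hooked by "([^"]+)"', rec.get("Status", ""))
        out["ssdt_hooks"].append((rec.get("Function Name"), hook.group(1) if hook else None))
    return out


def rootkit_indicators(findings):
    """A hidden service whose driver image is itself invisible to the Windows
    API is the strongest single indicator of a kernel-mode rootkit in this report."""
    hidden = {p.lower() for p in findings["hidden_system_files"]}
    return [svc for svc, image in findings["hidden_services"] if image and image.lower() in hidden]


if __name__ == "__main__":
    f = triage(parse_rootrepeal(SAMPLE_LOG))
    for bucket, items in f.items():
        print(f"{bucket}: {len(items)}")
    print("services backed by hidden drivers:", rootkit_indicators(f))
```

SSDT hooks are reported as-is rather than scored: hooks installed by a legitimately signed security product are expected, so the hooking module path should be checked against the machine's installed AV/firewall drivers before it is treated as evidence. The cross-reference in rootkit_indicators is what turns two separate log sections into one conclusion, which is exactly the reasoning that leads to the "you have a rootkit" verdict in the reply below.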


#2 Blade


Posted 06 September 2009 - 01:33 PM

Hello Siebel and :flowers: to BleepingComputer!

First I would just like to comment that I am very impressed by how you have organized and presented your information. The detail and clarity are particularly refreshing. Because of this, it is very easy to make a quick diagnosis as I don't have to dig out all the info I need. Excellent work! :thumbsup:

You have a rootkit on your machine that is hindering the malware's removal. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Sorry I couldn't do more for you here; they'll be able to help you in HJT.

~Blade



#3 Siebel


Posted 07 September 2009 - 04:08 AM

Hi Blade,

Many thanks for your help and kind comments!

Hopefully I'll be able to follow the instructions you provided at some point in the coming few days!

Thanks again,

Chris

:thumbsup:



