Jump to content

UACinit.dll Trojan Removal


Recommended Posts

Running Windows XP SP3 with all updates applied. Installed Malwarebytes 1.36 anti-malware software with updates and Avira 9.0.0.394 Anti-virus software with updates to remove the WinPC trojan. After much effort, I was able to get the software installed and the trojan removed with the execption of uacinit.dll. Malwarebytes reports the file but I cannot find the file on the hard drive. I've turn off 'Hide System Files' and 'Hide Protected Files' and still cannot find the file. Malwarebytes reports the file in C:\Windows\System32\. I installed HiJackThis to create the logs requested for examination. Here are the results from the scans:

Malwarebytes' Anti-Malware 1.36

Database version: 2139

Windows 5.1.2600 Service Pack 3

5/16/2009 12:51:34 AM

mbam-log-2009-05-16 (00-51-22).txt

Scan type: Quick Scan

Objects scanned: 98622

Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

________________________________________________________________________________

______________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:52:21 AM, on 5/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

c:\progra~1\emdeon~1\clinic~1\webmdc~4.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe

C:\Intergy\Installer.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\rmss\WIN_MONITOR.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\rmss\win_server.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Castelle\FaxPress\FaxTray.Exe

C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe

C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [CstlFaxTray] "C:\Program Files\Castelle\FaxPress\FaxTray.Exe" /s

O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwMkup.exe /Station

O4 - HKLM\..\Run: [FTPWRENV] C:\WINDOWS\Twain_32\Fjscan32\FTPWREVT\FTPWREVT.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\iexplore.exe.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\user.INTERGY\Application Data\winav.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intergy.local

O17 - HKLM\Software\..\Telephony: DomainName = intergy.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{492D3431-4021-409A-981E-2D1DA87C1C32}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intergy.local

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = intergy.local

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Clinical Auto-Updater (ClinicalAutoUpdater) - - c:\progra~1\emdeon~1\clinic~1\webmdc~4.exe

O23 - Service: FJTWMKSV - PFU LIMITED - C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Intergy Installer - Unknown owner - C:\Intergy\Installer.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Monitoring - Unknown owner - C:\Program Files\rmss\WIN_MONITOR.exe

--

End of file - 5484 bytes

Any and all help will be greatly appreciated.

Thank you.

Link to post
Share on other sites

**Update**

Used ComboFix mentioned in the forum and determined my system had a rootkit trojan. Was able to remove rootkit and subsequent scans finally cleared out the final remnants of the malware.

It would appear this trojan is a new variant designed to thwart MalwareBytes software. I had to rename the software to install the program. To run MalwareBytes, I had to open the program as soon as Windows would allow me to double-click on the icon otherwise the program failed to launch.

Thanks to all who post on this forum as the information provided allowed me to fix my system. Reloading Windows would have been a nightmare since this is a heavily configured system.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.