Packed.Generic & uacinit.dll removed.....I think

Hey Guys,

First, I wanted to thank you for your time in hopefully helping me out with this issue.

My problems began on Sunday night, when I was on the internet and all of a sudden Norton AV said it had blocked the Packed.Generic virus from infecting my computer. I tried running a scan with Norton AV, and it would only scan about 6000 random files. Then my computer started the whole "your computer is infected, please download this random scanner" thing. The moment I saw these popups, I turned off my computer and unhooked the internet connection.

After some research, I found this site and downloaded the Malwarebytes and SUPERAntiSpyware freeware and started scanning my computer. First, I ran Malwarebytes and it found some trojans, including "uacinit.dll". I could delete all of the files except for the uacinit.dll, and rebooted. I ran Malwarebytes again and it found a couple more trojan files including the uacinit.dll. Then I ran the SUPERAntiSpyware software and it found 82 files infected, including uacinit.dll. Everything was successfully deleted except the uacinit.dll.

I decided to run Malwarebytes again (my work "IT guy" said run it many times just in case) and this time it DID delete uacinit.dll. Now when I run either Malwarebytes or SUPERAntiSpyware they do not find anything. I tried to run my regular Norton AV and it still only scans 6000 files.

My question is: how can I be sure my computer is in good shape? I have not connected to the internet (other than to update Malwarebytes and SUPERAntiSpyware) since the original infection because I have been afraid to. Do you know why my Norton AV is not working properly? Should I uninstall and reinstall it?

Any insight would be greatly appreciated.

Thanks,

Knox


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


  • Staff

Hi,

It's not supposed to do that. Did you disable your Antivirus before?

Anyway, from what I read here, your computer was severely infected and malware does a lot of damage. A reboot may leave the PC unbootable in a lot of cases because of the malware and the damage already done.

Can you reboot once again?

Also, you said you have used Combofix before. Never use Combofix without guidance, because the very first log it creates is really important for us to review. That log should also show with what exactly you are dealing and what actions to take.

Also, please try from Windows safe mode as well.

Please also remove any flash drives / printers etc. (USB) and virtual DVD/CD drives, because those may cause the same problem.


Hey Mieke,

It finally booted back up and created the log. I have posted it below.

I want to make clear that the only software I have run to fix my computer is Malwarebytes and SUPERAntiSpyware (recommendation from my IT guy).

I have not run Combofix before.

Here is the Log:

ComboFix 09-08-10.06 - KJOLLY 08/13/2009 12:13.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2704 [GMT -4:00]

Running from: c:\documents and settings\KJOLLY\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\NPROTECT

c:\windows\Installer\19d29.msi

c:\windows\Installer\19d2a.msi

c:\windows\Installer\5665561.msi

c:\windows\Installer\Rhino 4.0 Evaluation EN (20070220).msi

c:\windows\system32\SKYNETaveqqlta.dll

c:\windows\system32\SKYNETlqxmetjy.dat

c:\windows\system32\SKYNETqlbwempu.dll

c:\windows\system32\SKYNETycgliqoq.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SKYNETfwppbavh

-------\Service_SKYNETfwppbavh

((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))

.

2009-08-12 02:28 . 2009-08-12 02:28 -------- d-----w- c:\windows\ServicePackFiles

2009-08-12 00:47 . 2009-08-12 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2009-08-12 00:47 . 2009-08-13 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-12 00:47 . 2009-08-13 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-10 22:57 . 2009-08-11 21:25 117760 ----a-w- c:\documents and settings\KJOLLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-08-10 22:57 . 2009-08-10 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-10 22:57 . 2009-08-10 22:57 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-10 22:57 . 2009-08-10 22:57 -------- d-----w- c:\documents and settings\KJOLLY\Application Data\SUPERAntiSpyware.com

2009-08-10 22:35 . 2009-08-10 22:35 -------- d-----w- c:\windows\ERUNT

2009-08-10 22:33 . 2009-08-10 22:39 -------- d-----w- C:\SDFix

2009-08-10 22:33 . 2009-08-10 22:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-10 19:56 . 2009-08-10 19:56 -------- d-----w- c:\documents and settings\KJOLLY\Application Data\Malwarebytes

2009-08-10 19:45 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-10 19:45 . 2009-08-10 19:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-10 19:45 . 2009-08-10 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-10 19:45 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-15 00:51 . 2009-07-15 00:51 -------- d-----w- c:\documents and settings\KJOLLY\Application Data\WD

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-13 16:01 . 2007-07-21 18:36 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-13 16:00 . 2008-08-23 23:11 -------- d-----w- c:\program files\Norton AntiVirus

2009-08-13 16:00 . 2007-07-21 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-13 15:44 . 2008-09-15 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-11 22:34 . 2007-05-10 02:13 73304 ----a-w- c:\documents and settings\KJOLLY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 22:32 . 2007-07-31 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-08-11 22:31 . 2009-02-14 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2009-08-11 22:29 . 2007-08-23 23:58 -------- d-----w- c:\program files\Microsoft Works

2009-08-11 22:28 . 2008-01-15 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-11 22:16 . 2007-08-28 01:04 -------- d-----w- c:\program files\Yahoo!

2009-08-11 22:15 . 2007-08-28 01:47 -------- d-----w- c:\documents and settings\KJOLLY\Application Data\Yahoo!

2009-08-11 22:15 . 2007-08-28 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-08-11 21:31 . 2007-05-26 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-08-05 09:11 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 16:58 . 2008-10-09 03:08 -------- d-----w- c:\program files\RocketDock

2009-07-25 21:48 . 2007-07-22 16:40 -------- d-----w- c:\documents and settings\KJOLLY\Application Data\Apple Computer

2009-07-17 18:55 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-14 00:48 . 2009-07-14 00:45 -------- d-----w- c:\program files\Western Digital

2009-07-14 00:48 . 2009-07-14 00:48 -------- d-----w- c:\program files\Common Files\eSellerate

2009-07-14 00:48 . 2009-07-14 00:48 -------- d-----w- c:\program files\WD

2009-07-14 00:45 . 2009-07-14 00:45 -------- d-----w- c:\program files\Western Digital Corporation

2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 11:50 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-10 04:09 . 2009-05-26 01:32 325112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-06-05 07:42 . 2007-05-10 02:06 655872 ----a-w- c:\windows\system32\mstscax.dll

2009-06-03 19:27 . 2006-02-28 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-06-02 02:50 . 2008-05-26 03:59 1878984 ----a-w- c:\documents and settings\KJOLLY\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

2007-10-24 01:37 . 2007-10-24 01:37 35972 ----a-w- c:\program files\setuplog.txt

2007-10-24 01:37 . 2007-10-24 01:37 37602 ----a-w- c:\program files\uninstal.log

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]

c:\documents and settings\KJOLLY\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Symantec Core LC"=3 (0x3)

"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=

"c:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=

"c:\\Program Files\\Opera\\Opera.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=

"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=

"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=

"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [11/7/2008 3:20 PM 25824]

R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 3:22 PM 102400]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-15 08:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.metacrawler.com/crawler?general=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-13 12:25

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1202660629-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1060284298-1202660629-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:b9,08,05,fb,b6,e4,26,95,8d,43,3d,3c,be,57,43,29,b4,33,7a,8e,b7,c0,35,

76,99,e7,96,f1,46,26,55,31,1c,f1,57,3d,3b,53,14,b5,34,6a,23,88,60,26,96,98,\

"??"=hex:cf,d1,cb,4a,36,2b,51,3e,0a,df,e5,af,6b,dc,cb,a5

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:45,0f,f0,21,70,b5,ff,f8,c7,48,00,9a,26,8f,0f,ea,22,6f,02,5f,92,

4c,6c,91,64,e6,90,18,80,89,57,92,07,47,9f,80,74,db,8a,91,2c,4b,18,1e,bf,42,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:45,0f,f0,21,70,b5,ff,f8,c7,48,00,9a,26,8f,0f,ea,22,6f,02,5f,92,

4c,6c,91,64,e6,90,18,80,89,57,92,07,47,9f,80,74,db,8a,91,2c,4b,18,1e,bf,42,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2968)

c:\windows\system32\WININET.dll

c:\program files\RocketDock\RocketDock.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\IJPLM\ijplmsvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-13 12:29 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-13 16:29

Pre-Run: 68,810,645,504 bytes free

Post-Run: 69,645,156,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

213 --- E O F --- 2009-08-12 02:30


  • Staff

Ok, I read for a second you used Combofix as well. ;)

I see you used SDFix before as well which may also cause the startup delay since a script runs after reboot.

To delete the startup reference...

Open Notepad and copy and paste the text in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SDFix"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

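The two steps the staff reply works through above (reading the Run entries out of the posted ComboFix report, then removing the leftover SDFix value with a REGEDIT4 file) as an added Python example. This is not ComboFix, Malwarebytes or forum staff code: the sample log excerpt and the fix.reg text are constructed from the entries quoted in this thread, and the "trusted directory" and script-extension heuristics are assumptions of the example, not anything ComboFix itself reports.

```python
"""Parse the 'Reg Loading Points' autostart section of a ComboFix report and
apply a REGEDIT4 deletion fix to the parsed entries.

Added example for this thread; not ComboFix, Malwarebytes or forum staff code.
SAMPLE_LOG and FIX_REG are constructed from the entries quoted above, and the
"suspicious" heuristics below are the example's own assumptions.
"""
import re

# Constructed from the Run entries in the posted log (single backslashes,
# exactly as ComboFix prints them, not .reg-escaped).
SAMPLE_LOG = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"RocketDock"="c:\\program files\\RocketDock\\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"NvCplDaemon"="c:\\windows\\system32\\NvCpl.dll" [2006-10-22 7700480]
"SDFix"="c:\\sdfix\\RunThis.bat" [2008-11-06 964661]
"""

# The fix.reg from the staff reply: "Name"=- tells regedit to delete a value.
FIX_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SDFix"=-
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
LOG_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[\d{4}-\d{2}-\d{2} \d+\]$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Assumed baseline: autostart targets normally live under these directories.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\')
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js')


def parse_run_entries(log_text):
    """Return {key: {value_name: path}} for the autostart keys in the report."""
    entries, key = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            entries.setdefault(key, {})
            continue
        m = LOG_VALUE_RE.match(line)
        if m and key is not None:
            entries[key][m.group('name')] = m.group('path')
    return entries


def flag_suspicious(entries):
    """Return (key, name, path, reasons) for entries worth a second look.

    Heuristic only: the SDFix leftover in this thread is a benign cleanup
    script, but a batch file launched from a top-level folder is the kind of
    entry a reviewer wants explained before calling a machine clean.
    """
    flagged = []
    for key, values in entries.items():
        for name, path in values.items():
            lower = path.lower()
            reasons = []
            if not lower.startswith(TRUSTED_DIRS):
                reasons.append('outside Windows/Program Files')
            if lower.endswith(SCRIPT_EXT):
                reasons.append('script launcher')
            if reasons:
                flagged.append((key, name, path, reasons))
    return flagged


def _find_key(mapping, key):
    """Registry key names are case-insensitive; return the stored spelling."""
    for stored in mapping:
        if stored.lower() == key.lower():
            return stored
    return None


def apply_reg(entries, reg_text):
    """Apply a REGEDIT4 fragment to the parsed entries; returns a new dict.

    Handles the two deletion forms regedit accepts ("Name"=- removes a value,
    [-Key] removes a key) plus plain string assignments. Like regedit, it
    refuses a file without the REGEDIT4 header line.
    """
    lines = [ln.strip() for ln in reg_text.splitlines()]
    if not lines or lines[0] != 'REGEDIT4':
        raise ValueError('missing REGEDIT4 header; regedit would not merge this file')
    result = {k: dict(v) for k, v in entries.items()}
    current = None
    for line in lines[1:]:
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            if key.startswith('-'):                 # [-Key] deletes the key
                stored = _find_key(result, key[1:])
                if stored is not None:
                    del result[stored]
                current = None
                continue
            current = _find_key(result, key) or key
            result.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group('name'), m.group('data')
            if data == '-':                         # "Name"=- deletes the value
                result[current].pop(name, None)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                result[current][name] = data[1:-1].replace('\\\\', '\\')
    return result


if __name__ == '__main__':
    before = parse_run_entries(SAMPLE_LOG)
    for key, name, path, reasons in flag_suspicious(before):
        print(f'{name}: {path}  <- {", ".join(reasons)}')
    after = apply_reg(before, FIX_REG)
    print('still flagged after fix.reg:', flag_suspicious(after))
```

Run as-is, it flags only the SDFix entry (a .bat outside Windows/Program Files) and reports nothing flagged after the fix.reg is applied. The `=-` data is what makes regedit delete the value rather than overwrite it, and a file whose first line is not `REGEDIT4` is rejected, which is why the reply stresses copying that header.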

  • Staff

Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
