[Resolved] uacd.sys unable to remove, how do I get rid of this?
Ron_D
post Jun 13 2009, 09:45 PM
Post #1
I have attempted several times to remove uacinit.dll using Malwarebytes and have been unsuccessful. It says it will be removed on reboot, but when I rerun the scan it is still there.

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:52 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Hawking\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://whitesox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HWDN2 Wireless Utility.lnk = C:\Program Files\Hawking\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108488196921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184710139390
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7478 bytes

and the mbam log:

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3

6/13/2009 10:35:32 PM
mbam-log-2009-06-13 (22-35-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130540
Time elapsed: 46 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

I also ran ATF, which cleaned up all temp files and locations. Finally I ran RootRepeal, and it listed UACD.sys as a hidden process:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/13 18:56
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAF395000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE04000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF865000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sfc.SYS
Image Path: C:\WINDOWS\System32\Drivers\sfc.SYS
Address: 0xAD749000 Size: 12256 File Visible: No Signed: -
Status: -

Name: svmgiyhj.sys
Image Path: C:\WINDOWS\system32\drivers\svmgiyhj.sys
Address: 0xB0D40000 Size: 61440 File Visible: No Signed: -
Status: -

Name: UACnoxvkdujkdabijd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
Address: 0xB45AB000 Size: 77824 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACcnppfgnodbuyxwi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACehbqwgitweivosd.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClilwbwuiqnylibp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnvgcxxwuswafccs.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpqeewmgtprrgvjm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtethcvhelwpkvlt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvjmmjakqcxbownw.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC118a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC13fb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC15c0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1e9a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2011.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd15.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\PCuser\Local Settings\Temp\UAC6e37.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: sfcfiles.dll]
Process: winlogon.exe (PID: 888) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: mssfc.dll]
Process: winlogon.exe (PID: 888) Address: 0x66700000 Size: 1622016

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: svchost.exe (PID: 1164) Address: 0x028d0000 Size: 45056

Object: Hidden Module [Name: UACpqeewmgtprrgvjm.dll]
Process: svchost.exe (PID: 1164) Address: 0x00a40000 Size: 53248

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: svchost.exe (PID: 1164) Address: 0x02970000 Size: 49152

Object: Hidden Module [Name: UAC13fb.tmpcvhelwpkvlt.dll]
Process: svchost.exe (PID: 1164) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: atiptaxx.exe (PID: 2180) Address: 0x009c0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: atiptaxx.exe (PID: 2180) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: DVDLauncher.exe (PID: 2416) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: DVDLauncher.exe (PID: 2416) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: SHSTAT.EXE (PID: 1788) Address: 0x00970000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: SHSTAT.EXE (PID: 1788) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: UdaterUI.exe (PID: 2664) Address: 0x00910000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: UdaterUI.exe (PID: 2664) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: jusched.exe (PID: 3372) Address: 0x00bc0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: jusched.exe (PID: 3372) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: McTray.exe (PID: 3556) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: McTray.exe (PID: 3556) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: ZCfgSvc.exe (PID: 3588) Address: 0x00e50000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ZCfgSvc.exe (PID: 3588) Address: 0x00f10000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: ifrmewrk.exe (PID: 184) Address: 0x00d70000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ifrmewrk.exe (PID: 184) Address: 0x00e30000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: quickset.exe (PID: 3628) Address: 0x00d30000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: quickset.exe (PID: 3628) Address: 0x00df0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: tfswctrl.exe (PID: 3736) Address: 0x00920000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: tfswctrl.exe (PID: 3736) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: iTunesHelper.exe (PID: 4004) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: iTunesHelper.exe (PID: 4004) Address: 0x00bb0000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: ctfmon.exe (PID: 4052) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: ctfmon.exe (PID: 4052) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: Dot1XCfg.exe (PID: 2248) Address: 0x00c00000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: Dot1XCfg.exe (PID: 2248) Address: 0x00d50000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: svchost.exe (PID: 2352) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: svchost.exe (PID: 2352) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: RaUI.exe (PID: 1692) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: RaUI.exe (PID: 1692) Address: 0x00b60000 Size: 49152

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: iPodService.exe (PID: 2676) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: iPodService.exe (PID: 2676) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: Copy of mbam.exe (PID: 2780) Address: 0x01320000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: Copy of mbam.exe (PID: 2780) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: jucheck.exe (PID: 500) Address: 0x01030000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: jucheck.exe (PID: 500) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: RootRepeal.exe (PID: 3112) Address: 0x00b10000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: RootRepeal.exe (PID: 3112) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: logon.scr (PID: 5700) Address: 0x008a0000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: logon.scr (PID: 5700) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClilwbwuiqnylibp.dll]
Process: wmiprvse.exe (PID: 4272) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACcnppfgnodbuyxwi.dll]
Process: wmiprvse.exe (PID: 4272) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnoxvkdujkdabijd.sys

==EOF==

I looked for the files but was unable to find them. I have not run it in safe mode yet.

Any help you can give would be appreciated.

Thank you.

This post has been edited by ron_d: Jun 13 2009, 09:48 PM
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy