system security virus problem


This topic is locked. 13 replies to this topic.

#1 mroctober

Posted 10 July 2009 - 07:13 PM

I am running Windows XP. Recently I acquired the System Security virus (not sure specifically which version of it). It caused serious problems including disabling Task Manager, messing with my internet connection, and not allowing me to run most .exe files including anything from "Run" in the start menu (when I try to open one it gives me the "Open With" dialog box). After following some advice somewhere online (can't remember where now), I found a folder located in C:/Documents and Settings/All Users/Application Data that was named a long string of numbers. Following the advice, I changed the name of the folder and the included files and restarted my computer. After doing so, I am now able to access the internet, but I still cannot open most .exe files and Task Manager is still disabled. I had downloaded the setup file for the Malwarebytes Anti-Malware program but couldn't get it to run, so I tried installing the program to a flash drive and then running it on the infected computer, but this didn't work. I got the same "Open With" dialog box. After trying a few of my own ideas, I found that I could open some .exe files by opening them with themselves. This worked for the latest AVG Free Edition software which I had installed about a week ago, so I scanned my computer with AVG and "healed" a ton of various trojan-related files. This, however, did not help with the .exe files or Task Manager. So I tried doing it with the Malwarebytes program, but that did not work. I kept looking on the internet and eventually I found your System Security Virus Removal Guide, so I downloaded Process Explorer on another computer and used my flash drive to put it on the infected computer. I renamed it "explorer.exe" and then tried to open it, which led me to the same "Open With" dialog box, so I decided to try to open this program with itself. This got me to the window where I can choose to agree, so I did so. This led me to the following dialog box with Process Explorer in the heading: "Usage: Process Explorer [/t] [/p:[r/h/l]] [/s:<PID>] /t Start minimized in the tray /p Run at priority: realtime (r), high (h), normal (n) or low (l) /s Select the specified process". My only options are to click OK or close the dialog box.
After I do either, the program simply goes away. Halfway through typing this post on the infected computer, what sounded like audio from an online video started coming out of my computer speakers. At this point I disconnected from the internet in order to type the rest of this post, at which time the audio stopped. I reconnected just long enough to post and am now moving to a safe computer. I am out of ideas myself and was wondering if anyone else has any idea on how I should proceed. Thanks in advance for any help.


#2 boopme

Posted 10 July 2009 - 08:01 PM

Hello, have you tried downloading Malwarebytes (MBAM) and, before saving MBAM, renaming it to zztoy.exe? Then save it to your desktop.

Whether that works or not, try this next.

Next, please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 mroctober

Posted 10 July 2009 - 08:51 PM

Thanks for your timely help. Got Malwarebytes to run as zztoy. Should I now run a scan? Also, here is my RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/10 20:35
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xAB50B000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9614000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACwdebmscdertucfdtg.sys
Image Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys
Address: 0xB14FA000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xAB92D000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xABF16000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Allocation size mismatch (API: 1, Raw: 0)

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmihsgeqaeaecbivab.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmlvroukqjhhqrifsm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmnlxlurmbogfipuyb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACunmmouxnixelhmofm.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACunrqorgfiopnftukj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuvqnivxoskpauriur.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxnvxdnkncibbvtfrd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3258.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb798.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Installer\2bccb280.msi
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Seth\Local Settings\Temp\UAC1071.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\ASHBY, M. F. (1998). Engineering Materials (2nd ed.) (2 vols.)\Volume 2 - An Introduction to Microstructures, Processing and Design
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\KIM, J.-K. (1998). Engineered Interfaces in Fiber Reinforced Composites\Engineered_Interfaces_in_Fiber_Reinforced_Composites.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\DIXON, S. L. (1998). Fluid Mechanics, Thermodynamics of Turbomachinery (4th ed.)\Fluid_Mechanics_and_Thermodynamics_of_Turbomachinery_4E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\CAMPBELL, B. A. (1996). Introduction to Space Sciences and Spacecraft Applications\Intro_to_Space_Sciences_Spacecraft_Applications.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\BONNICK, A. W. M. (2001). Automotive Computer Controlled Systems - Diagnostic Tools and Techniques\Automotive_Computer_Controlled_Systems.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\WOODYARD, D. F. (2004). Pounder's Marine Diesel Engines and Gas Turbines (8th ed.)\POUNDER_Marine_Diesel_Engines_Gas_Turbines_8E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\WU, Y.-S. (2001). Practical Design of Ships and Other Floating Structures (vol. 1)\Practical_Design_Ships_Floating_Structures_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\SMITH, D. J. (2001). Reliability, Maintainability and Risk - Practical Methods for Engineers (6th ed.)\Reliability_Maintainability_Risk_6E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\PAIDOUSSIS, M. P. (1998). Fluid-Structure Interactions - Slender Structures and Axial Flow (vol. 1)\Fluid-Structure_Interactions.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\AGRAWAL, K. C. (2001). Industrial Power Engineering and Applications Handbook\Industrial_Power_Engineering_Applications_Handbook.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\FUKUNAGA, K. (1990). Introduction to Statistical Pattern Recognition (2nd ed.)\Intro_to_Statistical_Pattern_Recognition_2E.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\ELLIOTT, D. F. (1987). Handbook of Digital Signal Processing - Engineering Applications\Handbook_of_Digital_Signal_Processing.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\DUNCAN, B. (1996). High Performance Audio Power Amplifiers for Music Performance and Reproduction\High_Performance_Audio_Power_Amplifiers.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\DYE, N. (2000). Radio Frequency Transistors - Principles and Practical Applications (2nd ed.)\Radio_Frequency_Transistors_2E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\BALL, S. R. (2001). Analog Interfacing to Embedded Microprocessors - Real World Design\Analog_Interfacing_to_Embedded_Microprocessors.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\LIPOVSKI, G. J. (1999). Introduction to Microcontrollers - Architecture, etc. for the Motorola 68HC12\Intro_to_Microcontrollers.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\MARKVART, T. (2003). Practical Handbook of Photovoltaics - Fundamentals and Applications\Practical_Handbook_of_Photovoltaics.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\TRUNDLE, E. (2001). Newnes Guide to Television and Video Technology (3rd ed.)\Newnes_Guide_to_Television_and_Video_Technology_3E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\SMITH, S. W. (2003). Digital Signal Processing - A Practical Guide for Engineers and Scientists\Digital_Signal_Processing.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\PEASE, R. A. (1991). Troubleshooting Analog Circuits - With Electronics Workbench Circuits\Troubleshooting_Analog_Circuits.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\SCHMITT, R. (2002). Electromagnetics Explained - A Handbook for Wireless-RF, EMC, and High-Speed Electronics\Electromagnetics_Explained.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\MIDDLETON, W. M. (2001). Reference Data for Engineers - Radio, Electronics, Computer, etc. (9th ed.)\Reference_Data_for_Engineers_9E.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\HUDSON, J. A. (2000). Engineering Rock Mechanics (2 vols.)\Part 1 - An Introduction to the Principles\Engineering_Rock_Mechanics_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\HUDSON, J. A. (2000). Engineering Rock Mechanics (2 vols.)\Part 2 - Illustrative Worked Examples\Engineering_Rock_Mechanics_VOLUME2.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\ZIENKIEWICZ, O. C. (2000). The Finite Element Method (5th ed.) (3 vols.)\Volume 1 - The Basis\Finite_Element_Method_5E_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\ZIENKIEWICZ, O. C. (2000). The Finite Element Method (5th ed.) (3 vols.)\Volume 2 - Solid Mechanics\Finite_Element_Method_5E_VOLUME2.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\ZIENKIEWICZ, O. C. (2000). The Finite Element Method (5th ed.) (3 vols.)\Volume 3 - Fluid Dynamics\Finite_Element_Method_5E_VOLUME3.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\RAWSON, K. J. (2001). Basic Ship Theory (5th ed.) (2 vols.)\Volume 1 - Hydrostatics and Strength\Basic_Ship_Theory_5E_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\RAWSON, K. J. (2001). Basic Ship Theory (5th ed.) (2 vols.)\Volume 2 - Ship Dynamics and Design\Basic_Ship_Theory_5E_VOLUME2.pdf
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: winlogon.exe (PID: 1244) Address: 0x00780000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: winlogon.exe (PID: 1244) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: services.exe (PID: 1292) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: services.exe (PID: 1292) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: lsass.exe (PID: 1320) Address: 0x00900000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: lsass.exe (PID: 1320) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1556) Address: 0x008d0000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1556) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1556) Address: 0x00aa0000 Size: 49152

Object: Hidden Module [Name: UACmlvroukqjhhqrifsm.dll]
Process: svchost.exe (PID: 1556) Address: 0x00c40000 Size: 81920

Object: Hidden Module [Name: UACmnlxlurmbogfipuyb.dll]
Process: svchost.exe (PID: 1556) Address: 0x00cf0000 Size: 73728

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1556) Address: 0x00f80000 Size: 45056

Object: Hidden Module [Name: UACxnvxdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1556) Address: 0x02c70000 Size: 204800

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1556) Address: 0x02ee0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1644) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1644) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1644) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1692) Address: 0x008d0000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1692) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1692) Address: 0x00aa0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1756) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1756) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1756) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1880) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1880) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1880) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: aawservice.exe (PID: 272) Address: 0x00c30000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: aawservice.exe (PID: 272) Address: 0x00fa0000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: spoolsv.exe (PID: 148) Address: 0x00cf0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: spoolsv.exe (PID: 148) Address: 0x00b40000 Size: 45056

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: acs.exe (PID: 484) Address: 0x00db0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: acs.exe (PID: 484) Address: 0x00f00000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 548) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 548) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 548) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: avgwdsvc.exe (PID: 644) Address: 0x008c0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: avgwdsvc.exe (PID: 644) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: dlcxcoms.exe (PID: 684) Address: 0x00bc0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: dlcxcoms.exe (PID: 684) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: FreeAgentService.exe (PID: 736) Address: 0x009c0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: FreeAgentService.exe (PID: 736) Address: 0x00b30000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: Iaantmon.exe (PID: 788) Address: 0x008c0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: Iaantmon.exe (PID: 788) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: nvsvc32.exe (PID: 896) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: nvsvc32.exe (PID: 896) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: avgrsx.exe (PID: 1100) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: avgrsx.exe (PID: 1100) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACb798.tmpdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 1128) Address: 0x008d0000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 1128) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 1128) Address: 0x00aa0000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: wdfmgr.exe (PID: 1456) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: wdfmgr.exe (PID: 1456) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: Explorer.EXE (PID: 2384) Address: 0x00ba0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: Explorer.EXE (PID: 2384) Address: 0x00d20000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: ctfmon.exe (PID: 2576) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: ctfmon.exe (PID: 2576) Address: 0x00a50000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: ctfmon.exe (PID: 3112) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: ctfmon.exe (PID: 3112) Address: 0x00a50000 Size: 45056

Object: Hidden Module [Name: UACxnvxdnkncibbvtfrd.dll]
Process: svchost.exe (PID: 608) Address: 0x00b60000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: svchost.exe (PID: 608) Address: 0x00ca0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: svchost.exe (PID: 608) Address: 0x00d30000 Size: 49152

Object: Hidden Module [Name: UACxnvxdnkncibbvtfrd.dll]
Process: Iexplore.exe (PID: 3460) Address: 0x00c90000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: Iexplore.exe (PID: 3460) Address: 0x00ed0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: Iexplore.exe (PID: 3460) Address: 0x00f80000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: avgnsx.exe (PID: 3364) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: avgnsx.exe (PID: 3364) Address: 0x00aa0000 Size: 49152

Object: Hidden Module [Name: UACxnvxdnkncibbvtfrd.dll]
Process: Iexplore.exe (PID: 3000) Address: 0x00c90000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: Iexplore.exe (PID: 3000) Address: 0x00ed0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: Iexplore.exe (PID: 3000) Address: 0x00f80000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: b.exe (PID: 3756) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: b.exe (PID: 3756) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxnvxdnkncibbvtfrd.dll]
Process: iexplore.exe (PID: 2884) Address: 0x00c90000 Size: 204800

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: iexplore.exe (PID: 2884) Address: 0x00ed0000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: iexplore.exe (PID: 2884) Address: 0x00f80000 Size: 49152

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: WinRAR.exe (PID: 3284) Address: 0x00dc0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: WinRAR.exe (PID: 3284) Address: 0x00c20000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: RootRepeal.exe (PID: 2244) Address: 0x00e30000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: RootRepeal.exe (PID: 2244) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACunrqorgfiopnftukj.dll]
Process: mbam.exe (PID: 2296) Address: 0x010c0000 Size: 49152

Object: Hidden Module [Name: UACuvqnivxoskpauriur.dll]
Process: mbam.exe (PID: 2296) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys

==EOF==

#4 boopme

Posted 10 July 2009 - 09:00 PM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys

C:\WINDOWS\system32\UACxnvxdnkncibbvtfrd.dll

C:\WINDOWS\system32\UACuvqnivxoskpauriur.dll

C:\WINDOWS\system32\UACunrqorgfiopnftukj.dll

C:\WINDOWS\system32\UACmnlxlurmbogfipuyb.dll

C:\WINDOWS\system32\UACmlvroukqjhhqrifsm.dll

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\uactmp.db

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 mroctober

Posted 10 July 2009 - 09:45 PM

Did everything as you said, worked great. Not sure exactly what you want me to post, the MBAM log from the scan before I rebooted or do I need to do a new scan and post the log of that? Also, after reboot after I ran MBAM, I got the following error messages:

Windows cannot find 'C:\WINDOWS\system32\mszbq.exe'. Make sure you typed the file name correctly, and then try again. To search for a file, click the Start button, and then click Search

Desktop
Could not load or run 'C:\WINDOWS\system32\mszbq.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

#6 boopme

Posted 10 July 2009 - 09:55 PM

Hi, great news. I just need the quick scan now after the Rootrepeal.

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
Credit to quietman7
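An added example, not code from the thread or its posters, that automates the check the Autoruns steps above perform by hand: it walks the Run/RunOnce keys of both hives plus the Winlogon Shell and Userinit values, resolves each command line to a program path and reports entries whose target file no longer exists (the situation behind the mszbq.exe error). It only reports; removing the entry is still the Autoruns step. Assumes Windows PowerShell 3 or later.

```powershell
# Added example: find autostart entries whose program file is gone.
# Read-only: nothing is deleted, the orphaned entries are only listed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon values that also launch programs at logon; each may hold a
# comma-separated list, e.g. Userinit = "C:\WINDOWS\system32\userinit.exe,"
$winlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonValues = 'Shell', 'Userinit'

function Get-ExecutablePath {
    # Extract the program path from a command line such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\WINDOWS\system32\mszbq.exe
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl -eq '') { return $null }

    if ($cl.StartsWith('"')) {
        # Quoted path: everything up to the closing quote
        $end = $cl.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cl.Substring(1, $end - 1) } else { $cl.Trim('"') }
    } else {
        # Unquoted: grow a prefix token by token until something exists on disk,
        # so an unquoted "C:\Program Files\x\y.exe /a" is not cut at "C:\Program".
        $tokens = $cl -split '\s+'
        $exe = $tokens[0]
        for ($i = 0; $i -lt $tokens.Count; $i++) {
            $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..$i] -join ' '))
            if (-not [IO.Path]::HasExtension($candidate)) { $candidate += '.exe' }
            if (Test-Path -LiteralPath $candidate) { $exe = $candidate; break }
        }
    }

    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
    # Bare names such as "Explorer.exe" resolve through PATH
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Test-AutostartEntry {
    param([string]$Key, [string]$Name, [string]$CommandLine)
    $exe = Get-ExecutablePath $CommandLine
    [pscustomobject]@{
        Key      = $Key
        Name     = $Name
        Command  = $CommandLine
        Target   = $exe
        Orphaned = ($null -ne $exe) -and -not (Test-Path -LiteralPath $exe)
    }
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        Test-AutostartEntry -Key $key -Name $name -CommandLine ([string]$item.GetValue($name))
    }
})

$results += @(foreach ($name in $winlogonValues) {
    $value = (Get-ItemProperty -Path $winlogonKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { continue }
    # Check each program in the comma-separated list separately
    foreach ($part in ($value -split ',' | Where-Object { $_.Trim() -ne '' })) {
        Test-AutostartEntry -Key $winlogonKey -Name $name -CommandLine $part
    }
})

$orphans = $results | Where-Object { $_.Orphaned }
if ($orphans) {
    "Autostart entries pointing at files that no longer exist:"
    $orphans | Format-Table Key, Name, Target -AutoSize
} else {
    "No orphaned autostart entries found."
}
```

Run it from an elevated prompt so the HKLM values are readable; an entry listed here is the one to look for in Autoruns before deleting it.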

#7 mroctober

Posted 11 July 2009 - 10:28 AM

Sorry this took so long. Thanks for all the help. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2405
Windows 5.1.2600 Service Pack 3

7/10/2009 9:32:39 PM
mbam-log-2009-07-10 (21-32-39).txt

Scan type: Quick Scan
Objects scanned: 94577
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 32
Registry Data Items Infected: 18
Folders Infected: 0
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Seth\Local Settings\Temp\734424015954mmx.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pcmstub (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sfxdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tedezotuhe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm8be8ff95 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88dbcc09 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf7husjnfg98gi498aejhiugjkdg4 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14259684 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LowRiskFileTypes (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{46c166aa-3108-11d4-9348-00c04f8eeb71}\inprocserver32\(default) (Hijack.Hnetcfg) -> Bad: (\\?\globalroot\systemroot\installer\2bccb280.msi) Good: (hnetcfg.dll) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Seth\Local Settings\Temp\734424015954mmx.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\Documents and Settings\Seth\Local Settings\Temp\b.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wiwow64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tpsaxyd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\install.48349.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\local settings\Temp\ydt7jidryhtmksxhsetjhsrtjr44.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\UAC3258.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\ODAJCD6Z\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\ld12.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Program Files\sFX\SfX.DlL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Seth\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmlvroukqjhhqrifsm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmnlxlurmbogfipuyb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACunrqorgfiopnftukj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACuvqnivxoskpauriur.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACxnvxdnkncibbvtfrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys (Trojan.Agent) -> Quarantined and deleted successfully.
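
The "Registry Data Items Infected" section of the log above is the most instructive part for a defender, because each entry records the hijacked value next to the clean one: the .exe/.com/.bat associations pointed at "csfile", the DisableTaskMgr and DisableRegistryTools policies set to 1, a second executable appended to Winlogon's Userinit, Security Center notifications switched off, and the "show hidden files" toggle disabled. The following is an added example, not part of the thread and not Malwarebytes' own tooling: it parses lines in that format (the sample is copied from the log above) and maps each hijacked value to the symptom it produces. The category names, the symptom wording and the Userinit comparison by file name are the editor's own assumptions.

```python
"""Parse the 'Registry Data Items Infected' section of a Malwarebytes'
Anti-Malware (MBAM) log and describe what each hijacked value did.

Added example, not part of the forum thread or of Malwarebytes' own
tooling. The sample lines are copied from the MBAM log posted in this
thread; the category names and symptom wording are the editor's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the thread's MBAM log. Raw string, so the
# backslashes in the registry paths are literal.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One data-item line: <key> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
ITEM_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


@dataclass
class DataItem:
    key: str
    detection: str
    bad: str
    good: str
    action: str


def parse_registry_data_items(log_text: str) -> list[DataItem]:
    """Return only the entries under 'Registry Data Items Infected:'."""
    items, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):  # every section header ends this way
            in_section = line == "Registry Data Items Infected:"
            continue
        if in_section and line and (m := ITEM_RE.match(line)):
            items.append(DataItem(**m.groupdict()))
    return items


def added_userinit_entries(bad: str, good: str) -> list[str]:
    """Programs in the hijacked Userinit list that are absent from the clean one.

    Userinit is a comma-separated list Winlogon runs at logon, so malware
    appends itself to start before the shell. Entries are compared by file
    name (assumption), so a bare 'Userinit.exe' matches its full path. Note
    the extra entry here lives in system32\\drivers, where no real smss.exe is.
    """
    def basename(p: str) -> str:
        return p.strip().rsplit("\\", 1)[-1].lower()

    legit = {basename(p) for p in good.split(",") if p.strip()}
    return [p.strip() for p in bad.split(",") if p.strip() and basename(p) not in legit]


def classify(item: DataItem) -> tuple[str, str]:
    """Map a hijacked value to (category, plain-language symptom)."""
    key, name = item.key, item.key.rsplit("\\", 1)[-1]
    assoc = re.search(r"\\(\.[A-Za-z0-9]+)\\\(default\)$", key)
    if assoc:  # HKCR\.ext\(default) names the ProgID that opens that file type
        return ("file_association",
                f"{assoc.group(1)} files are handled by '{item.bad}' instead of "
                f"'{item.good}': double-clicking them fails or shows 'Open With'")
    if name == "Userinit":
        extra = ", ".join(added_userinit_entries(item.bad, item.good))
        return ("logon_hook", f"program(s) added to the logon sequence: {extra}")
    if "\\Policies\\" in key and item.bad == "1":
        return ("policy_restriction", f"policy '{name}' set: the tool or setting it governs is blocked")
    if "\\Security Center\\" in key and item.bad == "1":
        return ("security_center", f"'{name}' set: Security Center stops warning about that protection")
    if key.endswith("\\SHOWALL\\CheckedValue") and item.bad == "0":
        return ("explorer_setting", "'Show hidden files and folders' is switched off, hiding dropped files")
    return ("other", f"{name} is '{item.bad}', expected '{item.good}'")


def summarize(log_text: str) -> dict[str, int]:
    """Count hijacked values per category, the view an analyst skims first."""
    counts: dict[str, int] = {}
    for item in parse_registry_data_items(log_text):
        cat, _ = classify(item)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for item in parse_registry_data_items(SAMPLE_LOG):
        cat, why = classify(item)
        print(f"[{cat}] {item.detection}: {why}")
    print(summarize(SAMPLE_LOG))
```

Run against the full log above, the same parser turns the 18 data items into a handful of categories, which is a quicker way to see that the infection touched execution (file associations, Userinit), user restrictions (policies) and visibility (Security Center, hidden files) all at once.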

#8 boopme (Global Moderator, 73,338 posts; Location: NJ USA)

Posted 11 July 2009 - 01:07 PM

Hi, still a lot of junk here, so we will run these and we should see a big improvement.

Next run ATF and SAS:


Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM like this, in Normal mode:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

#9 mroctober (Topic Starter; Members, 9 posts)

Posted 11 July 2009 - 03:13 PM

Downloaded ATF and SUPER, changed SUPER settings and tried rebooting into safe mode, which gave me the blue screen of death which told me that a problem was detected and Windows shut down to prevent damage. It recommended that I check my computer for viruses :thumbsup:. The technical information from this screen was:

***STOP: 0x0000007B (0xF789E524, 0xC0000034, 0x00000000, 0x00000000)

Tried rebooting into safe mode again and got the same screen.

Should I run ATF and SUPER in regular mode or not?

Edited by mroctober, 11 July 2009 - 05:41 PM.


#10 boopme (Global Moderator, 73,338 posts; Location: NJ USA)

Posted 11 July 2009 - 05:41 PM

OK, we'll hold on that for now. Did you install it from Safe or Normal mode?
EDIT:
You may receive a "Stop 0x0000007B" error message if your computer is infected with a boot-sector virus. What antivirus is installed?

Please rerun RootRepeal, Step 1 only. Post that log.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

***********************

Edited by boopme, 11 July 2009 - 05:43 PM.


#11 mroctober (Topic Starter; Members, 9 posts)

Posted 11 July 2009 - 06:40 PM

It was installed in normal mode. I am running AVG's latest free edition. Here are the results from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/11 18:30
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA6A0A000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA31A2000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: c:\documents and settings\seth\local settings\temp\etilqs_e4dgab2mhahsbpv6sdo7
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\ASHBY, M. F. (1998). Engineering Materials (2nd ed.) (2 vols.)\Volume 2 - An Introduction to Microstructures, Processing and Design
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\KIM, J.-K. (1998). Engineered Interfaces in Fiber Reinforced Composites\Engineered_Interfaces_in_Fiber_Reinforced_Composites.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\DIXON, S. L. (1998). Fluid Mechanics, Thermodynamics of Turbomachinery (4th ed.)\Fluid_Mechanics_and_Thermodynamics_of_Turbomachinery_4E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\CAMPBELL, B. A. (1996). Introduction to Space Sciences and Spacecraft Applications\Intro_to_Space_Sciences_Spacecraft_Applications.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\BONNICK, A. W. M. (2001). Automotive Computer Controlled Systems - Diagnostic Tools and Techniques\Automotive_Computer_Controlled_Systems.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\WOODYARD, D. F. (2004). Pounder's Marine Diesel Engines and Gas Turbines (8th ed.)\POUNDER_Marine_Diesel_Engines_Gas_Turbines_8E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\WU, Y.-S. (2001). Practical Design of Ships and Other Floating Structures (vol. 1)\Practical_Design_Ships_Floating_Structures_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\SMITH, D. J. (2001). Reliability, Maintainability and Risk - Practical Methods for Engineers (6th ed.)\Reliability_Maintainability_Risk_6E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\PAIDOUSSIS, M. P. (1998). Fluid-Structure Interactions - Slender Structures and Axial Flow (vol. 1)\Fluid-Structure_Interactions.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\AGRAWAL, K. C. (2001). Industrial Power Engineering and Applications Handbook\Industrial_Power_Engineering_Applications_Handbook.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\FUKUNAGA, K. (1990). Introduction to Statistical Pattern Recognition (2nd ed.)\Intro_to_Statistical_Pattern_Recognition_2E.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\ELLIOTT, D. F. (1987). Handbook of Digital Signal Processing - Engineering Applications\Handbook_of_Digital_Signal_Processing.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\DUNCAN, B. (1996). High Performance Audio Power Amplifiers for Music Performance and Reproduction\High_Performance_Audio_Power_Amplifiers.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\DYE, N. (2000). Radio Frequency Transistors - Principles and Practical Applications (2nd ed.)\Radio_Frequency_Transistors_2E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD1\BALL, S. R. (2001). Analog Interfacing to Embedded Microprocessors - Real World Design\Analog_Interfacing_to_Embedded_Microprocessors.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\LIPOVSKI, G. J. (1999). Introduction to Microcontrollers - Architecture, etc. for the Motorola 68HC12\Intro_to_Microcontrollers.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\MARKVART, T. (2003). Practical Handbook of Photovoltaics - Fundamentals and Applications\Practical_Handbook_of_Photovoltaics.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\TRUNDLE, E. (2001). Newnes Guide to Television and Video Technology (3rd ed.)\Newnes_Guide_to_Television_and_Video_Technology_3E.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\SMITH, S. W. (2003). Digital Signal Processing - A Practical Guide for Engineers and Scientists\Digital_Signal_Processing.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\PEASE, R. A. (1991). Troubleshooting Analog Circuits - With Electronics Workbench Circuits\Troubleshooting_Analog_Circuits.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\SCHMITT, R. (2002). Electromagnetics Explained - A Handbook for Wireless-RF, EMC, and High-Speed Electronics\Electromagnetics_Explained.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\3-Electronics and Electrical Collection\CD2\MIDDLETON, W. M. (2001). Reference Data for Engineers - Radio, Electronics, Computer, etc. (9th ed.)\Reference_Data_for_Engineers_9E.rar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\HUDSON, J. A. (2000). Engineering Rock Mechanics (2 vols.)\Part 1 - An Introduction to the Principles\Engineering_Rock_Mechanics_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD1\HUDSON, J. A. (2000). Engineering Rock Mechanics (2 vols.)\Part 2 - Illustrative Worked Examples\Engineering_Rock_Mechanics_VOLUME2.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\ZIENKIEWICZ, O. C. (2000). The Finite Element Method (5th ed.) (3 vols.)\Volume 1 - The Basis\Finite_Element_Method_5E_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\ZIENKIEWICZ, O. C. (2000). The Finite Element Method (5th ed.) (3 vols.)\Volume 2 - Solid Mechanics\Finite_Element_Method_5E_VOLUME2.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\ZIENKIEWICZ, O. C. (2000). The Finite Element Method (5th ed.) (3 vols.)\Volume 3 - Fluid Dynamics\Finite_Element_Method_5E_VOLUME3.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\RAWSON, K. J. (2001). Basic Ship Theory (5th ed.) (2 vols.)\Volume 1 - Hydrostatics and Strength\Basic_Ship_Theory_5E_VOLUME1.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Seth\Desktop\stuff to sort out\rsifodc\science\t\ELSEVIER-Referex\2-Mechanical and Materials Collection\CD2\RAWSON, K. J. (2001). Basic Ship Theory (5th ed.) (2 vols.)\Volume 2 - Ship Dynamics and Design\Basic_Ship_Theory_5E_VOLUME2.pdf
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa6c22df0

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys

==EOF==

Running MBAM quick scan right now.

#12 mroctober (Topic Starter; Members, 9 posts)

Posted 11 July 2009 - 06:50 PM

MBAM quick scan detected no malicious items:

Malwarebytes' Anti-Malware 1.38
Database version: 2405
Windows 5.1.2600 Service Pack 3

7/11/2009 6:48:47 PM
mbam-log-2009-07-11 (18-48-47).txt

Scan type: Quick Scan
Objects scanned: 95727
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 boopme (Global Moderator, 73,338 posts; Location: NJ USA)

Posted 11 July 2009 - 08:05 PM

Hello, the UAC rootkit is still alive.
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys

I think the safest way to stop the service is to let the HJT team write you a script.
You will need to run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
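
The point boopme makes above can be checked mechanically: the driver behind the hidden service in the RootRepeal log (C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys) is the same file the first MBAM log listed as "Quarantined and deleted successfully", and the follow-up MBAM quick scan found nothing. A file that a scanner reports removed and that a rootkit detector still sees loading as a hidden service has either been restored or was never really gone, so the "clean" quick scan is not evidence. The following is an added example, not part of the thread and not code from Malwarebytes or RootRepeal: it parses the two log snippets (copied from posts #7 and #11) and flags hidden services whose image path an earlier MBAM run claimed to have deleted; it also lists the SSDT hooks so that an analyst can see the only hook present belongs to SUPERAntiSpyware. The section-splitting rules and verdict wording are the editor's own assumptions.

```python
"""Cross-check a RootRepeal 'Hidden Services' listing against the files an
earlier Malwarebytes (MBAM) scan reported as removed.

Added example, not part of the thread or of either tool. The two snippets
below are copied from the logs posted in this thread (posts #7 and #11);
the parsing rules and the verdict wording are the editor's own.
"""
import re

# Constructed sample: three lines from the thread's first MBAM log.
MBAM_SNIPPET = r"""
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Seth\Local Settings\Temp\734424015954mmx.dll (Spyware.OnlineGames) -> Delete on reboot.
c:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed sample: the SSDT and Hidden Services sections of the thread's RootRepeal log.
ROOTREPEAL_SNIPPET = r"""
SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa6c22df0

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwdebmscdertucfdtg.sys

==EOF==
"""

# MBAM file line: <drive path> (<detection>) -> <action>. Registry lines start
# with HKEY_ and therefore never match.
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)"')


def mbam_removed_files(text: str) -> set[str]:
    """Paths MBAM says it quarantined/deleted, lower-cased for comparison.
    'Delete on reboot' entries are still pending, so they are excluded."""
    removed = set()
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and "deleted" in m["action"].lower():
            removed.add(m["path"].lower())
    return removed


def rootrepeal_sections(text: str) -> dict[str, list[str]]:
    """Split a RootRepeal report into {title: [lines]}. A title is the line
    just above a dashed rule (assumption from the posted log); ==EOF== ends it."""
    lines = text.splitlines()
    sections: dict[str, list[str]] = {}
    title = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("----"):
            title = line.strip()
            sections[title] = []
        elif line.startswith("==EOF=="):
            break
        elif title and line.strip() and not line.startswith("----"):
            sections[title].append(line.strip())
    return sections


def rootrepeal_hidden_services(text: str) -> list[dict[str, str]]:
    """{service, image_path} records from the Hidden Services section."""
    services: list[dict[str, str]] = []
    for line in rootrepeal_sections(text).get("Hidden Services", []):
        field, _, value = line.partition(":")  # first colon only; 'C:' is kept
        if field == "Service Name":
            services.append({"service": value.strip()})
        elif field == "Image Path" and services:
            services[-1]["image_path"] = value.strip()
    return services


def ssdt_hooks(text: str) -> list[dict[str, str]]:
    """SSDT entries as {function, module}. Hooks by a known security product
    are expected; any other module hooking the kernel deserves a closer look."""
    hooks, current = [], None
    for line in rootrepeal_sections(text).get("SSDT", []):
        fn = re.search(r"Function Name: (\S+)", line)
        if fn:
            current = {"function": fn.group(1), "module": ""}
            hooks.append(current)
        elif current and (m := HOOK_RE.search(line)):
            current["module"] = m["module"]
    return hooks


def still_present(mbam_text: str, rootrepeal_text: str) -> list[dict[str, str]]:
    """Hidden services whose driver MBAM had already reported deleted. A hit
    means the file was restored or protected: the rootkit is live and the
    scanner's earlier 'clean' result cannot be trusted."""
    removed = mbam_removed_files(mbam_text)
    return [svc for svc in rootrepeal_hidden_services(rootrepeal_text)
            if svc.get("image_path", "").lower() in removed]


if __name__ == "__main__":
    for svc in still_present(MBAM_SNIPPET, ROOTREPEAL_SNIPPET):
        print(f"ALIVE: service {svc['service']} -> {svc['image_path']} (MBAM reported it deleted)")
    for hook in ssdt_hooks(ROOTREPEAL_SNIPPET):
        print(f"SSDT hook: {hook['function']} by {hook['module']}")
```

The comparison is deliberately case-insensitive because MBAM prints the same directory as both "C:\WINDOWS" and "c:\WINDOWS" within one log, as the full log above shows.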

#14 Orange Blossom (Moderator, 36,963 posts; Location: Bloomington, IN)

Posted 11 July 2009 - 09:11 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/240757/uac-rootkit-wont-go-away/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript