
website hijack and freezing up


  • This topic is locked
18 replies to this topic

#1 mstelzer

mstelzer

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:46 AM

Posted 09 August 2009 - 12:11 PM

Running XP with service pack 2 on brand new computer. Problem started out with computer freezing up after 10-15 minutes of inactivity. Turned off all the hibernation, sleep modes, screen savers etc. This did not fix problem. Problems just started to increase and now my internet browser is being redirected, I can get to my google home page but clicking on any link redirects me to bogus websites that starts out as http:\\windowsclick.com then redirects you to www.bestwebchoice.com no matter what you select from the GOOGLE results. Also yesterday the computer just randomly started playing music or some kind of news reports had to control alt delete to end process for IExplorer.exe. Had McAfee installed as part of new computer - could not find any problems so I removed it and installed AVG Anti Virus free. Found a trojan horse called Clicker.AAJC and a registry key with reference to infected file C:\windows\system32\net.net. Those are in quarantine but I am still having the same issues and so today I installed hijackthis and did not know what to do with the results I got from that so here I am.

Trying to get as much in before the system freezes and will not let me do anything else. Sorry, getting nervous. Here is my DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 11:49:39.42 on Sun 08/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1.#QNAN.2346 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-8 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-8 297752]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-2-28 576024]
S2 0056451249761280mcinstcleanup;McAfee Application Installer Cleanup (0056451249761280);c:\docume~1\admini~1\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2009-08-09 10:53 <DIR> --d----- c:\program files\Trend Micro
2009-08-08 15:06 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-08 14:57 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-08 14:57 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-08 14:57 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-08 14:57 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-08 14:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-08 14:57 <DIR> --d----- c:\program files\AVG
2009-08-08 14:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-08 14:55 434 a------- c:\windows\myClean.bat
2009-08-08 13:00 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-08-02 17:51 <DIR> --d----- c:\program files\IObit
2009-08-02 17:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\IObit
2009-08-02 12:32 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-27 21:37 <DIR> --d----- c:\temp\HP_WebRelease
2009-07-27 21:37 <DIR> --d----- C:\temp
2009-07-27 21:19 38,867 -------- c:\windows\hpomdl03.dat
2009-07-24 17:15 512 a------- c:\windows\system32\pwd.dll
2009-07-24 17:13 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-24 17:06 38,867 -------- c:\windows\hpomdl03.dat.temp
2009-07-24 17:06 29,232 -------- c:\windows\hpoins03.dat.temp
2009-07-17 03:11 118 a------- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-07-18 11:20 3,062,272 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 11:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-22 06:38 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 14:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll

============= FINISH: 11:50:05.46 ===============


#2 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:46 AM

Posted 09 August 2009 - 10:00 PM

Posted at noon today but did not receive any reply. Sorry to keep bothering you.

I have finally gotten Malwarebytes to run on my computer in safe mode. 2 items that it could not remove but it said would remove on reboot. They are still there after reboot when I run the scan again.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
and
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

These two keep showing up - complete file below.
Thanks for any assistance!
M


Database version: 2551
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/9/2009 9:50:54 PM
mbam-log-2009-08-09 (21-50-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 124188
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 10 August 2009 - 12:09 AM.


#3 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 20 August 2009 - 03:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#4 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 21 August 2009 - 01:53 PM

I will be home tonight and will work on the items that you have requested.
Thanks

#5 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:46 AM

Posted 22 August 2009 - 08:33 AM

Here is the DDS log you asked for
Thanks.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 8:29:41.14 on Sat 08/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2942.2457 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-8 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-8 297752]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-2-28 576024]
RUnknown unbxdug;unbxdug; [x]
S2 0056451249761280mcinstcleanup;McAfee Application Installer Cleanup (0056451249761280);c:\docume~1\admini~1\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\005645~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2009-08-22 08:17 118,784 a------- c:\windows\system32\chg.exe
2009-08-17 08:01 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-17 08:00 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-17 07:57 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2009-08-09 22:13 0 a------- c:\documents and settings\administrator\settings.dat
2009-08-09 21:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-09 20:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 20:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-09 20:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-09 20:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 10:53 <DIR> --d----- c:\program files\Trend Micro
2009-08-08 15:06 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-08 14:57 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-08 14:57 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-08 14:57 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-08 14:57 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-08 14:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-08 14:57 <DIR> --d----- c:\program files\AVG
2009-08-08 14:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-08 14:55 434 a------- c:\windows\myClean.bat
2009-08-08 13:00 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-08-05 04:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 17:51 <DIR> --d----- c:\program files\IObit
2009-08-02 17:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\IObit
2009-08-02 12:32 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-27 21:37 <DIR> --d----- c:\temp\HP_WebRelease
2009-07-27 21:37 <DIR> --d----- C:\temp
2009-07-27 21:19 38,867 -------- c:\windows\hpomdl03.dat
2009-07-24 17:13 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-24 17:06 38,867 -------- c:\windows\hpomdl03.dat.temp
2009-07-24 17:06 29,232 -------- c:\windows\hpoins03.dat.temp

==================== Find3M ====================

2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 11:20 3,062,272 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 11:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 02:18 233,472 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 02:18 4,960,256 -------- c:\windows\system32\dllcache\wmp.dll
2009-06-25 13:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-22 06:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 06:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 06:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 06:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 06:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-22 06:38 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 06:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:50 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 06:50 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:21 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 01:32 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 02:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 14:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll

============= FINISH: 8:29:50.26 ===============
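The two DDS logs posted in this thread differ in one SERVICES / DRIVERS entry: the 22 August log carries the line `RUnknown unbxdug;unbxdug; [x]`, a running driver with no start type and no file that DDS could report on. The following Python script is an added example (not part of this thread, of DDS, or of any BleepingComputer tool) that parses that section from both logs, lists entries added between them, and flags entries with an unknown start type or no file information; the two log excerpts are constructed from the posts above, with the long McAfee cleanup line shortened.

```python
"""Triage the SERVICES / DRIVERS section of two DDS logs (added example)."""
import re
from typing import Dict, List, NamedTuple

# Constructed excerpts of the two SERVICES / DRIVERS sections posted in this
# thread (09 Aug and 22 Aug 2009); the McAfee cleanup line is shortened.
DDS_AUG_09 = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-8 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-8 297752]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-2-28 576024]
S2 0056451249761280mcinstcleanup;McAfee Application Installer Cleanup (0056451249761280);c:\docume~1\admini~1\locals~1\temp\005645~1.exe -cleanup -nolog -service [?]

=============== Created Last 30 ================
"""

DDS_AUG_22 = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-8 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-8 297752]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-2-28 576024]
RUnknown unbxdug;unbxdug; [x]
S2 0056451249761280mcinstcleanup;McAfee Application Installer Cleanup (0056451249761280);c:\docume~1\admini~1\locals~1\temp\005645~1.exe -cleanup -nolog -service [?]

=============== Created Last 30 ================
"""


class Service(NamedTuple):
    state: str    # "R1", "S2", "RUnknown", ... (R = running, S = stopped, digit = start type)
    name: str     # service key name
    display: str  # display name
    path: str     # image path plus arguments; empty when DDS printed none
    meta: str     # text inside the trailing [...]: "date size", "x" or "?"


SECTION_HDR = re.compile(r"^=+\s*SERVICES / DRIVERS\s*=+$")
ANY_HDR = re.compile(r"^=+.*=+$")
ENTRY = re.compile(r"^(?P<state>[RS](?:\d+|Unknown))\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TRAILER = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")


def services_section(log: str) -> List[str]:
    """Return the non-blank lines between the SERVICES / DRIVERS header and the next header."""
    out: List[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if SECTION_HDR.match(line):
            inside = True
            continue
        if inside and ANY_HDR.match(line):
            break
        if inside and line:
            out.append(line)
    return out


def parse_services(log: str) -> Dict[str, Service]:
    """Parse every service/driver line into a Service, keyed by lower-cased service name."""
    result: Dict[str, Service] = {}
    for line in services_section(log):
        m = ENTRY.match(line)
        if not m:
            continue  # not a service line
        t = TRAILER.match(m.group("rest"))
        path, meta = (t.group("path"), t.group("meta")) if t else (m.group("rest"), "")
        svc = Service(m.group("state"), m.group("name"), m.group("display"), path.strip(), meta.strip())
        result[svc.name.lower()] = svc
    return result


def new_services(older: Dict[str, Service], newer: Dict[str, Service]) -> List[str]:
    """Names of services present in the newer log but absent from the older one."""
    return sorted(newer[k].name for k in newer.keys() - older.keys())


def flag_suspicious(services: Dict[str, Service]) -> Dict[str, List[str]]:
    """Reasons, per service key, why a reviewer should look at an entry."""
    flags: Dict[str, List[str]] = {}
    for key, s in services.items():
        reasons: List[str] = []
        if s.state.endswith("Unknown"):
            reasons.append("running but start type unknown to DDS")
        if not s.path:
            reasons.append("no image path recorded")
        if s.meta in ("x", "?"):
            reasons.append("DDS reported no file date or size ([%s])" % s.meta)
        if reasons:
            flags[key] = reasons
    return flags


if __name__ == "__main__":
    before, after = parse_services(DDS_AUG_09), parse_services(DDS_AUG_22)
    print("added between logs:", new_services(before, after))
    for key, reasons in flag_suspicious(after).items():
        print(after[key].name, "->", "; ".join(reasons))
```

A legitimate entry such as the AVG drivers carries a path, a date and a size, so only the unnamed driver and the leftover McAfee cleanup service are reported.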

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:46 AM

Posted 25 August 2009 - 04:29 PM

Hi mstelzer,

Again welcome to BC HijackThis forum and again sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#7 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 26 August 2009 - 09:58 PM

Hi farbar,
Thanks for the help. I had some trouble getting the ComboFix to install and run. I renamed it to Combo-Fix on my desktop and was able to run. The program installed the Microsoft Windows Recovery Console and said it was successful and then started to scan but the screen went black almost immediatley and then a blue screen came up with white print - too much to read before it disappeared - something about a memory dump?? The computer rebooted and now says the system has recovered from a serious error a log has been created. - I tried to click on that and type here but the computer froze up twice and I have to reboot... AHHH I will try to capture that data after the next restart and send to you shortly.
Thanks!

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:46 AM

Posted 27 August 2009 - 06:33 AM

I believe the rootkit is making trouble here.

:)
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
***************************
:thumbup2:

When the computer crashes after restart the system makes dump files (Minixxxxx.dmp where each x represents a number). I need to see the file to find the cause of the crash.
  • Set Windows to show hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

  • Use the windows search advanced options:
    • Go to start -> Search -> click All files and folders.
    • Click More advanced options.
    • Put a check mark in the box next to search system folders, search hidden files and folders and search sub-folders.
    • Make sure the Case Sensitive box is not checked.
    • Type mini*.dmp in the upper box and click on search.
  • Zip the file and attach it to your reply. To attach the file:
    • When you press the ADDREPLY, under the reply window press Browse... show the path to the zip-file on your computer:
    • Highlight the zip-file and click Open then press the green UPLOAD button.
    Alternatively, instead of zipping and attaching, you can upload the file to the following site and give me the link to the file:
    http://www.mediafire.com/

    Note: The old mini dump files might have already been removed and you have to wait for the next crash and find the file before using cleanup utilities.


#9 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:46 AM

Posted 27 August 2009 - 11:07 AM

farbar,
Thanks for the quick reply - I will not be home again until Friday evening. Will send as soon as I can. Thanks again.
M

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:46 AM

Posted 27 August 2009 - 11:42 AM

Take your time and post the logs when ready mstelzer. Thanks for letting me know.

#11 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:46 AM

Posted 30 August 2009 - 02:35 PM

Farbar
Below is the txt from the RootRepeal you asked me to run. When I searched for the Mini*.dmp it froze up after locating 175 files. I ran again this morning and stopped it after the first 50 came up. They all look the same, same name same time- not sure why it kept finding more. But I zipped and attached the only two different ones. Thanks and let me know what is next!


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 21:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6F50000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADDC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5968000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\combo-fix\progfile.dat
Status: Allocation size mismatch (API: 65536, Raw: 32768)

Path: C:\WINDOWS\system32\UACalvvmmswfdyirmwoy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACckeuohkfqwyonuquo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmrmslplyqi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACogvtctokoaqsmoqbj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACosnfjxgwsaixxxmtl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpdwydqksie.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtkhynfvxygupesjlg.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwvkqirrackxryptjp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxeecichimvhceuowm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxnstymafwo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6135.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb94.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbc11.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbed0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACkfvdpryjqisutkmtk.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC56cf.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\UACmd.exe
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\pure networks\network magic\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 26460, Raw: 26326)

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwvkqirrackxryptjp.dll]
Process: svchost.exe (PID: 920) Address: 0x008d0000 Size: 73728

Object: Hidden Module [Name: UACb94.tmpcichimvhceuowm.dll]
Process: svchost.exe (PID: 920) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACxnstymafwo.dll]
Process: Explorer.EXE (PID: 1836) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACxnstymafwo.dll]
Process: Iexplore.exe (PID: 1856) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACxnstymafwo.dll]
Process: iexplore.exe (PID: 456) Address: 0x10000000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkfvdpryjqisutkmtk.sys

==EOF==


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:46 AM

Posted 31 August 2009 - 12:30 AM

This is a nasty rootkit that seems to be causing those system malfunctions.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Dirvers to delete:
    UACd.sys
    
    Files to delete:
    C:\WINDOWS\system32\drivers\UACkfvdpryjqisutkmtk.sys
    C:\WINDOWS\system32\UACalvvmmswfdyirmwoy.dll
    C:\WINDOWS\system32\UACckeuohkfqwyonuquo.dll
    C:\WINDOWS\system32\UACmrmslplyqi.dll
    C:\WINDOWS\system32\UACpdwydqksie.dll
    C:\WINDOWS\system32\UACtkhynfvxygupesjlg.db
    C:\WINDOWS\system32\UACwvkqirrackxryptjp.dll
    C:\WINDOWS\system32\UACxnstymafwo.dll
    C:\WINDOWS\Temp\UACbc11.tmp
    C:\WINDOWS\Temp\UACbed0.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\UAC56cf.tmp
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
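As an added illustration, not part of the thread and not code from the RootRepeal or Avenger authors: a small parser for the RootRepeal report sections quoted above that keeps only the entries flagged "Invisible to the Windows API!" plus any hidden service, and renders them as the two Avenger directives used in the script above. The report excerpt is constructed from the same entries; the section and field names are assumed to be exactly as RootRepeal prints them in the log quoted here.

```python
# Constructed excerpt in the RootRepeal report format quoted in the thread
# (a few entries from the same sections, not the full log).
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: c:\\combo-fix\\progfile.dat
Status: Allocation size mismatch (API: 65536, Raw: 32768)

Path: C:\\WINDOWS\\system32\\UACxnstymafwo.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\UACkfvdpryjqisutkmtk.sys
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACkfvdpryjqisutkmtk.sys

==EOF==
"""

def parse_rootrepeal(report):
    """Return (hidden_files, hidden_services) from a RootRepeal report.
    Only 'Invisible to the Windows API!' entries are kept; plain size
    mismatches (e.g. a log file being written to) are benign and skipped."""
    files, services, section, last_path = [], [], None, None
    for line in report.splitlines():
        line = line.strip()
        if line in ("Hidden/Locked Files", "Stealth Objects", "Hidden Services"):
            section = line                      # track which report section we are in
        elif section == "Hidden/Locked Files" and line.startswith("Path: "):
            last_path = line[len("Path: "):]    # remember the path; Status follows
        elif section == "Hidden/Locked Files" and line.startswith("Status: "):
            if "Invisible to the Windows API" in line and last_path:
                files.append(last_path)
        elif section == "Hidden Services" and line.startswith("Service Name: "):
            services.append(line[len("Service Name: "):])
    return files, services

def avenger_script(files, services):
    """Render the 'Drivers to delete:' / 'Files to delete:' directives."""
    out = []
    if services:
        out += ["Drivers to delete:"] + services + [""]
    if files:
        out += ["Files to delete:"] + files
    return "\n".join(out)
```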


#13 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:46 AM

Posted 31 August 2009 - 10:25 PM

Farbar,
I was able to run the avenger - had some errors until I realized Driver was misspelled in the code you sent. Once I corrected that I was able to run Avenger -- Log is below.
Thanks
Mstelzer


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Aug 31 22:08:34 2009

22:08:34: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Aug 31 22:09:22 2009

22:09:22: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACkfvdpryjqisutkmtk.sys" deleted successfully.
File "C:\WINDOWS\system32\UACalvvmmswfdyirmwoy.dll" deleted successfully.
File "C:\WINDOWS\system32\UACckeuohkfqwyonuquo.dll" deleted successfully.
File "C:\WINDOWS\system32\UACmrmslplyqi.dll" deleted successfully.
File "C:\WINDOWS\system32\UACpdwydqksie.dll" deleted successfully.
File "C:\WINDOWS\system32\UACtkhynfvxygupesjlg.db" deleted successfully.
File "C:\WINDOWS\system32\UACwvkqirrackxryptjp.dll" deleted successfully.
File "C:\WINDOWS\system32\UACxnstymafwo.dll" deleted successfully.
File "C:\WINDOWS\Temp\UACbc11.tmp" deleted successfully.
File "C:\WINDOWS\Temp\UACbed0.tmp" deleted successfully.
File "C:\Documents and Settings\Administrator\Local Settings\Temp\UAC56cf.tmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:46 AM

Posted 01 September 2009 - 03:03 AM

Driver was misspelled

My bad, I'm sorry for that.

Please now delete your copy of ComboFix from your desktop, download a fresh copy and run it with the same instructions as before and post the log.

#15 mstelzer

mstelzer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:46 AM

Posted 01 September 2009 - 09:26 PM

Farbar,
Thanks again - I was not trying to point out the misspelled word, just the fact that I figured it out on my own! Well this time I was able to run ComboFix (named it Combo-Fix, if that matters). Anyway, I have attached my combofix.txt file.
Have a great day.
Monica
