
I'm not sure if this is the right place for this, but I'll try here first. I spent many hours cleaning a PC for a friend and I think it's more or less done, but I'm not sure. I cleaned off some trojans and a rootkit called UACd using various tools, but I was wondering if someone might look at these logs and let me know if there is anything still lurking about. I forgot to get the GMER log from their PC which still had some references to the UACd.sys thing, but here's the HJT and Combofix logs. Apologies if this is the wrong place for this.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:44:05 AM, on 6/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\WINDOWS\SYSTEM32\Brmfrmps.exe

C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\BRMFRSMG.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

--

End of file - 3414 bytes

Combofix Log:

ComboFix 09-06-26.02 - Flavia 06/28/2009 0:50.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.397 [GMT -4:00]

Running from: c:\av stuff\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Flavia\Start Menu\WinPC Defender.LNK

c:\windows\f49f4daa.dat

c:\windows\ieocx.dll

c:\windows\system32\bszip.dll

c:\windows\system32\drivers\fad.sys

c:\windows\system32\UAChekkluotvrmbbkf.dat

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjqjnkfcpbooclrh.dll

c:\windows\system32\UACphvmvpkyxgltaki.dll

c:\windows\system32\UACxefajrfjndekyqp.dll

c:\windows\system32\UACxqrfttkarrrkqae.dll

.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))

.

2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\system32\scripting

2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\l2schemas

2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\system32\en

2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\system32\bits

2009-06-27 03:10 . 2009-06-27 03:10 -------- d-----w- c:\windows\ServicePackFiles

2009-06-27 03:03 . 2009-06-27 03:03 -------- d-----w- c:\windows\EHome

2009-06-27 02:49 . 2009-06-27 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-06-26 19:52 . 2009-06-26 19:52 -------- d-----w- c:\documents and settings\Flavia\Application Data\Serif

2009-06-26 19:50 . 2009-06-26 19:50 -------- d-----w- c:\program files\Serif

2009-06-26 05:18 . 2009-06-26 05:18 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-26 05:16 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Flavia\Application Data\U3\temp\cleanup.exe

2009-06-26 05:13 . 2009-06-28 04:45 -------- d-----w- C:\AV Stuff

2009-06-26 05:12 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Flavia\Application Data\U3\temp\Launchpad Removal.exe

2009-06-26 05:12 . 2009-06-27 02:48 -------- d-----w- c:\documents and settings\Flavia\Application Data\U3

2009-06-26 03:50 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe

2009-06-26 03:49 . 2009-06-26 03:50 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-26 03:47 . 2009-06-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-06-26 03:47 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe

2009-06-26 03:46 . 2009-06-26 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-06-17 19:32 . 2009-06-17 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-17 19:29 . 2009-06-17 19:30 -------- d-----w- c:\program files\QuickTime

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-27 15:07 . 2005-01-05 16:44 36824 ----a-w- c:\documents and settings\Flavia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-27 05:35 . 2009-06-27 05:35 -------- d-----w- c:\program files\Trend Micro

2009-06-27 03:35 . 2004-12-13 06:37 -------- d-----w- c:\program files\Common Files\AOL

2009-06-27 03:35 . 2006-12-30 22:39 -------- d-----w- c:\program files\Apple Software Update

2009-06-27 03:15 . 2004-08-10 19:13 77939 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat

2009-06-27 02:55 . 2006-05-01 15:29 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-06-27 02:55 . 2006-05-01 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-06-26 04:55 . 2006-05-01 17:54 -------- d-----w- c:\program files\Norton AntiVirus

2009-06-26 04:50 . 2008-12-23 17:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-26 03:44 . 2008-12-24 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-05-26 02:12 . 2009-05-26 02:09 19968 ----a-w- c:\windows\system32\UACplfsxhncrfamsty.dll

2009-05-26 02:10 . 2009-05-26 02:09 0 ----a-w- c:\documents and settings\Flavia\Application Data\~ygw.tmp

2009-05-07 15:32 . 2004-08-04 11:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:46 . 2004-08-04 11:00 666624 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:46 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-04-17 12:26 . 2004-08-04 11:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-08-04 11:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2002-09-11 14:26 . 2005-01-05 16:56 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf

2005-07-01 20:11 . 2005-07-01 20:09 56 --sh--r- c:\windows\SYSTEM32\CCDFAF4DD7.sys

2008-10-12 20:45 . 2005-07-01 20:09 1682 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]

R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]

R3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [1/12/2005 1:40 PM 2944]

R3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [1/12/2005 2:09 PM 61952]

R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [1/12/2005 1:40 PM 11008]

R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [1/12/2005 1:34 PM 10368]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]

S4 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tintinyproxyy\tinyproxy.exe --> c:\program files\tintinyproxyy\tinyproxy.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj

*Deregistered* - PROCEXP113

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.dell4me.com/myway

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\Flavia\Application Data\Mozilla\Firefox\Profiles\kxfrh36q.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\Flavia\Application Data\Mozilla\Firefox\Profiles\kxfrh36q.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll

FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-28 00:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1958075824-33202566-2454855625-1007\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_982C2F88C92FA63E\0000]

@DACL=(02 0000)

"Service"="982C2F88C92FA63E"

"Legacy"=dword:00000001

"ConfigFlags"=dword:00000000

"Class"="LegacyDriver"

"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

"DeviceDesc"="982C2F88C92FA63E"

"Capabilities"=dword:00000000

.

Completion time: 2009-06-28 1:00

ComboFix-quarantined-files.txt 2009-06-28 05:00

Pre-Run: 51,623,006,208 bytes free

Post-Run: 53,872,893,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

162 --- E O F --- 2009-06-27 03:45

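As an added example (not code from this thread, from ComboFix or from HijackThis), here is a small Python triage script that encodes the indicators a reviewer would pick out of the logs above: a service claiming to be the Windows DHCP Client but running from a misspelled program folder, randomly named UAC*.dll files in system32, Security Center notifications switched off, and a legacy driver entry named with random hex. The sample lines are copied from the logs; the core-service list and the rule thresholds are assumptions.

```python
import re

# Constructed sample: lines copied from the HJT and ComboFix logs posted above.
SAMPLE_LINES = [
    r"O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe",
    r"R3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [1/12/2005 1:40 PM 2944]",
    r"S4 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tintinyproxyy\tinyproxy.exe"
    r" --> c:\program files\tintinyproxyy\tinyproxy.exe [?]",
    r"2009-05-26 02:12 . 2009-05-26 02:09 19968 ----a-w- c:\windows\system32\UACplfsxhncrfamsty.dll",
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"UpdatesDisableNotify"=dword:00000001',
    r'"Service"="982C2F88C92FA63E"',
]

# ComboFix service/driver line: "<R|S><n> <name>;<display name>;<image path> ..."
SERVICE_RE = re.compile(r"^[RS]\d+ (?P<name>[^;]+?)\s*;(?P<display>[^;]+?)\s*;(?P<path>.+?)(?: -->| \[)")
# Randomly named UAC*.dll/.sys/.dat files in system32 (the UACd rootkit pattern seen in these logs).
UAC_FILE_RE = re.compile(r"\\UAC[a-z]*\.(?:dll|sys|dat)$", re.IGNORECASE)
# Security Center "do not notify" flags, as shown in the Reg Loading Points section.
SECCENTER_RE = re.compile(r'^"(AntiVirusDisableNotify|UpdatesDisableNotify|FirewallDisableNotify)"=dword:0*1$')
# Legacy driver enum entry whose service name is 16 hex digits (the locked key in the log).
LEGACY_HEX_RE = re.compile(r'^"(?:Service|DeviceDesc)"="([0-9A-F]{16})"$')

# Assumed list of built-in XP services that must run from %SystemRoot%; extend as needed.
CORE_SERVICES = ("dhcp client", "dns client", "windows time")
SYSTEM_ROOT = "c:\\windows\\"


def triage(lines):
    """Return (severity, reason, line) for each log line that matches a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            display, path = m.group("display").lower(), m.group("path").lower()
            if any(core in display for core in CORE_SERVICES) and not path.startswith(SYSTEM_ROOT):
                findings.append(("high", "core Windows service name with image outside %SystemRoot%", line))
            if line.endswith("[?]"):
                findings.append(("medium", "ComboFix could not report file details ([?]) for the image", line))
        if UAC_FILE_RE.search(line) and "\\system32\\" in line.lower():
            findings.append(("high", "UAC-prefixed random file name in system32 (UACd rootkit pattern)", line))
        if SECCENTER_RE.match(line):
            findings.append(("medium", "Security Center notification disabled in the registry", line))
        m = LEGACY_HEX_RE.match(line)
        if m:
            findings.append(("medium", "legacy driver entry named with random hex: " + m.group(1), line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Feed it the full ComboFix and HJT logs (one line per list entry) and the benign Brother and InCD entries pass silently while the four indicators above are listed.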

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
DHCP Client (Dhcp)
File::
c:\program files\tintinyproxyy\tinyproxy.exe
c:\windows\SYSTEM32\CCDFAF4DD7.sys
Folder::
c:\program files\tintinyproxyy
RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_982C2F88C92FA63E\0000]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log on your next reply

STEP 03

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.

    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 04

Download and install CCleaner

  • Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

RESTART THE COMPUTER NOW

STEP 05

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 06

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


Hello and thanks for your reply. I will try and get this done tonight if possible; I have to go over to a friend's place to do it. Before I got your reply I did a little more cleaning up and got rid of tinyproxy and whatever it was trying to do with DHCP, but there may still be some registry stuff somewhere. I couldn't get rid of this one UACd.sys entry in the registry; then I noticed no one had permissions to touch it, so I changed that and trashed it. There's another entry that won't let me do anything with it at all, not even change permissions, and I think it's that 982C2F88C92FA63E thing, whatever that is. The system is running great and Malwarebytes says it's clean, but I'll still do as you suggest, seeing as there seem to be some last vestiges of things still around. I'll post back when I get it done. Thanks again for your time and help.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
