Noddy11 Posted June 28, 2009 ID:93859

I'm not sure if this is the right place for this, but I'll try here first. I spent many hours cleaning a PC for a friend and I think it's more or less done, but I'm not sure. I cleaned off some trojans and a rootkit called UACd using various tools, but I was wondering if someone might look at these logs and let me know if there is anything still lurking about. I forgot to get the GMER log from their PC which still had some references to the UACd.sys thing, but here's the HJT and Combofix logs. Apologies if this is the wrong place for this.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:05 AM, on 6/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 3414 bytes

Combofix Log:

ComboFix 09-06-26.02 - Flavia 06/28/2009 0:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.397 [GMT -4:00]
Running from: c:\av stuff\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Flavia\Start Menu\WinPC Defender.LNK
c:\windows\f49f4daa.dat
c:\windows\ieocx.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\UAChekkluotvrmbbkf.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjqjnkfcpbooclrh.dll
c:\windows\system32\UACphvmvpkyxgltaki.dll
c:\windows\system32\UACxefajrfjndekyqp.dll
c:\windows\system32\UACxqrfttkarrrkqae.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\system32\scripting
2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\l2schemas
2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\system32\en
2009-06-27 03:12 . 2009-06-27 03:12 -------- d-----w- c:\windows\system32\bits
2009-06-27 03:10 . 2009-06-27 03:10 -------- d-----w- c:\windows\ServicePackFiles
2009-06-27 03:03 . 2009-06-27 03:03 -------- d-----w- c:\windows\EHome
2009-06-27 02:49 . 2009-06-27 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-26 19:52 . 2009-06-26 19:52 -------- d-----w- c:\documents and settings\Flavia\Application Data\Serif
2009-06-26 19:50 . 2009-06-26 19:50 -------- d-----w- c:\program files\Serif
2009-06-26 05:18 . 2009-06-26 05:18 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 05:16 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Flavia\Application Data\U3\temp\cleanup.exe
2009-06-26 05:13 . 2009-06-28 04:45 -------- d-----w- C:\AV Stuff
2009-06-26 05:12 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Flavia\Application Data\U3\temp\Launchpad Removal.exe
2009-06-26 05:12 . 2009-06-27 02:48 -------- d-----w- c:\documents and settings\Flavia\Application Data\U3
2009-06-26 03:50 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2009-06-26 03:49 . 2009-06-26 03:50 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-26 03:47 . 2009-06-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-26 03:47 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-06-26 03:46 . 2009-06-26 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-06-17 19:32 . 2009-06-17 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-17 19:29 . 2009-06-17 19:30 -------- d-----w- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 15:07 . 2005-01-05 16:44 36824 ----a-w- c:\documents and settings\Flavia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 05:35 . 2009-06-27 05:35 -------- d-----w- c:\program files\Trend Micro
2009-06-27 03:35 . 2004-12-13 06:37 -------- d-----w- c:\program files\Common Files\AOL
2009-06-27 03:35 . 2006-12-30 22:39 -------- d-----w- c:\program files\Apple Software Update
2009-06-27 03:15 . 2004-08-10 19:13 77939 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-06-27 02:55 . 2006-05-01 15:29 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-27 02:55 . 2006-05-01 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-26 04:55 . 2006-05-01 17:54 -------- d-----w- c:\program files\Norton AntiVirus
2009-06-26 04:50 . 2008-12-23 17:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-26 03:44 . 2008-12-24 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 02:12 . 2009-05-26 02:09 19968 ----a-w- c:\windows\system32\UACplfsxhncrfamsty.dll
2009-05-26 02:10 . 2009-05-26 02:09 0 ----a-w- c:\documents and settings\Flavia\Application Data\~ygw.tmp
2009-05-07 15:32 . 2004-08-04 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-08-04 11:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 11:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 11:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2002-09-11 14:26 . 2005-01-05 16:56 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
2005-07-01 20:11 . 2005-07-01 20:09 56 --sh--r- c:\windows\SYSTEM32\CCDFAF4DD7.sys
2008-10-12 20:45 . 2005-07-01 20:09 1682 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [1/12/2005 1:40 PM 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [1/12/2005 2:09 PM 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [1/12/2005 1:40 PM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [1/12/2005 1:34 PM 10368]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S4 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tintinyproxyy\tinyproxy.exe --> c:\program files\tintinyproxyy\tinyproxy.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Flavia\Application Data\Mozilla\Firefox\Profiles\kxfrh36q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Flavia\Application Data\Mozilla\Firefox\Profiles\kxfrh36q.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 00:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1958075824-33202566-2454855625-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_982C2F88C92FA63E\0000]
@DACL=(02 0000)
"Service"="982C2F88C92FA63E"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="982C2F88C92FA63E"
"Capabilities"=dword:00000000
.
Completion time: 2009-06-28 1:00
ComboFix-quarantined-files.txt 2009-06-28 05:00

Pre-Run: 51,623,006,208 bytes free
Post-Run: 53,872,893,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

162 --- E O F --- 2009-06-27 03:45
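Added example (not part of the thread, and not code from Malwarebytes, HijackThis or ComboFix): a small Python triage script that parses HijackThis "O23 - Service:" entries and ComboFix service (R*/S*) and file entries in the formats shown in the logs above, and flags the two things a helper reading those logs would circle first: system32 files with the UAC-prefixed random names that appear in the ComboFix "Other Deletions" list, and a service that carries a built-in Windows service name (here "DHCP Client (Dhcp)") but whose image path is outside the Windows directory. The sample lines, the BUILTIN_SERVICE_NAMES list and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the formats of the HijackThis O23 entries and the
# ComboFix service (R2/S4) and file entries posted above. Made up for this
# example; not copied from the poster's machine.
SAMPLE_LINES = [
    r"O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe",
    r"O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\tintinyproxyy\tinyproxy.exe",
    r"R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]",
    r"S4 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tintinyproxyy\tinyproxy.exe --> c:\program files\tintinyproxyy\tinyproxy.exe [?]",
    r"S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]",
    r"c:\windows\system32\UACjqjnkfcpbooclrh.dll",
    r"2009-05-26 02:12 . 2009-05-26 02:09 19968 ----a-w- c:\windows\system32\UACplfsxhncrfamsty.dll",
    r"c:\windows\system32\uacinit.dll",
]

# Display names of services that Windows itself hosts from svchost.exe under
# %SystemRoot%. Assumption for the example: a short list; extend as needed.
BUILTIN_SERVICE_NAMES = {"dhcp client", "dns client", "workstation", "server", "automatic updates"}

HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
COMBOFIX_SVC = re.compile(r"^[RS]\d (?P<short>[^;]+);(?P<display>[^;]+);(?P<rest>.+)$")
# File names of the form system32\UAC<random letters>.dll/.sys/.dat, the naming
# pattern seen in the ComboFix "Other Deletions" list above.
UAC_FILE = re.compile(r"\\system32\\uac[a-z]+\.(?:dll|sys|dat)\b", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def parse_hjt_service(line: str) -> Optional[Dict[str, str]]:
    """Parse an HJT 'O23 - Service:' line into name, owner and image path."""
    m = HJT_O23.match(line)
    return m.groupdict() if m else None


def parse_combofix_service(line: str) -> Optional[Dict[str, str]]:
    """Parse a ComboFix R*/S* service line. Drops the '--> ...' echo and the
    trailing '[date size]' or '[?]' bracket so only the image path remains."""
    m = COMBOFIX_SVC.match(line)
    if not m:
        return None
    rest = m.group("rest").split(" --> ", 1)[0]
    rest = re.sub(r" \[[^\]]*\]$", "", rest)
    return {"name": m.group("display").strip(), "path": rest.strip()}


def normalize_path(path: str) -> str:
    """Strip the NT '\\??\\' prefix and quotes, and lowercase for comparison."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def base_service_name(name: str) -> str:
    """'DHCP Client (Dhcp)' -> 'dhcp client' (drop the short-name suffix)."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", name).strip().lower()


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, in input order."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, 1):
        svc = parse_hjt_service(line) or parse_combofix_service(line)
        # A service using a built-in Windows name should live under %SystemRoot%.
        if svc and base_service_name(svc["name"]) in BUILTIN_SERVICE_NAMES \
                and not WINDOWS_DIR.match(normalize_path(svc["path"])):
            findings.append({"check": "service_path_mismatch", "line_no": line_no,
                             "detail": f'{svc["name"]} -> {svc["path"]}'})
        # Randomly named UAC* files in system32, as deleted by ComboFix above.
        if UAC_FILE.search(line):
            findings.append({"check": "uac_rootkit_file", "line_no": line_no,
                             "detail": line.rsplit("\\", 1)[-1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f'line {f["line_no"]}: {f["check"]}: {f["detail"]}')
```

Run as-is it reports the two "DHCP Client (Dhcp)" entries pointing at tinyproxy.exe and the three UAC-named DLLs; feed it the lines of a real HJT or ComboFix log (one string per line) to get the same two checks over that log. The checks are deliberately narrow heuristics tied to what this thread shows, not a general malware scanner.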
AdvancedSetup (Root Admin) Posted June 28, 2009 ID:94000

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
DHCP Client (Dhcp)

File::
c:\program files\tintinyproxyy\tinyproxy.exe
c:\windows\SYSTEM32\CCDFAF4DD7.sys

Folder::
c:\program files\tintinyproxyy

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_982C2F88C92FA63E\0000]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply. If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log on your next reply

STEP 03
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply.
Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

STEP 04
Download and install CCleaner
CCleaner
Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.
Keep the default installation folder "C:\Program Files\CCleaner"
Click finish when done and close ALL PROGRAMS
Start the CCleaner program.
Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
Click on Run Cleaner button on the bottom right side of the program.
Click OK to any prompts
RESTART THE COMPUTER NOW

STEP 05
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.
Go to http://java.sun.com/javase/downloads/index.jsp
Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
In Platform box choose Windows.
Check the box to Accept License Agreement and click Continue.
Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
Uncheck the Toolbar button (unless you want the toolbar)
Reboot your computer

STEP 06
Run Kaspersky Online AV Scanner
Please go to Kaspersky website and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
- Click on My Computer under Scan and then put the kettle on!
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
Noddy11 (Author) Posted June 30, 2009 ID:94367

Hello and thanks for your reply. I will try and get this done tonight if possible, I have to go over to a friend's place to do it. Before I got your reply I did a little more cleaning up and got rid of tinyproxy and whatever it was trying to do with DHCP, but there may still be some registry stuff somewhere. I couldn't get rid of this one UACd.sys entry in the registry, then I noticed no one had permissions to touch it so I changed that and trashed it. There's another entry that won't let me do anything with it at all, not even change permissions, and I think it's that 982C2F88C92FA63E thing whatever that is. The system is running great and Malwarebytes says it's clean, but I'll still do as you suggest seeing as there seems to be some last vestiges of things still around. I'll post back when I get it done. Thanks again for your time and help.
AdvancedSetup (Root Admin) Posted June 30, 2009 ID:94443

Okay please do. Please do not install other tools or software while we're working on this unless requested to.
Thanks.
AdvancedSetup (Root Admin) Posted July 1, 2009 ID:94759

Please post a status update on this.
AdvancedSetup (Root Admin) Posted July 3, 2009 ID:95282

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.