
I picked this up on my scan


I hope this is the right forum sub-bracket I'm in. >.<

Well, did a scan and this came up:

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 2

15/07/2009 2:11:58 PM

mbam-log-2009-07-15 (14-11-58).txt

Scan type: Quick Scan

Objects scanned: 118313

Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

And like I said earlier, upon reboot, the uacinit.dll and UAC rootkit don't get fixed or removed.

I also want to add that I did an Ad-Aware scan and removed 3 infections, but they keep coming back upon restart.

\\?\globalroot\systemroot\system32\uacyimvqojbrtwwinecx.dll

C:\WINDOWS\system32\UACmkhscdguxfudwwjxv.dll

C:\WINDOWS\system32\UACyimvqojbrtwwinecx.dll

UAC seems to be a commonality between all these buggers >.<


Ok, just ran hijack this, big post soon:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:01:23 PM, on 15/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\stsystra.exe

C:\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.as...;l=en&s=gen

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (file missing)

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (file missing)

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [bootSkin Startup Jobs] "C:\Bootskin\BootSkin\BootSkin.exe" /StartupJobs

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Daemon Tools\DAEMON Tools Pro\DAEMON Tools Lite\daemon.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166844152234

O16 - DPF: {7D4733C0-C43B-4A81-AF43-F9B20D1F8348} - http://www.octoshape.com/test/ax/octoshape.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel


Hi ya,

Said I would meet ya down here :(

Right, you have the UAC variant of the CLB/WinNT Alureon rootkit on board.

We need to attack the driver in order to get this beasty laid to waste, so please use the following walkthrough as a fix/guide.

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Once you have wiped the file, reboot and run an MBAM Quick Scan and allow it to remove what it finds.

Reboot the PC then post back the MBAM log generated from that scan.

Thanks in advance :)


Ok, so did the scan thing, not 100% sure on something:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/15 17:35

Program Version: Version 1.3.2.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruigneoqnhi.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruijbykbhkv.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixaxiwuee.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixirlrjmi.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACacciqvobsygyxgmfd.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACbihvcuffdjdxtfdij.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmkhscdguxfudwwjxv.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnextjgpmsoykdmtrv.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACslkmppashwtxuqhjh.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtlqdjnmhdrijhjrpt.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyimvqojbrtwwinecx.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC653f.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6b89.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7453.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7879.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7d3c.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc0bb.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc7b0.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACce57.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd52d.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACdb76.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe0f5.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruistfpyckkio.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiuxoakyolnd.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACjvbfcihcpbvlsoblu.sys

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruifwirdkko.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Temp\UAC58cb.tmp

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacyimvqojbrtwwinecx.dll.f376ca4a672e76102b96ef6c3247e0.aawqff

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\14\15-{A4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\14\15-{A4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\14\15-{A4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.3

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\14\15-{A4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\17\17-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v17-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v17-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\18\18-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v18-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v18-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\19\19-{9C4A7D62-E672-4FE7-A5FE-E0D3A3B2E6E9}-v19-{9C4A7D62-E672-4FE7-A5FE-E0D3A3B2E6E9}-v19-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\19\19-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v19-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v19-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\20\20-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v20-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v20-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\21\21-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v21-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v21-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Messenger\mattminimini@hotmail.com\SharingMetadata\someonerules2@hotmail.com\DFSR\Staging\CS{CF36F486-05D0-A263-AF03-42E656466C10}\22\22-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v22-{A4011549-CBF4-4CCE-A24E-6D3A598415F9}-v22-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\5CFJFN5A\g-ecx.images-amazon.com\images\G\01\x-locale\personalization\uts\flash:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

==EOF==

I saw 3 .sys files there, 2 of which I'm pretty sure are the ones I'm supposed to nuke. But hiberfil.sys, I'm not sure what I should do with that one.

And what about the other ones that don't start with UAC or hjgrui?


Hi ya,

Uh-oh, double bubble... got yourself a pair of CLB variants there :(

Don't touch hiberfil.sys, that's the legitimate Hibernation driver for the PC.

All you need to do is wipe the 2 .sys files that have the target prefixes (UAC + hjgrui) and Reboot!!!

Don't worry about the rest of the files, as the MBAM Quick Scan will be opening a whole can of whoop on them when you run it :)

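A triage pass over RootRepeal output that applies the rules the helper gives above (hidden files with the UAC or hjgrui prefix belong to the infection, the two hidden .sys files are the drivers to wipe, hiberfil.sys is locked but legitimate and is left alone). This is an added example, not code from the thread or from Malwarebytes; the sample excerpt is constructed from the log posted above, and the rule that a file under an Ad-Aware Quarantine folder is a captured copy rather than a live component is an assumption of the example.

```python
import ntpath

# Constructed excerpt in RootRepeal's "Path:/Status:" layout. The file names
# are taken from the log posted above, trimmed to a few representative entries.
SAMPLE_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\hjgruigneoqnhi.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UACjvbfcihcpbvlsoblu.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\hjgruifwirdkko.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacyimvqojbrtwwinecx.dll.aawqff
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Matthew\Application Data\Macromedia\Flash Player\#SharedObjects\flash:{59828bbb}.rdc.1
Status: Invisible to the Windows API!
==EOF==
"""

# File-name prefixes the helper ties to this infection (UAC and hjgrui).
ROOTKIT_PREFIXES = ("uac", "hjgrui")
# Locked system files that are expected on XP and must be left alone.
LEGIT_LOCKED = {"hiberfil.sys"}


def parse_rootrepeal(text):
    """Return (path, status) pairs from the Hidden/Locked Files section."""
    entries, path = [], None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):].strip()))
            path = None
    if path is not None:  # Path with no Status line, e.g. a truncated log
        entries.append((path, "unknown"))
    return entries


def classify(path, status):
    """Bucket one entry by the rules the helper gave in the thread."""
    name = ntpath.basename(path).lower()
    if name in LEGIT_LOCKED and status.startswith("Locked"):
        return "legitimate"          # hiberfil.sys: locked, not hidden, expected
    if "\\quarantine\\" in path.lower():
        return "quarantined"         # assumption: a copy another tool already captured
    if name.startswith(ROOTKIT_PREFIXES) and status.startswith("Invisible"):
        # The hidden .sys files are the drivers to wipe; the rest is left to MBAM.
        return "driver" if name.endswith(".sys") else "component"
    return "review"                  # hidden but unexplained, needs a human look


def triage(text):
    """Map each bucket name to the list of paths that fell into it."""
    buckets = {}
    for path, status in parse_rootrepeal(text):
        buckets.setdefault(classify(path, status), []).append(path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Entries in the "review" bucket (here the Flash Player alternate data stream) are the ones the OP asked about: they carry neither prefix and so are not explained by the thread's rules.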


Alright, thanks for all your help :(
