Jump to content

Can't Remove uacinit.dll


Recommended Posts

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:41:51 AM, on 8/15/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18813)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Windows\tsnp2std.exe

C:\Windows\vsnp2std.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\MP4 Player\Mp4Player.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O1 - Hosts: ::1 localhost

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll

O2 - BHO: (no name) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\Windows\vsnp2std.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')

O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O13 - Gopher Prefix:

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CAB

O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: Google Update Service (gupdate1c9aa7d3acff170) (gupdate1c9aa7d3acff170) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--

End of file - 11821 bytes

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6001 Service Pack 1

8/15/2009 8:32:28 AM

mbam-log-2009-08-15 (08-32-28).txt

Scan type: Quick Scan

Objects scanned: 93152

Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Link to post
Share on other sites

Hello lil,

I seriously doubt that HJT would be the origin of the message regarding Genuine Microsoft Software. I highly suspect it is something else altogether.

Please advise if your pc has a Certificate of authenticty sticker on it's case.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Go here and download RootRepeal to your Desktop. Doubleclick to extract the compressed file to it's own folder and then rightclick on RootRepeal.exe and choose "Run as Administrator" Click on the Report tab and then click on Scan. A Windows will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers

Files

Processes

Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

Link to post
Share on other sites

Root Repeal received an error:

17:10:49: Unrecognized partition type 6 (0x6)!

17:10:49: Could not read system registry! Please contact the author!

This is the log file it created up to the point of the error:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/15 17:10

Program Version: Version 1.3.5.0

Windows Version: Windows Vista SP1

==================================================

Drivers

-------------------

Name: dump_diskdump.sys

Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys

Address: 0x8CB70000 Size: 40960 File Visible: No Signed: -

Status: -

Name: dump_nvstor32.sys

Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys

Address: 0x8CB7A000 Size: 147456 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\Windows\system32\drivers\rootrepeal.sys

Address: 0x9CDC0000 Size: 49152 File Visible: No Signed: -

Status: -

Name: SKYNETeofmlnks.sys

Image Path: C:\Windows\system32\drivers\SKYNETeofmlnks.sys

Address: 0x8C417000 Size: 151552 File Visible: - Signed: -

Status: Hidden from the Windows API!

Processes

-------------------

Path: System

PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe

PID: 1332 Status: Locked to the Windows API!

==EOF==

Link to post
Share on other sites

Since this is on Vista, in most all the tools I will have you use, you will need to First, do a RIGHT-Click on the program shortcut, link, or the executable .... and then select RUN As Administrator

Please always remember that !!

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

eusa_hand.gif

If you are a casual viewer, do NOT try this on your system!

If you are not lilhokie and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gif Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Start with this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Next, download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Right-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\Windows\system32\drivers\SKYNETeofmlnks.sys

    Drivers to delete:
    SKYNETeofmlnks.sys
    SKYNETeofmlnks


  • In the avenger window, click the Paste Script from Clipboard icon, pastets4.png button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following to begin Combofix

Combo-Fix.exe

and press Enter key

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once without asking me first.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Avenger.txt

& C:\Combofix.txt

Link to post
Share on other sites

Here's the text of avenger.txt. I'm continuing onto the next step of your instructions....

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: could not delete file "C:\Windows\system32\drivers\SKYNETeofmlnks.sys"

Deletion of file "C:\Windows\system32\drivers\SKYNETeofmlnks.sys" failed!

Status: 0xc0000156

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETeofmlnks.sys" not found!

Deletion of driver "SKYNETeofmlnks.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETeofmlnks" not found!

Deletion of driver "SKYNETeofmlnks" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

Combo Fix ran for awhile and rebooted the machine a few times....

Before the 1st time, It asked me to jot down some files:

c:\windows\system32\drivers\UACrmsdaeinwl.sys

c:\windows\system32\UACvvbockrnyv.dll

c:\windows\system32\UACcjwxpwtskv.dll

c:\windows\system32\UACuveeagtjfc.dll

c:\windows\system32\UACsunwombpbj.db

c:\windows\system32\UACppqcaqaknv.dll

c:\windows\system32\UACiqbqdeoxtq.dll

After the 3rd time it rebooted, I got the message that an unauthorized change was made to windows. WHen I click on the "Learn More" button, it takes me to this link:

http://www.microsoft.com/genuine/downloads....1033&RFM=2

When this happened earlier, I removed Hijack this and the problem went away. My computer came with Windows Vista on it, it has the a Certificate of authenticity sticker on it's case. It's an Acer Aspire with and AMD Athelon processor.

Link to post
Share on other sites

When I close the browser that is opened after the Unauthorized change message, then click close, it takes me back to the login screen. It will not actually boot windows, it only allows me to get to a browser to view their knowledge base about the problem. I can then open another tab to reply here. Using the browser, I was able to find out that the file "c:\combofix.txt" does not exist, so it did not complete it's execution.

I'll wait to hear back from you before doing anything else.

Link to post
Share on other sites

Do a new run of The Avenger

If you must, restart (reboot) your system fresh beforehand.

  • Right-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\UACrmsdaeinwl.sys
    c:\windows\system32\UACvvbockrnyv.dll
    c:\windows\system32\UACcjwxpwtskv.dll
    c:\windows\system32\UACuveeagtjfc.dll
    c:\windows\system32\UACsunwombpbj.db
    c:\windows\system32\UACppqcaqaknv.dll
    c:\windows\system32\UACiqbqdeoxtq.dll

    Drivers to delete:
    UACrmsdaeinwl.sys
    UACrmsdaeinwl
    UACr
    UACrserv
    UACd.sys
    UACd


  • In the avenger window, click the Paste Script from Clipboard icon, pastets4.png button.
  • icon_exclaim.gifMake sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

eusa_hand.gifIf one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of C:\Avenger.txt;
  • the contents of OTL.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Link to post
Share on other sites

FYI - I turned the computer off (instead of just doing a reboot) and then restarted. This time, windows opened fine and the combofix that I started last night is continuing to run. I will post the log (if it completes) and wait to hear from you before I run Avenger again.

Link to post
Share on other sites

BTW - Thank you for all of your help so far.... It is truly appreciated.
You are quite welcome. Glad to be of assistance.

That was a very good move on your part on powering off and getting Combofix to get going.

I'm modifying the Avenger scan below and adding a couple of other runs. The Combofix noted a bit of remnant of the rootkit and hopefully this next Avenger pass will complete the task.

  • Right-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\UACrmsdaeinwl.sys
    c:\windows\system32\drivers\SKYNETeofmlnks.sys
    c:\windows\system32\UACvvbockrnyv.dll
    c:\windows\system32\UACcjwxpwtskv.dll
    c:\windows\system32\UACuveeagtjfc.dll
    c:\windows\system32\UACsunwombpbj.db
    c:\windows\system32\UACppqcaqaknv.dll
    c:\windows\system32\UACiqbqdeoxtq.dll

    Registry keys to delete:
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]

    Drivers to delete:
    SKYNETedmvxtii
    UACrmsdaeinwl.sys
    UACrmsdaeinwl
    UACr
    UACrserv
    UACd.sys
    UACd


  • In the avenger window, click the Paste Script from Clipboard icon, pastets4.png button.
  • icon_exclaim.gifMake sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2635 or later. The latest program version is 1.40

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Reply with copy of C:\Avenger.txt

the latest MBAM scan log

the Sysclean log

Link to post
Share on other sites

When running avenger, after saying Yes to Are you sure you want to execute the script, I got the following Error: "Error: Invalid registry syntax in command: "[-HKEY_LOCAL_MACHINE_SYSTEM]ControlSet001\Services\SKYNETedmvxtii]" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode)."

I then selected OK, And OK to continue script execution. Everything else seemed to go as described in your instructions.

Was the dash not supposed to be in the script?

Link to post
Share on other sites

Avenger Log:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)

Sun Aug 16 17:36:25 2009

17:36:09: Error: Invalid registry syntax in command:

"[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]"

Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.

Skipping line. (Registry key deletion mode)

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\windows\system32\drivers\UACrmsdaeinwl.sys" not found!

Deletion of file "c:\windows\system32\drivers\UACrmsdaeinwl.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not delete file "c:\windows\system32\drivers\SKYNETeofmlnks.sys"

Deletion of file "c:\windows\system32\drivers\SKYNETeofmlnks.sys" failed!

Status: 0xc0000156

Error: file "c:\windows\system32\UACvvbockrnyv.dll" not found!

Deletion of file "c:\windows\system32\UACvvbockrnyv.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\UACcjwxpwtskv.dll" not found!

Deletion of file "c:\windows\system32\UACcjwxpwtskv.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\UACuveeagtjfc.dll" not found!

Deletion of file "c:\windows\system32\UACuveeagtjfc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\UACsunwombpbj.db" not found!

Deletion of file "c:\windows\system32\UACsunwombpbj.db" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\UACppqcaqaknv.dll" not found!

Deletion of file "c:\windows\system32\UACppqcaqaknv.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\UACiqbqdeoxtq.dll" not found!

Deletion of file "c:\windows\system32\UACiqbqdeoxtq.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "SKYNETedmvxtii" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrmsdaeinwl.sys" not found!

Deletion of driver "UACrmsdaeinwl.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrmsdaeinwl" not found!

Deletion of driver "UACrmsdaeinwl" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACr" not found!

Deletion of driver "UACr" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrserv" not found!

Deletion of driver "UACrserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!

Deletion of driver "UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!

Deletion of driver "UACd" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

I still need to run the Trend Micro Sysclean Package

MBAM Log:

Malwarebytes' Anti-Malware 1.40

Database version: 2636

Windows 6.0.6001 Service Pack 1

8/16/2009 5:44:59 PM

mbam-log-2009-08-16 (17-44-59).txt

Scan type: Quick Scan

Objects scanned: 93562

Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\momanddad\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Link to post
Share on other sites

When running avenger, after saying Yes to Are you sure you want to execute the script, I got the following Error: "Error: Invalid registry syntax in command: "[-HKEY_LOCAL_MACHINE_SYSTEM]ControlSet001\Services\SKYNETedmvxtii]" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode)."

I then selected OK, And OK to continue script execution. Everything else seemed to go as described in your instructions.

Was the dash not supposed to be in the script?

The dash was intended. We did ok. The rootkit service has been quashed.

Do not be concerned. Please keep on with the SYSCLEAN run and when done. post that log, and then await my next reply.

Link to post
Share on other sites

After all of these posts, I'm not even 1/4 of the way through the file. Is there another way to get it to you?

It continues through a long list of files and after the files, this is the end:

32248 files have been read.

32248 files have been checked.

32248 files have been scanned.

213422 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 8/16/2009 22:26:15 42 minutes 32 seconds (2552.82 seconds) has elapsed.(79.162 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

Link to post
Share on other sites

Stop posting any further snippets from the Sysclean log. Those are un-useable and just makes one wonder if you downloaded and setup all 3 components of Sysclean as requested. I will remove the others you posted. We cannot make any use of them.

Instead, do an online scan.

You will want to print out or copy these instructions to Notepad for offline reference!

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break popcorn.gifpepsi.gif

Link to post
Share on other sites

I thought I followed all of the instructions on the last scanner. I downloaded and extracted all three modules and put them in a directly on my hard drive. But I guess I must have missed something.

Here's the ESET Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6048

# api_version=3.0.2

# EOSSerial=8fe4f13c6fa7f44da10e2c063c38ed9d

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-08-17 10:14:32

# local_time=2009-08-17 06:14:32 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=5121 61 100 88 493720621472328

# compatibility_mode=5889 61 66 100 498189533375836

# scanned=239653

# found=1

# cleaned=1

# scan_time=3915

C:\Qoobox\Quarantine\C\Windows\System32\drivers\UACrmsdaeinwl.sys.vir a variant of Win32/Olmarik.HI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

Very good. The Eset scan only found a item already in quarantine. This is good to go after these next steps.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.

=

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should to un-install it.

Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double click Program and features}.

Look for it and click the line for it. Select Change/Remove to de-install it.

Un-install Eset online scan.

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( combofix.exe icon_exclaim.gif), put that name in the RUN box stated just below.

The "/u" in the command line below is to start Combofix for it's cleanup & removal function.

Note the space after x and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    In the command box that opens, type or copy/paste
    combofix /u
    and then press ENTER key.

  • Right-click OTL.exe otlDesktopIcon.png and then select "Run as administrator" to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Delete RootRepeal and any of its leftovers.

Delete Gmer and any of its leftovers.

Delete the SYSCLEAN downloads and the C:\DCE folder

We are finished here. Best regards.

Link to post
Share on other sites

I just got to the point of clean up where I have to run OTL.EXE.

I never did that step. Remember I was having problems with combo-fix.exe, so you gave me the instructions with Avenger, otl.exe and one other scan. But when I turned off the machine and restarted combo fix continued it's run, so I didn't do that step and waited for further instructions. You gave me the new avenger script, but I didn't go back to the original instructions with avenger and run any of the programs after that.

So I still have the dce directory, atf cleaner and enrunt1.1 on my machine.

I did purchase MBAM.

Link to post
Share on other sites

Look over the log. If the summary sections have 0 items tagged, like this:

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

then I won't need it.

I'll check back here late tonight and get back with you. Please be patient meantime.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.