stfox Posted December 31, 2009 ID:177966 Share Posted December 31, 2009 Ok, let me explain my problem: My computer keeps informing me that I have malware caused by UACD.sys. My webpages are constantly getting redirected, and internet explorer contiously stops working. I have AVG and it did not detect this problem, I downloaded PC tools and it too did not detect any virus. So I downloaded avenger and attempted to delete the UACD.sys file since it was not listed in my hidden files. After rebooting my computer it said the files could not be deleted because they do not exist. Next I downloaded Malwarebytes anti-malware. After downloading, I could not get the files to run: the message "Malwarebytes Anti-Malware has stopped working" appears. So I tried uninstalling and installing again, downloading from Mozilla Fox rather than internet explorer, remaming the file, opening in safe mode, and opening under another user account, but none of these work to run malwarebytes. So I performed a scan with highjackthis and the logs are below. I do not know what to do from here, and would really appreciate any help. Thank you in advance,Steve Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:21:03 PM, on 12/31/2009Platform: Windows Vista SP2 (WinNT 6.00.1906)MSIE: Internet Explorer v8.00 (8.00.6001.18865)Boot mode: NormalRunning processes:C:\Windows\System32\smss.exeC:\Windows\system32\csrss.exeC:\Windows\system32\wininit.exeC:\Windows\system32\csrss.exeC:\Windows\system32\services.exeC:\Windows\system32\lsass.exeC:\Windows\system32\winlogon.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exeC:\Windows\System32\svchost.exeC:\Program Files\Fingerprint Sensor\AtService.exeC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exeC:\Windows\system32\SLsvc.exeC:\Windows\system32\WLANExt.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskeng.exeC:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Windows\System32\WLTRAY.EXEC:\Program Files\iTunes\iTunesHelper.exeC:\Windows\ehome\ehtray.exeC:\Windows\system32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\Windows\system32\svchost.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Windows\system32\igfxsrvc.exeC:\Windows\System32\svchost.exeC:\Windows\System32\WLTRYSVC.EXEC:\Windows\System32\bcmwltry.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Spyware Doctor\TFEngine\TFService.exeC:\Users\Steve Fox\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0S7IMR0W\windows-kb890830-v3.2[1].exec:\df1f509f7e94fb5b9eefbe5a860ad7f9\mrtstub.exeC:\Windows\system32\MRT.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\Iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = PreserveR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhostO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dllO3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenterO4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\RunOnce: [shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; AskTB5.5)" -"https://learn.nmsu.edu/webct/ContentPageServerServlet/Imported_Resources/cengel_tea6e_webct_vista_backup/chapter1/flashcards.html?pageID=16259860071"O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O15 - Trusted Zone: *.netzero.comO15 - Trusted Zone: *.netzero.netO16 - DPF: {64CD313F-F079-4D93-959F-4D28B5519449} (Jeopardy Control) - http://www.worldwinner.com/games/v56/jeopardy/jeopardy.cabO16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cabO23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exeO23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exeO23 - Service: Creative OA001 RunApp Service (OA001Srv) - Creative Technology Ltd. - C:\Windows\System32\OA001Srv.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXEO23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe--End of file - 8096 bytes Link to post Share on other sites More sharing options...
noknojon Posted December 31, 2009 ID:177977 Share Posted December 31, 2009 Welcome stfox -As you are badly infected and Malwarebytes will not run then please read these instructions to get help -We do not diagnose logs and do detailed removal in the general area of the forum -Follow as many steps as you can and move to the next step if you get stuck -Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.One of the expert helpers there will give you one-on-one assistance when one becomes available.Thank You - EDIT - PC Tools will not remove these problems - Link to post Share on other sites More sharing options...
stfox Posted December 31, 2009 Author ID:177994 Share Posted December 31, 2009 Welcome stfox -As you are badly infected and Malwarebytes will not run then please read these instructions to get help -We do not diagnose logs and do detailed removal in the general area of the forum -Follow as many steps as you can and move to the next step if you get stuck -Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.One of the expert helpers there will give you one-on-one assistance when one becomes available.Thank You - EDIT - PC Tools will not remove these problems -Thanks for your reply noknojon, but when i attempt those steps I ran into 2 problems:1. I do not know how to discable script-blockers.2. When I attempt to scan my computer with GMR, my computer freezes, then turns black, then shuts down. I am not sure what to do now. Link to post Share on other sites More sharing options...
marktreg Posted January 1, 2010 ID:177995 Share Posted January 1, 2010 Hi stfox,Script blocking is sometimes a part of antivirus software, so disabling your antivirus is usually enough.However, if you still can't complete any of the steps in the directions here, just skip those steps altogether. Then post a NEW topic here and describe the problems you are having.One of the expert helpers there will give you one-on-one assistance when one becomes available. Link to post Share on other sites More sharing options...
SpySentinel Posted January 1, 2010 ID:178044 Share Posted January 1, 2010 Replied to his HJT Log. Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now