
Received malware alert-UACd.sys.trojan

10 replies to this topic

#1 Iggypup


  • Members
  • 6 posts
  • Gender:Male
  • Location:Scotland

Posted 20 June 2009 - 10:58 AM

As stated in the topic title I have received a malware alert. It stated that the problem was caused by UACd.sys.trojan. Being only an intermediate user, I don't know how to remove it. I need assistance from someone who knows more on the subject. I'd be grateful for any assistance that any of you guys can give. I have run DDS and received the following message.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Stuart at 16:27:20.10 on 20/06/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.396 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\\ccSvcHst.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\\ccSvcHst.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Stuart\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msupdt.exe,c:\windows\system32\oembios.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {10c0b0c0-fc01-473b-8ebb-4376353f96e4} - MSN helper
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\\coIEPlg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\docume~1\stuart\locals~1\temp\E_SBF.tmp" /EF "HKCU"
uRun: [EPSON Stylus DX4400 Series (Copy 1)] rem c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_S13B.tmp" /EF "HKCU"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [BitTorrent] "k:\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 5.0\SetHook.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\stuart\start menu\programs\startup\Shredder.bat
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226183053203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226711517332&h=d49c4fb5e520cfaf7e64bdf07ced55c2/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: msyujrif - ozzuocb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-16 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-4-12 310320]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-11 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-11 108552]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-4-12 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-4-12 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090618.002\IDSXpx86.sys [2009-6-19 276344]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-2-25 59624]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-2-25 84712]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-11 298776]
R2 N360;Norton 360;c:\program files\norton 360\engine\\ccSvcHst.exe [2009-4-12 115560]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-30 935208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-12 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090619.054\NAVENG.SYS [2009-6-20 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090619.054\NAVEX15.SYS [2009-6-20 876144]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-9-5 217600]
S1 1fdc78e;1fdc78e;c:\windows\system32\drivers\1fdc78e.sys [2009-6-16 0]
S2 gupdate1c99df73afa87b0;Google Update Service (gupdate1c99df73afa87b0);c:\program files\google\update\GoogleUpdate.exe [2009-3-6 133104]
S2 swdjntmb;1394 Net Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 CrystalSysInfo;CrystalSysInfo; [x]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S3 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]

=============== Created Last 30 ================

2009-06-18 15:45 <DIR> --d----- c:\docume~1\stuart\applic~1\Backup MyPC
2009-06-18 15:34 12,288 a------- C:\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe
2009-06-18 15:34 47,616 a------- c:\windows\soc_1245335648.exe
2009-06-18 15:34 2 a------- c:\windows\010112010146118114.dat
2009-06-18 15:34 142 a------- C:\487656.bat
2009-06-18 15:33 116,044 a------- c:\windows\system32\drivers\81086add.sys
2009-06-18 15:33 14,848 a------- c:\windows\kernel32.exe
2009-06-18 15:33 14,336 ----h--- c:\windows\ld10.exe
2009-06-18 15:33 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-18 15:33 184,848 a------- C:\eychkh.exe
2009-06-18 15:33 74,351 a------- C:\vbwew.exe
2009-06-16 17:25 <DIR> --d----- c:\program files\FJOtLqld
2009-06-16 15:16 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-16 15:16 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-16 15:16 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-16 15:16 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-16 15:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-16 15:16 <DIR> --d----- c:\program files\OGDxyGQe
2009-06-16 15:16 <DIR> --d----- c:\docume~1\stuart\applic~1\PC Tools
2009-06-16 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-16 01:10 46 a------- C:\p2hhr.bat
2009-06-16 01:10 2 ----h--- c:\windows\zaponce53222.dat
2009-06-16 01:10 2 ----h--- c:\windows\zaponce53173.dat
2009-06-16 01:10 2 ----h--- c:\windows\zaponce53290.dat
2009-06-16 01:10 0 a------- c:\windows\system32\drivers\1fdc78e.sys
2009-06-16 01:10 1,993 a------- c:\windows\st_1245129475.exe
2009-06-16 01:10 1,993 a------- c:\windows\st_1245111046.exe
2009-06-16 01:10 15,360 ----h--- c:\windows\ld09.exe
2009-06-16 01:09 40,960 a------- C:\debgx.exe
2009-06-16 01:09 15,000 a------- c:\windows\system32\fgddferdd.dll
2009-06-16 01:09 217,320 a------- C:\lvhvep.exe
2009-06-16 01:09 14,848 ----h--- c:\windows\ld08.exe
2009-06-16 01:09 24,576 a------- c:\windows\win32.exe
2009-06-16 01:09 15,000 a------- c:\windows\system32\gsf83iujid.dll
2009-06-16 01:09 2 a------- C:\-468835733
2009-06-16 01:09 96,768 a------- C:\imdtgn.exe
2009-06-16 01:09 24,576 a------- C:\nyfj.exe
2009-06-16 01:09 8,704 a------- C:\boeeya.exe
2009-06-12 01:07 11,264 a------- C:\Iexplor701.exe
2009-06-11 18:15 45 a------- c:\windows\system32\ca.dat
2009-06-11 18:12 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-11 18:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-11 18:12 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-11 18:12 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-11 18:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-11 18:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-11 11:33 <DIR> --dsh--- c:\windows\system32\sysproc64
2009-06-08 13:48 <DIR> --d-h--- c:\windows\PIF
2009-06-08 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Virgin Broadband
2009-06-05 16:06 <DIR> --d----- c:\docume~1\stuart\applic~1\bvegrqdi
2009-06-05 01:41 1 a------- c:\windows\system32\q1.dat
2009-06-05 01:41 1 a------- c:\windows\system32\idm.dat
2009-06-05 01:41 1 a------- c:\windows\system32\ck.dat
2009-06-05 01:41 1 a------- c:\windows\system32\c2d.dat
2009-06-05 01:13 70,144 a------- c:\windows\system32\inform.dat
2009-06-05 01:13 16,164 a------- c:\windows\system32\fkas
2009-05-30 20:43 <DIR> --d----- c:\program files\AVG
2009-05-30 20:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8ls
2009-05-29 22:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fellowes
2009-05-29 22:29 <DIR> --d----- c:\program files\Fellowes
2009-05-29 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-05-29 16:43 <DIR> --d----- c:\program files\InterActual
2009-05-28 16:48 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-05-25 17:48 48,128 a------- C:\pclips.exe
2009-05-25 17:08 6,656 a------- C:\ppi.exe

==================== Find3M ====================

2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 16:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 10:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 17:21 87,608 a------- c:\docume~1\stuart\applic~1\inst.exe
2009-04-15 17:21 47,360 a------- c:\docume~1\stuart\applic~1\pcouffin.sys
2009-04-15 16:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-12 13:39 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-02 14:21 84,480 a------- c:\windows\system32\ff_vfw.dll

============= FINISH: 16:31:38.87 ===============

If anyone needs further info contact me and I will provide whatever is needed to conquer this severe nuisance.
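For readers wondering what a responder actually looks for in a log like the one above, here is an added triage script (my example, not code from DDS, the thread or BleepingComputer) that scans DDS-style lines for the kind of red flags present in this post: extra executables chained onto the Winlogon Userinit value, policies that disable Task Manager and the registry editor, a zero-byte driver, and executables dropped straight into C:\ or the Windows directory. The rules and thresholds are my own heuristics, and the sample is a subset of lines copied from the posted log with a few benign lines for contrast.

```python
import re

# Sample input: a subset of lines from the DDS log posted above
# (Pseudo HJT Report, SERVICES / DRIVERS and Created Last 30 sections),
# including some benign entries so the rules have something to ignore.
SAMPLE_LOG = r"""mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msupdt.exe,c:\windows\system32\oembios.exe,
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-11 327688]
S1 1fdc78e;1fdc78e;c:\windows\system32\drivers\1fdc78e.sys [2009-6-16 0]
2009-06-18 15:34 12,288 a------- C:\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe
2009-06-18 15:33 14,848 a------- c:\windows\kernel32.exe
2009-06-16 01:10 46 a------- C:\p2hhr.bat
2009-06-05 01:41 1 a------- c:\windows\system32\q1.dat
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
"""

# "Created Last 30" / "Find3M" line: date, time, size-or-<DIR>, 8-char attribute
# field, then the path (which may contain spaces).
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attr>[a-z-]{8}) (?P<path>.+)$"
)
# "SERVICES / DRIVERS" line: start type, name;description;path [date size].
# Entries ending in [x] or [?] (file missing) deliberately do not match here.
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>.+?) "
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)
# Policies that lock the user out of the tools normally used to inspect
# or undo an infection.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
EXEC_EXT = (".exe", ".bat", ".com", ".scr", ".pif", ".dll", ".sys")


def userinit_extras(line):
    """Return every program chained onto the Winlogon Userinit value other
    than the standard userinit.exe (each one runs at every logon)."""
    m = re.match(r"^mWinlogon: Userinit=(.*)$", line, re.I)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def in_bare_location(path):
    """True when an executable sits directly in a drive root or in the
    Windows directory itself; legitimate installers rarely put files there."""
    p = path.lower()
    if not p.endswith(EXEC_EXT):
        return False
    parent = p.rsplit("\\", 1)[0]
    return re.fullmatch(r"[a-z]:", parent) is not None or parent.endswith(":\\windows")


def triage(log_text):
    """Scan DDS-style log text and return a list of (rule, detail) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for extra in userinit_extras(line):
            findings.append(("userinit-extra", extra))
        pm = re.match(r"^[um]Policies-system: (\w+) = 1", line)
        if pm and pm.group(1) in LOCKOUT_POLICIES:
            findings.append(("tool-lockout-policy", pm.group(1)))
        dm = DRIVER_RE.match(line)
        if dm and int(dm.group("size")) == 0:
            # A registered kernel driver backed by an empty file is a
            # leftover of a rootkit component, not a real driver.
            findings.append(("zero-byte-driver", dm.group("path")))
        cm = CREATED_RE.match(line)
        if cm and in_bare_location(cm.group("path")):
            findings.append(("exec-in-bare-location", cm.group("path")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Run against the full posted log instead of the sample, the same rules would also pick up the other C:\*.exe droppers and c:\windows\ld*.exe files listed under "Created Last 30".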




#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 June 2009 - 06:46 PM

Hi iggypup,

There is more than just UAC in your log. Please make sure you rename both these tools before you download them.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Let's see how it likes that :thumbup2:
m0le is a proud member of UNITE

#3 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 June 2009 - 05:18 AM

Hi iggypup,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.



#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 June 2009 - 07:43 PM

Hi iggypup,

I understand you are having problems running programs.

Please download Combofix but don't run it yet.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe

Next we are going to try and run it a different way than double-clicking it.

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK: (assuming ComboFix.exe is on the desktop as was instructed)


Let me know if that works. :thumbup2:

Edited by m0le, 30 June 2009 - 01:38 PM.


#5 Iggypup

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Scotland

Posted 29 June 2009 - 09:08 PM

Hi m0le
Tried your suggestion and I get the following message.

Windows cannot open this file:

File: Combo-Fix.exe

To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

What do you want to do?

When I tried the online option I received another message as follows.

File Type: Unknown

Description: Windows does not recognize this type of file.

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 June 2009 - 01:41 PM

Sounds like you have damaged system files, iggypup.

Let's try one more option.

Open Task Manager by pressing the Ctrl, Alt and Del keys at the same time.

In the menu at the top of the dialog box, click File>New Task (Run...)

Copy/paste (or type) the following in the Run box and click OK: (assuming ComboFix.exe is on the desktop as was instructed)


If this doesn't work (and I suspect it won't) let's attempt a repair.

Please download sreng2.zip and save it to your Desktop.
  • Create a new folder on your hard drive called Sreng2 (C:\Sreng2) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on SREngLdr.EXE to launch it.
  • Select System Repair from the left pane.
  • Click on Windows Shell/IE.
  • Put a check mark in the box next to Enable using Folder Options
  • Click Repair.
  • The Status should now show Ok.
  • Exit SREng and reboot the computer.
Let's see if that helps. I may need to refer you to another forum if this continues along the non-malware route but we'll see what happens. :thumbup2:

#7 Iggypup

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Scotland

Posted 01 July 2009 - 07:45 PM

I followed your suggestions but I'm afraid (as you suspected) that it did not work. I downloaded sreng2.zip and followed your instructions. However when I try to launch SREngLdr.exe I get the same error message that I had previously mentioned. Thank you for your efforts so far. You mention referral to another forum. I'm willing to listen to any suggestion now as I suspect that I may have to take my machine to an engineer to clean out and re-install. A nuisance since there were some files that I was unable to back up and will be lost now. C'est la vie. If I am unable to repair by the 6th July I will go offline until repaired. So thanks again for your efforts. I will keep you informed of the outcome.

#8 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 July 2009 - 08:07 PM

Hi iggypup,

Sorry I couldn't help more.

I think a system scan for corrupt files might give you a better idea of the problem.

To do this simply go to the Run box on the Start Menu and type in:

sfc /scannow

More info on this process can be found here.

Then post at this forum at BC for some help. It seems to be an XP operating system problem and not a malware one.

I will keep this topic open for 5 days if you wish to communicate and I will then close it.

Good luck :thumbup2:

#9 Iggypup

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Scotland

Posted 03 July 2009 - 05:59 PM

Hi m0le
Thought I would give you an update on the saga with my machine. I was talking to a friend yesterday who has considerable experience with computers. I told him of the problems I was having. He suggested that I may have a problem with all of the dll links being broken. He suggested that I try a registry maintenance software to fix the issue with not being able to run exe files. If that was successful I could then run the programmes that you had suggested and hopefully that would resolve a lot of the problems.
Trouble was most of the registry fix tools advertise themselves as being able to fix exe problems and then download fixes in exe format. So after going round in circles for a couple of hours I saw an advert for RegCure. I had tried this fix before, but as soon as they asked for money to fix the problems I would then uninstall the software. This time I gritted my teeth and paid up. Guess what? It did the job. Suddenly I could run exe files. I was then able to run the fixes you suggested and started making progress towards cleaning my machine. I still have a few problems that I will work on over the weekend, my machine is working but still a bit sluggish.
Thanks again for your efforts to help me. It is good to know that there are people out there willing to offer assistance when I get into an area beyond my experience and knowledge. Regcure also allowed me a free download of other software after I had paid for the main software. Whether or not this software will be worth the money only time will tell. It was certainly a lot less than Symantec wanted for a remote scan and offer of fixes. I have now fallen out with Norton and this will be my last subscription to any of their services.

Cheers Iggypup

#10 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 July 2009 - 07:30 PM

Glad you could solve it, iggypup.

Just a bit out of my area of expertise but I knew it wasn't malware.


#11 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 July 2009 - 01:41 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
