
Topic: UACd.sys Trojan (Read 10163 times)


Joop

    Topic Starter


    Rookie

    UACd.sys Trojan
    « on: February 01, 2010, 10:52:55 AM »
    Hi,

    Since the beginning of the year I am experiencing problems on my computer (Windows Vista SP2). Defender won't start, the virus scanner won't run anymore, programs won't install, websites have 'broken links' and programs crash (i.e. GoogleToolbar).
    Now last week, Vista suddenly told me that this was all due to a Trojan named UACD.sys, which seems to be extremely difficult to remove.

    After consulting the web, I was (among others) guided to you guys. I studied 2 similar problems but since one of you mentioned these problems are unique, I decided to post my own.

    I already went through your start-up cookbook and will append the logs for SAS/MBAM and HJT as text to this message.
    I installed AVAST as a virus scanner, ran CCleaner and updated Java. Note that this was all over the span of 2/3 days.

    I had to rename all my downloads/executables to get them started at all, so whatever is running the show on my computer blocks by certain keywords or exact names???

    Any help is greatly appreciated!

    Thanks in advance
    -----------------------

    Logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/31/2010 at 09:00 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4541
    Trace Rules Database Version: 2353

    Scan type       : Complete Scan
    Total Scan Time : 02:10:11

    Memory items scanned      : 656
    Memory threats detected   : 0
    Registry items scanned    : 8033
    Registry threats detected : 169
    File items scanned        : 184240
    File threats detected     : 81

    Rogue.SmartProtector
       C:\Windows\system32\srcr.dat

    Trojan.Agent/Gen-Alureon
       HKU\.DEFAULT\Software\h8srt
       HKU\S-1-5-19\Software\h8srt
       HKU\S-1-5-20\Software\h8srt
       HKU\S-1-5-21-2280200681-2884239558-2584356172-1000\Software\h8srt
       HKU\S-1-5-18\Software\h8srt
       HKLM\Software\H8SRT
       HKLM\Software\H8SRT#affid
       HKLM\Software\H8SRT#subid
       HKLM\Software\H8SRT#type
       HKLM\Software\H8SRT#build
       HKLM\Software\H8SRT#cmddelay
       HKLM\Software\H8SRT#slrd
       HKLM\Software\H8SRT#slrm
       HKLM\Software\H8SRT\connections
       HKLM\Software\H8SRT\connections#925b3039
       HKLM\Software\H8SRT\connections#784d43e
       HKLM\Software\H8SRT\connections#9d0ed33a
       HKLM\Software\H8SRT\connections#dfbfa93a
       HKLM\Software\H8SRT\connections#1feaa9a4
       HKLM\Software\H8SRT\disallowed
       HKLM\Software\H8SRT\disallowed#trsetup.exe
       HKLM\Software\H8SRT\disallowed#ViewpointService.exe
       HKLM\Software\H8SRT\disallowed#ViewMgr.exe
       HKLM\Software\H8SRT\disallowed#SpySweeper.exe
       HKLM\Software\H8SRT\disallowed#SUPERAntiSpyware.exe
       HKLM\Software\H8SRT\disallowed#SpySub.exe
       HKLM\Software\H8SRT\disallowed#SpywareTerminatorShield.exe
       HKLM\Software\H8SRT\disallowed#SpyHunter3.exe
       HKLM\Software\H8SRT\disallowed#XoftSpy.exe
       HKLM\Software\H8SRT\disallowed#SpyEraser.exe
       HKLM\Software\H8SRT\disallowed#otscanit.exe
       HKLM\Software\H8SRT\disallowed#mbam.exe
       HKLM\Software\H8SRT\disallowed#mbam-setup.exe
       HKLM\Software\H8SRT\disallowed#flash_disinfector.exe
       HKLM\Software\H8SRT\disallowed#otmoveit2.exe
       HKLM\Software\H8SRT\disallowed#smitfraudfix.exe
       HKLM\Software\H8SRT\disallowed#prevxcsifree.exe
       HKLM\Software\H8SRT\disallowed#download_mbam-setup.exe
       HKLM\Software\H8SRT\disallowed#cbo_setup.exe
       HKLM\Software\H8SRT\disallowed#spywareblastersetup.exe
       HKLM\Software\H8SRT\disallowed#rminstall.exe
       HKLM\Software\H8SRT\disallowed#sdsetup.exe
       HKLM\Software\H8SRT\disallowed#vundofixsvc.exe
       HKLM\Software\H8SRT\disallowed#daft.exe
       HKLM\Software\H8SRT\disallowed#gmer.exe
       HKLM\Software\H8SRT\disallowed#catchme.exe
       HKLM\Software\H8SRT\disallowed#mcpr.exe
       HKLM\Software\H8SRT\disallowed#sdfix.exe
       HKLM\Software\H8SRT\disallowed#hjtinstall.exe
       HKLM\Software\H8SRT\disallowed#fixpolicies.exe
       HKLM\Software\H8SRT\disallowed#emergencyutil.exe
       HKLM\Software\H8SRT\disallowed#techweb.exe
       HKLM\Software\H8SRT\disallowed#GoogleUpdate.exe
       HKLM\Software\H8SRT\disallowed#windowsdefender.exe
       HKLM\Software\H8SRT\disallowed#spybotsd.exe
       HKLM\Software\H8SRT\disallowed#klif.sys
       HKLM\Software\H8SRT\disallowed#pctssvc.sys
       HKLM\Software\H8SRT\disallowed#pctcore.sys
       HKLM\Software\H8SRT\disallowed#mchinjdrv.sys
       HKLM\Software\H8SRT\disallowed#szkg.sys
       HKLM\Software\H8SRT\disallowed#sasdifsv.sys
       HKLM\Software\H8SRT\disallowed#saskutil.sys
       HKLM\Software\H8SRT\disallowed#sasenum.sys
       HKLM\Software\H8SRT\disallowed#ccHPx86.sys
       HKLM\Software\H8SRT\disallowed#mbamswissarmy.sys
       HKLM\Software\H8SRT\disallowed#mbam.sys
       HKLM\Software\H8SRT\disallowed#acs.exe
       HKLM\Software\H8SRT\disallowed#op_mon.exe
       HKLM\Software\H8SRT\disallowed#shWebSv.exe
       HKLM\Software\H8SRT\disallowed#ashmaiSv.exe
       HKLM\Software\H8SRT\disallowed#imapi.exe
       HKLM\Software\H8SRT\disallowed#aswUpdSv.exe
       HKLM\Software\H8SRT\disallowed#ashServ.exe
       HKLM\Software\H8SRT\disallowed#ashDisp.exe
       HKLM\Software\H8SRT\disallowed#avast.exe
       HKLM\Software\H8SRT\disallowed#avgemc.exe
       HKLM\Software\H8SRT\disallowed#avgwdsvc.exe
       HKLM\Software\H8SRT\disallowed#avgyray.exe
       HKLM\Software\H8SRT\disallowed#avgrsx.exe
       HKLM\Software\H8SRT\disallowed#avcenter.exe
       HKLM\Software\H8SRT\disallowed#avgnt.exe
       HKLM\Software\H8SRT\disallowed#sched.exe
       HKLM\Software\H8SRT\disallowed#avguard.exe
       HKLM\Software\H8SRT\disallowed#Combofix.exe
       HKLM\Software\H8SRT\disallowed#FAMEH32.exe
       HKLM\Software\H8SRT\disallowed#FCH32.exe
       HKLM\Software\H8SRT\disallowed#fsaua.exe
       HKLM\Software\H8SRT\disallowed#fsav32.exe
       HKLM\Software\H8SRT\disallowed#fsdfwd.exe
       HKLM\Software\H8SRT\disallowed#fsgk32.exe
       HKLM\Software\H8SRT\disallowed#fsgk32st.exe
       HKLM\Software\H8SRT\disallowed#fsguidll.exe
       HKLM\Software\H8SRT\disallowed#FSM32.EXE
       HKLM\Software\H8SRT\disallowed#FSMA32.EXE
       HKLM\Software\H8SRT\disallowed#FSMB32.EXE
       HKLM\Software\H8SRT\disallowed#fspc.exe
       HKLM\Software\H8SRT\disallowed#fsqh.exe
       HKLM\Software\H8SRT\disallowed#fssm32.exe
       HKLM\Software\H8SRT\disallowed#fsus.exe
       HKLM\Software\H8SRT\disallowed#avp.exe
       HKLM\Software\H8SRT\disallowed#nod32krn.exe
       HKLM\Software\H8SRT\disallowed#nod32kui.exe
       HKLM\Software\H8SRT\disallowed#CCSVCHST.exe
       HKLM\Software\H8SRT\disallowed#AluSchedulerSvc.exe
       HKLM\Software\H8SRT\disallowed#oahlp.exe
       HKLM\Software\H8SRT\disallowed#oasrv.exe
       HKLM\Software\H8SRT\disallowed#oacat.exe
       HKLM\Software\H8SRT\disallowed#oaui.exe
       HKLM\Software\H8SRT\disallowed#PF6.exe
       HKLM\Software\H8SRT\disallowed#pfsvc.exe
       HKLM\Software\H8SRT\disallowed#SCFManager.exe
       HKLM\Software\H8SRT\disallowed#SavService.exe
       HKLM\Software\H8SRT\disallowed#ALsvc.exe
       HKLM\Software\H8SRT\disallowed#SAVAdminService.exe
       HKLM\Software\H8SRT\disallowed#ALMon.exe
       HKLM\Software\H8SRT\disallowed#SCFService.exe
       HKLM\Software\H8SRT\disallowed#SAService.exe
       HKLM\Software\H8SRT\disallowed#McNASvc.exe
       HKLM\Software\H8SRT\disallowed#McProxy.exe
       HKLM\Software\H8SRT\disallowed#Mcshield.exe
       HKLM\Software\H8SRT\disallowed#MpfSrv.exe
       HKLM\Software\H8SRT\disallowed#msksrver.exe
       HKLM\Software\H8SRT\disallowed#mcagent.exe
       HKLM\Software\H8SRT\disallowed#SiteAdv.exe
       HKLM\Software\H8SRT\disallowed#mcmscsvc.exe
       HKLM\Software\H8SRT\disallowed#mcregist.exe
       HKLM\Software\H8SRT\disallowed#mcsysmon.exe
       HKLM\Software\H8SRT\disallowed#Smc.exe
       HKLM\Software\H8SRT\disallowed#Rtvscan.exe
       HKLM\Software\H8SRT\disallowed#SmcGui.exe
       HKLM\Software\H8SRT\disallowed#SymCorpUI.exe
       HKLM\Software\H8SRT\disallowed#PavPrSrv.exe
       HKLM\Software\H8SRT\disallowed#PslmSvc.exe
       HKLM\Software\H8SRT\disallowed#PsCrtlS.exe
       HKLM\Software\H8SRT\disallowed#PAVSRV51.EXE
       HKLM\Software\H8SRT\disallowed#AVENGINE.EXE
       HKLM\Software\H8SRT\disallowed#ApVxdWin.exe
       HKLM\Software\H8SRT\disallowed#WebProxy.exe
       HKLM\Software\H8SRT\disallowed#spiderml.exe
       HKLM\Software\H8SRT\disallowed#spiderui.exe
       HKLM\Software\H8SRT\disallowed#drwebbscd.exe
       HKLM\Software\H8SRT\disallowed#MpCmdRun.exe
       HKLM\Software\H8SRT\disallowed#MsMpEng.exe
       HKLM\Software\H8SRT\disallowed#TeaTimer.exe
       HKLM\Software\H8SRT\disallowed#sdra64.exe
       HKLM\Software\H8SRT\disallowed#avgtrey.exe
       HKLM\Software\H8SRT\disallowed#avg.exe
       HKLM\Software\H8SRT\disallowed#mcvsshld.exe
       HKLM\Software\H8SRT\disallowed#mcuimgr.exe
       HKLM\Software\H8SRT\disallowed#mcshell.exe
       HKLM\Software\H8SRT\disallowed#mcods.exe
       HKLM\Software\H8SRT\disallowed#avgtrày.exe
       HKLM\Software\H8SRT\disallowed#msseces.exe
       HKLM\Software\H8SRT\disallowed#MSASCui.exe
       HKLM\Software\H8SRT\disallowed#MsMpRes.dll
       HKLM\Software\H8SRT\disallowed#MpClient.Dll
       HKLM\Software\H8SRT\disallowed#MpRtMon.DLL
       HKLM\Software\H8SRT\disallowed#pev.exe
       HKLM\Software\H8SRT\disallowed#KDSsetap.exe
       HKLM\Software\H8SRT\disallowed#BDTUpdateService.exe
       HKLM\Software\H8SRT\disallowed#pctsAuxs.exe
       HKLM\Software\H8SRT\disallowed#pctsGui.exe
       HKLM\Software\H8SRT\disallowed#pctsSvc.exe
       HKLM\Software\H8SRT\disallowed#pctsTray.exe
       HKLM\Software\H8SRT\injector
       HKLM\Software\H8SRT\injector#*
       HKLM\Software\H8SRT\versions
       HKLM\Software\H8SRT\versions#/css/crcmds/install
       HKLM\Software\H8SRT\versions#/css/crcmds/extra

    Adware.MyWebSearch
       D:\DOWNLOADS\SMILEYCENTRALPFSETUP2.3.50.10.ZNFOX000.EXE


    ===================================================================

    Malwarebytes' Anti-Malware 1.44
    Database version: 3673
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18882

    1-2-2010 18:17:54
    mbam-log-2010-02-01 (18-17-54).txt

    Scan type: Quick Scan
    Objects scanned: 160779
    Time elapsed: 9 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\ProgramData\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\ProgramData\h8srtkrl32mainweq.dll (Rootkit.Trace) -> Delete on reboot.



    ===================================================================


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:28:58, on 1-2-2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.intl.acer.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nl.intl.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - *{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
    R3 - URLSearchHook: (no name) - *{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - (no file)
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Lana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    O13 - Gopher Prefix:
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8075 bytes
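As an added example (not code from this thread, from SUPERAntiSpyware or from any of the tools named here), a small Python triage script that parses the scan-log layout above, pulls the executable names out of the `HKLM\Software\H8SRT\disallowed#<name>` values and checks whether a given tool's file name is on that blocklist. It assumes the infection matches on the bare, case-folded file name only, which is consistent with the renamed HJT.exe running while hjtinstall.exe is listed.

```python
"""Triage helper for the SUPERAntiSpyware-style scan log quoted above.

Added example, not code from the thread or from SUPERAntiSpyware.  It groups
the log's detections by category and pulls the executable names out of the
HKLM\\Software\\H8SRT\\disallowed#<name> registry values: the list of
security-tool file names the infection refuses to let run.
"""
import re
from collections import OrderedDict

# Constructed sample: a trimmed excerpt in the layout of the posted log
# (category header flush left, detections indented under it).
SAMPLE_LOG = r"""
Rogue.SmartProtector
   C:\Windows\system32\srcr.dat

Trojan.Agent/Gen-Alureon
   HKLM\Software\H8SRT
   HKLM\Software\H8SRT#affid
   HKLM\Software\H8SRT\disallowed
   HKLM\Software\H8SRT\disallowed#mbam.exe
   HKLM\Software\H8SRT\disallowed#hjtinstall.exe
   HKLM\Software\H8SRT\disallowed#SUPERAntiSpyware.exe
   HKLM\Software\H8SRT\disallowed#FSM32.EXE
   HKLM\Software\H8SRT\disallowed#sasdifsv.sys
   HKLM\Software\H8SRT\injector#*

Adware.MyWebSearch
   D:\DOWNLOADS\SMILEYCENTRALPFSETUP2.3.50.10.ZNFOX000.EXE
"""

# "<key path>#<value name>" is how the log writes a registry value.
DISALLOWED_RE = re.compile(
    r"^HKLM\\Software\\H8SRT\\disallowed#(?P<name>.+)$", re.IGNORECASE
)


def parse_sections(text):
    """Group log lines into an ordered {category: [detections]} mapping.

    A category header is a non-blank line with no leading whitespace; the
    detections belonging to it are the indented lines that follow.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def blocked_tool_names(sections):
    """Return the case-folded file names listed as ...\\disallowed# values."""
    names = set()
    for items in sections.values():
        for item in items:
            match = DISALLOWED_RE.match(item)
            if match:
                names.add(match.group("name").lower())
    return names


def is_blocked(path, blocked):
    """True when the bare file name of `path` is on the blocklist.

    Assumption: the infection matches on the exact file name only (the
    registry values hold nothing else), case-insensitively as Windows file
    names are.  That is why a renamed copy (HJT.exe instead of
    hjtinstall.exe) is not matched.
    """
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return filename.lower() in blocked


if __name__ == "__main__":
    sections = parse_sections(SAMPLE_LOG)
    for category, items in sections.items():
        print(f"{category}: {len(items)} item(s)")
    blocked = blocked_tool_names(sections)
    print("blocked tool names:", sorted(blocked))
    for tool in (r"C:\Tools\mbam.exe",
                 r"C:\Program Files\Trend Micro\HijackThis\HJT.exe"):
        state = "BLOCKED" if is_blocked(tool, blocked) else "not on list"
        print(f"{tool}: {state}")
```

Run against the full log posted above (saved to a file and read in place of SAMPLE_LOG), the blocklist comes out as the complete set of anti-malware executables and drivers the infection refuses to start.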

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: UACd.sys Trojan
    « Reply #1 on: February 01, 2010, 03:57:11 PM »
    Please download RootRepeal from GooglePages.com.
    • Extract the program file to your Desktop.
    • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
    • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report.
    • Save it to the Desktop.
    • Please copy/paste the contents of the report in your next reply.
    Please remove any e-mail address in the RootRepeal report (if present).
    ~Dr Jay

    Joop


      Re: UACd.sys Trojan
      « Reply #2 on: February 02, 2010, 12:39:01 PM »
      Hi

      I downloaded RootRepeal and executed it like you indicated and got the famous blue screen. I actually tried it 3 times (also with firewall and avast disabled, no luck).

      However, I don't know whether they are related, but now, all of a sudden, my explorer (folder overview, not internet) died and kept dying, which made my user useless. It was like a repeated process: a popup that explorer died and then the icon bar + my desktop contents vanished, came back and started over. It really got to me now.

      Luckily, this only happens to the user I was running RootRepeal in, I have a few users left to perform some tasks in.

      In the meantime, I'm performing a backup of all my data onto an external hard drive, so that if it gets to me on the other users, I can perform a complete new install. Should I be worried that I copy something harmful while at it?

      Thanks!


      Dr Jay

      Re: UACd.sys Trojan
      « Reply #3 on: February 02, 2010, 02:19:37 PM »
      Copy only documents, videos, pictures, and music. Do not copy programs.

      It is a good idea to copy down the name of all of your programs.

      If you would like to do that, go ahead.

      I do have alternate utilities that can scan and make sure the computer gets cleaned. We are not stuck. ;)
      ~Dr Jay

      Joop


        Re: UACd.sys Trojan
        « Reply #4 on: February 02, 2010, 11:49:01 PM »
        I've done just that, copy only the Users content.

        I'll make a list of the programs I use now, just in case.

        But, if you still have ideas, let's proceed and try to beat this thing. I'm still in for it :)

        Dr Jay

        Re: UACd.sys Trojan
        « Reply #5 on: February 03, 2010, 08:34:38 AM »
        Ok, go ahead...
        ~Dr Jay

        Joop


          Re: UACd.sys Trojan
          « Reply #6 on: February 03, 2010, 08:54:56 AM »
          Which tool do I need to execute in order to gather data for you?

          Dr Jay

          Re: UACd.sys Trojan
          « Reply #7 on: February 03, 2010, 09:03:10 AM »
          You don't need to gather data for me. But for yourself.

          Save it to a CD or external drive, etc.

          Then, if you wish to reformat and reinstall, go ahead.
          ~Dr Jay

          Joop


            Re: UACd.sys Trojan
            « Reply #8 on: February 03, 2010, 10:22:00 AM »
            Hi,

            Most likely we misunderstood each other. Saving my data to my external HD is just to be sure, not because I want to give up.
            Reformatting/reinstalling is a last resort to me.

            But you mentioned that you were not out of ideas to continue. So I want to continue as well.

            So, unless you think reinstalling is what I should do, please give me some tools I can run.

            Thanks.

            Dr Jay

            Re: UACd.sys Trojan
            « Reply #9 on: February 03, 2010, 12:08:59 PM »
            Please visit this webpage for a tutorial on downloading and running ComboFix:

            http://www.bleepingcomputer.com/combofix/how-to-use-combofix

            See the area: Using ComboFix, and when done, post the log back here.
            ~Dr Jay

            Joop


              Re: UACd.sys Trojan
              « Reply #10 on: February 03, 2010, 02:38:51 PM »
              Hi,

              It took me a while to find the program, since our enemy denies me access to the bleepingcomputer website. At last, in an earlier topic on UACd.sys on this site, I found another link where I was able to download it.

              Also when I had it on my desktop I had to rename it to get it going.

              The log is attached. Have fun.

              [Saving space, attachment deleted by admin]

              Dr Jay

              Re: UACd.sys Trojan
              « Reply #11 on: February 03, 2010, 09:44:50 PM »
              Hi again. Please do these steps in order.

              1. Please download TFC by OldTimer to your desktop
              • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
              • It will close all programs when run, so make sure you have saved all your work before you begin.
              • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
              • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
              2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
              Alternate link: BleepingComputer.com.
              (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

              Double Click mbam-setup.exe to install the application.

              (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
              • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
              • If an update is found, it will download and install the latest version.
              • Once the program has loaded, select "Perform Full Scan", then click Scan.
              • The scan may take some time to finish, so please be patient.
              • When the scan is complete, click OK, then Show Results to view the results.
              • Make sure that everything is checked, and click Remove Selected.
              • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
              • Please save the log to a location you will remember.
              • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
              • Copy and paste the entire report in your next reply.
              Extra Note:

              If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

              3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

              http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

              Post the log from SUPERAntiSpyware when you've accomplished that.

              4. Please run a free online scan with the ESET Online Scanner
              • Tick the box next to YES, I accept the Terms of Use
              • Click Start
              • When asked, allow the ActiveX control to install
              • Click Start
              • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
              • Click Scan (This scan can take several hours, so please be patient)
              • Once the scan is completed, you may close the window
              • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
              • Copy and paste that log as a reply to this topic

              5. Post the following in your next reply:
              • MBAM log
              • SAS log
              • ESET log
              And, please tell me how your computer is doing.
              ~Dr Jay

              Joop


                Re: UACd.sys Trojan
                « Reply #12 on: February 04, 2010, 02:08:28 PM »
                Hi,

                First this, only after I replied to you yesterday, I realized that MS defender didn't crash anymore and that I could visit any website I needed again. So, ComboFix did a *censored* of a job. Thanks very much for that suggestion  :).

                I executed the tools you suggested. The log of all 3 is attached.

                I experienced the following little problem:

                Malware Bytes would not perform an update -> error code 732 (2,0) Can't find file
                Last update was from 1/31/10. Hope that's not too old.
                Other funny thing: when I was ready to exit the program, it died on me???

                After all was done I rebooted the PC and my initial problem seems to be solved.

                However, on the 1 user I ran RootRepeal on, my explorer.exe keeps on dying. Vista pops up the message with the following description and suggestions:

                **** Problem with Power Cinema (a codec file named CLDemuxer.ax)
                sug 1: go to CyberLink Corp and check for updates of CLDemuxer.ax
                sug 2: use regsvr32 to undo registration of CLDemuxer.ax

                Now I need your advice on this:
                1. How do you think I should attack this?
                2. I can't execute this on the infected user, so will it help if I execute it on another user account that does not have the problem?

                Hope you will also help me out of this fix. Thanks again!

                [Saving space, attachment deleted by admin]

                Dr Jay

                Re: UACd.sys Trojan
                « Reply #13 on: February 04, 2010, 05:48:34 PM »
                No biggie. The rootkit is just acting up.

                Download this << file >> & extract TDSSKiller.exe onto your Desktop

                Then create this batch file to be placed next to TDSSKiller

                =====

                Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
                @ECHO OFF
                REM Run TDSSKiller and wait for it to finish; -l names the report file, -v turns on detailed logging
                START /WAIT TDSSKILLER.exe -l Logit.txt -v
                REM Open the report in the default text editor
                START Logit.txt
                REM Delete this batch file itself
                del %0
                Save this as fix.bat, choosing "Save as type: All Files".
                Double click on fix.bat and allow it to run

                Post back to tell me what it says
                ~Dr Jay

                Joop


                  Re: UACd.sys Trojan
                  « Reply #14 on: February 05, 2010, 10:19:51 AM »
                  I did what you asked me, it was done in a few secs.

                  Output is attached

                  Hope you find something. Thanks again.

                  [Saving space, attachment deleted by admin]

                  Dr Jay

                  Re: UACd.sys Trojan
                  « Reply #15 on: February 05, 2010, 10:46:11 AM »
                  Please open Malwarebytes, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
                  ~Dr Jay

                  Joop


                    Re: UACd.sys Trojan
                    « Reply #16 on: February 05, 2010, 11:50:29 AM »
                    Hi,

                    it found nothing....

                    Malwarebytes' Anti-Malware 1.44
                    Database version: 3673
                    Windows 6.0.6002 Service Pack 2
                    Internet Explorer 8.0.6001.18882

                    5-2-2010 19:49:24
                    mbam-log-2010-02-05 (19-49-24).txt

                    Scan type: Quick Scan
                    Objects scanned: 151494
                    Time elapsed: 5 minute(s), 30 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 0
                    Registry Keys Infected: 0
                    Registry Values Infected: 0
                    Registry Data Items Infected: 0
                    Folders Infected: 0
                    Files Infected: 0

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    (No malicious items detected)

                    Registry Keys Infected:
                    (No malicious items detected)

                    Registry Values Infected:
                    (No malicious items detected)

                    Registry Data Items Infected:
                    (No malicious items detected)

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    (No malicious items detected)

                    Dr Jay

                    Re: UACd.sys Trojan
                    « Reply #17 on: February 05, 2010, 03:26:21 PM »
                    To manually create a new Restore Point
                    • Go to Control Panel and select System and Maintenance
                    • Select System
                    • On the left select Advanced System Settings and accept the warning if you get one
                    • Select System Protection Tab
                    • Select Create at the bottom
                    • Type in a name i.e. Clean
                    • Select Create
                    Now we can purge the infected ones
                    • Go back to the System and Maintenance page
                    • Select Performance Information and Tools
                    • On the left select Open Disk Cleanup
                    • Select Files from all users and accept the warning if you get one
                    • In the drop down box select your main drive i.e. C
                    • For a few moments the system will make some calculations
                    • Select the More Options tab
                    • In the System Restore and Shadow Backups select Clean up
                    • Select Delete on the pop up
                    • Select OK
                    • Select Delete
                    You are now done

                    To remove all of the tools we used and the files and folders they created, please do the following:
                    Please download OTC.exe by OldTimer:
                    • Save it to your Desktop.
                    • Double click OTC.exe.
                    • Click the CleanUp! button.
                    • If you are prompted to Reboot during the cleanup, select Yes.
                    • The tool will delete itself once it finishes.
                    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

                    ==

                    Please download TFC by OldTimer to your desktop
                    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
                    • It will close all programs when run, so make sure you have saved all your work before you begin.
                    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
                    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
                    ==

                    Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
                    • Save it to your Desktop.
                    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
                    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
                    ~Dr Jay
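The restore-point steps in the post above, done from a shell instead of the Control Panel. This is an added example and not part of the thread or of any tool it names; it assumes System Protection is enabled on C: and that the script is run from an elevated PowerShell prompt (PowerShell 2.0, which is what Vista SP2 gets with Windows Management Framework, has Checkpoint-Computer and Get-ComputerRestorePoint). The order differs from the post: Disk Cleanup keeps only the newest point, so here the store is emptied first and the clean point created afterwards, which ends in the same state with the same single surviving point.

```powershell
# Added example, not from the thread: leave only a known-clean restore point.
# Run from an elevated PowerShell prompt. Assumes System Protection is on for C:.

# 1. Empty the restore point / shadow copy store. Disk Cleanup's "More Options"
#    keeps the newest point; here everything goes and the clean point is made
#    afterwards, so nothing from before the cleanup survives.
vssadmin delete shadows /for=C: /all /quiet

# 2. Create the clean point.
Checkpoint-Computer -Description "Clean" -RestorePointType "MODIFY_SETTINGS"

# 3. Verify: exactly one restore point should remain, the one just created.
#    @( ) forces an array so .Count works even for a single object (PS 2.0).
$points = @(Get-ComputerRestorePoint)
$points | Format-Table SequenceNumber, Description, CreationTime -AutoSize
if ($points.Count -ne 1 -or $points[0].Description -ne "Clean") {
    Write-Warning "Restore point store does not hold only the clean point; check the list above."
}
```

If the vssadmin step reports that no shadow copies were found, the purge is simply a no-op; the verification at the end still confirms what is left.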

                    Joop


                      Re: UACd.sys Trojan
                      « Reply #18 on: February 06, 2010, 01:57:41 AM »
                      Hi Dr Jay,

                      I executed according to your instructions. The log is attached.

                      Thanks!

                      [Saving space, attachment deleted by admin]

                      Dr Jay

                      Re: UACd.sys Trojan
                      « Reply #19 on: February 06, 2010, 11:22:12 AM »
                      Please download the newest version of Adobe Acrobat Reader from Adobe.com

                      Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
                      Go to the Control Panel and enter Add or Remove Programs.
                      Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

                      Once old versions are gone, please install the newest version.

                      ==

                      Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

                      Software recommendations

                      Firewall
                      • Tall Emu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
                      • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
                      • PC Tools Firewall Plus: free and excellent firewall.
                      AntiSpyware
                      • SpywareBlaster
                        SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
                      • Spybot - Search & Destroy.
                        Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
                      NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

                      Resident Protection help
                      A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

                      Rogue programs help
                      There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
                      http://www.spywarewarrior.com/rogue_anti-spyware.htm

                      Securing your computer
                      • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.  To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
                      • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
                      Please consider using an alternate browser
                      Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

                      If you are interested:
                      See this page for more info about malware and prevention.
                      ~Dr Jay
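A check to go with the hpHosts advice above: a blocklist only ever maps names to a loopback sink, so anything else in the HOSTS file, or a loopback entry for a security vendor's site, is worth a look; mapping help and update sites to loopback is a common way malware blocks them. This is an added example, not from the thread or from hpHosts; the list of vendor names it treats as "must be reachable" is an assumption you should adjust, and reading the file needs no elevation.

```powershell
# Added example, not from the thread: audit the HOSTS file and the registry
# value that tells Windows where HOSTS lives.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$sinks = @("127.0.0.1", "0.0.0.0", "::1")
# Names that should never be sinkholed on a machine being cleaned (assumed list).
$mustReach = 'malwarebytes|bleepingcomputer|superantispyware|avast|eset|windowsupdate|microsoft'

$entries = foreach ($line in Get-Content $hostsFile) {
    $text = ($line -split '#')[0].Trim()        # drop comments and whitespace
    if (-not $text) { continue }
    $parts = $text -split '\s+'
    if ($parts.Count -lt 2) { continue }        # address without a name: malformed
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        New-Object PSObject -Property @{ Address = $parts[0]; Name = $name }
    }
}

# Suspect: a non-loopback target (the file is being used to redirect, not to
# block) or a loopback target for a site the cleanup depends on.
$suspect = @($entries | Where-Object {
    ($sinks -notcontains $_.Address) -or ($_.Name -match $mustReach)
})
"{0} host entries, {1} suspect" -f @($entries).Count, $suspect.Count
$suspect | Format-Table Address, Name -AutoSize

# Pointing this value at another directory hijacks name resolution without
# touching the well-known file, so check it too.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
```

A default Vista file yields two entries (127.0.0.1 and ::1 for localhost) and zero suspects; an hpHosts file yields thousands of entries, all pointing at 127.0.0.1, and again zero suspects unless a vendor name matches the assumed pattern.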

                      Joop


                        Re: UACd.sys Trojan
                        « Reply #20 on: February 06, 2010, 11:36:29 AM »
                        Hi,

                        Thanks for all the advice. I will enhance my PC's protection with the tools you're suggesting.

                        However, I am still stuck with my explorer.exe issue. As I already mentioned, if I log in to my main user account, explorer will die and restart and die and restart and so on. This means that I cannot use this user account.

                        You mentioned earlier that it was no biggie to get rid of that.
                        You made some suggestions, which I carried out, in another user account however, since the infected one is rendered useless.

                        Please advise. Thanks!

                        Dr Jay

                        Re: UACd.sys Trojan
                        « Reply #21 on: February 06, 2010, 12:06:48 PM »
                        Restore Permissions for explorer.exe

                        Please download Inherit by sUBs
                        • Drag and drop explorer.exe onto Inherit
                        • This shall restore permissions to the application
                        • The application should now run normally
                        Please indicate in your next post if this was successful.

                        Note: explorer.exe is located in the folder C:\windows
                        ~Dr Jay
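The same "restore permissions on explorer.exe" step with tools Windows already ships, plus the check a practitioner would add: that the file contents, not only its ACL, are still what Windows installed. This is an added example, not the Inherit tool from the post; it assumes an elevated prompt in any working account. The regsvr32 line at the end is Vista's own second suggestion from the crash dialog quoted earlier in the thread, with a placeholder path because the thread does not give one.

```powershell
# Added example, not the Inherit tool: inspect, reset and verify explorer.exe.
# Run from an elevated PowerShell prompt.
$exe = "$env:SystemRoot\explorer.exe"

# Inspect first. Inherited entries are tagged (I) in icacls output; a file whose
# ACL has been rewritten shows explicit entries instead, and the owner is often
# no longer TrustedInstaller.
icacls $exe
(Get-Acl $exe).Owner

# Reset the ACL to the inherited defaults of C:\Windows (what "restore
# permissions" means). takeown first: icacls refuses to touch a file the
# caller does not own.
takeown /F $exe
icacls $exe /reset

# A permissions fix does nothing if the contents were replaced. /verifyfile
# compares the file with the protected component store and only reports;
# /scanfile would repair it.
sfc "/verifyfile=$exe"

# If the crash dialog names a DirectShow filter (CLDemuxer.ax in this thread),
# unregistering it is Vista's own suggestion. Placeholder path: use the one
# the dialog shows.
# regsvr32 /u "C:\Path\From\The\Crash\Dialog\CLDemuxer.ax"
```

If sfc reports that the file is not the expected version, fix that before anything else; an ACL reset on a replaced binary only makes the replacement easier to run.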

                        Joop


                          Re: UACd.sys Trojan
                          « Reply #22 on: February 06, 2010, 01:09:17 PM »
                          Tried to download inherit, but got hit with the following:

                          C:\Users\xbox\AppData\Local\Temp\fgW_siwp.exe.part could not be saved, because the source file could not be read.

                          Try again later, or contact the server administrator.


                          Furthermore AVAST acted up. The WebShield blocked the following threat:

                          Object: ..../://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe|
                          Infection: Win32:Trojan-gen
                          Action: Connection aborted
                          Proces: firefox.exe


                          How to proceed?

                          Dr Jay

                          Re: UACd.sys Trojan
                          « Reply #23 on: February 06, 2010, 08:41:14 PM »
                          Disable the antivirus and try again please.

                          That happens all the time, but the actual tool is safe.
                          ~Dr Jay

                          Joop


                            Re: UACd.sys Trojan
                            « Reply #24 on: February 07, 2010, 04:03:17 AM »
                            Hi,

                            Did what you asked, no positive result.

                            Now, thinking about this, I wouldn't expect that something is wrong with explorer.exe anyway.
                            I have 5 user accounts on my computer and on 4 out of them it works as it should.
                            Only one account has this problem. Can it be that there is something wrong in the start-up procedure for this account? Again, I can not do any experiments on this user account, which might make it harder to analyze.

                            Any more ideas would be very much appreciated! Thanks again.


                            Dr Jay

                            Re: UACd.sys Trojan
                            « Reply #25 on: February 07, 2010, 01:57:46 PM »
                            Possibly.

                            Log in to another user account to do this method.

                            Save the account files for the account that is giving the problem.

                            Just copy the following folder and save it to a disc, flash drive or somewhere in another username's My Documents folder.

                            C:\Users\{USERNAME}


                            {USERNAME} is the name of the problem account. Copy that folder and save it somewhere.

                            Then go to Control Panel > User Accounts (add or remove user accounts)

                            Delete the problem user account by removing it and all of its files. (Remember that you made a backup of those files)


                            =====

                            Then, create a new account with the same username, and do the same process in reverse, by going to C:\Users and pasting the backup folder in the folder (Users).

                            Then, restart the computer and let me know if this issue still occurs.


                            ==

                            If you get Access Denied messages, let me know and we can Take Ownership of that folder.
                            ~Dr Jay
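The backup, delete, recreate and restore sequence from the post above as a script, including the take-ownership step it keeps in reserve. This is an added example and not from the thread; the account name is a placeholder, the backup drive is assumed to have room, and it must be run from an elevated PowerShell prompt while logged on to a different, working account. One deliberate difference from the post is spelled out in the comments: the two per-user registry hives are not copied back, because they are where an account's own startup and shell settings live, and copying them back would bring along whatever made explorer.exe crash only in that one account.

```powershell
# Added example, not from the thread: rebuild a single broken user profile.
# Run elevated from a *different*, working account.
$user   = "PROBLEMACCOUNT"                 # placeholder: the broken account
$backup = "D:\ProfileBackup\$user"         # assumed location with free space
$log    = "$env:TEMP\profile-backup.log"

# 1. Back up the profile. /XJ skips the junctions a Vista profile contains
#    ("Application Data" -> AppData\Roaming and friends); without it robocopy
#    follows them in circles. /COPYALL keeps ACLs and owners; /R:1 /W:1 stops
#    it retrying for minutes on files the broken account left locked.
robocopy "C:\Users\$user" $backup /E /COPYALL /XJ /R:1 /W:1 "/LOG:$log"

# 2. Delete the account *and* its directory. If C:\Users\$user is left behind,
#    the recreated account gets a folder named $user.COMPUTERNAME instead.
net user $user /delete
Remove-Item "C:\Users\$user" -Recurse -Force

# 3. Recreate the account (* prompts for a password). Its profile, including a
#    fresh NTUSER.DAT and UsrClass.dat (the per-user registry hives: Run keys,
#    shell settings, per-user COM/class registrations), is built on first logon.
net user $user * /add
Read-Host "Log on to $user once, log off, come back here and press Enter"

# 4. Copy the data back, leaving the old hives behind on purpose: restoring
#    them would restore whatever per-account setting was crashing explorer.exe.
robocopy $backup "C:\Users\$user" /E /COPYALL /XJ /R:1 /W:1 /XF NTUSER.DAT* UsrClass.dat*

# 5. The recreated account has a new SID, so ACLs copied back with /COPYALL
#    still name the old one. Give the new account ownership and full control.
#    This is also the cure for "Access denied" during either copy (run it
#    against $backup in that case). /D answers takeown's prompt; the letter
#    is locale dependent (Y on English Windows).
takeown /F "C:\Users\$user" /R /D Y
icacls "C:\Users\$user" /setowner $user /T /C
icacls "C:\Users\$user" /grant "${user}:(OI)(CI)F" /T /C
```

Keep the backup until the rebuilt account has been used for a while; if some setting turns out to be wanted after all, it can be exported from the old NTUSER.DAT by loading that hive under reg load and taking only the key concerned.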

                            Joop


                              Re: UACd.sys Trojan
                              « Reply #26 on: February 09, 2010, 12:01:04 PM »
                              Hi,

                              sorry for the late reply, work kept me busy (it happens  ;))

                              Followed your instructions and everything seems to be working ok again.

                              Let me know what I still need to do to declare my PC cured!

                              Whatever's next, thanks a lot for all your help. I enjoyed working with you. Couldn't have done it without you!

                              Cheers Peter

                              Dr Jay

                              Re: UACd.sys Trojan
                              « Reply #27 on: February 09, 2010, 09:37:17 PM »
                              Seems clean to me. :)
                              ~Dr Jay