Jump to content

Unable to Run Malbytes/limited HiJackthis


Recommended Posts

Good morning,

I am trying to 'fix' my friends computer and somehow he has broken everything...

Windows XP SP3

I cannot view the LAN adapter in Network Connections

There are 2 Network Connections in the Control Panel

I cannot install Avira (either get rctext.dll error or it just closes)

I cannot run MalwareBytes (Run-time erro '372' and vbalsgrid6.ocx)

I cannot use the search feature in windows.

I cannot click and drag.

I was only able to get HiJackThis working when I select the Diagnostic Startup option in MSCONFIG

file of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:35 AM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Trend Micro\HijackThis11\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243842045671
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe

End of file - 3290 bytes

Link to post
Share on other sites


Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Do not mouseclick combofix's window while it's running. That may cause it to stall

Link to post
Share on other sites

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

c:\windows\$NtServicePackUninstall$\eventlog.dll | C:\Windows\system32\eventlog.dll
c:\windows\$NtServicePackUninstall$\svchost.exe | C:\Windows\system32\svchost.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is everything running???

Link to post
Share on other sites

I still have 2 Network Connection Icons in the Control Panel

No Ethernet adapters in Network Connections (ipconfig /all shows the NIC and it appears to be statically assigned to (This comp needs to be statically configured with a different rage to access the internet))

No click and drag

Cant Run Avira (copys files and appears to start to install but just closes)

Cant Run Malbytes (Run-time error '372' and vbalsgrid6.ocx)

Thanks for the help.


Link to post
Share on other sites

Do me a favor and re-download ComboFix to your desktop. Thanks

It appears that you have an infected copy of svchost.exe. We will try to replace it with a good copy, but i need you to install the recovery console. Here are the instructions to allow ComboFix do it for you.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


Transfer all files you just downloaded, to the desktop of the infected computer.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Right-Click on My Computer ----> Click on Properties ---> Click on Hardware go to device manager

Under Network adapters

right click on the device and choose uninstall. Reboot your computer. You may need reconfigure how you get online if its not dhcp. Let me know though.

Otherwise we might have to rebuild your tcpip stack.

Link to post
Share on other sites

You are a wise sage. I just assumed it was good to go; however, it seems there may be some lingering issues. Some of which you may not be able to help resolve and I understand that.

Nevertheless, I get 2 pop-up when I start windows (see attached.) One mentions SQL database or server. I made sure the owned doesn't use or need a SQL database or server. The second is just a pop-up with no title or text...

The PC randomly freezes too. I could get thru a quickscan after you asked and had to reboot twice. It seems to be running longer now...

Lastly there are still 2 network connection icons in the control panel??







Link to post
Share on other sites

Okay the network connections folder appears normal to me. Local connection and 1394 icon are all okay. The MSN looks like an old one for maybe dailup.

For the other problem

Navigate to here

C:\documents and settings\all users\start menu\startup\Service Manager.lnk

delete that and you shouldn't have that other sql popup at startup.

Go ahead and run a full scan with antivir.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.