Jump to content


Recommended Posts

I am attempting to fix a Dell Inspiron 510m with XP Home, AVG free, Windows firewall. The symptoms were that it was slow and had problems connecting to the internet.

I ran Malwarebytes, which detected :-






Rootkit.Agent (which after reading the forum, appears to be a nasty one).

The removal using Malwarebytes and all seemed to be going well until the reboot.

Got the error message, "The application has failed to start as themed32.dll was not found. Reinstalling the application may fix this problem".

I tried to restore, but either the system checkpoint files have been deleted or unable to access them.

I am able to start windows in safe mode with a command prompt.

It was then that I found the Malwarebytes forum.

Defogger finished with no errors. Defogger didn't ask me to restart (as per the instructions), but I did it anyway.

Ran the dds.scr file. Got the failure message due to themed32.dll missing about 100 times, to which I clicked ok each time.

DDS.txt ==>

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL

Run by Bob at 17:36:45.35 on 16/06/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.354 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs



============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [kdx] c:\program files\kontiki\KHost.exe -all

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe

IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll/search.htm

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://sell-vehicle.ebay.co.uk/images/eps/eBay_Enhanced_Picture_Control_v1-0-3-50.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab

DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

Notify: req - c:\windows\system32\req.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-4 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 216200]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-22 29584]

S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 242896]

S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]

S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-6-7 59240]

S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-6-7 166632]

S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-1 916760]

S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-1 308064]

S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-27 54752]

S2 gupdate1c989ff22fd18c0;Google Update Service (gupdate1c989ff22fd18c0);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]

S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-6-7 840936]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-18 24652]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-06-16 16:19:25 0 ----a-w- c:\documents and settings\bob\defogger_reenable

2010-06-14 12:29:31 0 d-----w- C:\Dellfix2

2010-06-14 12:27:59 1677 ----a-w- C:\Dellfix

2010-06-14 08:18:18 50477 ----a-w- C:\Defogger.exe

2010-06-14 08:18:18 3707422 ----a-w- C:\ComboFix.exe

2010-06-14 08:18:18 293376 ----a-w- C:\qzb3qivg.exe

2010-06-13 16:30:37 0 d-----w- c:\windows\LastGood.Tmp

2010-06-13 09:25:15 0 d-----w- C:\78b3d2db2c8339f5c3

2010-06-12 20:15:33 0 d-----w- C:\6a81e9c1698b693065ba9f

2010-06-10 07:31:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-01 09:53:21 0 d--h--w- C:\$AVG

2010-06-01 09:51:58 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-06-01 09:50:57 0 d-----w- c:\windows\SxsCaPendDel

==================== Find3M ====================

2010-06-13 13:11:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-01 09:52:51 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-01 09:52:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-12 10:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-06 03:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll

2008-10-22 21:59:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 17:40:34.15 ===============

attach.txt should be attached to this post.

I didn't see an ark.txt file and am not sure where the malwarebytes logs are.

How can I fix this?



Link to post
Share on other sites

  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.


  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Link to post
Share on other sites

Just to clarify the situation.

The Dell laptop Inspiron won't connect to the internet, in fact it doesn't appear to have a usable desktop. It is started in safe mode with a command prompt. The access to this forum is via a clean PC. I am using a memory stick to transfer the downloaded diagnosis program files (e.g. dss.scr, combofix etc) to the C: drive of the infectect laptop and sending the results/log back via the stick.

XP Home was pre-installed on the laptop when bought new and Dell didn't supply the installation CD. I have contacted Dell requesting it be sent.

Situation so far and questions:-

1) done, combofix copied to a folder on the C: drive. (I have no desktop)

2) there is no system tray and the instructions to temporarily disable security tools seem to be applicable only if you have one.

I was able to go into windows task manager and kill processes such as AVG*.exe.

When I attempted to kill AAWService.exe it just restarts.

There is a process running called lsass.exe, which I believe is bad. Should I attempt to kill it or leave it?

The other running processes are:-






svchost.exe (x3)






system Idle Process SYSTEM

3) I haven't run Combofix yet, I will wait till you confirm what action I should take for step 2.


Link to post
Share on other sites

  • Root Admin

If your able to see any GUI (which seeing task manager seems to indicate you can) then please run it. If it won't run then try the following.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the
    Avira AntiVir Rescue System

  • Place a blank CD in your burner and double-click on the downloaded file named

  • If the above link does not work please try this one:

  • The program will automatically burn the CD for you.

  • Place the burned CD into the affected computer and start the computer from this CD.

  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

  • Click on the

    • Select
      Scan all files

    • Select
      Try to repair infected files
      Rename files, if they cannot be removed

    • Select
      Scan for dialers

    • Select
      Scan for joke programs (Jokes)

    • Select
      Scan for games

    • Select
      Scan for spyware (SPR)

    Click on
    Virus scanner

    Click on
    Start scanner
    at the bottom of the screen

    Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post
    if you're unable to view the entire screen of Avira.

  2. You can also review this one
    Fixed Rescue CD Resolution Probs with Dell Video

  3. Currently only the German keyboard is supported.
    Command Line not working
    English keyboards require work arounds.

  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.

Link to post
Share on other sites

Well that didn't go well....what could go wrong did go wrong.

There is no GUI to mention and no system tray. In normal mode every time I tried to end the AVG processes, they just restarted.

Went back into safe mode, this time the AVG processes ended with Task Manager.

I then started Combofix from the command prompt, but it said that AVG was still active and warned me that unpredictable results may occur if I continued, so I went for plan B.

Plan B, Use the Avira Antivir Rescue System CD.

Downloaded exec and burnt CD ok. Changed Dell laptop boot order to boot from CD, Linux came up ok. I selected Option 1: Boot AntiVir Rescue System (default).

As it is a Dell, the screen resolution was wrong (i.e. can't see the British flag or start scanner button).

I used "CTRL + ALT + BACKSPACE" to exit the graphical interface and then entered the command manually. ==> antivir -allfiles -z -ren /mnt/

Scan time 00:00:01

Rebooted, still same as before.

Is there a safe place I can download msconfig for XP, then I could update the startup list and prevent AVG from coming up and be able to run Combofix ?


Link to post
Share on other sites

  • Root Admin

Please try another one of the following. These type of infections are not going to be stopped by simply editing some startup lists.

LiveCD for Malware and Virus Removal

Here are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair if needed.

All of them except Avira are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

Avira AntiVir Rescue System

BitDefender LiveCD

Dr Web LiveCD

F-Secure Rescue CD

Kaspersky RescueDisk

For those users that need a FREE utility to properly burn the ISO image


How to write an image file to a disc with ImgBurn

If you do have the time, and required software you can build a UBCD4W that has a wealth of repair tools on it.

Link to post
Share on other sites

I didn't expect to fix the problem by editing the startup list, but I was hoping to use it to prevent AVG starting so that I could run Combofix.

Avira Antivir didn't work.

BitDefender ran ok, but didn't find anything.

Are there any of the others that are more likely to be successful for a problem like this?

Link to post
Share on other sites

  • Root Admin

Without being able to logon to a GUI Desktop or the Windows install CD it is probably going to be very difficult to track down the actual issue. We don't know if it's damage from this infection or an install or damage from registry issues or from trying to do a recovery.

If you can find or borrow a Windows XP Home CD then you can run SFC to attempt a repair.

How to Use SFC.EXE to Repair System Files

Link to post
Share on other sites

I ran SFC.exe which finished without finding any missing files. I borrowed an XP Home CD, which I put in the drive and attempted to run recovery, but was stopped as I didn't know the Admin password. (It wasn't blank)

After rebooting, the GUI was back, so I plugged an ethernet cable in to get the latest Malwarebytes database and ran a scan which found 5 objects:-

3 occurrences of Trojan.Agent in the Registry,

Backdoor.Bot also in the registry

and Worm.Prolaco in a system restore file.

I haven't attempted to remove them as I will wait for you suggestion as to the next action to take since the GUI is back.

btw, Dell wanted

Link to post
Share on other sites

  • Root Admin

Please post the full MBAM log for me.

Are you saying that aside from these detections in the log the system now appears to be okay and that error is no longer coming up?

Please run a new DDS scan and post back it's logs as well.

and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click
to run the tool.

When done, the
will open.

Click Yes at the next prompt for Optional Scan.

    When done, DDS will open two (2) logs:

  1. DDS.txt

  2. Attach.txt

  • Save both reports to your desktop

  • Please include the following logs in your next reply:

Link to post
Share on other sites

The Themed32.dll not found error has gone away.

There is another new error I get, but I don't it is related to this problem. (I think it is self inflicted...sorry).

"Error loading C:\WINDOWS\uxarbiyixevoyoh.dll. The specified module could not be found."

mbam log:-

Malwarebytes' Anti-Malware 1.46


Database version: 4222

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

21/06/2010 23:55:10

mbam-log-2010-06-21 (23-55-10).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 224929

Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrumegemida (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe (Worm.Prolaco) -> No action taken.


I have attached the DDS.txt and Attach.txt files as requested.



Link to post
Share on other sites

  • Root Admin

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:


  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

Then update Malwarebytes and and do another scan. Make sure you have it fix anything it finds and post back the new log as well.

Link to post
Share on other sites

  • Root Admin

Please click on START - RUN and copy/paste the following entry into the run line and click OK.

CMD /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /v aux /t REG_SZ /d wdmaud.drv /f

Then update your Anti-Virus and do a FULL system scan and let me know if it finds anything or not.

Link to post
Share on other sites

  • Root Admin

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.


Please read the following topic: So how did I get infected in the first place?

Take care.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.