Solve : UACd.sys Trojan?

1.	Solve : UACd.sys Trojan?
Answer» Please open Malwarebytes, click the Scanner TAB, select Perform Quick Scan, and press Scan. Remove selected, and POST the log in your next reply.Hi, it found nothing.... Malwarebytes' Anti-Malware 1.44 Database version: 3673 Windows 6.0.6002 Service Pack 2 Internet Explorer 8.0.6001.18882 5-2-2010 19:49:24 mbam-log-2010-02-05 (19-49-24).txt Scan type: Quick Scan Objects scanned: 151494 Time elapsed: 5 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) To manually create a new RESTORE Point Go to Control Panel and select System and Maintenance Select System On the left select Advance System Settings and accept the warning if you get one Select System Protection Tab Select Create at the bottom Type in a name i.e. Clean Select Create Now we can purge the infected ones Go back to the System and Maintenance page Select Performance Information and Tools On the left select Open Disk Cleanup Select Files from all users and accept the warning if you get one In the drop down box select your main drive i.e. C For a few moments the system will make some calculations Select the More Options tab In the System Restore and Shadow Backups select Clean up Select Delete on the pop up Select OK Select Delete You are now done To remove all of the tools we used and the files and folders they created, please do the following: Please download OTC.exe by OldTimer: Save it to your Desktop. Double click OTC.exe. Click the CleanUp! button. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes. Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. == Please download TFC by OldTimer to your desktop Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. == Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document. Hi DM Jay, I executed according to you instructions. The log is attached. Thanks! [Saving space, attachment deleted by admin]Please download the newest version of Adobe Acrobat Reader from Adobe.com Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable. Go to the Control Panel and enter Add or Remove Programs. SEARCH in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them. Once old versions are gone, please install the newest version. == Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection. Software recommendations Firewall Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version. Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first. PC Tools Firewall Plus: free and excellent firewall. AntiSpyware SpywareBlaster SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here. Spybot - Search & Destroy. Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot). NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. Resident Protection help A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them. Rogue programs help There are a lot of rogue programs out there that want to scare you into giving them your money and some malware ACTUALLY claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm Securing your computer Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there. hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future. Please consider using an alternate browser Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option. If you are interested: Firefox may be downloaded from here: http://www.getfirefox.com Opera is available here: http://www.opera.com/download/ See this page for more info about malware and prevention.Hi, Thanks for all the advice. I will enhance my PC's protection with the tools you're suggesting. However, I am still stuck with my explorer.exe issue. As I already mentioned, if I log in to my main user account, explorer will die and restart and die and restart and so on. This makes that I can not use this user account. You mentioned earlier that it was no biggie to get rid of that. You did some suggestions which I carried out, in another user account however, since the infected one is rendered useless. Please advice. Thanks!Restore Permissions for explorer.exe Please download Inherit by sUBs Drag and drop explorer.exe onto Inherit This shall restore permissions to the application The application should now run normally Please indicate in your next post if this was successful. Note: explorer.exe is located in the folder C:\windowsTried to download inherit, but got hit with the following: C:\Users\xbox\AppData\Local\Temp\fgW_siwp.exe.part could not be saved, because the source file could not be read. Try again later, or contact the server administrator. Furthermore AVAST acted up. The WebShield blocked the following threat: Object: ..../://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe\| Infection: Win32:Trojan-gen Action: Connection aborted Proces: firefox.exe How to proceed?Disable the antivirus and try again please. That happens all the time, but the actual tool is safe.Hi, Did what you asked, no positive result. Now, thinking about this, I wouldn't expect that something is wrong with explorer.exe anyway. I have 5 user accounts on my computer and on 4 out of them it works as it should. Only one account has this problem. Can it be that there is something wrong in the start-up procedure for this account? Again, I can not do any experiments on this user account, which might make it harder to analyze. Any more ideas would be very much appreciated! Thanks again. Possibly. Log in to another user account to do this method. Save the account files for the account that is giving the problem. Just copy the following folder and save it to a disc, flash drive or somewhere in another username's My Documents folder. C:\Users\{USERNAME} {USERNAME} is the name of the problem account. Copy that folder and save it somewhere. Then go to Control Panel > User Accounts (add or remove user accounts) Delete the problem user account by removing it and all of its files. (Remember that you made a backup of those files) ===== Then, create a new account with the same username, and do the same process in reverse, by going to C:\Users and pasting the backup folder in the folder (Users). Then, restart the computer and let me know if this issue still occurs. == If you get Access Denied messages, let me know and we can Take Ownership of that folder.Hi, sorry for the late reply, work kept me busy (it happens ) Followed your instructions and everything seems to be working ok again. Let me know what I still need to do to declare my PC cured! What ever's next, thanks a lot for all your help. I enjoyed working with you. Couldn't have done it without you! Cheers PeterSeems clean to me.

Answer»

Please open Malwarebytes, click the Scanner TAB, select Perform Quick Scan, and press Scan. Remove selected, and POST the log in your next reply.Hi,

it found nothing....

Malwarebytes' Anti-Malware 1.44
Database version: 3673
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

5-2-2010 19:49:24
mbam-log-2010-02-05 (19-49-24).txt

Scan type: Quick Scan
Objects scanned: 151494
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
To manually create a new RESTORE Point

Go to Control Panel and select System and Maintenance
Select System
On the left select Advance System Settings and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name i.e. Clean
Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page
Select Performance Information and Tools
On the left select Open Disk Cleanup
Select Files from all users and accept the warning if you get one
In the drop down box select your main drive i.e. C
For a few moments the system will make some calculations
Select the More Options tab
In the System Restore and Shadow Backups select Clean up
Select Delete on the pop up
Select OK
Select Delete

You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Hi DM Jay,

I executed according to you instructions. The log is attached.

Thanks!

[Saving space, attachment deleted by admin]Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
SEARCH in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

SpywareBlaster
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
Spybot - Search & Destroy.
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware ACTUALLY claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

See this page for more info about malware and prevention.Hi,

Thanks for all the advice. I will enhance my PC's protection with the tools you're suggesting.

However, I am still stuck with my explorer.exe issue. As I already mentioned, if I log in to my main user account, explorer will die and restart and die and restart and so on. This makes that I can not use this user account.

You mentioned earlier that it was no biggie to get rid of that.
You did some suggestions which I carried out, in another user account however, since the infected one is rendered useless.

Please advice. Thanks!Restore Permissions for explorer.exe

Please download Inherit by sUBs

Drag and drop explorer.exe onto Inherit
This shall restore permissions to the application
The application should now run normally

Please indicate in your next post if this was successful.

Note: explorer.exe is located in the folder C:\windowsTried to download inherit, but got hit with the following:

C:\Users\xbox\AppData\Local\Temp\fgW_siwp.exe.part could not be saved, because the source file could not be read.

Try again later, or contact the server administrator.

Furthermore AVAST acted up. The WebShield blocked the following threat:

Object: ..../://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe|
Infection: Win32:Trojan-gen
Action: Connection aborted
Proces: firefox.exe

How to proceed?Disable the antivirus and try again please.

That happens all the time, but the actual tool is safe.Hi,

Did what you asked, no positive result.

Now, thinking about this, I wouldn't expect that something is wrong with explorer.exe anyway.
I have 5 user accounts on my computer and on 4 out of them it works as it should.
Only one account has this problem. Can it be that there is something wrong in the start-up procedure for this account? Again, I can not do any experiments on this user account, which might make it harder to analyze.

Any more ideas would be very much appreciated! Thanks again.

Possibly.

Log in to another user account to do this method.

Save the account files for the account that is giving the problem.

Just copy the following folder and save it to a disc, flash drive or somewhere in another username's My Documents folder.

C:\Users\{USERNAME}

{USERNAME} is the name of the problem account. Copy that folder and save it somewhere.

Then go to Control Panel > User Accounts (add or remove user accounts)

Delete the problem user account by removing it and all of its files. (Remember that you made a backup of those files)

=====

Then, create a new account with the same username, and do the same process in reverse, by going to C:\Users and pasting the backup folder in the folder (Users).

Then, restart the computer and let me know if this issue still occurs.

==

If you get Access Denied messages, let me know and we can Take Ownership of that folder.Hi,

sorry for the late reply, work kept me busy (it happens )

Followed your instructions and everything seems to be working ok again.

Let me know what I still need to do to declare my PC cured!

What ever's next, thanks a lot for all your help. I enjoyed working with you. Couldn't have done it without you!

Cheers PeterSeems clean to me.

Solve : UACd.sys Trojan?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment