Help me fix this so my son won't be grounded for life

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by InAMess, Dec 4, 2004.

  1. InAMess

    InAMess Private E-2

    First time to post....thanks to all who make this forum possible.

    My darling little almost 15 yr old son may be grounded for life if y'all can't help me get this fixed.....(who has found out the hard way there is no such thing as "free pics of sexy girls")

    In the past week I've deleted thousands of spyware/malware items before I found this forum.

    I've read:
    http://forums.majorgeeks.com/showthread.php?t=35407
    and followed all steps.

    Trend Micro got rid of 48 trojans! :rolleyes:
    Ran all other suggested programs listed in the tutorial...most found things and fixed them.

    I am still infected with a download.trojan

    located at:
    c:\winnt\system32\lfyy4szuvn4.dll

    I cannot delete it using Norton or a manual delete in safe mode. Get message:
    access denied...check if disk not full or write-protected...or file in use.

    I think there are still www.coolwebsearch issues as well.

    I just wanted to check in with the experts before I proceed to the Hijack This portion of the tutorial. Do I need to get rid of this virus before I continue? And if so, can you point me in the right direction to find instructions to do so?

    Thank you!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi InAMess,

    Please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    **** How many user Accounts are on your computer?

    Somebody will take a look at your log when they get a chance.

    Best :)
    PP
     
  3. InAMess

    InAMess Private E-2

    Hi PhilliePhan,

    Here is my log file.

    User accounts on computer are
    administrator and owner
    I use owner

    thank you!
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi InAMess,

    AFTER we get you cleaned up, you MUST go to Windows Updates and get Updated. You are Waaay behind!!

    Please download this tool: Pocket KillBox and keep it handy.

    I (or someone else) will check back this evening if I get a chance. Please be Patient!

    PP :)
     
  5. InAMess

    InAMess Private E-2

    Hi InAMess,

    AFTER we get you cleaned up, you MUST go to Windows Updates and get Updated. You are Waaay behind!!

    The story of my life...I'm always behind on something. ;)

    Please download this tool: Pocket KillBox and keep it handy.

    Got it.

    I (or someone else) will check back this evening if I get a chance. Please be Patient!

    I'll check back later tonight for more instructions.
    Thank you.
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Start with uninstalling Privacy Scanner. It's a bogus program. Then make sure you've run About:Buster
    http://majorgeeks.com/download4289.html


    You have Trojans on your machine, so make sure you run the alternate scans listed at the bottom of our tutorial.

    Find this file and delete it
    C:\WINNT\Temp\RecoverFromReboot.exe

    when you're done reboot and load up HJT

    delete the following but make sure you DO NOT have your web browser open. If need be, print this out

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nqjfk.dll/sp.html#28129
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe
    O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - AppInit_DLLs: lfyy4szuvn4m.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/157b0b2e567ef5059219/netzip/RdxIE601.cab


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing)
     
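The HijackThis lines Kodo lists above are the raw material of this kind of cleanup, and a helper can't always be waiting to read them. As an added example (not code from the thread, from MajorGeeks, or from HijackThis itself), here is a small triage script that runs over the log lines quoted in this post, constructed into a sample, and applies the same reasoning a helper applies by eye: an `O20 - AppInit_DLLs` entry is loaded into every process that maps `user32.dll`, which is exactly why the file is always "in use" and resists deletion; an `R0`/`R1` entry pointing at `res://...dll` is a CoolWebSearch-style start-page hijack; an `O4` autorun launching from a `Temp` directory is suspect; `(file missing)` entries are orphans that are safe to fix. The rule set and severity labels are my own assumptions, and the `ExampleApp` line is a made-up benign entry so a clean line gets classified too.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the HijackThis 1.98 entries quoted in the post above,
# plus one made-up benign autorun line (ExampleApp) so a clean entry is seen.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nqjfk.dll/sp.html#28129
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINNT\Temp\RecoverFromReboot.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: lfyy4szuvn4m.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

# Every HJT entry starts with a section tag such as R0, O4 or O20, then " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium", "low" or "info" (assumed labels)
    reason: str
    entry: str


def classify(section: str, body: str) -> tuple[str, str]:
    """Map one HJT entry to a severity and a one-line reason (rules are my own)."""
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return "high", ("AppInit_DLLs entry: the DLL is loaded into every process that maps "
                            "user32.dll, so it is always in use and regsvr32 /u or del fail "
                            "while Windows is running")
    if section in ("R0", "R1") and "res://" in body:
        return "high", "IE start/search page points at a resource inside a DLL (CoolWebSearch-style hijack)"
    if section == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
        return "high", "autorun entry launches a program from a Temp directory"
    if section == "O6":
        return "medium", "IE restriction policy present; confirm it was set on purpose"
    if body.endswith("(file missing)"):
        return "low", "orphaned entry, target file no longer exists; safe to fix"
    return "info", "no rule matched; verify by hand"


def triage(log_text: str) -> list[Finding]:
    """Parse every HJT entry in the text and attach a severity to it."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, anything that is not an HJT entry
        severity, reason = classify(m["section"], m["body"])
        findings.append(Finding(m["section"], severity, reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a log can be judged at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:3} {f.reason}")
        print(f"         {f.entry}")
    print(summarize(results))
```

Run against the sample it reports three high findings (the `R0` hijack, the Temp autorun and the `AppInit_DLLs` DLL), which matches the three entries the helpers spent the rest of the thread chasing; the two `O4` lines it cannot judge are left as "info" rather than guessed at, which is the right default for an automated first pass.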
  7. InAMess

    InAMess Private E-2

    Find this file and delete it
    C:\WINNT\Temp\RecoverFromReboot.exe

    When I look in the C:\WINNT\Temp folder it is empty. I have it set to show hidden files.
    What should I do?
    Thanks.
     
  8. InAMess

    InAMess Private E-2

    Something else I'm getting bogged down with...

    RavAntivirus found 47 trojans but said I had to delete them manually.

    There are a few I can't find:
    C:\WINNT\n_yajqxe.dat
    is one example

    There are some that have more than one possibility and I don't know which one to delete:
    C:\WINNT\unwise32.ini->ADS:ctiei
    is one example
    There are 4 different "unwise" things in there...but not one that matches this exactly.

    Am I just too unsavvy to do this?
    Help!
     
  9. Kodo

    Kodo SNATCHSQUATCH

  10. InAMess

    InAMess Private E-2


    Did that.
    What is the next step? Is it time to send y'all another HijackThis log?

    I still have the Download.Trojan virus:
    C:\WINNT\System32\lfyy4szuvn4.dll

    Thank you.
     
  11. InAMess

    InAMess Private E-2

    Everything fixed except coolwebsearch and download.trojan

    I have done everything that was suggested in my previous thread -

    http://forums.majorgeeks.com/showthread.php?t=48821

    and y'all have done wonders.
    I seem to be down to two problems.
    CoolWebSearch and an unremovable Download.trojan located at:
    C:\WINNT\System32\lfyy4szuvn4.dll

    Can you help me with these remaining problems?
    Thank you

    Just FYI, with your help I've gotten rid of the win-eto nightmare and gone from Ad-Aware finding over 700 baddies to just the coolwebsearch showing up. I've cleaned out at least 50 trojans and am down to just one that I can't delete.
    Thank you so very much!
     
  12. InAMess

    InAMess Private E-2

    Re: Everything fixed except coolwebsearch and download.trojan

    Sorry...I forgot to put this in original post.
    Why doesn't CWShredder "see" the coolwebsearch stuff on my computer?
    When I run it, it says I'm not infected but ad-aware and Spybot keep finding and fixing it.
     
  13. Kodo

    Kodo SNATCHSQUATCH

    Boot to safe mode
    go to start-->run
    type

    regsvr32 /u C:\WINNT\System32\lfyy4szuvn4.dll
    hit enter

    let us know if it failed or succeeded. Hit ok to the prompt.
    If it succeeded then go to start--> run type CMD and hit enter

    at the prompt type
    del C:\WINNT\System32\lfyy4szuvn4.dll
    hit enter

    let us know if it finds the file and deletes it.
     
  14. InAMess

    InAMess Private E-2

    Hi Kodo,

    It failed. :(

    I wasn't sure if it mattered which account I did it in, so I did it both accounts on my computer and both failed.
     
  15. Kodo

    Kodo SNATCHSQUATCH

    post another log.
    This time around, make sure you do NOT reboot the computer until I reply. Doing so will trigger the dll to mutate again and we'll have to look for a new file name.
     
  16. InAMess

    InAMess Private E-2

    Posting new log.
    Thanks
     


  17. Kodo

    Kodo SNATCHSQUATCH

    find and delete this file
    C:\WINNT\System32\riulndlp.exe

    next go to start -> run, type CMD and hit enter

    now type DIR /S lfyy4szuvn4m.dll
    hit enter

    it will take some time but I want to make sure we find it.
    If found, take the location that it displays and type this at the prompt

    regsvr32.exe /u [file location here]\lfyy4szuvn4m.dll

    An example may look like this, but it may not necessarily be the same location:
    regsvr32.exe /u c:\windows\system32\lfyy4szuvn4m.dll

    then do
    del [file location]\lfyy4szuvn4m.dll


    Make sure you don't use [], I used that as a place holder.
    do this, report back..do not reboot.
     
  18. InAMess

    InAMess Private E-2

    Kodo...I can't find
    C:\WINNT\System32\riulndlp.exe
    I right clicked start -> explore -> C: -> WINNT -> System32
    in the alphabetized list it goes from richtx32.ocx to rmoc3260.dll
    I tried start -> search and typed in riulndlp.exe (checked in hidden files and folders)
    It didn't find anything.

    I did not do the rest of your instructions...waiting to hear if you want me to do that since I could not find and delete this file.

    Thanks.
     
  19. Kodo

    Kodo SNATCHSQUATCH

    go onto the rest of the instructions, only do the same set of instructions for both files.
     
  20. InAMess

    InAMess Private E-2

    Hi Kodo

    for both it said "file not found"

    However, right before I hit start, the whole computer froze up for about 30 seconds, then the desktop kind of hiccupped...everything just winked out of existence for a couple of seconds and then came back and then blinked before holding steady again.

    Could it have mutated during all that?
    I have to go pick up my son from school...but will check back in as soon as I get home.

    Thanks
     
  21. Kodo

    Kodo SNATCHSQUATCH

    only way to find out is to post a new log.
    I have a few more ideas to try too.
     
  22. InAMess

    InAMess Private E-2

    Posting new log.
     


  23. PhilliePhan

    PhilliePhan Guest

    Hey Guys,

    Don't want to get in the way or step on any toes, but you could try using Pocket KillBox to delete that pesky O20 - AppInit_DLLs: lfyy4szuvn4m.dll.
    That's why I asked InAMess to download it in the first place.

    Just use the Delete on Reboot option and click the Folder Icon to navigate to (or Copy and Paste) C:\WINNT\System32\lfyy4szuvn4m.dll

    You might want to do the same for this one: C:\WINNT\System32\riulndlp.exe - Just Copy and Paste it into KillBox as well when you do the other one.
    If you can't see them, copy and paste anyway. Killbox will tell you if it can't find the entry.

    Just an idea.
    Sorry if I got in the way. Thrash me if you wish!! ;)

    PP
     
  24. InAMess

    InAMess Private E-2

    I downloaded that and the post said to keep it handy but that was the last mention made to the program.
    No thrashing from me, PP :) ....but I don't want to do anything I'm not supposed to.

    Kodo...do you want me to do the above instructions?

    I've been told not to reboot computer until further instructions so I'm holding there for now.

    Ready and waiting for further instructions. (oh gwad, I think I just saluted) :D
     
  25. Kodo

    Kodo SNATCHSQUATCH

    PP beat me to it.. do exactly as he directs. I had to go to school so I could not respond. I just got home.
     
  26. InAMess

    InAMess Private E-2

    Oh guys....you have done so much!!!

    The virus is gone. The Norton pop-up window is gone. A full Norton scan shows a big beautiful zero infections.

    Killbox took care of
    C:\WINNT\System32\lfyy4suvn4m.dll
    with no problem.

    For
    C:\WINNT\System32\riuindlp.exe
    I got this message:
    PendingFileRenameOperationsRegistryDataHasBeenRemovedByExternalProcess!

    I ran ad-aware and there is only 1 critical item:
    CoolWebSearch Registry Key

    I have the Ad-Aware log...do you want to see it?

    Can I start doing the things recommended in the Sticky "How to protect yourself" or do I wait for resolution on CoolWebSearch first?


    I want you both to know....I'm developing feelings for you!!! ;)
     
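PhilliePhan's "Delete on Reboot" option and the `PendingFileRenameOperationsRegistryDataHasBeenRemovedByExternalProcess!` message InAMess got in the post above are two sides of the same mechanism: a delete-on-reboot request is queued as a pair of strings in the `REG_MULTI_SZ` value `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations` (source path in `\??\C:\...` form, then an empty destination for a delete, or a destination path, optionally prefixed with `!` to replace an existing file, for a rename), and Session Manager carries the queue out at the next boot. The KillBox message means that, when it re-checked, the entry it had written was no longer there, which is why the queue is worth inspecting before rebooting. As an added example (not code from the thread or from KillBox), here is a parser for that value that lists the queued operations and answers the one question a cleaner wants answered, "is my delete still queued?"; the sample value is constructed from the two file names in the thread plus a made-up rename pair (`update.tmp` to `helper.dll`), and the `read_live_pfro` helper is an assumed convenience that only works on Windows and returns an empty list elsewhere.

```python
from __future__ import annotations

from dataclasses import dataclass

# NT-native path prefix that MoveFileEx stores in front of Win32 paths.
NT_PREFIX = "\\??\\"

# Constructed sample value, as winreg would return the REG_MULTI_SZ list:
# two queued deletes (the thread's file names) and one made-up rename with the
# "!" replace-existing flag. Entries always come in source/destination pairs.
SAMPLE_PFRO = [
    r"\??\C:\WINNT\System32\lfyy4szuvn4m.dll", "",
    r"\??\C:\WINNT\System32\riulndlp.exe", "",
    r"\??\C:\WINNT\Temp\update.tmp", r"!\??\C:\WINNT\System32\helper.dll",
]


@dataclass
class PendingOp:
    kind: str               # "delete" or "rename"
    source: str             # Win32 path with the \??\ prefix removed
    destination: str        # "" for a delete
    replace_existing: bool  # the "!" flag on a rename destination


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pfro(values: list[str]) -> list[PendingOp]:
    """Turn the raw multi-string list into a list of queued operations."""
    if len(values) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt_prefix(src), "", False))
        else:
            replace = dst.startswith("!")
            ops.append(PendingOp("rename", _strip_nt_prefix(src),
                                 _strip_nt_prefix(dst.lstrip("!")), replace))
    return ops


def is_delete_queued(ops: list[PendingOp], path: str) -> bool:
    """True if a delete (not a rename) of this path is waiting for the next boot.
    Windows paths are case-insensitive, so compare case-folded."""
    target = path.lower()
    return any(op.kind == "delete" and op.source.lower() == target for op in ops)


def read_live_pfro() -> list[str]:
    """Assumed helper: read the live value on Windows via winreg.
    Returns [] when the value is absent or when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            return list(value)
    except OSError:
        return []


if __name__ == "__main__":
    raw = read_live_pfro() or SAMPLE_PFRO  # fall back to the constructed sample
    for op in parse_pfro(raw):
        if op.kind == "delete":
            print(f"delete  {op.source}")
        else:
            flag = " (replace existing)" if op.replace_existing else ""
            print(f"rename  {op.source} -> {op.destination}{flag}")
    print("lfyy4szuvn4m.dll delete queued:",
          is_delete_queued(parse_pfro(raw), r"C:\WINNT\System32\lfyy4szuvn4m.dll"))
```

If `is_delete_queued` comes back `False` for a file you just asked KillBox to remove on reboot, something else (another cleanup tool, an installer, or the malware's own watchdog) rewrote the value in between, and rebooting will not delete the file; queue it again and check once more before restarting.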
  27. Kodo

    Kodo SNATCHSQUATCH

    did you remove that key with ad-aware?
     
  28. InAMess

    InAMess Private E-2

    Hi Kodo,

    Yes I did...just as I have countless times in the last week but it always comes back so I didn't think much about it, just figured it would be the next thing we started working on.

    I just saw your message this morning...I want you to know that I came in here and checked this board *before coffee*! and so I ran another Ad-Aware scan.

    Guess what?

    I'm CLEAN!!!!!!

    I love you guys....thank you so much.
     
  29. Kodo

    Kodo SNATCHSQUATCH

  30. PhilliePhan

    PhilliePhan Guest

    I agree with Kodo. Definitely implement some of the suggestions in the link he gave. Especially the keeping your Windows Updated part!!

    Happy Holiday Computing :)

    PP
     
