Please help -- malware/trojan infestation!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by timzahm, Jan 9, 2007.

  1. timzahm

    timzahm Private E-2

    Despite my best efforts to use a firewall and PC-Cillin antivirus and website blocking software, I got something infecting my system. Every so often when browsing the web, I get a pop up window to some site (usually starts with url.cpvfeed.com) that is thankfully blocked by PC-Cillin. Internet explorer also is much slower to respond and sometimes becomes "de-activated" in Windows (the IE window is still on the screen, but the title bar is grayed out with nothing else becoming active).

    I have run all the scans in the readme thread and the logs are attached. Many thanks to whoever can help me!!
     

    Attached Files:

  2. timzahm

    timzahm Private E-2

    the rest of the logs...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Well actually you picked up more than one infection. On a quick glance thru your logs I see at least 6 infections.

    This will take a few iterations, so let's get started.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run this ViewpointKiller to remove Viewpoint Media software.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 4
    CounterSpy <-- it is only a trial and we are finished with it now
    Outerinfo <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now attach the below new logs and tell me how the above steps went.

    1. Combofix
    2. GetRunKey
    3. ShowNew
    4. HJT
    We still have a bunch to do so don't be alarmed if you still see problems. We will get it all soon.
     
    Last edited: Jan 10, 2007
  4. timzahm

    timzahm Private E-2

    I ran combofix and viewpointkiller -- the log for the first and a screenshot from the second are attached.

    Then I tried to remove those three programs, but when I clicked on the Add/Remove Programs icon, I got an error message saying I was missing a dll file (screenshot is attached).

    I then went ahead and installed the Java program and ran the three scans, whose logs will follow in my next post.
     

    Attached Files:

  5. timzahm

    timzahm Private E-2

    GetRunKey, ShowNew, and HijackThis logs...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it said you were missing an EXE file, rundll32.exe to be exact. You need to replace this file. Let's see if we can locate one on your PC.

    Click Start and select Search
    Now Select "All files and folders"
    Enter the rundll32.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button. Tell me where you find matches. There may be a few.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you post the results from the search in message number 6, continue with the below.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to COM+ Messages
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winuqw32.dll once and then click the kill button. After you have killed all of the winuqw32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    ddabb.dll
    xxyyawt.dll

    Next double click on explorer.exe and again click once on each instance of winuqw32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    ddabb.dll
    xxyyawt.dll

    Next double click on iexplore.exe and again click once on each instance of winuqw32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    ddabb.dll
    xxyyawt.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Program Files\Common Files\{606A9EA4-069B-1033-0326-060511240001}\Update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {41B07E95-F847-4738-B9E0-F1E9F5324797} - C:\WINDOWS\system32\ddabb.dll
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\jefuriom.dll (file missing)
    O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\xxyyawt.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tvbacabs.dll",setvm
    O4 - HKLM\..\Run: [{606A9EA4-069B-1033-0326-060511240001}] "C:\Program Files\Common Files\{606A9EA4-069B-1033-0326-060511240001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjas.dll,startup
    O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll
    O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
    O20 - Winlogon Notify: xxyyawt - xxyyawt.dll (file missing)
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\Tim Hurley\Local Settings\Temporary Internet Files\Content.IE5\9O1IB923\mulbin32[1].exe
    C:\Documents and Settings\Tim Hurley\Local Settings\Temporary Internet Files\Content.IE5\AMVZ27K1\antzom[1].exe
    C:\Program Files\Outerinfo\OiUninstaller.exe
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    C:\Program Files\Common Files\{606A9EA4-069B-1033-0326-060511240001}\Update.exe
    C:\WINDOWS\system32\wnsintcc.exe
    C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\drvjas.dll
    C:\WINDOWS\system32\khffefg.dll
    C:\WINDOWS\system32\tvbacabs.dll
    C:\WINDOWS\system32\winuqw32.dll
    C:\WINDOWS\system32\zwpa.dll
    C:\WINDOWS\system32\bbadd.ini
    C:\WINDOWS\system32\bbadd.bak2
    C:\WINDOWS\system32\bbadd.bak1
    C:\WINDOWS\system32\sbacabvt.ini
    C:\WINDOWS\system32\xxyyawt.dll
    C:\WINDOWS\system32\svchosts.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{306A9EA4-069B-1033-0326-060511240001}
    C:\Program Files\Common Files\{606A9EA4-069B-1033-0326-060511240001}
    C:\Program Files\Outerinfo

    Now run Ccleaner

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Tim Hurley\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
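The instructions in post #7 are a manual triage of HijackThis output: orphaned "(file missing)" entries, Winlogon Notify DLLs, Run values that use rundll32.exe to load a DLL, a service with no owner and a lookalike name (svchosts.exe vs svchost.exe). As an added example that is not part of this thread or of the HijackThis tool, the script below parses HJT-style O2/O4/O20/O23 lines and reports those same indicators mechanically. The sample input is the set of lines quoted in post #7 plus one constructed benign service line; the list of system binary names used for the lookalike check is an assumption of mine, and the heuristics are review flags, not verdicts (the QuickTime entry, for instance, is not flagged even though the helper asked for it to be removed).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the HijackThis lines quoted in post #7 of the thread,
# plus one made-up benign O23 line so the output shows what is left alone.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {41B07E95-F847-4738-B9E0-F1E9F5324797} - C:\WINDOWS\system32\ddabb.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\jefuriom.dll (file missing)
O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\xxyyawt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tvbacabs.dll",setvm
O4 - HKLM\..\Run: [{606A9EA4-069B-1033-0326-060511240001}] "C:\Program Files\Common Files\{606A9EA4-069B-1033-0326-060511240001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjas.dll,startup
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O20 - Winlogon Notify: xxyyawt - xxyyawt.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Example Backup Service - Example Vendor Inc. - C:\Program Files\Example\backupsvc.exe
"""

# Assumed list of Windows binary names that lookalikes imitate (my choice, not from the thread).
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "explorer.exe", "winlogon.exe",
                         "lsass.exe", "services.exe", "csrss.exe"}

# A drive-letter path ending in .exe/.dll; stops at a quote or comma so "path.dll",export parses.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n,]*?\.(?:exe|dll))', re.IGNORECASE)
BARE_FILE_RE = re.compile(r'(\S+\.(?:exe|dll))', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    name = filename.lower()
    for known in KNOWN_SYSTEM_BINARIES:
        if name != known and levenshtein(name, known) == 1:
            return known
    return None


@dataclass
class Finding:
    section: str
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with every review reason that applies, or None if the line is unremarkable."""
    line = line.strip()
    m = re.match(r"(O\d+) - ", line)
    if not m:
        return None
    section = m.group(1)
    pm = PATH_RE.search(line) or BARE_FILE_RE.search(line)
    path = pm.group(1) if pm else None
    filename = path.rsplit("\\", 1)[-1] if path else None
    reasons = []
    if "(file missing)" in line:
        reasons.append("entry points at a file that no longer exists (orphaned loader entry)")
    if section == "O20":
        reasons.append("Winlogon Notify DLL loads inside winlogon.exe at logon; legitimate entries are rare")
    if section == "O2" and "(no name)" in line:
        reasons.append("browser helper object registered without a name")
    if section == "O4":
        if re.search(r"\brundll32\.exe\b", line, re.IGNORECASE):
            reasons.append("Run value uses rundll32.exe to load a DLL at startup; review the DLL")
        if re.search(r"\[\{[0-9A-Fa-f-]+\}\]", line):
            reasons.append("Run value named with a bare GUID")
    if section == "O23":
        if "Unknown owner" in line:
            reasons.append("service has no recognised vendor")
        if line.count('"') % 2 == 1:
            reasons.append("unbalanced quotes in service image path")
    if filename:
        known = lookalike_of(filename)
        if known:
            reasons.append(f"{filename} is one character away from system binary {known}")
    return Finding(section, line, path, reasons) if reasons else None


def triage_hjt(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f.section}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run on the sample, ten of the twelve lines come back with at least one reason; the QuickTime and constructed backup-service lines do not. The "file missing" reason is worth acting on even when it looks harmless: the loader entry is the persistence, and the helper in post #10 asks for exactly such an orphaned O20 line to be fixed.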
  8. timzahm

    timzahm Private E-2

    I found one rundll32.exe file, in a Spybot recovery folder. The exact results are attached.

    Continuing with the steps in post #7...
     

    Attached Files:

  9. timzahm

    timzahm Private E-2

    I finished everything listed above. The only quirks were that COM+ Messages was already stopped, so I just disabled it, and when I ran HijackThis the first time,

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    was not in the list. Everything else went according to instructions, and things are at least on their way back to normal if not already there (problems were intermittent before so I'll continue working and let you know if anything happens). I still can't open anything under the Control Panel -- the same error message comes up.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach a copy of that SmitFraudC.zip file here to your next message. I'm not sure why Spybot is deleting rundll32.exe. It is not normally infected.

    Which version of Spybot's Detections files are you running?

    Run HJT and fix the below line:
    O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

    Also delete the below file (use safe mode or use Killbox....whatever is necessary to delete it):
    C:\WINDOWS\system32\ejpboker.dll
     
  11. timzahm

    timzahm Private E-2

    Done and done. Attached is the HijackThis log that it generated right before I fixed the

    O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

    line. Also attached is the zip file you requested. My Spybot's latest detection update was January 5, 2007.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not useful! I only need a log after you fix it to see that it was successfully fixed. You already posted one from before fixing it.

    I scanned the file with 29 malware/virus scanners and they all say it is clean:
    Code:
    STATUS: FINISHED  Complete scanning result of "rundll32.exe"
    received in VirusTotal at 01.11.2007, 18:23:54 (CET).
     
    Antivirus            Version          Update        Result
    AntiVir              7.3.0.21         01.09.2007    no virus found
    Authentium           4.93.8           01.10.2007    no virus found
    Avast                4.7.892.0        12.30.2006    no virus found
    AVG                  386              01.11.2007    no virus found
    BitDefender          7.2              01.11.2007    no virus found
    CAT-QuickHeal        9.00             01.10.2007    no virus found
    ClamAV               devel-20060426   01.11.2007    no virus found
    DrWeb                4.33             01.11.2007    no virus found
    eSafe                7.0.14.0         01.10.2007    no virus found
    eTrust-InoculateIT   23.73.111        01.10.2007    no virus found
    eTrust-Vet           30.3.3319        01.11.2007    no virus found
    Ewido                4.0              01.11.2007    no virus found
    Fortinet             2.82.0.0         01.11.2007    no virus found
    F-Prot               3.16f            01.10.2007    no virus found
    F-Prot4              4.2.1.29         01.10.2007    no virus found
    Ikarus               T3.1.0.27        01.09.2007    no virus found
    Kaspersky            4.0.2.24         01.11.2007    no virus found
    McAfee               4936             01.10.2007    no virus found
    Microsoft            1.1904           01.11.2007    no virus found
    NOD32v2              1971             01.11.2007    no virus found
    Norman               5.80.02          01.10.2007    no virus found
    Panda                9.0.0.4          01.10.2007    no virus found
    Prevx1               V2               01.11.2007    no virus found
    Sophos               4.13.0           01.11.2007    no virus found
    Sunbelt              2.2.907.0        01.05.2007    no virus found
    TheHacker            6.0.3.147        01.11.2007    no virus found
    UNA                  1.83             01.10.2007    no virus found
    VBA32                3.11.2           01.10.2007    no virus found
    VirusBuster          4.3.19:9         01.11.2007    no virus found
    I suggest you run Spybot and click Recovery and locate the Smitraud.C entry and select it and restore it. I still don't know why Spybot would remove this and also don't understand why your system did not immediately restore it since it is a file protected by the operating system. Now look in c:\windows\system32\dllcache for a file named rundll32.exe or a similarly named file and tell me what you find now.

    See if your problems are gone now! Also uninstall those programs I had told you to uninstall back in message # 3 (that includes CounterSpy).
     
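Post #6 has the user search the whole drive for copies of rundll32.exe, and post #12 points at the Windows File Protection cache in system32\dllcache as the trustworthy reference copy. The script below, an added example that is not part of the thread, does the same two steps offline: it walks a directory tree for every file with that name (case-insensitively, hidden and system folders included, since os.walk skips nothing) and reports whether each copy's SHA-256 matches the dllcache copy. The directory layout it builds is a constructed stand-in for a drive (a dllcache copy, an identical Spybot recovery copy and a tampered copy in a temp folder), and the file contents are placeholder bytes, not real binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, filename: str) -> List[Path]:
    """Every file under root whose name matches, case-insensitively (NTFS is case-insensitive)."""
    wanted = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == wanted:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def compare_to_reference(root: Path, filename: str, reference: Path) -> Dict[str, str]:
    """Label each copy found under root against the hash of the reference (dllcache) copy."""
    ref_hash = sha256_of(reference)
    report = {}
    for p in find_copies(root, filename):
        if p == Path(reference):
            continue  # the reference itself is not a candidate
        same = sha256_of(p) == ref_hash
        report[str(p)] = "matches dllcache copy" if same else "DIFFERS from dllcache copy"
    return report


def build_demo_tree() -> Path:
    """Constructed stand-in for C:\\ with placeholder file contents (not real executables)."""
    root = Path(tempfile.mkdtemp())
    good = b"MZ-placeholder-rundll32-good"
    (root / "WINDOWS" / "system32" / "dllcache").mkdir(parents=True)
    (root / "WINDOWS" / "system32" / "dllcache" / "rundll32.exe").write_bytes(good)
    (root / "Spybot" / "Recovery").mkdir(parents=True)
    (root / "Spybot" / "Recovery" / "rundll32.exe").write_bytes(good)  # identical copy
    (root / "Temp").mkdir()
    (root / "Temp" / "RUNDLL32.EXE").write_bytes(b"MZ-placeholder-tampered")  # differs
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    ref = demo_root / "WINDOWS" / "system32" / "dllcache" / "rundll32.exe"
    for path, verdict in compare_to_reference(demo_root, "rundll32.exe", ref).items():
        print(f"{verdict}: {path}")
```

On a real system the reference would be the actual dllcache copy, and a copy that differs from it is the one to treat as suspect, regardless of which folder it sits in; a matching copy is a usable replacement for the deleted file, which is the question the helper was trying to answer.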
  13. timzahm

    timzahm Private E-2

    I restored the item from Spybot, and the run32dll.exe file is in the c:\windows\system32\dllcache folder. I was able to open Add/Remove Programs and uninstall the three programs listed -- but when I clicked on Remove for Outerware, I got the message that it was already deleted and now would be removed from the list.

    After uninstalling everything, I restarted and after Windows loaded I got the following error message:

    Error loading C:\Windows\system32\drvtuc.dll
    The specified module could not be found.

    I clicked OK and then ran Spybot, GetRunKey, ShowNew, and HijackThis. Logs to follow.
     

    Attached Files:

  14. timzahm

    timzahm Private E-2

    Latest HJT log
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay looking better!

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now delete the below remnant folder from CounterSpy:
    C:\Documents and Settings\Tim Hurley\Local Settings\Application Data\Sunbelt Software

    Now reboot!

    How are things working now?
     
  16. timzahm

    timzahm Private E-2

    Much better! I am not getting the popups anymore and IE seems to be running as well as it ever did. Everything works under the Control Panel and after I did the two steps in your last message I rebooted without incident. Thank you very much for your help!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
