Error on Start up

Hi

Last week my daughter's computer was infected with Vundo or Virtumonde. I ran the Vundo removal program and reloaded windows but we are getting an error message in a little window at start up called RUNDLL that says

"Error Loading C:\WINDOWS\System32\htdegpk.dll
The specified module could not be found"

I have now followed all the steps in the Malware Removal Guide, but we are still getting the message.

Please see the attached logs.

Any advice you can offer would be appreciated.

 

Hi bowks!
Welcome to Major Geeks!


Do you know what the following entry belongs to and if it's something you want or not?

O4 - HKLM\..\Run: [general] \\dwnhigh_fs3\general$\start.bat

Please do the following:

1) Go to add/remove programs and uninstall the below:

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6

2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: {77ce2d1f-f83f-a00b-2b24-9ed1b7e2826e} - {e6282e7b-1de9-42b2-b00a-f38ff1d2ec77} - C:\WINDOWS\system32\dsxjosrm.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b48d2cfa] rundll32.exe "C:\WINDOWS\system32\htdegqck.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O20 - Winlogon Notify: ljjhhif - ljjhhif.dll (file missing)

Do the following belong to programs you know or want to keep? If not, please fix them as well.

O4 - HKLM\..\Run: [Windows Messenger Panel] wbcsvc.exe
O4 - HKLM\..\Run: [WarrantyReg] Program Files\Warranty\warranty.exe

After you click fix, just close hijackthis.

4) Download and install Erunt. Use it to create a backup of your registry.

5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

6) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. Also, please let me know if the registry patch (regedit4) gave you a success message.


Let me know how things are running now?

abri

 

Dear Abri

Yay!!! No more stupid start up error.

I can't thankyou enough. You guys rock. I am so happy although I don't know if it is my imagination or not, but the computer seems a little slow. I was thinking of running "How to Protect myself from Malware" tomorrow and that includes a cleanup. But I am so thankful.

attached is the logs your requested.

I'm sorry I really cant remember for sure, but I think I would have noticed if there was an error message when I did the registry patch.

I am so computer illiterate, but this has given me a buzz.

thanks again

 

Hi bowks,

I wanted to ask you about this entry? Any thoughts on that?

O4 - HKLM\..\Run: [general] \\dwnhigh_fs3\general$\start.bat


Avenger did not run properly. Look in Windows Explorer and see if you find the following files:

C:\WINDOWS\SETC9.tmp
C:\WINDOWS\SET110.tmp
C:\WINDOWS\SETD5.tmp
C:\WINDOWS\SET111.tmp
C:\WINDOWS\SETC6.tmp

abri

 

The first entry is something to do with the high school she attends (Darwin High). The computer was originally used for computer classes and connected to their system. Since she no longer uses the computer to school, I combined it with the other entries and deleted it. Hope that was OK.

I couldn't find any folder named SET... under windows in the C Drive

 

Oops! Disregard that last message. I was using my laptop because it is quicker. (Too early in the morning)

I'm checking Phoebe's now.

 

Now I'm on the right computer. I can see
SETC9.tmp
SET110.tmp
SETD5.tmp
SET111.tmp
SETC6.tmp

all there.

 

Hi bowks,
Please delete the tmp files I asked about. Then reboot the computer and see how it is running. If everything seems to be working okay, I would like for you to go ahead with the final cleanup instructions:

abri

 

Its going really well now. I really can't thank you enough.

just one thing though. I have almost completed the "protect your computer from Malware" but I can't Adjust Active X security settings. When I click on the world icon, nothing happens.

Is there any way around that, or is it important?

 

Hi bowks,
Normally when you click on the Security tab, the world icon is highlighted. You don't need to click on it. Is that the case for you? You simply go to the bottom two tabs which are Default Level and Custom Level. Do those buttons work or not?
abri

 

no, both are greyed out.

 

Hi bowks,

Try this: http://windowsxp.mvps.org/ie/secchangesettings.htm

Be sure to back up the registry keys as per the instructions in the link.

abri

 

It is working like a dream.

Thanks very much Abri. Both our laptops are now virusfree and protected.

I learned so much. I'm even going to pull my old laptop out and have a go at getting that functional again.

thanks

Gail

 

Hi bowks,
I'm glad to hear that!
Good luck with your computers and if you have time and like the learning, you might enjoy the other forums as well.
abri