Malware problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by jeff21, Jun 30, 2006.

  1. jeff21

    jeff21 Private E-2

    My PC has, again, become infested with malware. I have followed the instructions and attached my Panda and Bit Defender logs. I would appreciate assistance.

    Thanks

  2. jeff21

    jeff21 Private E-2

    I am also posting the HijackThis log, since the other programs did not solve the problem.

  3. jeff21

    jeff21 Private E-2

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. jeff21

    jeff21 Private E-2

    Attached is the log file.

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You have a load of malware files hiding that we need to remove. These may take a few repetitions to get all of the baddies.

    Have you run a full scan with Ewido? Did you save a log? If not follow the directions in the below link (obviously ignore the download and install steps but make sure you get any updates).

    Running Ewido Anti-Malware

    Uninstall Limewire, most versions contain bundled malware unless you buy Limewire.

    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now make sure viewing of hidden files is enabled (per the READ & RUN ME step 2).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\8eec124a.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\regsvr32.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [8eec124a.exe] C:\WINDOWS\system32\8eec124a.exe
    O4 - HKCU\..\Run: [8eec124a.exe] C:\Documents and Settings\Jeff\Local Settings\Application Data\8eec124a.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Bulk E-Mailer <--- the whole folder
    C:\Documents and Settings\Jeff\Local Settings\Application Data\8eec124a.exe
    C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\ZRF77GD1\bgates[1].exe
    C:\Program Files\Common Files\Yazzle1127OinAdmin.exe
    C:\WINDOWS\system32\wineil32.dll << This file
    C:\WINDOWS\system32\awttqol.dll << This file
    C:\WINDOWS\system32\8eec124a.exe << This file
    C:\WINDOWS\g8509385.dll << This file
    C:\WINDOWS\g6885140.dll << This file
    C:\WINDOWS\g5683232.dll << This file
    C:\WINDOWS\g4121165.dll << This file
    C:\WINDOWS\g34616065.dll << This file
    C:\WINDOWS\g33074358.dll << This file
    C:\WINDOWS\g31867933.dll << This file
    C:\WINDOWS\g30654669.dll << This file
    C:\WINDOWS\g2920349.dll << This file
    C:\WINDOWS\g29030804.dll << This file
    C:\WINDOWS\g27821565.dll << This file
    C:\WINDOWS\g26620468.dll << This file
    C:\WINDOWS\g262908.dll << This file
    C:\WINDOWS\g18189845.dll << This file
    C:\WINDOWS\g1718410.dll << This file
    C:\WINDOWS\g16638314.dll << This file
    C:\WINDOWS\g15440682.dll << This file
    C:\WINDOWS\g14235930.dll << This file
    C:\WINDOWS\g11396056.dll << This file
    C:\WINDOWS\g10193136.dll << This file

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s 4a2a709c8c749ba0d307703f5c04257d_35.exe
    del 4a2a709c8c749ba0d307703f5c04257d_35.exe
    attrib -r -h -s gdnUS2339.exe
    del gdnUS2339.exe
    exit

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have a feeling a couple baddies I had you fix in the previous message are going to come back, so let's continue with the below.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of wineil32.dll once and then click the kill button. After you have killed all of the wineil32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of wineil32.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll

    Note: You may not even see the other O20 line. If not, just continue.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\wineil32.dll
    C:\WINDOWS\system32\awttqol.dll
    C:\WINDOWS\system32\sstuv.dll
    C:\WINDOWS\g142265.dll
    C:\WINDOWS\g165240403.dll
    C:\WINDOWS\g163707759.dll
    C:\WINDOWS\g162505370.dll
    C:\WINDOWS\g161304323.dll
    C:\WINDOWS\g159770467.dll
    C:\WINDOWS\g158569601.dll
    C:\WINDOWS\g157367963.dll
    C:\WINDOWS\g155923716.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.


    Now attach a new HJT log.

    Also run the below procedure and attach the newfiles.txt log.

    Using ShowNew


    Tell me how the steps went and make sure you tell me how things are working now!
     
    Last edited: Jul 1, 2006
  8. jeff21

    jeff21 Private E-2

    Thanks. I've attached the new files.

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message number 6 I requested that you run that procedure with Ewido and then attach the log.

    Did you run it?
    Did you run it before proceeding to message number 7?

    I need the Ewido log. And if you did not run Ewido before doing the steps in message number 7, I need a new ShowNew log.

    Did you even do message number 7 properly? Did you use Killbox to delete those files? It does not look like it because I still see the below in your ShowNew log:

    C:\WINDOWS\SYSTEM32\awttqol.dll
    C:\WINDOWS\SYSTEM32\sstuv.dll
     
  10. jeff21

    jeff21 Private E-2

    I ran ewido yesterday, but could not locate the log file. So, I just ran it again and also ran the shownew program again. The log files are attached. I also ran the KillBox program per instructions yesterday, but I've rebooted the PC a few times since then. Should I run KillBox again?

    Thanks again for your help and sorry for not uploading the ewido file earlier.

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why aren't you allowing Ewido to fix what it is finding? There is no sense running the tools unless you are going to let them fix the problems found. Run it again and make sure you tell it to fix all problems.

    Save the new log and attach it. Also get a NEW ShowNew log afterwards.

    And yes you need to run the procedure with Pocket Killbox again. You did not delete all the files as requested. Only this one ( C:\WINDOWS\SYSTEM32\wineil32.dll ) was removed.
     
  12. jeff21

    jeff21 Private E-2

    Thanks. I ran these again, and the files are attached.

    When I ran Pocket Killbox and tried to reboot after the last entry, I got an error message "registry data cannot be removed by external process". So, I'm not sure if this worked correctly.

    Thanks again

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The procedure I gave you for using Pocket Killbox explicitly said
    Did you reboot immediately as specified??? I still see some of the infected qxxxxxxxx.dll files (where xxxxxxx are random numbers). You should run Killbox again and have it fix the below files which still exist:

    C:\WINDOWS\g1725761.dll
    C:\WINDOWS\g2076495.dll
    C:\WINDOWS\g262908.dll
    C:\WINDOWS\g271590.dll
    C:\WINDOWS\g3701061.dll
    C:\WINDOWS\g5024474.dll
    C:\WINDOWS\g518014.dll
    C:\WINDOWS\g875358.dll
    C:\WINDOWS\SYSTEM32\compst~1.dll
    C:\WINDOWS\SYSTEM32\sstuv.dll
    C:\WINDOWS\SYSTEM32\vutss.ini

    Again if killbox does not reboot or you get that error message, IMMEDIATELY reboot your PC yourself.


    Now let's continue!
    • After reboot Now Run Ewido again
    • Click on the Quarantine Tab
    • Click on Select All and delete all files
    • Reboot your Computer
    In the previous instructions, did you run ShowNew before or after running Ewido? Run Ewido again and this time have it delete any malware it finds. Do not put it in the quarantine.

    After running Ewido, attach the Ewido log and a new ShowNew log.
     
  14. jeff21

    jeff21 Private E-2

    Yes, I did reboot immediately after running Killbox as instructed. When I enter the delete files into Killbox's queue, Killbox does not display these in the dropdown menu. Is it possible that it's not actually queuing these? I will run it again and post results, but I wonder if something is not right here.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normally that only happens if the files do not exist, but your other logs are showing the files. Physically look for the files yourself using Windows Explorer and see what you find. Tell me what you see (unless you already deleted them).

    Also after getting the two new logs, see what is in the logs and if the files I'm asking you to delete still show in the logs, look for them again yourself and see if you actually see them.
     
  16. jeff21

    jeff21 Private E-2

    I did delete the gxxxx.dll files by hand since killbox did not remove them. The only file that I found is C:\WINDOWS\SYSTEM32\sstuv.dll. When I enter it into killbox, killbox seems to recognize that the file exists (the file name is printed in blue on the screen), but it does not appear in the drop down box and it does not seem to delete on reboot. (I also notice a file named comstuic.dll that appears to have the same characteristics as compst~1.dll, but I don't know if they are the same file)

    New log files are attached.

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was it comstuic.dll or compstuic.dll????? If it was compstuic.dll, then it is the same file as compst~1.dll . This compst~1.dll form of the name is what is referred to as a DOS 8.3 format. It is basically an abbreviated form of the filename that fits into the DOS form where only 8 characters can be in the base filename ( the compst~1 part is the base name) and 3 characters can be in the extension ( the dll is the extension).

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of sstuv.dll once and then click the kill button. After you have killed all of the sstuv.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of sstuv.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\compstuic.dll
    C:\WINDOWS\system32\sstuv.dll
    C:\WINDOWS\SYSTEM32\vutss.ini
    C:\WINDOWS\SYSTEM32\vutss.ini2
    C:\WINDOWS\SYSTEM32\vutss.tmp
    C:\WINDOWS\SYSTEM32\vutss.tmp2
    C:\WINDOWS\SYSTEM32\vutss.dat
    C:\WINDOWS\SYSTEM32\vutss.dat2

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log.

    Also download the latest version of ShowNew (it changed since you last downloaded) and run the below procedure and attach the newfiles.txt log.

    Using ShowNew


    Tell me how the steps went and make sure you tell me how things are working now!
     
  18. jeff21

    jeff21 Private E-2

    New files are attached. (When deleting temp files, I unchecked the box to clear my browser cache temp because I had some things I wanted to save in there. If that is absolutely necessary to clear, I will do that too.)

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to answer my questions:

    Now that we have gotten the malware files removed, they are finally showing up in your HJT log. They are inactive but we need to fix them. Run HJT and fix the below lines:

    O2 - BHO: (no name) - {055DCC52-45B0-416B-B492-A17AB3EF34D3} - C:\WINDOWS\system32\sstuv.dll (file missing)
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g262908.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Then attach a new and hopefully final HJT log. (if everything is working okay)
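The lines the expert singles out in messages 6, 7 and 19 follow a few recognisable patterns (an 8-hex-digit .exe, the C:\WINDOWS\g<digits>.dll family, a Winlogon Notify DLL that is not part of the Windows baseline, an autorun pointing at a user temp folder, and orphaned "(file missing)" entries). Below is an added triage script, not code from this thread or from HijackThis, that parses HJT-style O2/O4/O20 lines and reports why each one deserves a look; the sample log is constructed from the lines quoted above, and the Winlogon Notify allow-list is an assumption to be replaced by your own clean baseline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the HJT lines quoted in this thread (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {055DCC52-45B0-416B-B492-A17AB3EF34D3} - C:\WINDOWS\system32\sstuv.dll (file missing)
O4 - HKLM\..\Run: [8eec124a.exe] C:\WINDOWS\system32\8eec124a.exe
O4 - HKCU\..\Run: [8eec124a.exe] C:\Documents and Settings\Jeff\Local Settings\Application Data\8eec124a.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g262908.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - <body>"
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")           # first drive-letter path to end of line
# Assumption: Winlogon Notify DLLs that ship with Windows XP; extend from a known-clean baseline.
KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
RANDOM_DLL = re.compile(r"^g\d{6,9}\.dll$", re.I)  # the C:\WINDOWS\g<digits>.dll family seen here
HEX_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)  # 8eec124a.exe-style names
USER_TEMP = ("local settings\\application data", "temporary internet files", "\\temp\\")


def analyse_line(line: str) -> list[str]:
    """Return the reasons an HJT line deserves a closer look (empty list = nothing flagged)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    missing = "(file missing)" in body
    body = body.replace("(file missing)", "").strip()
    pm = PATH_RE.search(body)
    path = PureWindowsPath(pm.group(0)) if pm else None
    # Bare names (e.g. "crypt32.dll") carry no path; take the text after the last " - ".
    name = path.name.lower() if path else body.rsplit(" - ", 1)[-1].lower()
    reasons = []
    if missing:
        reasons.append("orphaned entry: referenced file no longer exists, fix in HJT")
    if kind == "O20" and name not in KNOWN_NOTIFY:
        reasons.append("Winlogon Notify DLL not in baseline (loads into winlogon.exe)")
    if RANDOM_DLL.match(name):
        reasons.append("randomised g<digits>.dll name in C:\\WINDOWS")
    if HEX_EXE.match(name):
        reasons.append("8-hex-digit executable name")
    if path and any(s in str(path).lower() for s in USER_TEMP):
        reasons.append("autorun launched from a user temp/profile-data folder")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map each flagged HJT line to its reasons; clean lines are left out."""
    return {l: r for l in log.splitlines() if (r := analyse_line(l))}


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, five of the seven lines are flagged; ctfmon.exe and the crypt32.dll notify entry pass, which is the point of keeping a baseline rather than deleting every O20 line.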
     
  20. jeff21

    jeff21 Private E-2

    I did forget to answer your question. I apologize. Yes, the file was compstuic.dll. This is the only question I noticed you asking. If there are others you need for me to answer, please let me know.

    Thanks again
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeated it again in the bold print quote in my last message. I'll repeat it again!
    It is not really written as a question but more as a directive, but I'm questioning how things are working. If you don't tell me, I don't know.

    You also did not attach a new HJT log requested in message number 19.
     
  22. jeff21

    jeff21 Private E-2

    Oh, sorry again. It seems to be working fine. I haven't noticed any problems today.
     
  23. jeff21

    jeff21 Private E-2

    Attached is the new HijackThis file.

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  25. jeff21

    jeff21 Private E-2

    Again, I've been deluged by malware and ask for some advice. I've attached logs from Ewido, Panda and HijackThis.

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This thread is too old to revive and it has nothing to do with your current problems! Please follow ALL of the instructions in the READ & RUN ME FIRST Before Asking for Support sticky thread and attach the 5 or 6 requested logs to a new thread that describes your current problems! Make sure you follow the directions for installing and renaming HijackThis, which you should already have known since this is not your first time here.
     
