RUcrzy trojan won't stay removed

Discussion in 'Malware Help (A Specialist Will Reply)' started by runlittlejimmy, Apr 28, 2007.

  1. runlittlejimmy

    runlittlejimmy Private E-2

    When I run my SuperAntiSpyware scan it finds only two viruses, Trojan.Downloader-MSNETAX (C:\Windows\System32\o.dll) and Trojan.Spam-RUCrzy (C:\CP1041.nls), and every time I click to remove them, within minutes of restarting my computer they come back again.
    It's causing my Internet Explorer to only work at certain times, like when I first restart my computer, for the first 5-10 minutes. I have already removed the o.dll using LSP-Fix.

    Below is my HijackThis scan log. Please HELP

    Edit: removed inline HJT log for guide to be actioned
     
    Last edited by a moderator: Apr 28, 2007
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. runlittlejimmy

    runlittlejimmy Private E-2

    Oh, I'm sorry about that. Here are the two anti-virus scanner results.
     

    Attached Files:

  4. runlittlejimmy

    runlittlejimmy Private E-2

    Here are the two online scanners.
     

    Attached Files:

  5. runlittlejimmy

    runlittlejimmy Private E-2

    And lastly the runkeys, newfiles, and HijackThis results.
     

    Attached Files:

    Last edited: Apr 30, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you been working on this problem at another malware removal forum? If so, why are you now coming here in the middle of working with someone else?

    I see the below which would indicate that you have been working elsewhere:


    C:\_OTMoveIt\MovedFiles\cp1041.nls

    I also see the Pocket Killbox was being used!

    Did they also have you download LSP-fix? It looks like it based on your logs!


    Are you using any programs to control startups? I see many things disabled with MSConfig, but MSConfig appears to be in Normal Startup mode.


    Follow the steps below in the order written!!


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the osfupiqlk.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move osfupiqlk.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    After clicking Fix, exit HJT.



    Download the attached LJFix.zip file to your Desktop and extract the LJFix.bat file from it to your Desktop. Then double click on irishFix.bat to run it. This will create a log file named c:\FixND.txt

    NOTE: After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.

    • Now close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    • After reboot Attach the c:\FixND.txt file here. Then continue on to the below instructions!

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now also uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.1_06
    Java 2 Runtime Environment, SE v1.4.1_07
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 SDK, SE v1.4.1_07E

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment



    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\SYSTEM32\osfupiqlk.dll
    C:\WINDOWS\n_cnzxzg.txt
    C:\_OTMoveIt\MovedFiles\cp1041.nls
    C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     

    Attached Files:

    Last edited: May 1, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you just logged in while I have been working this.

    If you have not noticed, I have been editing and adding to the procedure in message # 6 so please refresh your page and re-read before continuing.
     
  8. runlittlejimmy

    runlittlejimmy Private E-2

    Hey, I would just like to thank you in advance, and yes, I have tried multiple things already to fix my problem but none of them fixed the problem, sorry about this. Well, here's the FixND log. And also I was wondering: I installed CounterSpy and every time I restart the computer this yellow box will appear in the bottom right corner saying "A program not recognized by CounterSpy, Sample LSP installer (totour.exe), is changing a system startup location in the registry." Should I quarantine, allow, or block?
     

    Attached Files:

  9. runlittlejimmy

    runlittlejimmy Private E-2

    Hey, everything went very smoothly, nice communication. Here are the logs; I still have to restart my computer to see how things run.
     

    Attached Files:

  10. runlittlejimmy

    runlittlejimmy Private E-2

    I'll reply back tomorrow though, I'm going to hit the sack now. Thanks for your help.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not work as desired. I'm attaching a new version of LJFix.zip. Extract it like the last time overwriting the previous file. However this time, make sure you boot into safe mode first, and then run the LJFix.bat file. After running it POWER DOWN like before, and then reboot and attach the FixND.txt log here.

    That's part of this malware and I was wondering why it was not showing yet. Quarantine it and if it gives you an option to delete the file, delete it.

    Please keep your PC in Normal Startup mode!! You now appear to be using MSConfig to control startups (i.e. a form of Selective Startup mode). Run MSConfig and select Normal Startup.


    Now attach new logs from GetRunKey and ShowNew.
     

    Attached Files:

  12. runlittlejimmy

    runlittlejimmy Private E-2

    OK, here are the new FixND, GetRunKey, and ShowNew logs. And there's a problem: my local area connection doesn't work anymore. I restarted my computer and my local area connection was disabled, so I clicked to enable it; at first a popup box says "Enabling" for like a sec, but then the text changes to "connection failed!". Is this normal?
    But one good thing I see is that cp1041 is no longer in the explorer.exe threads.
     

    Attached Files:

  13. runlittlejimmy

    runlittlejimmy Private E-2

    I'm just wondering if I should now delete C:\cp1041, hmmm.
     
    Last edited: May 1, 2007
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, this is not normal, but the file we were trying to replace (ndis.sys) was infected and was part of your problem. It was also why you could not get rid of the cp1041.nls file. If ndis.sys had not been replaced properly (and it looks like it was), you would lose connectivity.

    Please attach a current HijackThis log.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When did this happen?
    Does it happen all the time?
    If it is at boot up, try booting in safe mode and tell me what happens.
     
  16. runlittlejimmy

    runlittlejimmy Private E-2

    I can't seem to get it to happen in safe mode at all, but in normal mode it happens when Kaspersky Lab Internet Security 6.0 starts to load in the bottom right tray after I start up the computer.
     
  17. runlittlejimmy

    runlittlejimmy Private E-2

    Well, I just uninstalled Kaspersky Lab and I can at least start up Windows in normal mode for more than 2 minutes. Here's the log.
     

    Attached Files:

  18. runlittlejimmy

    runlittlejimmy Private E-2

    But I instead get a popup box that says "The system has recovered from a serious error.
    A log of this error has been created."

    and two buttons, "Send Error Report" or "Don't Send".

    Well, I gotta go right now and milk cows, but I'll be back in like 2 hours or so. Thanks for your help.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you installing something new right in the middle of our clean up efforts and also that I did not ask you to install?

    Yes you do need an antivirus and a firewall (not a security suite) but I did not ask you to do this.

    Is that HJT log from normal boot mode or safe boot mode?


    Goto Add/Remove programs and uninstall the below:
    Internet Explorer Default Page
    Symantec Network Drivers Update



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll (file missing)
    O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete

    C:\$RJ$.DAT
    C:\cp1041.nls
    C:\delete.bat
    C:\WINDOWS\SYSTEM32\lrw.dll
    C:\WINDOWS\SYSTEM32\tamnjql.dll
    C:\WINDOWS\SYSTEM32\zpbqupo.dll

    Now run Ccleaner

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
    Last edited: May 1, 2007
  20. runlittlejimmy

    runlittlejimmy Private E-2

    Hey, I'm sorry about installing the program, I didn't know it would affect anything and I just wanted to see if I still had pesky viruses. NEVER AGAIN!
    I didn't find either of the two programs in Add or Remove Programs. Is this alright? And I just got done removing things with HijackThis.
     
  21. runlittlejimmy

    runlittlejimmy Private E-2

    Here are the logs. The viruses look to be gone, but I am still unable to enable my local area connection.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you remembering to click Fix Checked with HijackThis? Something is blocking some of our fixes. Let's approach this a little differently.

    First uninstall SuperAntiSpyware and Trojan Hunter since they could possibly be causing us a problem.



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    After reboot, if you are still having problems getting a connection to the internet, please run LSP-Fix and tell me the names of all files you see in the Keep column, and if any are in the Remove column give me those names too.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's look for some more details so we can manually remove them.

    Run this: Getting Uninstall Programs List From The Registry and attach the requested log.
     
  24. runlittlejimmy

    runlittlejimmy Private E-2

    GetUnKeys.txt is attached below.

    Dang, I'm still unable to enable Local Area Connection.

    LSP-Fix by cexx.org - v1.1

    No Problems found

    KEEP

    mswsock.dll Tcpip
    winrnr.dll NTDS
    nwprovau.dll NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
    rsvpsp.dll (Protocol handler)

    Remove
     

    Attached Files:

    Last edited: May 1, 2007
  25. runlittlejimmy

    runlittlejimmy Private E-2

    Oh no, when you click on Search only the dog is sitting there, there's no text or textboxes. :cry My computer is getting worse than it already was. Jeez, my life is just great, we get the files off and to stay off but now are getting punished :(
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing I have had you do has anything to do with this. However installing Kaspersky Security Suite in the middle of all of this and then uninstalling may have caused issues. But I cannot say that for certain.

    I'm still waiting for you to complete ALL of the instructions in message # 22.
     
  27. runlittlejimmy

    runlittlejimmy Private E-2

    Dude, I'm not blaming it on you, hell, you're working hard to try and help me, you're awesome :cool Here are the logs you requested, sorry they're late.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below will remove those two items I asked you to uninstall but you could not find!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow instructions or you had an error! SuperAntiSpyware still shows!


    Did you click Fix checked with HijackThis?

    Did you remember to close ALL browsers before clicking Fix checked?

    Did you run the Reset of web settings step?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you obtained your HijackThis log, why were the below running?
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\notepad.exe
     
  31. runlittlejimmy

    runlittlejimmy Private E-2

    Well, that's weird. I uninstalled it from Add and Remove Programs, I even just checked the list again and it's not there, but I looked and it's still in Program Files. Should I just delete it then?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I will give you steps, but first: did you do message number 28?

    You did not answer my questions in message # 29.

    Also did you see message # 30?


    Is the connection you are having a problem with a wireless connection? If so, do you have a wired connection you can try?
     
  33. runlittlejimmy

    runlittlejimmy Private E-2

    OK, I just deleted SuperAntiSpyware and I guess I do the 3 scans again. I thought you said not to have a browser up, as in a web browser, and I didn't.
     
  34. runlittlejimmy

    runlittlejimmy Private E-2

    Oh my gosh, I'm bad and slow, so sorry. OK, I did what you said in message 28, and in reply to message 29: yes, I did click Fix, and yes, I did have Notepad and cmd open because I had just got done running the newfiles scan.
     
  35. runlittlejimmy

    runlittlejimmy Private E-2

    Gosh, I'm probably the worst guy you ever helped, I'm so sorry. Here are the logs.

    and i did notice that

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    keep coming back after I check and fix them, and this time I had all windows closed.
     

    Attached Files:

  36. runlittlejimmy

    runlittlejimmy Private E-2

    And in reply to the question in post 32: it is a wired connection, and I also found out I'm not the only one with this network problem:
    http://www.techwarelabs.com/community/showthread.php?p=64369

    Do you think installing a new driver would help or not? Heck, you're probably not even helping me anymore, gosh I'm a dumb#*$
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They should all be closed before you run HijackThis!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may or may not help! In the link you referenced, the person deleted ndis.sys, which will definitely cause a problem with connectivity. We did not delete the file; we made a backup of the malware file and then replaced the bad file with a good copy from another folder on your PC.

    Give the below a run first to see what happens:

    XP TCP/IP Repair
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not yet! ;)


    Okay! I needed to know that you were running the fix properly. This probably means that your registry keys have been blanked out.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
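    The HijackThis entries the helpers single out in messages 19, 22 and 39 fall into a few recognizable patterns: R0/R1 entries whose value after the "=" is blank (the cleared registry keys message 39 refers to), entries whose target is tagged "(file missing)", O16 DPF entries with no source URL, and O20 Winlogon Notify DLLs. The Python below is an added example, not something posted in this thread: it parses lines of that shape and returns the ones a helper would put on a Fix list. The sample log is constructed from the entry types quoted above, not taken from the poster's attachments.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, not a log from this thread: one of each HijackThis entry
# type that the helpers told the poster to fix or asked about.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll (file missing)
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Every HJT entry starts with a section code (R0, O4, O16, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would tell the user to Fix or to review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        section, body = match.group("section"), match.group("body")

        if section in ("R0", "R1"):
            # "HKLM\...\Search,SearchAssistant =" with nothing after the "=":
            # the IE value was blanked, so HJT keeps listing it after every Fix.
            _, sep, value = body.partition(" =")
            if sep and not value.strip():
                findings.append(Finding(section, "blank IE registry value", line))
        elif body.endswith("(file missing)"):
            # The registry still points at a DLL/EXE that is no longer on disk
            # (here: a toolbar button left behind by an uninstalled product).
            findings.append(Finding(section, "orphaned entry: target file missing", line))
        elif section == "O16":
            # "DPF: {CLSID} (name) - URL"; a trailing "-" with no URL is an
            # ActiveX download entry that no longer points anywhere.
            _, _, url = body.rpartition(" -")
            if not url.strip():
                findings.append(Finding(section, "orphaned DPF entry: no source URL", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon notification packages are DLLs loaded into winlogon.exe
            # at logon; they always deserve a look, whoever installed them.
            findings.append(Finding(section, "Winlogon Notify DLL; review", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason:40} {f.line}")
```

    Run against the constructed log it reports the two blank R0 search keys, the Kaspersky O9 button with its DLL missing, the Java DPF entry with no URL and the SUPERAntiSpyware Winlogon Notify DLL, and says nothing about the two O4 run entries, which need a human decision (the helpers fix them because they are unneeded autostarts, not because they are malicious).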
     
  40. runlittlejimmy

    runlittlejimmy Private E-2

    :D OK, I ran the TCP/IP reset and then restarted, but still no luck. I have a question: why under Network Adapters in the Device Manager do I have four different adapters? I should really only have one, right? There are:

    Broadcom 440x 10/100 Integrated Controller working fine

    Broadcom 440x 10/100 Integrated Controller -
    Packet Scheduler Miniport not working

    WAN miniport (IP) - Packet Scheduler Miniport not working

    WAN miniport (PPTP) not working
     
  41. runlittlejimmy

    runlittlejimmy Private E-2

    And here are the logs, if you want them, after I completed all your steps, but I have to go to bed at the moment. Thanks again.
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily. These may all be part of your hardware. For example on the PC that I'm on right now, I have only one 10/100/1000 BT interface but three items show under Network Adapter. One is the Gigabit interface and the other two are for two firewire ports.

    Do you have the drivers for your hardware so that they could be reinstalled?
     
    Last edited: May 3, 2007
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's fix a few other things! These will not fix your network connection issue but they need to be done.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    After clicking Fix, exit HJT.

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now locate the below folders and delete them if found:
    C:\Documents and Settings\Deb\Application Data\SUPERAntiSpyware.com
    C:\Documents and Settings\Deb\Application Data\TrojanHunter
    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    C:\Program Files\Kaspersky Lab
    C:\Program Files\SUPERAntiSpyware

    Is the below folder also related to Kaspersky? If so, delete it too.
    C:\KAV

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
  44. runlittlejimmy

    runlittlejimmy Private E-2

    Exactly what drivers are you talking about? I have a driver CD that came with the Dell, or are you talking about the Windows XP driver CD, because I don't have that. I'm going to do what you said in your last post right now.
     
  45. runlittlejimmy

    runlittlejimmy Private E-2

    OK, here's what you asked for. And I also found out that for some reason Control Panel - User Accounts just comes up with a white screen. Am I missing some Windows files, and if so, why, and how do I get them back? I don't have a Windows XP CD. I do have a Windows XP laptop; would it be possible to use those?
     

    Attached Files:

    Last edited: May 2, 2007
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you have a lot more wrong with your PC than just the malware. You could be better off backing up all of your personal data and reinstalling. One other thing that may be of use, is trying to do a System Restore to a date prior to where the infection occurred.


    According to your May 1st logs, you had already downloaded and installed the below:
    Code:
    "C:\Program Files\"
    BROADCOM      May  1 2007              "Broadcom"
    BROADC~1      May  1 2007              "Broadcom Management Programs"
    I guess that means installing new software/drivers did not help.
     
  47. runlittlejimmy

    runlittlejimmy Private E-2

    Nope, no luck with replacing the drivers for the network. So could I just copy the files from my laptop to this computer, replacing them?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What files are you referring to?
     
  49. runlittlejimmy

    runlittlejimmy Private E-2

    As in some of the system32 files, some of the main ones. I checked the versions by typing winver in the Run prompt and they're identical. I don't know, files like ntdll.dll and maybe kernel32.dll.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which ones? And why do you want to overwrite them if they already exist?

    You only need to restore files that are missing or corrupted and that is the reason for sfc and also why you require a CD that matches your installed version of Windows.

    What is the file size and date of the below file on your laptop

    C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys

    Don't tell me the size in Kbytes. Tell me the size in bytes.
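    Message 38 says ndis.sys was not deleted but replaced from a good copy elsewhere on the PC, and message 50 asks for the exact byte size of the laptop's copy to compare against. As an added example, not part of the thread, this Python script does that comparison programmatically: size in bytes plus SHA-256 of a live driver file against a reference copy. On an XP machine the live file would be C:\WINDOWS\system32\drivers\ndis.sys and the reference C:\WINDOWS\system32\dllcache\ndis.sys or the same file from another machine at the same service pack; the demo below builds constructed stand-in files in a temporary directory so it runs anywhere.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Comparison:
    live_size: int
    ref_size: int
    live_sha256: str
    ref_sha256: str

    @property
    def identical(self) -> bool:
        # Size alone (as asked for in the thread) catches a padded or swapped
        # driver; the hash also catches a same-size in-place patch.
        return self.live_size == self.ref_size and self.live_sha256 == self.ref_sha256


def sha256_of(path: str) -> str:
    """Hash a file in chunks so a large driver need not fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_files(live_path: str, ref_path: str) -> Comparison:
    """Exact byte size and SHA-256 of the live file and of the reference copy."""
    return Comparison(
        live_size=os.path.getsize(live_path),
        ref_size=os.path.getsize(ref_path),
        live_sha256=sha256_of(live_path),
        ref_sha256=sha256_of(ref_path),
    )


def demo() -> Tuple[Comparison, Comparison]:
    """Constructed stand-ins for ndis.sys, not real driver files: a reference copy,
    a byte-identical live copy, and a live copy with 64 bytes appended.
    Returns (clean_result, patched_result)."""
    with tempfile.TemporaryDirectory() as workdir:
        ref = os.path.join(workdir, "dllcache_ndis.sys")
        clean_live = os.path.join(workdir, "ndis_clean.sys")
        patched_live = os.path.join(workdir, "ndis_patched.sys")
        good = b"MZ" + b"\x00" * 1022               # constructed 1024-byte "driver"
        with open(ref, "wb") as fh:
            fh.write(good)
        with open(clean_live, "wb") as fh:
            fh.write(good)
        with open(patched_live, "wb") as fh:
            fh.write(good + b"\x90" * 64)            # constructed: tampered copy
        return compare_files(clean_live, ref), compare_files(patched_live, ref)


if __name__ == "__main__":
    for label, result in zip(("clean", "patched"), demo()):
        print(f"{label}: live={result.live_size} bytes, ref={result.ref_size} bytes, "
              f"identical={result.identical}")
```

    Two caveats a practitioner would add. A match against the dllcache copy only proves the two copies agree; if the infection also replaced the cached copy, both are bad, which is why comparing against a second machine (as message 50 does with the laptop) or a hash from install media is stronger. And the reference must come from the same Windows version and service pack, since system file sizes legitimately differ between them; that is the point of insisting on bytes rather than rounded kilobytes.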
     
