Startup error message / spyware

rexer · Oct 24, 2008

Hi there. I have a computer that had a spyware infection and several popups, including a message stating that a .dll is missing. I went through the steps and all appears to be running smoothly with the exception of the error message that the .dll is missing.
In addition to the steps suggested by majorgeeks, I also ran tweaknow registry cleaner to help get rid of the error...but obviously it didn't fix it. I have attached the log files for your review. Thanks.

TimW · Oct 25, 2008

You will have to be much more specific than " a .dll is missing." What is the exact error message?

You are also running two anti-virus programs:
avast! Antivirus
McAfee SecurityCenter
Choose one and uninstall the other!

Also uninstall:
Viewpoint Media Player

Do a search for:
FunWebProducts
Delete each instance of it.

rexer · Oct 27, 2008

Here is the error message...it says moot.exe - Entry Point Not Found. Then, below it is a pretty long message that references (I think) a key logger which is too big to attach as a bitmap. It reads:
"The procedure entry point
?Log@Logger@core@@QBEXABV%basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@@Z
could not be located in the dynamic link library CoreDll.dll."

TimW · Oct 27, 2008

Please re-run both SAS and MWB's, attach those logs, and also attach a new MGLogs.zip from running the C:\MGTools\GetLogs.bat file.

rexer · Oct 27, 2008

Here are the 2 of the logs you requested. SAS burped and I'm rerunning. All other steps you requested have been performed, but ran into some issues with removing some of the funweb files. I am being denied permission. I'm still working on that...

rexer · Oct 28, 2008

Here is the SAS log.

TimW · Oct 28, 2008

I'm not seeing anything in your logs.

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction Here for installation.

Accept the License Agreement.

Once the ActiveX installs,Click Full System Scan

Once the download completes,the scan will begin automatically.

The scan will take some time to finish,so please be patient.

When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply.

rexer · Oct 29, 2008

Here is the report:
Scanning Report
Tuesday, October 28, 2008 13:51:45 - 15:44:40
Computer name: J3YGZB1
Scanning type: Scan system for malware, rootkits
Target: C:\

--------------------------------------------------------------------------------

Result: 2 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Webtrends (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 61748
System: 3706
Not scanned: 84
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
3#

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-10-28
F-Secure Pegasus: 1.20.0, 2008-09-21
F-Secure AVP: 7.0.171, 2008-10-28
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

TimW · Oct 29, 2008

Unfortunately, that only tells me it found two items and didn't remove them.

Did it not report during the scan what it found?

rexer · Oct 29, 2008

TimW said: ↑

Unfortunately, that only tells me it found two items and didn't remove them.

Did it not report during the scan what it found?
Click to expand...

It did mention something...that line that reads

Result: 2 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Webtrends (spyware)
System

But that is it.

TimW · Oct 29, 2008

Yes..but not identified ....one more time, this time with BitDefender:

Now go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

Click-on the Detected Problems tab. Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

rexer · Oct 31, 2008

Tim,
I'm getting you the log. I had to rerun it because of user error. But it reported clean.
However, that pop up that hits me at startup continues. I believe this is the only issue with this computer now is that popup. As indicated earlier, here is the text from it:
"The procedure entry point
?Log@Logger@core@@QBEXABV%basic_string@GU$char_traits@G@std@@V?$allocator@G@2@@std@@@Z could not be located in the dynamic link library CoreDll.dll."
1

rexer · Oct 31, 2008

Okay, I thought I had done something wrong. It turns out when I run BD that I am unable to generate a log into anything but an html document. But the log reads clean anyway with 0 infected files.
So, I guess all we need to do is work on that startup error message and we'll be done.

TimW · Oct 31, 2008

Please download and install Startup Manager

Tell me what all is in your startup list.

You can also view your startups using CCleaner.

rexer · Nov 1, 2008

I see no way to copy the list as it is html. I reviewed the startup items and none of them reference the error message that pops up. There are a number of items that all APPEAR legit and functional. CCCleaner didn't list it either. When I look at my startup items with msconfig, I don't see it either. I really don't know where this is coming from. Thanks for helping me with this. I don't know what to do.

chaslang · Nov 1, 2008

This message you are getting is not a malware problem. I would say it is more than likely an issue with "Musicmatch Jukebox" that you have installed. If you don't use this software that Dell preinstalled then uninstall it. If you do use it, then just stop loading all the junk from it at startup. You can disable these ( and a couple other unneeded startups ) with the below.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"RealTray"=-
"QuickTime Task"=-
"MimBoot"=-
"MMTray"=-
"mmtask"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

rexer · Nov 4, 2008

Chaslang and Tim,
That last step corrected the last problem we were having. This computer had a virus which had affected Windows, and when we removed the virus that error at startup occurred.
Thank you for everything gentlemen!!!!

TimW · Nov 4, 2008

You are most welcome.....we can now clean up from the scans:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Log in or Sign up

Startup error message / spyware

rexer Private E-2

Attached Files:

combofix.txt

mbam-log-2008-10-22 (16-43-08).txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

rexer Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

rexer Private E-2

Attached Files:

MGlogs.zip

mbam-log-2008-10-27 (18-50-50).txt

rexer Private E-2

Attached Files:

SUPERAntiSpyware Scan Log - 10-27-2008 - 20-02-23.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

rexer Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

rexer Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

rexer Private E-2

rexer Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

rexer Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rexer Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member