ulwindowseek, dodgy win temp files, dialer help!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Xun, Jun 13, 2006.

  1. Xun

    Xun Private E-2

    Whenever I browse the internet now, I always get those two popups ulwindowseek and ulwindowurl, and Norton mentions Universa application.

    I think there are some trojans on my system too as loads of win##.tmp and win##.tmp.exe files keep on trying to contact other computers, and also there is this dialer Dialer.Dialplatform thing which is also alerted by Norton. Norton says that there are over 2000 infections for the dialer, but I can't get rid of any.

    I have already tried to follow the "READ & RUN ME FIRST Before Asking for Support" by chaslang, but it hasn't stopped any.

    I have attached my Bitdefender, pandascan and HiJack This! log files, so please help!!!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Do you plan on keeping AOL's antispyware software installed and running?

    Okay, let's start fixing your malware problems.

    First let's download two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winmfu32.dll once and then click the kill button. After you have killed all of the winmfu32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winmfu32.dll and kill it. (If you do not find the dll, just continue on.)


    Now locate the below process in Process Explorer and right click on it and select Kill Process:
    C:\WINDOWS\system32\e1cc0ed8.exe

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [e1cc0ed8.exe] C:\WINDOWS\system32\e1cc0ed8.exe
    O4 - HKCU\..\Run: [e1cc0ed8.exe] C:\Documents and Settings\Xun Luo\Local Settings\Application Data\e1cc0ed8.exe
    O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\Documents and Settings\Xun Luo\Local Settings\Application Data\e1cc0ed8.exe
    C:\Documents and Settings\Xun Luo\Local Settings\Temporary Internet Files\Content.IE5\13WY2ZSF\srvvgx[1].exe
    C:\Documents and Settings\Xun Luo\Local Settings\Temporary Internet Files\Content.IE5\PT5177G8\srvmih[1].exe
    C:\Documents and Settings\Yi Luo\Local Settings\Application Data\e1cc0ed8.exe
    C:\WINDOWS\system32\e1cc0ed8.exe
    C:\WINDOWS\system32\oins.exe
    C:\WINDOWS\system32\winmfu32.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot don't run anything else until you do the below.

    Locate the below with Windows Explorer and delete them (most of them should already be gone but we need to double check)
    C:\Documents and Settings\Xun Luo\Local Settings\Application Data\e1cc0ed8.exe
    C:\Documents and Settings\Xun Luo\Local Settings\Temporary Internet Files\Content.IE5\13WY2ZSF\srvvgx[1].exe
    C:\Documents and Settings\Xun Luo\Local Settings\Temporary Internet Files\Content.IE5\PT5177G8\srvmih[1].exe
    C:\Documents and Settings\Yi Luo\Local Settings\Application Data\e1cc0ed8.exe
    C:\WINDOWS\system32\e1cc0ed8.exe
    C:\WINDOWS\system32\oins.exe
    C:\WINDOWS\system32\winmfu32.dll

    Now attach a new HJT log here in your next message and tell me how the steps went.

    Also make sure you tell me how things are working now!
     
    Last edited: Jun 14, 2006
  3. Xun

    Xun Private E-2

    Thanks.

    I did all your instructions, but I'm not sure if absolutely everything has gone - nothing's happened yet, but I want to make sure my system is thoroughly clean.

    Here is the HiJack This! log.
     


  4. Xun

    Xun Private E-2

    Oh, and I'm not sure whether the AOL program should be there - I don't have anything to do with AOL. It hasn't really helped me that much, anyway.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not use AOL, look in Add/Remove programs and uninstall anything you find related to AOL. Let me know what you find.

    Have HJT fix the below line again!
    O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)


    Is everything still working OK?
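
The autostart lines selected for fixing in the two replies above (the O4 Run entries, the O20 Winlogon Notify entry and its later "(file missing)" form) share traits that can be checked mechanically. The Python sketch below is an added example, not part of the thread or of HijackThis; its three triage heuristics and the `ExampleUpdater` entry are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the O4/O20 lines quoted in the thread, plus one constructed
# benign entry (ExampleUpdater is hypothetical) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [e1cc0ed8.exe] C:\WINDOWS\system32\e1cc0ed8.exe
O4 - HKCU\..\Run: [e1cc0ed8.exe] C:\Documents and Settings\Xun Luo\Local Settings\Application Data\e1cc0ed8.exe
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)  # assumed heuristic, not a verdict


def triage(log_text):
    """Return (line, [reasons]) for autostart entries worth a manual look."""
    findings, entries, hives_by_file = [], [], defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            fname = m["path"].strip('"').rsplit("\\", 1)[-1].lower()
            hives_by_file[fname].add(m[1])  # remember which hives start this file
            entries.append((line, m, fname))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = ["Winlogon Notify DLL (loaded into winlogon.exe)"]
            if m["missing"]:
                reasons.append("orphaned entry: file missing")
            findings.append((line, reasons))
    # Second pass: O4 checks need the complete hive map built above.
    for line, m, fname in entries:
        reasons = []
        if HEX_NAME.match(fname):
            reasons.append("8-hex-digit executable name")
        if len(hives_by_file[fname]) > 1:
            reasons.append("same file name in HKLM and HKCU Run")
        if "\\application data\\" in m["path"].lower():
            reasons.append("runs from a user profile data folder")
        if reasons:
            findings.append((line, reasons))
    return findings
```

`triage(SAMPLE_LOG)` returns the four entries from the thread with their reasons and leaves the constructed benign entry out; a flagged line is a prompt for manual review, not proof of infection.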
     
  6. Xun

    Xun Private E-2

    I think everything is working OK, but maybe the ulWindowSeek windows come back sometimes, not often. Thanks so far!

    Here is my HiJack This! log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please be more clear in your messages! Are you or are you not having problems anymore?

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  8. Xun

    Xun Private E-2

    Sorry, no popups have happened, ok.

    Thanks for your help, I'll post more if I get any more problems (not that I should!)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
