Welcome to Geeks to Go - Register now for FREE

After malware removal 30 min start up time & run.DLL error


This topic is locked

#16 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

Thanks for the detailed explanation.

That gives me a better idea of where to look now.

I'd like to get a look at the MBAM logs in which files have been detected, and removed. (So starting from this past Friday when it removed a bunch of infected files)

You can access these logs by doing the following:

Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Logs tab
  • Click on the latest log. The bottom most log is the latest
  • Click Open
  • Notepad will open. Please post this log in your next reply.

  • 0

#17 amy elizabeth (Topic Starter, Member, 19 posts)

Here are my MBAM logs, the three on Friday that found infected files & the quick scan I ran Saturday morning that found nothing as well as the full scan I ran Saturday morning that found 1 infected registry key. Since then I've updated Malwarebytes a few times and rescanned but all scans have been clean.

Friday 1st scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5104

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/12/2010 10:46:11 PM
mbam-log-2010-11-12 (22-46-11).txt

Scan type: Quick scan
Objects scanned: 145966
Time elapsed: 12 minute(s), 16 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 8
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\Documents and Settings\Amy Grace\Application Data\hotfix.exe (Rogue.FakeAV) -> Unloaded process successfully.
C:\WINDOWS\Llupib.exe (Trojan.FraudPack) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kq9xb.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\sshnas21.dll (Trojan.FraudPack) -> Delete on reboot.
C:\WINDOWS\wowuwmg.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\g9zlcwyy.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.FraudPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\U36VRSFLG6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrododegexino (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+mv0ndvdcxl (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+mv0ndvdcxl (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{bdb44a50-a3e5-6774-68db-7c0e1621c45c} (Spyware.Passwords.XGen) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnulqoxrqie (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u36vrsflg6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnulqoxrqie (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kq9xb.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\sshnas21.dll (Trojan.FraudPack) -> Delete on reboot.
C:\Documents and Settings\Amy Grace\Application Data\hotfix.exe (Rogue.FakeAV) -> Quarantined and deleted successfully.
C:\WINDOWS\Llupib.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\WINDOWS\wowuwmg.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\g9zlcwyy.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Amy Grace\Application Data\Ilgy\adud.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\WINDOWS\Llupia.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

++++++++++++++++++++++++++

Friday 2nd scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5104

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/12/2010 11:38:03 PM
mbam-log-2010-11-12 (23-38-03).txt

Scan type: Quick scan
Objects scanned: 143989
Time elapsed: 16 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnafidi (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{bdb44a50-a3e5-6774-68db-7c0e1621c45c} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+mv0ndvdcxl (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\evonoces.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

+++++++++++++++++++++++++

Friday 3rd scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5104

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/13/2010 4:41:41 AM
mbam-log-2010-11-13 (04-41-41).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 260096
Time elapsed: 2 hour(s), 10 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\WSTB\ver64b.exe (Adware.BHO) -> Quarantined and deleted successfully.

++++++++++++++++++++++++++

Saturday quick scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5104

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/13/2010 10:16:16 AM
mbam-log-2010-11-13 (10-16-16).txt

Scan type: Quick scan
Objects scanned: 145618
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

++++++++++++++++++++++++++++++++

Saturday full scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5107

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/13/2010 11:32:52 AM
mbam-log-2010-11-13 (11-32-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 262275
Time elapsed: 1 hour(s), 13 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b1ba20c1-a503-59bd-f413-03b53a2c8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0
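To make logs like the five above easier to triage, here is an added Python example; it is not part of the thread and not Malwarebytes' own tooling. It assumes only the layout posted above (a summary block of "Section Infected: n" lines, then one "Section Infected:" header per section with "item (family) -> action." lines), and the sample log embedded in it is constructed with placeholder names. It checks that the summary counts agree with the entries actually listed, separates the items still marked "Delete on reboot" (those are still on disk and in the registry until the machine restarts), and flags detections that sit in autostart locations such as Run keys, Winlogon\shell, Browser Helper Objects and scheduled tasks, which are the places worth re-checking once the reboot has completed.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread (not the thread's own content, not Malwarebytes'
tooling). It assumes only the layout posted above: "<Section> Infected: <n>"
summary lines, then one "<Section> Infected:" header per section followed by
"<item> (<family>) -> <action>." detection lines.
"""
import re
from collections import defaultdict

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # "Files Infected: 12"
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")  # "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")

# Autostart locations (lower-cased substrings). A detection here means the malware
# had a persistence mechanism, so re-check these after the reboot that finishes removal.
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "winlogon\\shell", "browser helper objects",
                       "sharedtaskscheduler", "\\services\\", "\\tasks\\")


def parse_mbam_log(text):
    """Return {"summary": {section: count}, "sections": {section: [entry dicts]}}."""
    summary, sections, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            continue
        if current is None or line.startswith("(No malicious items"):
            continue  # scan metadata before the first section, or an empty section
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append({"item": m["item"], "family": m["family"], "action": m["action"]})
    return {"summary": summary, "sections": dict(sections)}


def count_mismatches(parsed):
    """{section: (claimed, listed)} where the summary disagrees with the entries;
    anything here means the pasted log is truncated or was edited."""
    listed = {s: len(e) for s, e in parsed["sections"].items()}
    return {s: (n, listed.get(s, 0)) for s, n in parsed["summary"].items()
            if n != listed.get(s, 0)}


def pending_reboot(parsed):
    """Items MBAM could not remove immediately; they stay in place until the reboot."""
    return sorted({e["item"] for entries in parsed["sections"].values()
                   for e in entries if e["action"].lower() == "delete on reboot"})


def persistence_entries(parsed):
    """Detections that sit in an autostart location."""
    return [e for entries in parsed["sections"].values() for e in entries
            if any(mark in e["item"].lower() for mark in PERSISTENCE_MARKERS)]


# Constructed sample in the posted layout (placeholder names, not real detections).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\User\Application Data\example.exe (Rogue.FakeAV) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\examplerun (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\User\Application Data\example.exe (Rogue.FakeAV) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{00000000-0000-0000-0000-000000000001}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("summary/entry mismatches:", count_mismatches(parsed) or "none")
    print("still pending reboot:", pending_reboot(parsed))
    print("autostart locations hit:", [e["item"] for e in persistence_entries(parsed)])
```

Run it as a script for a report on the constructed sample, or pass the text of a real mbam-log-*.txt file to parse_mbam_log. The Friday logs above show the pattern the parser separates: the DLLs listed as "Delete on reboot" under Memory Modules appear again under Files Infected, which is why the clean follow-up scans after restarting are the real confirmation that the removal completed.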

#18 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

Please do the following as well:

Run System File Checker

Make sure you have your XP Disc handy


The System File Checker (Sfc.exe) utility is used for scanning protected operating system files to verify their version and integrity. If System File Checker detects any operating system file with the incorrect file version, it replaces the corrupted file with a file that has the correct version from the Windows installation source files.

To use System File Checker, follow these steps:
  • Click Start, click Run, type cmd.exe, and then click OK.
  • At the command prompt, type sfc /purgecache, and then press ENTER.
    Note: You may be prompted to provide Windows installation source files when you run the sfc /purgecache command. If the command is completed successfully, you will receive the following message:
    Windows File Protection successfully made the requested change.
  • At the command prompt, type sfc /scannow, and then press ENTER.
    Note: This command may take several minutes to finish. You may also be prompted to provide Windows installation source files when you run the sfc /scannow command.
  • At the command prompt, type exit, and then press ENTER to close the command prompt.

  • 0

#19 amy elizabeth (Topic Starter, Member, 19 posts)

Well, I have the XP disc, but I don't think I have a way to run it on my computer. My computer is actually an ASUS EeePC netbook & does not have any sort of internal disk drives. I do have an external CD drive, but it hooks up to my computer via a USB connection and right now none of my USB ports seem to be working. Should I run the scan anyway, or would it be fairly pointless without the disc to replace the corrupted files?
  • 0

#20 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Try to run the scan anyways.
  • 0

#21 amy elizabeth (Topic Starter, Member, 19 posts)

Tried to run the scan, but it wants me to insert the XP disc. Any ideas?
  • 0

#22 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Did you try to run this command as well?


At the command prompt, type sfc /scannow, and then press ENTER.
  • 0

#23 amy elizabeth (Topic Starter, Member, 19 posts)

The sfc /scannow one is the one that I need the disc for. The sfc /purgecache ran fine.
  • 0

#24 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

I need for you to search for a directory on your computer.

I need for you to see if a folder named i386 exist on your system.

Do you know how to perform a search with Windows XP or would you like me to provide you with instructions for doing so?
  • 0

#25 amy elizabeth (Topic Starter, Member, 19 posts)

It seems I have a lot of folders named i386, 37 of them actually. I also have 5 system files with i386 in the name & 1 application extension with i386 in the name.
  • 0

#26 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :folderfind
    *i386*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
  • 0

#27 amy elizabeth (Topic Starter, Member, 19 posts)

SystemLook 04.09.10 by jpshortstuff
Log created at 18:51 on 16/11/2010 by Amy Grace
Administrator - Elevation successful

========== folderfind ==========

Searching for "*i386*"
C:\5cdf5b2e30b271e8ad5053473a\i386 d------ [02:08 26/09/2009]
C:\desktop drive\Program Files\Java\j2re1.4.2\lib\i386 d------ [04:12 18/10/2009]
C:\desktop drive\WINDOWS\I386 d------ [04:18 18/10/2009]
C:\desktop drive\WINDOWS\Driver Cache\i386 d------ [04:20 18/10/2009]
C:\desktop drive\WINDOWS\ServicePackFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\desktop drive\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386 d------ [04:15 18/10/2009]
C:\laptop drive 2\Program Files\Java\jre1.5.0\lib\i386 d------ [21:24 17/10/2009]
C:\Lexmark\lxk2400\drivers\scan\i386 d------ [16:06 11/08/2009]
C:\Lexmark\lxk2400\drivers\WIN_XP2K\i386 d------ [16:06 11/08/2009]
C:\Program Files\Java\jre6\lib\i386 d------ [04:58 15/11/2010]
C:\Program Files\Lexmark 2400 Series\Drivers\I386 d------ [16:07 11/08/2009]
C:\WINDOWS\I386 d------ [00:50 12/09/2008]
C:\WINDOWS\Driver Cache\i386 d------ [15:44 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386 d------ [08:26 18/08/2008]
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386 d------ [20:27 30/10/2008]
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386 d------ [20:35 30/10/2008]
C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386 d------ [02:36 04/11/2008]
C:\WINDOWS\system32\spool\XPSEP\i386 d------ [02:08 26/09/2009]
C:\WINDOWS\system32\spool\XPSEP\i386\i386 d------ [02:08 26/09/2009]

-= EOF =-
  • 0

#28 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

Thank you for providing me with that log.

I need to do some additional research on things, and will not have new instructions for you until tomorrow, after I've had a chance to look into it a little more.
  • 0

#29 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,

Apologies for the delay; I had overlooked this thread.

Registry Export
I need some more information on a key in your registry. Please do the following:
Press Start => Run, Copy/Paste the command below into the run dialog box and press Ok:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath" "%userprofile%\desktop\look.txt"

You should see a new file on your Desktop named look.txt. Please double click on the file to open it, and then post the contents of look.txt in this thread.



When you tried to run SFC what was the exact error message you were receiving?
  • 0

#30 amy elizabeth (Topic Starter, Member, 19 posts)

Hi!

Thanks for getting back to me. I've actually been busy with work for the past several days, so the delay in your reply wasn't a problem.

I copied & pasted the command you gave me:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath" "%userprofile%\desktop\look.txt"

and clicked "OK", but no look.txt file has appeared. It has been nearly half an hour...did it not work, or am I just being too impatient?

When I try to run sfc /scannow I don't get an error message, it just wants me to insert the XP disk, which I am unable to do because I don't have an internal CD drive. I have tried using an external drive (which I have used with my computer in the past & not had a problem with), however my computer keeps giving me an error message. When I go to Device Manager & click on Properties for that drive it gives me this in the Device Status window: Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41). I have tried uninstalling & reinstalling it, but to no avail, every time I try to reinstall it it says "A problem occurred during installation & your new hardware may not work properly". The drive is old & it has been a while since I've used it, so it is entirely possible that the drive itself is faulty. I'm borrowing a DVD/CDROM drive from a friend tomorrow in hopes that I will be able to actually run the XP disk & complete the sfc /scannow scan.
  • 0





