Spyware Problems

Status
Not open for further replies.

plague27

Posts: 9   +0
Hello guys, I am having the exact same problems, and I am going to go out on a limb and assume that that file you cannot delete is in fact bad. I have a file that is located in the EXACT same spots and runs as a process and will not delete. It showed up after I got spyfalcon, quake, virtumonde, dialer.platform, 3 other dialers, 5 trojans, and a computer that will no longer boot anywhere other than safe mode without having a bsod. To can this in a nutshell, it is bad. I am now dealing with the tail end of what the original poster has been dealing with. Slow performance (well, since last night, until I started getting bsods every time windows security told me automatic updates are disabled). I know I am making this long winded, but this is the 4th day of nonstop hunting I have been doing. My file is called 5c19c1d2.exe, it seems that it is a random file that constantly perpetuates itself. The smitfraud program will not run all the way, it crashes on the registry fix to the desktop. The bsod is specifically saying page fault in non page area and then does a memory dump and reboots - indefinitely. I cannot go anywhere other than safe mode and am on a different laptop now. I will get the hijack log shortly.
I don't want to hijack this thread, but I got the exact same thing he did, only instead of having better performance after following ALL of the above steps, I can't boot.

Here is the hijack in the attachment......and thanks for any and all help that you may offer...anyone.
 
Ok, I got the machine to boot, if I close my lid before the security popup shows up, the computer suspends, continues loading, and doesn't crash. So now to find out wtf is wrong with it. Basically what I have left to deal with is zonealarm is told not to, but still shows strange incoming connection blocks. It looks like someone is trying specifically to screw with me, and feels like it too. Why would someone make something like this? How...seriously, how messed up does someone have to be to create something like this? I just don't understand. Anyway, I am clicking refresh every 5 seconds on here....this is really, really bothering me because it is the first time I have ever been hit by a virus that wasn't fixed in about 20 minutes and a reboot.

*Edit* Nevermind, the second I connected to get on windows update and get the fix for this s.o.b. it crashed again. I am at my wits end.

*Edit v2* Also, is there supposed to be six instances of svchost running at one time? There are only 2 in safe mode....
 
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\compstuic.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\system32\wucrtupd.dll

O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1838562.dll

O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\wucrtupd.dll

C:\WINDOWS\g1838562.dll

C:\WINDOWS\SYSTEM32\winzzc32.dll

C:\WINDOWS\compstuic.dll

Once your system has rebooted, turn system restore back on and post a fresh HJT log.

Regards Howard :wave: :wave:
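The fix list above is built from the auto-load entries in a HijackThis log: R1 lines are Internet Explorer start/search values, O2 lines are Browser Helper Objects, and O20 lines are DLLs loaded via AppInit_DLLs or Winlogon Notify, which is why Howard wants those four DLL paths removed on reboot. The following is an added example, not code from HijackThis or from anyone in this thread: a small Python parser that reads HJT-style lines (the sample input is the exact entries quoted above), extracts CLSIDs and file paths, tags the persistence mechanisms, and lists which DLL files an entry still points at versus which entries are already dangling. The flag names (`appinit-persistence`, `dangling`, and so on) are my own labels, not HJT terminology.

```python
"""Triage HijackThis (HJT) log lines: classify each entry, pull out the CLSID
and file path, and list the DLLs behind auto-load persistence entries."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the HJT entries quoted in the thread above (not constructed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\compstuic.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wucrtupd.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1838562.dll
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path ending in a loadable module; lazy match tolerates spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                      # HJT section, e.g. "R1", "O2", "O20"
    body: str                      # text after "<kind> - "
    clsid: Optional[str] = None
    path: Optional[str] = None
    file_missing: bool = False     # HJT printed "(no file)" / "(file missing)"
    flags: List[str] = field(default_factory=list)   # my own triage labels


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind=kind, body=body)
    c = CLSID_RE.search(body)
    if c:
        e.clsid = c.group(0)
    p = PATH_RE.search(body)
    if p:
        e.path = p.group(0)
    # The last " - " separated field is where HJT reports the file reference.
    tail = body.rsplit(" - ", 1)[-1]
    e.file_missing = tail == "(no file)" or tail.endswith("(file missing)")
    if kind.startswith("R"):
        e.flags.append("ie-setting")          # start/search page values
    if kind == "O2":
        e.flags.append("bho")                 # Browser Helper Object, loaded into IE
    if kind == "O3":
        e.flags.append("toolbar")
    if kind == "O20":
        if body.startswith("AppInit_DLLs"):
            e.flags.append("appinit-persistence")   # loaded into every user32 process
        elif body.startswith("Winlogon Notify"):
            e.flags.append("winlogon-notify-persistence")  # loaded by winlogon at logon
    if "(no name)" in body:
        e.flags.append("unnamed")
    if e.file_missing:
        e.flags.append("dangling")            # registry entry left behind, file gone
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def persistence_dll_paths(entries: List[Entry]) -> List[str]:
    """Files behind AppInit_DLLs, Winlogon Notify and BHO entries that still
    exist on disk according to HJT: the targets for delete-on-reboot."""
    wanted = {"appinit-persistence", "winlogon-notify-persistence", "bho"}
    return [e.path for e in entries
            if e.path and not e.file_missing and wanted.intersection(e.flags)]


def dangling_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is already gone; only the registry value needs fixing."""
    return [e for e in entries if e.file_missing]


def report(entries: List[Entry]) -> List[str]:
    """One summary line per entry: kind, flags, and the path, CLSID or body."""
    return [f"{e.kind:<4} {(','.join(e.flags) or '-'):<30} {e.path or e.clsid or e.body}"
            for e in entries]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("\n".join(report(ents)))
    print("\nDLLs to remove on reboot:")
    for path in persistence_dll_paths(ents):
        print("  ", path)
```

Run against the sample, the script reports the four DLL paths Howard listed for Killbox and marks the O3 toolbar and O9 FlashGet entries as dangling, which is why those two only need their registry entries fixed in HJT and no file deletion.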
 
Thanks for the warm welcome Howard. I really appreciate your help in the matter. I followed your directions and ended up with this HJT file. The winlogon entry looks suspicious because that wasn't there before I believe....
 
Delete the following bold file.

C:\DOCUME~1\Jason\LOCALS~1\Temp\RtkBtMnt.EXE

Your remaining 020 winlogon entry is safe.

Post a fresh HJT log.

Regards Howard :)
 
I believe the rtk file is for my realtek audio drivers...I may be wrong though. Should I still delete it?
 
Your HJT log is clean.

The C:\DOCUME~1\Jason\LOCALS~1\Temp\RtkBtMnt.EXE file is still in your HJT log.

You`ll probably need to do the following, in order to find it.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

I'm not saying the file is nasty, just that I'm a little surprised at where it's located.

Regards Howard :)
 
It isn't showing up in Hijack though, I can't delete it... Do I need to manually look for it or should I killbox it?
 
It is showing up in HJT, under the list of running processes.

You should be able to browse to its location.

C:\DOCUME~1\Jason\LOCALS~1\Temp\RtkBtMnt.EXE

The above location is actually C:\Documents and settings\Jason\local settings\temp

However, you may need to turn on show all files etc in order to see it.

Don't use killbox to delete it.

Regards Howard :)
 
When I navigated to it it said it is the Realtek Audio HD rerouter from Realtek Semiconductor corp. and that it was modified at 12:51PM...approximately the time I installed my driver update. It is safe to clear everything in the temp folder though, correct? Should I just clear out the folder entirely? That seems to be where a lot of viruses resided in the past....
 
Ok...I am beginning to think it is not all fixed. You see, before the "incident" my laptop idled with about 140 something megs of memory usage....it idles at 240 now. That is out of 460 (512 but lose a bit to integrated gpu). The processes LOOK fine...other than svchost chugging at over 35 megs of memory....odd. Any ideas? Norton says I have two dialers but the files don't exist where norton says they do....Oh well. All your help has been amazing and I am ever grateful to all that you have done. Thank you Howard.
 
Post a fresh HJT log and I'll see what you can lose in order to speed up your system.

One thing you could definitely do, is to get rid of that Symantec/Norton crapware. It's a real resource hog.

The free AVG antivirus programme and the free Zonealarm firewall are very good.

You can get them HERE. and HERE.

Regards Howard :)
 