Strange error messages, ultra-slow PC, possible virus/spyware/malware problem

Discussion in 'Virus and Malware Removal' started by Timtrash, Feb 29, 2008.

  1. Timtrash Newcomer, in training Posts: 40

    Hi

    I am a newcomer to Techspot but after having a good look around other posts I wondered if someone could help me with a PC problem I haven't experienced before. If it helps, I'm using a Dell Dimension 3000 desktop. The service tag has "JND5T1J" on it. There is also a yellow sticker on there which says "Windows XP Home Edition U7670"

    My problem is that I have started to receive some pretty strange error messages shortly after startup and whilst using the computer. This all started a couple of weeks ago and since then my PC has been extremely slow. Sometimes I can't even start up properly - after the logon screen Windows often freezes at my screensaver and my shortcuts don't even appear. On the occasions that it does start up OK, some shortcuts often don't work at all and the internet takes an age to even come up. In addition, two desktop shortcuts for programs which I have never downloaded have appeared - one is Windows Updater, the other I am afraid I cannot remember at this moment.

    At the foot of this post I have provided details of the error messages I am commonly getting. I assumed that my PC was suffering from virus/spyware/malware and had a good look at the guidance provided by Julio in the thread entitled "Viruses/Spyware/Malware, preliminary removal instructions". I have run Windows Defender, Spybot Search and Destroy and Ad Aware and deleted loads of infections which were found. When the problems persisted, I started following the instructions at the above link to the letter, from the beginning. This included using TrendMicro's Housecall, Hijack This, CClean etc.

    However, I am now getting further and further into unknown territory and am fearful of doing further damage to my operating system. I wondered if anyone with more knowledge could guide me through how to tackle this problem once and for all. As much as I am enjoying learning and trying to proudly fix it myself, my inexperience could prove to be my downfall.

    The error messages I am experiencing are:

    (After startup) During a scan of files at system startup, potential errors in the system registry were found. p-07-0100 irql: 1f SYSVER 0xff00024 NT_Kernel error 1256 KMODE_EXCEPTION_NOT_HANDLED

    (While shutting down) Access violation at address 694C5405. Read of address 694C5405

    (Randomly while on the web) RUNDLL Error loading C:WINDOWS\system32\jatarwkf.dll The specified module could not be found.

    If anyone can assist I would be very grateful indeed. Many thanks for taking the time to read my post.
  2. kritius TechSpot Guru Posts: 2,087

    If you follow all the steps and then post the logs it will be easier to diagnose the problems that you are having. What step are you up to now?
  3. Timtrash Newcomer, in training Posts: 40

    Hi, thanks for the reply.

    I had major problems with step 4 (Housecall). I could get as far as identifying all the infections, but whenever I hit "Clean now" it just sat there with that screen for more than 24 hours and nothing happened. I tried it several times but it didn't progress beyond that screen. In the end I moved on with the other steps (as per the instructions) and got as far as step 10. I downloaded and ran "Tool 1" but it said it couldn't run. Then my PC froze. I have managed to shut down from Control Panel and start up again, but trying to do anything on the web takes an age. Should I start the whole thing from step 1 again, or should I be able to continue from where I left off? Also, if Tool 1 won't work should I ignore that and move on? I'm a little stuck. I anticipated following the 15 steps would take a few hours, but it has taken me more than a week to get this far - is that normal, do you know?

    Thanks
    tim
  4. kritius TechSpot Guru Posts: 2,087

    Ok then, try this one for now

    http://www.bitdefender.com/scan8/ie.html

    If that doesn't work then move on. For now, if it's just TOOL 1 that doesn't work then use the other two and continue on.

    A week seems a bit excessive for completing this but hopefully it will be worth it to get the system clean.

    EDIT: When cleaning after using TOOL 1 did you do it from safe mode?
  5. Timtrash Newcomer, in training Posts: 40

    Hi

    I couldn't run TOOL 1 as it just gave me an error message when trying to. I'll try the link you sent me for bitdefender. Thanks again. Is it OK to start where I left off if the PC has been shut down, or do I need to go from step 1 after every fresh reboot?

    Thanks
  6. kritius TechSpot Guru Posts: 2,087

    Sorry I misread the post.

    You can start from where you left off. Might not be a bad idea to run Ccleaner again, just to be sure. Most of the steps up to there are just downloading and installing software.
  7. Timtrash Newcomer, in training Posts: 40

    Step 10, "TOOL 3" problem

    Still working through the preliminary removal steps, I have managed to download and run Tool1 and Tool2, but when I follow the link to Tool3 the site cannot be found. I get a HTTP 404 error message: "the webpage cannot be found". Can I just proceed with steps 11 onwards or is there another way to find Tool3?

    I did go to the main site, atribune.org, but couldn't work out what it is on there that Tool3 relates to? Any advice? Thanks for all your help so far.
  8. kritius TechSpot Guru Posts: 2,087

    try getting TOOL 3 from HERE

    There has also been a problem with the AVG antirootkit, if you use Vista then you will need to use it so here is an alternate download location

    Get AVG anti rootkit from HERE

    You're almost done now.
  9. Timtrash Newcomer, in training Posts: 40

    Still working on it - problems with Step 13

    Hi

    Apologies for the delay, Kritius, I am still working my way through preliminary removal. I am having some problems with Step 13. I'm trying to run my AVG free antivirus in safe mode (which I installed at Step 2) but the antivirus is out of date. When I try to update from the web I am getting a message saying the connection failed. I am connected to the net fine, and all the right AVG exceptions are in my firewall, so I'm trying to resolve this before I can complete Step 13. I only realised last night that there is an out-of-date Norton Antivirus on the PC, and I am told having that on there may prevent AVG from updating. I am trying to uninstall the Norton Internet Security but struggling with that now. If I can't manage to do it I may uninstall AVG and install Avast instead. When it rains it pours etc! Anyway, thanks for your patience, hope you're still reading this.
  10. kritius TechSpot Guru Posts: 2,087

    See this website for the norton removal tool, go through all the steps to get rid of it then update AVG and carry on, almost done now.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    EDIT:

    Extra Optional Steps

    Open My Computer, double-click on Drive C
    Double-click on Program Files
    Look for any Norton or Symantec product folders that remain. Right-click on them and choose Delete. Also look in the Program Files\Common Files for the Symantec Shared folder and delete it
    Close My Computer and other folders
  11. Timtrash Newcomer, in training Posts: 40

    Removal steps complete - logs attached

    Hi

    I have finally managed to get through the 15 preliminary removal steps. I have only just seen the edit you made to the last reply - I had already used the Norton Removal Tool, but haven't gone through all the additional points you suggested. Hopefully this won't make a difference or harm my chances of success?

    My three logs are attached - 1) AVG anti spyware log, 2) HJT log and 3) Combofix log. In case it helps, here are a couple of bits of extra info.

    At step 13 my AVG scan found no threats.
    At Step 14 I had a problem where my PC wouldn't allow me to run AdAware while in safe mode. When I tried I got this error message: Application error "Exception EAccess Violation in module Ad-Aware2007.exe at 001DD084 Access violation at address 005dd084 in module 'AdAware2007.exe' Read of address 00000414"
    I rebooted into normal mode, ran AdAware, then went back into safe mode to run AVG Antispyware.

    At Step 11 the Panda antirootkit scan found nothing.

    In terms of symptoms I'm still getting, the PC is still very slow. I no longer get the "errors found in system registry" at startup, but I do still get a couple of RUNDLL error messages. Not sure what happens next but hopefully you can advise! Thanks again for your patience and help.
  12. kritius TechSpot Guru Posts: 2,087

    What do the rundll error messages say, are they still the same as before? What did ad aware find?

    Would you be able to run AVG antispyware again and make sure that it's set to quarantine the files? (see a guide here)

    Check in your add/remove programs and see if you have any mention of
    MyWebSearch/MySearch

    Open HJT and do system scan only,
    Have it fix these entries,
    O2 - BHO: {0b4ef70d-33fa-eb28-1504-f81fc27a44e6} - {6e44a72c-f18f-4051-82be-af33d07fe4b0} - C:\WINDOWS\system32\ebwbsewo.dll (file missing)
    O2 - BHO: (no name) - {9F0B4B1F-6280-46CE-9016-C58A54AA731E} - (no file)
    O2 - BHO: (no name) - {A379044B-F317-4D27-AB8E-313F493940B7} - C:\WINDOWS\system32\vtuts.dll (file missing)
    O2 - BHO: (no name) - {F596C787-9606-4E4C-9052-B836B55F76E7} - (no file)
    O2 - BHO: (no name) - {F834B861-5D03-4EEB-B58B-0390FA12F221} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {F9388018-F72B-45F2-ABDA-A6D71BB2336E} - (no file)


    Would you also try TOOL 1 again for me and see if it worked this time?

    I also noticed Not-A-Virus in one of your logs so here are some instructions for that from Kaspersky,

    http://www.kaspersky.com/removaltools?vtopen=180063414#open

    Try that for now and let me know about the error messages and the AVG antispyware log, I want someone else to look at your logs.
  13. Blind Dragon TechSpot Evangelist Posts: 4,048

    Can you also please try to attach c:\combofix.txt again

    that is not a complete log
  14. kritius TechSpot Guru Posts: 2,087

    Cheers Blind, how does it look apart from that?
  15. Blind Dragon TechSpot Evangelist Posts: 4,048

    1 more missing
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

    Hopefully the rest of the entries will be gone after removing Mywebsearch

    I will check the combofix log for you - just message me when there is an updated one

    You are right on track ;)
  16. kritius TechSpot Guru Posts: 2,087

    Will do!
  17. Timtrash Newcomer, in training Posts: 40

    Latest update

    Hi

    I've carried out all the instructions since my last reply.

    1) The two RUNDLL messages I get after system startup are as follows:

    RUNDLL
    Error loading C:\WINDOWS\system32\jatarwkf.dll
    The specified module could not be found

    RUNDLL
    Error loading C\:WINDOWS\system32\mygtsxxd.dll
    The specified module could not be found

    2) Kritius, you asked if AdAware found anything. I recall it did find a number of things but I'm sorry I don't remember any of the details.

    3) I have run AVG Antispyware again as instructed, making sure it was set to quarantine the files. I followed the instructions from that link. When I clicked on "apply all actions", to quarantine the findings, I got the following message:

    "Error while quarantining.
    Failed to make a backup of the file C:\System Volume Information\_restore{202550A8 - 7A33 - 4BCA - 40624.exe. Do you want to remove it anyway? YES or NO"

    I clicked "YES" For info, I have attached the log from that scan in case you need it.

    4) I checked in my Add or Remove Programs and the only thing that sounds like MyWebSearch / MySearch is something called "My Way Search Assistant". I haven't changed or removed this as I wasn't sure if that's what I was meant to do.

    5) I did the HJT scan and fixed the six 02 entries as advised.

    6) I ran Tool1 (SmitFraud) again and that seemed to work OK.

    7) I used the link to kaspersky as instructed. It said that no "Sony rootkit" was detected, and it appeared to take no action. Not sure if this is right or not.

    8) Blind Dragon - I have tried to attach the original combofix log again but the forum wouldn't allow me to, saying I had already posted it in this thread before. I even tried resaving it under a different name and attaching it but it still detected that it had been attached before. That's the only log file I have for Combofix but if you need me to run the programme again and attach the fresh log, I can do that no problem.

    Thanks both
  18. Blind Dragon TechSpot Evangelist Posts: 4,048

    Those rundll32 errors are because your system is trying to load malware programs that were already removed. To fix them all we have to do is remove the registry entries.

    Please run combofix again
    Combofix
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
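As an added illustration of the point made above (this is not code from the thread, from HijackThis or from Combofix), a small Python parser that reads HijackThis-style log lines and picks out the autostart entries whose target file is gone: the O2/O23 lines HijackThis marks "(file missing)" or "(no file)", and an O4 Run entry that hands rundll32 a DLL that no longer exists, which is exactly what produces the "specified module could not be found" box at startup. The O4 lines, the "Example Helper" BHO and its all-zero CLSID in the sample are constructed; the `exists` callback is there so the check can be run offline against a log rather than a live disk.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample in HijackThis log format. The O2/O23 lines mirror the kind of
# entries shown in the thread; the O4 lines and the all-zero CLSID are made up.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A379044B-F317-4D27-AB8E-313F493940B7} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {9F0B4B1F-6280-46CE-9016-C58A54AA731E} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [jatarwkf] rundll32.exe "C:\WINDOWS\system32\jatarwkf.dll",b
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<svc>[^)]*)\) - (?P<owner>.*?) - (?P<rest>.*)$")
# The DLL a Run entry passes to rundll32 (quoted or not, before the ",EntryPoint" part).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


@dataclass
class Orphan:
    section: str            # O2 (BHO), O4 (Run key) or O23 (service)
    name: str
    path: Optional[str]     # None when HijackThis reported "(no file)"
    reason: str


def orphaned_entries(log: str, exists: Callable[[str], bool] = os.path.exists) -> List[Orphan]:
    """Return autostart entries whose target file is absent: either HijackThis already
    marked them missing, or a rundll32 Run entry names a DLL that `exists` says is gone."""
    found: List[Orphan] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line) or O23_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest == "(no file)":
                found.append(Orphan(line[:3].strip(), m.group("name"), None, "marked missing by HijackThis"))
            elif rest.endswith("(file missing)"):
                path = rest[: -len("(file missing)")].strip()
                found.append(Orphan(line[:3].strip(), m.group("name"), path, "marked missing by HijackThis"))
            continue
        m = O4_RE.match(line)
        if m:
            dll = RUNDLL_RE.search(m.group("cmd"))
            if dll and not exists(dll.group("dll")):
                found.append(Orphan("O4", m.group("name"), dll.group("dll"), "rundll32 target does not exist"))
    return found


if __name__ == "__main__":
    # Offline demo: treat every path as absent so the rundll32 entry is reported too.
    for o in orphaned_entries(SAMPLE_LOG, exists=lambda p: False):
        print(f"{o.section:<5}{o.name:<25}{o.path or '-':<40}{o.reason}")
```

Each reported O4 entry corresponds to one RUNDLL box at logon; the fix the post describes is removing that registry value, not restoring the DLL.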
  19. Timtrash Newcomer, in training Posts: 40

    Logs attached

    I double clicked on Combofix.exe but it seems like I didn't need to wait until the warning message then press "1" and "Enter". As soon as I double clicked on the Combofix desktop shortcut it loaded and appeared to run all by itself. There was no prompt to press any keys and I ended up with a logfile so hopefully it worked OK. The log, and a fresh HJT log, are attached.
  20. kritius TechSpot Guru Posts: 2,087

    I'll let Blind Dragon know that the log is here and we'll wait and see what he has to say.

    How is the comp running now?