TechSpot

Strange error messages, ultra-slow PC, possible virus/spyware/malware problem

By Timtrash
Feb 29, 2008
Topic Status:
Not open for further replies.
  1. Hi

    I am a newcomer to Techspot but after having a good look around other posts I wondered if someone could help me with a PC problem I haven't experienced before. If it helps, I'm using a Dell Dimension 3000 desktop. The service tag has "JND5T1J" on it. There is also a yellow sticker on there which says "Windows XP Home Edition U7670"

    My problem is that I have started to receive some pretty strange error messages shortly after startup and whilst using the computer. This all started a couple of weeks ago and since then my PC has been extremely slow. Sometimes I can't even start up properly - after the logon screen Windows often freezes at my screensaver and my shortcuts don't even appear. On the occasions that it does start up OK, some shortcuts often don't work at all and the internet takes an age to even come up. In addition, two desktop shortcuts for programs which I have never downloaded have appeared - one is Windows Updater, the other I am afraid I cannot remember at this moment.

    At the foot of this post I have provided details of the error messages I am commonly getting. I assumed that my PC was suffering from virus/spyware/malware and had a good look at the guidance provided by Julio in the thread entitled "Viruses/Spyware/Malware, preliminary removal instructions". I have run Windows Defender, Spybot Search and Destroy and Ad Aware and deleted loads of infections which were found. When the problems persisted, I started following the instructions at the above link to the letter, from the beginning. This included using TrendMicro's Housecall, Hijack This, CClean etc.

    However, I am now getting further and further into unknown territory and am fearful of doing further damage to my operating system. I wondered if anyone with more knowledge could guide me through how to tackle this problem once and for all. As much as I am enjoying learning and trying to proudly fix it myself, my inexperience could prove to be my downfall.

    The error messages I am experiencing are:

    (After startup) During a scan of files at system startup, potential errors in the system registry were found. p-07-0100 irql: 1f SYSVER 0xff00024 NT_Kernel error 1256 KMODE_EXCEPTION_NOT_HANDLED

    (While shutting down) Access violation at address 694C5405. Read of address 694C5405

    (Randomly while on the web) RUNDLL Error loading C:\WINDOWS\system32\jatarwkf.dll The specified module could not be found.

    If anyone can assist I would be very grateful indeed. Many thanks for taking the time to read my post.
     
  2. kritius

    kritius TS Guru Posts: 2,087

    If you follow all the steps and then post the logs it will be easier to diagnose the problems that you are having. What step are you up to now?
     
  3. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Hi, thanks for the reply.

    I had major problems with step 4 (Housecall). I could get as far as identifying all the infections, but whenever I hit "Clean now" it just sat there with that screen for more than 24 hours and nothing happened. I tried it several times but it didn't progress beyond that screen. In the end I moved on with the other steps (as per the instructions) and got as far as step 10. I downloaded and ran "Tool 1" but it said it couldn't run. Then my PC froze. I have managed to shut down from Control Panel and startup again but trying to do anything on the web takes an age. Should I start the whole thing from step 1 again, or should I be able to continue from where I left off? Also, if Tool 1 won't work should I ignore that and move on? I'm a little stuck. I anticipated following the 15 steps would take a few hours, but it has taken me more than a week to get this far - is that normal do you know?

    Thanks
    tim
     
  4. kritius

    kritius TS Guru Posts: 2,087

    Ok then, try this one for now

    http://www.bitdefender.com/scan8/ie.html

    If that doesn't work then move on. For now if it's just TOOL 1 that doesn't work then use the other two and continue on.

    A week seems a bit excessive for completing this but hopefully it will be worth it to get the system clean.

    EDIT \ When cleaning after using TOOL 1 did you do it from safe mode?
     
  5. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Hi

    I couldn't run TOOL 1 as it just gave me an error message when trying to. I'll try the link you sent me for bitdefender. Thanks again. Is it OK to start where I left off if the PC has been shut down, or do I need to go from step 1 from every fresh reboot?

    Thanks
     
  6. kritius

    kritius TS Guru Posts: 2,087

    Sorry I misread the post.

    You can start from where you left off. Might not be a bad idea to run Ccleaner again, just to be sure. Most of the steps up to there are just downloading and installing software.
     
  7. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Step 10, "TOOL 3" problem

    Still working through the preliminary removal steps, I have managed to download and run Tool1 and Tool2, but when I follow the link to Tool3 the site cannot be found. I get a HTTP 404 error message: "the webpage cannot be found". Can I just proceed with steps 11 onwards or is there another way to find Tool3?

    I did go to the main site, atribune.org, but couldn't work out what it is on there that Tool3 relates to? Any advice? Thanks for all your help so far.
     
  8. kritius

    kritius TS Guru Posts: 2,087

    try getting TOOL 3 from HERE

    There has also been a problem with the AVG antirootkit, if you use Vista then you will need to use it so here is an alternate download location

    Get AVG anti rootkit from HERE

    You're almost done now.
     
  9. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Still working on it - problems with Step 13

    Hi

    Apologies for the delay, Kritius, I am still working my way through preliminary removal. I am having some problems with Step 13. I'm trying to run my AVG free antivirus in safe mode (which I installed at Step 2) but the antivirus is out of date. When I try to update from the web I am getting a message saying the connection failed. I am connected to the net fine, and all the right AVG exceptions are in my firewall so I'm trying to resolve this before I can complete Step 13. I only realised last night that there is an out-of-date Norton Antivirus on the PC, and I am told having that on there may prevent AVG from updating. I am trying to uninstall the Norton Internet Security but struggling with that now. If I can't manage to do it I may uninstall AVG and install Avast instead. When it rains it pours etc! Anyway, thanks for your patience, hope you're still reading this.
     
  10. kritius

    kritius TS Guru Posts: 2,087

    See this website for the norton removal tool, go through all the steps to get rid of it then update AVG and carry on, almost done now.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    EDIT\\\

    Extra Optional Steps

    Open My Computer, double-click on Drive C
    Double-click on Program Files
    Look for any Norton or Symantec product folders that remain. Right-click on them and choose Delete. Also look in the Program Files\Common Files for the Symantec Shared folder and delete it
    Close My Computer and other folders
     
  11. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Removal steps complete - logs attached

    Hi

    I have finally managed to get through the 15 preliminary removal steps. I have only just seen the edit you made to the last reply - I had already used the Norton Removal Tool, but haven't gone through all the additional points you suggested. Hopefully this won't make a difference or harm my chances of success?

    My three logs are attached - 1)AVG anti spyware log, 2)HTL log and 3)Combofix log. In case it helps, here's a couple of bits of extra info.

    At step 13 my AVG scan found no threats.
    At Step 14 I had a problem where my PC wouldn't allow me to run AdAware while in safe mode. When I tried I got this error message: Application error "Exception EAccess Violation in module Ad-Aware2007.exe at 001DD084 Access violation at address 005dd084 in module 'AdAware2007.exe' Read of address 00000414"
    I rebooted into normal mode, ran AdAware, then went back into safe mode to run AVG Antispyware.

    At Step 11 the Panda antirootkit scan found nothing.

    In terms of symptoms I'm still getting, the PC is still very slow. I no longer get the "errors found in system registry" at startup, but I do still get a couple of RUNDLL error messages. Not sure what happens next but hopefully you can advise! Thanks again for your patience and help.
     
     
  12. kritius

    kritius TS Guru Posts: 2,087

    What do the rundll error messages say, are they still the same as before? What did ad aware find?

    Would you be able to run AVG antispyware again and make sure that it's set to quarantine the files? (see a guide here)

    Check in your add/remove programs and see if you have any mention of
    MyWebSearch/MySearch

    Open HJT and do system scan only,
    Have it fix these entries,
    O2 - BHO: {0b4ef70d-33fa-eb28-1504-f81fc27a44e6} - {6e44a72c-f18f-4051-82be-af33d07fe4b0} - C:\WINDOWS\system32\ebwbsewo.dll (file missing)
    O2 - BHO: (no name) - {9F0B4B1F-6280-46CE-9016-C58A54AA731E} - (no file)
    O2 - BHO: (no name) - {A379044B-F317-4D27-AB8E-313F493940B7} - C:\WINDOWS\system32\vtuts.dll (file missing)
    O2 - BHO: (no name) - {F596C787-9606-4E4C-9052-B836B55F76E7} - (no file)
    O2 - BHO: (no name) - {F834B861-5D03-4EEB-B58B-0390FA12F221} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {F9388018-F72B-45F2-ABDA-A6D71BB2336E} - (no file)


    Would you also try TOOL 1 again for me and see if it worked this time?

    I also noticed Not-A-Virus in one of your logs so here are some instructions for that from Kaspersky,

    http://www.kaspersky.com/removaltools?vtopen=180063414#open

    Try that for now and let me know about the error messages and the AVG antispyware log, I want someone else to look at your logs.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Can you also please try to attach c:\combofix.txt again

    that is not a complete log
     
  14. kritius

    kritius TS Guru Posts: 2,087

    Cheers Blind, how does it look apart from that?
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    1 more missing
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

    Hopefully the rest of the entries will be gone after removing Mywebsearch

    I will check the combofix log for you - just message me when there is an updated one

    You are right on track ;)
     
  16. kritius

    kritius TS Guru Posts: 2,087

    Will do!:grinthumb
     
  17. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Latest update

    Hi

    I've carried out all the instructions since my last reply.

    1) The two RUNDLL messages I get after system startup are as follows:

    RUNDLL
    Error loading C:\WINDOWS\system32\jatarwkf.dll
    The specified module could not be found

    RUNDLL
    Error loading C:\WINDOWS\system32\mygtsxxd.dll
    The specified module could not be found

    2) Kritius, you asked if AdAware found anything. I recall it did find a number of things but I'm sorry I don't remember any of the details.

    3) I have run AVG Antispyware again as instructed, making sure it was set to quarantine the files. I followed the instructions from that link. When I clicked on "apply all actions", to quarantine the findings, I got the following message:

    "Error while quarantining.
    Failed to make a backup of the file C:\System Volume Information\_restore{202550A8 - 7A33 - 4BCA - 40624.exe. Do you want to remove it anyway? YES or NO"

    I clicked "YES". For info, I have attached the log from that scan in case you need it.

    4) I checked in my Add or Remove Programs and the only thing that sounds like MyWebSearch / MySearch is something called "My Way Search Assistant". I haven't changed or removed this as I wasn't sure if that's what I was meant to do.

    5) I did the HJT scan and fixed the six O2 entries as advised.

    6) I ran Tool1 (SmitFraud) again and that seemed to work OK.

    7) I used the link to kaspersky as instructed. It said that no "Sony rootkit" was detected, and it appeared to take no action. Not sure if this is right or not.

    8) Blind Dragon - I have tried to attach the original combofix log again but the forum wouldn't allow me to, saying I had already posted it in this thread before. I even tried resaving it under a different name and attaching it but it still detected that it had been attached before. That's the only log file I have for Combofix but if you need me to run the programme again and attach the fresh log, I can do that no problem.

    Thanks both
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Those rundll32 errors are because your system is trying to load malware programs that were already removed. To fix them all we have to do is remove the registry entries.

    Please run combofix again
    Combofix
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  19. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Logs attached

    I double clicked on Combofix.exe but it seems like I didn't need to wait until the warning message then press "1" and "Enter". As soon as I double clicked on the Combofix desktop shortcut it loaded and appeared to run all by itself. There was no prompt to press any keys and I ended up with a logfile so hopefully it worked OK. The log, and a fresh HJT log, are attached.
     
  20. kritius

    kritius TS Guru Posts: 2,087

    I'll let Blind Dragon know that the log is here and we'll wait and see what he has to say.

    How is the comp running now?
     
  21. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Much quicker than before

    Hi Kritius

    The web certainly seems a lot faster, and it seems quicker at loading my desktop and shortcuts after startup. I haven't really tried doing anything else as I was wary of messing with too many things, at least until you folks give me the all-clear. Any tips on what I can do to prevent this kind of thing happening again too? Obviously I'll keep AVG free antivirus going, but should I be doing regular scans with Spybot, AdAware, and the rest of the programs I have run as part of the preliminary removal steps?
     
  22. kritius

    kritius TS Guru Posts: 2,087

    I wouldn't worry about the three tools in step 10, you can get rid of them once we're done.

    ComboFix can also be deleted after we're finished.

    I would do regular scans with your antivirus, keep it updated and on and if you download anything then have your AVG scan it before you open it.

    Keep your firewall on and check if it alerts you to anything.

    I clear my browsing history regularly and use Ccleaner to clear things as well.

    Also keep scanning with spybot and Ad-aware and once in a while with the AVG antispyware.

    Avoid questionable websites and watch what you download. Better safe than sorry.

    Also I found this on BleepingComputer HERE
     
  23. Timtrash

    Timtrash TS Rookie Topic Starter Posts: 40

    Sounds good, I'll definitely read the tutorials on internet safety concepts. Will you or Blind Dragon let me know what more I need to do, if anything, following the last two logs (to tackle the startup error messages). Overall this has been a huge learning experience for me and I will definitely take more care to protect myself. Can't believe I'm almost through it! :D

    Forgot to add - when I go to My Computer, the Local Disk (C: ) the usual symbol has changed to a weird symbol - a palm outstretched with a red cross through it. It appeared a few days ago but I forgot to mention it. Also, I still have shortcuts on my desktop for programs which I never downloaded - they're for Help and Support Centre (a green shield) and Windows Update (a shield split into four sections - red, green, blue, yellow). Reckon I should just delete the shortcuts? Neither of these programs appear to show up in my Add/remove Programs menu.
     
  24. kritius

    kritius TS Guru Posts: 2,087

    I'd like to see what Blind Dragon finds in the ComboFix logs first and see what he has to say about this. He's very good at malware removal.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You may want to print this or save it in Notepad to your desktop so you will have it while in safe mode.

    Go to Start -> Control Panel -> Administrative Tools -> double click Services

    Stop the Microsoft cache control (MSControlService) service from running by right-clicking it and choosing Stop. Right-click it again and choose Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O4 - HKLM\..\Run: [ec0f7d4d] rundll32.exe "C:\WINDOWS\system32\jatarwkf.dll",b
    O4 - HKLM\..\Run: [BMef3c4ed1] Rundll32.exe "C:\WINDOWS\system32\mygtsxxd.dll",s
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\mygtsxxd.dll <-This file only
    C:\WINDOWS\system32\jatarwkf.dll <-This file only

    Folders:
    C:\Program Files\MyWaySA <-This folder only

    Restart your computer into normal mode



    Run a new scan with Hijackthis and attach the log
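
The RUNDLL errors explained in post 18 come from autostart entries whose target file is already gone. This added example (not part of any post in the thread, and not HijackThis's own code) parses HijackThis lines quoted from the thread and lists such orphaned entries; the `PRESENT` set and the `on_disk` helper are constructed stand-ins for a real file-existence check.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# HijackThis log lines quoted from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A379044B-F317-4D27-AB8E-313F493940B7} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {F596C787-9606-4E4C-9052-B836B55F76E7} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [ec0f7d4d] rundll32.exe "C:\WINDOWS\system32\jatarwkf.dll",b
O4 - HKLM\..\Run: [BMef3c4ed1] Rundll32.exe "C:\WINDOWS\system32\mygtsxxd.dll",s
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

# Constructed disk state: the two DLLs were already deleted by the
# scanners, while the MyWaySA toolbar file is still installed.
PRESENT = {r"c:\program files\mywaysa\srchasde\desrcas.dll"}


def on_disk(path: str) -> bool:
    """Hypothetical existence check; Windows paths compare case-insensitively."""
    return path.lower() in PRESENT


class Finding(NamedTuple):
    section: str            # HijackThis section code, e.g. "O4"
    target: Optional[str]   # file the entry points at, if it names one
    reason: str


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# DLL handed to rundll32 in a Run-key value (the quoted first argument).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"([^"]+)"', re.IGNORECASE)
# Trailing drive-letter path, without HijackThis's "(file missing)" marker.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?)(?:\s+\(file missing\))?$')


def audit(log: str, exists: Callable[[str], bool]) -> List[Finding]:
    """Return entries that reference a file which is not on disk."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if rest.endswith("(no file)"):
            findings.append(Finding(section, None, "entry names no file"))
            continue
        hit = RUNDLL_RE.search(rest) or PATH_RE.search(rest)
        if not hit:
            continue
        target = hit.group(1)
        if rest.endswith("(file missing)") or not exists(target):
            findings.append(Finding(section, target, "target file is missing"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, on_disk):
        print(f.section, f.target, "-", f.reason)
```

The MyWaySA BHO is not reported because its file still exists; it is unwanted software rather than an orphaned entry, which is why the thread removes it by name.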
     