Dear all,

I stumbled on a problem the other day, when i had scanned my pc with Ad-Aware. It found some sort of malware (i thiunk it was a trojan), which i (of course) selected to be removed. when i selected remove, and i rebooted windows, i got this message;

which after translation says;
"An error oocured during loading the file C:/......
Cannot find the module".

This problem began when I, after scanning with adaware, and selecting remove all trojans, rebooted my pc, which during reboot removed some files in a DOS-command window. Once i got back into Vista (HP), this message was shown, which bugs, since it will be shown now all the time i start-up/reboot my laptop.
Also, i get a message at each startup by Spyware Guard that there's a BHO. When i click 'keep hte BHO', the message gets keeping back at every start-up/reboot ... The message says;
===========================
NEW BHO DETECTION ALERT
On 10:15:36 06-17-2008 a new BHO installation attempt was detected.
BHO: {25F071A2-A062-4CB1-AD34-36B47A2B49C6}
ProgramID: n/a
File Location: C:\Windows\system32\vtUlmmml.dll
User Action Taken: REMOVE BHO
============================

Anyone has an idea on whats wrong, or can be done to get rid of the error/BHO message?
Could ths be SpyWare Guard problem?

Just to be sure, here's my HJT log (sorry its so long);

Download HJT log; http://home.student.utwente.nl/h.e.v...ckthislog1.txt

edited post - reply can be deleted. my apologies

Basically what happened is the bad file was removed, however the registry entry that tells that program to launch is still there, but the file is gone so it can't be started, that is where the error comes from. To resolve just delete the startup entry that points to that file.

If you see an 04 entry in your hijackthis that points to that file delete it.

If you would like me to look through your log please attach it here, I would prefer not to use a link.

------------------------------

For the BHO you can have hijackthis fix a 02 entry that points to that file

Thank you very much, Blind Dragon.

I have attached my HJT log in this post. In the HJT scan, i found both the BHO entry and the 04 entry for the Windows error.

However, with respect to the windows error, i found in the HJT log that it points to rundll32.exe, and something with msserver (see the HJT). Is it safe to delete both entries? I think that removing the BHO entry wont be a problem, however, if something points to rundll.exe, im not sure whether to delete. Im not experienced enough with HJT to have full insight in such problems....

Also, since yesterday, i got a new error; i keep getting instant IE-screens pop-ups that refer to something called 'antivirusscherm', or something like that (translated to english, antivirusscherm means antivirusscreen).
I dont have that problem when i use firefox, however, the very first time i open a new IE screen (for instance, when i receive anew email in my hotmail account, and i have msn messenger running), i almost always get some 2nd screen which has a pop-up referring to the antivirusscherm site. From other sites, i know this is malware, or at least crap.
Can you perhaps look through my complete HJT to see where that antivirusscherm malware piece has its entries, and if there's more stuff which i can fix with HJT?

Very much thank in advance!

Hubert

Attached Files

hijackthis.log (15.3 KB, 2 views)

Disable Spywareguard

Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

-------------------------------------------------------------------------

Remove bad HijackThis entries

• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
  
  O2 - BHO: (no name) - {D9A5B05E-D4C6-4270-A5F4-DBA2605519C0} - C:\Windows\system32\vtUlmmml.dll
  O2 - BHO: {41237ba5-dbe9-aac8-a8a4-597b419b16ad} - {da61b914-b795-4a8a-8caa-9ebd5ab73214} - C:\Windows\system32\aivvxcfh.dll
  O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrSjgd.dll,#1
  O4 - HKLM\..\Run: [2161017b] rundll32.exe "C:\Windows\system32\nnrnywsf.dll",b
  O4 - HKLM\..\Run: [BM225232e7] Rundll32.exe "C:\Windows\system32\cwtrnkrp.dll",s

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

--------------------------------------------------------------------------

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\Windows\system32\cwtrnkrp.dll
  C:\Windows\system32\nnrnywsf.dll
  C:\Windows\system32\awtrSjgd.dll
  C:\Windows\system32\aivvxcfh.dll
  C:\Windows\system32\vtUlmmml.dll
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

-------------------------------------------------------------------

After you have successfully rebooted and killbox deletes those files run
Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach this log with your reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Currently, im running the malwarebytes scan (for the second time). However, after the first reboot (which i did when KillBox was completed), i still had some BHO warnings from spywareguard after start-up. This doesnt really frigthen me. What did frighten me was that when i ran the malwarebytes scan for the first time, and left my laptop running the scan, while i went to eat something, i found out that when i came back, windows injured some error, called 'BlueScreen', and recovered from it (via a reboot i guess), and therefore, the scan didnt completed. So, my first scan didnt complete, and I dont have a log yet. Right now, im thus performing the scan (again), and so I will post the log asap.

After the 2nd scan, things have become even more utter sh1t.
What happened;
during the second scan, Norton/Symantec gave me some messages about some threat, which i ignored. During the scan, i was working in MS Word 2007. At some point, after the Norton messages, i got a bluescreen. i couldnt do anything, had to wait until the physical memory dump was 100%. Then my laptop automatically rebooted, into normal windows mode.... and after a while, during reboot, my laptop just shut down out of nothing. So i rebooted it again, now in safe mode, configured my laptop back to the last system restore point, and now back in Vista.
After that, i wanted to de-install norton internet security. But thats not possible; to remove it, i need to shut it down. But i cant shut it down. Not via the control panel (Vista says im not authorized to shut norton down). Also, the icon in the system tray in the bottom tray wont let me shut it down .... i wanted to de-install/remove norton, since i had a feeling it causes the bluescreens. Also, i wanted to install Avast AV, since people here on the board say its a better AV program ....

Right now, the messages of the BHO and rundll32.exe errors, as posted in my first post, keep on popping up again. Im back to were i was, plus that i now have the feeling my laptop is even more unstable then before, and might be at the point of a break down. Not that i blame you Blind Dragon, its just that Vista sucks big time. Thnx in advance for any new reply. I hope you can help me. In the meantime, i will start over from your first post again.

Well, during the 3rd scan, i got the BlueScreen again, which might be the BSOD. However, i can return to Vista/desktop again, so thats a good thing. As of now, im not gonna run the Malwarebytes scan again, since i have the feeling that the scan, and thus with it, the bluescreen, damage my laptop.
Also, during start-up, the BHO wihch refers to ../system32/vtUImmmI.dll keeps getting back, every time in a different form of {...-...-...}.
Second, all programs i currently use which you described in your last post (that is, Spyware Guard, HJT, KillBox), cant be shut down correctly anymore. After i use a specific program, and click the red X, Vista says the program isnt shut down properly....

Just for ease, i included a HJT.

Hope you can find anything, or explain whats happened/happening. Im really confused as of now. Thnx again for any help. Thats really appreciated.

Attached Files

hijackthis.log (13.6 KB, 1 views)

Have Hijackthis fix these entries again

O2 - BHO: (no name) - {F3AA7397-617C-4267-98C0-30585DFB607C} - C:\Windows\system32\vtUlmmml.dll
O4 - HKLM\..\Run: [BM225232e7] Rundll32.exe "C:\Windows\system32\lbpuciok.dll",s

Reboot the computer into safe mode

Delete these manually:
C:\Windows\system32\lbpuciok.dll
C:\Windows\system32\vtUlmmml.dll

and run MBAM from safe mode, make sure that you get into safe mode on your first reboot



If it crashes we will go another route, but I don't think that it will.

After the scan reboot normally and attach the MBAM log

First of all, the key {...-...-..-.....-..} of the vtUImmmI.dll is different at each startup/boot.
Second, when i reboot into safe, i cant delete vtUImmmI.dll. (I assume safe mode is done by pressing F8 at startup, and then enter safe mode from the options menu).
Now what to do?

And trying to do the trick with KillBox, via
- selecting "Delete on reboot", and select single file
- copy/paste the path of the dll file into KillBox
- executing the command via a reboot
doesnt help either.

Right now, i get a message from windows, at the startup, that it cant find C:\Windows\system32\lbpuciok.dll ....

Any second thoughts?

Attached Files

hijackthis.log (13.7 KB, 1 views)

This may be weird to you if you have never used it, it will disable your clock and desktop - just let it go. Do not interrupt it

Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

Did both, here are the logs

Attached Files

	combofixlog.txt (26.1 KB, 3 views)
	hijackthis.log (13.2 KB, 1 views)

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Here you are.

Thanks for the professional replies!

Attached Files

	combofixlog.txt (26.7 KB, 3 views)
	hijackthis.log (13.1 KB, 2 views)

This thing is a pain.

gimme a sec and I will have soemthing for you

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- Please attach main.txt and extra.txt in your next reply.

Uhm, no need to scan with MBAM? Thats what your previous message said, if im right..

It may be able to unhook this, but I didn't want you to crash again, so I we will try Deckard, if that doesn't work I will try to remove it with a different script

After we get this one file unhooked then we can use MBAM to pick up whats left

This infection was just discovered and named June 16th, 2008. So I doubt they have definitions for it

ill do it the first thing tomorrow. right now im gonna go to sleep. will post again in approx. 10 hrs.

again, thnx for the professional and dedicated replies, really appreciated