Windows error after malware removal


ThaMaestro

Dear all,

I stumbled on a problem the other day, when I had scanned my PC with Ad-Aware. It found some sort of malware (I think it was a trojan), which I (of course) selected to be removed. When I selected remove and rebooted Windows, I got this message:
error1.jpg

which after translation says:
"An error occurred during loading the file C:/......
Cannot find the module".

This problem began when I, after scanning with Ad-Aware and selecting remove all trojans, rebooted my PC, which during reboot removed some files in a DOS command window. Once I got back into Vista (HP), this message was shown, which bugs me, since it is now shown every time I start up/reboot my laptop.
Also, I get a message at each startup from Spyware Guard that there's a BHO. When I click 'keep the BHO', the message keeps coming back at every start-up/reboot... The message says:
===========================
NEW BHO DETECTION ALERT
On 10:15:36 06-17-2008 a new BHO installation attempt was detected.
BHO: {25F071A2-A062-4CB1-AD34-36B47A2B49C6}
ProgramID: n/a
File Location: C:\Windows\system32\vtUlmmml.dll
User Action Taken: REMOVE BHO
============================

Does anyone have an idea what's wrong, or what can be done to get rid of the error/BHO message?
Could this be a SpyWare Guard problem?

Just to be sure, here's my HJT log (sorry it's so long):

Download HJT log; http://home.student.utwente.nl/h.e.velten/hijackthislog1.txt
 
Basically what happened is that the bad file was removed; however, the registry entry that tells that program to launch is still there, but the file is gone so it can't be started. That is where the error comes from. To resolve it, just delete the startup entry that points to that file.

If you see an O4 entry in your HijackThis log that points to that file, delete it.

If you would like me to look through your log please attach it here, I would prefer not to use a link.

------------------------------

For the BHO, you can have HijackThis fix an O2 entry that points to that file.
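To check the situation Blind Dragon describes mechanically, here is an added example (not code from the thread, HijackThis or Ad-Aware): it parses O2 and O4 lines in HijackThis log format, works out which file each entry loads (for rundll32.exe that is the DLL argument, not rundll32.exe itself) and lists entries whose file is gone. The sample log is constructed from entries quoted in this thread plus one healthy entry, and the `exists` parameter is an assumption added so the check can run offline against any file set.

```python
import ntpath
import os
import re

# Constructed sample in HijackThis log format: entries quoted in this thread
# plus one healthy entry for contrast.
SAMPLE_HJT_LOG = r"""O2 - BHO: (no name) - {D9A5B05E-D4C6-4270-A5F4-DBA2605519C0} - C:\Windows\system32\vtUlmmml.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrSjgd.dll,#1
O4 - HKLM\..\Run: [2161017b] rundll32.exe "C:\Windows\system32\nnrnywsf.dll",b
O4 - HKLM\..\Run: [Notepad] "C:\Windows\notepad.exe" example.txt
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def _first_token(s):
    """Split off the first command-line token, honouring double quotes."""
    s = s.strip()
    if s.startswith('"'):
        end = s.index('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(' ')
    return head, tail.strip()

def loaded_file(cmd):
    """File a Run-key command needs: for 'rundll32.exe <dll>,<entry>' it is
    the DLL (missing DLL -> "Cannot find the module"), otherwise the exe."""
    exe, rest = _first_token(cmd)
    if ntpath.basename(exe).lower() == 'rundll32.exe' and rest:
        if rest.startswith('"'):
            return _first_token(rest)[0]
        return rest.split(',', 1)[0].strip()
    return exe

def orphaned_entries(log_text, exists=os.path.exists):
    """Return [(kind, label, path)] for O2/O4 entries whose file is missing.
    'exists' is an assumption added so the check runs against any file set."""
    orphans = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = loaded_file(m.group('cmd'))
            if not exists(path):
                orphans.append(('O4', m.group('name'), path))
            continue
        m = O2_RE.match(line)
        if m and not exists(m.group('path')):
            orphans.append(('O2', m.group('clsid'), m.group('path')))
    return orphans
```

On a real machine, call `orphaned_entries(open('hijackthis.log').read())` with the default `exists` to get the entries that will throw the "Cannot find the module" error at the next boot.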
 
Thank you very much, Blind Dragon.

I have attached my HJT log in this post. In the HJT scan, I found both the BHO entry and the O4 entry for the Windows error.

However, with respect to the Windows error, I found in the HJT log that it points to rundll32.exe, and something with msserver (see the HJT). Is it safe to delete both entries? I think that removing the BHO entry won't be a problem; however, if something points to rundll.exe, I'm not sure whether to delete it. I'm not experienced enough with HJT to have full insight into such problems....

Also, since yesterday, I've got a new error; I keep getting instant IE screen pop-ups that refer to something called 'antivirusscherm', or something like that (translated to English, antivirusscherm means antivirusscreen).
I don't have that problem when I use Firefox; however, the very first time I open a new IE screen (for instance, when I receive a new email in my Hotmail account, and I have MSN Messenger running), I almost always get some 2nd screen which has a pop-up referring to the antivirusscherm site. From other sites, I know this is malware, or at least crap.
Can you perhaps look through my complete HJT log to see where that antivirusscherm malware piece has its entries, and if there's more stuff which I can fix with HJT?

Many thanks in advance!

Hubert
 
Disable Spywareguard

Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

-------------------------------------------------------------------------

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {D9A5B05E-D4C6-4270-A5F4-DBA2605519C0} - C:\Windows\system32\vtUlmmml.dll
    O2 - BHO: {41237ba5-dbe9-aac8-a8a4-597b419b16ad} - {da61b914-b795-4a8a-8caa-9ebd5ab73214} - C:\Windows\system32\aivvxcfh.dll
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrSjgd.dll,#1
    O4 - HKLM\..\Run: [2161017b] rundll32.exe "C:\Windows\system32\nnrnywsf.dll",b
    O4 - HKLM\..\Run: [BM225232e7] Rundll32.exe "C:\Windows\system32\cwtrnkrp.dll",s
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

--------------------------------------------------------------------------

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\system32\cwtrnkrp.dll
    C:\Windows\system32\nnrnywsf.dll
    C:\Windows\system32\awtrSjgd.dll
    C:\Windows\system32\aivvxcfh.dll
    C:\Windows\system32\vtUlmmml.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

-------------------------------------------------------------------

After you have successfully rebooted and Killbox has deleted those files, run
Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
Currently, I'm running the Malwarebytes scan (for the second time). However, after the first reboot (which I did when KillBox was completed), I still had some BHO warnings from Spyware Guard after start-up. This doesn't really frighten me. What did frighten me was that when I ran the Malwarebytes scan for the first time, and left my laptop running the scan while I went to eat something, I found out when I came back that Windows had incurred some error, called 'BlueScreen', and recovered from it (via a reboot I guess), and therefore the scan didn't complete. So my first scan didn't complete, and I don't have a log yet. Right now, I'm thus performing the scan (again), and so I will post the log ASAP.
 
After the 2nd scan, things have become even more utter sh1t.
What happened:
During the second scan, Norton/Symantec gave me some messages about some threat, which I ignored. During the scan, I was working in MS Word 2007. At some point, after the Norton messages, I got a bluescreen. I couldn't do anything, had to wait until the physical memory dump was 100%. Then my laptop automatically rebooted, into normal Windows mode.... and after a while, during reboot, my laptop just shut down out of nothing. So I rebooted it again, now in safe mode, configured my laptop back to the last system restore point, and now I'm back in Vista.
After that, I wanted to de-install Norton Internet Security. But that's not possible; to remove it, I need to shut it down. But I can't shut it down. Not via the control panel (Vista says I'm not authorized to shut Norton down). Also, the icon in the system tray in the bottom tray won't let me shut it down.... I wanted to de-install/remove Norton, since I had a feeling it causes the bluescreens. Also, I wanted to install Avast AV, since people here on the board say it's a better AV program....

Right now, the messages of the BHO and rundll32.exe errors, as posted in my first post, keep on popping up again. I'm back to where I was, plus I now have the feeling my laptop is even more unstable than before, and might be at the point of a breakdown. Not that I blame you, Blind Dragon; it's just that Vista sucks big time. Thanks in advance for any new reply. I hope you can help me. In the meantime, I will start over from your first post again.
 
Well, during the 3rd scan, I got the BlueScreen again, which might be the BSOD. However, I can return to Vista/desktop again, so that's a good thing. As of now, I'm not going to run the Malwarebytes scan again, since I have the feeling that the scan, and with it the bluescreen, damage my laptop.
Also, during start-up, the BHO which refers to ../system32/vtUImmmI.dll keeps coming back, every time in a different form of {...-...-...}.
Second, all programs I currently use which you described in your last post (that is, Spyware Guard, HJT, KillBox) can't be shut down correctly anymore. After I use a specific program and click the red X, Vista says the program isn't shut down properly....

Just for ease, I included a HJT log.

Hope you can find anything, or explain what's happened/happening. I'm really confused as of now. Thanks again for any help. That's really appreciated.
 
Have HijackThis fix these entries again:

O2 - BHO: (no name) - {F3AA7397-617C-4267-98C0-30585DFB607C} - C:\Windows\system32\vtUlmmml.dll
O4 - HKLM\..\Run: [BM225232e7] Rundll32.exe "C:\Windows\system32\lbpuciok.dll",s

Reboot the computer into safe mode.

Delete these manually:
C:\Windows\system32\lbpuciok.dll
C:\Windows\system32\vtUlmmml.dll

and run MBAM from safe mode; make sure that you get into safe mode on your first reboot.

If it crashes we will go another route, but I don't think that it will.

After the scan, reboot normally and attach the MBAM log.
 
First of all, the key {...-...-..-.....-..} of the vtUImmmI.dll is different at each startup/boot.
Second, when I reboot into safe mode, I can't delete vtUImmmI.dll. (I assume safe mode is entered by pressing F8 at startup, and then choosing safe mode from the options menu.)
Now what to do?
 
And trying to do the trick with KillBox, via
- selecting "Delete on reboot", and selecting single file
- copy/pasting the path of the dll file into KillBox
- executing the command via a reboot
doesn't help either.

Right now, I get a message from Windows at startup that it can't find C:\Windows\system32\lbpuciok.dll....

Any second thoughts?
 
This may seem weird to you if you have never used it; it will disable your clock and desktop - just let it go. Do not interrupt it.

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Windows\system32\lbpuciok.dll
C:\Windows\system32\awtrSjgd.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM225232e7"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57A52E74-004C-464B-96CC-4DFE5366EA02}"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
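As an added example (not part of this post or of ComboFix), here is a small checker for a CFScript of the form shown above: it enforces that File:: is the very first line with no blank line above it and no leading space, and parses the File:: and Registry:: sections. Accepting only the [key] and "value"=- forms used in this post is an assumption of this example, not ComboFix's full script grammar.

```python
import re

# Constructed copy of the CFScript from this post (the Registry:: lines use the
# "value"=- deletion form shown there).
GOOD_SCRIPT = r"""File::
C:\Windows\system32\lbpuciok.dll
C:\Windows\system32\awtrSjgd.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM225232e7"=-
"""

# The same script with the two mistakes the post warns about: a blank line
# above File:: and a space in front of it.
BAD_SCRIPT = "\n File::\n" + GOOD_SCRIPT.split("\n", 1)[1]

SECTION_RE = re.compile(r'^([A-Za-z]+)::$')
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*]+$')
REG_KEY_RE = re.compile(r'^\[[^\]]+\]$')
REG_DEL_RE = re.compile(r'^"[^"]+"=-$')   # only the delete-value form used here

def check_cfscript(text):
    """Return (problems, sections): problems is a list of strings, sections maps
    section name -> its non-blank lines. Only the forms in this post are accepted."""
    problems, sections, current = [], {}, None
    lines = text.splitlines()
    if not lines or lines[0] != 'File::':
        problems.append('line 1: must be exactly "File::" (no blank line above, no leading space)')
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line != raw:
            problems.append(f'line {n}: leading/trailing whitespace')
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            problems.append(f'line {n}: content before any section header')
        elif current == 'File' and not WIN_PATH_RE.match(line):
            problems.append(f'line {n}: File:: entries must be full Windows paths')
        elif current == 'Registry' and not (REG_KEY_RE.match(line) or REG_DEL_RE.match(line)):
            problems.append(f'line {n}: Registry:: lines must be [key] or "value"=-')
        if current is not None:
            sections[current].append(line)
    return problems, sections
```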
 
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- Please attach main.txt and extra.txt in your next reply.
 
It may be able to unhook this, but I didn't want you to crash again, so we will try Deckard; if that doesn't work I will try to remove it with a different script.

After we get this one file unhooked, then we can use MBAM to pick up what's left.

This infection was just discovered and named June 16th, 2008. So I doubt they have definitions for it
 
Blind Dragon said:
It may be able to unhook this, but I didn't want you to crash again, so we will try Deckard; if that doesn't work I will try to remove it with a different script.

After we get this one file unhooked, then we can use MBAM to pick up what's left.

This infection was just discovered and named June 16th, 2008. So I doubt they have definitions for it

I'll do it first thing tomorrow. Right now I'm going to sleep. Will post again in approx. 10 hrs.

Again, thanks for the professional and dedicated replies, really appreciated :)
 
No problem, I may have something better worked out for you by then, so check the thread before following the above
 
If you can get MBAM to run, I found one instance where it was able to unhook and remove this one.

I also recommend you uninstall both Norton and Avast ->

Norton removal tool found here -> http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

----------------------------------------------------------

Get Avira Anti-virus - update it - run full scan
http://www.download.com/Avira-AntiV...l-10322935&subj=dl&tag=button&cdlPid=10831109



Install Avira Antirootkit tool (takes seconds to run)
http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html

After scanning click view report and attach here.
 
Blind Dragon said:
No problem, I may have something better worked out for you by then, so check the thread before following the above

Since my internet connection temporarily didn't work, I conducted the DSS scan, since I didn't know what else to do, except that I could do the DSS scan. Here are the results.
Should I still go on with what you suggested in your last post?
 
Just to be sure, I completely de-installed all Norton stuff via your link to the removal kit, and also deleted Avast. Currently, I'm running the Avira rootkit tool, and after that I will run the Avira scan. When both are done, I will post the logs.
 