Error loading C:\WINDOWS\system32\uhvjsul.dll

Status
Not open for further replies.
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post fresh HJT and Ewido logs as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here are the logs

Can't remove the autostart of these 2 files:
sexy.dll & uhvjsul.dll

I just attached the log coz its too long to post
 

Attachments

  • hijackthis.log
    9.7 KB · Views: 8
Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

BPK

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

sexy.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - (no file)

O4 - HKLM\..\Run: [sexy] C:\Program Files\BPK\sexy.exe

O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

O16 - DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} (IntraLaunch.MainControl) - file://E:\Interface\IntraLaunch.CAB

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

O20 - Winlogon Notify: fatrecov - fatrecov.dll (file missing)

O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\BPK Delete the entire folder.
C:\MuZiKa_29™\Installer\cFoss\cFosSpeed v212\crack\cfos_crack.exe
C:\Documents and Settings\Nathaniel\My Documents\Samurai X\Keyloggers

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
still there..

the 2 files are still there, wehenever i try to remove them using HJT, they reappear again when i do another round of scanning in HJT.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

when it reboots and post a fresh HJT log as an attachment.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
i've deleted both of these files long ago, they don't exist in the directory


===================================================================================

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cnixvdma

*******************

Script file located at: \??\C:\WINDOWS\system32\ffjduqwt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\Program Files\BPK\sexy.exe for deletion
Deletion of file C:\Program Files\BPK\sexy.exe failed!

Could not process line:
C:\Program Files\BPK\sexy.exe
Status: 0xc000003a



File C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf not found!
Deletion of file C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf failed!

Could not process line:
C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
 
Those file must still be there as they are still in your HJT log. BTW, please post HJT logs as attachments.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

sexy.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit. exe,

O4 - HKLM\..\Run: [sexy] C:\Program Files\BPK\sexy.exe

O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

Click on the fix checked button.

Close HJT.

Run HJT and click on the config button, followed by the misc tools button. Click the delete file on reboot button and browse to C:\Program Files\BPK\sexy.exe
Click open. You will be prompted to restart your system. Once your system has restarted. Repeat the above instructions for C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

Post a fresh HJT log as an attachment, only after doing the above.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
sorry, i thought i'm supposed to post the logs here. the files seem to be deleted in safe mode even after i scan it again w/ HJT but when i reboot in normal mode, the files reappear in the scan of HJT. i've attached an image containing all folders in my Program Files directory. (i cut the image to reduce the file size)
 
Is this the only account on the computer? If so, follow the instructions below.

Did you run all the tools etc in this thread HERE? If not, you should do so.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


Click start/run and type regedit into the run box.

Click edit/find and type sexy.exe and click the find next button. In the righthand pane right click on any entries that have sexy.exe in them and select delete. Then click the edit button again and select find next. Do this until you have deleted all keys with sexy.exe in them.

Repeat the above for this file. uhvjsul.dll

Once done, reboot your computer and post a fresh HJT log.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
yes, i followed every step you posted here. whenever i delete them from the registry, they seem to re appear again.
 
The nasty entries are still there.

Go to C:\Program files and delete the bpk folder. If you can`t, try opening the folder and delete what`s inside.

Download combofix.exe. Double click combofix.exe & follow the prompts.

A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

sexy.exe
iun6002.exe

Close task manager.

Click start/run and type regedit into the run box and press the enter key.

Navigate to the following key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete these entries, incuding any folder(if there).

sexy"="C:\\Program Files\\BPK\\sexy.exe

"uhvjsul.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf"

Close regedit.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [sexy] C:\Program Files\BPK\sexy.exe
O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

Click on the fix checked button.

Close HJT.

Delete the following bold files if there.

C:\WINDOWS\system32\uhvjsul.dll
C:\Program Files\BPK\sexy.exe
C:\WINDOWS\iun6002.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
when i deleted the two files in the registry (safe mode), the HJT scan results were clean, then i rebooted in normal mode,to make sure i run the HJT scan again and then the two files appeared again.
 
I`m running out of ideas here.

Try this.

Download the Vundofix tool from HERE. I know you`ve already used it, but these instructions are a little different. It`s also important that you download a fresh copy as it may have been updated.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK

When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
In case it says that nothing was been found, Right click the list box (white box) in the main VundoFix window.

Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
In the Window: copy and paste the following in the first field: C:\WINDOWS\system32\uhvjsul.dll

Click the “Add Files” button.
Click the "Close Window" button.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Let me know the results and post a fresh HJT log.

If that doesn`t work, I have only one more possible fix for you to try.

Regards Howard :)

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
The way things are going, that may need to happen.

I`ve only one possible fix left and if that don`t work I`m completely out of ideas.

I`d love to get my hands on the malware writers and .......

Regards Howard :)
 
yeah, i'm thinking about reformatting too but it would take all day to download the updates from microsoft. here's what happened:
"No files were found, VundoFix V6.1.6 will now close" my computer did not shut down. what could be triggering these files to run in the registry even if i delete them? they seem to disappear in safe mode but then returns when i reboot into normal mode. :suspiciou
 
Ok, this is the last possible fix I can think of. I make no guarantee as to the outcome.

Download the attached file, extract it and save it to your desktop.

Double click the Regfix.reg file and you will be asked if you want to merge it into the registry, click yes. You will receive a message that says "successfully merged"

Reboot your system.

Download Brute Force Uninstaller from http://www.merijn.org/files/bfu.zip and unzip it to it’s own folder (c:\BFU).

Right click on this link http://metallica.geekstogo.com/EGDACCESS.bfu and choose 'Save As' (or 'Save Target As) in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU).

Start the Brute Force Uninstaller by double clicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Once that's done, post a fresh HJT log.


Regards Howard :(

This thread is for the use of natzkie only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I`m really sorry I wasn`t able to help.

I hate it when I can`t solve a problem and just lately it seems to be happening far more often than I`d like.

That`s why I hate virus writers. The misery they cause really pisses me off.

Good luck with the format.

Regards Howard :)
 
Status
Not open for further replies.
Back