• Status: Solved

RUNDLL Error Loading yyyy

Hi everyone,

Many times when I start my computer (Win XP PRO) I get an error popup: "RUNDLL error loading yyyy" the specified module could not be found. Above each letter of the yyyy are 2 dots (strange characters). I am not sure if it is a virus, since IE7 recently started to load a popup window with adult pictures... this happens every 2-3 minutes while I surf the net.

Can anyone advise? On my PC I have Norton 360; I ran an update and a full scan but it found nothing.
0
Refael
Asked:
4 Solutions
 
reubstrCommented:
Go to the control panel and 'add/remove programs' and see if you have some suspicious software.

go to maybe http://www.lavasoft.com/ and download the free spyware tool. Maybe Spybot too.

Run it and see if it cleans up your system. May have to run it more than once.

Next try hijackthis and post the log here.

let us know if any of this works.
0
 
RefaelAuthor Commented:
Hi reubstr,

Thank you for your quick response. I just checked in "add/remove programs" and the only application I do not recognise is called bonjour, and I think it is part of an Apple application.
So now I will try to download your suggested tools and I will let you know.
0
 
and235100Commented:
Sounds like malware to me.
Depending on how your internet access is setup - run a full scan using HouseCall in Safe Mode:
Safe mode: http://www.computerhope.com/issues/chsafe.htm
HouseCall: http://housecall.trendmicro.com/

Then download, install, update and run a full scan of your system with SuperAntiSpyware:
http://www.superantispyware.com/download.html

Then - post a HijackThis log - don't fix anything - just generate the log file:
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
0

 
reubstrCommented:
No Problem Refael... Let me know how it works out.

reubstr
0
 
RefaelAuthor Commented:
OK, I downloaded Spybot and ran a scan, and it found the Virtumonde and the Virtumonde.Dll.

I clicked "fix selected problems". When it tried to fix these, a window popped up to confirm or disconfirm "changes to register".

At the first scan I clicked "do not agree to the changes"; then, after I ran the scan again, it found the Virtumonde and the Virtumonde.Dll again... I ran the scan a second time, but this time I clicked "agree for the changes"; then I ran the scan for the 3rd time and it found the Virtumonde and the Virtumonde.Dll again.... so it's like a never-ending circle or?

How can I get rid of that? Also, very strange: since I use Norton 360, I downloaded from Symantec the "FxVMonde" but this tool did not find anything.
0
 
RefaelAuthor Commented:

Continue...
I disconnected from the internet and ran the scan like 5 times already and there is no end.

First scan:
================================================
--- Search result list ---
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-823518204-790525478-725345543-1003\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-823518204-790525478-725345543-1003\Software\Microsoft\aldd

Virtumonde.Dll: [SBI $5573B661]  Library (File, nothing done)
  C:\WINDOWS\system32\geebb.dll

3rd scan:
===========================================================
--- Search result list ---
Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
  HKEY_USERS\S-1-5-21-823518204-790525478-725345543-1003\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
  HKEY_USERS\S-1-5-21-823518204-790525478-725345543-1003\Software\Microsoft\aldd

Last scan (repeated like 3 times)
===================================================

--- Search result list ---
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-823518204-790525478-725345543-1003\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-823518204-790525478-725345543-1003\Software\Microsoft\aldd
0
 
reubstrCommented:
You can try and turn off system restore (your choice). Then boot into safe mode and try running it then.

While the computer is rebooting, while you are on the config screens, hit F8 a bunch until the menu pops up...

If it is spyware, and 360 isn't set to search for spyware (I don't know), it wouldn't find it.

0
 
JonveeCommented:
Refael,
Spybot is good but unlikely to remove Virtumonde.  If you post a HijackThis logfile for us (as suggested by and235100), between us we can decide the best, more suitable tool to use.

The technique is to create a folder where you would like the HijackThis file to reside, and run it from there, not from the Desktop or a temp folder. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.  Request help if you need more instructions.

Run Hijackthis scan, save the log file, then click the "Attach File" box then copy and paste the logfile to the "Add File" box that appears.

After we've viewed your logfile you'll probably need to run "Combofix".
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may hang.  
It is absolutely normal for you to see just a blue screen with flashing cursor, and this can last up to an hour or so.  Just let it run.
You may have to disable NAV, it's been reported that it can interfere with the cleanup.  In any case NAV is unlikely to be able to clear this infection.
0
 
rpggamergirlCommented:
Vundo usually hides from hijackthis scan, so you might need to rename Hijackthis.exe into something else to make sure vundo can't hide, or use the already renamed Hijackthis below:

http://danborg.org/spy/hjt/alternativ.exe <-- this is a renamed hijackthis.exe

Vundofix.exe is the tool for vundo removal but recent vundo infection can be better taken care of with combofix as some leftovers can be removed using its CFScript function.
0
 
reubstrCommented:
RPGGamerGirl I think has it nailed. Good post.
0
 
JonveeCommented:
Incidentally, if Combofix requires some 'assistance' later, suggest you try VirtumundoBeGone to remove the infection>

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Save the exe file to your Desktop.
Close all running programs including your Internet Browser.
Double-click the VirtumundoBeGone.exe file, and follow the instructions.

@ reubstr  .. yes, agreed, rpggamergirl's post was good.
0
 
RefaelAuthor Commented:
Hi and thank you all

I downloaded the alternativ.exe link posted by rpggamergirl.
I moved the alternativ.exe to a folder name "alternative" inside the "Program Files" folder.
I opened the application and run a scan with a log.
The scan took like 2 seconds and here I am attaching the log.

what should i do now?
hijackthis.log
0
 
RefaelAuthor Commented:
continue my "second ago" reply above...

and..... Jonvee i just tried to download the VirtumundoBeGone.exe but it says "File not found". at first it did find it but i could not save it... the second time i think it blocked the URL or?!
0
 
JonveeCommented:
This is the Vundo infection and ComboFix should remove them >

O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\SYSTEM32\awtqnkh.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\awtqnkh.dll

These deactivated entries can be fixed, but that's not the real problem >
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\hnchdptx.dll
O2 - BHO: (no name) - {547CEF51-D2A4-4D17-808D-C40E21F3222D} - C:\WINDOWS\system32\gebcc.dll
O2 - BHO: (no name) - {C1625013-320C-4D62-BE0C-97ABE26B6B2E} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {FBF7F931-391D-42AA-9BB8-8D1B8FC0480A} - C:\WINDOWS\system32\geebb.dll (file missing)

Still investigating the remaining items ..
0
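Added example, not part of any post in this thread: a short Python triage of the HijackThis lines quoted in the posts above, which parses the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) entries and reports DLLs that are registered at more than one load point. The flagging rules and function names are assumptions that mirror what the helpers point at here; they are not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Log lines quoted in this thread's posts (not a complete HijackThis log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\awtqnkh.dll
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\hnchdptx.dll
O2 - BHO: (no name) - {C1625013-320C-4D62-BE0C-97ABE26B6B2E} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {FBF7F931-391D-42AA-9BB8-8D1B8FC0480A} - C:\WINDOWS\system32\geebb.dll (file missing)
O4 - HKCU\..\Run: [VIP Organizer] "C:\Program Files\VIP Quality Software\VIP Organizer\VIP Organizer.exe"
O4 - HKLM\..\Run: [10332b6e] rundll32.exe "C:\WINDOWS\system32\trfufvvr.dll",b
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\SYSTEM32\awtqnkh.dll
"""

# One pattern per HijackThis section handled here; other sections are skipped.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<id>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<target>.*)$"),
}

# First drive-letter path ending in .dll or .exe inside the target text.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
MISSING_RE = re.compile(r"\((?:file missing|no file)\)")


def triage(log_text):
    """Parse O2/O4/O20 lines and attach the reasons an entry deserves a look."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            fields = match.groupdict()
            target = fields["target"]
            found = PATH_RE.search(target)
            # Lower-case so SYSTEM32 and system32 compare equal.
            path = found.group(0).lower() if found else None
            missing = bool(MISSING_RE.search(target))

            reasons = []  # assumption: heuristics taken from this thread
            if section == "O2" and fields["name"] == "(no name)":
                reasons.append("BHO has no name")
            if missing:
                reasons.append("registry entry points at a file that is gone")
            if section == "O4" and target.lower().startswith("rundll32"):
                reasons.append("Run value loads a DLL through rundll32.exe")
            if section == "O20":
                reasons.append("DLL registered under Winlogon Notify")

            entries.append({
                "section": section,
                "name": fields["name"],
                "id": fields.get("id"),
                "path": path,
                "missing": missing,
                "reasons": reasons,
            })
            break
    return entries


def multi_referenced(entries):
    """Return {path: [sections]} for files registered at more than one load point."""
    seen = defaultdict(set)
    for entry in entries:
        if entry["path"]:
            seen[entry["path"]].add(entry["section"])
    return {path: sorted(secs) for path, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    parsed = triage(SAMPLE_LOG)
    for entry in parsed:
        label = "; ".join(entry["reasons"]) or "nothing flagged"
        print(f'{entry["section"]:<3} {entry["path"] or "(no path)"}: {label}')
    for path, sections in multi_referenced(parsed).items():
        print(f"{path} is registered in {', '.join(sections)}")
```

A file that shows up in `multi_referenced` has to be removed from every load point in the same pass, otherwise the surviving registration loads it again at the next logon.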
 
JonveeCommented:
Your analysed HJT logfile >
http://www.hijackthis.de/logfiles/90d48b1a571e5888dfa7eb67d02c8277.html

   >tried to download the VirtumundoBeGone.exe<
Ok, will investigate ..
0
 
JonveeCommented:
Definitely recommend you run ComboFix which could resolve your problem, & leave "VirtumundoBeGone" for the present.

Please see if you know these two sites, and Fix them with HijackThis if you don't>
O4 - HKCU\..\Run: [VIP Organizer] "C:\Program Files\VIP Quality Software\VIP Organizer\VIP Organizer.exe"
O4 - Global Startup: Font Reserve Startup.lnk = C:\Program Files\Font Reserve\FontReserve.exe
 
You can Fix this one, although it will quite likely regenerate>
O4 - HKLM\..\Run: [10332b6e] rundll32.exe "C:\WINDOWS\system32\trfufvvr.dll",b
0
 
JonveeCommented:
>tried to download the VirtumundoBeGone.exe<
For the record it seems ok, just downloaded it perfectly.  Haven't run it for obvious reasons :)

*If* we run into unexpected problems, you could download this newer version of HijackThis, then rename it (as before).  But please leave that for the moment>
Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Finally, the "O4" entries "VIP Organizer" and "FontReserve.exe" do appear ok (perhaps you can confirm), but when we've completed you could finish by running Superantispyware>
http://www.superantispyware.com/
0
 
RefaelAuthor Commented:
Guys again thank you all.

This is what I did so far:
I downloaded the ComboFix.exe and ran it. I let it run and do whatever it needs to do; I noticed it deleted some files and then rebooted my PC. Right after the reboot I ran Spybot and it did not find anything. Does this mean it's gone, or should I run ComboFix.exe again to make sure?

Also now when I open ms-outlook it opens a window "locate link browser" and looks for an exe file? What is this? Should I re-install IE7?

Thanks a million again!
0
 
JonveeCommented:
>should I run ComboFix.exe again to make sure?<

No, best to re-run HijackThis and post another logfile for us again, please.
0
 
RefaelAuthor Commented:
here is the new logfile
hijackthis1.log
0
 
JonveeCommented:
From the HJT logfile there's an improvement but this infection is still present>
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\SYSTEM32\awtqnkh.dll

Did you try to download & save VirtumundoBeGone.exe to your Desktop?
Perhaps you could try it again.
0
 
RefaelAuthor Commented:
I cannot download the "VirtumundoBeGone.exe"; it seems like something deleted the file as soon as it finished downloading. I tried renaming it and downloading to other locations....

What should I do now?
0
 
rpggamergirlCommented:
You don't need VirtumundoBeGone.exe, combofix should be enough to take care of this, just attach the report here and we'll check what other bad files need to be removed.
0
 
rpggamergirlCommented:
Combofix has a CFScript function that takes care of any bad files(leftovers) but we need to see the Combofix.txt.


reubstr, Jonvee, thanks for the kind words there, :)
0
 
RefaelAuthor Commented:
ok how can i run the Combofix again.... when i try to click on the Combofix exe file on my desktop i get "you cannot rename Combofix as Combofix"....
0
 
rpggamergirlCommented:
When you first run Combofix it should have a report -- >C:\ComboFix.txt
please attach the combofix.txt here.
0
 
JonveeCommented:
>you cannot rename Combofix as Combofix<
Have you disabled all your antivirus, antiMalware, & Firewall?  One of these could be interfering with ComboFix.

Or, if you have trouble locating the combofix.txt,  you may be able to rename the ComboFix.exe file to Combo.exe before you try it again.
0
 
rpggamergirlCommented:
>>>you cannot rename Combofix as Combofix<<<
does happen if the previous run was aborted, if so please reboot.

If your previous run wasn't aborted and completed its run, it should have the log file and that's all we need to look at.
0
 
RefaelAuthor Commented:
OK, I was sure I attached it before, as I ran this scan before I used the hijackthis.

ComboFix.txt
0
 
JonveeCommented:
>Should I re-install IE7?<
No, just reboot & that should also fix the IE7 problem.

If still no internet & your network icon appears on the Taskbar, right-click on it and see if you can select 'Repair'.  Any improvement?
0
 
rpggamergirlCommented:
Did you recognize all the programs listed in the Combofix log as your legit programs? I haven't checked them all.


Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\hnchdptx.dll
C:\WINDOWS\system32\itnygjhb.dll
C:\WINDOWS\system32\rmgtuylc.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\geebb.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16C4CC4D-559A-40CA-927A-F59BD019E904}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{547CEF51-D2A4-4D17-808D-C40E21F3222D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1625013-320C-4D62-BE0C-97ABE26B6B2E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF7F931-391D-42AA-9BB8-8D1B8FC0480A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"10332b6e"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply.

0
 
RefaelAuthor Commented:
hi again,

I rebooted the PC since I could not start ComboFix.exe.
On reboot the Rundll error appeared saying: error loading c:\windows\system32\trfufvvr.dll

Tried to run ComboFix.exe (the exe file is on my desktop) and got the same error: you cannot rename Combofix as Combofix.
rpggamergirl: I moved the ComboFix.exe to the folder it created, C:\QooBox, then I created the txt file and did what you asked, but the same error appeared, the rename problem.

0
 
JonveeCommented:
Refael,
Presume your antivirus etc have all been disabled?

If yes, then maybe it's worth removing the present copy of ComboFix (we can provide the simple instruction for this), & downloading another!  
But let's wait & see what rpggamergirl recommends, she's the Malware Huntress!
0
 
RefaelAuthor Commented:
hi Jonvee
I deleted the "C:\QooBox" folder and turned off the firewall of Norton 360. Still getting the same error!!!!
ps. i can still restore the folder if needed.
0
 
rpggamergirlCommented:
>>>rpggamergirl: I moved the ComboFix.exe to the folder its created C:\QooBox then I created the txt file and did what you asked but the same error appeared the rename problem.<<<

The combofix.exe and CFScript.txt have to be in the same location (which should both be on the desktop); if they're not in the same location then it won't work.


This could also be caused by the new infection.
Try and redownload Combofix,
but first you MUST delete the one you have: delete the version you have on your desktop and anywhere else, and download from the link below.
http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe
0
 
rpggamergirlCommented:
http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe
Please download from the above link, not from the link Jonvee posted; the above is the renamed combofix.
0
 
JonveeCommented:
If it helps you can uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then select 'enter'.
0
 
rpggamergirlCommented:
Just delete the combofix folder not using the "ComboFix /u" command,
using the "ComboFix /u" command deletes everything, backups and all and we just want the renamed version.
0
 
RefaelAuthor Commented:
hi again

I tried this link: http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe  but I am getting the same error.

I deleted the folder and even tried to rename the exe file but keep getting the same error.

Running ComboFix /u does not help now because the folder does not exist now after I deleted it.

For rpggamergirl: yes, at first the exe file was on my desktop, but then I moved it inside the folder and created the txt file and located it in the same folder, but it did not work.
0
 
rpggamergirlCommented:
Have you deleted all combofix folders? The cannot rename error can also occur if a folder of the same name is present.
There are new nasties that prevent tools from running and attack .exes with the strings, for example:
* \ComboFix.exe
* \combo.exe
* \combofix

Have you tried rebooting as well?
if still not working we'll use another tool.
0
 
RefaelAuthor Commented:
I searched for files like combo and found some files related to this tool in the prefetch folder. I deleted them and yet still the same error.
0
 
rpggamergirlCommented:
So even if there are no combofix folder anywhere, and you download the renamed version, reboot, it still throws out the "can not rename error"?


Let's try WinPFind tool.(this will not delete anything during the first run, it will only delete files that are in the script on the second run)

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
* In the 'Files Created Within' group click 30 days
* In the 'Files Modified Within' group select 30 days
* In the 'File String Search' group select Non-Microsoft
* In the 'Drivers Services' group select Non-Microsoft
* In the 'Additional Scans' group select 'Desktop Components'

Now click the "Run Scan" button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked.
If it is, then click on it to uncheck it.
0
 
JonveeCommented:
Well it's ~1:30 am in these parts & i need some sleep, will drop by later.
0
 
rpggamergirlCommented:
I re-read the thread and realized I've repeated some of your posts, sorry...... night Jonvee!
0
 
RefaelAuthor Commented:
guys thank you all so much.... here is the txt file after the scan WinPFind3u
WinPFind3.Txt
0
 
JonveeCommented:
@ Refael  ..  not familiar with the analysis by the WinPFind tool, we will have to wait for rpg's verdict, but good luck.

@ rpggamergirl  ... repeated earlier posts?  No problem, i prefer to think of it as good teamwork  :)
0
 
rpggamergirlCommented:
Please Start WinPFind3U. Copy/Paste the information in the Quotebox below(all text inside the lines) into the pane where it says "Paste fix here" and then click the Run Fix button.
When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix.

After WinPFind have run the script, try and see if combofix can run, or run an online scan with either Trend as had been suggested or with Kaspersky. and show the logfile.


---------------------------------
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> 10332b6e -> %System32%\trfufvvr.DLL [rundll32.exe "C:\WINDOWS\system32\trfufvvr.dll",b]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {16C4CC4D-559A-40CA-927A-F59BD019E904} [HKLM] -> %System32%\hnchdptx.dll [Reg Data - Value does not exist]
YN -> {547CEF51-D2A4-4D17-808D-C40E21F3222D} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> {98663E21-9CCE-4CF6-863C-911A9523A66F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> {C1625013-320C-4D62-BE0C-97ABE26B6B2E} [HKLM] -> %System32%\ssqrq.dll [Reg Data - Value does not exist]
YN -> {FBF7F931-391D-42AA-9BB8-8D1B8FC0480A} [HKLM] -> %System32%\geebb.dll [Reg Data - Value does not exist]
[Files/Folders - Created Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> hnchdptx.dll -> %System32%\hnchdptx.dll
NY -> itnygjhb.dll -> %System32%\itnygjhb.dll
NY -> rmgtuylc.dll -> %System32%\rmgtuylc.dll
[Files/Folders - Modified Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> hnchdptx.dll -> %System32%\hnchdptx.dll
NY -> itnygjhb.dll -> %System32%\itnygjhb.dll
NY -> rmgtuylc.dll -> %System32%\rmgtuylc.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]




0
 
rpggamergirlCommented:
I'll be offline soon, so continue on guys!
0
 
JonveeCommented:
If after WinPFind you still cannot get ComboFix to run, it's a bit of a long shot but you could try the Stinger which is a utility that cleans the system of viruses that block anti virus software>
http://vil.nai.com/vil/stinger/

Here again is Trend Micro's, free, online virus scanner:            
http://housecall.trendmicro.com
and ..
Kaspersky Online Scanner>
http://www.kaspersky.co.uk/virusscanner
0
 
RefaelAuthor Commented:
Hi guys

I ran the WinPFind3u with the fixes sent by rpggamergirl.
The PC restarted and then a notice popped up from Spybot - Search & Destroy saying changes to registry denied by user or something like this; I could not write down the exact message. Should I remove this application or?

I tried to run Combo-Fix.exe but the same error again...

Now what should I do? Should I try http://vil.nai.com/vil/stinger/ like Jonvee suggested or?

Here attached is the log by WinPFind3u after running the fix.

PS. This time when the computer started I did not get the RUNDLL error.
02032008-211747.log
0
 
JonveeCommented:
Have just logged in.  Sorry i can't comment on the WinPFind log but will study & attempt interpretation.     rpg will probably be along shortly.

Ref to popup by Spybot, best not to have Spybot running.  Hopefully it's disabled?

Can't see any harm in trying Stinger, but not at the expense of wasting your time that you could otherwise spend on WinP & Combo.
0
 
JonveeCommented:
>Should I remove this application<
Assuming you're referring to Spybot S & D, then uninstall, yes.

WinPFind seems to have improved the situation but not sure about these 3 entries.  Am assuming 'not found' is good, but i'm not sure>
File C:\WINDOWS\SYSTEM32\hnchdptx.dll not found!
File C:\WINDOWS\SYSTEM32\itnygjhb.dll not found!
File C:\WINDOWS\SYSTEM32\rmgtuylc.dll not found!

But unless rpg has a better idea 'at this time', then could you please post another HijackThis logfile.  Reason being, we are looking for a possible improvement due to the WinPFind log entries.
0
 
JonveeCommented:
@ rpggamergirl      i'd be grateful if you would comment on the WinPFind log entries when you have a moment please?
 
The entries seem almost self explanatory but i can't believe it's that easy!  Certainly the three 'dll not found' items above are a little puzzling.  
Can you point me in the direction of any Tutorial(or basic instruction) please, or does it entail a course?  It was just a thought, maybe i could have contributed something.
0
 
RefaelAuthor Commented:
i think i am starting to lose you :-) here is a new log from HijackThis.
hijackthis-030208.log
0
 
JonveeCommented:
Lose us, no, we aren't going anywhere :)
     
Let's stick with it a while longer.  Here's your HJT analysed logfile>
http://www.hijackthis.de/logfiles/370c5284134955cb98c2d574f104c587.html

These stubborn entries are the two that are just being a bit difficult to remove >
O4 - HKLM\..\Run: [10332b6e] rundll32.exe "C:\WINDOWS\system32\trfufvvr.dll",b
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\
0
 
RefaelAuthor Commented:
should i do with this anything? please let me know.... again always many thanks!
0
 
JonveeCommented:
Yes, could you please try running Superantispyware?  
If successful, hopefully one of those 'nasties' will be seen with a 'file missing' entry.  Then HijackThis has a chance of 'Fixing' the entry.

Have you had the opportunity to run the Trend Micro & Kaspersky online scans, please?

Finally, as ComboFix is not playing ball, only other suggestion tonight is to try VundoFix 6.5.10.  Not as good as ComboFix, but at least you may get it to run >>
http://www.softpedia.com/get/Antivirus/VundoFix.shtml

<Quoting>  To use VundoFix follow the instructions written below:
· Please download VundoFix.exe to your desktop.
· Double-click VundoFix.exe to run it.
· Put a check next to Run VundoFix as a task.
· You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
· When VundoFix re-opens, click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on. <Unquote>
0
 
RefaelAuthor Commented:
Jonvee what should I do first?

Should I download the free version from http://www.superantispyware.com/?tag=GOOGLE-SUPERANTISPYWARE? and send you the log file or should I download this first http://www.softpedia.com/get/Antivirus/VundoFix.shtml run a scan and send you the log file?

Jonvee, wouldn't it be better to just format the drive and install new Win XP? It seems like a never-ending story?! I just hate calling the XP activation centre every time I need to re-install my system.
0
 
rpggamergirlCommented:
Are you saying Spybot's tea timer denied that registry change? Tea timer always alerts you for any changes in the registry; I should've asked you to turn it off. So that means those registry are still there.

Wait....I'll look at the log.
0
 
rpggamergirlCommented:
C:\WINDOWS\SYSTEM32\hnchdptx.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\hnchdptx.dll moved successfully.



[Files/Folders - Created Within 30 days]
C:\WINDOWS\imsins.BAK moved successfully.
File C:\WINDOWS\SYSTEM32\hnchdptx.dll not found! <-- was already moved as shown above.


C:\WINDOWS\SYSTEM32\itnygjhb.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\itnygjhb.dll moved successfully.
C:\WINDOWS\SYSTEM32\rmgtuylc.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\rmgtuylc.dll moved successfully.


The "not found" below is understandable as they have been moved. I put those files there twice, so the second time it was looking, those files were no longer there.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\imsins.BAK not found!
File C:\WINDOWS\SYSTEM32\hnchdptx.dll not found!
File C:\WINDOWS\SYSTEM32\itnygjhb.dll not found!
File C:\WINDOWS\SYSTEM32\rmgtuylc.dll not found!


Yes do other scans, Kaspersky scan as well(online) so we'll know if there are others the logs didn't show.
0
 
JonveeCommented:
Formatting & reinstalling XP is really the last move and we don't give up that easily!  Let's fight this parasite removal for a bit longer, it somehow feels we're nearly there!

For the Kaspersky online scanner, see if these general guidelines help>>
 
Once the database has downloaded click 'next'.
Click Scan Settings, then change the 'Scan using the following antivirus database' from 'standard' to 'extended'.  
Click OK.
Click on 'My Computer' and please don't the computer until the scan is completed.
When scan completed click 'Save Report As'.
Enter a name for the file in the 'Filename' box, then click the down arrow to the right of 'Save as type' and select text file (*.txt).
Click 'Save' and the file should appear on your Desktop.

http://www.kaspersky.co.uk/virusscanner

@ rpggamergirl  .. thanks for the WinPFind log entry explanation, it's appreciated!
0
 
RefaelAuthor Commented:
hi guys,
here is the log from kaspersky critical areas log.txt
it found only 1 virus?!
kaspersky-criticalareas-log.txt
0
 
rpggamergirlCommented:
Well, only one virus so that's good!
Just manually delete C:\WINDOWS\system32\NTSpool.exe
if it refuses to delete, try deleting it in safe mode, or by using a third party tool like Killbox.exe.


@jonvee,
About WinPFind tutorial, I can't point you to any tutorial for that, there's another program that I run the report into, but you can learn starting from the basics of removing malware from any antispyware forums that train helpers, like WhatTheTech.com, GeeksToGo.com forum etc.
0
 
JonveeCommented:
@ Refael  .. from your Kaspersky log, and FYI, here's info on Trojan.Win32.Inject.uy and hopefully that one's nailed! >>

http://216.239.59.104/search?q=cache:81b0mSh0EAIJ:www.kaspersky.com/viruswatchlite%3Fhour_offset%3D-8+Trojan.Win32.Inject.uy&hl=en&ct=clnk&cd=1&gl=uk

If you require d/l info on Killbox.exe, let us know.

Upon completion of rpg's recommendations, suggest a Superantispyware scan followed by a HijackThis scan(the last?).  Thanks.

@ rpggamergirl  .. thanks for the additional advice, again it's appreciated.
0
 
RefaelAuthor Commented:
Hi Jonvee and rpggamergirl.... thank you guys!

I just run full scan including folders and files using kaspersky it found 10 viruses and 51 infected objects.

Knowing that... now I am not sure what Norton 360 is for. I used to have NIS 2007 before and I think it was better, as upgrading to Norton 360 might be a big mistake?!

Anyway I deleted the NTSpool.exe. My question is what now? Should I purchase kaspersky so it can fix these viruses and infected files? Let me know in your opinion what I should do now, thanks!
0
 
rpggamergirlCommented:
I'm not a fan of Norton, I used to have it.
Personally, I think Kaspersky is the best out there for detection and removal, but other antivirus also are very close to it.
Kaspersky free trial will remove viruses that it finds, so you can just try it if you like.

You also have the option of staying with Norton and just manually deleting the viruses that Kaspersky found. You can use a third-party tool like Killbox to delete multiple files (all the viruses that Kaspersky reported) in one go.

@Jonvee;
No problem, sorry if I kept missing to reply.
0
 
JonveeCommented:
IMHO I would not use Norton/Symantec, they "generally" appear to cause numerous problems, & are heavy on computer resources.
Instead you could periodically use the free Kaspersky, and back that one up by also scanning with these two, both free >

AVG Antivirus Free 7.5.488 >>
http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10645435.html

"Trend Micro's FREE online virus scanner":            
http://housecall.trendmicro.com

For Malware use the free AdAware, SpyBot, and the more powerful Superantispyware, all three are free.
0
 
JonveeCommented:
You may not be quite out of the wood yet, perhaps you'd like to provide just one more HijackThis logfile, thanks.
0
 
RefaelAuthor Commented:
I will now download Kaspersky and try to remove and fix what it finds.
hijackthis-040208.log
0
 
rpggamergirlCommented:
That's great! Kaspersky free trial should remove the viruses that it finds.

Refael, you can fix these entries in Hijackthis.

Please turn off Tea timer before fixing the entries.

You need to close all browsers and other windows(except hijackthis) and click "Fix Checked" button
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - (no file)
O2 - BHO: (no name) - {547CEF51-D2A4-4D17-808D-C40E21F3222D} - (no file)
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - (no file)
O2 - BHO: (no name) - {C1625013-320C-4D62-BE0C-97ABE26B6B2E} - (no file)  
O2 - BHO: (no name) - {FBF7F931-391D-42AA-9BB8-8D1B8FC0480A} - (no file)
O4 - HKLM\..\Run: [10332b6e] rundll32.exe "C:\WINDOWS\system32\trfufvvr.dll",b
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\
0
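A triage sketch for the kind of HijackThis entries listed in the post above, added here as an example and not part of the original thread. The regular expressions assume the O2/O4/O20 line shapes seen in that post, and the two "Example" lines are constructed benign entries for contrast.

```python
import re

# Lines taken from the post above, plus two constructed benign "Example" entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [10332b6e] rundll32.exe "C:\WINDOWS\system32\trfufvvr.dll",b
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\
"""

BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)


def triage(log_text):
    """Return (flag, detail) findings for the O2/O4/O20 lines in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO.match(line):
            # Registration left behind after the DLL itself was removed.
            if m["path"].strip() == "(no file)":
                findings.append(("orphaned-bho", m["clsid"]))
        elif m := RUN.match(line):
            # A DLL started at boot through rundll32; if the DLL is missing,
            # this kind of entry produces a "RUNDLL error loading" popup.
            if r := RUNDLL.match(m["cmd"]):
                findings.append(("rundll32-autorun", f'{m["name"]} -> {r["dll"]},{r["export"]}'))
        elif m := NOTIFY.match(line):
            # Every Winlogon Notify entry is listed for manual review.
            findings.append(("winlogon-notify", f'{m["name"]} -> {m["path"]}'))
    return findings


if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_LOG):
        print(f"{flag:18} {detail}")
```
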
 
JonveeCommented:
Refael,
Any luck?  Are you still making progress or have you run into another problem?

To correct my earlier statement that Kaspersky is free, should of course have read that Kaspersky has a "free trial", which is what you've been using presumably.
 
The earlier advice on scanners still stands, and our Home network of three machines uses nothing but those very same scanners (although not Kaspersky which is arguably the best free virus scanner around), & we have never had a problem.
0
 
JonveeCommented:
Guess you've run into further problems?  
Maybe at this stage and after much troubleshooting, it's time to do as you intimated earlier, format and reinstall XP.  
If you're contemplating doing it yourself, this link will help.  Whatever you decide, good luck>

"Clean Install Windows XP":
http://www.michaelstevenstech.com/cleanxpinstall.html
0
 
RefaelAuthor Commented:
Hello Jonvee and rpggamergirl

I am sorry for the late reply and I thank you so much for all your help.

I had to re-install XP, I deleted the partition and formatted the drive and reinstalled XP.
There was no end to the bugs and errors. I agree Kaspersky is a great application; it tried its best but I guess it could not handle the attacks. So now I have a clean XP and Kaspersky is installed. I removed the Norton 360, knowing if the mess started while it was installed better not to have it again.

Question... can you please let me know how should I divide the question points? Can you suggest? You were all so helpful and many thanks for that.
0
 
JonveeCommented:
You're welcome, & thanks for reporting back!

>how should I divide the question points?<
If all other participants agree, may I suggest that as several of the comments (in attempting to clean up your original system) were put forward by both rpggamergirl and Jonvee, they should have the majority of the "shared Points".  But it must not be forgotten that reubstr and and235100 both suggested using HijackThis, so they too should also have a share!

I guess the final decision is yours, it'll probably be fine, & hopefully this link will help you further>
"How do I close a question?":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/ME/help.jsp
0
 
JonveeCommented:
That last link didn't work as intended.  Please scroll down about 60% to sub-heading "How do I close a question?":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/ME/help.jsp#hi331
0
 
RefaelAuthor Commented:
Hi Guys, Thanks a million for your help. I hope the way I divided the points is fine with you all. Thanks again!
0
 
rpggamergirlCommented:
Reformatting and reinstalling is a good idea.

Thanks!
0
