
Author Topic: Registry help  (Read 29900 times)


msu715

    Topic Starter


    Beginner

    Thanked: 1
    Registry help
    « on: February 02, 2009, 03:31:21 PM »
    Does anyone have a good recommendation for a free registry cleaner that REPAIRS the files for free, not just scans them? I have a DLL error that prevents me from using the internet and freezes my computer.  If anyone has a solution I'd gladly appreciate it.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Registry help
    « Reply #1 on: February 02, 2009, 07:28:32 PM »
    First and most important to know is that Registry cleaners DO NOT repair the registry. The descriptions are misleading and have caused even 'healthy' computers to not boot back to Windows. NEVER run a registry cleaner on a PC that is having performance issues. You might as well just reformat and reinstall as that's likely what will happen if you do.

    What is the exact .dll error or errors?


    msu715

      Re: Registry help
      « Reply #2 on: February 02, 2009, 07:32:54 PM »
      Well when I log-in to Windows this pops up, "Unable to display C:\Windows\Uhitovo.dll" then the background turns blue and I can't access the internet...any idea what this could be?

      evilfantasy

      Re: Registry help
      « Reply #3 on: February 02, 2009, 07:35:00 PM »
      That is a virus.

      Can you go to C:\Windows\Uhitovo.dll and try to delete the Uhitovo.dll file?

      Do you have a flash drive to transfer over some tools so we can clean the malware?

      msu715

        Re: Registry help
        « Reply #4 on: February 02, 2009, 07:38:11 PM »
        How would I go about getting to that file and deleting it? Sorry, I'm somewhat new at this whole virus thing.

        msu715

          Re: Registry help
          « Reply #5 on: February 02, 2009, 07:39:24 PM »
          And yes I do have a flash drive to transfer over software to clean the malware.

          evilfantasy

          Re: Registry help
          « Reply #6 on: February 02, 2009, 07:46:40 PM »
          First, what OS are you using? XP or Vista?

          msu715

            Re: Registry help
            « Reply #7 on: February 02, 2009, 07:46:54 PM »
            It's Windows XP

            evilfantasy

            Re: Registry help
            « Reply #8 on: February 02, 2009, 07:50:53 PM »
            Use these directions and transfer the file (SDFix) to the infected computer. It will create a log when complete and hopefully it will get your Internet connection back. Either way I need to see the log.

            Download SDFix by AndyManchesta and save it to your desktop.

            When using this tool, you must use the Administrator's account or an account with Administrative rights


            * Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
            * A window will now open showing SDFix being extracted into the C:\SDFix folder.     
            * Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
            * DO NOT use it just yet.

            Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

            When your computer has started in safe mode, and you see the desktop, close all open windows.

            * Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK  button.

            Code:
            C:\SDFix\RunThis.bat
            * SDFix window will open containing some brief info and a disclaimer on the use of the tool.
            * Type Y on your keyboard and then press Enter to begin the cleanup process.
            * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
            * Press any Key and it will restart the PC.
            * When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
            * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
            * Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

            msu715

              Re: Registry help
              « Reply #9 on: February 02, 2009, 08:12:11 PM »
              I'm using my roommate's computer and can't copy the report from my infected laptop to this computer since my Internet on the infected one isn't working. However, the scan finished up and found a few trojans. Any way I can copy it over?

              evilfantasy

              Re: Registry help
              « Reply #10 on: February 02, 2009, 08:16:01 PM »
              Yes you can put the .txt file on the flash drive and transfer it like you did SDFix.

              Also transfer this next tool over and run it now please. Don't worry, we'll get it back to normal. Hopefully after running this next scan.

              I need the ComboFix log even more than I do the SDFix log. It will tell me exactly what needs to be done next.

              Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

              Link #1
              Link #2

              **Note:  It is important that it is saved directly to your Desktop

              Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

              Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
               
              Double click combofix.exe & follow the prompts.
              When finished ComboFix will produce a log for you.
              Post the ComboFix log in your next reply.

              Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

              msu715

                Re: Registry help
                « Reply #11 on: February 02, 2009, 08:49:57 PM »
                When I try to run ComboFix, something pops up that says I don't have Windows Recovery Console and that I need to install it, but I need an internet connection, which I don't have. Do you think I should continue on without it or do I absolutely need it?

                evilfantasy

                Re: Registry help
                « Reply #12 on: February 02, 2009, 08:51:37 PM »
                Yes please continue on. You can install it later but it won't be needed for what we are doing.

                msu715

                  Re: Registry help
                  « Reply #13 on: February 02, 2009, 09:03:58 PM »
                  ComboFix 09-02-02.04 - Bob 2009-02-02 22:52:42.1 - NTFSx86
                  Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.503.254 [GMT -5:00]
                  Running from: E:\ComboFix.exe
                  AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

                  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                  .

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  c:\documents and settings\Bob\Application Data\NI.GSCNS
                  c:\documents and settings\Bob\Application Data\NI.GSCNS\dl.ini
                  c:\documents and settings\Bob\Application Data\NI.GSCNS\settings.ini
                  c:\windows\system32\cLkjQqru.ini
                  c:\windows\system32\drivers\seneka.sys
                  c:\windows\system32\drivers\senekaubqsxjol.sys
                  c:\windows\system32\PVGgQqss.ini
                  c:\windows\system32\PVGgQqss.ini2
                  c:\windows\system32\senekaaqpmepcf.dll
                  c:\windows\system32\senekalnkpaswu.dat
                  c:\windows\system32\test.ttt
                  c:\windows\system32\uniq.tll
                  c:\windows\system32\win32hlp.cnf
                  c:\windows\Tasks\sackzllj.job

                  .
                  (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  -------\Service_SENEKA


                  (((((((((((((((((((((((((   Files Created from 2009-01-03 to 2009-02-03  )))))))))))))))))))))))))))))))
                  .

                  2009-02-02 22:01 . 2009-02-02 22:01   578,560   --a--c---   c:\windows\system32\dllcache\user32.dll
                  2009-02-02 21:59 . 2009-02-02 22:00   <DIR>   d--------   c:\windows\ERUNT
                  2009-02-02 21:53 . 2009-02-02 22:27   <DIR>   d--------   C:\SDFix
                  2009-02-02 17:25 . 2009-02-02 17:25   <DIR>   d--------   c:\program files\RegCure
                  2009-02-02 17:06 . 2009-02-02 17:06   <DIR>   d--------   c:\program files\CCleaner
                  2009-02-02 16:58 . 2009-02-02 16:58   <DIR>   d--------   c:\program files\RegSweep
                  2009-02-02 16:58 . 2009-02-02 16:58   <DIR>   d--------   c:\documents and settings\Bob\Application Data\RegSweep
                  2009-02-01 23:53 . 2009-02-01 23:53   125,440   --a--c---   c:\windows\system32\dllcache\userinit.exe
                  2009-02-01 23:49 . 2009-02-01 23:50   135,168   --a------   c:\windows\ikoqurihikicil.dll
                  2009-01-27 00:53 . 2009-01-27 00:53   <DIR>   d--------   c:\program files\NBA Jam Tournament Edition
                  2009-01-16 00:10 . 2009-01-16 00:10   <DIR>   d--------   c:\documents and settings\Bob\Application Data\Viewpoint
                  2009-01-13 20:32 . 2009-01-13 20:32   <DIR>   d--------   c:\program files\SUPERAntiSpyware
                  2009-01-13 20:32 . 2009-01-13 20:32   <DIR>   d--------   c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
                  2009-01-13 20:32 . 2009-01-13 20:32   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2009-01-13 20:18 . 2009-01-13 20:18   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
                  2009-01-11 19:46 . 2009-01-11 19:46   655   --a------   c:\windows\wininit.ini
                  2009-01-11 18:22 . 2009-01-13 21:31   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2009-02-02 17:52   ---------   d-----w   c:\documents and settings\Bob\Application Data\MSN6
                  2009-02-02 07:30   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
                  2009-02-01 18:57   325,128   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                  2009-02-01 18:57   107,272   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                  2009-01-06 23:14   ---------   d-----w   c:\program files\Google
                  2009-01-05 05:26   ---------   d-----w   c:\documents and settings\Bob\Application Data\AVGTOOLBAR
                  2009-01-02 09:17   ---------   d-----w   c:\program files\Soulseek
                  2008-12-12 08:10   ---------   d-----w   c:\documents and settings\Bob\Application Data\Twain
                  2008-12-11 10:57   333,952   ----a-w   c:\windows\system32\drivers\srv.sys
                  2008-12-11 03:30   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
                  2008-12-11 03:19   ---------   d-----w   c:\program files\Microsoft Works
                  2008-12-11 03:02   ---------   d-----w   c:\program files\Microsoft SQL Server
                  2008-12-11 03:02   ---------   d-----w   c:\documents and settings\Bob\Application Data\GetRightToGo
                  2008-11-16 01:05   65,848   ----a-w   c:\documents and settings\Bob\Application Data\GDIPFONTCACHEV1.DAT
                  .

                  ------- Sigcheck -------

                  2002-08-29 05:41  22016  e931e0a2b8bf0019db902e98d03662cb   c:\windows\$NtServicePackUninstall$\userinit.exe
                  2008-04-14 04:42  26112  a93aee1928a9d7ce3e16d24ec7380f89   c:\windows\ServicePackFiles\i386\userinit.exe
                  2009-02-01 23:53  125440  b6fe9dcc2857c2d8e472d260b5735ecf   c:\windows\system32\userinit.exe
                  2009-02-01 23:53  125440  b6fe9dcc2857c2d8e472d260b5735ecf   c:\windows\system32\dllcache\userinit.exe
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                  "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "c:\program files\AOL\AIM Toolbar 5.0\aoltb.dll" [2008-03-07 1090912]

                  [HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
                  [HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
                  [HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
                  [HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
                  "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
                  "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
                  "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 68856]
                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
                  "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
                  "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
                  "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
                  "RegSweep"="c:\program files\RegSweep\RegSweep.exe" [2008-12-16 6751480]
                  "Vwagux"="c:\windows\ikoqurihikicil.dll" [2009-02-01 135168]

                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-01 45056]

                  [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                  "NoSetActiveDesktop"= 1 (0x1)
                  "NoActiveDesktopChanges"= 1 (0x1)

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                  2009-02-01 13:57 10520 c:\windows\system32\avgrsstx.dll

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                  BootExecute   REG_MULTI_SZ      \0

                  [HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Adobe Media Player.lnk]
                  path=c:\documents and settings\Bob\Start Menu\Programs\Startup\Adobe Media Player.lnk
                  backup=c:\windows\pss\Adobe Media Player.lnkStartup

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                  "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                  "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
                  "c:\\Program Files\\AIM6\\aim6.exe"=
                  "c:\\Program Files\\Soulseek\\slsk.exe"=
                  "c:\\Program Files\\iTunes\\iTunes.exe"=
                  "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

                  R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-09-01 325128]
                  R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-09-01 107272]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
                  R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-01 903960]
                  R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-01 298264]
                  R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-01 24652]
                  R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
                  S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-04 33752]
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
                  - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

                  2009-02-03 c:\windows\Tasks\RegCure Program Check.job
                  - c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

                  2009-02-02 c:\windows\Tasks\RegCure.job
                  - c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

                  2009-02-03 c:\windows\Tasks\RegSweep Scheduled Scan.job
                  - c:\program files\RegSweep\RegSweep.exe [2008-12-16 17:01]

                  2009-02-03 c:\windows\Tasks\RegSweep Scheduled Scan.job
                  - c:\program files\RegSweep [2009-02-02 16:58]
                  .
                  - - - - ORPHANS REMOVED - - - -

                  BHO-{3332E765-3AFF-4823-BBF5-E09CBC32FCE4} - (no file)
                  BHO-{46487b65-3a2b-5f8c-4cbf-d0078049467c} - (no file)
                  BHO-{E075AEFB-325C-402A-82C3-59AC363FF35B} - (no file)
                  Notify-iifeeFYP - iifeeFYP.dll


                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.aol.com/?src=aim
                  IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                  DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                  .

                  **************************************************************************

                  catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2009-02-02 22:55:55
                  Windows 5.1.2600 Service Pack 3 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(792)
                  c:\program files\SUPERAntiSpyware\SASWINLO.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\windows\system32\WLTRYSVC.EXE
                  c:\windows\system32\BCMWLTRY.EXE
                  c:\windows\system32\LEXBCES.EXE
                  c:\windows\system32\LEXPPS.EXE
                  c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  c:\program files\AVG\AVG8\avgrsx.exe
                  c:\program files\AVG\AVG8\avgcsrvx.exe
                  c:\windows\system32\wscntfy.exe
                  c:\program files\iPod\bin\iPodService.exe
                  c:\program files\AIM6\aolsoftware.exe
                  c:\progra~1\AVG\AVG8\avgnsx.exe
                  c:\windows\system32\wbem\wmiadap.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2009-02-02 23:00:20 - machine was rebooted [Bob]
                  ComboFix-quarantined-files.txt  2009-02-03 04:00:16

                  Pre-Run: 128,087,625,728 bytes free
                  Post-Run: 127,998,791,680 bytes free

                  194   --- E O F ---   2009-01-15 08:02:01

                  evilfantasy

                  Re: Registry help
                  « Reply #14 on: February 02, 2009, 09:13:48 PM »
                  OK I see what the problem is now. This is a very nasty rootkit you have picked up.

                  Are you able to connect to the internet with the infected computer now? We can fix it but it will be easier with a net connection.
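
Added example, not part of the original thread and not ComboFix's own code: a small Python triage of two sections of the ComboFix log posted in Reply #13. It applies two heuristics that are assumptions of this example (the thread does not say how the log was read): a system32 file listed under Sigcheck whose MD5 differs from the ServicePackFiles copy, and a Run value that points at a bare .dll.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log in the thread above.
SAMPLE_LOG = r"""
------- Sigcheck -------

2002-08-29 05:41  22016  e931e0a2b8bf0019db902e98d03662cb   c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 04:42  26112  a93aee1928a9d7ce3e16d24ec7380f89   c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-01 23:53  125440  b6fe9dcc2857c2d8e472d260b5735ecf   c:\windows\system32\userinit.exe
2009-02-01 23:53  125440  b6fe9dcc2857c2d8e472d260b5735ecf   c:\windows\system32\dllcache\userinit.exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"RegSweep"="c:\program files\RegSweep\RegSweep.exe" [2008-12-16 6751480]
"Vwagux"="c:\windows\ikoqurihikicil.dll" [2009-02-01 135168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"""

# Sigcheck row: date, time, size, MD5, path
SIG_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d+)\s+([0-9a-f]{32})\s+(\S.*)$", re.M)
KEY_RE = re.compile(r"^\[(.+)\]$")
# Registry value row: "name"="data" [date size]
VAL_RE = re.compile(r'^"(.+?)"=\s*"(.+?)"\s*\[\d{4}-\d{2}-\d{2} \d+\]$')


def sigcheck_mismatches(log):
    """Return (path, size, md5) for system32 copies that differ from the
    ServicePackFiles copy of the same file name (heuristic baseline)."""
    by_name = defaultdict(list)
    for size, md5, path in SIG_RE.findall(log):
        name = path.lower().rsplit("\\", 1)[-1]
        by_name[name].append((path, int(size), md5))
    flagged = []
    for copies in by_name.values():
        baseline = {md5 for path, _, md5 in copies
                    if "\\servicepackfiles\\" in path.lower()}
        if not baseline:
            continue  # no reference copy listed, nothing to compare
        for path, size, md5 in copies:
            if "\\system32\\" in path.lower() and md5 not in baseline:
                flagged.append((path, size, md5))
    return flagged


def run_key_dll_entries(log):
    """Return (key, value name, target) for Run values whose data is a .dll."""
    key, hits = None, []
    for line in (raw.strip() for raw in log.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            name, target = m.groups()
            if target.lower().endswith(".dll"):
                hits.append((key, name, target))
    return hits


if __name__ == "__main__":
    for path, size, md5 in sigcheck_mismatches(SAMPLE_LOG):
        print(f"hash differs from ServicePackFiles copy: {path} ({size} bytes, {md5})")
    for key, name, target in run_key_dll_entries(SAMPLE_LOG):
        print(f"Run value points at a DLL: {key} -> {name} = {target}")
```

A hash mismatch here is a prompt for a closer look, not a verdict, since a later update can legitimately replace a system file.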