Cannot delete bug file

Thread: Cannot delete bug file

  1. #1
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046

    Cannot delete bug file

    I am working on a friend's computer that was heavily loaded with major bugs. I've been able to neutralize most of them but this one just will not stay away. It is batmeter16.dll. I don't know which virus it is associated with but it shows up when I do an HJT scan. I click to delete it and do another scan and it comes right back.

    I've run malwarebytes several times and it is now reporting clean. HJT reports the file as being in C:\windows, but I cannot find it there. I've searched the entire contents of all drives and it is not found. Neither could I find it in the registry. It's a mystery.

    I am doing all of this while in safe mode and Restore is turned off. I've already completed a thorough cleaning with ccleaner and deleted all temp files, and cleaned up the reg.

    The computer is a Dell with XP Home installed. I have not been able to boot into xp normal with any success as of yet but I am able to work in safe mode now. Consequently, I cannot install SuperAntiSpyware, nor Adaware-SE. For some reason neither of those two will install while in safe mode.

    Anybody know how to get rid of this file?

    Thanks...Randy
    XFX nForce 680iLT, Intel Core 2 Q6600 2.4GHz, Kentsfield Quad-Core CPU, 4x1G OCZ PC2 6400, XFX GeForce 8600GT Adapter, Realtek HD Audio, Vista Ultimate 64 SP1, SAMSUNG SP 1614C SATA 160GB, Seagate Barracuda SATA 300 320GB, Samsung SH-S162L DL DVD±RW/±R, ACER AL2216W 22" Monitor


    Lottery: a tax on people who are bad at math.

  2. #2
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Have you tried GMER?

    Download gmer.zip: http://www.gmer.net/files.php
    Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

  3. #3
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    Nope, haven't heard of that one, but I will do as you have requested.

    Thanks.

  4. #4
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    Doesn't look like much to me but maybe there's something that you will see. By the way, I was finally able to get SuperAntiSpyware installed and run. It found about 46 entries that it said it fixed. Now when I run HJT I still see the O18 entry but it doesn't list the batmeter16.dll file anymore. The computer seems to be doing much better now. I will include the latest HJT log as well after the GMER log for your review.

    Thanks Train...Randy


    GMER 1.0.15.15220 - http://www.gmer.net
    Rootkit scan 2009-11-12 02:37:09
    Windows 5.1.2600 Service Pack 2
    Running: 3bdjh7jt.exe; Driver: C:\DOCUME~1\HANNAH~1\LOCALS~1\Temp\uwlcypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF74D787E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF74D7BFE]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:53:24 AM, on 11/12/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: hc_tray.lnk = C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Filter hijack: text/html - {a6d99a9c-484a-4a16-aa0c-2e72067f9c07} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3614 bytes
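The triage script below is an added example (editor's code, not code from the thread or from HijackThis) showing how a practitioner would pull the interesting lines out of a log like the one just posted instead of reading all of it. Its rules are heuristics, not HJT verdicts: an entry that ends in "(no file)" is a registry reference whose target is gone, an O18 entry is a MIME or protocol filter that very little legitimate software installs, and anything that autostarts from a Temp directory or a user profile rather than Program Files or System32 deserves a second look. The sample input is constructed: five lines are copied from the HJT log above, and the O4 line pointing at the Temp directory is made up to exercise that rule. It assumes PowerShell 2.0 or later.

```powershell
# Added example (editor's code, not from the thread or from HijackThis):
# first-pass triage of HijackThis log lines. The rules are heuristics, not
# HJT verdicts. Assumes PowerShell 2.0 or later.

# Constructed sample: five lines copied from the log posted above plus one
# made-up O4 line pointing at the Temp directory, to exercise that rule.
$hjtSample = @'
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [updater] C:\DOCUME~1\HANNAH~1\LOCALS~1\Temp\f.exe
O18 - Filter hijack: text/html - {a6d99a9c-484a-4a16-aa0c-2e72067f9c07} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
'@

function Get-HjtFinding {
    # Emit one record per log line that trips at least one rule.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Only R0/R1/O2/O4/... entries; skip the header and the process list.
        if ($line -match '^(O\d+|R\d) - ') { $section = $matches[1] } else { continue }
        $reasons = @()
        # A CLSID or path that no longer resolves: an orphaned registry reference.
        if ($line -match '\(no file\)') { $reasons += 'orphaned entry (no file)' }
        # MIME/protocol filters hook every page IE renders; few legitimate apps add them.
        if ($section -eq 'O18') { $reasons += 'MIME/protocol filter hook' }
        # Autostart code living in Temp or a user profile rather than Program Files/System32.
        if ($line -match '\\temp\\|\\local settings\\|\\locals~1\\') { $reasons += 'runs from a Temp/profile path' }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Section = $section
                Reasons = ($reasons -join '; ')
                Line    = $line
            }
        }
    }
}

# Usage: on the sample this reports the made-up O4 line (Temp path) and the
# O18 line (filter hook and orphaned), and nothing else.
Get-HjtFinding ($hjtSample -split "`r?`n") | Format-Table Section, Reasons, Line -AutoSize -Wrap
```

The point of keeping the rules this narrow is that a clean log from a machine with several security products installed (as here, with avast!, Ad-Aware, Spybot and SUPERAntiSpyware all present) is long, and most of it is noise; the handful of lines these three rules select is where the manual work starts, not where it ends.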

  5. #5
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Post the SUPERAntiSpyware log too.

  6. #6
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    OK, here's the superantispyware log...

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/12/2009 at 02:07 AM

    Application Version : 4.30.1004

    Core Rules Database Version : 4264
    Trace Rules Database Version: 2148

    Scan type : Complete Scan
    Total Scan Time : 00:29:05

    Memory items scanned : 258
    Memory threats detected : 0
    Registry items scanned : 5078
    Registry threats detected : 0
    File items scanned : 18052
    File threats detected : 46

    Adware.Tracking Cookie
    C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
    C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
    C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@specificmedia[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@overture[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@adinterax[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@media6degrees[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@interclick[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@tribalfusion[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@serving-sys[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@collective-media[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@questionmarket[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@specificclick[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@tacoda[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@revsci[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@trafficmp[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@insightexpressai[2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@pointroll[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike brodeur@adbureau[1].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][2].txt
    C:\Documents and Settings\Mike Brodeur\Cookies\mike [email protected][1].txt

    Trojan.Agent/Gen
    C:\DOCUMENTS AND SETTINGS\HANNAH BRODEUR\LOCAL SETTINGS\TEMP\F.EXE

    Malware.Installer-Pkg/Gen
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
    C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

  7. #7
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    See if you can find C:\WINDOWS\system32\Batmeter16.dll

    Super should have got it if it was still there.
    http://www.superantispyware.com/malw...TER16.DLL.html

  8. #8
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    I did a full search of the computer last night for that file and didn't find anything. Searched the registry for it as well and couldn't find any reference there either.

    I just looked in C:\windows\system32 and didn't see it. I found batmeter.dll, but not batmeter16.dll.

    The O18 is still showing up in HJT...without the batmeter16.dll, though. It just says file missing now.

    This is strange. The computer seems to be working OK, though. I can boot normally and it's not real slow like it was. No more popups. I am still concerned about it though.

    Thanks Train.

  9. #9
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    batmeter.dll should be a legit file; check its properties.
    Mine reads version 6.0.2900.5512,
    Battery Meter Helper DLL, and an M$ file.

    Do you have hidden checked to be shown?

  10. #10
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    Yes, all files are visible...none hidden.

    My properties are the same as yours, so I guess this file is legit. I think the file and virus are gone but for some reason this reg entry remains. If I search the registry for the O18 HJT log entry {a6d99a9c-484a-4a16-aa0c-2e72067f9c07}, I find it listed in four different locations. I'm wondering if it would be safe to just delete them from the registry. I ran ccleaner in hopes that it would do it but it still shows up in the HJT log after.
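The registry audit below is an added example (editor's code, not from the thread, HijackThis or any of the scanners named above). It covers both of the questions in the last two posts: it resolves each MIME filter registered under HKCR\PROTOCOLS\Filter (the entries HJT lists as O18) to its CLSID and then to the DLL named in that CLSID's InprocServer32 key, reports whether the DLL exists and what version, company, description and signature it carries (the properties check suggested for batmeter.dll), and backs a filter key up with reg.exe before deleting it. Assumptions: PowerShell 2.0 or later, an elevated session for the delete, that a filter subkey stores its CLSID in a value named CLSID (the layout IE documents for MIME filters), and that a bare file name in InprocServer32 is looked up in System32 and then %SystemRoot% (a simplification of the loader's real search order). The MIME type text/html and the CLSID come from the HJT log on this page; the batmeter.dll path is the one discussed above.

```powershell
# Added example (editor's code, not from the thread, HijackThis or any scanner
# named above). Reads the MIME-filter registrations HJT reports as O18 entries
# straight from the registry, resolves each one to the DLL it loads, reports
# whether that DLL exists and how it identifies itself, and backs a filter key
# up before deleting it. Assumes PowerShell 2.0+ and, for removal, an elevated
# session.

$HKCR = [Microsoft.Win32.Registry]::ClassesRoot

function Get-FileIdentity {
    # Existence (hidden/system files included), version-resource fields and
    # embedded Authenticode status for one file.
    param([Parameter(Mandatory=$true)][string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Assumption: a bare name is looked up in System32, then %SystemRoot%
        # (a simplification of the loader's real search order).
        foreach ($dir in @([Environment]::SystemDirectory, $env:SystemRoot)) {
            $candidate = Join-Path $dir $p
            if ([IO.File]::Exists($candidate)) { $p = $candidate; break }
        }
    }
    $file = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if (-not $file) { return New-Object PSObject -Property @{ Path = $p; Exists = $false } }
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path        = $file.FullName
        Exists      = $true
        Hidden      = ([int]($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        Version     = $ver.FileVersion
        Company     = $ver.CompanyName
        Description = $ver.FileDescription
        Signature   = $sig.Status      # NotSigned is normal for catalog-signed OS files
        Signer      = $signer
    }
}

function Resolve-Clsid {
    # CLSID -> path in InprocServer32, or $null when no in-process server is registered.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = $HKCR.OpenSubKey("CLSID\$Clsid\InprocServer32")
    if (-not $key) { return $null }
    $path = [string]$key.GetValue('')
    $key.Close()
    if ($path) { return $path }
    return $null
}

function Get-MimeFilter {
    # One record per subkey of HKCR\PROTOCOLS\Filter (the O18 list), joined
    # with the DLL its CLSID value points at. Assumption: the CLSID lives in a
    # value named CLSID, the layout IE documents for MIME filters.
    $root = $HKCR.OpenSubKey('PROTOCOLS\Filter')
    if (-not $root) { return }
    foreach ($mime in $root.GetSubKeyNames()) {
        $sub = $root.OpenSubKey($mime)
        $clsid = [string]$sub.GetValue('CLSID')
        $sub.Close()
        $dll = $null; $id = $null
        if ($clsid) { $dll = Resolve-Clsid $clsid }
        if ($dll)   { $id  = Get-FileIdentity $dll }
        New-Object PSObject -Property @{
            MimeType = $mime
            Clsid    = $clsid
            Dll      = $dll
            Orphaned = (-not $id) -or (-not $id.Exists)   # what HJT shows as "(no file)"
            Identity = $id
        }
    }
    $root.Close()
}

function Remove-MimeFilter {
    # Export the key with reg.exe, then delete it. Honors -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$MimeType,
          [string]$BackupDir = $env:TEMP)
    $keyPath = "HKCR\PROTOCOLS\Filter\$MimeType"
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path $BackupDir ('filter-' + ($MimeType -replace '[\\/]', '_') + "-$stamp.reg")
    if ($PSCmdlet.ShouldProcess($keyPath, "export to $backup, then delete")) {
        & reg.exe export $keyPath $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $keyPath failed; nothing deleted" }
        $HKCR.DeleteSubKeyTree("PROTOCOLS\Filter\$MimeType")
        Write-Output "Removed $keyPath (backup: $backup)"
    }
}

# Usage: list every filter and flag orphans, then inspect the DLL discussed above.
Get-MimeFilter | Format-Table MimeType, Clsid, Dll, Orphaned -AutoSize
Get-FileIdentity "$env:SystemRoot\system32\batmeter.dll" | Format-List
# Remove-MimeFilter -MimeType 'text/html' -WhatIf    # dry run first
```

Two caveats. HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, so a Regedit search for one GUID normally reports the same key at least twice (once under HKCR and once under the hive it really lives in), plus the Filter key that references it; several hits do not mean several infections, and the script only touches the Filter key because a CLSID key with no InprocServer32 behind it loads no code. And on XP-era PowerShell, Get-AuthenticodeSignature only sees signatures embedded in the file, while most XP system DLLs are signed through catalog files, so NotSigned on its own does not mean a system file was tampered with; the stronger checks are Sysinternals sigcheck, which verifies against the catalogs, or sfc /scannow. Run Remove-MimeFilter with -WhatIf first; the .reg backup is what lets you put the key back if a page stops rendering.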

  11. #11
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    If it is a folder, expand it and see what is there.

  12. #12
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    Here are a few screenshots of what I see in the registry.

    FYI: I've been able to install several updates during this time, such as SP3, IE8 and many hotfixes. This machine was fairly neglected so it needed a lot. But I have had no problems with downloading and installing them. It is now as current as it can be and seems to be working normal.
    Last edited by fubar; November 16th, 2009 at 05:58 AM.

  13. #13
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    If it is working normally, keep tabs on it for a few days.

  14. #14
    Join Date
    Apr 2002
    Location
    SF, CA
    Posts
    1,046
    Pretty much what I was thinking.

    Thanks for the help Train.

  15. #15
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    You are Welcome!
