getting rid of unwanted dll's

[Guest]

I have had a problem with 2 certain dll's trying to load into IE7 as addon's
(tuvuvsq.dll and ddcca.dll). Whenever I stop them, one or both would rename
themselves and try to load again. I normally use Norton Internet Security
2007 and all of the spyware programs I have tried find nothing abnormal
(Ad-Aware, Spybot S&D, SpywareBlaster, AVG Anti-Spyware, TrojanHunter, and
Windows Defender all in normal and safe mode). I was finally able to get rid
of the ddcca.dll manually by unloading it with regsvr32 and manually removing
all instances from the registry. So far (little over a week) it hasn't
cropped back up.

tuvuvsq.dll is another story. It won't unload because regsvr32 can't find
an entry point. All attempts to manually remove it from the registry have
failed. I can delete all the keys associated with the dll, close the
registry and reopen the registry, and they are back in. trying to remove it
in "Safe Mode" have failed because someone in their infinite wisdom at MS has
forced users to "logon" in safe mode, even to a command prompt, and I have
been able to determine that the DLL is loaded with the winlogon service.

Any help or ideas in getting rid of this would be greatly appreciated.

 

[Malke]

I have had a problem with 2 certain dll's trying to load into IE7 as addon's
(tuvuvsq.dll and ddcca.dll). Whenever I stop them, one or both would rename
themselves and try to load again. I normally use Norton Internet Security
2007 and all of the spyware programs I have tried find nothing abnormal
(Ad-Aware, Spybot S&D, SpywareBlaster, AVG Anti-Spyware, TrojanHunter, and
Windows Defender all in normal and safe mode). I was finally able to get rid
of the ddcca.dll manually by unloading it with regsvr32 and manually removing
all instances from the registry. So far (little over a week) it hasn't
cropped back up.

tuvuvsq.dll is another story. It won't unload because regsvr32 can't find
an entry point. All attempts to manually remove it from the registry have
failed. I can delete all the keys associated with the dll, close the
registry and reopen the registry, and they are back in. trying to remove it
in "Safe Mode" have failed because someone in their infinite wisdom at MS has
forced users to "logon" in safe mode, even to a command prompt, and I have
been able to determine that the DLL is loaded with the winlogon service.

Any help or ideas in getting rid of this would be greatly appreciated.

Register at one of the forums below and post a HijackThis log there (not
here, please). You are still infected.

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke

 

[Poprivet]

Have you tried reading:
http://forums.techguy.org/security/481494-windows-hijacked-dodgy-apps-2.html

I see you've already posted to a lot of places, so assum you still have the
problem. This thread claimed to have success from what I read.

Please do not multipost; cross post instead:
http://en.wikipedia.org/wiki/Crossposting

HTH
Pop`