Couple Of annoying Problems

[Chipmyster]

Ok, firstly the history.

Computer has been connected to the internet for about one month with NO problems at all, then out of the blue on this ordinary day, im gettin attacked by trojans svchost is playing about and the computer is running dam slowly.

Firstly the viruses, i have AVG free and up till today has never seen anything, today its come across what it deems trojans called "Trojan horse generic2.JHS" It picks Them up and can heal or move to vault, the problem is they keep on appearing time and time again using stupid names like 51528357283dl.exe and just keep attacking and are placed inside the system32 folder, i have zonealarm firewall free as well.

The svchost is the more frustrating at the moment. It was working fine then suddenly i was playing World Of Warcraft and i was hitting 1400 ping, left to find svchost was using 100k memory and changing between 0-25 cpu usage. I have no idea what might cause this.

Some help would be really nice, its a newish computer as well its just why did this all happen at once and can i make it stop, ive attached a HJT doc if that helps.

P.S During this post another generic2 tried to attack.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Your system is infected with a few nasties.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

Ok, I think I've done this right.

The picture, as I didnt know how else to show, shows the one file that never gets removed and appears every time on SBS&D, the virus scanners and other spyware programs dont pick this up.

I still get random trojans attacking, a good example is "Threat Dectected!, C:\WINDOWS\system32\22431562ld.exe" that appeared while typing this post.

Lastly, when I close the computer it always gives me a "rundll32.exe" error and that it is not responding and needs to be closed.

This is begining to get annoying as I want to use the computer for other things then fixing it, so any help would be much apprechaited ( yes I suck at spelling )

Thanks, Dan

 

[howard_hopkinso]

Your running more than one antivirus programme. This is not recommended, will slow your system down and can cause conflicts. Uninstall one of them now.

Once you`ve done that, do the following.

Download the Pocket killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ShadowMu-Launcher v3.1.exe
rfbxmjrr.exe
wupdate.exe
VTAgentReboot.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [antivirus] C:\Documents and Settings\Dan\Desktop\rfbxmjrr.exe

O4 - HKLM\..\Run: [wupdate] rundll32 C:\WINDOWS\system32\wupdate,wupdate

O4 - Global Startup: VTAgentReboot.exe

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\wupdate
C:\Documents and Settings\Dan\Desktop\rfbxmjrr.exe
C:\Documents and Settings\Dan\My Documents\Shadow Mu\ShadowMu-Launcher v3.1.exe

VTAgentReboot.exe<Search your system for this file and delete all instances of it.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\rpcc.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

Well, did all that, my svchost is no longer playing around, ill see if i get spammed by more viruses at a later date. It all seems to be working OK Thank you alot for the quick and very helpful responses howard.

And heres the log so you can check that

(P.S. Yes is moving much faster, didnt take 30 seconds to load the attach file window)

 

[howard_hopkinso]

Well done, your HJT log is now clean.

Have HJT fix this inactive entry.

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

Also, delete the killbox backups.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

Thank you again for the help , if i have further problems ill post back

 

[Chipmyster]

More problems...

Well it seem's i got struck again by these vile things.

After doing all the prelims etc, its come down to my search's being redirected to other sites and not opening the one i would like. I've attached the two logs you require hopefully this can get sorted out again

Cheers, Dan

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Windows Management Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

dmfim.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmfim.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\dmfim.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you`re still having any problems with being redirected.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

Done that, everything seems to working ok, attached the hjt log and hope its all clean. Thanks again

 

[howard_hopkinso]

Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

I don't know if this is related but its worrying me slightly, currently im using Zonealarm firewall which does the job its supposed to do well, its just that right this moment im watching it tick numbers, going up 10 blocked intrusions in a second or so, all my setting are on high security, but since i reinstalled it yesterday ive had 155k blocked intrusions....this worries me slightly but, like i said im not sure if this is a problem for this section. If it isn't i can repost in the correct area.

 

[howard_hopkinso]

I don`t think that`s anything to worry about.

Can you give details of exactly what`s being blocked?

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

I have just taken a screenshot of the log page, it's just thousands and thousands of what you see there.

[/url]

If you want anything more specific then that i'll post it up.

 

[howard_hopkinso]

That`s fine mate and it`s nothing to worry about. I have exactly the same kind of medium risk log entries in my Zonealarm log. It just show`s that Zonealarm is doing it`s job properly. Just forget about it.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

Ah, ok thanks for that, never seen it go this high Again thanks, your a bloody life saver

 

[Chipmyster]

Back again.

Well more problems, I seem prone to them.

This time it's a little more serious. I had a standard attack which doesnt happen very often at all, but it came and attacked to the point i hit lock the internet with zone alarm. I have the prelim stuff saved to a text file and started running through what i could and locating the files that were flagged as viruses and got rid of them all.

After that i rebooted and got back to the internet, the first thing that happened and has happened since is a virus called totutor i believe attacks, get detected and deleted, this happens every time i reboot the computer.

Next is when i try to load internet explorer i get the message "This application has failed to start because msvcrl.dll was not found. Re-installing the application may fix this problem"

In answer to how I am actully posting, a friend sent me firefox which works perfectly fine.

I have got a HJT log and a AVG Anti Root Log. If you need more just let me know

P.S. As an off-topic note, my computer takes a VERY long time to shutdown it can somtimes sit for 5 mins just turning off, dont know if thats related to anything been happening for awhile.

Thanks, Dan.

 

[DelJo63]

get a copy of Spywareblaster to stop bad ActiveX programs.

 

[Chipmyster]

Well, i have it now, but it doesn't help anything ^.^

 

[DelJo63]

Well, i have it now, but it doesn't help anything ^.^

it's not self-evident that it does, unless you have it PROMPT before blocking.

Me -- I just want the protection without the fuss.

The object is to inhibit as many paths into your system to avoid another
contamination.

 

[Chipmyster]

Sorry i realized how that sounded, yes I can see why i need it for the future.

Sorry for how i came across.

 

[DelJo63]

no offense taken -- what's true today can change tomorrow so we all eat
crow somewhere / sometime !

 

[howard_hopkinso]

Your system is infected with the Rustock rootkit and a wareout hijack infection.

Run AVG Antirootkit as per the instructions HERE and have it fix the lzx32.sys entry. Do another scan and see if it reappears.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

Fix all 017 entries.<These are from the hijacker.

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log as well as the C:\fixwareout\report.txt.

Let me know how your system is running and the results of the AVG Antirootkit scan.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chipmyster]

Right, did all of that.

I still get this message when i try to load Internet explorer.

"This application has failed to start because msvcrl.dll was not found. Re-installing the application may fix this problem"

And when i logged back in, i always get an attack by a file called "totour.exe" which always gets detected and deleted.

Other then that, everything is normal.

Here are the log files you requested If you need more let me know.

The AVG Rootkit scan came up clean.

 

[howard_hopkinso]

Your system is still infected with a trojan rootkit.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard

This thread is for the use of Chipmyster only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.