TechSpot

Finished 8 Steps, here are my logs

By DenzilVoorhees
Mar 1, 2009
  1. Had loads of problems over the past week; the desktop doesn't show up (found out this was a problem with explorer.exe). Attached the logs as requested; the file called "Trojan" contains the AVG Anti-Virus results that I copied down.

    Hope you can help,

    Been battling this infection for a week and counting!
     


  2. mflynn


    Run HJT Scan only and select and Fix all lines listed below
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
    O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
    O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll

    OK, update, then run both MBAM and SAS again!

    In the last MBAM run there was "No Action taken" meaning you did not elect to clean the found items. Please do so on this run.

    Post both logs!

    Mike
     
  3. DenzilVoorhees


    Hi,

    Done the steps that you told me to do above.

    Attached are new logs.
     
  4. mflynn


    Run HJT Scan only and select and Fix all lines listed below
    O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
    O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
    O4 - HKUS\.DEFAULT\..\Run: [vblzhjpb.exe] C:\WINDOWS\vblzhjpb.exe (User 'Default user')
    O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll

    Another run indicated!
    OK, there were found/removed items in both MBAM and SAS, so we need to run again, as the first run likely exposed things that were not even seen the first time.

    So another Quick Scan run will likely find more. So UPDATE both and run again.

    Mike
     
  5. DenzilVoorhees


    Done and logs attached.
     
  6. mflynn


    OK, more found; run both again!

    Mike
     
  7. DenzilVoorhees


    Hi,

    Am trying to run them again but have a problem now where Windows restarts within around 2 - 5 minutes of being on.
     
  8. mflynn


    That sounds like a heat-related problem.

    Try it in Safe Mode with Networking? Post logs!

    If it works in Safe Mode, then reboot to normal and do nothing for 10 minutes; if it stays on, then repeat in normal mode to see if it is MBAM or SAS that is doing it.

    Mike
     
  9. DenzilVoorhees


    Done again.

    Logs attached.
     
  10. mflynn


    OK, still some left that they could not handle!

    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.
    =========================================

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop, run SDFix. It will run (install), then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At the Desktop:
    In My Computer, double-click the C: drive to open it.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click RunThis.bat. Type Y to begin.

    SDFix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike

    EDIT: Forgot to paste the below.
    Run HJT Scan only and select and Fix all lines listed below
    O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
    O4 - HKUS\S-1-5-18\..\Run: [zzgoownz.exe] C:\WINDOWS\zzgoownz.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [bnagyziz.exe] C:\WINDOWS\bnagyziz.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [rveisllf.exe] C:\WINDOWS\rveisllf.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [lfwopopy.exe] C:\WINDOWS\lfwopopy.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ntqvfbhx.exe] C:\WINDOWS\ntqvfbhx.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [phnrcexg.exe] C:\WINDOWS\phnrcexg.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [lfzxtelk.exe] C:\WINDOWS\lfzxtelk.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [tjydccme.exe] C:\WINDOWS\tjydccme.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [xlprywgl.exe] C:\WINDOWS\xlprywgl.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [fpnsmuvr.exe] C:\WINDOWS\fpnsmuvr.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [phjrmbpj.exe] C:\WINDOWS\phjrmbpj.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [tjyruioa.exe] C:\WINDOWS\tjyruioa.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [vxvwghpn.exe] C:\WINDOWS\vxvwghpn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [zzgoownz.exe] C:\WINDOWS\zzgoownz.exe (User 'Default user')
    O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll
     
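The HijackThis lines Mike asks to fix in the post above are three separate persistence mechanisms: O4 Run-key entries under the SYSTEM (S-1-5-18) and Default hives that start random-named executables from C:\WINDOWS, a Browser Helper Object with no display name (O2), and a Winlogon Notify package (O20) that points at the same DLL as the BHO. The script below is an added example, not code from this thread or from HijackThis, that triages such lines automatically. The sample log is constructed from the lines quoted in the thread; the allowlist of default Windows XP Winlogon Notify subkeys and the "6 to 10 lowercase letters" shape of a dropper name are assumptions, so its output is a list of leads to check, not a verdict.

```python
"""Triage HijackThis (HJT) log lines for the autostart patterns seen in this thread."""
import ntpath
import re
from collections import defaultdict

# Constructed sample input: a subset of the HJT lines quoted in this thread.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
O4 - HKUS\S-1-5-18\..\Run: [zzgoownz.exe] C:\WINDOWS\zzgoownz.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [vblzhjpb.exe] C:\WINDOWS\vblzhjpb.exe (User 'Default user')
O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# O4 body: <hive>\..\Run: [value name] "<path>" <args> (User '...')
O4_RE = re.compile(
    r'^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s+"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll))"?',
    re.I)
# O2 body: BHO: <display name> - {CLSID} - <dll path>
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.I)
# O20 body: Winlogon Notify: <subkey> - <dll path>
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$", re.I)
# Assumed shape of the dropper names in this log: 6-10 lowercase letters, no digits or separators.
RANDOM_STEM = re.compile(r"^[a-z]{6,10}$")
# Assumed, partial allowlist of Winlogon Notify subkeys shipped with Windows XP.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def triage(log_text):
    """Return a list of {"kind", "line", "path", "reason"} findings for suspicious HJT entries."""
    findings = []
    loaders = defaultdict(set)  # lower-cased DLL path -> entry kinds (O2/O20) that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O4" and (o4 := O4_RE.match(body)):
            path = o4["path"]
            stem = ntpath.splitext(ntpath.basename(path))[0]
            # Random-looking .exe sitting directly in C:\WINDOWS (not System32, not Program Files)
            if ntpath.dirname(path).lower() == r"c:\windows" and RANDOM_STEM.match(stem):
                findings.append({"kind": kind, "line": line, "path": path,
                                 "reason": f"random-looking {stem}.exe dropped directly in C:\\WINDOWS, "
                                           f"autostarting from hive {o4['hive']}"})
        elif kind == "O2" and (o2 := O2_RE.match(body)):
            loaders[o2["path"].lower()].add("O2")
            if o2["name"].lower() == "(no name)":
                findings.append({"kind": kind, "line": line, "path": o2["path"],
                                 "reason": "BHO registered without a display name; check the DLL"})
        elif kind == "O20" and (o20 := O20_RE.match(body)):
            loaders[o20["path"].lower()].add("O20")
            if o20["subkey"].lower() not in KNOWN_NOTIFY:
                findings.append({"kind": kind, "line": line, "path": o20["path"],
                                 "reason": f"Winlogon Notify subkey '{o20['subkey']}' is not a known "
                                           "Windows default; the DLL is loaded by winlogon.exe at boot"})
    # Cross-check: the same DLL registered as both a BHO and a Winlogon Notify handler.
    for dll, kinds in loaders.items():
        if kinds >= {"O2", "O20"}:
            findings.append({"kind": "O2+O20", "line": "", "path": dll,
                             "reason": "same DLL is both a BHO (O2) and a Winlogon Notify handler (O20); "
                                       "while winlogon.exe holds it open, deleting it from a running "
                                       "session will fail"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['kind']}] {f['path']}\n    {f['reason']}")
```

The cross-check is the finding that matters most for this thread: a DLL registered under Winlogon Notify is mapped into winlogon.exe during boot, before any user session exists, which is why the same O2 and O20 lines keep reappearing after HJT "fixes" them from within Windows. The msnmsgr entry is deliberately not flagged: it lives under Program Files and has a recognisable name, so a SYSTEM-hive Run entry alone is not treated as evidence.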
  11. DenzilVoorhees


    Hi,

    That O2 (- BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll) and O20 (- Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll) don't seem to budge.

    Also, SDFix won't run on my laptop; it keeps coming up with a blue screen and fatal error not long after it has started. I've tried around 5 times.

    So I've only got 2 logs for you this time.
     
  12. mflynn


    ComboFix is full of found nasties.

    Run combofix again!

    Mike
     
  13. mflynn


    COMBOFIX-Script
    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    C:\WINDOWS\jrcbmogf.exe
    C:\WINDOWS\fpogbmbz.exe
    C:\WINDOWS\vxvzgphe.exe
    C:\WINDOWS\hdlzgvam.exe
    C:\WINDOWS\rvhtlpxy.exe
    C:\WINDOWS\vxvoxoog.exe
    C:\WINDOWS\lfoihuuq.exe
    C:\WINDOWS\jrcbmogf.exe
    c:\windows\system32\tuxsjrw.dll
    C:\WINDOWS\system32\ctfmon.exe
    Then drag this script and drop it on top of ComboFix.

    ComboFix will now run a scan on your system.

    It may reboot your system when it finishes. This is normal.

    When finished, it will create a log. Attach the log back to us.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Mike
     
  14. DenzilVoorhees


    Followed instructions above and have attached Log.
     
  15. mflynn


    Still there!

    Do this!

    Download RogueFix from http://www.internetinspiration.co.uk/downloads/roguefix_2.239.bat Note: if the file opens instead of downloading, then right-click and choose "Save As".

    When finished, it will reboot the computer; when back at the desktop, do the below.

    Go here first and download SmitfraudFix: http://siri.geekstogo.com/SmitfraudFix.php
    The instructions for running it are also on this page; print the page if necessary, and run it.

    After the reboot, run both MBAM and ComboFix to confirm it is gone. Attach logs!

    Mike
     
  16. DenzilVoorhees


    Hi,

    I've managed to run Roguefix and have attached a log.

    However, when I try to run SmitfraudFix: I load up safe mode (normal, networking and command line options) and then my computer freezes before I can do anything. Is it OK to run this in normal Windows mode? I did manage to take a log (in normal Windows operation) but haven't run any fixes from that program.

    Argh!!!!
     
  17. mflynn


    OK, in normal mode first:

    run 2, 3 and 5.

    When it asks to clean the registry, answer yes!

    Then boot to Safe Mode only and try the same steps from there.

    What you posted looked OK, but do the above just to be sure!

    How is computer after the above and is AVG still detecting the issues?

    Mike
     
  18. DenzilVoorhees


    AVG isn't detecting anything. However, every time I try to run SAS it shuts down my computer.
     
  19. DenzilVoorhees


    Ran steps 2, 3 and 5 in normal mode. See attached log.

    Safe mode still not working.
     
  20. mflynn


    In Add/Remove Programs, uninstall SAS, reboot, re-download and reinstall.

    If it then still does the same, try it from Safe Mode!

    Are you thinking the same as me: if it ran before and not now, then there may be more malware?

    Because there is a reason it will not run now.

    Do the below when you can.

    Go here and download DrWeb: http://www.techspot.com/vb/post724044-3.html

    Then....

    Boot to Safe Mode only (not with Networking) and run...

    DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

    For the first virus it finds, select Cure, and do the same for all the rest.

    This could take hours!

    Mike
     
  21. DenzilVoorhees


    Safe mode on its own isn't working. Loads to desktop then freezes.
     
  22. mflynn


    And normal mode does! Hmm!

    Let's clean up:

    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom, no Yahoo toolbar)
    Run twice or more on Cleanup (temps), then on the left click Registry, then Scan for issues; also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, also in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore, OK to "Are you sure?", and then OK to run.

    As this runs, it clears all but the most recent Restore Point, but it also clears one other thing that can contain infested files and use a huge amount of disk space.

    It clears what is known as Shadow Copies, which are used by specialized backup programs.

    This is if you have Volume Shadow Copy running, which is the default.

    Then do a full power-off shutdown, wait 30 seconds and power back up; try Safe Mode now!

    Mike
     
  23. DenzilVoorhees


    I've run all those cleaners and still can't get safe mode to work.

    Followed the System Restore instructions too. Still no working safe mode.
     
  24. DenzilVoorhees


    Still can't get into safe mode.

    Now, uninstalled AVG and trying to install Avira but keep getting the following error message:

    "The CRC Sum of
    C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\basic\setup.exe has been changed! This could be due to a virus! Do you want to shut down setup?"

    Then there is only an "OK" box and it quits the installation.

    Plus I've had a problem with the laptop installing my BT Voyager 105 modem.
     
  25. DenzilVoorhees


    Still can't get safe mode to work.

    The problem with the BT Voyager modem is that it tries to install the hardware (at the bottom right-hand corner) and then says that there was a problem installing it, which causes the installer to stop.
     