HELP! with my computer virus

By davidstl
Feb 1, 2007
Topic Status:
Not open for further replies.
  1. dear TechSpot,
    My computer is freezing-up when I click on links, it is running really slow, and my antivirus says that I am infected but it does not heal or delete the problems. Different virus programs find different numbers of "threats". McAfee found 50+, and Avast found like 89 different threats. Please help me if you can. PS I also get pop-ups for spyware removers and porn; and something called: run-time error '424' object required.
    Please HELP!
    davidstl
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    HELP! with my computer virus PART DEUX

    Dear Howard,
    I just got your reply to my post. I would like to try the cleaning tools you provided. I don't do any online banking, but I have done shopping in the past; like from Amazon, and EBay, and stuff. Can I still use your tools? Or would there still be a "backdoor trojan" threat? I am a computer novice at best.
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, before continuing with my instructions, let`s try and see what nasties you have on your system. Go and read this thread HERE, then post a HJT log as an attachment into this thread.

    Regards Howard :)

  5. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    This is my HJT log. But how do I send you a copy of my AVG virus list?
    Thanks for the help.
    Davidstl

  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I don`t require your AVG virus list.

    Your system is badly infected with all kinds of nasties.

    You need to follow the instructions in my first post.

    Once you`ve done that, please post a fresh HJT log and an AVG Antispyware log.

    Regards Howard :)

  7. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    I ran your four suggested tools and suddenly all is well. I appear to be running smoothly and so far no sex pop-ups -even though one was really good- I mean, so far you fixed me right up. Thanks a lot and I'll attach a new HJT Log. I still can't figure out how to attach an AntiSpyware Log. But there WAS spyware on my computer.
    Thanks
    Davidstl

    PS how do I choose which boxes to check for deletion and which ones should be left untouched in the HJT Log?
    PPS I spoke too soon. I'm currently rerunning AVG AntiVirus, and it's found 3. However, that is better than 89. Plus I'm still surfing and no pop-ups or freezing.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your system is still badly infected with a variety of nasties.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    Download and install AVG Antispyware(formerly Ewido) from http://download.ewido.net/ewido-signatures-full-current.exe
    Double-click the icon on your desktop to run it.
    On the top of the main screen click Shield. Click the word active to change it to inactive.
    On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
    When you have finished updating, exit AVG Antispyware.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Easy SpyRemover

    Close your control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft Updates
    PPPOEO


    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    xjqlu.exe
    iexpfxc.exe
    wkssvr.exe

    pingppac.exe
    EasySpyRemover.exe
    haahus.exe

    pwintoea.exe
    SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe

    Close task manager.

    Make sure all windows are closed. Run AVG Antispyware.
    Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
    When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
    Then click 'Apply all actions'.

    Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.


    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xjqlu.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iexpfxc.exe

    O2 - BHO: (no name) - {1CB5068C-96FC-C741-8C31-0452599DB167} - C:\WINDOWS\System32\bceazsf.dll

    O2 - BHO: (no name) - {21135A9A-5827-4749-337D-0847EB327A87} - C:\WINDOWS\System32\wlsnsyj.dll

    O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvilz.dll (file missing)

    O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)

    O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe

    O4 - HKLM\..\Run: [PPPOEO] pingppac.exe

    O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart

    O4 - HKLM\..\Run: [fswubun.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc

    O4 - HKLM\..\Run: [xnxjqv.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xnxjqv.dll,ivsglze

    O4 - HKLM\..\Run: [gqeyuq] C:\WINDOWS\System32\haahus.exe reg_run

    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwintoea.exe SKY001

    O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe

    O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe

    O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe

    O4 - HKCU\..\Run: [dnlav] C:\WINDOWS\System32\haahus.exe reg_run

    O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue

    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwintoea.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)

    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

    O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

    O20 - Winlogon Notify: winxrn32 - winxrn32.dll (file missing)

    O21 - SSODL: NginoXDAt - {36536D5F-9CF9-C7F5-63F4-75EE64BFB981} - C:\WINDOWS\System32\xpf.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\System32\xjqlu.exe
    C:\WINDOWS\system32\userinit.exe,iexpfxc.exe
    C:\Program Files\Easy SpyRemover<Delete the entire folder.
    C:\WINDOWS\System32\haahus.exe
    C:\WINDOWS\SYSTEM32\pwintoea.exe

    wkssvr.exe
    pingppac.exe
    <Search your system for these two files and delete all instances found.

    C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\System32\bceazsf.dll
    C:\WINDOWS\System32\wlsnsyj.dll
    C:\WINDOWS\System32\fswubun.dll

    C:\WINDOWS\System32\xnxjqv.dll
    c:\windows\system32\ldcore.dll
    C:\WINDOWS\SYSTEM32\instcat.dll

    C:\WINDOWS\System32\xpf.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

  9. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    Whoa! Okay. I'll give this all a try. It could take me awhile. Thanks and here goes...
    Davidstl
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    No problem mate, just take your time and follow the instructions very carefully.

    Regards Howard :)

  11. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    I have finished following the instructions you gave me. And I'll post a fresh HJT Log here too, plus my AVG AntiSpy Log. I have concerns though because the AVG SpyWare while it detected over 200 tracking threats and downloaders it did NOT move or delete them; it IGNORED them. Why? Don't I want them removed or deleted?
    My other concern is that while in Safe Mode the HJT FIXed the items you asked me to remove, but when I checked HJT in Normal Mode all the items you asked me to FIX were still listed...Why? I thought I just "FIXed" them.
    My last two concerns are: any instance of instcat.dll could NOT be fixed or deleted. Why? And lastly, something by ThinkAds is currently sending me Pop-ups. Why? Why me?
    Davidstl
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    The reason AVG has ignored everything is due to when it finished scanning you needed to tell it what you wanted it to do with the results. See this pictorial guide HERE.

    It also appears you`ve posted a fresh HJT log from safe mode, when what I needed was a log from normal mode.

    Run AVG Antispyware again in safe mode and apply the correct actions to the results. Then, reboot into normal mode and run a HJT scan. Post both HJT and AVG Antispyware logs.

    Regards Howard :)

  13. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    I'm surfing without freezing, but I have new problems.
    1.) rundll error loading c:\windows\system32\xnxjqv.dll
    the specified module could not be found.
    2.) rundll error loading c:\windows\system32\fswubun.dll
    the specified module could not be found.
    I get these messages when I turn on the computer.
    3.) I can't ShutDown my computer from the Start Button anymore. When I click to ShutDown it only restarts. Sometimes I get this message on a black screen: STOP: c000021a {Fatal System Error} The windows logon process system process terminated unexpectedly with a status of 0xc0000005(0 x 00000000 0 x 00000000). The system has been shut down.
    4.) I'm still getting ad pop-ups for schools and classmates.

    I'm trying again with the AVG AntiSpyware and HJT. Sorry I sent you the wrong stuff. I really need your help.
    Davidstl
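Added example, not part of the thread or written by any poster: the two RUNDLL startup errors above name the same DLLs that the O4 Run entries in the earlier fix list load through rundll32.exe, and a Run value that outlives its DLL produces exactly that error. The Python sketch below parses HijackThis-style lines copied from the thread and reports autoruns whose payload is in a set of removed files, plus extra programs appended to the F2 Shell/UserInit values; the function names and the `REMOVED` set are assumptions made for illustration.

```python
import ntpath
import re

# Lines copied from the HijackThis fix list earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xjqlu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iexpfxc.exe
O4 - HKLM\..\Run: [fswubun.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc
O4 - HKLM\..\Run: [xnxjqv.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xnxjqv.dll,ivsglze
O4 - HKLM\..\Run: [gqeyuq] C:\WINDOWS\System32\haahus.exe reg_run
O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
""".strip().splitlines()

# Constructed for the example: files assumed to be already gone from disk.
REMOVED = {
    r"C:\WINDOWS\System32\fswubun.dll",
    r"C:\WINDOWS\System32\xnxjqv.dll",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.+)$")
O4_RE = re.compile(r"^O4 - ([^:]+): \[([^\]]+)\] (.+)$")
CMD_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s+(.*))?$', re.IGNORECASE)


def winlogon_extras(line):
    """Return programs appended to the Winlogon Shell/UserInit value.

    The value is a comma-separated list; anything other than the stock
    explorer.exe / userinit.exe item is an extra program run at logon.
    """
    m = F2_RE.match(line.strip())
    if not m:
        return []
    default = "explorer.exe" if m.group(1) == "Shell" else "userinit.exe"
    items = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return [p for p in items if ntpath.basename(p).lower() != default]


def autorun_payload(command):
    """Return the file a Run command really loads, lower-cased."""
    m = CMD_RE.match(command.strip())
    if not m:
        return command.strip().lower()
    exe, args = m.group(1), m.group(2) or ""
    if exe.lower().endswith("rundll32.exe") and args:
        # rundll32 <dll>,<export>: the DLL is the payload, not rundll32.
        return args.split(",", 1)[0].strip('" ').lower()
    return exe.lower()


def orphaned_autoruns(lines, removed):
    """List (key, value name, payload) for Run entries whose file is gone."""
    gone = {p.lower() for p in removed}
    gone_names = {ntpath.basename(p) for p in gone}
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key, name, command = m.groups()
        target = autorun_payload(command)
        bare = "\\" not in target  # heuristic: bare names match by file name
        if target in gone or (bare and target in gone_names):
            hits.append((key, name, target))
    return hits


if __name__ == "__main__":
    for hit in orphaned_autoruns(SAMPLE_LOG, REMOVED):
        print("Run value still points at a removed file:", hit)
```

Each reported entry is a registry value to fix in HJT from normal mode; deleting the file alone leaves the autorun in place.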
     
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Once I have your new HJT and AVG Antispyware logs, I`ll be in a better position to help you.

    Regards Howard :)

  15. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    Okay, I've just finished the new AVG AntiSpyware scan and applied the proper delete Action. The scan took an hour and a half in safe mode. Now I can quickly give you a new HJT Log, but a new AVG Spyware scan in normal mode will be another two hours I'm sure; I'll scan after this message is sent. I will shoot it to you after. Thanks for hanging in there with me.
    Davidstl
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your system is still heavily infected with lots of nasties.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    These are the filepaths you need to enter into Vundo fix.

    C:\WINDOWS\System32\xpf.dll
    C:\WINDOWS\SYSTEM32\instcat.dll
    c:\windows\system32\ldcore.dll

    C:\WINDOWS\System32\fswubun.dll
    C:\WINDOWS\System32\xnxjqv.dll

    Post a fresh HJT log after doing the above.

    Regards Howard :)

  17. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    Okay, here are my fresh AVG and HJT Logs. I'm running VundoFix right now and I'll get back to you. Thanks.
    Davidstl
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, no problem. Once I have your new HJT log after running Vundofix, I`ll see what`s left for us to get rid of.

    Regards Howard :)

  19. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    I just finished VundoFix and it deleted all suggested files minus c:\windows\system32\instcat, which it could not delete. There was no reason given why.
    Here is the latest HJT Log file.
    I'm still getting ThinkAdz pop-ups.
    Thanks,
    Davidstl
  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    when it reboots and post a fresh HJT log.

    Regards Howard :)

  21. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    Okay, I ran Avenger. However, when it attempted to auto reboot the system shut down giving me the {Fatal System Error}... message again. I can then only restart by holding in the power button on my tower. -Sucks.
    Davidstl
  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, that`s got rid of some of the nasties but not all of them.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log and let me know the Blacklight results. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Regards Howard :)

  23. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    I've done as you have asked and I am including my new log files.
    Thank you
    Davidstl
  24. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, Combofix has identified a rootkit on your system.

    Please go HERE and follow the instructions for removing the Rustock rootkit.

    I`ve also noticed that you haven`t renamed your last HJT log and that you`re running HJT from the wrong location. Please follow the instructions in this thread HERE for HJT placement and renaming.

    Once you`ve done that, please post fresh Combofix and HJT logs.

    Regards Howard :)

  25. davidstl

    davidstl Newcomer, in training Topic Starter Posts: 94

    Dear Howard,
    It is easy when someone else does the work. Thank you. And I am taking the next steps now.
    PS
    my computer seems to ShutDown from the Start Button again. Thanks.
    Though I still get the two RUNDLL ERROR for C:\windows\system32\xnxjqv.dll and \fswubun.dll upon Start-Up.
    Davidstl