I have one or several viruses and need some help

Status
Not open for further replies.
OK, I downloaded something yesterday and tried to install it. When I did, the computer rebooted and went back to Windows, then rebooted again. I have tried to run all the programs suggested. Most of them remove lots of stuff from my computer, but it seems to come back. I think I have SmitFraud. I have run the fix, but when it gets to cleaning the registry it can't find regedit.com. I don't know what to do, so I have come here for help. I am uploading my HJT log.
 
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :wave: :wave:
 
I did follow those instructions and that is the log that I have after doing all that. I ran 3 of the 4 online scan programs and everything in the other threads (number 2 and 3) and that is my log as of now.
 
Your system is a complete mess. If that's your HJT log after running the instructions, I'd hate to have seen it before. The fact that you're running without any antivirus software or firewall software is absolute madness.

Go and download the free AVG antivirus programme and the free ZoneAlarm firewall from HERE and HERE.

Now disconnect from the net. Install the ZoneAlarm programme first and reboot your computer, then install the AVG programme and reboot your computer again. Reconnect to the net and run the AVG updates.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run a complete virus scan with AVG and delete whatever it finds, then follow the rest of the instructions below.


Go to Add/Remove Programs in your control panel and uninstall anything to do with (if there):

TClock
PartyGaming\PartyPoker

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

df2542d9.exe
svchostsys.exe (not to be confused with svchost.exe)
TSKMGR~1.EXE
nynghbi.exe
dehcw.exe
Userinit.exe
kwintqez.exe
tclock_install.exe
psdsregm.exe
RunApp.exe


Close task manager.

Click start/run and type regsvr32 /u wowexec.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Click start/run and type regsvr32 /u winword.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dehcw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nynghbi.exe

O4 - HKLM\..\Run: [df2542d9.exe] C:\WINDOWS\system32\df2542d9.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwintqez.exe GID003

O4 - HKCU\..\Run: [df2542d9.exe] C:\Documents and Settings\Paully\Local Settings\Application Data\df2542d9.exe

O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

O4 - HKCU\..\Run: [Jzlrbfuy] C:\DOCUME~1\Paully\APPLIC~1\PPATCH~1\TSKMGR~1.EXE

O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwintqez.exe

O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\psdsregm.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O20 - AppInit_DLLs: winword.dll wowexec.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\PartyGaming\PartyPoker
C:\WINDOWS\system32\psdsregm.exe
C:\WINDOWS\system32\kwintqez.exe
C:\Program Files\TClock
C:\DOCUME~1\Paully\APPLIC~1\PPATCH~1\TSKMGR~1.EXE
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\WINDOWS\system32\df2542d9.exe
C:\WINDOWS\SYSTEM32\Userinit.exe,nynghbi.exe
C:\WINDOWS\system32\dehcw.exe
wowexec.dll
winword.dll


Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard :)
 
OK, I went through the stuff you said. Two things. The df2542d9.exe and the Tclock.exe didn't show up in the HJT scan in safe mode. When I logged back into regular mode and ran the HJT scan, they showed up again. I clicked them and did the fix. Here is my next log file.
 
Download the Pocket killbox programme from HERE.

Extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, only after you have finished inputting the files you want to delete. Hopefully your files will now be deleted.

These are the paths to the files you should delete.

C:\WINDOWS\system32\psdsregm.exe
C:\DOCUME~1\Paully\APPLIC~1\PPATCH~1\TSKMGR~1.EXE
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\WINDOWS\system32\mtpxwv.exe
C:\WINDOWS\system32\kwintqez.exe
C:\WINDOWS\system32\mtpxwv.exe
C:\WINDOWS\SYSTEM32\Userinit.exe,nynghbi.exe
C:\WINDOWS\system32\dehcw.exe

Once you've done that, do the following.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dehcw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nynghbi.exe

O4 - HKLM\..\Run: [lltpwt] C:\WINDOWS\system32\mtpxwv.exe reg_run

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwintqez.exe GID003

O4 - HKCU\..\Run: [iibqx] C:\WINDOWS\system32\mtpxwv.exe reg_run

O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

O4 - HKCU\..\Run: [Jzlrbfuy] C:\DOCUME~1\Paully\APPLIC~1\PPATCH~1\TSKMGR~1.EXE

O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\psdsregm.exe

Click on the fix checked button.

Close HJT.

Reboot your system and post a fresh HJT log.

Regards Howard :)
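
Added example, not part of the original posts: a short Python comparison of the two HJT fix lists above, showing which autostart binaries survived the first cleanup and which appeared under a new name. The sample lines are a subset copied from the two lists in this thread; the function names and the regular expression are assumptions made for this example, not HijackThis features.

```python
import re

# Constructed sample input: a subset of the F2/O4/O20 lines from the two
# fix lists in this thread (first pass, then the pass after the first cleanup).
FIRST = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dehcw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nynghbi.exe
O4 - HKLM\..\Run: [df2542d9.exe] C:\WINDOWS\system32\df2542d9.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwintqez.exe GID003
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\psdsregm.exe
O20 - AppInit_DLLs: winword.dll wowexec.dll
"""
SECOND = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dehcw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nynghbi.exe
O4 - HKLM\..\Run: [lltpwt] C:\WINDOWS\system32\mtpxwv.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwintqez.exe GID003
O4 - HKCU\..\Run: [iibqx] C:\WINDOWS\system32\mtpxwv.exe reg_run
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\psdsregm.exe
"""

# File names ending in .exe/.dll, without any directory part.
BINARY = re.compile(r"([^\\\s,=\[\]]+\.(?:exe|dll))", re.I)
# The values Shell and UserInit are expected to hold on a clean system.
BASELINE = {"explorer.exe", "userinit.exe"}

def autostarts(log):
    """Map each autostart binary (lower-cased name) to the HJT sections loading it."""
    found = {}
    for line in log.splitlines():
        m = re.match(r"(F2|O4|O20) - (.*)", line.strip())
        if not m:
            continue
        for name in BINARY.findall(m.group(2)):
            if name.lower() not in BASELINE:
                found.setdefault(name.lower(), set()).add(m.group(1))
    return found

def compare(before, after):
    """Classify binaries as surviving the cleanup, gone, or newly listed."""
    a, b = autostarts(before), autostarts(after)
    return {"survived": sorted(a.keys() & b.keys()),
            "gone": sorted(a.keys() - b.keys()),
            "new": sorted(b.keys() - a.keys())}

if __name__ == "__main__":
    for status, names in compare(FIRST, SECOND).items():
        print(f"{status:9}{', '.join(names)}")
```

Entries in "survived" or "new" after a fix pass indicate that something still running is rewriting the autostart locations, which matches the "it seems to come back" symptom described in the first post.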
 
OK, the computer is improving and I do appreciate it very much. I tried the killbox thing and for everything you have there, it says "That file does not seem to exist" or that the file cannot be deleted. When I go to c://windows/system32 the folder is empty. So I don't know what is going on there. Just thought I would give you a heads up on that. Latest log file incoming.
 