You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
dfix
Microsoft updatesd
Win32 USB2
Microsoft Update Machine
Reg Services
Microsoft Update
Network Manager
Microsoft Windows Update
Boot Information Service
Microsoft AutoUpdater
Microsoft Telecoms Center
Windows Host Services
ssdfghjkl
Windows Configuration Loader
windows explorer32
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for (if there). Make sure you get the file names correct and don't worry if some of them aren't there.
cjas.exe
wins32.exe
win32.exe
WINBOOT32.EXE
msconfg.exe
omkdikj.exe
svcshost.exe<Not to be confused with svchost.exe, which is legit.
pntovfxb.exe
svhost.exe<Not to be confused with svchost.exe, which is legit.
tdpaguo.exe
EBEB5879.exe
telcoms.exe
svhosts.exe<Not to be confused with svchost.exe, which is legit.
WINBOOT32.EXE
pntovfxb.exe
fwuzm.exe
ABoxInst_int25.exe
dllhost.exe
netddf.exe
explorer32.exe
Close task manager.
Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\msvqxrad.dll (file missing)
O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [dfix] cjas.exe
O4 - HKLM\..\Run: [Win32 USB2] wins32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] win32.exe
O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Network Manager] omkdikj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svcshost.exe
O4 - HKLM\..\Run: [Boot Information Service] pntovfxb.exe
O4 - HKLM\..\Run: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\Run: [tdpaguo] C:\WINDOWS\tdpaguo.exe
O4 - HKLM\..\Run: [winconf] C:\WINDOWS\TEMP\EBEB5879.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\lmtejixp.dll",setvm
O4 - HKLM\..\RunServices: [dfix] cjas.exe
O4 - HKLM\..\RunServices: [Microsoft updatesd] svhosts.exe
O4 - HKLM\..\RunServices: [Win32 USB2] wins32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] win32.exe
O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Network Manager] omkdikj.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe
O4 - HKLM\..\RunServices: [Boot Information Service] pntovfxb.exe
O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [Win32 USB2] wins32.exe
O4 - HKCU\..\Run: [fwuz] C:\PROGRA~1\COMMON~1\fwuz\fwuzm.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\RunServices: [dfix] cjas.exe
O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int25.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
O23 - Service: ssdfghjkl - Unknown owner - C:\WINDOWS\netddf.exe (file missing)
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: windows explorer32 - Unknown owner - C:\WINDOWS\system\explorer32.exe (file missing)
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories (if there). Don't worry if you can't find some of them, or can't delete some of them.
C:\WINDOWS\system\
explorer32.exe<Not to be confused with explorer.exe
C:\WINDOWS\
svchost.exe<The legit svchost.exe is in the system32 folder and not in the windows folder.
C:\WINDOWS\
netddf.exe
C:\WINDOWS\system\
dllhost.exe
C:\PROGRA~1\COMMON~1\
fwuz<Delete the entire folder.
C:\WINDOWS\System32\
lmtejixp.dll
C:\WINDOWS\
tdpaguo.exe
C:\WINDOWS\TEMP\
EBEB5879.exe
---------------------------------------------------------------------
You need to search your system for the files below and delete them. Make sure you only delete the files with the names in bold. Look at the spelling carefully.
cjas.exe
wins32.exe
win32.exe
svhosts.exe<Not to be confused with svchost.exe
WINBOOT32.EXE
msconfg.exe<Not to be confused with msconfig.exe
omkdikj.exe
svcshost.exe<Not to be confused with svchost.exe
pntovfxb.exe
svhost.exe<Not to be confused with svchost.exe
telcoms.exe
ABoxInst_int25.exe
Reboot into normal mode and rehide your protected OS files.
Run a HJT scan and post a fresh HJT log.
Regards Howard
Edit: I'm off for a few hours of much needed sleep now, so don't worry if I'm not around when you next reply. I will be in touch.
This thread is for the use of -Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
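
The lookalike names flagged in the post above (svhost.exe, svcshost.exe, msconfg.exe, explorer32.exe, and a svchost.exe sitting outside system32) can also be caught mechanically when reviewing a HijackThis log. The following is an added example, not part of the original post and not HijackThis code; the `KNOWN` baseline, the function names and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import ntpath
import re

# Assumed baseline (not from the post): trusted image names and the folder each
# normally loads from; None means the location is not checked here.
KNOWN = {"svchost.exe": r"c:\windows\system32", "dllhost.exe": r"c:\windows\system32",
         "explorer.exe": r"c:\windows", "msconfig.exe": None}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def image_of(line):
    """Return the executable named by an O4 or O23 HijackThis line, else None."""
    m = re.match(r"O4 - .*?: \[[^\]]*\] (.*)|O23 - Service: .* - (\S.*)", line)
    exe = m and re.match(r'"?([^"]+?\.exe)\b', m.group(1) or m.group(2) or "", re.I)
    return exe.group(1) if exe else None

def check(line):
    """Return a finding for a masquerading image name or location, else None."""
    path = image_of(line)
    if not path:
        return None
    folder, name = ntpath.dirname(path).lower(), ntpath.basename(path).lower()
    if name in KNOWN:
        if folder and KNOWN[name] and folder != KNOWN[name]:
            return f"{name}: trusted name in unexpected folder {folder}"
        return None
    for good in KNOWN:
        if edit_distance(name[:-4], good[:-4]) <= 2:  # compare stems without ".exe"
            return f"{name}: lookalike of {good}"
    return None

# Four lines copied from the log entries in the post, plus one constructed benign line.
SAMPLE = [
    r"O4 - HKLM\..\Run: [Microsoft AutoUpdater] svhost.exe",
    r"O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe",
    r"O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
    r"O23 - Service: windows explorer32 - Unknown owner - C:\WINDOWS\system\explorer32.exe (file missing)",
    r"O23 - Service: Constructed Example - Unknown owner - C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(check(entry) or "ok", "|", entry)
```

This heuristic only covers name and location masquerading; entries with random names such as cjas.exe or pntovfxb.exe pass it and still need the manual review described in the post.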