Lots of viruses

After the reformat and Windows reinstall, you would need to reinstall your games and enter the CD keys again. However, provided your games are legal, which I'm sure they are (if they aren't, we won't talk about them here), this won't present any problems, as you'll already have the CD keys that came with the games, right?

Regards Howard :)

This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
howard_hopkinso said:
After the reformat and Windows reinstall, you would need to reinstall your games and enter the CD keys again. However, provided your games are legal, which I'm sure they are (if they aren't, we won't talk about them here), this won't present any problems, as you'll already have the CD keys that came with the games, right?

Yeah, all legal.

I gotta make sure I can find the Windows disk though :(

Also, how long does a format take?
 
A lot depends on the size of your hard disk. Mine is 120 gigs and it takes about 40 minutes for a full format (a quick format is not recommended) and about half an hour to reinstall Windows. Then there are all the drivers that need installing, and firewall software. Then Windows updates need to be run, followed by the reinstallation of any programs/games etc. Altogether about 6 or 7 hours for my system.

I can see that you're very reluctant to reformat your system and, believe me, I do understand.

Despite my better judgment, I am prepared to try and clean your system, as long as you understand the following.

1: After cleaning (if at all possible), your system may still not run properly and you may still need to reformat. In other words, I can't guarantee it'll sort your problems out.

2: If you choose to let me try to clean your system, you will need to follow 100% any instructions I give you.

The choice, as they say, is yours.

Regards Howard :)

 
OK, we need to try and get rid of your rootkit problem first. Start by doing the following.

Download and run the Blacklight program. Follow all the instructions carefully.

Let me know the exact results of the Blacklight scan and post a fresh Combofix log. That means you'll need to do a new scan with Combofix and post the resulting log.

Regards Howard :)

 
Yes, those are nasty, but don't try and do anything on your own, otherwise we won't know where we are.

Next: download the AVG Antirootkit program. Disconnect from the net and install the program, then restart your computer.

Run the program and click "Perform in-depth search". Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path". Select the rootkit driver by placing a checkmark against it and click "Remove selected items". Next, agree to the terms and conditions displayed by AVG and click "OK" to reboot the PC.

Run the program again and see if it finds anything the second time. Reconnect to the net.

Do a scan with Combofix.

Post a fresh Combofix log and let me know what AVG Antirootkit found (if anything).

Regards Howard :)

 
Argh, whenever I try to add an attachment it freezes. Can you read this, then copy and paste it into Notepad or something? Then I'll edit.

Edit: I'm studying your HJT log now.
 
That's good news. Please will you also post a fresh HJT log after you've finished the Combofix scan.

Regards Howard :)

 
You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click Start/Run, type services.msc into the Run box and press the Enter key.

When the window appears, maximise it. Double click on each of the following services (if there) and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

dfix
Microsoft updatesd
Win32 USB2

Microsoft Update Machine
Reg Services
Microsoft Update

Network Manager
Microsoft Windows Update
Boot Information Service

Microsoft AutoUpdater
Microsoft Telecoms Center
Windows Host Services

ssdfghjkl
Windows Configuration Loader
windows explorer32

Close the services window.

Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for each of the following (if there). Make sure you get the file names correct, and don't worry if some of them aren't there.

cjas.exe
wins32.exe
win32.exe

WINBOOT32.EXE
msconfg.exe
omkdikj.exe

svcshost.exe (not to be confused with svchost.exe, which is legit)
pntovfxb.exe
svhost.exe (not to be confused with svchost.exe, which is legit)

tdpaguo.exe
EBEB5879.exe
telcoms.exe

svhosts.exe (not to be confused with svchost.exe, which is legit)
WINBOOT32.EXE
pntovfxb.exe

fwuzm.exe
ABoxInst_int25.exe
dllhost.exe

netddf.exe
explorer32.exe

Close task manager.

Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each entry (if there).

O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\msvqxrad.dll (file missing)

O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)

O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)

O4 - HKLM\..\Run: [dfix] cjas.exe

O4 - HKLM\..\Run: [Win32 USB2] wins32.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] win32.exe

O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE

O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe

O4 - HKLM\..\Run: [Network Manager] omkdikj.exe

O4 - HKLM\..\Run: [Microsoft Windows Update] svcshost.exe

O4 - HKLM\..\Run: [Boot Information Service] pntovfxb.exe

O4 - HKLM\..\Run: [Microsoft AutoUpdater] svhost.exe

O4 - HKLM\..\Run: [tdpaguo] C:\WINDOWS\tdpaguo.exe

O4 - HKLM\..\Run: [winconf] C:\WINDOWS\TEMP\EBEB5879.exe

O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\lmtejixp.dll",setvm

O4 - HKLM\..\RunServices: [dfix] cjas.exe

O4 - HKLM\..\RunServices: [Microsoft updatesd] svhosts.exe

O4 - HKLM\..\RunServices: [Win32 USB2] wins32.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] win32.exe

O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE

O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe

O4 - HKLM\..\RunServices: [Network Manager] omkdikj.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe

O4 - HKLM\..\RunServices: [Boot Information Service] pntovfxb.exe

O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe

O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\Run: [Win32 USB2] wins32.exe

O4 - HKCU\..\Run: [fwuz] C:\PROGRA~1\COMMON~1\fwuz\fwuzm.exe

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\RunServices: [dfix] cjas.exe

O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int25.exe

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab

O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)

O23 - Service: ssdfghjkl - Unknown owner - C:\WINDOWS\netddf.exe (file missing)

O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: windows explorer32 - Unknown owner - C:\WINDOWS\system\explorer32.exe (file missing)

Click on the Fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there). Don't worry if you can't find some of them, or can't delete some of them.

C:\WINDOWS\system\explorer32.exe (not to be confused with explorer.exe)

C:\WINDOWS\svchost.exe (the legit svchost.exe is in the system32 folder and not in the Windows folder)

C:\WINDOWS\netddf.exe

C:\WINDOWS\system\dllhost.exe

C:\PROGRA~1\COMMON~1\fwuz (delete the entire folder)

C:\WINDOWS\System32\lmtejixp.dll

C:\WINDOWS\tdpaguo.exe

C:\WINDOWS\TEMP\EBEB5879.exe

---------------------------------------------------------------------

You need to search your system for the files below and delete them. Make sure you only delete the files with the names listed. Look at the spelling carefully.

cjas.exe
wins32.exe
win32.exe

svhosts.exe (not to be confused with svchost.exe)
WINBOOT32.EXE
msconfg.exe (not to be confused with msconfig.exe)

omkdikj.exe
svcshost.exe (not to be confused with svchost.exe)
pntovfxb.exe

svhost.exe (not to be confused with svchost.exe)
telcoms.exe
ABoxInst_int25.exe

Reboot into normal mode and re-hide your protected OS files.

Run a HJT scan and post a fresh HJT log.

Regards Howard :)

Edit: I'm off for a few hours of much-needed sleep now, so don't worry if I'm not around when you next reply. I will be in touch.

 
Okay, here's the updated HJT log.

(The file is 2kb smaller, so things must have gone :D)

I'm suspicious about these two:

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)
 
That's looking much better.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click Start/Run, type services.msc into the Run box and press the Enter key.

When the window appears, maximise it. Double click on each of the following services (if there) and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Microsoft Windows Update
Windows Host Services (DLLHOST32) (disable it under the service name and/or the name in brackets)

Close the services window.

Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for each of the following (if there).

dllhost.exe
svcshost.exe (not to be confused with svchost.exe)

Close task manager.

Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each entry (if there).

O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)

O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe

O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)

Click on the Fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

svcshost.exe (search your system for this file and delete all instances found)
C:\WINDOWS\system\dllhost.exe

Reboot into normal mode and re-hide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

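Both cleanup posts above (the long first one and the shorter follow-up) work by reading HijackThis O4 autorun entries, O23 services and O2 BHOs for the same handful of tells Howard points out: a lookalike name such as svcshost.exe, a real name such as svchost.exe sitting in the wrong folder, a binary started from TEMP, a service with an unknown owner or a missing file, and a nameless or orphaned BHO. The script below is an added example written for this thread; it is not part of the thread and not HijackThis code. It encodes those checks and runs them over eight log lines taken from the posts plus one constructed legitimate entry (an NvCpl rundll32 line) as a negative control. The directories in the LEGIT table assume a default Windows XP layout, and the 0.8 similarity threshold for lookalike names is a tuning choice.

```python
"""Triage a HijackThis log for the tells used in the cleanup posts above.
Added example for this thread, not HijackThis code; LEGIT assumes a default XP layout."""
import re
from difflib import SequenceMatcher

# Legitimate binaries the infected entries imitate, with the directory each
# normally lives in on a default XP install (assumption).
LEGIT = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "msconfig.exe": r"c:\windows\pchealth\helpctr\binaries",
    "dllhost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def lookalike(name):
    """Legit binary that `name` imitates (svcshost.exe -> svchost.exe), else None."""
    name = name.lower()
    for legit in LEGIT:
        if name != legit and SequenceMatcher(None, name, legit).ratio() >= 0.8:
            return legit
    return None

def check_image(image):
    """Heuristics on one executable or DLL path exactly as it appears in the log."""
    reasons = []
    base = image.rsplit("\\", 1)[-1].lower()
    directory = image.rsplit("\\", 1)[0].lower() if "\\" in image else None
    legit = lookalike(base)
    if legit:
        reasons.append(f"{base} imitates {legit}")
    elif base in LEGIT and directory is not None and directory != LEGIT[base]:
        # Howard's point about C:\WINDOWS\svchost.exe: right name, wrong folder.
        reasons.append(f"{base} outside its normal directory {LEGIT[base]}")
    if directory is not None and directory.endswith("\\temp"):
        reasons.append("runs from a TEMP directory")
    return reasons

def split_command(cmd):
    """Split a Run-key command line into (image, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args

def check_o4(m):
    image, args = split_command(m["cmd"])
    base = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    # Installers write full paths; rundll32 is the one common bare-name exception.
    if "\\" not in image and base != "rundll32.exe":
        reasons.append("bare filename with no path")
    reasons += check_image(image)
    if base == "rundll32.exe" and args:          # judge the DLL, not its host
        reasons += check_image(args.split(",")[0].strip('"'))
    if m["key"].lower().startswith("runservices"):
        # Windows 9x autostart key; NT-based Windows ignores it, worms still write it.
        reasons.append("RunServices key (Windows 9x autostart location)")
    return reasons

def check_o23(m):
    reasons = []
    if m["owner"].strip() == "Unknown owner":
        reasons.append("service with unknown owner")
    path = m["path"].replace("(file missing)", "").strip()
    if path != m["path"].strip():
        reasons.append("service binary missing on disk")
    return reasons + check_image(path)

def check_o2(m):
    reasons = []
    if m["name"].strip() in ("", "(no name)"):
        reasons.append("BHO registered without a name")
    if "(file missing)" in m["path"]:
        reasons.append("BHO file gone: inactive, fix it to clear the orphaned registration")
    return reasons

def triage(log_text):
    """Return [(log line, [reasons])] for every O2/O4/O23 line that trips a check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            reasons = check_o4(m)
        elif (m := O23_RE.match(line)):
            reasons = check_o23(m)
        elif (m := O2_RE.match(line)):
            reasons = check_o2(m)
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample: eight lines taken from the thread plus one made-up
# legitimate entry (the NvCpl rundll32 line) as a negative control.
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows Update] svcshost.exe
O4 - HKLM\..\Run: [winconf] C:\WINDOWS\TEMP\EBEB5879.exe
O4 - HKLM\..\RunServices: [dfix] cjas.exe
O4 - HKCU\..\Run: [fwuz] C:\PROGRA~1\COMMON~1\fwuz\fwuzm.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

This is a triage aid, not a verdict. The fwuzm.exe entry under C:\PROGRA~1\COMMON~1\fwuz passes every check because nothing about its name or path is suspicious on its own, which is exactly why the thread cross-references the log against the process list and the services console instead of trusting any single source.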
 
Thanks for all your help, it's running much faster :)

But I'm still getting a few problems.

- MSN randomly crashes.
- I can't get into any link from the Control Panel :S ("Windows cannot find rundll32.exe")
- A lot of the time Firefox, Photoshop and MS Paint will just freeze and go unresponsive when I try to save.

I'll boot up safe mode now, should I do it with networking?

Hello.

Here's the updated log.

Should I do a Combofix one as well?

Thanks again for your help :approve:
 
Have HJT fix this entry from normal mode.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click on the fix checked button.

Close HJT and reboot your system.

Other than the above inactive entry, your HJT log is now clean.

Please post fresh AVG Antispyware and Combofix logs.

Regards Howard :)

 
Thanks.

Do you have any idea what could be causing the Control Panel and saves to stop working?

I'm doing the AVG scan now.
 
I might have a better idea once I've seen your AVG Antispyware and Combofix logs.

However, I did say, before I started to clean your system, that it was possible your OS had been damaged.

Once I've seen your log files, I'll see what we can do.

Regards Howard :)

 
Just thought I would mention this before I start Combofix.

I keep getting a recurring

HKLM\SOFTWARE\ISTbar

Just wondering if this is normal; it's been found by AVG and Ad-Aware.
 
Download and run this ISTbar removal TOOL.

Then post the log files I requested.

Regards Howard :)

 
Timmy, glad to see you're getting the best help on the net. Hope things continue to go your way.

Howard, thanks for all you do. You da man!
 
KrashdnBurnt said:
Timmy, glad to see you're getting the best help on the net. Hope things continue to go your way.

Howard, thanks for all you do. You da man!


He's more helpful than like 5 call centres put together :p
 
Did you run the AVG Antispyware scan before or after you ran the ISTbar removal tool?

Also, your Combofix log contains the output from several scans. I need you to delete all the Combofix logs on your system and post a fresh Combofix log.

Also, I want you to run the CCleaner program as per the instructions in this thread HERE.

Remember what I said about following instructions 100% ;)

Regards Howard :)

 
Yes, all the logs are bunched up together lol.

Run another AVG Antispyware scan after you've run the ISTbar removal tool and CCleaner. Then see what it comes up with. If it doesn't find anything, there's no need to post the log.

After you've done that, post a fresh HJT and Combofix log. Let me know exactly what problems you're having, if any.

Regards Howard :)

 