TechSpot

Lots of viruses

By --Timmy--
Feb 9, 2007
Topic Status:
Not open for further replies.
  1. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    After the reformat and Windows reinstall, you would need to reinstall your games and enter the CD keys again. However, provided your games are legal, which I'm sure they are (if they aren't, we won't talk about them here), this won't present any problems, as you'll already have the CD keys that came with the games, right?

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  2. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Yeah, all legal..

    I gotta make sure I can find the Windows disk though :(

    Also, how long does a format take?
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    A lot depends on the size of your hard disk. Mine is 120 gigs and it takes about 40 minutes for a full format (a quick format is not recommended) and about half an hour to reinstall Windows. Then, there's all the drivers that need installing and firewall software. Then, Windows updates need to be run, followed by the reinstallation of any programmes/games etc. Altogether about 6 or 7 hours for my system.

    I can see that you're very reluctant to reformat your system and believe me I do understand.

    Despite my better judgment, I am prepared to try and clean your system, as long as you understand the following.

    1: After cleaning (if at all possible), your system may still not run properly and you may still need to reformat. In other words, I can't guarantee it'll sort your problems out.

    2: If you choose to let me try to clean your system, you will need to follow 100% any instructions I give you.

    The choice, as they say, is yours.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Thanks mate.. I'll listen to whatever you say, we'll try.


    Btw you're a legend :p
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok, we need to try and get rid of your rootkit problem first. Start by doing the following.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Let me know the exact results of the Blacklight scan and post a fresh Combofix log. That means you'll need to do a new scan with Combofix and post the resulting log.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Blacklight didn't find anything.. But when I looked in processes there were about 4 svhost.exe
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes those are nasty, but don't try and do anything on your own, otherwise we won't know where we are.

    Next: Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path".

    Select the rootkit driver by placing a checkmark against it and click "Remove selected items." Next, agree to the terms and conditions that are displayed by AVG and click "OK" to reboot the PC.

    Run the programme again and see if it finds anything the second time. Reconnect to the net.

    Do a scan with Combofix.

    Post a fresh Combofix log and let me know what AVG Antirootkit found (if anything).

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    AVG had one result, I removed it and scanned again and it was gone.

    I'll make a Combofix log now
  9. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Argh, whenever I try to add an attachment it freezes.. Can you read this then copy and paste it into Notepad or something, then I'll edit

    Edit: I'm studying your HJT log now.
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's good news. Please will you also post a fresh HJT log, after you've finished the Combofix scan.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    dfix
    Microsoft updatesd
    Win32 USB2

    Microsoft Update Machine
    Reg Services
    Microsoft Update

    Network Manager
    Microsoft Windows Update
    Boot Information Service

    Microsoft AutoUpdater
    Microsoft Telecoms Center
    Windows Host Services

    ssdfghjkl
    Windows Configuration Loader
    windows explorer32

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there). Make sure you get the file names correct and don't worry if some of them aren't there.

    cjas.exe
    wins32.exe
    win32.exe

    WINBOOT32.EXE
    msconfg.exe
    omkdikj.exe

    svcshost.exe<Not to be confused with svchost.exe, which is legit.
    pntovfxb.exe
    svhost.exe<Not to be confused with svchost.exe, which is legit.

    tdpaguo.exe
    EBEB5879.exe
    telcoms.exe

    svhosts.exe<Not to be confused with svchost.exe, which is legit.
    WINBOOT32.EXE
    pntovfxb.exe

    fwuzm.exe
    ABoxInst_int25.exe
    dllhost.exe

    netddf.exe
    explorer32.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\msvqxrad.dll (file missing)

    O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)

    O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)

    O4 - HKLM\..\Run: [dfix] cjas.exe

    O4 - HKLM\..\Run: [Win32 USB2] wins32.exe

    O4 - HKLM\..\Run: [Microsoft Update Machine] win32.exe

    O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE

    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe

    O4 - HKLM\..\Run: [Network Manager] omkdikj.exe

    O4 - HKLM\..\Run: [Microsoft Windows Update] svcshost.exe

    O4 - HKLM\..\Run: [Boot Information Service] pntovfxb.exe

    O4 - HKLM\..\Run: [Microsoft AutoUpdater] svhost.exe

    O4 - HKLM\..\Run: [tdpaguo] C:\WINDOWS\tdpaguo.exe

    O4 - HKLM\..\Run: [winconf] C:\WINDOWS\TEMP\EBEB5879.exe

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\lmtejixp.dll",setvm

    O4 - HKLM\..\RunServices: [dfix] cjas.exe

    O4 - HKLM\..\RunServices: [Microsoft updatesd] svhosts.exe

    O4 - HKLM\..\RunServices: [Win32 USB2] wins32.exe

    O4 - HKLM\..\RunServices: [Microsoft Update Machine] win32.exe

    O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE

    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe

    O4 - HKLM\..\RunServices: [Network Manager] omkdikj.exe

    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe

    O4 - HKLM\..\RunServices: [Boot Information Service] pntovfxb.exe

    O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe

    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKCU\..\Run: [Win32 USB2] wins32.exe

    O4 - HKCU\..\Run: [fwuz] C:\PROGRA~1\COMMON~1\fwuz\fwuzm.exe

    O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKCU\..\RunServices: [dfix] cjas.exe

    O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int25.exe

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab

    O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)

    O23 - Service: ssdfghjkl - Unknown owner - C:\WINDOWS\netddf.exe (file missing)

    O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    O23 - Service: windows explorer32 - Unknown owner - C:\WINDOWS\system\explorer32.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there). Don't worry if you can't find some of them, or can't delete some of them.

    C:\WINDOWS\system\explorer32.exe<Not to be confused with explorer.exe

    C:\WINDOWS\svchost.exe<The legit svchost.exe is in the system32 folder and not in the windows folder.

    C:\WINDOWS\netddf.exe

    C:\WINDOWS\system\dllhost.exe

    C:\PROGRA~1\COMMON~1\fwuz<Delete the entire folder.

    C:\WINDOWS\System32\lmtejixp.dll

    C:\WINDOWS\tdpaguo.exe

    C:\WINDOWS\TEMP\EBEB5879.exe

    ---------------------------------------------------------------------

    You need to search your system for the files below and delete them. Make sure you only delete the files with the names in bold. Look at the spelling carefully.

    cjas.exe
    wins32.exe
    win32.exe


    svhosts.exe<Not to be confused with svchost.exe
    WINBOOT32.EXE
    msconfg.exe<Not to be confused with msconfig.exe

    omkdikj.exe
    svcshost.exe<Not to be confused with svchost.exe
    pntovfxb.exe

    svhost.exe<Not to be confused with svchost.exe
    telcoms.exe
    ABoxInst_int25.exe

    Reboot into normal mode and rehide your protected OS files.

    Run a HJT scan and post a fresh HJT log.

    Regards Howard :)

    Edit: I'm off for a few hours of much needed sleep now, so don't worry if I'm not around when you next reply. I will be in touch.

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Okay, here's the updated HJT log

    (The file is 2kb smaller so things must have gone :D)

    I'm sus about these two

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's looking much better.

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft Windows Update
    Windows Host Services (DLLHOST32)<Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    dllhost.exe
    svcshost.exe<Not to be confused with svchost.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    O2 - BHO: (no name) - {EAD692AD-5E1A-02E0-6AEE-54800B4F00C7} - C:\WINDOWS\System32\fxfnlo.dll (file missing)

    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svcshost.exe

    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    svcshost.exe<Search your system for this file and delete all instances found.
    C:\WINDOWS\system\dllhost.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  14. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Thanks for all your help, it's running much faster :)

    But I'm still getting a few probs.

    - MSN randomly crashes.
    - I can't get into any link from the Control Panel :S ("Windows cannot find rundll32.exe")
    - Lots of the time Firefox, Photoshop, MS Paint will just freeze and go unresponsive when I try to save..


    I'll boot up safe mode now, should I do it with networking?

    Hello.

    Here's the updated log..

    Should I do a Combofix one as well?


    Thanks again for your help :approve:
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Have HJT fix this entry from normal mode.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Click on the fix checked button.

    Close HJT and reboot your system.

    Other than the above inactive entry, your HJT log is now clean.

    Please post fresh AVG Antispyware and Combofix logs.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  16. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Thanks.

    Do you have any idea what could be causing the control panel + saves to stop working?

    I'm doing the AVG scan now
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I might have a better idea, once I've seen your AVG Antispyware and Combofix logs.

    However, I did say before I started to clean your system, that it was possible your OS had been damaged.

    Once I've seen your log files, I'll see what we can do.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  18. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Just thought I would mention this before I start Combofix


    I keep getting recurring

    HKLM\SOFTWARE\ISTbar

    Just wondering if this is normal, it's been found by AVG and Ad-Aware
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download and run this ISTbar removal TOOL.

    Then post the log files I requested.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  20. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49

    Here's the logs

    :)
  21. KrashdnBurnt

    KrashdnBurnt TS Rookie Posts: 28

    Timmy, glad to see you're getting the best help on the net. Hope things continue to go your way.

    Howard, thanks for all you do. You da man!
  22. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49


    He's more helpful than like 5 call centres put together :p
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Did you run the AVG Antispyware scan before or after you ran the ISTbar removal tool?

    Also, your Combofix log contains the output from several scans. I need you to delete all the Combofix logs on your system and post a fresh Combofix log.

    Also, I want you to run the Ccleaner programme as per the instructions in this thread HERE.

    Remember what I said about following instructions 100% ;)

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  24. --Timmy--

    --Timmy-- TS Rookie Topic Starter Posts: 49


    Before..


    So you mean all those logs are bunched up together?
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes, all the logs are bunched up together lol.

    Run another AVG Antispyware scan, after you've run the ISTbar removal tool and Ccleaner. Then see what it comes up with. If it doesn't find anything, there's no need to post the log.

    After you've done that, post a fresh HJT and Combofix log. Let me know exactly what problems you're having, if any.

    Regards Howard :)

    This thread is for the use of --Timmy-- only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.