Please check my HJT log.

Status
Not open for further replies.

ru1thirst

Posts: 77   +0
Guys, I'm trying to be a nice uncle and fix my niece's computer that has been loaded with viruses and other garbage. I've been at it for over a day and a half and have run just about everything. I've also used the sticky thread and did everything in the thread from SmitFraudFix to AdAware. The problems are many still, but I think the main Trojans or whatever are ADW-CMDDSKTOP, Trojan-Dloader.bbr, and the biggie is one called TMFtZQ. I've tried numerous times to attach a HJT text file and it keeps saying it's not a valid file. When I right-click it, its properties are .txt. Don't know what is going on.
 
Since you are having problems attaching your HJT log file, just copy and paste it into this thread and I'll take a look at it for you.

Also, please use proper thread titles from now on. Thanks.

Regards Howard :)
 
Also just to add: I've ticked to remove the tmftzq and in safe mode with system restore off and it just keeps coming back with each scan.
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Command Service (cmdService)

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for the following (if there).

bcrqo.exe
userinit.exe,mwyuyxk.exe
command.exe

Close task manager.

Click start/run and type regsvr32 /u C:\WINDOWS\system32\fpdrnznx.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Do the same for these entries as well.

C:\WINDOWS\system32\x3cqp0.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32o.dll

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bcrqo.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mwyuyxk.exe

O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll

O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)

O18 - Filter: text/html - {7B1EE13A-FE1E-48B0-AC2C-8ACC5E3BB7CB} - C:\WINDOWS\system32\fpdrnznx.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFtZQ\command.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files (if there).

C:\WINDOWS\TmFtZQ\command.exe
C:\WINDOWS\system32\fpdrnznx.dll
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\system32\x3cqp0.dll
C:\WINDOWS\system32\userinit.exe,mwyuyxk.exe
C:\WINDOWS\system32\bcrqo.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard :)
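The HJT entries Howard asks to have fixed all share one line format: a section code (F2, O2, O9, O18, O23), a type, and " - "-separated fields ending in a file path or "(no file)". As an added example, not code from this thread or from HijackThis itself, the Python below parses that format and flags the same persistence points a helper looks for: extra programs on the Winlogon Shell/UserInit values, orphaned BHO and toolbar entries, a MIME filter hooked on text/html, services with no publisher, and one DLL loaded from several hook points. The sample log is constructed from the lines quoted above plus two benign entries with placeholder names and CLSIDs.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entries quoted in the thread, plus two benign-looking
# entries ("Example ...", placeholder CLSID) so the checks have something to pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bcrqo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mwyuyxk.exe
O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O18 - Filter: text/html - {7B1EE13A-FE1E-48B0-AC2C-8ACC5E3BB7CB} - C:\WINDOWS\system32\fpdrnznx.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFtZQ\command.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O23 - Service: Example Service (exsvc) - Example Corp - C:\Program Files\Example\exsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def split_fields(body):
    # HJT separates name, CLSID and path with " - "
    return [f.strip() for f in body.split(" - ")]


def check_f2(body):
    """Winlogon Shell should be explorer.exe only; UserInit should be userinit.exe only."""
    m = re.search(r"(Shell|UserInit)=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    parts = [p.strip() for p in value.split(",") if p.strip()]
    expected = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
    extra = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != expected]
    if extra:
        return f"Winlogon {key} launches extra program(s): {', '.join(extra)}"
    return None


def check_entry(section, body):
    """Checks for the O2/O9/O18/O23 sections seen in the thread."""
    fields = split_fields(body)
    if section in ("O2", "O9") and fields[-1] == "(no file)":
        return "orphaned entry: registry points at a file that no longer exists"
    if section == "O18" and body.startswith("Filter: text/html"):
        return "MIME filter hooked on text/html: every HTML page passes through " + fields[-1]
    if section == "O23" and "Unknown owner" in fields:
        return "service with no publisher information: " + fields[-1]
    return None


def analyse(log_text):
    """Return a list of Finding for every suspicious line, plus cross-references."""
    findings = []
    seen_files = {}  # lowercased path -> sections that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F2":
            reason = check_f2(body)
        else:
            reason = check_entry(section, body)
            path = split_fields(body)[-1]
            if path.lower().endswith((".dll", ".exe")):
                seen_files.setdefault(path.lower(), []).append(section)
        if reason:
            findings.append(Finding(section, reason, line))
    # One binary registered under several hook points (BHO + MIME filter here) is a strong signal.
    for path, sections in seen_files.items():
        hooks = sorted(set(sections))
        if len(hooks) > 1:
            findings.append(Finding("*", f"{path} is loaded from several hook points ({', '.join(hooks)})", path))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a pasted log and it prints one line per flagged entry; the two constructed "Example" entries are not flagged because they have a real file, a named owner, and appear under only one hook point.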
 
Thanks Howard, getting there. I'm at the part of running the .dll commands and it's asking what program I want to use to open them. Stuck there.

And when trying to run the c:\windows\cfg32r.dll and 32o.dll they are not found.
 
No, don't try and run them, you need to unregister the .dll files. Do the following.

Click start/run and type regsvr32 /u C:\WINDOWS\system32\fpdrnznx.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Do the same for these as well.

regsvr32 /u C:\WINDOWS\system32\x3cqp0.dll

regsvr32 /u C:\WINDOWS\cfg32r.dll

regsvr32 /u C:\WINDOWS\cfg32o.dll


Regards Howard :)
 
Ok Howard, bear with me. I did the above after seeing what I was doing wrong. So I ran a new HJT and below is the file. Still getting the adw cmddsktop.a being detected by Trend Micro. Says one of the files affected was even spyblaster help exe.
 
Mmm, that's strange.

Go to add remove programmes in your control panel and uninstall SpywareBlaster.

The reason I want you to do this is, SpywareBlaster doesn't normally show up in a HJT log, so I'm a little suspicious. Once you've uninstalled SpywareBlaster, reinstall it from the location below.

Other than that though, your HJT log is now clean.

You can get SpywareBlaster from HERE.

Regards Howard :)
 
Well, tried everything and I thought I'd just be better off reformatting, but when I tried to reformat or reinstall XP it says the version is older than the version on the machine. I changed the boot sequence and tried to start from the version that I do have, but it won't even boot from it. I always thought it was easy to do a reformat but I've never had to do it. Any thoughts?
 
Follow the steps below.

1. Restart your computer and go to setup, usually by pressing the F2 or Delete key.

2. Once you get into setup, look for the boot menu and make sure you set it to boot from CD first, followed by your hard drive.

3. Put the Windows XP disk into your CD drive.

4. Now save your settings and exit setup.

5. While your computer is booting you will see a message that says "press any key to boot from cd"; press any key.

6. When the welcome to setup screen appears, press Enter and then press F8 to accept the Microsoft licence agreement.

7. You will be prompted to repair an installation; press the Escape key.

8. Now select the partition that you want to reformat and press the D key to delete it; you will be asked to confirm that you want to delete the partition.

9. Now press C to create a brand new partition; you will be asked what size you want the partition to be in megabytes. If you just press Enter then the partition will be the maximum size that you can have. This is perfectly ok if you don't want to create multiple partitions.

10. You will now be asked to format the partition; select the NTFS file system and do a full format.

11. Once the format is complete, setup will continue.

Your computer will restart during the remaining setup. Again you will be asked to press any key to boot from CD; DO NOT PRESS ANYTHING, and setup will continue. Once the setup is complete and you are back in Windows, remove the Windows CD from your CD drive.

Regards Howard :)
 
Howard, first let me say thanks for all your help! I just got home and read your last post. I just wasn't able to get it to boot from the CD. I did go into the BIOS and set it to boot from the CD drive as sequence 1st, but never saw any prompt saying press any key to boot from CD. Maybe I should have just restarted and kept hitting any key anyway? Not sure, but I'm not at my niece's home anymore, but I may have to go back tomorrow. One niece got a new computer for her birthday and the other is stuck with the old one that was riddled with viruses. At least I was able to get it up and running and cleaned of most of the mess, but Trend Micro is still catching and disabling these adware and trojans and, because of this, prompts are popping up saying Trend Micro is doing this. Catching them, but annoying. I'll try press any key at restart tomorrow and hopefully be able to reinstall the older version of XP that they do have. Again, it is all they have lying around. I'm guessing service pack 1 and pack 2 is on the machine now. Thanks again, and if you could let me know if I'm on the right track.
 