[Resolved] Review my log please

Status
Not open for further replies.

zoidb3rg

I've been having Windows Explorer problems. My Windows Explorer sometimes freezes; the programs that are running work fine, but when I try to click on my desktop I get the hourglass sign on my mouse, meaning that it is working. It doesn't stop until I turn off my laptop. Then sometimes when I start up my computer Windows Explorer doesn't start up. I can start it in Task Manager and then it works fine. I'm pretty new to this, so if someone could review my HJT logs that would be very helpful.

P.S. I saw this thread which is related to my problem, and I'm currently in the middle of moving and I'm not able to get to my Windows CD. So I haven't tried that yet. I will when I get a chance, so I thought this would be a good course of action first.
 

Attachment: crusty.log (10.9 KB)
Hi,

You certainly have a Vundo trojan, and maybe something else.

I suggest you go HERE, follow all the steps, and post the three logs required.

The Vundo removal tool is in Step 10, but best do all of them. ;)


Bonus advice: You have too many start-up programs (3rd party programs that start with Windows).

Go to Start > Run, type msconfig, click OK, go to the Startup tab, and uncheck everything except anti-virus.
 
Hi, Po`Girl

Thanks for responding so quickly to my post. I did everything in the Preliminary malware and Vundo guide that you posted the link to. My computer seems to be doing a lot better; I haven't had any problems. But then again I just finished with it and I haven't given it a lot of time to really see, but so far no problems. Here are all the files that it says to post.
 
Run AVG AntiVirus, as well as Antispyware. When you get this:

C:\WINDOWS\system32\hbcaqfrb.exe -> Trojan.Agent.daj : Cleaned.
C:\WINDOWS\system32\ryddcghk.exe -> Trojan.Agent.daj : Cleaned.

Immediately reboot to Safe Mode, and run your scans again in Safe Mode.

Then look at the excellent READ files on infestations here on this forum.
 
Hi,

Your system is still terribly infected. Please post a fresh HijackThis log, as well as a ComboFix log in your next reply.
 
raybay said:
Run AVG AntiVirus, as well as Antispyware. When you get this:

C:\WINDOWS\system32\hbcaqfrb.exe -> Trojan.Agent.daj : Cleaned.
C:\WINDOWS\system32\ryddcghk.exe -> Trojan.Agent.daj : Cleaned.

Immediately reboot to Safe Mode, and run your scans again in Safe Mode.

Then look at the excellent READ files on infestations here on this forum.
I did this, and when I ran my scans in Safe Mode AVG couldn't find anything. Adware could not run in Safe Mode; an error kept coming up. I appreciate everyone's help. Here are the new logs that you requested, Momok. Also, Antiroot didn't find anything.
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: {8a20c3d8-30ba-843b-fff4-afe1f7324233} - {3324237f-1efa-4fff-b348-ab038d3c02a8} - (no file)
    O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    Close HJT.

  4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\system32\rxlknlea.dll
    C:\WINDOWS\system32\drhkfadf.dll
    C:\WINDOWS\system32\symjvujy.dll
    C:\WINDOWS\system32\pogbcjoy.dll
    C:\WINDOWS\system32\rxolqopi.dll
    C:\WINDOWS\system32\wbers.dat.dmp
    C:\WINDOWS\system32\wbers.dat
    C:\WINDOWS\system32\egnoxrgb.dll
    C:\WINDOWS\system32\hulkxlll.dll
    C:\WINDOWS\system32\gxftcpal.dll
    C:\WINDOWS\system32\tancgxub.dll
    C:\WINDOWS\system32\ovjckybw.dll
    C:\WINDOWS\system32\gqtomkav.dll
    C:\WINDOWS\system32\jgsmsptd.dll
    C:\WINDOWS\system32\dggfgiro.dll
    C:\WINDOWS\system32\delnqwgx.dll
    C:\WINDOWS\system32\tswmemij.dll
    C:\WINDOWS\system32\aoclwpik.dll
    C:\WINDOWS\system32\mhgmdtps.dll
    C:\WINDOWS\system32\mrinvkvf.dll
    C:\WINDOWS\system32\fkeahkgr.dll
    C:\WINDOWS\system32\bppluncn.dll
    C:\WINDOWS\system32\njwjrask.dll
    C:\WINDOWS\system32\jobnswts.dll
    C:\WINDOWS\system32\fmmqsiij.dll
    C:\WINDOWS\system32\phcrtcpg.dll
    C:\WINDOWS\system32\tygmkqrs.dll
    C:\WINDOWS\system32\tjxrrirf.dll
    C:\WINDOWS\system32\ecmagaay.dll
    C:\WINDOWS\system32\jycdepds.dll
    C:\WINDOWS\system32\frbmnjrr.dll
    C:\WINDOWS\system32\yahwrifd.dll
    C:\WINDOWS\system32\atlvkjck.dll
    C:\WINDOWS\system32\prmwiwof.dll
    C:\WINDOWS\system32\gpnxxbyx.dll
    C:\WINDOWS\system32\hsyqucns.dll
    C:\WINDOWS\system32\osrklkkx.dll
    C:\WINDOWS\system32\bjafckoh.dll
    C:\WINDOWS\system32\ynmgempv.dll
    C:\WINDOWS\system32\mculjonk.dll
    C:\WINDOWS\system32\gvfceawq.dll
    C:\WINDOWS\system32\tkevuqip.dll
    C:\WINDOWS\system32\ohmoaygs.dll
    C:\WINDOWS\system32\cadmhqjk.dll
    C:\WINDOWS\system32\lokupeog.dll
    C:\WINDOWS\system32\pwcibtnj.dll
    C:\WINDOWS\system32\phexiemi.dll
    C:\WINDOWS\system32\vxtklvdn.dll
    C:\WINDOWS\system32\vtwrnnee.dll
    C:\WINDOWS\system32\lsudhqsv.dll
    C:\WINDOWS\system32\vbvawjsq.dll
    C:\WINDOWS\system32\gdhodrix.dll
    C:\WINDOWS\system32\uicwidxh.dll
    C:\WINDOWS\system32\yevyhuvy.dll
    C:\WINDOWS\system32\hrpcrkmj.dll
    C:\WINDOWS\system32\xkdoxyiu.dll
    C:\WINDOWS\system32\cgwbckot.dll
    C:\WINDOWS\system32\abfhedxn.dll
    C:\WINDOWS\system32\viplyyka.dll
    C:\WINDOWS\system32\fsmbhgra.dll
    C:\WINDOWS\system32\xaowvwlf.dll
    C:\WINDOWS\system32\ifftasup.dll
    C:\WINDOWS\system32\vbgehvmm.dll
    C:\WINDOWS\system32\aqddpxsq.dll
    C:\WINDOWS\system32\enopnnsd.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68d716db]
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    (image: CFScript.gif)

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

  8. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of zoidberg only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
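As an added example that is not part of this thread (it is not HijackThis or ComboFix code, and not Momok's own method), here is a small Python script that applies the three observations the reply above is built on to an HJT log: entries ending in "(no file)", DLLs loaded from system32 whose names are eight random lowercase letters like the ones listed in the CFScript, and an O4 Run value whose name is a hex string such as 68d716db. The sample log is constructed: the three "(no file)" lines are the ones quoted above, the entries marked Example and the all-zero GUID are invented, and the O4 line is assembled from the Run-key name and one DLL name taken from the CFScript, not from the poster's actual log.

```python
import re
from dataclasses import dataclass

# Constructed sample HijackThis-style log for this example. The three "(no file)"
# entries are the ones quoted in the thread; the "Example" lines and the all-zero
# GUID are invented placeholders, and the O4 line pairing the Run-key name
# 68d716db with rxlknlea.dll is assembled from values in the CFScript, not copied
# from the poster's real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {8a20c3d8-30ba-843b-fff4-afe1f7324233} - {3324237f-1efa-4fff-b348-ab038d3c02a8} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: Example PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Reader\ExampleHelper.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\Example AV\exampleav.exe /startup
O4 - HKLM\..\Run: [68d716db] rundll32.exe "C:\WINDOWS\system32\rxlknlea.dll",b
O23 - Service: Example AV Service (ExampleSvc) - Example Vendor - C:\Program Files\Example AV\examplesvc.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


# One HJT entry: a section code (R0-R3, F0-F3, N1-N4, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# A Windows path ending in a loadable file; spaces are allowed, quotes/commas end it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|,]+?\.(?:dll|exe|sys|ocx)', re.IGNORECASE)
# An O4 Run value whose name is eight hex digits rather than a product name.
HEX_RUN_RE = re.compile(r"Run: \[([0-9a-f]{8})\]")
# Eight lowercase letters plus .dll: the pseudo-random naming the CFScript list shows.
RANDOM_DLL_RE = re.compile(r"[a-z]{8}\.dll")


def triage_line(line: str) -> list[Finding]:
    """Apply the three heuristics to a single HJT entry and return any findings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # blank line or log header, not an entry
    kind, body = m.group("kind"), m.group("body")
    findings: list[Finding] = []

    # 1. Orphaned entries: the hook/BHO is still registered but its file is gone.
    if body.endswith("(no file)"):
        findings.append(Finding("info", f"{kind} entry is orphaned (no file); safe to fix in HJT", line))

    # 2. Pseudo-random DLL names inside system32 (Vundo/Virtumonde style).
    for path in PATH_RE.findall(body):
        directory, _, name = path.rpartition("\\")
        if directory.lower().endswith("\\system32") and RANDOM_DLL_RE.fullmatch(name):
            findings.append(Finding("high", f"{kind} loads {name} from system32: 8-random-letter name", line))

    # 3. Auto-run values with a hex blob for a name instead of a product name.
    hexm = HEX_RUN_RE.search(body)
    if kind == "O4" and hexm:
        findings.append(Finding("medium", f"O4 Run value named '{hexm.group(1)}' looks auto-generated", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a log, most severe findings first."""
    order = {"high": 0, "medium": 1, "info": 2}
    found = [f for line in log_text.splitlines() for f in triage_line(line)]
    return sorted(found, key=lambda f: order[f.severity])


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity; a severity with no hits has no key."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line.strip()}")
    print(summarize(results))
```

The random-name rule is a prioritisation heuristic, not a verdict: a few legitimate Windows DLLs happen to have eight-letter names (localspl.dll, for instance), so a "high" hit means "look at this file first", and the file's publisher, timestamp and a scan result still decide. Orphaned "(no file)" entries are the least urgent, which is why the script ranks them last.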
 
Alright, thank you very much Momok; your help, along with everyone else's, is greatly appreciated. I had no idea the extent of the damage until you guys helped me.
 
Hi,

Your logs look clean now.

  1. Please download and run CCleaner via step 9 of the instructions HERE.

  2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  3. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  4. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of zoidb3rg only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thread closed as the problem appears to have been resolved. Should the original starter require it to be reopened, please PM a mod.
 