Viruses/Spyware/Malware, preliminary removal instructions

By shiva64
Mar 27, 2008
  1. Hi Julio,
    I came across your solution for removing spyware and malware and gave it a go.
    Please could you look at the log files attached, as mentioned in your post. While carrying out the solution I seem to have lost the system32\oidlmehb.dll and the system32\gaxhrtrs.dll. Also the solution has not removed a trojan (AVAST keeps alerting to) Win32:Agent-BSU [TrJ]. Please help.


  2. kritius

    kritius TS Guru Posts: 2,084


    Before I can look over the log I would like you to do a couple of things for me:

    1) Disable TeaTimer
    Please disable TeaTimer as it may interfere with the fix.
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    2) Run AVG Anti-Spyware again and get it to quarantine the results.

    3) I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky Online Scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.

    Thanks, and sorry for getting looked over yesterday, it's pretty busy round here.
  3. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Kaspersky scan

    Thanks for that. Please see kaspersky scan log attached. Let me know what you think.
  4. kritius

    kritius TS Guru Posts: 2,084

    Delete Files and Folders
    • Right-click on the Start button and choose Explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them (if still present)
    C:\d.exe<---------This File
    C:\Documents and Settings\Varinder\Local Settings\Temp\2961271612.exe<---------This File
    C:\Documents and Settings\Varinder\Local Settings\Temp\csrssc.exe<---------This File
    C:\Program Files\MSN Messenger\riched20.dll<---------This File
    C:\WINDOWS\system32\jfiehayd.dll<---------This File
    C:\WINDOWS\system32\service.exe<---------This File

    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.


    This one is service.exe and not services.exe

    Navigate to this folder and delete the contents of it but not the folder itself,
    Empty the recycle bin

    Run HijackThis again after you have turned off Spybot's TeaTimer using the instructions I gave earlier.
    Also run Kaspersky again.
  5. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Hi Kritius,
    Tried to set "show all hidden files and folders" but for some reason the option is not available. Tried through Windows Help and got the message "This operation is cancelled due to restrictions in effect on this computer. Please contact system admin."
  6. kritius

    kritius TS Guru Posts: 2,084

    Back up the registry, see how HERE

    1. Click Start - Run - type Regedit
    2. Here expand to HKEY_CURRENT_USER
    3. In the right-side pane, check for the DWORD value NoFolderOptions
    4. If it is not there then create a new DWORD value by right-clicking
    5. Type the name 'NoFolderOptions' and press Enter.
    6. Double-click the entry and set the value to 0
    7. Open any folder and see if Folder Options is there. If it is still not there then log off and log in again, or restart.

    Try that
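    To check the restriction described above (and the "regedit disabled by administrator" message that comes up later in this thread) in one go, here is an added PowerShell script that is not part of the thread or of any tool it mentions. It assumes the standard Policies\Explorer and Policies\System locations, which the post does not spell out, and checks HKLM as well as HKCU.

```powershell
# Added example, not from the thread: audit the policy values that hide Folder Options
# and block Regedit, and revert them when run with -Fix. The registry paths are the
# standard policy locations (an assumption; the post above does not spell them out).
# Run from an elevated PowerShell so the HKLM entries can be changed too.
param([switch]$Fix)

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Path) {
        # A missing value and 0 both mean "no restriction"; anything else is a restriction
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($null -eq $value -or $value -eq 0) {
        Write-Output ("OK       {0}\{1}" -f $c.Path, $c.Name)
        continue
    }
    Write-Output ("RESTRICT {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
    if ($Fix) {
        # Same change as step 6 of the post: set the value to 0, then log off/on or reboot
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
        Write-Output ("FIXED    {0}\{1} -> 0" -f $c.Path, $c.Name)
    }
}
```

    The DisableRegistryTools policy only stops regedit.exe, so this script still runs while Regedit reports that it is disabled. If a value comes back after a reboot, something still running is re-setting it, and the scanners need to find that first.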
  7. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Thanks, I'll give it a shot.
  8. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    what a mess

    Couldn't run regedit, message "regedit disabled by administrator" even though I am one.
    What I did:
    1, Tried to run backup utility - wouldn't back up to CD drive. Instead saved to desktop then copied to CD successfully.
    2, Couldn't unhide hidden files and folders so used search to find the files listed and removed them that way instead. Not sure if this will give the same result.
    3, Since running Kaspersky the computer got worse, more WIN32:agents messages. Also Google page turned black. Also when I tried to uncheck Resident TeaTimer, Resident kept blocking this even though I had exited at the system tray. Took a few goes before it allowed it.
    4, After doing 1 and 2, no more WIN32:bsu messages yet. Google page is normal. However tried running regedit, still saying it is disabled. Also still getting message that modules c:\windows\system32\oidlmehb.dll and gaxhrts.dll not found.

    About to run Kaspersky again, will post as soon as it finishes.
  9. kritius

    kritius TS Guru Posts: 2,084

    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    This thread is for the use of shiva64 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  10. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43


    I'll do that now. Please find HJT and Kaspersky scans attached.
  11. kritius

    kritius TS Guru Posts: 2,084

    Can you run HJT from normal mode please? After Malwarebytes finishes.
  12. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    I'll try it now and post if doable with malware log.
  13. kritius

    kritius TS Guru Posts: 2,084

    I need it after Malwarebytes finishes.
  14. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43


    Tried to upload both scans but the webpage froze. Trying to upload again but the attachment screen just says attachment in progress and upload errors.
  15. kritius

    kritius TS Guru Posts: 2,084

    Try deleting your previous uploads.
  16. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43


    Please find scan attached. HijackThis was done after Malwarebytes had finished.
  17. kritius

    kritius TS Guru Posts: 2,084

    I'll look over them as soon as I can. Pretty backlogged here.
  18. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    No probs, catch up later.
  19. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Hi Kritius,
    Did you get a chance to look at those scans I sent?
  20. kritius

    kritius TS Guru Posts: 2,084

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O4 - HKLM\..\Run: [343a4aeb] rundll32.exe "C:\WINDOWS\system32\gaxhrtrs.dll",b
    O20 - Winlogon Notify: nnnoonn - C:\WINDOWS\

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Boot into safe mode and delete this file,


    Boot into normal mode

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please attach C:\vundofix.txt
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please Download VirtumundoBeGone by secured2k
    • Save the file to your desktop
    • Close all running programs (including your Internet Browser)
    • Double-click VirtumundoBeGone.exe on the desktop
    • Read the introductory information, and then click Continue
    • Click Start
    • When asked if you want to continue, click Yes to run the fix
    • Click "Save Log"

    Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

    The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

    Empty Recycle Bin.

    Reboot and "attach" a new HijackThis log file along with the VBG.TXT into this thread.
    Also please describe how your computer behaves at the moment.
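    The two HijackThis lines in this post are a Run-key entry that loads a DLL through rundll32 (O4) and a Winlogon Notify subkey (O20). As an added example that is not from the thread or from HijackThis, the following PowerShell lists both kinds of entry on the machine and reports whether each DLL exists and carries a valid signature; it only reads, it removes nothing.

```powershell
# Added example, not from the thread: list the two autorun entry types the HijackThis
# lines above show (O4 Run-key rundll32 loaders and O20 Winlogon Notify DLLs).
# Read-only: it reports on each DLL and changes nothing.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-DllStatus([string]$dll) {
    # Bare file names resolve from System32, the same way the loader finds them
    if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
    if (-not (Test-Path $dll)) { return "$dll [MISSING]" }
    $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
    return "$dll [signature: $sig]"
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # provider metadata, not Run entries
        $cmd = [string]$p.Value
        # O4-style entry: rundll32.exe "<dll>",<export>
        if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?') {
            Write-Output ("O4  {0}\{1}: {2}" -f $key, $p.Name, (Get-DllStatus $Matches[2]))
        }
    }
}

# O20-style entries: each subkey under Winlogon\Notify names its DLL in the DllName value
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        if ($dll) { Write-Output ("O20 {0}: {1}" -f $sub.PSChildName, (Get-DllStatus $dll)) }
        else { Write-Output ("O20 {0}: no DllName value" -f $sub.PSChildName) }
    }
}
```

    An unsigned DLL is not proof of infection on a system of this era, so treat the list as leads to check (random-looking names in system32, missing files, entries you did not install) rather than as a verdict.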
  21. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Will do. Thanks.
  22. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43


    Hi, ran HijackThis, deleted both files after scan only.

    Restarted Windows - Avast on-access protection won't run and internet connection won't work either. Message: error 711, The remote access service manager could not start. Further detail - check Plug and Play or Remote Access Connection Manager. On checking, Plug and Play was running but Remote Access wasn't. Tried to start it but got a further error 1084 - "This service cannot be started in Safe Mode".

    Hence not downloaded Vundofix.
  23. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Sorry, note the computer wasn't and isn't in safe mode.
  24. TimeParadoX

    TimeParadoX TS Rookie Posts: 2,273

    Download the programs he requested while still online. Once you boot into safe mode you will not have an Internet connection or your anti-virus protection programs running. Don't worry though, in safe mode many services do not run except the ones made by Microsoft to keep your computer stable.
  25. shiva64

    shiva64 TS Rookie Topic Starter Posts: 43

    Hi, I'm only online on my laptop, not on the main computer. Also I wasn't in safe mode.
Topic Status:
Not open for further replies.
