Finished 8 Steps, here are my logs

[DenzilVoorhees]

Had loads of problems over the past week, desktop doesn't show up (found out this was a problem with explorer.exe). Attached the logs as requested, the file called "Trojan" is the results of an AVG Anti-Virus that I copied down.

Hope you can help,

been battling this infection for a week and counting!

 

[mflynn]

Run HJT Scan only and select and Fix all lines listed below
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll

OK update then run both MBAM and SAS again!

In the last MBAM run there was "No Action taken" meaning you did not elect to clean the found items. Please do so on this run.

Post both logs!

Mike

 

[DenzilVoorhees]

Hi,

Done the steps that you told me to do above.

Attached are new logs.

 

[mflynn]

Run HJT Scan only and select and Fix all lines listed below
O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
O4 - HKUS\.DEFAULT\..\Run: [vblzhjpb.exe] C:\WINDOWS\vblzhjpb.exe (User 'Default user')
O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll

Another run indicated!
OK there were found/removed items in both MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time.

So another run Quick Scan will likely find more. So UPDATE both and run again.

Mike

 

[DenzilVoorhees]

Done and logs attached.

 

[mflynn]

OK more found run both again!

mike

 

[DenzilVoorhees]

Hi,

Am trying to run them again but have a problem now where Windows restarts within around 2 - 5 minutes of being on.

 

[mflynn]

That sounds like a heat related problem.

Try it in Safe Mode with Networking? Post logs!

If it works in Safe Mode then reboot to normal and do nothing for 10 minutes if it stays on, then repeat in normal to see if it is the MBAM orSAS that is doing it.

Mike

 

[DenzilVoorhees]

Done again.

Logs attached.

 

[mflynn]

OK still some left they could not handle!

Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

EDIT: Forgot to pase belo
Run HJT Scan only and select and Fix all lines listed below
O2 - BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll
O4 - HKUS\S-1-5-18\..\Run: [zzgoownz.exe] C:\WINDOWS\zzgoownz.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [bnagyziz.exe] C:\WINDOWS\bnagyziz.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rveisllf.exe] C:\WINDOWS\rveisllf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfwopopy.exe] C:\WINDOWS\lfwopopy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntqvfbhx.exe] C:\WINDOWS\ntqvfbhx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [phnrcexg.exe] C:\WINDOWS\phnrcexg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfzxtelk.exe] C:\WINDOWS\lfzxtelk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjydccme.exe] C:\WINDOWS\tjydccme.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlprywgl.exe] C:\WINDOWS\xlprywgl.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpnsmuvr.exe] C:\WINDOWS\fpnsmuvr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [phjrmbpj.exe] C:\WINDOWS\phjrmbpj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjyruioa.exe] C:\WINDOWS\tjyruioa.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [vxvwghpn.exe] C:\WINDOWS\vxvwghpn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zzgoownz.exe] C:\WINDOWS\zzgoownz.exe (User 'Default user')
O20 - Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll

 

[DenzilVoorhees]

Hi,

That O2 (- BHO: (no name) - {8F8621B9-5221-48ED-B2B8-EFC4C01E45EA} - c:\windows\system32\tuxsjrw.dll) and O20 (- Winlogon Notify: jwrwrqdi - C:\WINDOWS\SYSTEM32\tuxsjrw.dll) doesn't seem to budge.

Also the SDFix won't run on my laptop keeps coming up with a blue screen & fatal error not long after it has started, i've tried around 5 times.

So i've only got 2 logs for you this time.

 

[mflynn]

ComboFix is full of found nasties.

Run combofix again!

Mike

 

[mflynn]

COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

File::
C:\WINDOWS\jrcbmogf.exe
C:\WINDOWS\fpogbmbz.exe
C:\WINDOWS\vxvzgphe.exe
C:\WINDOWS\hdlzgvam.exe
C:\WINDOWS\rvhtlpxy.exe
C:\WINDOWS\vxvoxoog.exe
C:\WINDOWS\lfoihuuq.exe
C:\WINDOWS\jrcbmogf.exe
c:\windows\system32\tuxsjrw.dll
C:\WINDOWS\system32\ctfmon.exe

Then drag this script and drop on top of ComboFix.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

When finished, it will create a log. Attach the log back to us.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Mike

 

[DenzilVoorhees]

Followed instructions above and have attached Log.

 

[mflynn]

Still there!

Do this!

Download then Roguefix http://www.internetinspiration.co.uk/downloads/roguefix_2.239.bat Note if the file opens instead of downloading then Rt click and chose "Save As"

When finished it will reboot the computer when back to desktop do the below.

Go here first download SmitfraudFix http://siri.geekstogo.com/SmitfraudFix.php
the instructions for running it are also on this page print page if necessary and run it.

After reboot run both MBAM and ComboFix to confirm it is gone.Attach logs!

Mike

 

[DenzilVoorhees]

Hi,

I've managed to run Roguefix and have attached a log.

However, when i try to run SmitfraudFix: I load up safe mode (normal, networking and command line options) and then my computer freezes before i can do anything. Is it ok to run this in normal windows mode? I did manage to take a log (in normal windows operation) but haven't run any fixes from that program.

Argh!!!!

 

[mflynn]

OK in normal mode first

run 2 3 5

When it asks to clean the registry answer yes!

Then boot to Safe Mode only and try the same steps from there.

What you posted looked OK but the above just to be sure!

How is computer after the above and is AVG still detecting the issues?

Mike

 

[DenzilVoorhees]

AVG isn't detecting anything. However every time i try to run SAS it shuts down my computer.

 

[DenzilVoorhees]

Run steps 2-3-5 in normal mode. See attached Log.

Safe mode still not working.

 

[mflynn]

In Add/Remove Programs uninstall SAS reboot re download and reinstall.

If it then still does the same, try it from Safe Mode!

Are you are thinking the same as me, if it ran before and not now the there may be more malware?

Because there is a reason it will not run now.

Do the below when you can.

Go here Download DrWeb https://www.techspot.com/vb/post724044-3.html

Then....

Boot to Safe Mode only! Not with Networking and run...

DrWeb will fisrt do an Express Scan on its own when it completes then you should do a full scan.

The first Virus it finds select Cure and do the same for all the rest.

This could take hours!

Mike

 

[DenzilVoorhees]

Safe mode on it's own isn't working. Loads to desktop then freezes.

 

[mflynn]

And normal mode does! Hmm!

Lets cleanup:

Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.

The do a full power off Shutdown wait 30 seconds and power back up try Safe mode now!

Mike

 

[DenzilVoorhees]

I've ran all those cleaners and still can't get safe mode to work.

Followed the System Restore instructions too. Still no working safe mode.

 

[DenzilVoorhees]

Still can't get into safe mode.

Now, uninstalled AVG and trying to install Avira but keep getting the following error message:

"The CRC Sum of
C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\basic\setup.exe has been changed! This could be due to a virus! Do you want to shut down setup?"

Then there is only an "OK" box and it quits the installation.

Plus i've had a problem with the laptop installing my BT Voyager 105 modem.

 

[DenzilVoorhees]

Still can't get safe mode to work.

The problem with the BT Voyager modem is that it tries to install the hardware (at the bottom right hand corner) and then saying that there was a problem installing it and causes the installer to stop.