HELP! with my computer virus

Status: Not open for further replies.

davidstl

Dear TechSpot,
My computer is freezing up when I click on links, it is running really slow, and my antivirus says that I am infected but it does not heal or delete the problems. Different virus programs find different numbers of "threats". McAfee found 50+, and Avast found like 89 different threats. Please help me if you can. PS I also get pop-ups for spyware removers and porn, and something called "run-time error '424' object required".
Please HELP!
davidstl
 
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
HELP! with my computer virus PART DEUX

Dear Howard,
I just got your reply to my post. I would like to try the cleaning tools you provided. I don't do any online banking, but I have done shopping in the past, like from Amazon and eBay and stuff. Can I still use your tools? Or would there still be a "backdoor trojan" threat? I am a computer novice at best.
 
Ok, before continuing with my instructions, let's try and see what nasties you have on your system. Go and read this thread HERE, then post a HJT log as an attachment into this thread.

Regards Howard :)
 
Dear Howard,
This is my HJT log. But how do I send you a copy of my AVG virus list?
Thanks for the help.
Davidstl
 
Attachment: hijackthis.log (6.7 KB)

I don't require your AVG virus list.

Your system is badly infected with all kinds of nasties.

You need to follow the instructions in my first post.

Once you've done that, please post a fresh HJT log and an AVG Antispyware log.

Regards Howard :)
 
Dear Howard,
I ran your four suggested tools and suddenly all is well. I appear to be running smoothly and so far no sex pop-ups (even though one was really good). I mean, so far you fixed me right up. Thanks a lot, and I'll attach a new HJT log. I still can't figure out how to attach an AntiSpyware log. But there WAS spyware on my computer.
Thanks
Davidstl

PS how do I choose which boxes to check for deletion and which ones should be left untouched in the HJT Log?
PPS I spoke too soon. I'm currently rerunning AVG AntiVirus, and it's found 3. However, that is better than 89. Plus I'm still surfing and no pop-ups or freezing.
 
Your system is still badly infected with a variety of nasties.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

Download and install AVG Antispyware (formerly Ewido) from http://download.ewido.net/ewido-signatures-full-current.exe
Double-click the icon on your desktop to run it.
On the top of the main screen click Shield. Click the word active to change it to inactive.
On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
When you have finished updating, exit AVG Antispyware.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with (if there):

Easy SpyRemover

Close your control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Microsoft Updates
PPPOEO


Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for (if there):

xjqlu.exe
iexpfxc.exe
wkssvr.exe

pingppac.exe
EasySpyRemover.exe
haahus.exe

pwintoea.exe
SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe

Close task manager.

Make sure all windows are closed. Run AVG Antispyware.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.

Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.


Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xjqlu.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iexpfxc.exe

O2 - BHO: (no name) - {1CB5068C-96FC-C741-8C31-0452599DB167} - C:\WINDOWS\System32\bceazsf.dll

O2 - BHO: (no name) - {21135A9A-5827-4749-337D-0847EB327A87} - C:\WINDOWS\System32\wlsnsyj.dll

O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvilz.dll (file missing)

O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe

O4 - HKLM\..\Run: [PPPOEO] pingppac.exe

O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart

O4 - HKLM\..\Run: [fswubun.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc

O4 - HKLM\..\Run: [xnxjqv.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xnxjqv.dll,ivsglze

O4 - HKLM\..\Run: [gqeyuq] C:\WINDOWS\System32\haahus.exe reg_run

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwintoea.exe SKY001

O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe

O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe

O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe

O4 - HKCU\..\Run: [dnlav] C:\WINDOWS\System32\haahus.exe reg_run

O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwintoea.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll

O20 - Winlogon Notify: winxrn32 - winxrn32.dll (file missing)

O21 - SSODL: NginoXDAt - {36536D5F-9CF9-C7F5-63F4-75EE64BFB981} - C:\WINDOWS\System32\xpf.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\System32\xjqlu.exe
C:\WINDOWS\system32\userinit.exe,iexpfxc.exe
C:\Program Files\Easy SpyRemover (delete the entire folder)
C:\WINDOWS\System32\haahus.exe
C:\WINDOWS\SYSTEM32\pwintoea.exe

wkssvr.exe
pingppac.exe
(Search your system for these two files and delete all instances found.)

C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\System32\bceazsf.dll
C:\WINDOWS\System32\wlsnsyj.dll
C:\WINDOWS\System32\fswubun.dll

C:\WINDOWS\System32\xnxjqv.dll
c:\windows\system32\ldcore.dll
C:\WINDOWS\SYSTEM32\instcat.dll

C:\WINDOWS\System32\xpf.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log as well as an AVG Antispyware log.

Regards Howard :)
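
The entries Howard asks HJT to fix above fall into a handful of Windows persistence locations: the system.ini Shell and UserInit values (F2), Browser Helper Objects (O2), Run/RunServices values (O4), AppInit_DLLs and Winlogon Notify packages (O20) and ShellServiceObjectDelayLoad (O21). The following is an added example, not part of the thread and not code from the HijackThis project, that parses HJT-format lines and flags the structural tells a practitioner looks for before knowing any file names: a Shell or UserInit value with an extra program appended, a bare unqualified file name in a Run value, a DLL started through rundll32, any AppInit_DLLs value at all, and Winlogon Notify or SSODL entries outside a small allowlist. The allowlists are assumed, illustrative stock Windows XP sets, not an authoritative baseline. The sample input is taken from the log entries quoted in the post above plus one constructed benign ctfmon.exe line as a control that must not be flagged.

```python
import re

# Section code (F2, O4, O20, ...) followed by " - " and the entry body.
HJT_LINE = re.compile(r"^(?P<section>[FORN]\d+)\s+-\s+(?P<body>.*)$")
# O4 bodies look like:  HKLM\..\Run: [Value name] command line
O4_BODY = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A command starting with a drive letter, a UNC path or %VAR% is path-qualified;
# a bare file name such as "wkssvr.exe" is resolved through the search path.
QUALIFIED = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')

# Assumed allowlists (illustrative, not exhaustive): Winlogon Notify packages and
# ShellServiceObjectDelayLoad entries found on a stock Windows XP install.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                         "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
KNOWN_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray"}


def parse_hjt_line(line):
    """Return (section, body) for one HJT log line, or None if it is not an entry."""
    m = HJT_LINE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(lines):
    """Return [(entry, [reasons])] for every entry that trips a structural check.

    The checks look at where and how something is loaded, not at file names,
    so they do not depend on a signature database.
    """
    findings = []
    for raw in lines:
        parsed = parse_hjt_line(raw)
        if not parsed:
            continue
        section, body = parsed
        reasons = []
        if "(file missing)" in body:
            reasons.append("orphaned entry: target file missing")
        if section == "F2":
            # Stock values are Shell=Explorer.exe and UserInit=<sysdir>\userinit.exe,
            # anything appended is a second program started at logon.
            if body.startswith("REG:system.ini: Shell="):
                if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                    reasons.append("Shell hijack: extra program after Explorer.exe")
            elif body.startswith("REG:system.ini: UserInit="):
                parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
                if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
                    reasons.append("UserInit hijack: extra program runs at logon")
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        elif section == "O4":
            m = O4_BODY.match(body)
            if m:
                cmd = m.group("cmd")
                if "rundll32" in cmd.lower() and ".dll" in cmd.lower():
                    reasons.append("DLL loaded at startup via rundll32")
                if not QUALIFIED.match(cmd):
                    reasons.append("unqualified path: resolved via search path")
        elif section == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs set: injected into every process that loads user32.dll")
            m = re.match(r"^Winlogon Notify: (\S+) -", body)
            if m and m.group(1) not in KNOWN_WINLOGON_NOTIFY:
                reasons.append("unknown Winlogon Notify package")
        elif section == "O21":
            m = re.match(r"^SSODL: (\S+) -", body)
            if m and m.group(1) not in KNOWN_SSODL:
                reasons.append("unknown ShellServiceObjectDelayLoad entry")
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


# Sample input: entries quoted from the HJT fix list in the thread, plus one constructed
# benign control line (ctfmon.exe) that a stock XP box shows and that must NOT be flagged.
SAMPLE_HJT_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xjqlu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iexpfxc.exe
O2 - BHO: (no name) - {1CB5068C-96FC-C741-8C31-0452599DB167} - C:\WINDOWS\System32\bceazsf.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvilz.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\Run: [fswubun.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O21 - SSODL: NginoXDAt - {36536D5F-9CF9-C7F5-63F4-75EE64BFB981} - C:\WINDOWS\System32\xpf.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT_LINES.splitlines()):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Nine of the eleven sample entries are flagged. Note what is not: the Easy SpyRemover Run value has a normal Program Files path and no structural oddity, so a rogue "antispyware" installer like that one is only caught by knowing the product name or file hash, which is exactly why the thread relies on an analyst reading the log rather than on rules alone.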
 
Dear Howard,
Whoa! Okay. I'll give this all a try. It could take me awhile. Thanks and here goes...
Davidstl
 
No problem, mate, just take your time and follow the instructions very carefully.

Regards Howard :)
 
Dear Howard,
I have finished following the instructions you gave me, and I'll post a fresh HJT log here too, plus my AVG AntiSpyware log. I have concerns, though, because AVG AntiSpyware, while it detected over 200 tracking threats and downloaders, did NOT move or delete them; it IGNORED them. Why? Don't I want them removed or deleted?
My other concern is that while in Safe Mode the HJT FIXed the items you asked me to remove, but when I checked HJT in Normal Mode all the items you asked me to FIX were still listed...Why? I thought I just "FIXed" them.
My last two concerns are: any instance of instcat.dll could NOT be fixed or deleted. Why? And lastly, something by ThinkAds is currently sending me Pop-ups. Why? Why me?
Davidstl
 
The reason AVG ignored everything is that, when it finished scanning, you needed to tell it what you wanted it to do with the results. See this pictorial guide HERE.

It also appears you've posted a fresh HJT log from safe mode, when what I needed was a log from normal mode.

Run AVG Antispyware again in safe mode and apply the correct actions to the results. Then, reboot into normal mode and run a HJT scan. Post both HJT and AVG Antispyware logs.

Regards Howard :)
 
Dear Howard,
I'm surfing without freezing, but I have new problems.
1.) RUNDLL error loading c:\windows\system32\xnxjqv.dll
The specified module could not be found.
2.) RUNDLL error loading c:\windows\system32\fswubun.dll
The specified module could not be found.
I get these messages when I turn on the computer.
3.) I can't shut down my computer from the Start button anymore. When I click Shut Down it only restarts. Sometimes I get this message on a black screen: STOP: c000021a {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down.
4.) I'm still getting ad pop-ups for schools and classmates.

I'm trying again with the AVG AntiSpyware and HJT. Sorry I sent you the wrong stuff. I really need your help.
Davidstl
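
"RUNDLL ... The specified module could not be found" is what rundll32.exe reports when the DLL named on its command line cannot be loaded. The two paths in the report above match the `O4 - HKLM\..\Run: [fswubun.dll]` and `[xnxjqv.dll]` entries from the earlier log and the files on the Killbox list, so the symptom is consistent with the DLLs having been deleted while their Run values survived (the poster had already noticed that the safe-mode HJT fixes were not visible in normal mode). The remedy is to remove the stale value, not to put the DLL back. The following is an added example, not from the thread or from any of the tools it mentions, that parses rundll32 command lines from Run values, reports the ones whose DLL is gone, and emits the matching `reg delete` commands (real reg.exe syntax, to be run from an administrator prompt). The sample dictionary is constructed to mirror the O4 entries quoted earlier, plus a constructed benign NvCplDaemon control whose DLL is still present; on a live host, read the values from the Run keys and omit the `existing_files` argument so the real filesystem is checked.

```python
import os
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# A rundll32 command line as stored in a Run value / shown in an HJT O4 entry:
#   C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc
# Group "dll" is the module rundll32 will load, "entry" the export it calls.
RUNDLL32_CMD = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+)"?(?:,\s*(?P<entry>\S+))?',
    re.IGNORECASE,
)


def rundll32_target(cmd):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_CMD.match(cmd)
    if not m:
        return None
    return m.group("dll").strip(), (m.group("entry") or "").strip()


def find_orphaned_rundll32(run_values, existing_files=None):
    """Return [(value_name, dll_path)] for Run values whose DLL no longer exists.

    run_values: {value name: command line}, as read from a Run key.
    existing_files: set of paths to treat as present (for offline tests); when
    None the real filesystem is consulted with os.path.exists.
    """
    if existing_files is None:
        exists = os.path.exists
    else:
        present = {p.lower() for p in existing_files}
        exists = lambda p: p.lower() in present
    orphaned = []
    for name, cmd in run_values.items():
        target = rundll32_target(cmd)
        if target and not exists(target[0]):
            orphaned.append((name, target[0]))
    return orphaned


def removal_commands(orphaned, key=RUN_KEY):
    """reg.exe commands that delete the stale values (run from an admin prompt)."""
    return [f'reg delete "{key}" /v "{name}" /f' for name, _ in orphaned]


# Constructed sample mirroring the O4 HKLM\..\Run entries quoted in the thread,
# plus a constructed benign control (NvCplDaemon) whose DLL is still present.
SAMPLE_RUN_VALUES = {
    "fswubun.dll": r"C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc",
    "xnxjqv.dll": r"C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xnxjqv.dll,ivsglze",
    "gqeyuq": r"C:\WINDOWS\System32\haahus.exe reg_run",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
}
# Files assumed to survive the cleanup: the two malware DLLs are gone, NvCpl.dll is not.
SAMPLE_PRESENT_FILES = {r"C:\WINDOWS\system32\NvCpl.dll"}

if __name__ == "__main__":
    stale = find_orphaned_rundll32(SAMPLE_RUN_VALUES, SAMPLE_PRESENT_FILES)
    for name, dll in stale:
        print(f"[{name}] -> {dll} is missing: this value produces the RUNDLL error at logon")
    for cmd in removal_commands(stale):
        print(cmd)
```

The same check applies to the HKCU Run key (the log above also had HKCU entries); pass the HKCU path as `key` to `removal_commands` for those. Entries that do not go through rundll32, such as `[gqeyuq] haahus.exe reg_run`, are ignored here on purpose: a missing .exe fails silently rather than with the RUNDLL dialog, so they need a separate existence check.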
 
Once I have your new HJT and AVG Antispyware logs, I`ll be in a better position to help you.

Regards Howard :)
 
Dear Howard,
Okay, I've just finished the new AVG AntiSpyware scan and applied the proper delete action. The scan took an hour and a half in safe mode. Now I can quickly give you a new HJT log, but a new AVG AntiSpyware scan in normal mode will be another two hours, I'm sure; I'll scan after this message is sent. I will shoot it to you after. Thanks for hanging in there with me.
Davidstl
 
Your system is still heavily infected with lots of nasties.

Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the Add Files button, followed by the Close Window button. Click the Remove Vundo button and let Vundofix do its stuff.

These are the filepaths you need to enter into Vundofix.

C:\WINDOWS\System32\xpf.dll
C:\WINDOWS\SYSTEM32\instcat.dll
c:\windows\system32\ldcore.dll

C:\WINDOWS\System32\fswubun.dll
C:\WINDOWS\System32\xnxjqv.dll

Post a fresh HJT log after doing the above.

Regards Howard :)
 
Dear Howard,
Okay, here are my fresh AVG and HJT Logs. I'm running VundoFix right now and I'll get back to you. Thanks.
Davidstl
 
Ok, no problem. Once I have your new HJT log after running Vundofix, I'll see what's left for us to get rid of.

Regards Howard :)
 
Dear Howard,
I just finished VundoFix and it deleted all suggested files minus c:\windows\system32\instcat, which it could not delete. There was no reason given why.
Here is the latest HJT Log file.
I'm still getting ThinkAdz pop-ups.
Thanks,
Davidstl
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt to your reply after it reboots, and post a fresh HJT log.

Regards Howard :)
 
Dear Howard,
Okay, I ran Avenger. However, when it attempted to auto-reboot, the system shut down, giving me the {Fatal System Error}... message again. I can then only restart by holding in the power button on my tower. Sucks.
Davidstl
 
Ok, that`s got rid of some of the nasties but not all of them.

Download and run the Blacklight programme. Follow all the instructions carefully.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log and let me know the Blacklight results. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Regards Howard :)
 
Ok, Combofix has identified a rootkit on your system.

Please go HERE and follow the instructions for removing the Rustock rootkit.

I've also noticed that you haven't renamed your last HJT log and that you're running HJT from the wrong location. Please follow the instructions in this thread HERE for HJT placement and renaming.

Once you've done that, please post fresh Combofix and HJT logs.

Regards Howard :)
 
Dear Howard,
It is easy when someone else does the work. Thank you. And I am taking the next steps now.
PS
My computer seems to shut down from the Start button again. Thanks.
Though I still get the two RUNDLL errors for C:\windows\system32\xnxjqv.dll and \fswubun.dll on start-up.
Davidstl
 