HELP! with my computer virus

Don't worry about the startup errors at the moment; we'll address them once we've got rid of the rest of the nasties on your system.

Regards Howard :)

This thread is for the use of davidstl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Dear Howard,
I just hit a brick wall. I cannot download Rustock. When I try to open or extract the file I'm told it is an invalid file: bad zip file offset.
Davidstl
 
You're the second person tonight who's had trouble downloading the Regrun Reanimator file. I downloaded it myself not long ago just to check, and it downloaded fine.

Try downloading it again. If it still won't work, you can IM me on Yahoo Messenger (details in my profile) and I'll gladly send you the files.

Regards Howard :)

 

Dear Howard,
No luck downloading reanimator. I tried 5 different download locations.
Error in file #1: bad zip file offset (error local header not found): 0.
I am new to Yahoo Messenger but I could try.
davidstl
 
OK, no problem. You can click on my Yahoo Messenger link, next to my post count.

Regards Howard :)

 
It looks like the rootkit has now gone. However, we still have a way to go before your system is clean.

Go HERE and download and install the free ZoneAlarm firewall. Reboot your system.

Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode under your normal user name (NOT the Administrator account). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

Easy SpyRemover < This programme is not to be trusted.
Yahoo!\Antivirus < You shouldn't have more than one antivirus programme running at the same time. Uninstall the Yahoo antivirus programme.

Close control panel.

Click Start > Run, type services.msc into the Run box and press the Enter key.

When the window appears, maximise it. Double-click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Microsoft Updates < This service is not genuine.
PPPOEO

Close the services window.


Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for the following (if there).

wkssvr.exe
pingppac.exe
EasySpyRemover.exe
pwintoea.exe
ucleaner_RT73o2aEZ2[1].exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each entry (if there).

O2 - BHO: (no name) - {1CB5068C-96FC-C741-8C31-0452599DB167} - C:\WINDOWS\System32\bceazsf.dll (file missing)

O2 - BHO: (no name) - {21135A9A-5827-4749-337D-0847EB327A87} - C:\WINDOWS\System32\wlsnsyj.dll (file missing)

O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvilz.dll (file missing)

O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\SYSTEM32\drivera.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe

O4 - HKLM\..\Run: [PPPOEO] pingppac.exe

O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart

O4 - HKLM\..\Run: [fswubun.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc

O4 - HKLM\..\Run: [xnxjqv.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xnxjqv.dll,ivsglze

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwintoea.exe SKY001

O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe

O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe

O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe

O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

O20 - Winlogon Notify: instcat - instcat.dll (file missing)

O20 - Winlogon Notify: winxrn32 - winxrn32.dll (file missing)

O21 - SSODL: NginoXDAt - {36536D5F-9CF9-C7F5-63F4-75EE64BFB981} - C:\WINDOWS\System32\xpf.dll (file missing)

Click on the Fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe
C:\WINDOWS\SYSTEM32\pwintoea.exe
C:\Program Files\Easy SpyRemover < Delete the entire folder.

wkssvr.exe
pingppac.exe
< Search your system for these files and delete all instances found.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete into the field and check the "Delete File on Reboot" option. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished entering the files you want to delete, and only then allow it to reboot. Hopefully your files will then be deleted. If your computer doesn't automatically restart, restart it manually.

These are the files you need to enter into killbox.

C:\WINDOWS\System32\xpf.dll
c:\windows\system32\ldcore.dll
C:\WINDOWS\System32\xnxjqv.dll
C:\WINDOWS\System32\fswubun.dll

Once your system has rebooted, re-hide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

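What the Killbox "Delete File on Reboot" step actually does is worth understanding, because it explains both why it can remove a file that Explorer and Task Manager cannot, and why a later HJT log shows the same entries as "(file missing)". The following is an added example, not Killbox's code and not part of the original thread. Windows keeps a REG_MULTI_SZ value, PendingFileRenameOperations, under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; it holds (source, destination) pairs that the Session Manager applies early in boot, before any Run key, service or shell extension has loaded. A pair whose destination is the empty string means "delete". The Win32 call MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) writes exactly such a pair; this block builds and decodes the value by hand, using the four DLL paths from the post above as its sample input.

```python
"""What "delete file on reboot" does under the hood (added example; not Killbox's
code).  The value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager is a REG_MULTI_SZ of
(source, destination) pairs.  The Session Manager applies them at the next boot,
before autostarts run.  An empty destination means delete."""
import sys

NT_PREFIX = "\\??\\"       # the value stores NT-style paths: \??\C:\...


def queue_delete(pending, win32_path):
    """Return pending plus a delete pair for win32_path (must be an absolute drive path)."""
    if len(win32_path) < 4 or win32_path[1:3] != ":\\":
        raise ValueError("need an absolute drive path such as C:\\WINDOWS\\System32\\xpf.dll")
    return list(pending) + [(NT_PREFIX + win32_path, "")]


def encode_pending(pairs):
    """REG_MULTI_SZ bytes: UTF-16LE, every string NUL-terminated, one extra NUL at
    the end.  The empty destination becomes a lone NUL, which is why a generic
    MULTI_SZ reader (which stops at the first empty string) cannot parse this value."""
    flat = [s for pair in pairs for s in pair]
    return ("".join(s + "\0" for s in flat) + "\0").encode("utf-16-le")


def decode_pending(data):
    """Inverse of encode_pending, pair-aware so empty destinations survive."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("MULTI_SZ data lacks its final terminator")
    strings = text[:-1].split("\0")[:-1]
    if len(strings) % 2:
        raise ValueError("value must hold source/destination pairs")
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings), 2)]


def is_delete(pair):
    """A pair with an empty destination is a deletion, not a rename."""
    return pair[1] == ""


def win32_path(nt_path):
    """Strip the \\??\\ prefix back off for display."""
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def apply_on_windows(pairs):
    """Write the value (Windows only, needs administrator rights).  Pass the full
    list: setting the value replaces it, so read and merge with whatever an
    installer may already have queued before calling this."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations exists only on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager",
                        0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "PendingFileRenameOperations", 0,
                          winreg.REG_MULTI_SZ, [s for pair in pairs for s in pair])


if __name__ == "__main__":
    # Sample input: the four files Howard listed for Killbox in the post above.
    queue = []
    for path in (r"C:\WINDOWS\System32\xpf.dll", r"c:\windows\system32\ldcore.dll",
                 r"C:\WINDOWS\System32\xnxjqv.dll", r"C:\WINDOWS\System32\fswubun.dll"):
        queue = queue_delete(queue, path)
    for src, _ in decode_pending(encode_pending(queue)):
        print("delete at next boot:", win32_path(src))
```

Two caveats follow from the mechanism. The deletion only happens once, at the next boot, so a dropper that is still registered in a Run key can simply write the file again afterwards; that is why the processes are ended and the O4 entries fixed before the files are queued. And the registry entries that referenced the file are not touched by the deletion at all, which is exactly what an "(file missing)" line in the next HJT log means: a dead pointer, to be fixed in HJT, with nothing left on disk.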
 
Dear Howard,
Okay, I'll try the new firewall stuff. But should I really do the other stuff again? I did those procedures yesterday as well, and the Killbox this morning.
But I'll do it all again if I must, if you think it will help somehow.
Davidstl
 
Now the rootkit has gone, you need to follow the instructions, even if they seem to be the same. Remember, we have already got rid of some nasty stuff; my post above is just what's left. If it doesn't work, then I'll have to look at other ways of getting rid of it.

Regards Howard :)

 
Dear Howard,
I am downloading ZoneAlarm and will retry the other steps in safe mode as well. This could take a while. Spyware seems to take an hour to run a scan. I'll be back.
Davidstl
 
Dear Howard,
I have bad news. ZoneAlarm caused a system crash three times. I had to uninstall it in Safe Mode just to get to my desktop or get online. And yes I followed your instructions first about removing my Yahoo.Antispy and Yahoo.Antivirus programs. I am not sure what to do now.
Davidstl

Dear Howard,
As I mentioned in my last post, ZoneAlarm caused complete system failure when I opened it. What I've done is download Kerio Firewall to see if it functions better. I hope this is acceptable.
Davidstl
 
Yes, that's absolutely fine, mate.

ZoneAlarm can cause problems on some systems; unfortunately, yours seems to be one of them.

Follow the instructions and post a fresh HJT log.

Regards Howard :)

 
Dear Howard,
Well, I have downloaded and installed Kerio Firewall, but when I click on Start Firewall nothing seems to happen. What is a firewall? Is Kerio supposed to run a spyware scan? Because it is not opening any windows or prompting me to do anything. What do I do now, just rerun Killbox and HJT?
Davidstl

Dear Howard,
Okay, I did some homework on Firewall software, but right now all the Kerio options are a bit over my head. So I am not really sure how to optimize or customize its performance to my needs or whatever. Give me some time to learn what it is and does. Also, I have uninstalled my Yahoo AntiVirus and Yahoo AntiSpyware. Do you believe AVG and Kerio will provide BETTER protection? Also, I'm now hearing a single pop sound; which program is doing that? And why? I'm getting no error message onscreen, but I feel one of the new programs is trying to tell me something...any ideas?
I completed your last commands concerning running HJT and Killbox in Safe Mode, as well as the Task Manager and Control Panel work. I am including my latest HJT Log for you to check over. Thank you and what's next?
Davidstl

Dear Howard,
Here is the latest... All seems to be working fine except for one virus.
c:\documentsandsettings\localservice\localsettings\temp\stdrun14.exe
AVG AntiVirus identifies this as a threat but could not heal or remove it.
Do you have any suggestions?
Other than that the new software is running clean scans. Which is nice comparatively.
Davidstl
 
We're so near yet so far from having your system clean. There is still one nasty entry in your HJT log, plus the stdrun14.exe to get rid of.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode under your normal user name (NOT the Administrator account). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for the following (if there).

ucleaner_RT73o2aEZ2[1].exe
stdrun14.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to it (if there).

O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue

Click on the Fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ < Delete the entire folder.
c:\documentsandsettings\localservice\localsettings\temp\stdrun14.exe

Reboot into normal mode and re-hide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Dear Howard,
Okay, I have a fresh HJT log for you and a few other questions and comments. I followed your instructions from the last post. However, I found no trace of your suggested programs in Task Manager, services.msc or Add/Remove Programs, and a file search turned up nothing.
AND when I run HJT to FIX the UCleaner stuff it does NOT. Why is it not FIXed?
PS: stdrun.exe is in the AVG AntiVirus Vault. I hope it's rendered harmless there.
Davidstl
 
Delete all files in the AVG Virus Vault.

I can find absolutely no info on the ucleaner_RT73o2aEZ2[1].exe file, and I'm beginning to run out of ideas on how to get rid of it.

Let's see if this utility can get rid of the file for you. Run the utility from safe mode. This is the file path to the file you need to delete.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe

Once done, reboot your system and post a fresh HJT log from normal mode.

Regards Howard :)

 
Dear Howard,
Which way do I delete: via Short Name or via UNC? I see both UCleaner files and EasySpyRemover files with this DILINV utility.
PS: are these programs actually doing things on my computer or are they just dead files?
Davidstl
 
Just stick to trying to delete the ucleaner_RT73o2aEZ2[1].exe file for now. This file is definitely active.

Try using the Short Name; if that causes problems, try the UNC. Instructions are in the link I gave you.

Regards Howard :)

 
Dear Howard,
I did not find any file named RT73o2aEZ2[1].exe, but I did see SFQ9A7QZ.
This was found at C:\documentsandsettings\temporaryfiles\Content.IE5\SFQ9A7QZ.
I will try to delete it and search again for RT73o2aEZ2[1].exe
Davidstl
PS: I'm surfing without freezing and I'm not getting pop-ups... what do you think this program is doing?
 
I have no idea what that file does, as I can't find any info for it. Edit: However, it appears that RT73o2aEZ2[1].exe is part of the Ultimate Cleaner programme. This is a rogue antispyware programme.

It probably isn't there, but look in Add/Remove Programs in your Control Panel for anything to do with Ultimate Cleaner and uninstall it if you find it there.

Regards Howard :)

 

Dear Howard,
Well, here is another HJT log for you. I turn up nothing in Add/Remove Programs concerning UCleaner. And when I search my C: drive it finds nothing related to RT73o2aEZ2[1].exe.
If this is an ACTIVE program, how come it doesn't show in a file search or appear in Task Manager or anywhere? Just how am I to locate and remove or terminate it on my system?
It is 10:30 PM here. I'm going to bed. Thank you for all the help.
Davidstl
 
Run HJT with no other programmes open. Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each entry (if there).

O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Click on the Fix checked button.

Close HJT and reboot your system.

Run HJT and see if the O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue entry is still there. If it is, we'll try a registry edit next.

Regards Howard :)

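Every fix list in this thread (the long one after the rootkit was removed, the Ultimate Cleaner entry, and the O4/O6 entries just above) comes from reading HJT sections by hand, so it is worth showing what each section means for the cleanup on disk. The following is an added example, not HijackThis code and not part of the original thread: a small triage pass over HJT-format lines. The sample lines are copied from the entries posted in this thread; the flagging rules are this example's own heuristics, chosen to explain why an entry matters and what has to happen to it (fix the registry pointer, delete every copy of a bare filename, queue a locked DLL for deletion on reboot).

```python
"""Triage of HijackThis (HJT) log lines (added example; not HJT's own code).
Each rule says why an entry matters and what the fix on disk has to be."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries Howard asked HJT to fix, verbatim.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1CB5068C-96FC-C741-8C31-0452599DB167} - C:\WINDOWS\System32\bceazsf.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\Run: [fswubun.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fswubun.dll,qrjvihc
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwintoea.exe SKY001
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O21 - SSODL: NginoXDAt - {36536D5F-9CF9-C7F5-63F4-75EE64BFB981} - C:\WINDOWS\System32\xpf.dll (file missing)
"""


@dataclass
class Finding:
    section: str                      # HJT section: O2, O4, O20 ...
    target: str                       # file the entry launches or loads
    reasons: list = field(default_factory=list)


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")   # hive, key, value name, command
IMAGE_RE = re.compile(r'"([^"]+)"|(\S+)')                       # quoted path or first token


def launched_image(command):
    """The executable a Run-key command line starts: the quoted path if the
    value is quoted, otherwise the first whitespace-delimited token."""
    m = IMAGE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command


def triage_line(line):
    """Return a Finding for one HJT line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    f = Finding(section, rest)
    low = rest.lower()
    if "(file missing)" in low or "(no file)" in low:
        f.reasons.append("orphan: the registry still points at a file that is gone; "
                         "fix the entry, there is nothing on disk to delete")
    if section == "O4" and (m4 := O4_RE.match(rest)):
        hive, key, name, command = m4.groups()
        image = launched_image(command)
        f.target = image
        if "\\" not in image:
            f.reasons.append(f"bare filename {image}: Windows resolves it through the PATH "
                             "search order at logon, so delete every copy on the disk")
            if "microsoft" in name.lower():
                f.reasons.append(f"vendor-styled value name [{name}] on an unqualified "
                                 "executable (heuristic: genuine components use full paths)")
        if "temporary internet files" in image.lower() or "\\temp\\" in image.lower():
            f.reasons.append("runs out of the browser cache / temp: an autostart living in a "
                             "download location was downloaded and run, not installed")
        if image.lower().endswith("rundll32.exe"):
            dll = command.split(None, 1)[1].split(",")[0].strip()
            f.target = dll
            f.reasons.append(f"rundll32 hosting {dll}: the DLL is the payload, delete it "
                             "rather than rundll32.exe")
        if key.lower() == "runservices":
            f.reasons.append("RunServices: a Windows 9x/ME-only key that NT-based Windows "
                             "ignores, but the entry still marks the file as hostile")
    elif section == "O20":
        if low.startswith("appinit_dlls"):
            f.target = rest.split(":", 1)[1].strip()
            f.reasons.append("AppInit_DLLs: loaded into every process that links user32.dll, "
                             "so the file is locked while Windows runs; delete it on reboot")
        elif low.startswith("winlogon notify"):
            f.reasons.append("Winlogon notification package: loaded into winlogon.exe "
                             "(SYSTEM) before any user logs on")
    elif section == "O21":
        f.reasons.append("ShellServiceObjectDelayLoad: loaded by explorer.exe when the shell starts")
    elif section == "O6":
        f.reasons.append("IE policy restriction under HKCU: set by software, not by the user; "
                         "fixing it restores whatever options it had disabled")
    return f


def triage(log_text):
    """Entries worth acting on, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f and f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.target)
        for r in f.reasons:
            print("   -", r)
```

Note what the heuristics miss: the ExploreUpdSched entry, a fully qualified executable in System32 with a plausible-looking name, triggers no rule at all even though it was on Howard's list. That is the limit of pattern-based triage and the reason these threads still end with a human reading the log; the rules above only tell you what kind of fix each flagged entry needs, not whether an unflagged one is safe.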
 
It's definitely worth a try to download the Prevx1 programme and see if it gets rid of it. I'll keep my fingers crossed.

Regards Howard :)

 

Dear Howard,
I have just downloaded PREVX1. I will run it and get back to you with the results when it finishes; Probably in an hour or two.
Davidstl
 