Random IE Popups (OI), Trojan Vundo

Status
Not open for further replies.
Attached are the logs; the system is still pausing for 2-3 seconds every 10-15 or so, although a lot better than it was 4 days ago.
 
Your HJT log is clean.

However, your Combofix log is not.

If we can't fix this soon, a backup of your important data and a reformat might be the best way to go.

Run the avenger again, but use the script attached to this post.

Attach the c:\avenger.txt as well as fresh Combofix log.

Regards Howard :)

This thread is for the use of Strizz75 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That all looks good.

Run a full system scan with your AV and see if it still finds anything.

Also, take a look in your task manager and see if anything coincides with the pausing.

Regards Howard :)

 
All AVG appeared to find was a bunch of tracking cookies; I'll play around with the task manager later today to see if I can figure out what is causing the pausing, since it is still occurring. Can I assume it isn't downloader/malware/viruses causing the issue? Also, when would it be good to re-enable system restore, and do I have to do anything to create a new restore point, etc.? Thanks for the continued help.
 
Alright, ran the ccleaner, all it found was some cookies. I was browsing the program in the tools section of it, and I noticed a couple of strange entries under the 'startup' section:

HKLM: Run lmhheldw C:\jkjkfmmu.bat
HKLM: Run nslnwqqo C:\wbgliuye.bat

I believe the second one was one that was targeted in an avenger script.

I am still experiencing the pausing; I thought it might be related to my HP printer software (printer is currently unhooked), however I am still unsure if that is the case, as I disabled most of it through the task manager and am still having the issue (I had a similar problem a few years ago with it). I've attached another HJT log that shows those files active. Also, I have been running under a selective startup (I originally checked the startup tab of my msconfig), because I found a file related to a virus symantec had picked up on early on:

C:\WINDOWS\tsitra572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C0883320174139

Located in: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is it possible that even though it is disabled on startup it is still in the system to any extent? Upon checking the startup tab, the aforementioned .BAT files are currently active on startup as well; is it possible any of this is attributing to the issues I am still having?
 
Your HJT log is clean.

Let's try this.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

tsitra572.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there).

tsitra572.exe (search your system for this file and delete all instances found)
C:\jkjkfmmu.bat
C:\wbgliuye.bat

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Click edit and choose find. Type tsitra572.exe into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to tsitra572.exe and display them in the righthand pane. Right click on any such tsitra572.exe entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference tsitra572.exe.

Repeat the above, until no more tsitra572.exe entries are found.

Close regedit.

Reboot into normal mode and rehide your protected OS files.

Let me know if you're still having problems.

Regards Howard :)

 
Alright, I'm on another computer, have regedit running on the machine in question...

While continuing to find next and edit for tsitra572.exe I found several corresponding files, including the two earlier mentioned .bat files; however, the third and final time searching I was prompted with just about every file/command on the system (save files, empty recycle bin, various programs, etc.). I'm relatively unfamiliar with regedit... does this mean everything is infected by tsitra572.exe? I haven't deleted anything else yet, but aside from all the normal programs/files/commands, there are a few suspect ones that turned up:

Name ------ Data
gfeurhmj.bat ------ gfeurhmj
ihrfxpmg.bat ------ ihrfxpmg
klscxodg.bat ------ klscxodg
nsoawdsn.bat ------ nsoawdsn
C:\WINDOWS\system32\gijpwfub.exe ------ gijpwfub
C:\WINDOWS\system32\wbem\mofcomp.exe ------ mofcomp
C:\WINDOWS\b128.exe ------ b128

Also I have the registry saved, should I attach that in a post as well?
 
Delete these entries only.
gfeurhmj.bat ------ gfeurhmj
ihrfxpmg.bat ------ ihrfxpmg
klscxodg.bat ------ klscxodg
nsoawdsn.bat ------ nsoawdsn
C:\WINDOWS\system32\gijpwfub.exe ------ gijpwfub
C:\WINDOWS\b128.exe ------ b128

Do a search of your system and delete the actual files if found.

Regards Howard :)
 
Well, I did all that and restarted... the system stopped doing the pausing for about 10-15 minutes, then when I came back and checked it out again it had resumed its duties, every 10-15 seconds for 2-3 seconds. I know the HJT log has been clean, but I attached another one; those two odd .bat files are still showing up. I restarted and tried shutting down just about anything that wasn't essential through the task manager, but that didn't seem to do the trick either. The computer is 100% better than it was 5 days ago; however, I can't figure out how I inherited this constant pausing. It breaks up the entire flow and I'm not sure what else to do.
 
Try this.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [nslnwqqo] C:\wbgliuye.bat

O4 - HKLM\..\Run: [lmhheldw] C:\kfjkfmmu.bat

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\wbgliuye.bat
C:\kfjkfmmu.bat

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Click edit and choose find. Type lmhheldw into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to lmhheldw and display them in the righthand pane. Right click on any such lmhheldw entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference lmhheldw.

Repeat the above, until no more lmhheldw entries are found.

Repeat the above for nslnwqqo

Close regedit.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you still have the problem.

You might also want to post a fresh Combofix log as well.

Regards Howard :)

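The two manual procedures Howard describes above (the Edit > Find loop in regedit for a file name such as tsitra572.exe or lmhheldw, and ticking the O4 Run entries in HJT) can both be done offline against the copy of the registry that the "File > Export" step saves. The following is an added example and is not code from this thread, from HijackThis or from The Avenger: it parses a .reg export, lists every key or value that references a given string, and flags autostart values under the Run keys using simple heuristics taken from what turned up in this thread (a batch file launched from the root of C:, an .exe sitting directly in the Windows directory, a random-looking eight-letter value name). The sample export embedded in the block is constructed; the odd names and paths are the ones reported in the thread, and the ordinary entries are typical XP autostarts added for contrast.

```python
# Added example, not code from this thread, HijackThis or The Avenger.
# Offline triage of a Regedit "File > Export" (.reg) dump:
#   find_references()        one pass over everything the Edit > Find loop would show
#   suspicious_run_entries() the autostart (HJT "O4") values, scored with heuristics
import re
from dataclasses import dataclass

# Constructed sample export. The last key is where XP's msconfig parks a startup
# item you untick, so an entry "disabled on startup" still lives in the registry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nslnwqqo"="C:\\wbgliuye.bat"
"lmhheldw"="C:\\jkjkfmmu.bat"
"b128"="C:\\WINDOWS\\b128.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tsitra572]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tsitra572"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\tsitra572.exe"
'''


@dataclass(frozen=True)
class RegValue:
    key: str    # full key path, e.g. HKEY_LOCAL_MACHINE\...\Run
    name: str   # value name (the [lmhheldw] part of an HJT O4 line)
    data: str   # value data, unescaped for string values, raw otherwise


_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE)
_ROOT_SCRIPT = re.compile(r'^[a-z]:\\[^\\]+\.(?:bat|cmd|vbs|pif|scr)$', re.IGNORECASE)
_WINDIR_EXE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)
_EIGHT_LOWER = re.compile(r'^[a-z]{8}$')
_VOWELS = set('aeiou')


def _unescape(s):
    # .reg string syntax doubles backslashes and escapes quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return every (key, name, data) triple in a .reg export. Default values (@=)
    and multi-line hex values are skipped; they are irrelevant for autostart triage."""
    values, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            data = m.group('data')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            values.append(RegValue(key, _unescape(m.group('name')), data))
    return values


def find_references(text, needle):
    """Every value whose key path, name or data mentions needle (case-insensitive)."""
    n = needle.lower()
    return [v for v in parse_reg_export(text)
            if n in v.key.lower() or n in v.name.lower() or n in v.data.lower()]


def _program_path(command):
    # First token of the command line; honours a quoted path containing spaces.
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(' ', 1)[0]


def _longest_consonant_run(s):
    best = run = 0
    for ch in s.lower():
        run = run + 1 if ch.isalpha() and ch not in _VOWELS else 0
        best = max(best, run)
    return best


def suspicious_run_entries(text):
    """[(RegValue, [reasons])] for Run/RunOnce values that trip a heuristic."""
    findings = []
    for v in parse_reg_export(text):
        if not _RUN_KEY.search(v.key):
            continue
        path, reasons = _program_path(v.data), []
        if _ROOT_SCRIPT.match(path):
            reasons.append('script launched from the drive root')
        if _WINDIR_EXE.match(path):
            reasons.append('executable sitting directly in the Windows directory')
        if _EIGHT_LOWER.match(v.name) and _longest_consonant_run(v.name) >= 4:
            reasons.append('random-looking eight-letter value name')
        if reasons:
            findings.append((v, reasons))
    return findings


if __name__ == '__main__':
    for v, reasons in suspicious_run_entries(SAMPLE_REG):
        print(f'{v.key}\n  [{v.name}] {v.data}\n  -> {"; ".join(reasons)}')
    for v in find_references(SAMPLE_REG, 'tsitra572'):
        print('reference:', v.key, v.name, v.data)
```

Run against the sample, the two root-level .bat entries and b128.exe are flagged while the Java updater and pop-up stopper are not, and the tsitra572 search surfaces the msconfig startupreg key that the Run-key scan does not look at. Real exports are UTF-16 text, so decode with that encoding before passing the contents in; the heuristics are deliberately narrow and are a starting point for a manual look, not a verdict.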
 
Attached are the HJT and combofix logs; the pausing remains in play.
I came up empty in regedit searching for those entries as well.
 
Your HJT log is clean.

Uninstall both AVG Antispyware and Superantispyware.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Let me know if you're still having problems.

Regards Howard :)

 
Also, I'm not sure if it's worth mentioning or not, but I just opened MS Word to see if it would happen in another type of text setting and it wasn't an issue (the pausing); could it have something to do with Firefox?
 
Both your logfiles are clean.

I'd like you to try something and see if it makes a difference.

Download this Symantec/Norton removal tool.

Download one antivirus and one firewall from the choices below.

AVG free or Avast antivirus programmes.

Zonealarm Kerio or Comodo free firewall programmes.

Disconnect from the net and run the Symantec/Norton removal tool.

Reboot your system the required number of times.

Install whichever firewall you chose and reconnect to the net.

Install whichever antivirus programme you chose and run the antivirus updates.

Do a full system scan with the antivirus programme and delete whatever it finds(if anything).

Post back and let me know if things have improved.

Regards Howard :)

 
Quick question, before I do this: I came home from work today and tried to give it another shot, instead by using Internet Explorer as opposed to Firefox; the pausing issue is not occurring, which leads me to believe it was browser related... I'm not a big fan of Internet Explorer though, is it possible to uninstall and reinstall Firefox and have this alleviate itself?
 
Yes, by all means try uninstalling and reinstalling FF.

I still recommend you get rid of that resource hogging Symantec/Norton crapware.

Regards Howard :)

 
Yea, I was eventually going to dump Norton anyways; I've just become so embedded in figuring out what's causing this, a battle of epic proportions.
 
Hopefully, we can get it sorted sooner, rather than later. I don't know about you, but this is making me mad. I hate not being able to solve a problem.

Regards Howard :)
 
Well, I just uninstalled and reinstalled Firefox but it's still pausing sporadically... however, I'm not sure if it actually completely uninstalled. I uninstalled through the control panel, but upon using it after the reinstall it still had all my favorites as well as the customized home page... any thoughts?
 
The thing is, if after uninstalling FF you go ahead and delete everything to do with FF, you'll find all your bookmarks are gone. Of course you could back them up first, I suppose.

Click Bookmarks/organise bookmarks/file/export and save a copy to wherever you want.

Personally, I'm not sure your problem is browser related.

Regards Howard :)
 