By ASG · 7 replies
Jan 10, 2006
  1. I seem to have become infected with rofl.sys. My AVG has gone crazy, constantly looping the virus alert whenever I quarantine it or delete it.

    I ran HJT and here's the log

    Thank you for your help

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  3. Tedster

    Tedster Techspot old timer..... Posts: 6,002   +15

    boot in SAFE mode and follow my rules...

    run your anti-virus and spybot, ewido, and ad-aware.
    post results.

    then we can begin.
  4. ASG

    ASG TS Rookie Topic Starter

    I tried doing most of the stuff on those posts, but most of the programs just ended up crashing on me or not updating...
    I did the best I could given the circumstances and I think I fixed a few things.

    I still have that pesky rofl.sys though (and there's also a process that keeps popping up on the task manager process list that I hadn't noticed before and I have no idea what it is... nor does google, apparently - hseure.exe. it's on the WINDOWS dir)

    Anyway, here's my new (and hopefully improved) HJT log

    I appreciate all the help I can get, cause this computer is seriously acting up!
  5. Tedster

    Tedster Techspot old timer..... Posts: 6,002   +15

    If you're overrun with multiple viruses and trojans, as hard as it may be, your best bet might be to do a complete reinstall. Correcting the registry can be complicated and difficult, even for an experienced user like myself. With a fresh install, you can place safeguards in place BEFORE you connect the computer physically online. So install your firewall, anti-virus, and anti-trojans before connecting. Then immediately update all 3 with the latest versions and also update windows completely.

    Your system appears to be infected with the w32/tile-bot virus and variants. This virus also downloads additional malware and compounds the infection.
    It also has the symptoms of the mytob virus.
    W32.Mytob.ML@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

    Both viruses attack the file in question.

    w32/tilebot-x et al. are also known as hacktool.rootkit viruses and are VERY difficult to remove. Read the sticky on how to remove rootkits.
    1. Disable System Restore (Windows Me/XP).
    2. Update the virus definitions.
    3. Run a full system virus scan and delete all the files detected.
    4. some registry editing may need to be done.

    mytob - read:
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode, and turn off system restore.

    Open your task manager, and end task for (if still there)


    Run a full system scan with your AVG.

    Run HJT with no other programmes open, and let HJT fix the following if still there.

    O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\sx.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O15 - Trusted IP range:
    O15 - Trusted IP range:

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: mtklefa - {9FAB6534-C2D0-4A68-7BAA-B0C8EA05B491} - C:\WINDOWS\System32\mfrays32.dll (file missing)
    O21 - SSODL: CIFBB0EF - {264604AA-7846-648F-3009-2B87327B37C4} - C:\WINDOWS\System32\Ahkopcpd.dll (file missing)

    O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)

    Close HJT.

    Click start/run, and type services.msc into the run box, and press the enter key.

    When the window appears, maximise it, and locate Windows 32-bit PnP Driver. Double click on it, and stop it if it's still running if you can. Set the startup type to disabled. Click apply/ok.

    Go into the following directories, and delete the bold files.


    Reboot your computer, and turn system restore back on.

    Regards Howard :)
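
The fix list in the post above follows HijackThis's `section - description - path` line layout. As an added example (not part of the thread and not HijackThis code), this sketch parses such lines and tags three triage hints; the function name `parse_hjt` and the hint names are assumptions made here, and the hints are prompts for review, not verdicts.

```python
import re

# Constructed sample: entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\sx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted IP range:
O21 - SSODL: mtklefa - {9FAB6534-C2D0-4A68-7BAA-B0C8EA05B491} - C:\WINDOWS\System32\mfrays32.dll (file missing)
O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path in the entry, without quotes or the "(file missing)" suffix.
WIN_PATH = re.compile(r'(?P<path>[A-Za-z]:\\.*?)"?(?: \(file missing\))?$')
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per HijackThis entry: section, body, path, flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # log header, blank lines, running-process list
        body = m.group("body")
        pm = WIN_PATH.search(body)
        path = pm.group("path") if pm else None  # None: entry carries no file path
        flags = []
        if body.endswith("(file missing)"):
            flags.append("file_missing")       # registry entry outlived its file
        if path and ROOT_EXE.match(path):
            flags.append("exe_in_drive_root")  # autostart binary sitting in C:\
        if m.group("section") == "O23" and " - Unknown owner - " in body:
            flags.append("unknown_owner")      # service with no vendor string
        entries.append({"section": m.group("section"), "body": body,
                        "path": path, "flags": flags})
    return entries


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(e["section"], e["path"], e["flags"])
```
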
  7. XAxis06

    XAxis06 TS Rookie

    I too, a victim of rofl.sys

    Hey everyone,

    So, I have formatted my computer and reinstalled XP pro, and received rofl.sys a week later at least twice now. I have also followed ALL instructions on


    as well as the ones on this current forum.

    I use AVAST anti-virus and occasionally it pops up saying I have a trojan. My internet gets shut down now and then (@college) because the CIT guys say my computer is trying to hack passwords on the network. Mind you, all these problems continue to happen even after I format and do a complete reinstallation. Here are my Hijack this logs and my Ewido scan report. Please help, this thing is annoying and I have finals coming up =o/
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    For a start, you're running a completely unpatched version of Windows. You need to install at least SP1 and preferably SP2.

    Go HERE and follow the instructions.

    Then, go HERE and do likewise.

    Open a new thread in this forum and post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
Topic Status:
Not open for further replies.
