Viruses/Spyware/Malware, preliminary removal instructions

Status
Not open for further replies.

shiva64

Hi Julio,
I came across your solution for removing spyware and malware and gave it a go.
Please could you look at the log files attached, as mentioned in your post. While carrying out the solution I seem to have lost the system32\oidlmehb.dll and the system32\gaxhrtrs.dll. Also the solution has not removed a trojan (AVAST keeps alerting to) Win32:Agent-BSU [TrJ]. Please help.
 

Attachments

  • ComboFix.txt
    12.7 KB · Views: 5
  • hijackthis.log
    9.5 KB · Views: 6
Hi,

Before I can look over the log I would like you to do a couple of things for me,

1) Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

2) Run the AVG anti-spyware again and get it to quarantine the results.

3) I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Kas-SaveReport-1.gif

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    Kas-Savetxt.gif

  • Include the report in your next post.

Thanks, and sorry for getting overlooked yesterday, it's pretty busy round here.
 
kaspersky scan

Hi,
Thanks for that. Please see kaspersky scan log attached. Let me know what you think.
 
Delete Files and Folders
  • Right click on the Start button and choose Explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them(if still present)
C:\d.exe<---------This File
C:\Documents and Settings\Varinder\Local Settings\Temp\2961271612.exe<---------This File
C:\Documents and Settings\Varinder\Local Settings\Temp\csrssc.exe<---------This File
C:\Program Files\MSN Messenger\riched20.dll<---------This File
C:\WINDOWS\system32\jfiehayd.dll<---------This File
C:\WINDOWS\system32\service.exe<---------This File

  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

********************NOTICE***************************************


This one is service.exe and not services.exe

Navigate to this folder and delete the contents of it but not the folder itself,
C:\QooBox\Quarantine
Empty the recycle bin

Run HijackThis again after you have turned off Spybots TeaTimer using the instructions I gave earlier.
Also run Kaspersky again.
 
Hi Kritius,
tried to set "show all hidden files and folders" but for some reason option is not available. Tried through windows help and got message " this operation is cancelled due to restrictions in affect on this computer" Please contact system admin.
 
Back up the registry, see how HERE

1. Click Start - Run - type Regedit
2. Here expand to HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
3. In the right-side pane check for the DWORD value NoFolderOptions
4. If it is not there then create a new DWORD value by right-clicking, New - DWORD
5. Type the name "NoFolderOptions" and press Enter.
6. Double-click the entry and set the value to 0
7. Open any folder and see if Folder Options is there. If it is still not there then log off and log in again or restart.

Try that
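The registry steps above can be audited and, after a backup, reverted from a script. The following is an added example, not part of this thread or of any tool it names. It reads the per-user Explorer policy value named above (NoFolderOptions) plus the standard System policy value behind the "regedit disabled by administrator" message (DisableRegistryTools, a documented Windows policy value that the thread itself does not name), exports each key with reg.exe before touching it, and only clears non-zero values when run with -Fix. It assumes Windows PowerShell 5.1 or later running as the affected user.

```powershell
# Added example, not part of the thread or any tool it names.
# Audits the per-user policy values that hide Folder Options and block regedit,
# backs the keys up with reg.exe, and clears them only when -Fix is given.
# Assumes Windows PowerShell 5.1+ running as the affected user.

$PolicyChecks = @(
    # NoFolderOptions is the value named in the thread.
    @{ Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoFolderOptions';      Effect = 'Folder Options hidden' }
    # DisableRegistryTools is the standard policy behind "regedit disabled by
    # administrator"; it is not named on the page but is a documented value.
    @{ Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableRegistryTools'; Effect = 'regedit blocked' }
)

function Get-PolicyRestriction {
    # Returns one object per policy value, flagging any non-zero setting.
    foreach ($c in $PolicyChecks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            $value = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Path       = $c.Path
            Name       = $c.Name
            Value      = $value
            Restricted = ($null -ne $value -and [int]$value -ne 0)
            Effect     = $c.Effect
        }
    }
}

function Backup-PolicyKey {
    param([Parameter(Mandatory)][string]$Path,
          [string]$OutDir = "$env:USERPROFILE\Desktop")
    # reg.exe wants HKEY_CURRENT_USER\..., not the HKCU: PSDrive form.
    $regPath = $Path -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    $file = Join-Path $OutDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    return $file
}

function Clear-PolicyRestriction {
    param([switch]$Fix)
    foreach ($r in Get-PolicyRestriction) {
        if (-not $r.Restricted) { Write-Host "ok        $($r.Name) = $($r.Value)"; continue }
        Write-Warning "$($r.Name) = $($r.Value) ($($r.Effect))"
        if (-not $Fix) { continue }
        $backup = Backup-PolicyKey -Path $r.Path
        Write-Host "backed up $($r.Path) to $backup"
        Set-ItemProperty -LiteralPath $r.Path -Name $r.Name -Value 0 -Type DWord
        Write-Host "cleared   $($r.Name); log off or restart for Explorer to pick it up"
    }
}

Clear-PolicyRestriction          # audit only: report which values are set
# Clear-PolicyRestriction -Fix   # back up each key, then set the values to 0
```

Run it once without -Fix to see which values are set; the same values also exist under HKEY_LOCAL_MACHINE for machine-wide policy, which this script deliberately does not touch. As in the manual steps, Explorer does not re-read the policy until you log off or restart.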
 
what a mess

Couldn't run regedit message "regedit disabled by administrator" even though i am one.
What i did.
1, Tried to run backup utility - wouldn't back up to CD drive. Instead saved to desktop then copied to CD successfully.
2, Couldn't unhide hidden files and folders so used search to find the files listed and removed them that way instead. Not sure if this will give the same result.
3, Since running Kaspersky the computer got worse, more Win32:Agent messages. Also Google page turned black. Also when I tried to uncheck Resident TeaTimer, Resident kept blocking this even though I had exited at the system tray. Took a few goes before it allowed it.
4, After doing 1 and 2, no more Win32:BSU messages yet. Google page is normal. However tried running regedit, still saying it is disabled. Also still getting message that modules c:\windows\system32\oidlmehb.dll and gaxhrts.dll not found.

About to run Kaspersky again, will post as soon as it finishes.
 
Google users in the United Kingdom will notice today that we "turned the lights out" on the Google.co.uk homepage as a gesture to raise awareness of a worldwide energy conservation effort called Earth Hour.

Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer.

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach the log into your next reply.
  • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


This thread is for the use of shiva64 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
scans

Tried to upload both scans but the webpage froze. Trying to upload again but the attachment screen just says attachment in progress and upload errors.
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O4 - HKLM\..\Run: [343a4aeb] rundll32.exe "C:\WINDOWS\system32\gaxhrtrs.dll",b
O20 - Winlogon Notify: nnnoonn - C:\WINDOWS\

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Boot into safe mode and delete this file,

C:\WINDOWS\system32\gaxhrtrs.dll

Boot into normal mode

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone called VBG.TXT will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and "attach" a new HijackThis log file along with the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.
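The O4 line above is a Run-key entry that starts rundll32 with a DLL path; once the DLL has been deleted but the entry remains, Windows reports the "module ... not found" message seen earlier in the thread. The following is an added example, not part of this thread or of HijackThis: it lists Run-key entries that launch rundll32, extracts the DLL path from each command line, and reports whether that file still exists, so orphaned entries can be identified for removal. The sample command line is the one quoted above; the script assumes Windows PowerShell 5.1 or later and, for the HKLM key, an elevated prompt.

```powershell
# Added example, not part of the thread or of HijackThis.
# Lists Run-key entries that launch rundll32 and reports whether the DLL they
# load still exists. An entry whose DLL is gone is what produces the
# "module ... not found" message after the file has been deleted, and is the
# kind of O4 line HijackThis would be asked to fix.
# Assumes Windows PowerShell 5.1+; run elevated to read HKLM without surprises.

function Get-RunDllTarget {
    param([Parameter(Mandatory)][string]$Command)
    # Extract the DLL path from a rundll32 command line such as
    #   rundll32.exe "C:\WINDOWS\system32\gaxhrtrs.dll",b
    # Returns $null for command lines that do not start with rundll32.
    if ($Command -notmatch '(?i)^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$') { return $null }
    $rest = $Matches[1]
    if ($rest -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($rest -match '^([^,\s]+)')  { return $Matches[1] }   # bare path up to the comma
    return $null
}

function Get-RunDllEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            $dll = Get-RunDllTarget -Command ([string]$p.Value)
            if ($null -eq $dll) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Dll     = $dll
                Exists  = (Test-Path -LiteralPath $dll)   # $false means an orphaned entry
                Command = $p.Value
            }
        }
    }
}

# Constructed sample taken from the O4 line in the thread; the parser alone
# is exercised here so the script shows its output even on a clean machine.
$sample = 'rundll32.exe "C:\WINDOWS\system32\gaxhrtrs.dll",b'
"sample target: $(Get-RunDllTarget -Command $sample)"

Get-RunDllEntries | Format-Table Key, Name, Dll, Exists -AutoSize
```

Rows with Exists set to False are the entries worth removing; rows where the DLL does exist deserve a closer look (publisher, location, hash) before anything is deleted, since legitimate software also uses rundll32 at startup.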
 
Help

Hi, ran HijackThis, deleted both files after scan only.

Restarted Windows - Avast on-access protection won't run and internet connection won't work either. Message error 711 The remote access service manager could not start. Further detail - check plug and play or remote access connection manager. On checking plug and play was running but remote access wasn't. Tried to start but further error 1084 - "This service cannot be started in Safe Mode"

Hence not downloaded Vundofix.
 
shiva64 said:
Hi, ran HijackThis, deleted both files after scan only.

Restarted Windows - Avast on-access protection won't run and internet connection won't work either. Message error 711 The remote access service manager could not start. Further detail - check plug and play or remote access connection manager. On checking plug and play was running but remote access wasn't. Tried to start but further error 1084 - "This service cannot be started in Safe Mode"

Hence not downloaded Vundofix.

Download the programs he requested while still online. Once you boot into safe mode you will not have an Internet connection or your anti-virus protection programs running. Don't worry though, in safe mode many services do not run except the ones made by Microsoft to keep your computer stable.
 