Should I download that firewall now or should I wait until we’re sure the computer is clean?

This is going to take some time to review the log, and I would like to enlist a second opinion.

For now install the firewall and I will post again as soon as I am able.

I have PM’d essexboy for an opinion on my proposed winpfind fix - his experience with this tool is vast and mine is not.

It seems as if my screen is going green and lines cut across the screen, filling the page every now and then. Would this be related to my virus issues? I haven’t had this problem before and my laptop is relatively new. It’s about a year old, but has been used only within the past two months.

Sorry to butt in here … I had a heck of a time getting assorted malware off my XP just last week, including Purity Scan.

If I may ask … are you disabling System Restore before you make your changes?

I didn’t think I had to so I hadn’t done so.
Should I have?

Yes. This is why:

There are some problems associated with System Restore when it comes to viruses. When restore points are created they are stored in a directory that is accessible only to the System account and not to a user. This keeps the restore points safe from misuse and tampering. Unfortunately this also means that any virus scan software you may have installed can not scan the files located there as well. This causes a problem if a file that is infected with a virus gets backed up into a restore point because now the anti-virus software can not clean it. Now if you ever restore from a restore point, that file that is infected will be introduced back into your system.

With this in mind, if you find that you are infected with a virus, hijacker, or spyware and want to make sure you do not get reinfected if you restore a restore point, you should turn System Restore off and then back on again to clear all the restore points. This will guarantee that there are no infected files that could be restored.

From: http://www.bleepingcomputer.com/tutorials/tutorial56.html
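The off-and-on procedure the quoted tutorial describes, written out as an added PowerShell example (not from the thread or the tutorial). It assumes Windows 7 or later, where the ComputerRestore cmdlets exist; on the XP machine in this thread the same toggle is done through System Properties > System Restore. Run it from an elevated prompt, and only once the machine is clean, since the final checkpoint snapshots whatever is on disk at that moment.

```powershell
# Added example, not from the thread. Assumes Windows 7+ (ComputerRestore cmdlets)
# and an elevated PowerShell session.

$drive = "$env:SystemDrive\"

# Show what would be carried forward if someone restored today.
Write-Host "Restore points before clearing:"
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime

# Disabling System Restore discards every restore point on the drive
# (including any that captured an infected file); enabling it again
# starts with a clean slate, as the quoted tutorial describes.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore -Drive $drive

# Take a fresh checkpoint of the now-clean state so there is a known-good
# point to go back to. Do this only after the cleanup is finished.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

Write-Host "Restore points after clearing:"
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

The second listing should show only the checkpoint created by the script; if older restore points are still listed, System Protection was not actually toggled for that drive.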

It is necessary to clean the restore points as they may be infected, but I prefer to do this at the end - after the computer is clean but before there is any chance of restoring malware. You will recall, brenda31, we did this as part of the last steps in your last thread.

I am putting the final touches on a registry fix and winpfind fix and will post again shortly (sorry for the delays).

Oh ok. That’s fine. Do you know the problems with my screen may be associated with the viruses?

It may be, or it could be a hardware problem. Let’s get this cleaned up, and that may tell us which it is.

Please download ERUNT from here and back up your entire registry http://www.snapfiles.com/get/erunt.html

When done, please apply the registry fix below.

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{E8497736-90B2-4E1A-B930-2CC058FDECBB}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E8497736-90B2-4E1A-B930-2CC058FDECBB}]

[-HKEY_CLASSES_ROOT\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outerinfo"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OuterinfoUpdate"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DC192567-65F9-4AB6-ADB7-E13575F81726}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify]
"ddccb"=-
"vtuspol"=-

You will need to create the repair registry fix: copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done with this step.

(with endless thanks for the help rendered in the above and the following)

Now Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Win32 Services - Non-Microsoft Only]
YY -> (DomainService) DomainService [Win32_Own | Auto | Stopped] -> %System32%\tcbbsjha.exe
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {DC192567-65F9-4AB6-ADB7-E13575F81726} [HKLM] -> %System32%\vtuspol.dll []
< WinlogonNotify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
YY -> vtuspol -> vtuspol.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
YY -> {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} [HKLM] -> %System32%\mtgafqjo.dll [Reg Data - Value does not exist]
[Files/Folders - Created Within 30 days]
YY -> bccdd.bak2 -> %System32%\bccdd.bak2
YY -> bccdd.ini2 -> %System32%\bccdd.ini2
YY -> bccdd.tmp -> %System32%\bccdd.tmp
YY -> bccdd.tmp2 -> %System32%\bccdd.tmp2
YY -> cqqpybod.ini -> %System32%\cqqpybod.ini
YY -> dljqvpxg.ini -> %System32%\dljqvpxg.ini
YY -> dobypqqc.dll -> %System32%\dobypqqc.dll
YY -> gxpvqjld.dll -> %System32%\gxpvqjld.dll
YY -> mtgafqjo.dll -> %System32%\mtgafqjo.dll
[Files/Folders - Modified Within 30 days]
YY -> bccdd.bak2 -> %System32%\bccdd.bak2
YY -> bccdd.ini2 -> %System32%\bccdd.ini2
YY -> bccdd.tmp -> %System32%\bccdd.tmp
YY -> bccdd.tmp2 -> %System32%\bccdd.tmp2
YY -> cqqpybod.ini -> %System32%\cqqpybod.ini
YY -> dljqvpxg.ini -> %System32%\dljqvpxg.ini
YY -> dobypqqc.dll -> %System32%\dobypqqc.dll
YY -> gxpvqjld.dll -> %System32%\gxpvqjld.dll
YY -> mtgafqjo.dll -> %System32%\mtgafqjo.dll
YY -> PEC2 , PECompact2 , -> %System32%\dobypqqc.dll
YY -> PEC2 , PECompact2 , -> %System32%\gxpvqjld.dll
YY -> PEC2 , PECompact2 , -> %System32%\mtgafqjo.dll

The fix should only take a very short time. When it’s complete, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.
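A way to confirm that the registry fix and the WinPFind3U fix above actually took, as an added PowerShell example that is not part of the thread or of either tool: it re-checks every key, value, file and service the two fixes name and reports anything still present. It assumes PowerShell is available (it was not on a 2007-era XP install, where `reg query` and `dir` would do the same job by hand) and an elevated prompt, since several of the keys live under HKLM.

```powershell
# Added post-fix verification script (not from the thread). Every key, value,
# file name and service below is taken from the two fixes posted above; the
# script only reads, it removes nothing. Assumes PowerShell in an elevated session.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Keys the .reg file and WinPFind fix delete outright.
$deadKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{E8497736-90B2-4E1A-B930-2CC058FDECBB}',
    'HKLM:\Software\Classes\CLSID\{E8497736-90B2-4E1A-B930-2CC058FDECBB}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}',
    'HKLM:\Software\Classes\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DC192567-65F9-4AB6-ADB7-E13575F81726}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccb',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtuspol',
    'HKLM:\SYSTEM\CurrentControlSet\Services\DomainService'
)

# Values the .reg file removes with the "name"=- syntax.
$deadValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Outerinfo' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'OuterinfoUpdate' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'; Name = 'ddccb' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'; Name = 'vtuspol' }
)

# Files under System32 that the WinPFind fix lists for removal.
$deadFiles = 'tcbbsjha.exe', 'vtuspol.dll', 'mtgafqjo.dll', 'dobypqqc.dll', 'gxpvqjld.dll',
             'cqqpybod.ini', 'dljqvpxg.ini', 'bccdd.bak2', 'bccdd.ini2', 'bccdd.tmp', 'bccdd.tmp2' |
             ForEach-Object { Join-Path $sys32 $_ }

$remaining = @()

foreach ($k in $deadKeys) {
    if (Test-Path -LiteralPath $k) { $remaining += "key     $k" }
}

foreach ($v in $deadValues) {
    if (Test-Path -LiteralPath $v.Key) {
        $props = Get-ItemProperty -LiteralPath $v.Key
        if ($props.PSObject.Properties | Where-Object { $_.Name -eq $v.Name }) {
            $remaining += "value   $($v.Key)\$($v.Name)"
        }
    }
}

foreach ($f in $deadFiles) {
    if (Test-Path -LiteralPath $f) { $remaining += "file    $f" }
}

# The WinPFind fix also stops and deletes the DomainService service.
if (Get-Service -Name DomainService -ErrorAction SilentlyContinue) {
    $remaining += 'service DomainService'
}

if ($remaining.Count -eq 0) {
    Write-Host 'All entries named in the fixes are gone.'
} else {
    Write-Host 'Still present (fix did not fully apply, or something re-created them):'
    $remaining | ForEach-Object { Write-Host "  $_" }
}
```

Anything listed as still present after a reboot is worth a second look: a value that reappears after deletion points at a component that was not removed and is re-writing its own persistence, which is exactly the case the SDFix and ComboFix steps later in the thread are meant to catch.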

I’ve downloaded ERUNT and installed it. It’s opened up a file in my Notepad that’s a registry backup for Windows NT/2000/2003/XP. Am I supposed to close this and then open up a clean Notepad and save the below
Quote
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{E8497736-90B2-4E1A-B930-2CC058FDECBB}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E8497736-90B2-4E1A-B930-2CC058FDECBB}]

[-HKEY_CLASSES_ROOT\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F31723F2-81C7-4F92-9C4A-7E6F422E46CE}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outerinfo"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OuterinfoUpdate"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DC192567-65F9-4AB6-ADB7-E13575F81726}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify]
"ddccb"=-
"vtuspol"=-

so that, in essence, I have two files: the backup one that was first created and the second one that is the registry fix?

Yes, make sure to save the registry backup before proceeding with the fix. Give it a name like regback or something else you can identify.

EDIT: I just realized the notepad that opened is the help file for Erunt. You actually don’t need to save that.

I’ve copied what you told me and have clicked on run fix, but it is still going. I shall post the results as soon as it’s done. It does seem like it’s been running awhile, though.

My hour glass is still going. Shouldn’t it have finished by now? I’m wondering if I should restart?

If you haven’t already restarted go ahead and do that. Has a log been produced?

EDIT: Did the registry fix run without problems?

Actually it says that it is not responding. It never got to the point where it produced a log. Should I repaste the info and run the fix again?

Try rebooting first. Then run the fix again with the same lines pasted in.

I’ve tried running the fix at least 3 or 4 times. Each time the hour glass keeps going until it says that it is not responding. What should I do?

I would like to freshen up the information we have, add to it a bit, and approach it a little differently.

First, download SDFIX and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose “Extract All”.
Open the extracted folder and double click “RunThis.bat” to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Now run ComboFix again and post that log.

Next, rename hijackthis.exe to hijackbrenda.exe, run that and post the HJT log it produces.

Finally, delete the current copy of WinPFind, download and run a new copy, and post that log. Here’s the download link again: WinPFind3u.exe