help with a virus

[blu_smiley]

my virus scanner(nod 32) keep detecting these viruses every so often but its not going away..
it affects my internet i.e...i can go on the internet for like 30 mins but then it suddenly stops working....
th only way to get the internet working is to restart...
when the internet stops working, it also affects the other computers in the house....
i know it has nothing to do with my internet connection and isp because it only happens to my computer (thats affected with the virus) because i can go on the internet all day on the other computers.
Also sometimes my applications dont close properly when i shut down....and when i shut down i get this thing saying "run time error 53-file not found ".
i think thats about it...sorry if i sound confusing
 
Ive attached the 1)SUPERantispyware log
                            2) eset online scanner log
                            3) hijackthis log

I'd appreciate anyone that can help me!
thanks in advance

[saving space - attachment deleted by admin]

[Broni]

I can't see any firewall running, unless you have Windows firewall up???

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries:

- R3 - URLSearchHook: (no name) - {B3FD786C-9985-B876-F5DC-96CB2B9E59E6} - C:\WINDOWS\system32\ukqg.dll (file missing)

- F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe

- F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xpjava.exe

- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

- O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe

- O4 - HKLM\..\Run: [DRam prosessor] winupdate.exe

- O4 - HKLM\..\Run: [system] tskmgr.exe

- O4 - HKLM\..\Run: [MSUpdater] System32i.exe

- O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe

- O4 - HKLM\..\RunServices: [system] tskmgr.exe

- O4 - HKLM\..\RunServices: [MSUpdater] System32i.exe

- O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe

- O4 - HKCU\..\Policies\Explorer\Run: [digoun] C:\WINDOWS\System32\digoun.exe

- O4 - HKCU\..\Policies\Explorer\Run: [kbdsld] C:\WINDOWS\System32\kbdsld.exe

- O4 - HKCU\..\Policies\Explorer\Run: [regign] C:\WINDOWS\System32\regign.exe

- O4 - HKCU\..\Policies\Explorer\Run: [commv2] C:\WINDOWS\System32\commv2.exe

- O4 - HKCU\..\Policies\Explorer\Run: [mshuie] C:\WINDOWS\System32\mshuie.exe

- O4 - HKUS\S-1-5-18\..\Run: [Microsoft Config 32] msconfigx32.exe (User 'SYSTEM')

- O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)

- O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)

- O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)

4. Click on "Fix checked" button.

5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

7. Delete following files/folders (if present):

- from C:\WINDOWS\system32, files: digoun.exe, kbdsld.exe, regign.exe, commv2.exe, mshuie.exe

8. Turn off System Restore:

- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.   
   6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection tab, find Available Disks
   6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
   8. Click OK

9. Restart in Normal Mode.

10. Turn System Restore on.

11. Run HijackThis again, and post back its log back here.

[blu_smiley]

^ thanks for helping =D

but where am i suppose to begin step 3??.....ive opened hjt but i dont know what to do next as you described in step 3)

[Broni]

Oh, click on Scan.

[blu_smiley]

im on internet explorer (ver7) but i cant find "folder options" under tools

[Deerpark]

It's not Internet Explorer blu_smiley, it's Windows Explorer. This is the name of the program that lets you browser you folders and such.
Just double click "My Computer" and you'll launch it.

[blu_smiley]

Deerpark: thanks for that!!
------------------------

hjt log attached

[saving space - attachment deleted by admin]

[evilfantasy]

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
When finished, it will produce a log for you.
Attach that log in your next reply.

Do not mouseclick combofix's window while it's running. That may cause your computer to stall

[blu_smiley]

combofix log attached

[saving space - attachment deleted by admin]

[evilfantasy]

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\temp.dat
C:\WINDOWS\system32\System32i.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ceb43567-9b98-11db-a316-000f3d300101}]
\Shell\AutoRun\command - ~tmp0.1st.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ceb43568-9b98-11db-a316-000f3d300101}]
\Shell\AutoRun\command - ~tmp0.1st.exe

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

==========

Please run the F-Secure Online Scanner

Note: This Scanner works with Internet Explorer Only!

• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
  
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click

Cancel, then New Scan[/list]

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
  
• Click Automatic cleaning
  
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

• This scan will only work with Internet Explore
• You must have administrator rights to run this scan
• This scan can take several hours, so please be patient

[/list]

==========

Next post please attach
combofix log
f-secure online scan log

[blu_smiley]

combofix & fsecure logs attached

[saving space - attachment deleted by admin]

[evilfantasy]

Looking better. Still more to do though.


Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All and UNCHECK Cookies.
  
• Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All and UNCHECK Cookies.
  
• Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All and UNCHECK Cookies.
  
• Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main ATF Cleaner menu to close the program.

Restart the computer.

----------

Please download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  
• Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the "Scan tab" and UNcheck "Heuristic analysis"
  
• Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  
• Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  
• When done, a message will be displayed at the bottom advising if any viruses were found.
• Click "Yes to all" if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
  (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  
• Save the DrWeb.csv report to your desktop.
  
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
  

----------

Run a new hijackthis scan and post that log along with the DR.Web log please.

[blu_smiley]

the linke you gave me to dl DrWeb-CureIt .exe doesnt work

[evilfantasy]

Sorry about that, it is fixed now.

[blu_smiley]

I downloaded drweb cure it but the express scan doesn't finish scanning

This happens:


and then this shows up:

[evilfantasy]

OK, you can uninstall that. We will use AVG Antispyware instead. Sorry for that, I have not had any problems with it before....



Download and install AVG Anti-Spyware Free to your desktop.

    * Once you have downloaded AVG Anti-Spyware Free , locate the icon on the desktop and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition files
    * On the main screen select the icon Update then select the Update now link.
    * Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
    * Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
    * Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
    * Under Reports
    * Select Automatically generate report after every scan
    * Un-Select Only if threats were found
    * Under "What to scan"? "Select Scan every file".
   
    * Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
    * AVG will now begin the scanning process, be patient this may take a little time.
    * Once the scan is complete do the following:
    * If you have any infections you will prompted, then select Apply all actions <--be sure qaurantine is selected
    * Next select the Reports icon at the top.
    * Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
    * Make sure to remember where you saved that file, this is important (usually the desktop)
    * Close AVG Anti-Spyware Free

    * Attach the AVG scan report in the next post.

[blu_smiley]

I have SUPER antispyware from  before. Do I need to uninstall that before I  install AVG antispyware?

[evilfantasy]

No it will not hurt to have both installed, they only run when you launch them so it is safe.

[blu_smiley]

AGV log attached

-----------

do i still need to post the hjt log?


[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Yes, I will need to see a new HijackThis log.

The hjiackthis logs are how we can tell if the removal tools are working and if more work needs to be done.

[blu_smiley]

hijack this log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Delete the copy of Combofix from the desktop and download a new one.

Download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
When finished, it will produce a log for you.
Attach that log in your next reply.

Do not mouseclick combofix's window while it's running. That may cause your computer to stall

Also post a fresh hijackthis log after combofix has completed.

[blu_smiley]

combo fix & hjt log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
  
• On the page that opens, scroll down to

Hardware Clock Driver (hwclock)

• Then right click the entry, select Properties and press Stop Service.
  
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
  
• Now repeat the above to Stop and Disable the below Service (if you do not find it or get any errors, just continue):

winauthm (spdauth)

---------------

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and save it to your desktop.

Don't use it yet

---------------

Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKUS\S-1-5-18\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'Default user')
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)

Close all windows except for HijackThis and click Fix checked

---------------

Double click OTMoveIt.exe to launch it.

Be sure there is a check mark next to Unregister Dll's and OCX's

• Copy the file paths below to the clipboard by highlighting ALL of them.
  
• Then right-click and choose copy.

C:\WINDOWS\temp\kimochiz.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\spdauth.exe

• Return to OTMoveIt, right click in the Paste List of Files/Folders to be moved window and choose Paste.
  
• Click the MoveIt! button.
  
• The list will be processed and the results will appear in the right hand pane.
• Copy everything on the Results window to the clipboard by highlighting ALL of them.
  
• Then right-click and choose copy, and paste it on your next reply.
• When finished click Exit to exit the program.
  
• Please add the log in your next reply.

• If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

• If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at : C:\_OTMoveIt\MovedFiles\********_******.log
  
  • (where "********_******" is the "date_time")[/color]
  Click Exit to close OTMoveIt.
  
  ---------------
  
  Next post please add
  OTMoveIt log <<Just copy and paste it in the post.
  New HijackThis log.

[blu_smiley]

I did the system scan only but when it finished i couldnt find:
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)

[evilfantasy]

We stopped them from running in services so they probably just didn't get picked up by the HJT scan.

Do the next step with OTMoveIt and we will see if they are removed by it.

[blu_smiley]

ok ^^

oh oh one thing...should i fix:
O4 - HKUS\S-1-5-18\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'Default user')

[evilfantasy]

ok ^^

oh oh one thing...should i fix:
O4 - HKUS\S-1-5-18\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'Default user')

Yes fix them in hijackthis and then continue with OTMoveIt.

[blu_smiley]

OTmoveIt:

File/Folder C:\WINDOWS\temp\kimochiz.exe not found.
File/Folder C:\WINDOWS\System32\hwclock.exe not found.
File/Folder C:\WINDOWS\spdauth.exe not found.
 
Created on 01022008_151824

---------------
hjt log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Well that revealed a few more bad guys.


Run Combofix again and post the log.



Also run SDFix and post its log.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
* Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

[blu_smiley]

when i press F8 the 'advance options' menu doesnt appear..
instead it's  'boot device' and asks me to select a drive O__O

[evilfantasy]

OK, just do the combofix log.

[blu_smiley]

combofix log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Now download The Avenger By Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the Input script manually box.
  
• Click on the Magnifying Glass Icon which will open a new window titled View/edit script
  
• Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\temp\kimochiz.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\spdauth.exe

Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

• Now click the 'Done' button.
  
• Click on the Green Light and OK the prompt.
  
• You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
  
• A log file from Avenger will be produced at C:\avenger.txt
  

The Avenger will automatically do the following:

• It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger's actions.
  
  • This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  
  • Please attach the C:\avenger.txt in your next post.
  ----------
  
  
  Run the BitDefender Online Scanner
  Click I Agree to the license and then select Click here to scan
  DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
  That will make your logs huge and we don't need to see clean files.
  
  Once Bitdefender completes the scan:
  Click-on the Detected Problems tab.
  Then select Click here to export the scan report
  
  When the window comes up to save the report, change the Save as type: box to:
  Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save
  
  This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
  (take notice of where you save it so you can find it later)
  
  This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
  
  If you do not follow these step, you will have an incorrect log or worse a log summary which is useless to us
  
  Post the bdscan.txt file as an Attachment.
  
  ----------
  
  Next post please add
  avenger log
  bitdefender log
  new hijackthis log

[blu_smiley]

avenger, bdscan and hjt logs attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

We need to do some work in the registry to get rid of the TELLCOMA.EXE.

Backup the registry

1. Click Start, click Run, type (or copy and then paste) %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Create a restore point, and then click Next .
3. On the Create a Restore Point page, type a name for the restore point and then click Create
4. After the restore point has been created, click Close.
* Remember or write down the name you give the restore point.

Kill the tellcoma process
Open Windows Task Manager by pressing CTRL+ALT+DELETE all at the same time and choose the processes tab.

In the list of running programs locate the process:
TELLCOMA.EXE and right click it then choose End task

Close Task Manager.

Remove tellcoma from the registry

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>Run

3. In the right panel, locate and delete the entry:
Microsoft Telecoma Center = "tellcoma.exe"

4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>RunServices

5. In the right panel, locate and delete the entry:
Microsoft Telecoma Center = "tellcoma.exe"

6. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run

7. In the right panel, locate and delete the entry:
Microsoft Telecoma Center = "tellcoma.exe"

8. Leave Registry Editor open.

Restoring EnableDCOM and RestrictAnonymous Registry Entries


1. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole

2. In the right panel, locate the entry:
EnableDCOM = "N"

3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
EnableDCOM = "Y"

4. Close Registry Editor.

Toggle System Restore to clear infected restore points

1. Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer

3. Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Run Housecall

Use the Trend Micro Housecall Scan

• Click Scan Now. It's Free
  
• Read and put a Check next to Yes, I accept the Terms of Use
  
• Then click Launch HouseCall Wait for the Java-Based Housecall Kernel Test
  
• Click Starting Housecall and wait for the updates to finish.
  
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  
  • It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start.
  • Please wait while HouseCall scans your system…
  • Once the scan is complete, it will take you to the summary page.
• Under Cleanup options choose Clean all detected infections automatically
  
• Click the Clean now>> button.
  
• When presented with a notification According to your instructions, all detected infections were cleaned..., click OK
  
  • The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\
  Check for Updates
  
  Go to www.windowsupdate.microsoft.com and check for any updates.
  
  Next post
  Housecall log
  New HijackThis log
  
  

[blu_smiley]

I cant find TELLCOMA.EXE in task manager

[evilfantasy]

Open the registry and see if you can find the entries in there and follow those instructions.

[blu_smiley]

went to the registry but couldnt find the entries

[evilfantasy]

Post a fresh hijackthis log please.

[blu_smiley]

hjt log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Post a fresh hijackthis log please.

Scan saved at 4:25:02 p.m., on 3/01/2008

I need a NEW hijackthis log.

[blu_smiley]

^ But that is a new one..
i scanned it only like 15 minutes ago

[evilfantasy]

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

• Close all applications and windows.
  
• Double-click on dss.exe to run it, and follow the prompts.
  
• When the scan is complete, two text files will open -
• main.txt <- this one will be maximized
  
• and extra.txt <-this one will be minimized
• Attach the contents of main.txt in your post.
  
• Please also attach extra.txt to your post.

What DSS will do:

• Create a new System Restore point in Windows XP and Vista.
• Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

[blu_smiley]

main and extra txt attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Telecoma Center] tellcoma.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Telecoma Center] tellcoma.exe (User 'Default user')

Close all windows except for HijackThis and click Fix checked

Exit Hijackthis.

----------

1) Please download Pocket Killbox

Unzip it to the desktop

2) Please run Killbox.

3) Select "Delete on Reboot"

4) Open the text file with these instructions in it, and copy the file name in the quote box below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\tellcoma.exe

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard"

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt Click "No" at the Pending Operations prompt



If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click HERE to download and run missingfilesetup.exe Then try Killbox again..

Let the system reboot.

Post a new HijackThis log.

[blu_smiley]

when i clicked "delete file" i got "pending file name operations registry data has been removed by external process"

and then it doesnt reboot by itself

[evilfantasy]

Reboot the computer.

After rebooting, open up Killbox again, click File -> Logs -> Actions History Log

Copy and paste the contents of kb.log and post it in your next reply.


If that doesn't work go to Start > Run and type: (or copy and paste)

notepad systemdrive%\!Killbox\Logs\kb.log

Copy and paste the contents of kb.log and post it in your next reply.


Also run a new hijackthis scan and post the log.

[blu_smiley]

kill box & hjt logs attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

This is definitely a nasty one. They are renamed to something else now.

Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Config 32] msconfigx32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Config 32] msconfigx32.exe (User 'Default user')

Close all windows except for HijackThis and click Fix checked

Exit Hijackthis.



Open Killbox.

Click the button that says All Files

Copy the files in the quote box below.

C:\WINDOWS\System32\tellcoma.exe
C:\WINDOWS\System32\msconfigx32.exe

In Killbox click File > Paste from clipboard

Check the box to Replace On Reboot, then check the box under it Use Dummy.

Then click the red X and allow reboot.

Post the Killbox log i the next post along with a new hijackthis log please.

[blu_smiley]

i cant seem to get the new kb log?....i got to kb..click files...click logs then i click actions history log but it comes up with the previous kb log..
am i doing something wrong?

[evilfantasy]

Did it seem like it worked this time?

[blu_smiley]

what do you mean?

[evilfantasy]

Did killbox work with no errors?

Post a new hijackthis log please.

[blu_smiley]

it came up with the same message as before

---------

hjt log attched

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

I have asked on the errors and it seems this is not uncommon for killbox to report this.


The log is finally clean. How is the computer now?


Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
4. When finished exit out of OTMoveIt2


Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

• Click Options...
  
• Move the arrow down to Standard CleanUp!
  
• Uncheck the following:
  
  • Delete Newsgroup cache
    
  • Delete Newsgroup Subscriptions
• Click OK
  
  • Press the CleanUp! button to start the program. Reboot/logoff when prompted.
    
    Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility
    
    
    
    This is a good time to clear your infected system restore points and establish a new clean restore point:
    
    • Go to Start > All Programs > Accessories > System Tools > System Restore
      
    • Select Create a restore point, and click Next.
      
    • Next, go to Start > Run and type in cleanmgr
      
    • Select the More options tab
      
    • Next to System Restore click Clean up...
    This will remove all restore points except the new one you just created.
    
    
    Let me know how everything is now.

[blu_smiley]

I think everything is ok now!
I'll let you know if any of the symptoms appear again!!
thanks so much for this!! Im sorry if i ve bee a pain ^^
thank you thank you!!

btw..how come i have a antivirus on my pc but it still doesnt help instead we have to go through all thses steps?

[evilfantasy]

thanks so much for this!! Im sorry if i ve bee a pain ^^

No problem, glad you stuck it out also.

how come i have a antivirus on my pc but it still doesnt help instead we have to go through all thses steps?

Not sure how it got there. All it takes is one click and all sorts of stuff can get in. Antivirus can't always stop some of the well written virus out there.

I'll let you know if any of the symptoms appear again!!

Absolutely, we will be here.

I think everything is ok now!

Good, I hope it stays that way.


To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Safe surfing........