need your help chaslang...

You will have to dowload copies of the below using another PC and then transfer them to your PC via a USB drive, a CD,....etc. The USB infection problem may be cureable by steps further down. However using a CD may be the safest bet if your CD drive still works.

• AVG Antispyware
• GetRunKey
• ShowNew
• HijackThis

Make sure you follow the directions in the READ ME for installing and using them and then run them and attach the logs here. You will need to copy the logs back to the other PC so you can upload them here. Without the logs, there is not too much we can do for you other than suggesting that you run an updated antivirus program in safe mode. You other alternative is to boot into safe mode and shutdown ALL unnecessary applications and then make sure you have enble viewing of hidden files and folders as instructed in step 2 of the READ ME. Then look for the below file and delete it:

C:\WINDOWS\lsass.exe

Only delete the above if found. DO NOT DELETE C:\WINDOWS\system32\lsass.exe which is valid.

I also recommend that you never let anyone put anything on your PC again.

You need to keep your PC properly protected and not let so called friends install or plug anything into it anymore. Especially to install codecs to view questionable videos.

Do the below:

Editing AUTORUN.INF on all drives if infected

1. Right-click Start then click Search
2. In the Named input box, type:
   AUTORUN.INF
3. In the Look In drop-down list, select My Computer
4. Once located, select the file then open with Notepad. Check if it contains the following strings:
   • shellexecute=Boot.exe
   • shell\Open\command=Boot.exe e
5. If those lines are found, delete the two lines with boot.exe on it.
6. Make sure you check ALL drives (thumb drive too) and do the same on all drives.
7. Save the edited file and then reboot.

http://forums.majorgeeks.com/images/misc/progress.gif​

 

You MUST install and rename HijackThis as requested in step 7 of the READ ME. You have this:

C:\HijackThis

It MUST be this:
C:\Program Files\HijackThis\analyse.exe

Why didn't you allow AVG Antispyware to fix what it found??

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to HFOBJH
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
  • VLNEIKQDESUZLG
  • Messenger Sharing USN Journal Reader service
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste HFOBJH into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
  • VLNEIKQDESUZLG
  • usnsvc
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS.1\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS.1\system\lsass.exe
O4 - Global Startup: MSconfig.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.1\

After clicking Fix, exit HJT.
No reboot into safe mode and delete the below if found
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSconfig.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HFOBJH.exe <-- you may need to login to the Administrator account in safe mode to find and delete this.
C:\Program.exe


Now reboot into normal mode.
Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Yes you should properly install it and rename it before continuing.

No! Only when we have determined that your PC is clean.

 

Good luck!

 

You're welcome. After you reinstall, make sure you follow all the steps in the below immediately:

How to Protect yourself from malware!