Don't understand.

Discussion in 'Malware Help (A Specialist Will Reply)' started by montana_john, Apr 19, 2008.

  1. montana_john

    montana_john Private E-2

    Help with this, thx (really):
     


  2. abri

    abri MajorGeek

    Hi montana_john,
    Welcome to Major Geeks!


    Your computer is badly infected. You have files of a trojan which steals information, so if you do any online banking, you need to change passwords and talk to your bank about how to protect yourself. I would like for you to do the instructions for HijackThis first, which will get you started, and as soon as you have completed them, continue on with the instructions in the READ & RUN ME FIRST and attach all the requested logs.

    Begin by running HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exE
    O4 - HKLM\..\Run: [DbgHlp32] C:\WINDOWS\DbgHlp32.exe
    O4 - HKLM\..\Run: [msosomec] C:\WINDOWS\msosomec.exe
    O4 - HKLM\..\Run: [PTSShell] C:\WINDOWS\PTSShell.exe
    O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\WSockDrv32.exe
    O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exE
    O4 - HKLM\..\Run: [SHAProc] C:\WINDOWS\SHAProc.exe
    O4 - HKLM\..\Run: [LotusHlp] C:\WINDOWS\LotusHlp.exe
    O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
    O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\fujxop.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.EXE
    O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
    O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE
    O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ygvicyxp] C:\WINDOWS\giypobhs.exe
    O4 - HKLM\..\Run: [WINSvr32] C:\WINDOWS\WINSvr32.exE
    O4 - HKLM\..\Run: [tciocp32] C:\WINDOWS\tciocp32.exe
    O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe
    O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe
    O4 - HKLM\..\Run: [dndsioc] C:\WINDOWS\dndsioc.exe
    O4 - HKLM\..\Run: [fmbiost] C:\WINDOWS\fmbiost.exe
    O4 - HKLM\..\Run: [fmsbbqi] C:\WINDOWS\fmsbbqi.exe
    O4 - HKLM\..\Run: [900e2580] rundll32.exe "C:\WINDOWS\system32\rdtbhboj.dll",b
    O4 - Startup: MonKey 1.7 .lnk = C:\Program Files\MonKey\MonKey.exe
    O4 - Startup: VirtuaGirl HD.LNK = ?
    O20 - AppInit_DLLs: msosmhfp00.dll,msosdohs01.dll
    O23 - Service: 72503303 - Unknown owner - C:\WINDOWS\system32\E3B9DA8B.EXE (file missing)

    After you click fix, just close hijackthis.

    As soon as you complete the above, go to the READ & RUN ME FIRST and go straight to the instructions for downloading and installing CCleaner. Once installed, run it at the default setting as per the instructions.

    Then continue on and do the instructions on this page and the continuing page which will be specific for your operating system. When you're finished attach all the logs.

    Tell me how this went?


    abri
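The entries abri picked out above were chosen by eye: binaries dropped straight into C:\WINDOWS, rundll32 loading a DLL with a meaningless name, a hex-looking label, an AppInit_DLLs hook, a Winlogon Notify hook and a service whose file is already gone. The Python script below is an added example, not code from this thread or from HijackThis, that applies the same triage rules to raw O4/O20/O23 lines. It runs offline on a constructed sample (a subset of the lines quoted above plus the benign QuickTime entry); the function names, the set of "Windows root" paths, the 0.15 vowel-ratio threshold and the hex/digit-only rule are the example's own choices, not anything HijackThis or MajorGeeks defines.

```python
"""Triage heuristics for HijackThis O4 / O20 / O23 log lines.

Added example: not code from the thread or from HijackThis. It encodes the
judgement a helper applies by eye: executables dropped straight into the
Windows directory, rundll32 loading an oddly named DLL, AppInit_DLLs and
Winlogon Notify hooks, hex/digit-only names, and entries whose binary is gone.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O20_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
HEXISH_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)      # e.g. 900e2580, E3B9DA8B, 72503303
DLL_ARG_RE = re.compile(r'"?([^",]+\.dll)"?', re.I)  # the DLL argument of a rundll32 command
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}         # assumed: XP-era install roots
VOWEL_RATIO_MIN = 0.15  # assumed threshold for "looks random"; tune against your own baseline

# Constructed sample: a subset of the lines quoted in the thread plus the benign
# QuickTime entry, so the benign/suspicious contrast is visible.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exE
O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\fujxop.exe
O4 - HKLM\..\Run: [900e2580] rundll32.exe "C:\WINDOWS\system32\rdtbhboj.dll",b
O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe
O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe
O20 - AppInit_DLLs: msosmhfp00.dll,msosdohs01.dll
O20 - Winlogon Notify: khfDwxwX - khfDwxwX.dll (file missing)
O23 - Service: 72503303 - Unknown owner - C:\WINDOWS\system32\E3B9DA8B.EXE (file missing)
"""


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def stem(path: str) -> str:
    """File name without directory or extension (Kvsc3.exE -> Kvsc3); ntpath handles backslashes on any OS."""
    return ntpath.splitext(ntpath.basename(path))[0]


def looks_random(name: str) -> bool:
    """Weak signal: six or more letters with almost no vowels (rdtbhboj, khfDwxwX, mfchlp)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < VOWEL_RATIO_MIN


def primary_target(cmd: str) -> str:
    """First token of a Run value: the quoted path if it starts with a quote, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def name_reasons(name: str, what: str, check_vowels: bool) -> List[str]:
    if HEXISH_RE.match(name):
        return [f"{what} '{name}' is hex/digit-only"]
    if check_vowels and looks_random(name):
        return [f"{what} '{name}' looks randomly generated (weak signal)"]
    return []


def binary_reasons(path: str, what: str = "file") -> List[str]:
    reasons = []
    if ntpath.dirname(path).lower().rstrip("\\") in WINDOWS_ROOTS:
        reasons.append(f"{what} '{path}' lives directly in the Windows directory")
    reasons.extend(name_reasons(stem(path), f"{what} name", check_vowels=True))
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per line that trips at least one rule, in log order."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        if line in seen:
            reasons.append("exact duplicate of an earlier entry")
        seen.add(line)
        if m := O4_RE.match(line):
            target = primary_target(m["cmd"])
            reasons.extend(name_reasons(m["label"], "label", check_vowels=False))
            if stem(target).lower() == "rundll32":
                dll = DLL_ARG_RE.search(m["cmd"])
                if dll:
                    target = dll.group(1)
                    reasons.append(f"rundll32 launches DLL '{target}' instead of a program")
            reasons.extend(binary_reasons(target))
        elif m := O20_APPINIT_RE.match(line):
            reasons.append("AppInit_DLLs is loaded into every process that links user32.dll")
            for dll in m["dlls"].split(","):
                reasons.extend(name_reasons(stem(dll.strip()), "DLL name", check_vowels=True))
        elif m := O20_NOTIFY_RE.match(line):
            reasons.append("Winlogon Notify package runs inside winlogon.exe at logon")
            if m["missing"]:
                reasons.append("referenced DLL is missing: orphaned hook, still worth removing")
            reasons.extend(name_reasons(stem(m["path"]), "DLL name", check_vowels=True))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                reasons.append("service has no registered vendor")
            if m["missing"]:
                reasons.append("service binary is missing: orphaned service entry")
            reasons.extend(name_reasons(m["name"], "service name", check_vowels=False))
            reasons.extend(binary_reasons(m["path"], "service binary"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Treat the output as a worklist, not a verdict: legitimate software also uses rundll32 and abbreviated names, which is why the benign QuickTime line is in the sample and must come out clean. The "file missing" entries are worth keeping on the list even though nothing runs from them; they are the leftover registration (a Winlogon Notify key, a service entry) that a later cleanup still has to delete.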
     
  3. montana_john

    montana_john Private E-2

    I did what you said. But I think I made a mistake. I fixed everything you said, ran CCleaner, and at last I can't browse the internet... Some apps not working. What is this?

    NEED HELP!
    PLEASE!
     
  4. abri

    abri MajorGeek

    Hi montana_john,

    Your computer is full of trojans of the type which steal passwords. The first thing you need to consider is if you have any information on your computer with regard to banking and credit cards. If so, you need to call your bank/credit card companies and ask them how you should proceed with your accounts in light of the fact that your computer's security has been compromised.

    All of the files you had HijackThis fix are malware files. You can go to the backup of HijackThis and have them all restored. Run HijackThis and click on "None of the above, just run the program". On the page that opens up, click on Config at the bottom, and on the next page at the top click on Backups. Put a checkmark next to all of the files and have them restored. See if this returns your Internet Explorer to a working state.

    After you do that, see if you can run the instructions in the READ & RUN ME FIRST and attach all the requested logs. Some of the malware will be removed by the scans which you are asked to run, and after that, by looking at the logs you attach with your post, we can remove whatever still remains. If you are using cracked versions of software or have agreed to involvement with any sites which distribute gambling or pornography, chances are good that you will not be able to completely rid your computer of the infections and you will need to back up your data, reformat and change all your online passwords (changing your passwords you should do in any case).

    Let me know how this goes.
    abri
     
  5. montana_john

    montana_john Private E-2

    OK, I just did what you said. And now it says "Internet connection could not be established", and when I try to repair the connection, it says TCP/IP could not be established. Now I can't format my computer (because I am administrator of many computers; not this one, I am using another computer to write these things). I ran a full scan and it detected no virus.
    After all, Norton maybe destroyed some internet things, I didn't look. And now it's up to you, Abri. Help me, please. I am dying.
     
  6. montana_john

    montana_john Private E-2

    Now I still cannot use the internet. TCP/IP not connected.
    Ran Norton and found no virus now. Faster than before.
    Only thing is I do not have rights to format my computer. I am an administrator of many computers. So HELP! You are my only hope. :confused
     
  7. abri

    abri MajorGeek

    Hi montana_john,

    One of your posts seems to be invisible, I'm not sure why. First what I would like to say is that based on your original HijackThis log, your computer is full of trojans. You do not have to have an internet connection to proceed with the instructions in the READ & RUN ME FIRST. You may need to download the installation programs onto a flash drive or CD on another computer and then transfer them to the infected computer.

    It's important to have the instructions for each tool, so be sure to print them out. Then run as many of the scans as you can and see if they will get rid of the malware.

    To make things easier, please try and get Combofix onto your desktop first (in either normal or safe mode) and run that before you do any other scan. The Combofix instructions can be found by scrolling down to the bottom of the READ & RUN ME and selecting the cleaning instructions for your operating system. On the page that opens, scroll down until you come to the instructions "Running Combofix". Click on this. If you're able to do this, then go back to the very beginning of the READ & RUN ME and do all of the instructions except Combofix.

    Also, for my information, when you ran CCleaner, which things did you have checked? The items we want you to delete using CCleaner are those which are checked by default on the Windows tab. When you open CCleaner, the broom should be clicked over on the left side and the tab that is showing is the Windows tab. Some but not all the items on that tab are checked. Then you click on Start Cleaner. Is this what you did?

    Please do as much of the READ & RUN ME as you can (link in post 2) and attach the requested logs. We cannot help you until we can see what's going on. If you aren't able to complete a scan, make a note of what happens and then proceed with the next one.

    abri
     
  8. montana_john

    montana_john Private E-2

    Here is the log. Help with this. And still no internet.
     


  9. abri

    abri MajorGeek

    Hi montana_john,

    Your Combofix log shows that your computer has files which need to be removed. Our experience is that we have better success getting your computer fixed if we can remove all the bad files at once. In order to do this, I need for you to run ALL the scans in the READ & RUN ME. If you have trouble with one of the scans, go on to the next one, but make a note of why you weren't able to run it. The only information you've given me so far is that you don't have an internet connection. When I told you that you can run these scans without an internet connection, you attached a log for Combofix. How did you get Combofix on your computer? Can you install and run the other scans from the READ & RUN ME in the same way? The link for the READ & RUN ME is in both posts 2 and 4 of this thread. As you work through these instructions, you will most likely find some relief from the symptoms. We will have more success getting this process to a successful completion if you give me all the help you can, rather than giving me one little piece of information here and one piece there.

    Thanks.
    abri
     
  10. montana_john

    montana_john Private E-2

    And I can't find the MGTools log. It says on C:\ but it's not there.
    OK, this is all I can do. I have no internet, so SpyBot is not working...

    Tnx.
     


  11. abri

    abri MajorGeek

    Hi Montana John,

    If you do not have the logs, but you do have the Superman icon under C: which is the file called MGTools.exe, please double-click on it and allow it to run. See if the logs show up as MGlogs.zip under C:. If this does not produce the logs, but you DO have the MGTools folder located in C: (folder, not file), please open that and look for a file in there called GetLogs.bat. Double-click on this file and allow it to run to completion. When it's finished, it will give you a message to hit any key. After you hit any key, go back to C: and look in there again and see if you have the file called MGlogs.zip now. If so, please attach it. One of these two procedures should produce the complete set of logs.

    If none of this works, please tell me. We can work with Combofix, but will miss some things that are important.

    Thanks.
    abri
     
  12. montana_john

    montana_john Private E-2

    I did everything you said. There is no file called that .bat thing.
    And I even ran it again. And still no .zip log. Don't know what happened.
    Is there no other program that is the same as MGTools?
    And thanks for helping me all the way.
    Yours,

    Montana.
     
  13. abri

    abri MajorGeek

    Hi Montana_John,

    1) Please download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) After you complete the above, I would like for you to run CCleaner. There should be a red C icon on your desktop. (It's not the red combofix item with the x in it, but a red-orange C.) Please double click on this and the CCleaner window will open. Down at the lower righthand corner is a button which says Run Cleaner. Please click on this. It will tell you files will be removed permanently. Say yes and then allow it to run. When it's finished, just close the window.

    3) Now I would like for you to run your copy of HijackThis again and attach the log with your next post.

    You will have two logs to attach: Avenger.txt and HijackThis.log

    Thanks.
    abri
     
  14. montana_john

    montana_john Private E-2

    Here is the log. Sorry for letting you wait for so long.
    I went to Alabama for some business.
     


  15. abri

    abri MajorGeek

    Hi Montana_John,

    Here are some further instructions:

    1) Before you continue, please go to your HijackThis folder under Program Files in C: and find hijackthis.exe. Right-click on it, select Rename and change the name to analyse1.exe. Then just exit HijackThis and remember that it's been renamed but is still the same program.

    Then continue as follows:

    2) Now we need to stop a service. Please do the following:

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, look for this service (it may be at the top of the list): 72503303
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.

    • Next, run HJT (renamed to analyse1.exe), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste 72503303 into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    3) Now re-run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: khfDwxwX - khfDwxwX.dll (file missing)
    O23 - Service: 72503303 - Unknown owner - C:\WINDOWS\system32\E3B9DA8B.EXE (file missing)

    After clicking Fix, exit HJT.


    4) Please do the following:
    Now we need to use ComboFix to remove some files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\k12076981441.exe
    C:\WINDOWS\system32\k120769761519.exe
    C:\WINDOWS\system32\k12076975931.exe
    C:\WINDOWS\system32\k12076934811.exe
    C:\WINDOWS\system32\k12076934401.exe
    C:\WINDOWS\system32\llk1207693405.h
    C:\WINDOWS\system32\k12076713131.exe
    C:\WINDOWS\system32\k12076594771.exe
    C:\WINDOWS\system32\k12076588891.exe
    C:\WINDOWS\system32\k12074466051.exe
    C:\WINDOWS\system32\k12074454451.exe
    C:\WINDOWS\system32\k12073530331.exe
    C:\WINDOWS\system32\k12073524951.exe
    C:\WINDOWS\system32\k12073170951.exe
    C:\WINDOWS\system32\k12073132101.exe
    C:\WINDOWS\system32\k12073106781.exe
    
    LOOK::
    C:\Enlish.lng
    
    DIRLOOK::
    C:\DOOMS
    C:\WOLF3D
    C:\DUKE3D
      
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop. Combofix.exe (or cf.exe) is a red disk with a white X in it. The CFScript.txt will have the normal icon for any other text document.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the one on top.

    6) While we can try little by little to get some of the malware out of your computer, there will still be files left over that we've missed. There are other ways for us to proceed, but the MGTools is the easiest, so I would like for you to try one more time to get this to install properly.

    To begin with, are you working from the internet on this computer or are you transferring the software we want you to download from a CD or flash drive? In order to function correctly, the MGTools have to be installed directly in C:\. This means that if you download or downloaded them to a CD or flash drive, or install them in some place besides C:\ (for instance, on your desktop), you need to open Windows Explorer and find MGTools.exe (whether on a CD, flash drive or in your computer) and drag this file to the Local Disk (C:) drive.
    If you are getting an error message, during download, please tell me what that is.

    The names associated with this program can be a little confusing, because there is the MGTools.exe which you download. Then after running the MGTools.exe program, there is a folder (not a file) called MGTools. Inside that folder there are a lot of different programs. Do you have this folder? If you do a search of your computer for MGTools, you should find it unless you tried to run it from an external medium like a cd or flash drive.

    Let me know how this goes and whether your computer has an internet connection or not. Be sure to attach the Combofix log with your next post and the MGlogs.zip if you get them. If you are unable to get them, please run the renamed HijackThis (now called analyse1.exe) by double-clicking on it and attach that log with your Combofix log.

    abri
     
