Help with malware, virus, or whatever it is that crashes my computer...

Discussion in 'Malware Help (A Specialist Will Reply)' started by belishabeacon, Jan 14, 2007.

  1. belishabeacon

    belishabeacon Private E-2

    Hello, I really need help!
    I had a virus on my computer which I think was Sasser: I downloaded and ran stng260 and my computer worked fine (before using stng260 my computer was shutting down after a window with a 60-second countdown popped up).

    Then I shut down and didn't install the latest Microsoft updates, and the next time I opened the computer it wouldn't let me get past 4 minutes: a blue screen with writing would show and then reboot my computer. I couldn't read what it was, but it showed "lzx32.sys" before shutting down!

    For some reason I was able to go online long enough to run something called rustbfix.exe, and everything seems to be working now. I also installed AVG Anti-Spyware, and when I run a scan it says 1 trace is detected in the following location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Autosys.
    How do I get rid of this, and how can I make sure that this won't happen again and that my computer is finally clean of all of this?

    (Also, I don't know how to run HijackThis, which everyone seems to be posting logs from; could someone please explain this to me?)
    *biting nails and scared to close the computer*
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

    - Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If, after doing ALL of the above, you still have a problem, make sure you have booted to Normal Mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Anti-Spyware log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  3. belishabeacon

    belishabeacon Private E-2

    Hi Shadow Puter dude,

    Thanks so much for replying. I attach here the files; hope you can help me, thanks! Please please please :cry
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Don't combine the logs like that. Post them separately.
     
  5. belishabeacon

    belishabeacon Private E-2

    Here they are... thanks...
     

    Attached Files:

  6. belishabeacon

    belishabeacon Private E-2

    and here are the rest... please help me!
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I can tell by reading your logs you have been trying to fix this yourself. Don't run anything I don't ask you to use. Some of these tools can cause serious damage to the OS when not used properly.

    HijackThis is not in the location specified by our tutorial. Right-click on the underlined text and choose Save Link As... to your Desktop: Move_HijackThis.vbs

    Download
    - Pocket Killbox

    Empty the AVG Virus Vault
    Run CCleaner

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Follow the instructions for Smitfraud, SpySheriff, SpyAxe & PSGuard Removal.

    Run AVG Anti-Rootkit and save the log

    Post the following logs:
    1. SmitRem log
    2. AVG Anti-RootKit log
    3. ShowNew
    4. GetRunKey
    5. HijackThis
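
    The procedure above touches three places by hand: the Run keys (where the AVG scan found the Autosys value, which is what the FixReg.reg merge and the HijackThis O4 fix clean up), the file the BSOD named (which Killbox's Delete on Reboot queues for removal), and the PendingFileRenameOperations value that a Delete on Reboot writes. The script below is an added example, not code from the thread or from MajorGeeks: it walks those same locations read-only and writes the FixReg.reg it would merge so the file can be reviewed first. The suspect value name and driver name are assumptions taken from the logs quoted in this thread; it assumes Windows PowerShell 3.0 or later for the -Stream check, and nothing is removed unless -Apply is given.

    ```powershell
    # Added example (not from the thread): read-only walk over the autostart
    # locations the cleanup touches, plus a reviewable FixReg.reg.
    param([switch]$Apply)

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $suspectValues  = @('Autosys')     # assumed: the value name AVG flagged in this thread
    $suspectDrivers = @('lzx32.sys')   # assumed: the driver named on the BSOD in this thread

    Write-Host "== Run keys (what GetRunKey.bat lists) =="
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $flag = ''
            if ($suspectValues -contains $p.Name) {
                $flag = '   <-- SUSPECT'
                # Remove-ItemProperty does what merging "Name"=- in a .reg file does.
                if ($Apply) { Remove-ItemProperty -Path $key -Name $p.Name }
                else        { Remove-ItemProperty -Path $key -Name $p.Name -WhatIf }
            }
            "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
        }
    }

    Write-Host "== Driver files =="
    $drivers = Join-Path $env:SystemRoot 'system32\drivers'
    foreach ($name in $suspectDrivers) {
        $path = Join-Path $drivers $name
        if (Test-Path $path) { "PRESENT: $path" } else { "absent:  $path" }
    }
    # A plain Test-Path misses a file stored as an alternate data stream on a
    # folder (system32:name.sys), so list any streams attached to system32 too.
    Get-Item -Path (Join-Path $env:SystemRoot 'system32') -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { "ADS on system32: {0}" -f $_.Stream }

    Write-Host "== PendingFileRenameOperations (what Killbox 'Delete on Reboot' queues) =="
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $pending) { "none queued" }
    else {
        # REG_MULTI_SZ of (source, destination) pairs; an empty destination
        # means "delete at next boot". Paths carry the \??\ NT prefix.
        for ($i = 0; $i -lt $pending.Count; $i += 2) {
            $src = $pending[$i]; $dst = $pending[$i + 1]
            if ($dst) { "move   $src -> $dst" } else { "delete $src" }
        }
    }

    # The FixReg.reg step is a .reg file that deletes a value: "=-" after a
    # value name removes it when the file is merged. Write one for the first
    # suspect value so it can be read before double-clicking it.
    $fixReg = @"
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "$($suspectValues[0])"=-
    "@
    $out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FixReg.reg'
    Set-Content -Path $out -Value $fixReg -Encoding ASCII
    "wrote $out"
    ```

    Run it from an elevated PowerShell before and after the cleanup: the first run should show the suspect value and any queued delete, the second run (after the reboot) should show neither. A queued entry that is still present after the reboot is the "Pending Operations" case the post asks to be told about.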
     
  8. belishabeacon

    belishabeacon Private E-2

    I can't find the following in hijackthis...

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Should I continue anyway with the instructions?
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    IF the lines aren't there, they aren't there; continue with the instructions.
     
  10. belishabeacon

    belishabeacon Private E-2

    Hi Shadow Puter Dude,

    Here are the logs. I did save the link Move_HijackThis.vbs to my desktop, but when I click on it, it just says that hijack.exe can't be found, so I ran it from where it was. I also attach the log from Panda Virus.

    I ran AVG Anti-Rootkit, but nothing showed from the scans and I wasn't given the option to save a log.

    For Killbox, I didn't get a "PendingFileRenameOperations prompt" message.

    hijackthis log to follow...

    Thanks a million...
     

    Attached Files:

  11. belishabeacon

    belishabeacon Private E-2

    hijackthis log
     

    Attached Files:

  12. belishabeacon

    belishabeacon Private E-2

    oh and here is my activescan log.
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  14. belishabeacon

    belishabeacon Private E-2

    Here are the logs...
     

    Attached Files:

  15. belishabeacon

    belishabeacon Private E-2

    *oh and before I forget, for Killbox, I didn't get a "PendingFileRenameOperations prompt" message.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post a Fresh ShowNew log.
     
  17. belishabeacon

    belishabeacon Private E-2

    Here is my newfiles.txt...
    When I ran Pocket Killbox, I tried to paste the paths from the clipboard, but they weren't showing up and it kept prompting me to add something to the yellow box, so I copied and pasted one path into the yellow box... I hope this was all right?
    Also, yesterday I tried to reinstall the audio on this computer, because I don't have sound anymore... That's all I installed recently...
    Thanks!
     
  18. belishabeacon

    belishabeacon Private E-2

    here's the file sorry
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is looking pretty good. How is your computer running?
     
  20. belishabeacon

    belishabeacon Private E-2

    Whew, thank you! The computer seems to be working fine now, no more crashing so far. I just have one question though: when I start the computer, usually before the blue Windows welcome screen opens, there used to be tiny white bars running from the left of the screen to the right while it booted up. Ever since I got infected that feature has disappeared: instead it's just a black screen before it opens the Windows screen. Is this a normal thing? Because apart from that, things seem to be working OK.

    I guess now I should take the measures to prevent this thing from coming back!

    Thanks so much for your help, Shadow Puter Dude, you don't know how much I appreciate it! Merci beaucoup!
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do the following:

    Start -> Run
    type notepad c:\boot.ini
    click 'OK'

    Copy and paste the contents of Notepad into your reply.
     
  22. belishabeacon

    belishabeacon Private E-2

    Here it is...
     

    Attached Files:

    • boot.txt (216 bytes)
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your boot.ini looks fine. Run MSConfig, click on the BOOT.INI tab, and make sure SOS is unchecked. Reboot.

    Still no splash screen?
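
    For reference, a typical single-install Windows XP boot.ini, added here as an illustration (the attached boot.txt is not reproduced in the thread, so this is not that file). The SOS checkbox on MSConfig's BOOT.INI tab simply appends the /sos switch to the active entry; the second entry below shows the same install with that switch, which replaces the Windows logo with a black screen listing each driver as it loads:

    ```ini
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (driver list)" /noexecute=optin /fastdetect /sos
    ```

    Only the switches on the entry named by default= matter for an unattended boot. bootcfg /query at a command prompt prints the entries and their switches without opening the file, and /noguiboot is the other switch worth checking for, since it suppresses the logo screen entirely.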
     
  24. belishabeacon

    belishabeacon Private E-2

    Actually, I'm not sure what a splash page is, but all I know is that before, this is how my computer worked when I'd reboot...
    -computer logo
    -ask for password
    -black screen with little bars at the bottom of the page that would move from left to right, as if it were booting up
    -Windows XP logo, with a bar with blue squares like it were booting (I wonder if this is the splash page? If it is, then it's working fine)
    -Welcome windows, then my desktop

    But now the 2nd item is gone (little white bars)
    Maybe it's not important, I just wanted to know if this was normal and if it's ok. Apart from that, things are working ok.

    Oh, the only other problem I'm encountering is that each time I reboot, I lose the sound, and I need to put in my installation cd and reinstall the Audio. I've done it 4 times now, and it still doesn't stay put! I'm not sure if all this is related to what happened with the virus...
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This isn't normal. The one with the Windows logo is all you should see.

    If you have a removable sound card: uninstall the drivers, shut down, remove the card, reboot, shut down, install the card, reboot, close the New Hardware Found wizard, and install the drivers from the CD. Reboot.

    Still dropping the drivers?
     
  26. belishabeacon

    belishabeacon Private E-2

    If the Windows logo is all I should see, then I suppose that's a good thing, that I don't see the black screen with the white bars.
    Anyway, no, I don't have a removable soundcard...and it still keeps on dropping the driver.
    Also, when I shut down, there's always a little window saying that Explorer.EXE is closing, and I always have to click on the option to stop the program (next to the Cancel button).
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You may need to do a "Repair Install", but first:

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work through the below link:
     
  28. belishabeacon

    belishabeacon Private E-2

    I will try to reinstall my audio. I've also followed the instructions below and will follow the steps on how to prevent this thing from happening again.

    Once again, Thank you! Eternally grateful for your help!!!!
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.

    If you have any more problems with the audio drivers, post in either the Hardware or Software Forums.
     
