How can i remove this virus please?

Machine is real slow. Found 2 trojans yesterday and deleted. Ran AVG and it found a further one called vbspsyme in c:\q123.vbs or something like that. It asked if i should heal or delete. Heal said there was an error handling it.
Before i mess it up whats my next move please?

 

Did spot this. Dunno if it helps. Im too scared to do anything lol.

http://vil.nai.com/vil/content/v_100749.htm#Variants

 

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

After doing ALL of the above if you still have a problem:


http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

With respect i am having trouble downloading things as the computer keeps disconnecting due to the virus. I have run loads of the things you suggest to use and hijack this shows to be ok (using hijack this reader). Whilst i appreciate you want to do things step by step this is a little difficult right now. Just wondering (in the first instance) if i should just remove c:\q123.vbs (as it cant be healed) and then see how we get along?I have attached the hjt logfile (albeit done before the steps you suggest for the aforementioned reasons)

 

Apologies. Here it is

 

Yes, delete that file you mentioned! First thing I want you to do is Click Start > Run > Type in msconfig. Now click the Startup Tab and check EVERYTHING. BUT DO NOT REBOOT!!!

After you complete the above, attach a fresh HJT log.

 

Here ya go.

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

MyWebSearch


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

F2 - REG:system.ini: Shell=explorer.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\c.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Microsoft© PID Lex] C:\WINDOWS\System32\PIDLex.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\Program Files\MyWebSearch ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\PIDLex.exe

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Ok, here we go.
When i booted into safe mode the items you told me to remove

C:\Program Files\MyWebSearch ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\PIDLex.exe

were not there. (Saying that i did check if they were there before you posted yesterday and i couldnt find them then.)

Also upon running ccleaner it said there were 210 issues. I hadnt looked at this part before (i did notice something about a websearchassistant in there) so i left it alone. I will gladly select "fix selected issues" if you tell me to.
Also i had to run spybot in normal mode as i couldnt update in safe mode. No immediate threats found.
I also ran the cleanmgr in normal mode. I would also add that the temp files and temp int files were already checked.

Here is the new hjt log. (it will be on the next page as i am going to have to post this and then sign off and sign back on again.

 

Would like to add that the "issues" i mentioned on ccleaner were not what it cleaned but i selected issues and then scanned (hope you understand what i mean)
Also when i restarted AOL it said this

internet explorer cannot open the internet site http:welcomescreen.aol.svc.co.uk/ukrestart/.

 

The startup error message i just posted does now not appear so thats ok.

One other thing is that the computer is still pretty slow, certainly alot slower than it was before all this started.

 

Never use the Issues part of CCleaner as its known to cause some minor problems. I have had many cases where this messed up java and other things so dont run this scan only the cleaner.

Your HJT log is clean, lets run a few more scans to confirm your clean.

1) Download TrojanHunter

2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

After you complete the above, reboot and let me know if anything was found and how things are running now.

 

I got rid of the old version in had and downloaded the new one and then searched and loaded the updates only to be told the evaluation period had expired!!! Blazes. What can i do now please?

 

If you want to continue using it then you will have to purchase it or uninstall it.

 

Download Spy Sweeper 4.0.3.363 and install it.

After you install make sure you get the updated spyware definitions. Then do a full sweep removing all infections. After you remove the infections with SpySweeper, reboot and attach a fresh HJT log.

 

HJT logfile posted after spysweeper. Not done TrojanHunter but will try to download it again.

 

When i try to get rid of Trojan Hunter on my pc i remove it from add and remove programs, remove it from all programs on the start menu, then go to c program files / ***** and remove it there too.....except contmenu.dll says it cant be removed.access denied. How can i remove this part of TH so that i can reisnstall???

 

Reboot into Safe Mode and then delete the folder.

 

One other thing I wanted to point out is that your running AVG AntiVirus and Trend Micro Internet Security. You need to pick one and uninstall the other as running 2 antivirus programs will cause conflicts on your computer.

 

TrojanHunter is still telling me the evaluation period has ended despite me reomoving every trace i can find. Would you be able to tell me exactly where to try and find every little part of it.
As it stands at the minute there is STILL something that is making the machine slow and making it disconnect (only occasionally now). I feel TH would be able to sort the problem. I look forward to your help on this but if push comes to shove it looks like we will have to do a complete system shutdown and restart as though the machine came in its original state. Would you be able to tell me how to do this if need be?

 

If TrojanHunter says trial period has expired the only thing you can do to continue using it is to purchase it. Trial versions such as this hide a certain registry entry that keeps track of such installs where the program knows when to expire, thats why its called a "trial". Also, some trials have to have a registration file which you have to purchase and this will give you unlimited usage. Either way, you must purchase the program in order to keep using it.

Now lets run one last scan to remove any leftovers.

-Please download Ewido Security Suite

- Install and get any updates!
- Run a full scan on Local Disk C:\
- Remove ALL found infections

 

Still mega slow. Dunno whats wrong but its not right. I have saved all my documents and photos so i reckon its about time for a complete reinstallation and start again? What do you think? Something is definately slowing it down even to the point where you click something and have to wait say 3 seconds for it to do it whereas before it was immediate. AOL takes ages to start up too.
How do i get my pc back to its original state? If you think thats the best option?

 

Did you run Ewido or not?

Also, this is a last resort, reinstalling your OS so be patient.

Generate a StartupList log using HijackThis.
Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". CLick Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

 

Yes of course i ran Ewido. I may not be as clever as you but i will do as you say and will say if i didnt do anything. Im not that thick am i lol.
Here is the log for you. I must confess though. You`re very good at this ;-)

Forgot to say, Ewido only found some minor tracking cookie things.....no viruses.

 

You didnt attach me the startup log

Also, how much memory do you have installed?
What speed CPU do you have?

 

Doh. I didnt upload it.
7 hundred and something meg of ram
think the cpu speed is 1.60 ghz.

 

Okay, now attach me the startup log from HJT and previously requested.

 

Sorry, you have lost me there. Could you explain again please. I have sent you the startup log? Whats next

 

Oh, you hadnt attached it when I posted that

Okay, from this log I see you still have not removed one of the antivirus programs I requested. You can't run more than one antivirus program because they will cause conflicts on your computer. Pick ONE and uninstall the other.

Also, the AOL Spyware Protection I would recommend removing because this causes more harm than good in many cases.

After you complete the above uninstalls, reboot into Safe Mode and delete the following files:

C:\WINDOWS\system32\MsAgent32.exe

C:\WINDOWS\System32\dxkfgl.exe

After you remove these 2 files, reboot and attach a fresh HJT log.

 

Ok then. I booted into safe mode and removed a folder call c:/windows.msagent.exe but could not find one call c:/windows/dxkfgl.exe
I also ran hjt in safe mode and removed the entry about aolspyware with the missing file but it still shows!! I have also uninstalled the pccillin. I am now sending you an updated hjt log to see where we go next?

 

First, uninstall anything I had you install like Ewido & SpySweeper. Your HJT log looks clean to me, are you still running slow?

 

I have uninstalled them both. Yes its still mega slow. Before all this if i opened say 5 windows pretty quickly they would all load up pretty much together and very quick, now if i try it with 2 it takes an age.
Something is DEFINATELY slowing my machine down. Is it a virus? Could it be my connection? ie non-broadband. I have a brand new modem installed so whats next? Full reinstallation? Coz this is driving me maaaaaaad ;-)

 

I did see somewhere about my system speed being 32.8 kbs. Surely that is far too slow for a 56k modem? Not that i know anything of course. There is an AOL log when i right click on the AOL icon and ask for system information. Would that be of any use. Anyway i think we are getting towards the end of all we can do arent we? Just thought th 32.8 kbs thing didnt seem right.

 

I know nothing about AOL because personally I hate their software. Are you on dialup or cable/dsl?

Also, press CONTROL + SHIFT + ESC at the same time, when task manager opens, click on the Processes Tab. Now click where it says CPU and see which processes are taking up so much usage.

Does it run slow in Safe Mode?

 

Hi. The processes thing is fine, i checked that ages ago, 94%/97% system idle, 3% tskmanger, 3% explorer. Not only does it keep disconnecting but it often struggles to connect. With the greatest respect the amount of time and effort we have both put in i do firmly believe that if i get the machine started from its original state then i might be better off. It really is driving me mad now and affecting my work.
The only other thing i can think of is perhaps an AOL problem. I may well try uninstalling AOL and using a Wanadoo disc i have here to see if anything improves, its the 32kbs or lower that concerns me.
I look forward to your help once more but i honestly think its time now as i really cannot imagine what is wrong other than a hidden trojan that we cannot find or a connection problem.
Can we resolve this in the next post please bjgarrick????

 

Oh and one other thing, when i try to sign on to AOL in safe mode it says the communication port is invalid or busy and wont let me log on AT ALL !!!!
Could that be a clue ?????? Im going for a pint hopefully when i return my knight in shining armour will have this sussed out for me ha ha.

 

If your on Dialup you cant access the internet in Safe Mode, this is normal.

Like I've mentioned before, I would do away with the AOL software as I have had numerous problems with it in the past.

Download RegSupreme Pro 1.1

Install this program, after you install you will be prompted to "defrag" you registry for best performance. You can go ahead and click YES, should take but a minute or so.

After this completes at the top, click the REGISTRY CLEANER tab. Then click on "Aggressive" and let it scan. Afterwards you will see the total of invalid entries found. Once its complete, select ALL entries and select FIX. The program will then fix the ones that are fixable, the ones that are not will be removed. Type in a backup filename and save to an easy location just in case.

Let me know the results! After you do this reboot and see if your running any better.

 

I may be tempting fate here but it seems alot better.....maybe so far as to say back to how it was. Fingers crossed eh? What has that thing done then?

 

How many errors did it find/repair? This is a registry cleaner, it detects invalid/corrupt registry entries and repairs or removes them depending upon your choice.

 

Cant remember but at least 200 or so. It fixed 50 odd and deleted the rest. Looking good so far. What a guy ;-)

 

Glad things are better, are you having any further problems?

 

Things are NOT ok but you have done everything you can.
I think i have pinpointed the problem. My connection speed (i am on dial up) is 24kbps on a 56k modem. When i took the pc to my father in laws it was 44kbps which clearly (to me anyway) shows that there is a problem on the line but BT say their isnt but are going to increase the "gain" which i am still waiting for. At least we now know its not my pc. Is it?

 

Oh and another thing i have done a complete system restore and cant remember hopw to stop those flaming annoying pop ups. Cheers, oh by the way the speed is up to 31 kbps. Is that acceptable or shall i ring em again?

 

If you did a System Restore everything we have done is pretty much a waste of time because you most likely brought all of your problems back.

About the dialup connection, depending on how far you are from the server depends on your connection. Your speed will vary in every place you connect from. If your happy with it I wouldnt worry about it, if its still slow then I would ring them back.

 

Noooo, i mean a factory reset. And how can i stop these silly silver boxes coming up saying i have 47 critical errors etc etc and to go to a site that will sell me some protection?

 

If you getting pop-ups then you need a pop-up blocker, have you installed SP2? If not, this has a pop-up blocker integrated in it, set it to medium and you will be ok.