win32.bho.je trojan

win32.bho.je
Got this from somewhere. Spybot S&D wont get rid of it even on reboot.
Ad aware doesnt do anything
It seems to have knocked out AVG too as AVG no longer loads on startup, tho I can still run it from its icon

Any help gratefully received

 

Hi garglesand,
Welcome to Major Geeks!

Please follow the instructions in the READ & RUN ME FIRST and attach the requested logs so we can help you.

Thanks.
abri

 

ok I did the House Cleaning & Setup

then


# SUPERAntiSpyware: ran this with no problems


# SpyBot - Search & Destroy: would not update so i did manually. But on restarting pc it went to BSOD and spybot did not continue.


# Malwarebytes Anti-Malware: This would not run, gave this error

Problem encountered with interbet connection (ARM1054,12029)


# combofix.exe : ran it exactly as stated and got a log


# MGtools.exe : Would not run, gave error:

c:\windows\system32\cmd.exe
c:\windows\system32\autoexec.nt The system dile is not suitable for running MS-DOS applications


On reboot my AVG is not starting. But will when I start it from start menu

 

Hi garglesand,

Which error are you getting with the MGTools?

Also, I see you have Spybot's Teatimer. Please make sure this is disabled. You can right-click on the icon in the taskbar and look for the option to change the resident status or you can go into the program itself, make sure mode is set to advanced, check the tools option on the left, then the red and white resident shield and in the middle of the page you'll see a box where you can enable or disable Teatimer. Please be sure it is disabled.

abri

 

Sorry I thought i'd unchecked teatimer when i reinstalled
Anyway its off now.

I reran combofix and MGTools, logs attatched

The error i was getting was a xp window saying:

c:\windows\system32\cmd.exe
c:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS applications

but I just continually hit close this time, each time it appeared


Also getting

'Error loading C:\windows\system32\nvcpl.dll
A dynamic link library initialization routine failed'

on every reboot and AVG does not auto start

Thanks

 

Yes, sorry about that. I'm an idiot!
Been a little short of time around here and missed that bit lower down page


new log attatched

Thanks for help

 

Hi garglesand,

I'm finding some malware files that need to be removed from your computer. I would like to try and get them all at once and in order to do this, I need for you to put your computer into normal startup mode. To do this, please go to Start/Run and type in msconfig and click on ok. In the window that opens up click on the box next to Normal Startup, click on accept and ok. After you do this, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

Thanks.
abri

 

Ok done.


Thanks.

 

Hi garglesand,


You have a lot of zip files in your Windows directory. Did you put them there? If so, please create a folder for them in My Documents and move them there. If you don't want them, I'll have you delete them. They are the following:

C:\WINDOWS\system32\REN5A.tmp
C:\WINDOWS\system32\REN59.tmp
C:\WINDOWS\system32\zrqqxvne.dat
C:\WINDOWS\system32\cbXNFwXR.dll
C:\WINDOWS\raaku.exe.zip
C:\WINDOWS\prijden.exe.zip
C:\WINDOWS\nuno.borreicho.exe.zip
C:\WINDOWS\icemd.exe.zip
C:\WINDOWS\generalbart.exe.zip
C:\WINDOWS\fibreshells.exe.zip
C:\WINDOWS\celtcavalier.exe.zip
C:\WINDOWS\cymru_ambyth.exe.zip
C:\WINDOWS\delirium_trigger53.exe.zip
C:\WINDOWS\andrew.ryanar.exe.zip
C:\WINDOWS\andrew.roden.exe.zip
C:\WINDOWS\bigbird_pino.exe.zip

abri

 

Ok, deleted files.

Those exe.zip files were from an MSN spam thing. Didn't realize they had actually saved to PC though.

 

Hi garglesand,

Okay, first a question.

Is this a program you want installed? If not, go to add/remove programs and uninstall it.
PornBot Shareware 1.05

And now continue as follows:

1) Please disable your guest account if this has not already been done.

2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {444f14df-73e6-4c37-9aa3-ca4e6944818b} - C:\WINDOWS\system32\cbXNFwXR.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sygate Personal Firewall] sysgut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [blah service] internet.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunServices: [blah service] internet.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] sysgut.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
O20 - Winlogon Notify: rqrlefew - rqRLefEW.dll (file missing)
C:\WINDOWS\system32\rqRLefEW.dll_old

After you click fix, just close hijackthis.

3) Download and install Erunt. Use it to create a backup of your registry.

4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

5) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

6) Now run CCleaner at the default setting with the Windows tab as the top one.


7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

OK done.

AVG still not starting on startup
Do I need to reinstall it?

cheers

 

Hi garglesand,

Yes. Uninstall AVG completely, including the settings option and the quarantine bin. Then reinstall it and see if it starts up properly. Let me know if this works.

Your startup is quite messy because you've been running it in either diagnostic or selective mode. Please keep it in normal startup mode at all times. Otherwise, when you uninstall programs, the uninstall doesn't pick up the items which have been turned off in the startup. Please do the following:

1) Download and install Erunt. Use it to create a backup of your registry.

2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Let me know if you get a success message after you run this.

abri

 

ok, AVG is running fine again

I ran the fixME.reg with no problems and got a success message

Left machine in normal startup now, going through unwanted programs to stop them starting at windows start, rather than just unticking them in msconfig

 

Hi garglesand,

That is good news!

I should look at your MGlogs one last time to make sure the registry patch did what it was supposed to do, so if you could run the GetLogs.bat by double-clicking on it and posting the logs, I will look at them. The GetLogs.bat is in the MGTools folder under C and the MGlogs.zip can be found directly under C.

After that I will post the final cleanup instructions to you.


abri

 

OK

Here's attachment.

Thanks

 

Hi garglesand,

The second to last set of logs you produced and attached to post 7 were complete, but those with this most recent post were missing two of the scans. There are still some files which need to be removed. Please do the following and then I will explain what to do about getting a complete set of logs.


1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe

After you click fix, just close hijackthis.


2) Now run The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

3) Now run CCleaner at the default setting with the Windows tab as the top one.

4) Please see if Combofix will run now.

5) After you do that, please try running the MGTools again. Be sure to wait until you get the message to hit and key to close the window and produce the logs. If they still don't produce 5 logs (look directly under C:\ for the file called MGlogs.zip), then go to the XP Cleaning Instructions and reinstall the MGTools as per the instructions and allow them to overwrite the old tools. Then see if you can run them and get a complete set of logs.

6) Attach any logs you get which should include the Avenger log, Combofix log and the MGlogs.zip.

Let me know how things are going?

abri

 

Ok, new logs attached.

Thanks

 

Hi garglesand,

There's one driver that didn't get out. Please run Avenger as you did in Post 18, Step 2, only this time use the contents of this box:

After you run Avenger, please check the Avenger log to make sure it got deleted. If it did, I don't see anything further in your logs and if you're not having any other problems, you can continue on with the final cleanup instructions in the box below:

abri

 

ok Log reports this:

1st bit says deleted, next bit says it cant find it?

 

Hi garglesand,
Yes, that's probably good. If you go to C:\WINDOWS\system32\drivers\pxark.sys
you should be able to see if it's there or not.

If that's gone, go ahead with the final cleanup instructions in post 20 if you haven't already done them. It will be important to set a clean restore point as per the instructions and I recommend reading through the How to Protect Yourself from Malware and picking up Spyware Blaster and doing the immunization feature of Spybot. They're both described in that article.

abri

 

I have a problem setting a new restore point

The option does not come up when i right click my computer

I think the problem may come from the last virus i had about 18months ago, which messed up my main admin account. I just deactivated that account and made another admin account but now everytime my pc starts up after the 'Windows is starting up' screen i get the error message window: Your account has been disabled. Please see your system admin. OK

pressing ok takes me to the profile selection screen

I did spend a while looking into this problem originally to no avail

in the User Accounts screen it says that my current account is admin plus theres also a disabled guest account there. The problemm of the system restore tab not appearing seems to be because im not admin account?

I realise this is not part of my original problem, but do you know of anyway to restore my original main account?

Other than this problem, everything is working well
Thank you very much for your time and experience, sorry for the drawn out time between responses but as I said I've been a little busy lately.

Cheers

Garg

 

Hi garglesand,
If you boot up into safe mode by clicking on the F8 key during the bootup sequence and then choosing Safe Mode when you get the different options, what names appear on the welcome page where you select which user you want to use? When you right click on My Computer and then left click on properties, is the tab for system restore missing?
abri

 

Only the one profile appears. Jeremy

No there is no System restore tab when right clicking

 

Yep, that worked.

Thanks again for your help.

Cheers, all running fine again now

 

That's good news!
Thanks TimW!

Enjoy your computer, garglesand!