Items keep reappearing on Reboot and Slowing PC - Hijack this and Combo Fix attached

I tried to have a look at my friend's PC as it was running very slow with the CPU running at 100% and she couldn't get onto the internet or use any of her applications.

We googled a few items on my PC and could see that these seemed to be causing part of the problem.

She had Virgin Media's PC guard installed which now wouldn't work properly so we tried to reinstall it but it could not be registered - it would not accept their password so we uninstalled it and downloaded and installed Avast anti-virus and Adaware Antispyware which we ran and deleted a whole load of items.

When these had run and she rebooted, the first time worked fine, but when she restarted it the next time it started slowing down again.

When we look at the startup items on the System Configuration, two items keep reoccurring which we have no idea how to get rid of. They are:

startup item : arujahiga
command : rundll32.exe "C:\Windows\arujahiga.dll",e

startup item: Oqanadosexa
command : rundll32.exe "C:\Windows\oqanadosexa.dll",e

startup item : services
command: c:\windows\services.exe

If we untick these boxes the next time the PC starts it seems to work okay but if we reboot they automatically relaunch.

We have re-run Avast and Adaware and they don't find anything.

Any help would be much appreciated


However now when we reboot some items keep reappearing on her

Comments

  • Jay08
    Jay08 Posts: 54 Forumite
    Did you remove them from msconfig, start up tab?
  • Jay08
    Jay08 Posts: 54 Forumite
    Those two .dlls look like viruses to me. I did a search for them and they are not showing up on Google, which is not a good sign. Most .dlls are on the net somewhere and they explain what they are used for.
  • Anic
    Anic Posts: 845 Forumite
    Part of the Furniture Combo Breaker
    Jay08 wrote: »
    Did you remove them from msconfig, start up tab?

    I don't know how to "remove" them - I unticked them but when you reboot they appear again ticked (with the unticked versions further down the list)
  • Anic
    Anic Posts: 845 Forumite
    Part of the Furniture Combo Breaker
    Jay08 wrote: »
    Those two .dlls look like viruses to me. I did a search for them and they are not showing up on Google, which is not a good sign. Most .dlls are on the net somewhere and they explain what they are used for.

    That's what worried me - I couldn't find them either and they didn't disappear we performed an online scan or Avast antivirus and Adaware.

    We also installed spybot S&D and ran CCleaner too.

    I don't know what to do next.
  • Jay08
    Jay08 Posts: 54 Forumite
    Have you got Zone Alarm which has the Virus system built in? You can download a 15-day trial from their site and run that and see if it picks up anything.

    The other thing you could do is backup the important files and reinstall windows, nothing beats this. Your system is fully cleaned. If you go down this method please install something like Zone Alarm first before you plug the network cable into the machine.
  • Browntoa
    Browntoa Posts: 49,617 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    The infection is reinstalling at boot.

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
    Ex forum ambassador

    Long term forum member
  • Anic
    Anic Posts: 845 Forumite
    Part of the Furniture Combo Breaker
    Thanks. We'll try that and let you know how we get on.

    Unfortunately she has to go out now and I won't be able to help her until Tuesday - Is it okay if I post back then
  • Browntoa
    Browntoa Posts: 49,617 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Yes, no problem, they definitely look like spyware.
    Ex forum ambassador

    Long term forum member
  • Anic
    Anic Posts: 845 Forumite
    Part of the Furniture Combo Breaker
    Hiya

    Below is our log from MBAM.

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 3
    17/02/2009 18:17:51
    mbam-log-2009-02-17 (18-17-51).txt
    Scan type: Quick Scan
    Objects scanned: 97718
    Time elapsed: 35 minute(s), 40 second(s)
    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 2
    Registry Data Items Infected: 3
    Folders Infected: 4
    Files Infected: 17
    Memory Processes Infected:
    C:\WINDOWS\services.exe (Backdoor.ProRat) -> Unloaded process successfully.
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf4552-94f1-42bd-f434-3604812c807d} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    C:\Documents and Settings\john\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\john\Application Data\VideoEgg\Publisher (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\john\Application Data\VideoEgg\Publisher\4115 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Start Menu\Programs\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    Files Infected:
    C:\Documents and Settings\Anne\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Desktop\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Application Data\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\TDSSosvn.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wpv291233948299.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wini10801.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Anne\Local Settings\Temp\wrdwn9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.


    It certainly looks as though it has deleted a lot of things I am just about to reboot - so fingers crossed all goes okay.

    I'll let you know
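
A cross-check of the startup items from the first post against the MBAM log above, as an added example that is not part of the original thread. The log excerpt is copied from the post; the function names are illustrative.

```python
import re
from pathlib import PureWindowsPath

# Startup entries as reported in the first post (msconfig "command" column).
STARTUP_COMMANDS = [
    r'rundll32.exe "C:\Windows\arujahiga.dll",e',
    r'rundll32.exe "C:\Windows\oqanadosexa.dll",e',
    r'c:\windows\services.exe',
]

# Excerpt of the MBAM log posted above (lines copied from the thread).
MBAM_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\services.exe (Backdoor.ProRat) -> Unloaded process successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# "<object> (<detection label>) -> <action taken>"
ENTRY = re.compile(r"^(?P<object>.+?) \((?P<label>[\w.]+)\) -> (?P<action>.+)$")

def parse_log(text):
    """Return {section: [(object, label, action), ...]} from an MBAM text log."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):      # section header, not a summary count
            current = line[:-1]
            sections[current] = []
        elif current and (m := ENTRY.match(line)):
            sections[current].append((m["object"], m["label"], m["action"]))
    return sections

def startup_target(command):
    """File a startup command loads: the quoted DLL for rundll32, else the exe."""
    quoted = re.search(r'"([^"]+)"', command)
    path = quoted.group(1) if quoted else command.split(",")[0].strip()
    return str(PureWindowsPath(path)).lower()

def unaccounted_startup(commands, log_text):
    """Startup targets that no 'Files Infected' line in the log mentions."""
    files = parse_log(log_text).get("Files Infected", [])
    handled = {str(PureWindowsPath(obj)).lower() for obj, _, _ in files}
    return [t for t in map(startup_target, commands) if t not in handled]

if __name__ == "__main__":
    for target in unaccounted_startup(STARTUP_COMMANDS, MBAM_LOG):
        print("not covered by the scan log:", target)
```

Run against the full log, the result is the same: `services.exe` and its Run value were removed, while neither rundll32 DLL appears anywhere in the log, so those two startup entries are the ones to recheck after the reboot.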
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Download HIJACK THIS (Top right)
    http://www.filehippo.com/download_hijackthis/
    reboot
    SCAN and post the log so we can see what's running :)
    :idea:
This discussion has been closed.