Spyware stopping me from installing any software to fix it and stopping me from getting to technical URLS

Try using:

  1. Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  2. Dr. Web Anti-Virus
http://www.freedrweb.com/

When using Combofix, show us the logfile.

Also check to make sure that (BITS) path to executable is correct.
Start > Run > type in:

services.msc

Highlight on "Background Intelligent Transfer Service" rightclick and click on properties and check to make sure that the "Path to excutable" points to --> C:\WINDOWS\system32\svchost.exe -k

Making sure that it's "S" on System32 and not "F" for Fystem32.
Let us know if it is not correct and we'll change it.

rpggamergirl: I checked the BITS and it is fine only difference is path ends with a space then netsvcs

JeremySBrown:  Tried Dr web it found one item but did not clear up anything, your combofix link is the instructions which will be very helpful if only i could find wher to download.

Does anyone have a liink to download CmboFix everything I have is a dead end

awawada:  I will start on your list soon.


It appears that all programs are working except , internet access to website mentioned above, system restore, and virus/malware programs will not update. I uninstalled AVG since it was giving Outlook plug in error issues. Defender is running but can not update, I took the updates from my system.

I have vaction next week and will be away from Computers the whole week so I can not remote access, I can hardly wait!!!  I do ahve backup person but his confidence with these things is not high, he is a format and start over guy. I like the challange in a way. Anyway I will attack it after that, if not fixed today.

Thanks you for your help.

muerte33:
I did try http://www.superantispyware.com/ and it only found 1 item

BITS is okay then, thanks for checking it.

Here's a Combofix.exe link and also intructions if needed.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



More Combofix download mirrors if needed:
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

@ssaver - On the following link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

HI
Here is the combo fix log.
Odd thing when I rebooted, a short time after ( maybe 4 minutes) he called me and the virus was back.
He ahd not gone anywhere but di have his Ipod attached.
I am running spydoctor on it now to clean it up.

Now I can't get rid of the darn system security 2009
I can't find wqhere is is hiding itself and there is no icon this time.
Comes back everytime I reboot
I am running spyware doctor in safe mode now.
Figure alwasy when your ging on vaaction

I went into msconfig and found where the bugger was, at least I stopped that , still can't get rid of the hijackers or other symptoms.

Hello,

You ran ComboFix in 'reduced functionality mode'. Did you download a fresh copy and run it? Or you got an old version and ran that?

Download the Dr Web CureIt Live CD from: http://www.freedrweb.com/livecd/ and burn it as an image on a CD. Then boot your PC from this CD and run the scanner, that should delete the rootkit files automatically and allow you to run other scanners properly then. The current scanners that you've downloaded are running from within Windows. The Live CD will not load Windows and hence, skip the rootkit completely in this case.

The line that makes it obvious that you have an infection is this -
 "imagepath"="\systemroot\system32\drivers\hjgruikrbjmvqa.sys"

Hope it helps.

I like to create an Ultimate Boot CD for windows on a clean PC.
http://www.ubcd4win.com/
It contains antivir and several anti-spyware tools.
The great thing about it is you boot clean and it runs the tools against a drive you did not boot off of.
This is one of the best 45 minutes you will ever spend (building this boot disk).

Your combofix is an older version, run this script below and if it doesn't solved the problem then download the latest version.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste all the text/characters between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\lich.exe
C:\Windows\system32\drivers\hjgruikrbjmvqa.sys
c:\windows\system32\drivers\bd2d1376.sys
C:\tajcyg.exe
C:\jwymywn.exe
C:\lfnbft.exe

FileLook::
c:\documents and settings\Jason Peluso.GADKSHF1-JP\Jason Peluso.GADKSHF1-JP.exe

DirLook::
c:\windows\System Volume Information
C:\1854840081

Driver::
lich
bd2d1376
cerc6

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitueucckg]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Sorry I am on vacation  and only got access today but only for 15 minutes so I will not have time to log on and try anything.
I do return on Monday thanks for being patient with me.

It's okay....  I'll be away for the whole weekend and should be back Monday afternoon.
But many Experts will be here to reply to you.

Ok I am back from vacation.
1st odd but none of the links above went to a downloadable link, either they did not have anymore of the links got can not display. If I gave a FTP site could someone post to it. I am not real comfortable with this option but can always delete the FTP after I get the file.

rpggamergirl: I will try your first and see what results
warturtle: I downloaded your suggestion and will try, will let you know
muerte33: I will do your suggestion after, will be good for future events anyway.
Now this system is a graphic designers and he is rendering a project with a deadline (remember all programs except virus/malware like) are working. He is up against a deadline so I have to wait until that is done. Perhaps tomorrow.
Sorry for the delay but I really appreciate the help.

The older Combofix version should still process the script and remove those bad entries, if not let us know and I'll give you the link via PD.
Please also attach the combofix log when done.

ssaver - you might want to try...if you haven't already...XoftSpySE Anti-Spyware.
http://www.paretologic.com/products/xoftspyse/index.aspx

rpggamergirl:
I tried the scrpt and it wanted to update but could not, I was unsure if I should run in 'reduced functionality mode:. Unfortunaltely I have not been sucessful in downloading a newer version using any of the links above or that we ahve found here.

warturtle:
I am running the scan now. It is finding alot of things but some seem to be real do i need to be very careful about what I clean?  
What I mean is there are a lot of paths such as dell/drivers/R175891/WDM/RTLCPL.exe and other real programs on the system    I know that is Real Tech. Note that these most have tag at end saying infected with the win32.Virut.56

I think I know the answer which would be checking list carefully and do not get rid of anything that looks real but just want confirmation. If I clean everything
 Thanks

Wow, there have been a lot of threads with Virut infections recently, it must be quite widespread then. It would be a good idea to format and re-install the Operating System and other applications. Virut will infect .exe, .scr, .asp, .htm, .html (and possibly others as well) and it would be easier to reinstall the OS than to look for the infected files and then replace them one-by-one.

That would be my suggestion.

With virut some scanners delete files without cleaning the registry and may render the pc unbootable.

Go to the link below and see if you can access this Combofix link there.. follow the instructions.
http://www.experts-exchange.com/Community_Support/Hidden/Private_Discussions/Q_24455711.html

rpggamergirl:
tried the link no luck, I could donwload the file but when it tried to download COMBOFIX  it failed
I tried on two machines and tried both downloads.

Then I had to take my son to get his woisdom teeth pulled.
will try other suggestions later.

<<<"I tried the scrpt and it wanted to update but could not, I was unsure if I should run in 'reduced functionality mode:">>>

Just run it in that mode..... only the autofixing is disabled but the script will still be run and delete what's in it.

Did you run the LiveCD that warturtle was suggesting?
For virut I would opt for a reformat... if you have time also check out virut options here:
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti_Spyware/Virut-Malware-continues-to-evolve.html


I hope your son won't be in too much pain.

Ok i will try in in that mode and see what results I get

YesI ran LIVECD that found so many that is what found the Virut.56
 YOu both suggested the romat at this point
I will try the script and see waht happen if no try the format and reinstall.

Question for you both, If the do run the LIVeCD and blindly let it fix everything it finds, if it renders the system unbootable can not not then just boot to CD and reinstall/ Repair OS at least in theory he would not loose his files but would he have to reload all programs.

rpggamergirl:
I ran the script agian attached is the log, rebooted the system but still can not connect to Microsoftsite etc.

Another thing I notice is that it has been asking him for password at login and he swears that it never did before. I thuoght it was set up to be that way but I did not build set up this last system and that person is gone.

You can backup all the safe documents (word, excel. powerpoint) using Knoppix (www.knoppix.org). Its a linux live CD that can access your hard drive and you can drag and drop files from your hard-disk into an external USB drive. After that you can format and re-install the OS. Burn the ISO as an image and boot your PC from it.

A repair should ideally work, but a re-format would be more assuring. After running a repair, you still might have to re-install all other non-Windows applications again (the affected ones).

Thanks Warturtle, will download

If you're not reformatting yet, then do these below:

c:\documents and settings\Jason Peluso.GADKSHF1-JP\Jason Peluso.GADKSHF1-JP.exe
Do you know that above executable?
If not... then delete it(include it in the script)


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\hjgruiswyvnrid.dat
c:\windows\system32\hjgruiqqfnlnos.dll
C:\ptmlkq.exe
c:\windows\system32\hjgruikvnpialc.dat
c:\windows\system32\drivers\HJGRUIKRBJMVQA.SYS.del
c:\windows\system32\hjgruitogodpii.dll
c:\documents and settings\Jason Peluso.GADKSHF1-JP\Jason Peluso.GADKSHF1-JP.exe

Folder::
c:\windows\System Volume Information
C:\1854840081

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



Also Download GMER:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fwww.gmer.net%2Ffiles.php

Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Oddly enough I have not formated yet, his regular programs are working fine and he had some deadlines with a lot of rendering to do.

rpggamergirl: Ran the script it did not delete anything but the folders so i deleted manually, when system rebooted it came up with install windows radio + tv supports icon in task bar. I said no but it was probaly going to do wahte ver it wanted anyway. Now the internet gets hijacked. Also it will not show me system32 and other folders/files unless I manually type in the address even thought the settings are all correct.

I am running GMER now will post the scan results when completed.

Warturtle: I did not fogotten your suggestion, actualy I kind of did when user had to do some rendering but will try it after.

I feel that whatever this is it renames itself anytime we get close.

Can you please show us the combofix log, it might tell us why it failed to delete(assuming the files were really there).

Yes, the Gmer log would help us.

Can you also run RootRepeal? as some CLB rootkit infection that shows up in Gmer, the driver doesn't show up and it shows up in RR.(this is a variant of CLB rootkit)

Download RootRepeal.zip and unzip it to your Desktop.
http://rootrepeal.googlepages.com/RootRepeal.zip

   * Double click RootRepeal.exe to start the program
   * Click on the Report tab at the bottom of the program window
   * Click the Scan button
   * In the Select Scan dialog, check:
         o Drivers
         o Files
         o Processes
         o SSDT
         o Stealth Objects
         o Hidden Services

   * Click the OK button
   * In the next dialog, select all drives showing
   * Click OK to start the scan

         Note: The scan can take some time. DO NOT run any other programs while the scan is running

   * When the scan is complete, the Save Report button will become available
   * Click this and save the report to your Desktop as RootRepeal.txt
   * Go to File, then Exit to close the program

On GMER how do I capture the scan where does it copy? I did scan but when it was complete there was no option to save or copy when completed.

Here is the cobofix log from 7-20 and one from today 7-21

Some bad files are showing in the combofix log, but why is it that those 2 logs are from an old version that was released in 2006?
While the first Combofix log you posted is January 2009?

Anyway all versions of Combofix installed in that system are all outdated and it's risky to run an outdated CF file.
Please delete all versions and download the latest one.


Regarding Gmer, did you do this:
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Ok I will download the lastest version at home and bring in for some reason my firewall and i can;t find where is blocking my downloading combofix.

Anyway i thought I was using the latest version.I wills tart fresh

GMRER yes i did it but when done there is no option to copy the button was gone when scan completed.

rpggamergirl: downloaded new version but it will not run says it ahs been compromised by a  Virut virus.

At this point I am frustrated and beleive I will go the format the drive route and start fresh unless you all ahve other ideas.

although we tried everyting nothing seemed to work so we format.
I want to thank you all for your support