
Can't Beat the Virus/Trojan H-E-L-P

Discussion in 'Malware Removal' started by kshapi, Dec 28, 2004.

  1. kshapi

    kshapi Private E-2

    Hey MG, I have followed your guided tour and instructions for removing Trojans, adware, viruses etc. and almost have my system (WIN XP) back to normal, but I need your help to get rid of the last buggers. I have attempted to religiously follow chaslang's teachings..but alas I am WAY out of my league....see below.

    I started with the problem about 4 days ago..total system meltdown through infections....all at one time. I had multiple Dialers installed, several Trojans, WWW.CoolWebSearch infestation, DSOExploit, common hijackers, 200+ hits from AdAware, loss of control of the recycle bin and multiple IEXPLORE.exe running hidden in the Task Manager, about:Blank (I think) + the list goes on and on.

    I have read the Tutorial Sticky: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting and

    After going through all of the steps outlined I have gotten rid of most of the obvious problems, having removed Trojans, adware, WWW.CoolWebSearch etc..... I took it a step further and analyzed my HIJACKTHIS file (both in and out of SAFE MODE); however I am still having some problems. Trend On-Line's scan found the TROJ_NARRATOR.A virus and could not remove it.

    Tonight I did the following to be double sure I covered all bases:

    1)Computer NOT in Safe mode: Restore Disabled, Hidden Files Showing.
    • AD-Aware w/ VX2 plug-in
    • CC cleaner
    • SpyBot S&D w/ DSO exploit fix
    • SpyWare Blaster
    • McAfee Stinger
    • CW Shredder
    • Kill2Me
    • About Buster
    • HS Remove
    • ADS SPY
    • Spy Sweeper
    • Trojan Hunter
    • Trojan Remover
    • Upgraded Windows Service Pack V2 for XP
    • Installed Sygate Firewall

    Notable results for the above scans:
    SpySweeper: removed 2nd Thought Trojan, 8 ADware files and 1 System monitor file
    Trojan Hunter: found one possible Trojan
    AD-Aware: found 5 objects...previously found none after my previous cleanings.
    HSRemove: removed 8 items.

    ALL OTHER SCANS resulted in nothing.

    2) Computer IN Safe mode: Restore Disabled, Hidden Files Showing.
    -Repeated all of the above steps and seemed to be able to remove the above trojan.
    -Reviewed HIJACKTHIS scan results and removed one each R0 and R3 lines as well as several O4 xxxxx.exe files

    Previous scans in days prior I had several Winsock hijacks that seem to now be gone.

    Computer now back in normal operating mode(not SAFE)

    Currently this is what I am experiencing:
    -Multiple iexplorer.exe Tasks running with no windows open
    -Firewall indicating NDISuio.sys repeatedly trying to connect to Internet
    -firewall indicating iexplorer.exe trying to connect to internet (note: no browser windows open)
    -Deleted files not accessible in recycle bin


    I am weary and bleary-eyed having put in about 25 hours in the past 4 days to try to get my system back.......can you help?

    I can re-run any scan and post the logs if necessary, please advise and HUGE THANKS for providing the information to get me to where I am right now.

    kendall
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Kendall,

    Sounds like you have learned a lot and made quite a bit of progress. Let's continue.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. kshapi

    kshapi Private E-2

    Hi chaslang,

    OK back to it....I am home and can start to work on this bugger. I rebooted my computer to start from scratch. Got a Dr Watson's Error(never had that before) and my free Sygate Firewall failed to load. It also won't load when I try to start with the .exe file.

    I closed 7 (hidden) copies of iexplorer.exe from the Task Manager closed all open windows and ran HIJACKTHIS. I have attached the Logfile. Let's get this party started :)
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please clarify your current problems. I do not see any iexplorer.exe processes running.

    Did you keep backups from what you fix with HJT? Are you sure you did not delete something for your Sygate firewall?

    Bigger question/potential problem:
    - WinXP SP2 has a built-in firewall
    - Norton Internet Security Suite (which I believe you have) also has a firewall
    - you say you also have Sygate firewall

    You must only have one software firewall installed on your system.


    These two lines can be fixed with HijackThis
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)

    Do you know what this below Service is for:
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
     
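    The O9 and O23 lines quoted above are typical of what has to be triaged in a HijackThis log: an entry whose target is marked "(file missing)" is dead weight that can be fixed outright, while an entry pointing at a live executable in an unusual location deserves a look before anything is removed. The following is an added example, not part of the thread and not HijackThis code: it parses HJT-style lines (the two O9 lines and the O23 line are taken from the post; the O4 lines, the Temp-folder path and the "trusted prefix" list are constructed assumptions) and sorts them into fix / inspect / ok buckets on that basis. It is a path heuristic only, not a verdict on any particular program.

```python
import re

# Constructed sample in the shape of a HijackThis 1.99 log. The O9 and O23
# lines are the ones quoted in the thread; the two O4 lines are added here
# for contrast (the Temp-folder entry is a constructed suspicious one).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [winupd] C:\DOCUME~1\USER\LOCALS~1\Temp\winupd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
"""

# HJT lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a binary extension; quotes are optional.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|com))"?', re.IGNORECASE
)
# Assumption: binaries normally live under these two trees on this XP box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def parse_hjt(text):
    """Return one dict per recognised HJT line: code, body, path, file_missing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "path": pm.group("path") if pm else None,
            "file_missing": "(file missing)" in body,
        })
    return entries

def triage(entries):
    """Bucket entries: 'fix' (referenced file is gone, so the entry is dead
    weight), 'inspect' (executable outside the trusted prefixes or inside a
    Temp folder), 'ok' (everything else; still not proof of anything)."""
    buckets = {"fix": [], "inspect": [], "ok": []}
    for e in entries:
        p = (e["path"] or "").lower()
        if e["file_missing"]:
            buckets["fix"].append(e)
        elif p and (not p.startswith(TRUSTED_PREFIXES) or "\\temp\\" in p):
            buckets["inspect"].append(e)
        else:
            buckets["ok"].append(e)
    return buckets

if __name__ == "__main__":
    for bucket, items in triage(parse_hjt(SAMPLE_HJT)).items():
        for e in items:
            print(f"{bucket:8} {e['code']}: {e['path']}")
```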
  5. kshapi

    kshapi Private E-2

    Current Problems:
    • multiple iexplorer.exe processes running in Task Manager
    • Firewall continually blocking unprompted iexplorer.exe attempts to connect to internet
    • Firewall blocking generic svchst.exe from connecting to internet
    • firewall blocking NDIS from connecting to internet
    • Recycle bin not allowing me to see deleted files
    • Firewall notification "program NT kernel and system.....NTOSKRNL.exe" trying to connect to internet

    Answers to your Q's:
    I kept paper copies and logfiles from all recent HJT scans.

    Sygate Firewall started up with no problems when I reconnected my computer to the internet and rebooted

    Firewall issue:
    - WinXP SP2 has a built-in firewall: I elected not to enable it because I had Sygate running
    - Norton Internet Security Suite (which I believe you have) also has a firewall: Yes, does not block nearly as much as Sygate. I have Norton Systemworks 2004 installed
    - you say you also have Sygate firewall: YES - currently operating

    You must only have one software firewall installed on your system.

    What are your recommendations for only one firewall? I would like to keep some of the functionality of the Norton Package and am not sure if I can selectively not use their virus or firewall programs?? Can we tackle this after removing the bad stuff?


    I fixed the following with HijackThis Per your recommendation:
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)

    I did not know what this below Service is for....cleaned it out w/ HJT as well:
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe


    Upon reboot, I am still experiencing the firewall block all of the same items trying to connect to the internet. Multiple iexplorer.exe processes running in Task Manager.

    I ran another HJT scan and have attached it. Shall I redo this in SAFE mode?

    thanks for the continued support!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are no iexplorer.exe processes showing in your HJT process list. Look at it yourself.

    Try downloading and running ProcessExplorer from: ProcessExplorer for Win NT/2K/XP

    Does it show any iexplorer.exe processes running?

    Did you look into disabling Norton's firewall? I don't have it so it would be difficult for me to explain anything about it. Check your documentation, call Symantec, or post a question in the Software Forum on how to do that.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it really saying svchst.exe or was it svchost.exe?

    Firewall blocking generic svchst.exe from connecting to internet
    svchost.exe running from c:\windows\system32 is a valid windows process that you can allow access to the internet
     
    Last edited: Dec 28, 2004
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Does your firewall give a filename for ---> blocking NDIS from connecting to internet

    - ntoskrnl.exe is a valid windows program but I doubt it requires internet access. Just deny it and always use that setting.
     
  9. kshapi

    kshapi Private E-2

    I think I now know what is confusing you. When reading the tutorial for HJT I believe I interpreted "close all programs including IE web browsers" as I needed to make sure to close all IE...and I closed all of them in the Task Manager as well...that is why they are not showing up I would assume.

    Running Process Explorer shows 4 current iexplore.exe's running

    Looking into disabling Norton Firewall......may take some time.

    sorry for the above confusion on the iexplore.exe

    Just saw your other 2 posts.....
    Is it really saying svchst.exe or was it svchost.exe? My typo, it was svchost.exe

    Looked in the Firewall process listing...the NDIS filename is as follows:

    C:\WINDOWS\system32\DRIVERS\ndisuio.sys

    next steps???

    thanks for the patience:)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ndisuio.sys is a process belonging to the NDIS User Mode I/O (NDISUIO) NDIS protocol driver which offers support for wireless devices such as Bluetooth and the like. This program is important for the stable and secure running of your computer and should not be terminated. I don't know if it needs internet access. Just deny it and tell your firewall to always use that setting.

    I would allow svchost.exe access to the internet and always use that setting.

    Okay so now you say "Running Process Explorer shows 4 current iexplore.exe's running"
    Is that with no Internet Explorer browsers actually open!

    Try rebooting your system and run absolutely (don't run TaskManager or anything else) nothing but HJT and immediately get a log. Now come here and post that log.

    If you can close them, I would expect that they are actually real IE sessions. There have been cases of IE showing up in the process list and none showed on the screen but they could not be closed. That was malware.
     
  11. kshapi

    kshapi Private E-2

    Ok, rebooted and ran HJT. Log attached.

    In the short time I rebooted and got to this site, I had about 15 different firewall blocks of iexplorer.exe trying to connect to various websites...mostly sites were completely random..probably ADWARE. I can barely type this without having to deny access to a different site every 10 seconds. It is completely out of control...worse than ever!! Ahhhhhhh!
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you get any popups at all!
    What are the websites that it is trying to connect to?

    Run CCleaner and just the cleaner (do not scan or fix any issues with it)?

    Also Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  13. kshapi

    kshapi Private E-2

    No popups at all are coming up.

    Websites that the computer is trying to connect to are as follows, per the Sygate Firewall Log:

    www.thalessecurities.com
    www.pay-ace.com
    jimsfloors.com
    www.great-hyip.com
    www.e-gold.com
    .e-gold.times.lv
    www.cloudwrangler.com
    www.owlcam.com
    httpcode.com
    www.saunalahti.fi
    cajconnections.com
    www.zonezero.com
    www.abcgallery.com
    www.comersus.com
    www.buildwebsite4u.com
    laughingsquid.net
    www.stopdesign.com
    www.google.com
    shellwindows.com
    www.microsoft.com
    www.trendmicro.com

    several instances of each attempt were found in the log.



    I ran CC Cleaner but did not see options for "not scanning or fixing issues"...my only option seemed to be "Run Cleaner" so I did that.


    Reset the web settings and followed the steps you outlined including home page re-assignment.

    Now what shall we try? I really appreciate all the help!!! :)
     
  14. kshapi

    kshapi Private E-2

    In addition.....

    The Sygate log indicated the following description for each of the sites the computer tried to connect to:

    Application Hijacking has been detected
    The application: C:\WINDOWS\system32\rundll32.exe try to launch another application: C:\Program Files\Internet Explorer\iexplore.exe to go to remote host
    www.xxxx.com (please see list of sites "xxxx.com" in last post).

    So is the rundll32.exe the culprit? It can't be as easy as deleting it now can it???? :rolleyes:
     
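    The two posts above together contain the useful evidence: the list of destinations and the firewall's own description of who launched the browser. Worth keeping in mind when reading that message: rundll32.exe does nothing on its own; it loads the DLL named on its command line and calls an export, so the "application" the log names is the host process, and the DLL behind it is the real lead. The block below is an added example, not part of the thread and not Sygate code. It parses lines in the shape of the quoted "Application Hijacking" message (the sample lines are constructed; the three hostnames come from the list in the previous post, the explorer.exe line is a constructed benign launch for contrast, and the set of "expected launchers" is an assumption), groups the attempts by launching executable, and flags launchers that have no business starting the browser for the user.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the Sygate "Application Hijacking"
# message quoted in the thread. Hosts are from the list posted above; the
# explorer.exe line is a constructed, benign user-initiated launch.
SAMPLE_LOG = """\
Application Hijacking has been detected
The application: C:\\WINDOWS\\system32\\rundll32.exe try to launch another application: C:\\Program Files\\Internet Explorer\\iexplore.exe to go to remote host www.thalessecurities.com
Application Hijacking has been detected
The application: C:\\WINDOWS\\system32\\rundll32.exe try to launch another application: C:\\Program Files\\Internet Explorer\\iexplore.exe to go to remote host www.pay-ace.com
Application Hijacking has been detected
The application: C:\\WINDOWS\\system32\\rundll32.exe try to launch another application: C:\\Program Files\\Internet Explorer\\iexplore.exe to go to remote host www.thalessecurities.com
Application Hijacking has been detected
The application: C:\\WINDOWS\\explorer.exe try to launch another application: C:\\Program Files\\Internet Explorer\\iexplore.exe to go to remote host www.majorgeeks.com
"""

LINE_RE = re.compile(
    r"The application: (?P<parent>\S.*?) try to launch another application: "
    r"(?P<child>\S.*?) to go to remote host (?P<host>\S+)"
)

# Assumption: a browser started by the shell is the user clicking a link/icon.
EXPECTED_LAUNCHERS = {"explorer.exe"}

def parse_hijack_events(text):
    """Return a list of (parent, child, host) tuples, one per matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("parent"), m.group("child"), m.group("host")))
    return events

def summarize_launchers(events):
    """Group events by launching executable: {parent: {host: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for parent, _child, host in events:
        summary[parent][host] += 1
    return {p: dict(h) for p, h in summary.items()}

def suspicious_launchers(summary):
    """Launchers that are not expected to start a browser for the user.
    rundll32.exe lands here not because the binary is bad (the thread
    confirms it is the Microsoft one) but because it only executes the DLL
    export given on its command line: that DLL is what to hunt for."""
    flagged = {}
    for parent, hosts in summary.items():
        name = parent.rsplit("\\", 1)[-1].lower()
        if name not in EXPECTED_LAUNCHERS:
            flagged[parent] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    summary = summarize_launchers(parse_hijack_events(SAMPLE_LOG))
    for parent, hosts in suspicious_launchers(summary).items():
        print(f"{parent} launched the browser to {len(hosts)} distinct host(s): "
              f"{', '.join(hosts)}")
```

    With a real Sygate log the next step would be to pull rundll32.exe's full command line (Process Explorer shows it) to see which DLL it was hosting.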
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    c:\windows\system32\rundll32.exe is a valid, necessary Windows program, unless overwritten by malware. Right click on it and get Properties, Version info. Make sure it is a Microsoft application.

    But check for this
    c:\cmd.exe - if found delete it.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was saying not to click the Issues tab (not very clearly). I only wanted you to run the cleaner and that's done.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look at this:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html

    Also bring up your hosts file by click Start, Run, and enter notepad c:\windows\system32\drivers\etc\hosts and click OK

    If it has anything else in it besides what is in the below quote box, delete the other info and tell me what was there.

     
  18. kshapi

    kshapi Private E-2

    Good Morning chaslang!

    Latest Actions and results:

    1) Properties of the file c:\windows\system32\rundll32.exe

    file version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    Description: Run Once Wrapper
    copyright: © Microsoft Corporation. All rights reserved.

    2) I did a search for CMD.exe and found the following:

    CMD.exe in folder C:\WINDOWS\system32
    CMD.exe in folder C:\WINDOWS\servicepackfiles\i386
    eventcmd.exe in folder C:\WINDOWS\servicepackfiles\i386
    CMD.exe in folder C:\WINDOWS\softwaredistribution\download\6ca7b3a8efd5a9b6f87fff395a2eb989
    eventcmd.exe in folder C:\WINDOWS\softwaredistribution\download\6ca7b3a8efd5a9b6f87fff395a2eb989

    I did not find CMD.exe in the C:\ folder so I took no action. Is this correct? Note: looking at properties for 3 above CMD.exe files all seemed to be Microsoft Products.

    3) Results of the START/RUN: notepad c:\windows\system32\drivers\etc\hosts

    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy

    I deleted all entries except the 2 "Spybot" lines and then saved the file.

    4) Reviewed http://securityresponse.symantec.co...iroot.worm.html and loaded updates.

    OK, off to work soon, will be back on-line tonight. Again, you are a superstar, thanks SO much for the continued support!!! :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The rundll32.exe file is valid as I said and yours is the legit MS version.

    All the cmd.exe items you found are okay.

    The only line that should really be in your hosts file is
    127.0.0.1 localhost

    Add it in and remove anything else. You could have all the stuff from my previous post (the other lines are just comment lines). You do not need those Spybot entries.

    Did anything from the Symantec link help?

    And you're welcome!
     
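    The hosts file advice above is easy to check mechanically, and the check is worth having because the file is a favourite target: an entry that sends a name to 127.0.0.1 merely blackholes it (which is how Spybot and similar tools block ad servers, but also how some malware silences antivirus update sites), while an entry that sends a name to any other address quietly redirects the user. The block below is an added example, not part of the thread: it parses hosts-file text (the sample is built from the entries quoted in the thread plus one constructed non-loopback redirect of a vendor site, which is not something the thread reported), classifies every mapping, and reports whether the file is in the "only 127.0.0.1 localhost" state the thread arrives at. Accepting an IPv6 "::1 localhost" line is an assumption added for modern Windows.

```python
import ipaddress

# The only mappings the thread wants left in place. Assumption: the IPv6
# loopback name is also accepted, since modern Windows writes one.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Sample hosts content built from the entries quoted in the thread, plus one
# constructed line (192.0.2.10 is a documentation address) redirecting a
# vendor site to a non-loopback host; that line is not from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 r1.clrsch.com   # inline comment
# End of entries inserted by Spybot - Search & Destroy
192.0.2.10 www.trendmicro.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments.
    A line may carry several hostnames; each becomes its own pair."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry; skip rather than guess
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs

def classify(pairs):
    """Sort entries into the default loopback name, blackhole entries that
    point elsewhere-named hosts at loopback (blocklist style, but also the
    trick used to cut off AV update sites), and real redirections."""
    result = {"default": [], "loopback_sink": [], "redirect": []}
    for ip, name in pairs:
        if (ip, name) in DEFAULT_ENTRIES:
            result["default"].append((ip, name))
        elif ipaddress.ip_address(ip).is_loopback:
            result["loopback_sink"].append((ip, name))
        else:
            result["redirect"].append((ip, name))
    return result

def is_clean(text):
    """True only when nothing but the default loopback mapping is present."""
    c = classify(parse_hosts(text))
    return not c["loopback_sink"] and not c["redirect"]

if __name__ == "__main__":
    for bucket, entries in classify(parse_hosts(SAMPLE_HOSTS)).items():
        for ip, name in entries:
            print(f"{bucket:13} {ip:>12} {name}")
    print("clean:", is_clean(SAMPLE_HOSTS))
```

    Redirect entries are the ones to treat as an incident rather than clutter; loopback sinks can be removed as the thread advises, but a loopback sink for an antivirus or update site should be noted, since it means something wanted those scans to fail.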
  20. kshapi

    kshapi Private E-2

    Hi chaslang,

    I revised notepad c:\windows\system32\drivers\etc\hosts to only read: 127.0.0.1 localhost

    I loaded the Virus definition updates from the Symantec link but can not 100% say what effect it may have had on my system. Also, there are detailed instructions on Copying Regedit.exe to Regedit.com, and reversing the changes made to the registry I am not sure this is necessary..thoughts? Honestly, I was a bit confused by the information on the Symantec Link. For reference, a system scan with Norton did not indicate any signs of the W32.Miroot.Worm.

    So at this time, I have restarted my computer 1x and have not had my firewall block anything other than "iexplorer.exe attempting to connect to the internet "www.majorgeeks.com" (which is my home page at this time).

    It appears that the system is running well but I don't want to get lulled into a false sense of security. So, I have a few questions......

    1) what should I do to make sure all is running well? Or in other words what would YOU have me do to be sure my system is clean and free of all that is BAD. Re-run all scans and post logs?

    2)I am familiar with your posting....."How to Protect yourself from malware! " I can institute your recommendations as well as working on getting only ONE firewall running on my computer..Either Norton or Sygate any other recommendations?

    3) IF I had an enormous pile of cash in an account in the Cayman Islands would you consider accepting all of that as a sign of my gratitude for your help in resolving my issues? Honestly, I wish I had that pile of cash for you...you are a lifesaver!!!

    But I don't want to get too ahead of myself.....let's make sure all is OK on my system before I crack the champagne a few days early!

    best regards,
    kendall
     
