Can't Beat the Virus/Trojan H-E-L-P

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kshapi, Dec 28, 2004.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your startup list I requested, I noticed this:

    [91e55602-0ef7-43e5-8edf-f693bb4cc097] *
    StubPath = C:\WINDOWS\System32\hzhxuz.exe

    I don't like the looks of this file but I cannot find any info on it. Please boot into safe mode and go to your c:\windows\system32 folder and rename that file to hzhxuz-exe.bad. Now reboot in normal mode and let's see what happens.

    Also, the file you mentioned a few messages back: C\windows\jodsrv32.exe
    Was not in the StartupList log you made for me. So it must be new if it is really there.

    By the way it looks like your Windows Firewall is enabled:
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
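    The entry chaslang singles out above (an Active Setup GUID whose StubPath points at an executable with a random-looking name in System32) is the kind of thing a short script can pull out of a startup log automatically. The following is an added example, not code from the thread, from MajorGeeks or from StartupList: it parses a constructed snippet written in the same two-line format quoted in the post, and flags StubPath targets whose file name looks random or that are unrecognized executables living in System32. The allowlist of known stubs, the constructed GUIDs and paths, and the random-name thresholds are assumptions.

```python
"""Flag suspicious Active Setup StubPath entries in a StartupList-style log.

Added example, not from the thread. The input format copies the two quoted
lines in the post (a bracketed GUID line followed by "StubPath = <command>");
everything else here is an assumption for illustration.
"""
import re
from typing import List

# Constructed sample. The second entry is the one quoted in the post; the
# other two are made up for contrast (a known Windows stub and a quoted path).
SAMPLE_LOG = r"""
[{00000000-0000-0000-0000-000000000001}] *
StubPath = C:\WINDOWS\System32\regsvr32.exe /s example.dll
[91e55602-0ef7-43e5-8edf-f693bb4cc097] *
StubPath = C:\WINDOWS\System32\hzhxuz.exe
[{00000000-0000-0000-0000-000000000002}] *
StubPath = "C:\Program Files\Example App\setup.exe" /quiet
"""

# Windows binaries that legitimately appear as Active Setup stubs.
# Assumption: a short allowlist is enough for this illustration.
KNOWN_STUBS = {"rundll32.exe", "regsvr32.exe"}

VOWELS = set("aeiouy")

HEADER_RE = re.compile(r"^\[(?P<guid>[^\]]+)\]\s*\*?\s*$")
STUB_RE = re.compile(r"^StubPath\s*=\s*(?P<cmd>.+?)\s*$")


def parse_entries(log_text: str) -> List[dict]:
    """Pair each [GUID] header with the StubPath line that follows it."""
    entries, guid = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            guid = m.group("guid")
            continue
        m = STUB_RE.match(line)
        if m and guid is not None:
            entries.append({"guid": guid, "command": m.group("cmd")})
            guid = None
    return entries


def executable_of(command: str) -> str:
    """Return the program part of a command line, honoring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def looks_random(basename: str) -> bool:
    """Heuristic: names like 'hzhxuz' have few vowels and long consonant runs.

    Thresholds (vowel ratio <= 0.2, consonant run >= 4) are assumptions and
    will also match some legitimate abbreviated names, which is why known
    stubs are excluded before this check is applied.
    """
    stem = basename.lower().rsplit(".", 1)[0]
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio <= 0.2 or longest_run >= 4


def analyze(log_text: str) -> List[dict]:
    """Attach a list of reasons to every StubPath entry (empty = nothing noted)."""
    findings = []
    for entry in parse_entries(log_text):
        exe = executable_of(entry["command"])
        parts = exe.replace("/", "\\").split("\\")
        basename = parts[-1]
        parent = parts[-2].lower() if len(parts) > 1 else ""
        reasons = []
        if basename.lower() not in KNOWN_STUBS:
            if looks_random(basename):
                reasons.append("random-looking file name")
            if parent == "system32":
                reasons.append("unrecognized executable in System32")
        findings.append({**entry, "exe": exe, "basename": basename, "reasons": reasons})
    return findings


def suspicious(log_text: str) -> List[dict]:
    """Only the entries that collected at least one reason."""
    return [f for f in analyze(log_text) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"[{f['guid']}] {f['exe']}: {', '.join(f['reasons'])}")
```

    On the sample above only hzhxuz.exe is reported, with both reasons. A hit is a prompt to verify the file (as chaslang does above by renaming it in safe mode and watching what happens), not a verdict on its own.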
     
  2. kshapi

    kshapi Private E-2

    HNY Dr C.!!!

    1) OK, I looked for the file: C:\WINDOWS\System32\hzhxuz.exe
    It was not there.

    2) C\windows\jodsrv32.exe was there but I removed that a few posts back under the direction of BJ. The last time I re-started the computer (after deleting jodsrv32.exe), SpySweeper sent an alert showing that the same file would auto load on next start-up. However this time, SpySweeper was able to remove the program. Have not seen anything about this file since.

    per BJ's request
    3) Latest SpySweeper log attached from SAFE MODE
    4) Latest Trend Micro scan from SAFE MODE showed the following:
    FOUND: Troj Agent.cac - c:\recycler\NDprotect\000114269.dll - Trend deleted this
    Found: Trojan Small.PO C:\Windows\baled.dll and
    C:\Windows\hclqf.dll ... these could not be deleted.

    The above 2 files have been present for some time now and have not been able to be removed. If you scan back through this posting ... you'll see I found these a while back and we have not been able to get rid of them.

    5) Do you know how to disable Windows Firewall? I can only find something to turn off Windows Pop-up Blocker??

    6) I believe the way to turn off the Norton Firewall function is to turn off "Norton Auto-Protect" and "Script Blocking". Auto-Protect is the Norton virus/Trojan/worm protection function in Norton SystemWorks.

    7) BJ asked "If you try and "End Task" on one of the processes does it close just the one process or does it close all instances of "iexplore.exe" ???"
    My response: Only one iexplorer process closes per each select and end task operation.

    8) Several posts back I regained access to my recycle bin functionality. (ability to see deleted files and permanently delete them.)
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy New Year!

    Make sure that C:\WINDOWS\System32\hzhxuz.exe is no longer showing in your HJT log.

    SpySweeper did remove a bunch of stuff. I hope the removal of the C-dilla stuff does not mess up your ability to play some games. Usually that is what it is associated with. It's a game protection mechanism.

    You said:
    I don't remember discussing these files. What message number? Did you try Killbox on them?


    For the Windows Firewall, see if this helps:

    http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx

    I don't know anything about Norton's Firewall since I have never used or seen it.

    Your Recycle Bin was most likely fixed after we removed the VX2 problems.

    Do you still have multiple IE processes starting up? Any other issues?
     
  4. kshapi

    kshapi Private E-2

    Hi DrC,

    Confirmed: C:\WINDOWS\System32\hzhxuz.exe is no longer showing in the HJT log

    I just realized that the SpySweeper log that I attached included entries back thru 12-27 where a whole bunch of stuff was removed. I have attached ONLY the portion of the log that was run this morning.

    In message #24 I had posted a file with a summary of numerous virus/trojan scans. (12-30 virus summary pm.txt) I mentioned the following files in that attachment.
    (C:\Windows\baled.dll and C:\Windows\hclqf.dll) The info probably got lost in the large amount of info in that file.

    That being said, I had not tried to kill them with KillBox.
    I just did this and rebooted. The files were still there. So I ran KillBox again, rebooted and they were still there. So I just tried to delete them manually and this was successful. I rebooted and they were gone. Am I missing something or did I do the right thing deleting them manually????

    I followed your link and turned off Windows Firewall. THANKS!

    Currently, I have no more multiple iexplorer.exe processes running ..... a first in over 10 days ... Woo-Hoo!!

    No issues that I can see at this time but will have to monitor thru several start-ups and internet connections. Now the challenge is that I have loaded so many new virus/trojan/spy/adware programs onto my system I need to figure out how to correctly use them and all of the correct settings :)

    I will also re-run the steps in "READ ME" and make sure all steps in "How TO PROTECT...MALWARE" are in place. And then run all the extra on-line virus scans to see if anything is discovered. Any other suggestions?
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hey, I'm glad everything seems to be going good for you. The programs I had you install you don't need anymore if you're clean; however, the one "SpySweeper" is a great program for spyware protection. The one I had you download is only a 30 day trial, but is well worth the $26 /yr. So anyway if you have any other questions and/or problems let me know. Thanks!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SpySweeper was already being used from the beginning!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kendall,

    Sounds like you are in good shape. I'm glad we got this worked out.
    Let me know if anything else comes up (or back).
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Oh ok, I just tell most users to download it; I just thought I did, sorry about that, but anyway it's a great spyware protection program.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! It's in my How to protect thread too. But it is not free! (You get one free update.) Also you need to be careful with it. It will find some things that you may need and delete them. Don't just do a fix of everything that it finds. The items are all questionable but they are needed sometimes. For example C-dilla. Without that some people cannot play their Macrovision protected games.
     
  10. kshapi

    kshapi Private E-2

    DR C and BJ,

    FREE at last
    FREE at Last
    Thank God almighty
    Free At last!!!!!!!!!!!!!!!!!!!!!!

    pardon above plagiarism ;)

    After multiple restarts and Internet log-on/off sessions I have seen not a single issue in the past 5 days!!!!!!

    I can't begin to thank you guys enough for helping me rid my computer of all the nasty cr@p that was keeping me up at nights. After 11 days and over 40 hours of work, the issues all seem to be resolved and I have you guys to thank for it!!!

    Seriously, I can't even begin to thank you enough.....the help and support you provided was absolutely invaluable.

    I have already referred several people to the MG site for help.

    YOU GUYS ROCK!!!!! :) How can I support the site further??
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
