Loaded with trojans: Help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jcaitlan, Aug 31, 2005.

  1. jcaitlan

    jcaitlan Private E-2

    My laptop is running Windows 2000 S/P4. It's losing the broadband connection frequently, and appears to have unauthorized processes running in the background.

    I've completed the virus removal checklist listed in this Forum, including:

    1) Disabled GoBack

    2) Enabled viewing of hidden files/extensions

    3) Booted into Safe mode and ran Bitdefender and RAV Antivirus (logs available if needed.) Discovered 12 trojan viruses in about 50 files.

    4) Cleaned drive with CCleaner, and ran Ad-Aware SE and Spybot (my regular tools) to identify and clean up spyware. (None found.) Couldn't figure out how to install the VX2 plug-in, but does it really impact trojan removal?

    5) Ran the secondary tools: CWshredder, Kill2Me, about:Buster, HSremove, SpywareBlaster, stinger

    6) Ran additional antivirus tools in normal mode: a-squared StartCenter, Trojan Remover, TrendMicro, and Avast. Not much impact. TR found a single virus (which was not listed on Bitdefender or RAV scans) and removed it. Did not run ADS Spy.

    7) Ran HiJackThis and saved log.

    I tried to do some initial research on the trojan viruses that were identified by Bitdefender to identify alternate methods of cleaning, but not much luck so far.

    Assuming the infected files identified are not false positives, any suggestions for the next step?
     
  2. jcaitlan

    jcaitlan Private E-2

    Re: Loaded with trojans: Addl info

    Forgot to mention that I have run Norton Firewall and Norton Systemworks / Antivirus the past couple of years, currently have the 2005 version installed, and do full system AV scans twice weekly.

    This problem has been around for the past year, but this is my laptop and I use it off-line 95% of the time, so the problem hasn't been obvious (except for the fact that the hard drive is constantly active most of the time.) I'm starting to get back on the road now, and need my laptop to connect to the Internet reliably.

    Thanks again to anyone who might have the time to help me on this. I'm the local PC guru for my extended family, and spend my vacations cleaning up their infected machines, so I know how much effort goes into this. I just don't have enough savvy to clean up trojans right now.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Loaded with trojans: Addl info

    Please follow the below steps exactly:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. jcaitlan

    jcaitlan Private E-2

    Ran HJT 1.99.1 and have attached the log, as requested. Thanks much.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log does not reveal any problems.

    What problem processes are you referring to? What did BitDefender report?

    When you say "the broadband connection frequently", what does this mean exactly? What kind of connection do you have (dial-up, cable, dsl ...)?
     
  6. jcaitlan

    jcaitlan Private E-2

    Bitdefender scan lists the following viruses:

    Backdoor.IRC.Zcrew
    Backdoor.Irc.Flood.AO
    Trojan.Fluxay.A
    Backdoor.Pipecmd.A
    Backdoor.Sdbot.P
    Trojan.Flood.22016
    Backdoor.IRC.Bnc.l
    IRC-Worm.Momma.A
    Backdoor.GTSE.1.0 (BAT)
    Backdoor.SDBot.604487D6

    Most of the infected files are in the System/AtapiDrv directory, especially the wserver.exe file (which is an obvious problem.) I've found a couple of wserver.exe files in different directories, but didn't want to delete them in a haphazard fashion. I've attached the bitdefender scan file.

    My network link is cablemodem. I lose connectivity several times a day for hours at a time. I see lots of CPU and disk I/O activity even when no user processes are active. This activity goes quiet after you disconnect the network link, and resumes when you re-establish connectivity.

    I'm still assuming I have 1 or more current Trojan virus infections, and perhaps the remnants of former infections.

    Norton AV 2005 is not showing any infections during my weekly scans.

    Thanks again for the help and guidance.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the BitDefender log. Also if RAV found anything, attach that log too.

    Did you run Stinger (in safe mode)? It should detect and remove Netsky files like wserver.exe.

    You could also try running: avast! Virus Cleaner Tool
     
  8. jcaitlan

    jcaitlan Private E-2

    I attached the Bitdefender scan log earlier, but it was html and perhaps you couldn't open it. I've saved it as a text file, and attached both it and the RAV scan log.

    I ran both Stinger & avast in Safe mode last week and repeated the scans again today. Neither identified nor removed the netsky infected files. Strange, eh?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually you did not attach it before. You cannot attach html files.

    And this time you did not attach text files, you attach Word document files.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you did not load some kind of drivers on your system related to this AtapiDrv folder stuff? It is strange that the files would also appear in the C:\Drivers folder.

    Try doing the following, look for the below files and rename them as indicated:

    C:\DRIVERS\wserver.exe <--- rename to wserver.xxx
    C:\WINNT\system32\AtapiDrv\wserver.exe <--- rename to wserver.xxx
    C:\WINNT\system32\bc.exe <--- rename to bc.xxx


    Then reboot your system and let me know if you get any kind of error messages.
    Also rerun the Bitdefender scan now and attach its log.
     
  11. jcaitlan

    jcaitlan Private E-2

    Renamed the 3 wserver.exe files to wserver.exe.xxx, and rebooted into Safe mode; no errors. Then Normal mode; no errors.

    The only drivers I loaded were for an HP Deskjet printer and an IBM Thinkpad CD-RW drive. However, the dates on the AtapiDrv files are six months earlier than the CD-RW installation, so

    Re-ran Bitdefender 8. Scan attached. 10 viruses in 20 different files.

    I've tried to upload the scan log for the past 30 minutes using .log, .txt, and .doc files. I keep getting an error msg that the document is empty. (I've opened each version of the file and confirmed that it has the complete scan results in it, so I don't know why the server thinks the file is empty.) Unless you have any ideas on what I'm doing wrong here, I'll just try to upload this again later in the morning.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just post it in line (copy & paste) and I'll change it.
     
  13. jcaitlan

    jcaitlan Private E-2

    Edit by chaslang: The file was too large to upload as a text file. ZIP'd it and uploaded it.
     

    Attached Files: bd.zip (26.3 KB)

    Last edited by a moderator: Sep 9, 2005
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you look in the C:\WINNT\system32\AtapiDrv folder using Windows Explorer, how many files do you see? And what are a few of their names?
     
  15. jcaitlan

    jcaitlan Private E-2

    Here's all the subdirectories and files in winnt\system32\atapidrv:

    logs (subdir)
    no files

    rec (subdir)
    keep.this.file (0 kb)

    sounds (subdir)
    no files

    aliases.ini
    cs.dat
    mirc.ini
    n.dat
    s.dat
    udp.dat
    wserver.exe.xxx
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm actually leaning towards deleting all those folders and files manually. I'm just wondering why BitDefender and RAV are not doing that themselves. Did you run them in safe mode?

    I still wonder where all those items came from and what they are for. You could try looking at some of the files (like the .ini and .bat files) with notepad or wordpad to see what is in them. Just make sure you do not double click on any of the files because that will make them run (if they are executable). Right click on them and choose Open with and then select Wordpad.
     
  17. jcaitlan

    jcaitlan Private E-2

    I ran both RAV and Bitdefender in Safe mode last week and today. Ya got me why they're not finding and deleting the infected files. Heck, I'm curious why Norton AV didn't do that two years ago....

    Here's what I'm seeing in the ini and bat files:

    aliases.ini
    "[aliases]"

    mirc.ini
    Looks legit. Lists different types of sound files and setting options. Let me know if you want me to send you the contents.

    Opened that strange little "keep.this.file" file in recv folder, but it was empty.

    I'm open to deleting the infected folders and files as well. Just want to do it incrementally, and be sure we can recover in the event any of these cause us a headache.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is in the share.bat file?

    If you have someplace you can back them up to (like CD writer etc) that would possibly be a good thing to do first. While many of these file names do get hits as being malware related, not all of them do. I'm not really convinced yet that they are really problems.

    Another thing you could try is just renaming the AtapiDrv folder to something else (like AtapiDrv-backup) and then reboot your PC and see if it works OK. This will not change anything with BitDefender. I just want to see if your system needs these files for something.

    Also, is that bc.exe.xxx (as you renamed it) a file, or is it a folder?
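
The rename-first approach chaslang uses here and in post 10 (rename the suspect files or folder, reboot, watch for errors, keep a way back) and the "look but don't run" inspection from post 16, as an added example that is not from this thread: a small Python helper that quarantines files by appending the .xxx suffix, records every rename in a manifest so the step can be undone, and inventories a folder by reading bytes and hashing them rather than executing anything. The folder layout, file names and contents in demo() are constructed placeholders, not the poster's real files.

```python
import hashlib
import json
import tempfile
from pathlib import Path

SUFFIX = ".xxx"  # the rename suffix used in this thread

def inventory(folder):
    """Map each file under folder to (size, sha256): reads bytes only, never runs them."""
    result = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(folder))] = (path.stat().st_size, digest)
    return result

def quarantine(paths, manifest):
    """Rename each existing path to path + SUFFIX, logging the mapping for rollback."""
    renamed = []
    for p in map(Path, paths):
        if p.exists():
            target = p.with_name(p.name + SUFFIX)
            p.rename(target)
            renamed.append((str(p), str(target)))
    Path(manifest).write_text(json.dumps(renamed, indent=2))
    return [orig for orig, _ in renamed]

def restore(manifest):
    """Undo a quarantine from its manifest; returns the number of entries."""
    entries = json.loads(Path(manifest).read_text())
    for orig, target in entries:
        if Path(target).exists():
            Path(target).rename(orig)
    return len(entries)

def demo():
    """Constructed sample: throwaway folder with this thread's file names, placeholder contents."""
    root = Path(tempfile.mkdtemp())
    drop = root / "AtapiDrv"
    drop.mkdir()
    for name in ("aliases.ini", "mirc.ini", "wserver.exe"):
        (drop / name).write_text("placeholder " + name)
    manifest = root / "rename-manifest.json"
    before = sorted(inventory(drop))
    renamed = quarantine([drop / "wserver.exe", root / "missing.exe"], manifest)
    after = sorted(p.name for p in drop.iterdir())
    restored = restore(manifest)
    return {"before": before, "renamed": renamed, "after": after,
            "restored": restored, "back": sorted(p.name for p in drop.iterdir())}
```

Paths that do not exist (like the missing.exe above) are skipped silently, so a list copied from a scan log can be fed in even after another tool has already removed some of the entries.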
     
  19. jcaitlan

    jcaitlan Private E-2

    bc.exe is a file; not a folder.

    What's the path name of the share.bat file, and I'll check it out and get back to you.

    I have no problem backing up the atapidrv directory, renaming the folder, and then rebooting to see what the impact is. I'll do that and let you know how it goes.

    Thanks again for taking time to help me out on this.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But the file is not bc.exe anymore is it?

    The share.bat file is in the AtapiDrv folder according to your log. That's c:\windows\system32\AtapiDrv
     
  21. jcaitlan

    jcaitlan Private E-2

    No, I renamed the file "bc.exe.xxx" as you requested earlier.

    I re-verified that there is currently no "share.bat" file in the C:\WINNT\system32\AtapiDrv directory.

    Perhaps it was deleted by one of the BitDefender scans we re-ran last week. I did a search of the system drive for "share.bat" and found no match.

    I renamed the C:\WINNT\system32\AtapiDrv as "C:\WINNT\system32\AtapiDrv.xxx" and rebooted. No problems noted on boot, and no problems associated with any of the drives so far.
     
  22. jcaitlan

    jcaitlan Private E-2

    After renaming the AtapiDrv folder, I used the PC for a couple of hours with no apparent problems.

    Couldn't establish a network connection at first, but after running virus scans (Norton AV, Trojan Remover, Bitdefender) the connection worked. (This is the typical pattern, so no change there.)

    Is it time to backup the AtapiDrv folder to CD, and delete this sucker?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is what I would suggest.

    Also backup and delete the below files (if they still exist):

    C:\WINNT\system32\bc.exe.xxx
    C:\WINNT\system32\drivers\savenow.exe
    C:\WINNT\system32\Libparse.exe
    C:\WINNT\system32\zx\Libparse.exe <-- for this one I question the whole zx folder
     
    Last edited: Sep 12, 2005
  24. jcaitlan

    jcaitlan Private E-2

    Backed up the following files/folders:

    C:\WINNT\system32\AtapiDrv\ (all files, including wserver.exe.xxx)
    C:\WINNT\system32\bc.exe.xxx
    C:\WINNT\system32\drivers\savenow.exe
    C:\WINNT\system32\Libparse.exe
    C:\WINNT\system32\zx\Libparse.exe <-- for this one I question the whole zx folder

    The "wserver.exe" file appeared in one additional location and I backed that up and deleted it as well.

    C:\Drivers\wserver.exe.xxx

    I also emptied the Recycle Bin before rebooting.

    Rescanned using BitDefender 8. No infected files found.

    I'll run the PC thru its paces this afternoon to see how it acts, and get back to you with the results.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. jcaitlan

    jcaitlan Private E-2

    Many thanks, Chaslang. I've run the PC for 2 days with no indication of any problems connecting to the Internet, and no indication of spyware or viruses.

    I started using almost all of the recommendations on the Malware checklist last year (after this laptop had been infected by the trojans), so I would hope we're in pretty good shape from here on out.

    I use Norton AV and Firewall, as well as Systemworks to clean up temp files. I run Ad-Aware, Spybot S&D, and Microsoft Antispyware weekly. My IE settings were already at the level you recommended. I've been using Firefox since last November, and update as each release is announced. I had uninstalled MSFT java and installed Sun Java as well.

    Thanks again for walking me thru the Trojan id and removal process. It's easy to know what files to delete; not always easy to know which ones not to.

    Best of luck and let me know if I can ever be of help.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     