Still Can't Get Rid of This Thing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Daniely, Dec 6, 2004.

  1. Daniely

    Daniely Private E-2

    I have been trying to get rid of multiple viruses for weeks with no luck. I am unable to access the internet unless in safe mode and unable to get any updates on Norton. I have gone through all of the steps of "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal".
    Please help. We are at the point where we think we just need to wipe everything out and start over.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Daniely,

    If you have exhausted all of the options in the Cleanup Tutorial, please go ahead and send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I have been tied up with work lately, but somebody will take a look when they get a chance.

    Best luck :)
    PP
     
  3. Daniely

    Daniely Private E-2

    Thank you so much. Let me know what else you need.
     

  4. Kodo

    Kodo SNATCHSQUATCH

    Please try the alternate scans in the tutorial. You have tons of trojans on your machine.
     
  5. IrOnMaN

    IrOnMaN Specialist

    I haven't read the tutorial so I don't know if they mention this, but The Cleaner at www.moosoft.com is a pretty good trojan scanner.
     
  6. Kodo

    Kodo SNATCHSQUATCH

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Daniely,

    After trying the Alternative Scans Kodo mentioned, here are some things to do (some of them may get cleaned up by those scans and may no longer exist).


    Please remember that you must exit all browsers before running HJT. You had IE running, as shown by the line below:
    C:\Program Files\Internet Explorer\iexplore.exe
    Question: Do you use this HPTOOLKT Toolbar?
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

    Make sure you have system restore disabled and viewing of hidden files enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below processes and if found, end them (you probably will not see any of them based on your previous log):
    csmss.exe
    ipcon32.exe
    sync64.exe
    videopci.exe
    itkpsrv.exe
    dxterm5.exe
    lsvchost.exe
    svhost.exe
    rtli.exe
    nt.exe
    ddrawex.exe
    l?gonui.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll
    O4 - HKLM\..\Run: [WIN95DEFVIEW] C:\WINDOWS\System32\csmss.exe
    O4 - HKLM\..\Run: [IpCtrl] C:\WINDOWS\ipcon32.exe
    O4 - HKLM\..\Run: [Sync32x2] C:\WINDOWS\sync64.exe
    O4 - HKLM\..\Run: [videopci] C:\WINDOWS\videopci.exe
    O4 - HKLM\..\Run: [ItkpSrv32] C:\WINDOWS\itkpsrv.exe
    O4 - HKLM\..\Run: [DirectX Video Driver] C:\WINDOWS\dxterm5.exe
    O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
    O4 - HKLM\..\Run: [.mscsbl] C:\WINDOWS\system\svhost.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [microsoft software] rtli.exe
    O4 - HKCU\..\Run: [OLE] C:\WINDOWS\nt.exe
    O4 - HKCU\..\Run: [ddrawex] C:\WINDOWS\System32\ddrawex.exe
    O4 - HKCU\..\Run: [Xbtli] C:\WINDOWS\System32\l?gonui.exe
    O4 - HKCU\..\Run: [videopci] C:\WINDOWS\videopci.exe
    O4 - HKCU\..\RunServices: [microsoft software] rtli.exe
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/080e53ebd832ef851120/netzip/RdxIE2.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O19 - User stylesheet: (file missing)
    O21 - SSODL: Microsoft DirectXb - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Aoilcbmn.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\mscfg.dll
    C:\WINDOWS\System32\csmss.exe
    C:\WINDOWS\ipcon32.exe
    C:\WINDOWS\sync64.exe
    C:\WINDOWS\videopci.exe
    C:\WINDOWS\itkpsrv.exe
    C:\WINDOWS\dxterm5.exe
    C:\WINDOWS\system\lsvchost.exe
    C:\WINDOWS\system\svhost.exe
    C:\WINDOWS\System32\rtli.exe
    C:\WINDOWS\nt.exe
    C:\WINDOWS\System32\ddrawex.exe
    C:\WINDOWS\System32\l?gonui.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
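As an added example (not from the thread and not part of HijackThis), a small Python parser for the O4 autostart lines chaslang listed above: it splits each line into hive, key, value name and command, then flags image names that sit one character away from a real Windows process name (csmss/csrss, svhost/svchost, l?gonui/logonui) or that are given with no path at all, which is exactly the pattern in this log. The list of legitimate process names and the two flagging rules are assumptions of this example, not something HJT itself does.

```python
import re

# Constructed sample: the O4 lines quoted from chaslang's post above, plus the benign KernelFaultCheck entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WIN95DEFVIEW] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [.mscsbl] C:\WINDOWS\system\svhost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [microsoft software] rtli.exe
O4 - HKCU\..\Run: [Xbtli] C:\WINDOWS\System32\l?gonui.exe
"""

# Legitimate Windows process names that malware likes to imitate (assumed list, not taken from the log).
KNOWN_SYSTEM_EXES = sorted({"csrss.exe", "smss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "logonui.exe"})

# O4 - HKLM\..\Run: [value name] command   (HJT shortens the CurrentVersion path to "..")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

def parse_o4(log_text):
    """Parse HijackThis O4 autostart lines into (hive, key, value_name, command) tuples."""
    return [m.groups() for line in log_text.splitlines() if (m := O4_RE.match(line.strip()))]

def edit_distance(a, b):
    """Levenshtein distance; one character away from a system binary name is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(command):
    """Return the reasons an autostart command deserves a closer look (empty list if none)."""
    # The image is the first token; a quoted path may contain spaces, an unquoted one ends at the first space.
    exe = command[1:command.index('"', 1)] if command.startswith('"') else command.split()[0]
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename, resolved through the search path")
    if base not in KNOWN_SYSTEM_EXES:
        reasons += [f"lookalike of {real}" for real in KNOWN_SYSTEM_EXES if edit_distance(base, real) == 1]
    return reasons

def suspicious_entries(log_text):
    """Map each flagged value name to its reasons; entries with nothing to report are omitted."""
    return {name: r for _hive, _key, name, cmd in parse_o4(log_text) if (r := assess(cmd))}

if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The KernelFaultCheck line is deliberately left unflagged: dumprep is a real Windows component, which is why a name-based check has to be paired with the file-location checks chaslang walks through rather than trusted on its own.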
  8. Daniely

    Daniely Private E-2

    I am now able to get onto the internet in normal mode. Thank you! I am still not able to get updates on Norton, though. I appreciate all of your help!
     

  9. Daniely

    Daniely Private E-2

    I got Norton working now too. I am very excited. This computer has been infested for weeks. Thank you. Please let me know if there is anything else that I need to do.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is now clean.
    You should check this out: How to Protect yourself from malware!

    I would also recommend looking into changing your OS to WinXP SP2. WinNT is rather old but that decision is yours.
     
  11. Daniely

    Daniely Private E-2

    Something is obviously still lurking within. After 3 days of being able to run IE in normal mode, it is not working again. I am also not able to download the WMI updates from Norton. I installed security pack 2. Any idea as to what is going on? Should I send another HJT log?
     
  12. PhilliePhan

    PhilliePhan Guest

    Sometimes Norton has issues with SP2.

    Are you running a Firewall? If so, did you disable the Windows Firewall?

    Go ahead and attach a fresh HJT Log. Somebody will check back when they get a chance.

    PP :)
     
  13. Daniely

    Daniely Private E-2

    I turned off Personal Firewall and now I can get internet access again. Why is that? Is something wrong with firewall? Should I leave on intrusion, privacy control, and security within personal firewall? Are firewall and SP2 not compatible? If not, is it better to have firewall or SP2? Sorry for all the questions. I'm just confused. I appreciate all of your help.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to use only one firewall. XP SP2 has a built in firewall which is enabled by default. So you probably had conflicts. Use one or the other, not both.
     
