Trojan !update-3895

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TimW, May 26, 2006.

  1. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hey guys .... (no rest for the weary) .... cannot seem to get rid of this trojan that keeps popping up .... have run Spybot, Ad-Aware, CCleaner, turned off System Restore ... manually deleted the damn thing 10 times .... yet each time I restart the 'puter, McAfee VirusScan reports this trojan at the time of start up ... always shows up in Temporary Internet Files .... application reported is U@oolsv.exe as a Downloader-EV. Suggestions?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just noticed in processes .... updaterUI running .... ended the process, going into msconfig to see if it's also there!!!
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Here is the log from the activescan:
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As always, standard operating procedures must be followed. I believe Halo just gave you the instructions again yesterday in another thread. See: http://forums.majorgeeks.com/showthread.php?t=92998 Why didn't you follow up in that thread? You should not post requests for help if you do not plan on a follow up.


    Please follow our standard cleaning procedures, which are necessary for us to provide you support. They cover the specific order of running the cleaning applications, as HJT is a last resort and mop-up program. There are also steps included for installing, running, and posting HijackThis logs as attachments.


    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
    Last edited: May 26, 2006
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Chaslang ..... sorry, the post the other day was from a friend's 'puter .... this is one of the units at work (teaching lab) .... ran all the aforementioned scans (Ad-Aware, Spybot, CCleaner, etc.). Did the ActiveScan (log on previous post, but will add here also), and went in to delete as much as I could find .... could not find the first four .... deleted the rest. Still pops up in the virus alert when I restart .... so here are the HijackThis and ActiveScan logs (appreciate your patience .... trying to clean this so it doesn't worm its way into our network.)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have HJT installed wrong! Check step 7 again and install it correctly.

    Where is your Bitdefender log?

    Are you saying you could not find:
    c:\winnt\system32\??oolsv.exe

    Note this is not spoolsv.exe, which is valid. It will probably look just like it, but if you sort the folder in alpha order (by Name) you would notice two spoolsv.exe files and one would be out of order and is probably much newer and larger than the real spoolsv.exe.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also you are saying these PCs are on a school network???

    Why is there no software firewall? You really should have one to protect each PC from the other PCs and from the kiddies.

    Also O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto should not be used while cleaning the PCs. It prevents us from seeing what we may need to see. There is no reason to be using this anyway, and Microsoft even states not to use it for long-term solutions. It is only for debugging.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a school ... a training lab for the unemployment office .... firewalls are active through the routers .... disable the PCHealth thru msconfig?
    And re-run HijackThis?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm not finding the O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto .... how do I disable this?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not good enough! The router is probably a switch, and once MAC addresses are learned from each PC, they communicate directly and bypass the router portion.

    Yes, run msconfig, select Normal Startup, reboot, and attach a new log.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Still trying to learn exactly what they have ..... wireless access points are set to only communicate with a few chosen MAC addresses ... one of the routers is labeled firewall .... ? .... am still tracing each access point to assign/label with its address ... walked into a very undocumented situation ... spent a week trying to access one failed access point and reconfigure it!!
    The 'puter that's causing the problems is one that one of the teachers uses and was taking an online course .... I clean out the temp files and restart and the folder is full again .....
    Have restarted, normal, will run HijackThis and post back.
    Thanks!!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Here it is:
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still need a software firewall to protect the PCs from each other if they get infected.

    You still have HJT here:
    C:\Documents and Settings\Administrator.HEADQ\My Documents\HijackThis.exe

    That is where we specify not to put it. Install it to C:\Program Files\HJT as requested. Do that now and then continue.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINNT\System32\??oolsv.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {160E357A-F0B4-8C47-99AF-878AD8A4F8CF} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O4 - HKCU\..\Run: [dwvmRTf2j] blamib.exe
    O4 - HKCU\..\Run: [Xlfdurs] C:\WINNT\System32\??oolsv.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\program files\MemoryWatcher <-- the folder
    c:\keys.ini
    c:\winnt\sepsd.bin
    C:\WINNT\System32\blamib.exe
    c:\winnt\system32\datastore.dll
    C:\WINNT\System32\??oolsv.exe <--- Note this is not spoolsv.exe which is valid. It will probably look just like it but if you sort the folder in alpha order (by Name) you would notice two spoolsv.exe files and one would be out of order and is probably much newer and larger than the real spoolsv.exe


    The below may be in email folder:
    Local Folders\Deleted Items\New Net Critical Pack\Install347.exe
    Local Folders\Deleted Items\Mail: Returned To Mailer\fqdpz.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
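The two tells chaslang checks by eye in posts 6 and 13 (a file whose name imitates spoolsv.exe but sorts out of place, and a Run entry such as blamib.exe that names a bare file with no path) can be automated over the O4 lines of a HijackThis log. The script below is an added example for this thread, not code from MajorGeeks or the HijackThis project. It assumes a short, non-exhaustive list of system32 binaries worth impersonating; the sample log lines are constructed for the example, and a Cyrillic letter stands in for the two characters the forum rendered as "??":

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Added example for this thread, not code from MajorGeeks or HijackThis.
It flags executables whose name imitates a legitimate system binary,
legitimate names living outside system32, non-ASCII characters in a
filename, and Run entries that give a bare filename with no directory.
"""
import re
import unicodedata

# Service binaries that belong in %SystemRoot%\system32 and are common
# impersonation targets. Assumption: a short illustrative list, not exhaustive.
SYSTEM32_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "services.exe"}

# Matches the registry-Run form of an O4 line, e.g.
#   O4 - HKCU\..\Run: [Xlfdurs] C:\WINNT\System32\spoolsv.exe
# Other O4 forms (Global Startup, Startup-folder .lnk entries) are ignored.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# First .exe token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; names are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_exe(exe):
    """Return a list of human-readable findings for one executable path."""
    findings = []
    sep = max(exe.rfind("\\"), exe.rfind("/"))
    directory, base = (exe[:sep], exe[sep + 1:]) if sep >= 0 else ("", exe)
    if not directory:
        findings.append("bare filename, resolved through PATH rather than an explicit directory")
    odd = [c for c in base if ord(c) > 127 or not c.isprintable()]
    if odd:
        names = ", ".join(unicodedata.name(c, "U+%04X" % ord(c)) for c in odd)
        findings.append("non-ASCII or unprintable character(s) in filename: " + names)
    lower = base.lower()
    if lower in SYSTEM32_BINARIES:
        # Right name, wrong place: the classic "second spoolsv.exe" trick.
        if not directory.lower().endswith("system32"):
            findings.append("legitimate name %s outside system32 (%s)"
                            % (lower, directory or "no directory"))
    else:
        # Near-miss names (one or two characters off) that sort next to the real file.
        for legit in sorted(SYSTEM32_BINARIES):
            d = edit_distance(lower, legit)
            if d <= 2:
                findings.append("lookalike of %s (edit distance %d)" % (legit, d))
    return findings


def parse_o4(line):
    """Parse one registry-Run O4 line into a dict, or return None for other lines."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    e = EXE_RE.match(entry["cmd"])
    entry["exe"] = e.group("exe") if e else None
    entry["findings"] = (analyze_exe(entry["exe"]) if entry["exe"]
                         else ["could not identify an .exe in the command"])
    return entry


def scan_log(text):
    """Return the parsed O4 Run entries of a HijackThis log, each with its findings."""
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e]


# Constructed sample lines in HijackThis O4 format (not from the thread's logs).
# U+0455 (Cyrillic dze) stands in for the characters the forum showed as "??".
SAMPLE_LOG = "\n".join([
    "O4 - HKLM\\..\\Run: [Synchronization Manager] %SystemRoot%\\system32\\mobsync.exe /logon",
    "O4 - HKCU\\..\\Run: [dwvmRTf2j] blamib.exe",
    "O4 - HKCU\\..\\Run: [Xlfdurs] C:\\WINNT\\System32\\\u0455poolsv.exe",
    "O4 - HKLM\\..\\Run: [Printer] C:\\WINNT\\spoolsv.exe",
    "O4 - HKLM\\..\\Run: [Spooler] \"C:\\WINNT\\System32\\spoolsu.exe\" -k",
    "O4 - HKLM\\..\\Run: [MSConfig] C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto",
    "O2 - BHO: (no name) - SOFTWARE - (no file)",
])

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        status = "; ".join(entry["findings"]) or "ok"
        print("[%s] %s -> %s" % (entry["name"], entry["exe"], status))
```

Feed it a real log with `scan_log(open("hijackthis.log", encoding="utf-8").read())`. The lookalike check is deliberately loose (distance 2 or less against a short list), so treat a hit as something to inspect by size, date and signature rather than as proof of infection; the "legitimate name outside system32" check catches the case a name-only comparison misses.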
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yeah, I'm a goober ... moved it to Program Files .... running the instructions now ... will report back. Thank you!!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    So far .... so good .... no virus pop up .... Fixed all suggested in HijackThis .... Could not find C:\keys.ini
    or C:\winnt\system32\blamib.exe (assume taken care of in HijackThis).
    Couldn't get into the deleted items in the mail folder, but set it to delete all content in deleted items on exit.:) :) :) :)
    Deleted prefetch and here is the latest log:
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looked clean when I ran it .... I am so grateful for your support .... I constantly direct people to the malware section, telling them to do what's in the Read and Run first .... you'd think I wasn't such a goober, huh?
    Would send you a cake or a six-pack if I could!!:) :) :) :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Surf safely!
     
