Advanced help for advanced problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thanx4ur-help, May 31, 2006.

  1. thanx4ur-help

    thanx4ur-help Private E-2

    Hi ... I accidentally entered the post before finishing. The title should read: Please Help for advanced problem.

    I wish I had found you earlier as I have been having serious trouble fighting infections ... I have elaborated details and scans/logs in the attachments.

    I have followed the instructions in the thread on what to do before posting, which I think cleared some issues; however, since it's serious, it's still not fully removed by nature of this infection. Also, I had difficulty running some online scans.

    thanx4ur-help!
     

    Attached Files:

    Last edited: May 31, 2006
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to Safe Mode and delete these 3 files:
    Ad-Aware reports Nail in the registry, but your HijackThis log shows no signs of a Nail infection.
     
  3. thanx4ur-help

    thanx4ur-help Private E-2

    Hi there & thanx for your speedy response!

    I just looked again and couldn't find any of those files ... I think CounterSpy actually removed them during the trial (so too Ad-Aware seemingly removed 'nail' ...) (the only thing which came up in search is totally different: 'w3ssl.dll' in system32, but it was only accessed now, created/modified in 2004... also the only 'zq' which comes up is 'ZQ561....', a 'cabinet file' in 'MSOCache' .... surely I wouldn't have to delete them, or...?)

    The main problem now seemingly is the constant return of the last 3 registry entries which CounterSpy picked up (end of the 'updated' notepad I attached)... where are they coming from to be constantly reproduced? ... Also there's a lot of registry cleaning I need to do, but I'm scared to delete things that might destabilise my system ...

    Please direct me to the source of these problems, as strange things are still happening (as if someone's watching ...) and I nearly couldn't get my system running (it crashes and things like that ...)

    Thanx so much for your continued help!

    (btw: can I mention the infection names here or is it better not to? It seems newish as so many powerful scans cannot pick it up... it also hides itself extremely well, which bothers me to no end as how will I ever know it's completely out?)
     
  4. thanx4ur-help

    thanx4ur-help Private E-2

    Hi Shadow_Puter_Dude (or any authorised helper) ... while awaiting your response I just want to ask if it is a good idea to delete all '*.tmp' files on my PC, or is it better to wait till we work through systematically ...?

    thanks4ur-help
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    What I need at this point are logs from BitDefender Online and Panda ActiveScan, along with a fresh HijackThis log. After I get those we'll move forward from there.
     
  6. thanx4ur-help

    thanx4ur-help Private E-2

    Hi ... the others I should be able to supply, but Panda doesn't work on my system (I used it in the past, but after uninstalling it hasn't worked since) ... do you want any other?
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you can't run Panda ActiveScan, use CounterSpy.
     
  8. thanx4ur-help

    thanx4ur-help Private E-2

    Hi, BitDefender gave an all clear (however, it finished 2 short of the files it calculated originally, but nonetheless seemed to finish ok...)

    CounterSpy scan attached (however, it was done after the trial expired, as the 'scan' capability seemingly continues as normal ... however, the 'update' facility hasn't worked since it expired ... hence not getting the very latest definitions ...)

    New HJT log attached,

    Thank You!!!
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  10. thanx4ur-help

    thanx4ur-help Private E-2

    Hi, I can assure you that Ewido comes out clean (also in safe mode), as I have run it a few times recently ...

    Thanks for your speedy response!
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The only thing being found by CounterSpy is a leftover Haxdoor Registry Key, and your HijackThis log is clean. Copy the below registry patch to Notepad and Save As FixReg.reg to your Desktop.
    Close Notepad.

    Boot to Safe Mode.

    Double Click FixReg.reg; answer 'Yes' when asked if you want to merge with the Registry.

    Reboot to Normal Mode.

    Post a fresh CounterSpy log.
     
  12. thanx4ur-help

    thanx4ur-help Private E-2

    Hi, that seems to have done the trick on those CounterSpy finds, as the scan I just did came out clean! (even though it hasn't been updated for a few weeks as the trial has expired and I wouldn't upgrade on a dubious machine...)

    However, there are still mysterious, unexplainable things happening on my machine (eg, programs suddenly exiting, programs not opening, slowness etc. etc.) and, having researched this infection, it is known to hide itself extremely well (perhaps in other programs ... my Avast seems to be changing often, as reported by ZoneAlarm ...). I am wondering:

    1. Is it possible that it's lurking in other programs undetected (btw, only CounterSpy picked up on those infections and its left-overs, whilst all others - some online, some offline - didn't...)?

    2. How is it possible to know when infections are completely gone? Are any thorough tests available?

    3. Would it help to fix the problems showing in cleaning programs, like CCleaner, Spybot (advanced mode), RegCleaner ... (also cleaning out all *.tmp files...)?

    4. Is the Kaspersky find of another anti-virus program (XoftSpy), in the attachment, a reason for concern?

    Thanks for your help!! You are doing a great invaluable service to the online community!!
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, Haxdoor does hide extremely well; however, it is also very well documented.

    Avast updates frequently; that may be why ZoneAlarm is reporting changes. I haven't run ZA in a while because I run Avast on my Windows box. Avast and ZA don't play well with each other, unless the incompatibility issues have been resolved recently.

    Different scanners pick up things that others don't. You could run a bunch of different scanners and they'll all find something another one didn't. You can never be absolutely positive that every single file or registry entry created by a virus has been removed from a computer. However, I can tell you with reasonable certainty that the parts of the infection have been killed and removed.

    Running a registry cleaner and a tmp file cleaner at regular intervals is a decent way to remove stuff that isn't needed anymore and reclaim some of your drive space.

    Sometimes scanners report the signature/definition files of other scanners. They're getting better at not doing that, but it still happens.

    Let's take a deeper look at your file system and registry for other locations malware hides.

    Follow the directions in Running WinPFind by OldTimer.

    Post WinPFind.txt and a fresh HijackThis log.
     
  14. thanx4ur-help

    thanx4ur-help Private E-2

    Hi... I'm writing this from a different PC because after downloading and running WinPFind I did a scan, but it completely stopped in the middle and a box came up stating: invalid data type for " ... and then it just hung. After trying in normal mode I tried with safe mode, but with the same result...

    The problem is that after that, when I rebooted into normal mode, nothing worked, ie, I wasn't able to open any programs etc. and things went berserk and crashed all over the place... I wasn't even able to retrieve the first part of the WinPFind log which I saved into Notepad, nor prepare another HJT log, all this whilst the internet connection was unplugged throughout!

    Afterwards I booted into safe mode, where programs seem to be working so far without too much hassle, but I still cannot get the WinPFind log onto any kind of CD-RW or DVD-RW, which I would need to get it onto this site (I did manage to get a copy onto a floppy, but that won't help me on this PC)... reading from the log on the other PC, it seemed to get stuck at [hkey_local_machine ... shellobjectDelayLoad] at %systemroot%\system32\shell.dll ...??

    I had strong suspicions that I was being watched/hacked for a while ... now I'm convinced.... pleaaaaaaaaaase help!!!

    Thanks again 4 letting me rave on ... hopefully we'll very soon get to the bottom of this!
     
  15. thanx4ur-help

    thanx4ur-help Private E-2

    Hi again... one more observation: CounterSpy (in system tools) was showing an unknown/questionable "shell" with no available information about it (the others shown did have)... I found it in shell\cache in Registry Editor, but I wasn't sure if it was smart to delete the entry without checking if it was safe to do so ...? I'm not sure where it came from, nor if it has anything to do with the above... thanks again!
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a new CounterSpy log. Try WinPFind again. It may take a few tries to get it to run completely.
     
  17. thanx4ur-help

    thanx4ur-help Private E-2

    Hi ... CounterSpy (not recently updated) comes out clear ... WinPFind just can't get past that point/pop-up, however many times I try it (normal mode or safe) ...

    Thanx
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If CounterSpy is not current and is an expired trial version then uninstall it. Something is preventing WinPFind from running completely.

    Download Blacklight Beta from here:
    http://www.f-secure.com/blacklight/try.shtml
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and click scan.
      This app too may fire off a warning from your antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items... don't do anything with them yet. Just hit exit (close).
    • It will drop a log on the Desktop that starts with fsbl.... followed by a big number.
    Please post contents of log.
     
  19. thanx4ur-help

    thanx4ur-help Private E-2

    Ok ... blbeta seemed to come out clear, and after uninstalling CounterSpy, WinPFind still stops at exactly the same place ...!? But I attached the first part of the unfinished log...

    Thanx again for ongoing support
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are not showing anything to account for the behavior you are experiencing. You may want to post in the Software Forum, describing your problem and reference this thread.
     