BitDefender shows Trojan, unremoved - Help!?!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dtheb, Jan 9, 2006.

  1. dtheb

    dtheb Private E-2

    I started receiving virus alerts from Norton Internet Security and AVG. Ran scans with both programs and couldn't delete all. Ran Ad-Aware and Spybot, some items removed but kept getting alerts on infections.
    Ran the tools in the Read and Run First thread on Major Geeks site. Bitdefender and Panda Scan show infections still present. I need professional help - not the first time that assessment has been made.
    Here are my computer's specs: Dell Dimension 4700, P4 Processor 530 w/HT, 3.0 GHz, 1 GB DDR2 SDRAM @ 400 MHz, 128MB PCI Express x16 ATI Radeon X300 SE, 160 GB Serial ATA @ 7200 RPM, MS Windows XP Home w/ SP2. Has a DVD-ROM and DVD+RW, 3.5in Floppy, SB Audigy 2 THX.
    Need any more info? Logs attached. Any advice very much appreciated.
    I am getting alerts, redirects occasionally and computer processes slowed. VERY slow logging off and shutting down, which was never a problem before being hit with infections. I was viewing tawdry sites I shouldn't have been when infection occurred.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1. Download and Install CCleaner
      • Note that, when asked to run CCleaner, you should run ONLY the default scan (Windows Tab). Do Not “Scan For Issues”!

    2. Download FixWareout by Lonny and save it to your Desktop.


    3. Download & Install Ewido Security Suite
      • Be sure to uncheck Install background guard and Install scan via context menu when you Install Ewido.
      • After installing EWIDO, please update its definitions by Clicking the Update Button > Start.
      • Just leave it for now. You'll be running it shortly ;)

    4. Please locate your download of FixWareout and INSTALL it.
      • Be sure that Run fixit is checked.
      • Click Finish to begin the fix.
      • Follow the prompts and Reboot when asked to do so.
      • Upon Reboot, follow the prompts and HijackThis should open.

    5. After HJT opens, Click Scan and then Check the boxes for the following, if they should remain:

      O17 - HKLM\System\CCS\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CCS\Services\Tcpip\..\{63B5BE77-A139-4A4E-B81C-57AEE5BAB3CF}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CCS\Services\Tcpip\..\{97A95D3D-279B-4AF9-8D60-825C19D826A1}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C7845079-2793-4606-9F0B-5A808911EBC3}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CCS\Services\Tcpip\..\{E88C1CA6-BBB2-4E1C-9390-837300D91E14}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CCS\Services\Tcpip\..\{EBB87963-B13F-4A45-9692-5664BC402326}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CS1\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227
      O17 - HKLM\System\CS2\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227


    6. Now, run CCleaner, Be sure you only run the Default Scan (Windows Tab) and select Run Cleaner. Do not run any other options from other tabs.


    7. Please Boot to Safe Mode!
      • Open Ewido and Select Scanner. Click Settings, make sure ALL boxes are checked under How to Scan & Unwanted Software and that Scan Every File has been selected.
      • When EWIDO has been configured correctly, click OK.
      • Click Complete System Scan to begin the scan. Allow EWIDO to clean all that it finds and then save the log to where you can find it easily.

    8. After ALL of the above has been completed, please REBOOT to normal Windows, scan with HijackThis and ATTACH that log. Please save and attach the logs from the EWIDO scan, and the log found at C:\fixwareout\report.txt as well.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
     
  3. dtheb

    dtheb Private E-2

    Thanks for the advice. Couldn't get to the whole process last night. Sorry for the delay. I am very anxious to resolve this and appreciate your help.
    Cannot seem to get FixWareout by Lonny to run. This is the readout when I try. Can you help me decipher?
    Also, could not update Ewido in normal running mode but did so in safe mode with networking.

    This batch will remove WareOutand UnSpyPC from your system.

    Use at your own risk.

    Press any key to continue . . .
    Downloading BFU - Brute Force Uninstaller
    Written by Merijn - http://www.merijn.org/

    File Downloader - Version 1.01 (build 7.4)
    Downloads a file from a HTTP or a FTP server.
    Copyright (c) 2004, Noel Danjou <webmaster@noeld.com>.

    Server: castlecops.com
    Port: 80
    Protocol: HTTP

    bfu.zip:
    Cannot create destination file: The process cannot access the file because it is
    being used by another process.

    Done.
    Archive: bfu.zip
    End-of-central-directory signature not found. Either this file is not
    a zipfile, or it constitutes one disk of a multi-part archive. In the
    latter case the central directory and zipfile comment will be found on
    the last disk(s) of this archive.
    unzip: cannot find zipfile directory in bfu.zip,
    and cannot find bfu.zip.zip, period.

    Attempting download from alternate URL

    File Downloader - Version 1.01 (build 7.4)
    Downloads a file from a HTTP or a FTP server.
    Copyright (c) 2004, Noel Danjou <webmaster@noeld.com>.

    Server: www.merijn.org
    Port: 80
    Protocol: HTTP

    bfu.zip:
    Cannot create destination file: The process cannot access the file because it is
    being used by another process.

    Done.
    Archive: bfu.zip
    End-of-central-directory signature not found. Either this file is not
    a zipfile, or it constitutes one disk of a multi-part archive. In the
    latter case the central directory and zipfile comment will be found on
    the last disk(s) of this archive.
    unzip: cannot find zipfile directory in bfu.zip,
    and cannot find bfu.zip.zip, period.
    BFU.exe was not present, unpacked or in proper location

    Please make sure you have a working internet connection or
    download bfu.zip (Brute Force Uninstaller) manualy and extract the file BFU.exe
    to the fixwareout\sub folder then restart the batch, fixit.bat.
    From this address please http://www.merijn.org/files/
    Press any key to continue . . .
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the ewido log and a fresh HJT log.
     
  5. dtheb

    dtheb Private E-2

    The Ewido software caught and cleaned 6 infections as you will see by the log. Thanks for your assistance. I am anxiously awaiting further analysis. This is very intriguing.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/index.jsp

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63B5BE77-A139-4A4E-B81C-57AEE5BAB3CF}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{97A95D3D-279B-4AF9-8D60-825C19D826A1}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C7845079-2793-4606-9F0B-5A808911EBC3}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E88C1CA6-BBB2-4E1C-9390-837300D91E14}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EBB87963-B13F-4A45-9692-5664BC402326}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CS1\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227
    O17 - HKLM\System\CS2\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Also, when running Spybot S&D, be sure you Immunize!

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above, reboot and attach a fresh HJT log.
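    The replies in posts #2 and #6 above ask the poster to fix three kinds of HijackThis entries: O17 NameServer lines pointing every interface at a foreign resolver, R0/R1 start-page overrides, and O2 BHO entries with "(no file)". As an added example (not code from the thread, from HijackThis or from any tool it names), the Python below triages those entry classes from a log automatically; the allowlists and the sample log are assumptions, modelled on the lines quoted in the thread.

```python
"""Triage HijackThis-style log lines for DNS hijack (O17), start-page
overrides (R0/R1) and orphaned BHOs (O2 with "(no file)").
The allowlists and the sample log below are constructed assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the resolvers and home page this owner actually expects.
EXPECTED_RESOLVERS = {"192.168.1.1"}            # hypothetical home router
EXPECTED_HOME_HOSTS = {"www.majorgeeks.com"}    # hypothetical

O17_RE = re.compile(r"^O17 - (?P<key>\S+?): NameServer = (?P<ns>[\d.,]+)$")
R_RE = re.compile(r"^(?P<type>R[01]) - (?P<key>.+?),(?P<name>[^=]+) = (?P<url>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

@dataclass
class Finding:
    kind: str     # dns-hijack | startpage | orphan-bho
    value: str    # the resolver list, host or CLSID that triggered it
    line: str

def _is_private(ip: str) -> bool:
    """RFC 1918 check: a home router as resolver is normal, a public IP is not."""
    p = ip.split(".")
    if len(p) != 4 or not all(x.isdigit() for x in p):
        return False
    a, b = int(p[0]), int(p[1])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def triage_line(line, resolvers=EXPECTED_RESOLVERS, home=EXPECTED_HOME_HOSTS):
    """Return a Finding for a suspicious line, None for benign or unhandled ones."""
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        # Each interface GUID under CCS/CS1/CS2 carrying a foreign resolver is a
        # separate registry key that must be fixed, hence one finding per line.
        bad = [ns for ns in m["ns"].split(",") if ns not in resolvers and not _is_private(ns)]
        return Finding("dns-hijack", ",".join(bad), line) if bad else None
    m = R_RE.match(line)
    if m:
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].lower()
        return None if host in home else Finding("startpage", host, line)
    m = O2_RE.match(line)
    if m and "(no file)" in m["path"]:
        # A CLSID still registered as a BHO whose DLL is gone: leftover from a removal.
        return Finding("orphan-bho", m["clsid"], line)
    return None

def triage(log_text, **kw):
    return [f for f in (triage_line(l, **kw) for l in log_text.splitlines()) if f]

def dns_summary(findings):
    """How many registry keys point at each foreign resolver set."""
    return dict(Counter(f.value for f in findings if f.kind == "dns-hijack"))

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227
O17 - HKLM\System\CS1\Services\Tcpip\..\{21CD9600-9A06-4452-A399-3A5F432B65AF}: NameServer = 85.255.116.100,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAA0000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.kind:11} {f.value:40} {f.line[:60]}")
    print("resolver sets:", dns_summary(hits))
```

The same resolver pair showing up on every interface GUID and on the CS1/CS2 control sets, as it does in the thread, is what distinguishes a hijack from a single stale setting.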
     
  7. dtheb

    dtheb Private E-2

    Well, it's certainly been a prolonged ordeal. I hope this gets me back to normal. Things seem speedier. Spybot took FOREVER to run the other day and this evening it is quite zippy. I am cautiously optimistic.
    What an education, too! Geeks friggin' RULE!
    Thank you so much, BJGarrick. I really appreciate your time and expertise.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download win32delfkil.exe

    • Save it to the Desktop.
    • Double click on win32delfkil and install it (Installeren button)
    • A new folder is created on the Desktop: win32delfkil
    • Close all windows!
    • Open the win32delfkil folder
    • Double click on the fix MS-DOS Batch File
    • The program runs and the computer reboots automatically.
    • After the reboot, and back in Windows, search for the file: C:\windelf.txt
    • Post the contents of the windelf.txt, along with a new HijackThis log.

    After you do the above, see the thread below to run the smitRem.exe utility and attach its log.

    SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal
     
  9. dtheb

    dtheb Private E-2

    Here are the logs for HJT and windelf.txt. I will run the smitRem.exe utility next. Are we gaining?
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, see if you can now run Fix wareout utility on your pc then attach this log as well.
     
  11. dtheb

    dtheb Private E-2

    I ran the smitRem utility. I did not see any of the listed files when I ran HJT. I was able to run fixwareout and will attach report.txt and new HJT log along with smitfiles.txt and log from PAS.
     


  12. dtheb

    dtheb Private E-2


    Things are running okay. Some apps still hang. Can't run Program Scan in my NIS firewall config w/o it hanging.

    Takes 5 minutes just to log off the machine. Didn't do that before my troubles. Keep seeing a couple of message windows upon logging off or shutting down. One is headed ccApp and the other is ShellIconHiddenWindow. Both are unresponsive programs, or something like that. I'll pay more attention next time.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/index.jsp

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\favset.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Downloaded Program Files\myinitialsetup1.0.0.7.inf into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\csbhd.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and let me know what problems remain.
     
  14. dtheb

    dtheb Private E-2

    Downloaded Pocket KillBox to desktop. Ran HJT and found the item you described. Checked the box, clicked FIX.
    By "Locate PocketKillBox", I assumed you meant for me to run it, so I did. I was a little confused by your instructions to "Copy and Paste" the items described. Copy from where and Paste to where? I typed the descriptions into the box. None showed in blue. I selected "Delete on reboot". When I clicked on the red X, the only box that popped was one asking me if I wanted to reboot now. There was no message asking me to confirm my choice. I clicked no until I entered the last item, clicked yes to rebooting and the computer did. It seemed to load faster. I didn't take time to shut it down and reboot to see how quickly, or not, the computer allowed me to log off and shut itself down. I'll let you know about that.
    When it rebooted after running PocketKillBox, and as a matter of fact, the time before that, NIS popped a box stating it was blocking an attempt to change my homepage and the attempt was by about.blank. What up with that?
     
  15. dtheb

    dtheb Private E-2

    Attached FYI. why does ActiveScan keep showing infected files?
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you complete the above, reboot and then manually locate and delete the below files/folders:

    C:\!KillBox

    C:\WINDOWS\system32\SBUtils

    After you delete the above, reboot and attach one last HJT log.
     
  17. dtheb

    dtheb Private E-2

    Followed instructions of your last post. Attached is log file from HJT. Computer seems to be running fine. Haven't spent much time on the web. Still having trouble with NIS hanging when trying to modify configurations. And, logging off is agonizingly slow and had never been that way before infections.
    Will run through READ AND RUN again to check for problems.
     


  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Completely disable Norton, shut it down then repeat my last post. After you do that, post your Norton problem in the Software Forum. Those guys will help you with that.
     
  19. dtheb

    dtheb Private E-2

    Disabled NIS, followed instructions for last post from you. Attached is HJT log.
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Crap, I didn't see MSAS; disable or uninstall "Microsoft AntiSpyware" and then run the second registry patch again.

    After, attach a fresh HJT log; I want to make sure the entry is gone.
     
  21. dtheb

    dtheb Private E-2

    I disabled MSAS and NIS and merged second registry patch, "iefix.reg". Attached is HJT log.
     


  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right click on the MS Antispyware icon in the system tray and select Shutdown Microsoft Antispyware and approve the shut down when it asks you.

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, follow the below...

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter myway and post back with the results in this thread (call it regsrch.txt).
     
    Last edited by a moderator: Jan 15, 2006
  23. dtheb

    dtheb Private E-2

    Hi BJGarrick-
    Can I ask you to explain some of the procedures to me that you have asked me to undertake? Not that I would understand everything - I won't. Still... I would appreciate some enlightenment. Thanks for indulging me.
    From a standpoint of performance, my PC is running okay. No redirects on the web, faster page loading. But Norton Internet Security is sucking the hind one. I can't even get the home page to load. Every time I try to check any configurations, it freezes the computer. I cannot always log off successfully from MY settings, although there seems to be no problem from my daughter's or my wife's. I have had to use the power button several times to get the damned thing shut off.
    Today, a message popped up about a corrupt file in Documents and Settings. It recommended running "checkdisk utility" - and I thought by clicking on the box it would bring that up. Instead, it just disappeared and I don't know anything about such a utility. Suggestions?
    Well, here is regsrch.txt.:rolleyes: :rolleyes:
     


  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, reboot into Safe Mode and manually locate the following folder and delete if found:

    C:\Program Files\MyWay

    Afterwards, please reboot back to normal Windows and proceed with the below.

    Download the attached ZIP file. Extract the contents to your desktop and run the regfix.reg. Double click to merge, click YES when prompted.

    After you complete the above, reboot and attach a fresh HJT log.
     


  25. dtheb

    dtheb Private E-2

    Did not find MyWay folder/files.
    regfix.reg produced the following dialogue box from Registry Editor: Cannot import C:\DOCUME~1\Dave\LOCALS\Temp\Temporary Directory\for regfix.zip\regfix.reg:Error accessing the registry.:eek:
     
  26. dtheb

    dtheb Private E-2

    I changed my home page to majorgeeks.com. but now, when I try to return there, I end up with about.blank in the address window.:mad: :confused: :eek:
     
  27. dtheb

    dtheb Private E-2

    I meant "about:blank".
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Set your homepage manually, reboot and see if it changes, also attach one more HJT log.
     
  29. dtheb

    dtheb Private E-2

    Changed homepage, rebooted. IE still loads "about:blank".

    Attached is HJT log.

    Did ActiveScan last night and scanned with Norton Anti-virus. Both showed no infections.

    Should I turn off System Restore?
     


  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, disable it and then re-enable it to flush any bad restore points.

    Does IE still show your homepage as about:blank? Your log doesn't show anything, so that's why I'm asking. If you set it to something manually it should stay, because you have no signs of a hijacker.
     
  31. dtheb

    dtheb Private E-2

    BJGarrick-
    Thanks for all your help. about:blank is gone. I ran through the steps in READ AND RUN FIRST and Spybot picked up 3 items and BitDefender picked up Trojan.Startpage.IX which seemed to be the problem.
    Except for the shutdown problems, everything seems to be back to normal. Symantec offers little to no help. Disabling the scan at shutdown of Drive A seems to be completely ineffectual. So, I don't know what I will try next but I am sure this site can be of help.
    It has been a real education. Although I was keeping my NIS updated daily with automatic updates, and ran both AdAware and Spybot regularly, something still slipped by. What a pisser that there are a**holes out there preying on us ignoramuses.
    Again, thanks for your assistance. Any further instructions or advice? Need anymore logs? Let me know what your final assessment is of the condition of my computer from where you sit.
    Oh yes...any opinion on using something like Registry Mechanic?:)
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Registry Mechanic is good, I use Reg Supreme Pro, from what I have seen both do a good job.

    If you're having any software problems, you can post those issues in the software forum and they will help you with any you have.

    You should see this article on How to Protect yourself from malware!

    Surf Safely!:)
     
