Can't Beat the Virus/Trojan H-E-L-P

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kshapi, Dec 28, 2004.

  1. kshapi

    kshapi Private E-2

    Hey MG, I have followed your guided tour and instructions to removing Trojans, Adware, Viruses, etc. and almost have my system (WIN XP) back to normal but I need your help to get rid of the last buggers. I have attempted to religiously follow chaslang's teachings... but alas I am WAY out of my league... see below.

    I started with the problem about 4 days ago... total system meltdown thru infections... all at one time. I had multiple Dialers installed, several Trojans, WWW.CoolWebSearch infestation, DSOExploit, common hijackers, 200+ hits from AdAware, loss of control of the recycle bin and multiple IEXPLORE.exe running hidden in the Task Manager, about:Blank (I think) + the list goes on and on.

    I have read the Tutorial Sticky: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting and

    After going thru all of the steps outlined I have gotten rid of most of the obvious problems having removed Trojans, ADWare, WWW.CoolWebSearch etc..... I took it a step further and analyzed my HIJACKTHIS file (both in and out of SAFE MODE) however I am still having some problems. Trend On-Line's Scan found the TROJ_NARRATOR.A virus and could not remove it.

    Tonight I did the following to be double sure I covered all bases:

    1) Computer NOT in Safe mode: Restore Disabled, Hidden Files Showing.
    • AD-Aware w/ VX2 plug-in
    • CC cleaner
    • SpyBot S&D w/ DSO exploit fix
    • SpyWare Blaster
    • McAfee Stinger
    • CW Shredder
    • Kill2Me
    • About Buster
    • HS Remove
    • ADS SPY
    • Spy Sweeper
    • Trojan Hunter
    • Trojan Remover
    • Upgraded Windows Service Pack V2 for XP
    • Installed Sygate Firewall

    Notable results for the above scans:
    SpySweeper: removed 2nd Thought Trojan, 8 ADware files and 1 System monitor file
    Trojan Hunter: found one possible Trojan
    AD-Aware: found 5 objects...previously found none after my previous cleanings.
    HSRemove: removed 8 items.

    ALL OTHER SCANS resulted in nothing.

    2) Computer IN Safe mode: Restore Disabled, Hidden Files Showing.
    -Repeated all of the above steps and seemed to be able to remove the above trojan.
    -Reviewed HIJACKTHIS scan results and removed one each R0 and R3 lines as well as several O4 xxxxx.exe files

    Previous scans in days prior I had several Winsock hijacks that seem to now be gone.

    Computer now back in normal operating mode (not SAFE)

    Currently this is what I am experiencing:
    -Multiple iexplorer.exe Tasks running with no windows open
    -Firewall indicating NDISuio.sys repeatedly trying to connect to Internet
    -firewall indicating iexplorer.exe trying to connect to internet (note: no browser windows open)
    -Deleted files not accessible in recycle bin


    I am weary and bleary-eyed having put in about 25 hours in the past 4 days to try to get my system back....... can you help?

    I can re-run any scan and post the logs if necessary, please advise and HUGE THANKS for providing the information to get me to where I am right now.

    kendall
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Kendall,

    Sounds like you have learned a lot and made quite a bit of progress. Let's continue.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. kshapi

    kshapi Private E-2

    Hi chaslang,

    OK back to it.... I am home and can start to work on this bugger. I rebooted my computer to start from scratch. Got a Dr. Watson error (never had that before) and my free Sygate Firewall failed to load. It also won't load when I try to start it with the .exe file.

    I closed 7 (hidden) copies of iexplorer.exe from the Task Manager, closed all open windows and ran HIJACKTHIS. I have attached the Logfile. Let's get this party started :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please clarify your current problems. I do not see any iexplorer.exe processes running.

    Did you keep backups from what you fix with HJT? Are you sure you did not delete something for your Sygate firewall?

    Bigger question/potential problem:
    - WinXP SP2 has a built-in firewall
    - Norton Internet Security Suite (which I believe you have) also has a firewall
    - you say you also have Sygate firewall

    You must only have one software firewall installed on your system.


    These two lines can be fixed with HijackThis
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)

    Do you know what this below Service is for:
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
     
  5. kshapi

    kshapi Private E-2

    Current Problems:
    • multiple iexplorer.exe processes running in Task Manager
    • Firewall continually blocking unprompted iexplorer.exe attempts to connect to internet
    • Firewall blocking generic svchst.exe from connecting to internet
    • firewall blocking NDIS from connecting to internet
    • Recycle bin not allowing me to see deleted files
    • Firewall notification "program NT kernel and system.....NTOSKRNL.exe" trying to connect to internet

    Answers to your Q's:
    I kept paper copies and logfiles from all recent HJT scans.

    Sygate Firewall started up with no problems when I reconnected my computer to the internet and rebooted

    Firewall issue:
    - WinXP SP2 has a built-in firewall: I elected not to enable it because I had Sygate running
    - Norton Internet Security Suite (which I believe you have) also has a firewall: Yes, does not block nearly as much as Sygate. I have Norton Systemworks 2004 installed
    - you say you also have Sygate firewall: YES - currently operating

    You must only have one software firewall installed on your system.

    What are your recommendations for only one firewall? I would like to keep some of the functionality of the Norton Package and am not sure if I can selectively not use their virus or firewall programs?? Can we tackle this after removing the bad stuff?


    I fixed the following with HijackThis Per your recommendation:
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\LastGood\System32\msjava.dll (file missing)

    I did not know what this below Service is for....cleaned it out w/ HJT as well:
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe


    Upon reboot, I am still experiencing the firewall block all of the same items trying to connect to the internet. Multiple iexplorer.exe processes running in Task Manager.

    I ran another HJT scan and have attached it. Shall I redo this in SAFE mode?

    thanks for the continued support!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are no iexplorer.exe processes showing in your HJT process list. Look at it yourself.

    Try downloading and running ProcessExplorer from: ProcessExplorer for Win NT/2K/XP

    Does it show any iexplorer.exe processes running?

    Did you look into disabling Norton's firewall? I don't have it so it would be difficult for me to explain anything about it. Check your documentation, call Symantec, or post a question in the Software Forum on how to do that.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it really saying svchst.exe or was it svchost.exe?

    Firewall blocking generic svchst.exe from connecting to internet
    svchost.exe running from c:\windows\system32 is a valid windows process that you can allow access to the internet
     
    Last edited: Dec 28, 2004
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Does your firewall give a filename for ---> blocking NDIS from connecting to internet

    - ntoskrnl.exe is a valid windows program but I doubt it requires internet access. Just deny it and always use that setting.
     
  9. kshapi

    kshapi Private E-2

    I think I now know what is confusing you. When reading the tutorial for HJT I believe I interpreted "close all programs including IE web browsers" as I needed to make sure to close all IE...and I closed all of them in the Task Manager as well...that is why they are not showing up I would assume.

    Running Process Explorer shows 4 current iexplore.exe's running

    Looking into disabling Norton Firewall......may take some time.

    sorry for the above confusion on the iexplore.exe

    Just saw your other 2 posts.....
    Is it really saying svchst.exe or was it svchost.exe? My typo, it was svchost.exe

    Looked in the Firewall process listing...the NDIS filename is as follows:

    C:\WINDOWS\system32\DRIVERS\ndisuio.sys

    next steps???

    thanks for the patience:)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ndisuio.sys is a process belonging to the NDIS User Mode I/O (NDISUIO) NDIS protocol driver which offers support for wireless devices such as Bluetooth and the like. This program is important for the stable and secure running of your computer and should not be terminated. I don't know if it needs internet access. Just deny it and tell your firewall to always use that setting.

    I would allow svchost.exe access to the internet and always use that setting.

    Okay so now you say "Running Process Explorer shows 4 current iexplore.exe's running"
    Is that with no Internet Explorer browsers actually open?

    Try rebooting your system and run absolutely nothing but HJT (don't run Task Manager or anything else) and immediately get a log. Now come here and post that log.

    If you can close them, I would expect that they are actually real IE sessions. There have been cases of IE showing up in the process list and none showed on the screen but they could not be closed. That was malware.
     
  11. kshapi

    kshapi Private E-2

    Ok, rebooted and ran HJT. Log attached.

    In the short time I rebooted and got to this site, I had about 15 different firewall blocks of iexplorer.exe trying to connect to various websites... mostly the sites were completely random.. probably ADWARE. I can barely type this without having to deny access to a different site every 10 seconds. It is completely out of control... worse than ever!! Ahhhhhhh!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you get any popups at all?
    What are the websites that it is trying to connect to?

    Run CCleaner and just the cleaner (do not scan or fix any issues with it)?

    Also Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  13. kshapi

    kshapi Private E-2

    No popups at all are coming up.

    Websites that the computer is trying to connect to are as follows, per the Sygate Firewall Log:

    www.thalessecurities.com
    www.pay-ace.com
    jimsfloors.com
    www.great-hyip.com
    www.e-gold.com
    .e-gold.times.lv
    www.cloudwrangler.com
    www.owlcam.com
    httpcode.com
    www.saunalahti.fi
    cajconnections.com
    www.zonezero.com
    www.abcgallery.com
    www.comersus.com
    www.buildwebsite4u.com
    laughingsquid.net
    www.stopdesign.com
    www.google.com
    shellwindows.com
    www.microsoft.com
    www.trendmicro.com

    several instances of each attempt were found in the log.



    I ran CC Cleaner but did not see options for "not scanning or fixing issues"...my only option seemed to be "Run Cleaner" so I did that.


    Reset the web settings and followed the steps you outlined including home page re-assignment.

    Now what shall we try? I really appreciate all the help!!! :)
     
  14. kshapi

    kshapi Private E-2

    In addition.....

    The Sygate log indicated the following description for each of the sites the computer tried to connect to:

    Application Hijacking has been detected
    The application: C:\WINDOWS\system32\rundll32.exe try to launch another application: C:\Program Files\Internet Explorer\iexplore.exe to go to remote host
    www.xxxx.com (please see the list of sites "xxxx.com" in my last post).

    So is the rundll32.exe the culprit? It can't be as easy as deleting it now can it???? :rolleyes:
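The Sygate entries quoted in the last two posts are exactly the kind of log worth tallying before deciding what to delete: the launching program, the launched program and the remote host. The script below is an added example, not part of the thread and not Sygate's or MajorGeeks' code. It assumes the message layout matches the three lines kshapi quoted (the real Sygate log format is not shown here, so the sample lines are constructed), and it assumes `explorer.exe` is the only image a user-initiated browser start should be attributed to.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the message quoted in post 14; the remote
# hosts are taken from the list in post 13. Exact wording and spacing of a
# real Sygate log are an assumption.
SAMPLE_LOG = r"""
Application Hijacking has been detected
The application: C:\WINDOWS\system32\rundll32.exe try to launch another application: C:\Program Files\Internet Explorer\iexplore.exe to go to remote host www.pay-ace.com
Application Hijacking has been detected
The application: C:\WINDOWS\system32\rundll32.exe try to launch another application: C:\Program Files\Internet Explorer\iexplore.exe to go to remote host www.great-hyip.com
Application Hijacking has been detected
The application: C:\WINDOWS\system32\rundll32.exe try to launch another application: C:\Program Files\Internet Explorer\iexplore.exe to go to remote host www.pay-ace.com
Application Hijacking has been detected
The application: C:\WINDOWS\explorer.exe try to launch another application: C:\Program Files\Internet Explorer\iexplore.exe to go to remote host www.majorgeeks.com
"""

EVENT_RE = re.compile(
    r"The application: (?P<launcher>.+?) try to launch another application: "
    r"(?P<launched>.+?) to go to remote host (?P<host>\S+)"
)

# Images a user-driven browser start is normally attributed to (assumption).
EXPECTED_LAUNCHERS = {"explorer.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hijack_events(log_text):
    """Return (launcher_path, launched_path, host) for every hijack line."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("launcher"), m.group("launched"), m.group("host").lower()))
    return events


def hosts_by_frequency(events):
    """Remote hosts the launched program kept trying to reach, most frequent first."""
    return Counter(host for _, _, host in events).most_common()


def launcher_report(events):
    """Map each launching image to the set of hosts it drove the browser to."""
    report = defaultdict(set)
    for launcher, _, host in events:
        report[basename(launcher)].add(host)
    return dict(report)


def unexpected_browser_launches(events, expected=EXPECTED_LAUNCHERS):
    """Events where the browser was started by something other than a normal
    user-facing launcher. rundll32.exe starting a browser means a DLL that
    rundll32 had loaded asked for it, so the DLL, not rundll32.exe, is what
    to look for."""
    return [
        (launcher, host)
        for launcher, launched, host in events
        if basename(launched) == "iexplore.exe" and basename(launcher) not in expected
    ]


if __name__ == "__main__":
    evts = parse_hijack_events(SAMPLE_LOG)
    for host, n in hosts_by_frequency(evts):
        print(f"{n:3d}  {host}")
    for launcher, hosts in launcher_report(evts).items():
        print(launcher, "->", sorted(hosts))
    print("unexpected:", unexpected_browser_launches(evts))
```

Run against a real export, the `launcher_report` is the line to read first: a browser launched by the shell to reach the home page is expected, while the same browser launched by `rundll32.exe` to reach a string of unrelated sites says the signed-and-valid `rundll32.exe` is only the host, which is why chaslang's reply checks its version info rather than deleting it.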
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    c:\windows\system32\rundll32.exe is a valid, necessary Windows program. Unless overwritten by malware. Right click on it and get Properties, Version info. Make sure it is a Microsoft application

    But check for this
    c:\cmd.exe - if found delete it.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was saying not to click the Issues tab (not very clearly). I only wanted you to run the cleaner and that's done.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look at this:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html

    Also bring up your hosts file by clicking Start, Run, and enter notepad c:\windows\system32\drivers\etc\hosts and click OK

    If it has anything else in it besides what is in the below quote box, delete the other info and tell me what was there.

     
  18. kshapi

    kshapi Private E-2

    Good Morning chaslang!

    Latest Actions and results:

    1) Properties of the file c:\windows\system32\rundll32.exe

    file version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    Description: Run Once Wrapper
    copyright: © Microsoft Corporation. All rights reserved.

    2) I did a search for CMD.exe and found the following:

    CMD.exe in folder C:\WINDOWS\system32
    CMD.exe in folder C:\WINDOWS\servicepackfiles\i386
    eventcmd.exe in folder C:\WINDOWS\servicepackfiles\i386
    CMD.exe in folder C:\WINDOWS\softwaredistribution\download\6ca7b3a8efd5a9b6f87fff395a2eb989
    eventcmd.exe in folder C:\WINDOWS\softwaredistribution\download\6ca7b3a8efd5a9b6f87fff395a2eb989

    I did not find CMD.exe in the C:\ folder so I took no action. Is this correct? Note: looking at properties for 3 above CMD.exe files all seemed to be Microsoft Products.

    3) Results of the START/RUN: notepad c:\windows\system32\drivers\etc\hosts

    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy

    I deleted all entries except the 2 "Spybot" lines and then saved the file.

    4) Reviewed http://securityresponse.symantec.co...iroot.worm.html and loaded updates.

    OK, off to work soon, will be back on-line tonight. Again, you are a superstar, thanks SO much for the continued support!!! :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The rundll32.exe file is valid as I said and yours is the legit MS version.

    All the cmd.exe items you found are okay.

    The only line that should really be in your hosts file is
    127.0.0.1 localhost

    Add it in and remove anything else. You could have all the stuff from my previous post (the other lines are just comment lines). You do not need those Spybot entries.

    Did anything from the Symantec link help?

    And you're welcome!
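The hosts-file check in the last few posts generalises: a line that sends a name to 127.0.0.1 (what Spybot adds) only blocks that name, while a line that sends a name anywhere else diverts traffic for it, and that second kind is the one worth noticing. The audit below is an added example, not from the thread or from Spybot; the first twelve sample lines are the file kshapi reported in post 18, and the last line is a hypothetical redirect with a documentation-range address added to show the case the classifier exists for.

```python
import ipaddress

# Constructed sample: lines 1-12 are the contents reported in post 18; line 13
# is a hypothetical redirect entry added here (192.0.2.0/24 is reserved for
# documentation, and the host name is invented).
SAMPLE_HOSTS = """\
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
192.0.2.10 update.example-vendor.test
"""

# The one line chaslang says a hosts file really needs.
CLEAN_HOSTS = "127.0.0.1 localhost\n"


def parse_hosts(text):
    """Return (line_no, address, [names]) for each non-comment, non-blank line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments, including Spybot markers
        if not body:
            continue
        parts = body.split()
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def classify(address, names):
    """'ok'        the one line a stock hosts file needs
       'sinkhole'  names pointed at loopback/unspecified: blocks them, harmless
       'redirect'  names pointed anywhere else: traffic for that name is diverted
       'invalid'   address does not parse"""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if ip.is_loopback and names == ["localhost"]:
        return "ok"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"
    return "redirect"


def audit_hosts(text):
    """Group entries by class so the redirects stand out."""
    result = {"ok": [], "sinkhole": [], "redirect": [], "invalid": []}
    for line_no, address, names in parse_hosts(text):
        result[classify(address, names)].append((line_no, address, names))
    return result


def is_stock(text):
    """True when the file holds nothing but the localhost line."""
    audit = audit_hosts(text)
    return len(audit["ok"]) == 1 and not (audit["sinkhole"] or audit["redirect"] or audit["invalid"])


if __name__ == "__main__":
    for cls, entries in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, address, names in entries:
            print(f"{cls:9s} line {line_no:2d}: {address} {' '.join(names)}")
    print("stock file:", is_stock(CLEAN_HOSTS))
```

Paste the contents of `c:\windows\system32\drivers\etc\hosts` into `SAMPLE_HOSTS` and look at the `redirect` bucket before anything else; the `sinkhole` bucket is the Spybot-style blocking that chaslang says you can keep or drop as you like.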
     
  20. kshapi

    kshapi Private E-2

    Hi chaslang,

    I revised notepad c:\windows\system32\drivers\etc\hosts to only read: 127.0.0.1 localhost

    I loaded the Virus definition updates from the Symantec link but cannot 100% say what effect it may have had on my system. Also, there are detailed instructions on Copying Regedit.exe to Regedit.com, and reversing the changes made to the registry. I am not sure this is necessary.. thoughts? Honestly, I was a bit confused by the information on the Symantec Link. For reference, a system scan with Norton did not indicate any signs of the W32.Miroot.Worm.

    So at this time, I have restarted my computer 1x and have not had my firewall block anything other than "iexplorer.exe attempting to connect to the internet "www.majorgeeks.com" (which is my home page at this time).

    It appears that the system is running well but I don't want to get lulled into a false sense of security. So, I have a few questions......

    1) what should I do to make sure all is running well? Or in other words what would YOU have me do to be sure my system is clean and free of all that is BAD. Re-run all scans and post logs?

    2)I am familiar with your posting....."How to Protect yourself from malware! " I can institute your recommendations as well as working on getting only ONE firewall running on my computer..Either Norton or Sygate any other recommendations?

    3) IF I had an enormous pile of cash in an account in the Cayman Islands would you consider accepting all of that as a sign of my gratitude for your help in resolving my issues? Honestly, I wish I had that pile of cash for you... you are a lifesaver!!!

    But I don't want to get too ahead of myself.....let's make sure all is OK on my system before I crack the champagne a few days early!

    best regards,
    kendall
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kendall,

    If a scan showed no signs of the W32.Miroot.Worm, then don't worry about the cleanup stuff.

    If it was not running well, I would assume you would notice it. But if you want to be extra sure run the READ ME FIRST again. I don't need any logs unless you think something is wrong.

    As far as firewalls, a few are listed in the How to Protect thread. You will notice Norton is not on the list. Personally I like Zonealarm and there is a free version. Sygate has a free version too and is good. Kerio is very good but there is no free version.

    Oh yeah! I would accept cash! Or even a few weeks in Cayman Islands would do! LOL!

    You're welcome. Let's hope everything remains clean and calm.
     
  22. kshapi

    kshapi Private E-2

    Right-o!! I'll re-run per "Read Me" and update per "How to protect" tomorrow and monitor system thru several shut-downs/start-ups and internet connections. Will also sort out the firewall issue and choose ONE.

    Keeping my fingers crossed and will post more tomorrow or Fri with latest results.

    Again...deeply in your debt!!!!! I am your humble servant!
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know if you have any more problems.
     
  24. kshapi

    kshapi Private E-2

    Hi chaslang,

    Well looks like I still have some bugs in the computer.

    I re-ran all steps in "Read Me" and a few extra virus scans and found a few Trojan results from Norton, Trend Micro and Bitdefender... all different.

    *I have attached a text file that details the results of all of my scans. and what files I was able to DELETE.
    *I have also attached my latest HJT log from my last SAFE mode HJT scan.
    *Additionally, I attached the logfile from PROCESS EXPLORER from SAFE MODE....you can see there are 28 iexplore.exe processes running....no Explorer windows were open.

    So the issues I am experiencing are:

    *Scans still detecting Trojan viruses
    *Recycle Bin Still will not function properly...open it and see no deleted files when I have not asked files to be completely deleted
    *multiple iexplorer.exe processes running unprompted... something is initiating this and I suspect it is some reloading .EXE file..... but where?
    *firewall is still blocking a few iexplorer.exe attempts to connect to the internet...but the quantity has decreased greatly over a few days ago
     

    Attached Files:

  25. kshapi

    kshapi Private E-2

    Here is the PROCESS EXPLORER LOG...attached
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try manually deleting:
    C:/Program Files/CashBack <--- folder
    C:/Program Files/BullsEye Network <--- folder
    C:\WINDOWS\sysml.dll

    May need to do it from safe mode.
    HJT logs from safe mode are not typically very useful. Only post one from safe mode if we ask for it or if it is the only way HJT will run.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After trying to fix those items, download the following tools and have them handy:

    Generic Detection Tool

    http://www.downloads.subratam.org/DllCompare.exe

    http://www.downloads.subratam.org/VX2Finder.exe

    http://www.downloads.subratam.org/KillBox.zip



    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go. The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.
     
  28. kshapi

    kshapi Private E-2

    Good Morning...

    You asked me to manually delete:
    C:/Program Files/CashBack <--- folder
    C:/Program Files/BullsEye Network <--- folder
    C:\WINDOWS\sysml.dll

    The Folders "Cashback" and "Bullseye network" were not present. I believe the Norton Scan said that they were compressed files hidden within other files that I was able to successfully delete the other day; those files were: (netut80ex.vxd, mac80ex.idf and psis80ex.ax)

    I was not able to delete "sysmn.dll" in either regular or SAFE mode. ACCESS DENIED

    I downloaded Generic Detection Tool , ran FINDIT and attached the log to this post.

    I have loaded on my computer the following for future use if necessary.
    *DllCompare.exe
    *VX2Finder.exe
    *KillBox.zip

    over and out...thanks again!
    kendall
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

    C:\WINDOWS\System32\o8840ilqe8qe0.dll
    C:\WINDOWS\System32\gp80l3lm1.dll
    C:\WINDOWS\System32\dlrgui.dll
    C:\WINDOWS\System32\irnsl5571.dll
    C:\WINDOWS\System32\e2jm0c11ef.dll
    C:\WINDOWS\System32\kt0sl7d71.dll
    C:\WINDOWS\System32\m8lsli3718.dll
    C:\WINDOWS\System32\i2lolc331f.dll
    C:\WINDOWS\System32\en44l1hq1.dll
    C:\WINDOWS\System32\g6jo0g13e6.dll
    C:\WINDOWS\System32\k6pm0g71e6.dll
    C:\WINDOWS\System32\mrvideo.dll
    C:\WINDOWS\System32\rZcpldlg.dll
    C:\WINDOWS\System32\p28qlcl51fq.dll
    C:\WINDOWS\System32\n08olal31dq.dll
    C:\WINDOWS\System32\n4l8le3u1h.dll
    C:\WINDOWS\System32\azaol9131.dll
    C:\WINDOWS\System32\enr4l19q1.dll
    C:\WINDOWS\System32\fp0803due.dll
    C:\WINDOWS\System32\aza0l73m1.dll
    C:\WINDOWS\System32\mv0sl9d71.dll
    C:\WINDOWS\System32\hr0005dme.dll
    C:\WINDOWS\System32\mvjol9131.dll
    C:\WINDOWS\System32\n82u0if9e82.dll
    C:\WINDOWS\System32\k480lelm1hqa.dll
    C:\WINDOWS\System32\ktl0l73m1.dll
    C:\WINDOWS\System32\fp4403hqe.dll
    C:\WINDOWS\System32\p44u0eh9eh4.dll
    C:\WINDOWS\System32\dnlm0131e.dll
    C:\WINDOWS\System32\dn0o01d3e.dll

    and c:\WINDOWS\system32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\o8840ilqe8qe0.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After it reboots get another findit.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
  30. kshapi

    kshapi Private E-2

    OK went thru all Pocket Killbox steps and when prompted by the program to reboot, after the very last file as you indicated, I said yes.

    A window popped up stating "Verifying Registry entries, PLZ wait"

    Then another window popped up Named:
    PendingFileRenameOperations

    In that box there was a message stating:

    "PendingFileRenameOperations Registry Data hes been removed by External Processes"


    Computer is not shutting down on its own....shall I shut it down myself or do we have an issue?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! We get this sometimes. A piece of malware or another program is deleting the changes added to the Pending Operations list. I doubt all (if any) of the deletions are going to work.

    Reboot manually and post me a new HJT log and a new findit.bat log.
     
  32. kshapi

    kshapi Private E-2

    Manual ReBoot completed.

    Upon startup, Firewall blocked about 6 attempts for computer to connect to current homepage (WWW.Majorgeeks.com) and to Google.com (my old home page).

    Ran HJT and FindIT. Logs attached.....
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to try this by just killing some processes before running the fix with Killbox. If this does not work, we are probably going to have to uninstall Spy Sweeper, Spyware Doctor, and Trojan Hunter.

    Hang on, I'm working on a procedure.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it cleaned up more than I thought! We may be able to continue without uninstalling those programs.


    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.

    Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg
    Physically disconnect (unplug your cable - this is important) from the internet.
    Doubleclick the fixvx2.reg file you created and grant it permission (when asked) to merge in the registry entries.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log. Tell me if you are still getting those additional Iexplorer.exe processes starting up on their own. Do not kill any if you do, I want to see them.
     
    Last edited: Dec 31, 2004
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just made some changes to the below procedure, make sure you refresh and re-read.
     
  36. kshapi

    kshapi Private E-2

    Ok....ran thru your steps the first time and then came back and saw your update so re-ran with the updated information.

    New FindIT and HJT logs attached.

    Sygate Firewall does not work on start-up if disconnected from the internet, I have found, so I was not directly able to see the processes starting to try to connect to the internet. So, I ran PROCESS EXPLORER and found, STILL, multiple iexplore.exe processes running.

    I am restarting the computer to get the firewall back up and running. Then I have to be offline for several hours. Will check back later for other instructions!!

    This is a tough one, eh? Happy New Year and thanks for the continued support!!!!!
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The VX2 problem is all cleaned up now but you still have all those IE process running at startup. We need to figure out what is doing that.

    I want you to use HJT to create a Startup List Log as follows.

    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

    If I cannot find anything in that log loading IE, I probably will want to uninstall some items like I mentioned before. Are you up for that?
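The question chaslang is working through here, "what is starting all these IE processes", is a parent-process question, and Process Explorer's tree view gives the raw material for it: each browser instance, its parent PID, and whether that parent is still alive. The script below is an added example, not from the thread and not Process Explorer's or HijackThis's code. It works on a constructed snapshot of (pid, parent pid, image name) tuples with hypothetical PIDs; two parents are deliberately missing from the snapshot to model a launcher that exited after spawning, which is the case a plain process listing hides.

```python
from collections import Counter

# Constructed process snapshot as (pid, parent_pid, image_name), the columns
# you would copy out of a process-tree view. PIDs and tree shape are
# hypothetical; parents 1300 and 2050 are intentionally absent (exited).
SNAPSHOT = [
    (4, 0, "System"),
    (540, 4, "smss.exe"),
    (612, 540, "winlogon.exe"),
    (656, 612, "services.exe"),
    (1120, 656, "svchost.exe"),
    (1500, 1300, "explorer.exe"),    # shell; its launcher is gone, which is normal
    (1800, 1500, "iexplore.exe"),    # browser the user opened from the shell
    (2000, 1500, "rundll32.exe"),    # rundll32 hosting some DLL
    (2100, 2000, "iexplore.exe"),    # browsers started by whatever that DLL is
    (2104, 2000, "iexplore.exe"),
    (2200, 2050, "iexplore.exe"),    # launcher already exited: orphaned browser
]


def count_by_image(snapshot):
    """How many instances of each image are running (case-insensitive)."""
    return Counter(name.lower() for _, _, name in snapshot)


def ancestry(snapshot, pid):
    """Image names from `pid` up to the root, ending in '<exited:N>' when the
    chain breaks because parent N is no longer in the snapshot."""
    by_pid = {p: (pp, name) for p, pp, name in snapshot}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)            # PID reuse can make the parent link loop
        ppid, name = by_pid[pid]
        chain.append(name)
        if ppid == 0:            # System reports parent 0: top of the tree
            break
        if ppid not in by_pid:
            chain.append(f"<exited:{ppid}>")
            break
        pid = ppid
    return chain


def parent_summary(snapshot, image):
    """Which images (or exited PIDs) are the direct parents of `image`."""
    by_pid = {p: name for p, _, name in snapshot}
    parents = Counter()
    for pid, ppid, name in snapshot:
        if name.lower() == image.lower():
            parents[by_pid.get(ppid, f"<exited:{ppid}>")] += 1
    return parents


def unexplained_instances(snapshot, image, shell="explorer.exe"):
    """Instances of `image` not started directly by the desktop shell. Each one
    needs an explanation (a startup entry, a DLL loaded by rundll32, a
    launcher that has since exited) before the machine can be called clean."""
    by_pid = {p: name for p, _, name in snapshot}
    return [
        pid for pid, ppid, name in snapshot
        if name.lower() == image.lower() and by_pid.get(ppid, "").lower() != shell
    ]


if __name__ == "__main__":
    print("iexplore.exe instances:", count_by_image(SNAPSHOT)["iexplore.exe"])
    print("parents:", dict(parent_summary(SNAPSHOT, "iexplore.exe")))
    for pid in unexplained_instances(SNAPSHOT, "iexplore.exe"):
        print(pid, " <- ".join(ancestry(SNAPSHOT, pid)))
```

A parent that is still running (here `rundll32.exe`) can be opened in Process Explorer to see which DLL it loaded; a parent that has already exited leaves only the startup locations to search, which is what the StartupList log requested above is for.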
     
  38. kshapi

    kshapi Private E-2

    Startuplist file from HJT is attached.

    Let me know next steps...am willing to uninstall programs if necessary...lets get this bugger!

    Happy 2005!!!
     

    Attached Files:

  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you use the Verizon software?
     
  40. kshapi

    kshapi Private E-2

    HI!

    Are you referring to the following line in the Startup file:

    C:\Program Files\Verizon Online\ControlPad\cpad.exe

    It is a control panel provided by Verizon that pops up on the screen to provide some internet shortcuts.

    I don't use it..
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Actually I'm referring to:

    Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe

    If you do NOT use the Verizon software, go into Add/Remove programs and uninstall this software, reboot and see if it still loads "iexplore.exe" like it did.
     
  42. kshapi

    kshapi Private E-2

    Hmmmm not sure what exactly this program does.

    I use Verizon DSL service for my internet connection and e-mail.

    Not sure what deleting this program would do?? Thoughts?
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, if your ISP is Verizon then I wouldn't suggest removing it then; the reason I asked you to uninstall it is that the file I posted is said to access the internet and I thought maybe it could be a cause. Can you post me a current HJT log so I can look at it as well?
     
  44. kshapi

    kshapi Private E-2

    Hi bjg,

    Latest HJT log attached

    Thanks for the assist!!

    kendall
     


  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you ever had the MyDoom worm or any other worm infections on this machine lately? Reason I ask is there are a few startup files that "possibly" could have been replaced by a worm or malware that could be doing this.
     
  46. kshapi

    kshapi Private E-2

    Well, all my problems started on 12/22. In one shot it seemed all kinds of stuff downloaded onto my machine and wreaked havoc. Over the past week, with the help of this site, I have removed a whole bunch of stuff BUT never specifically knew if I had or removed the MyDoom worm. It is certainly possible that I had a different worm infection but I can not 100% tell you if it was a worm. I distinctly know that I have removed several problems labeled as Trojans. Malware has definitely been a problem and removed on more than one occasion over the past week.

    Let me know if you need more info
     
  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, one quick question: Are you using Windows XP Service Pack 2's built-in firewall? Or do you use just Sygate FIREWALL?
     
  48. kshapi

    kshapi Private E-2

    When I was prompted to use Windows XP firewall (upon installation of a windows Serv Pck 2), I elected to not have it run because I had Sygate running. So at this time I don't think the XP firewall is running....but I honestly am not 100% sure.

    Just had an interesting SPYSweeper ALERT that the following file will start when windows starts: I did not just install a new program??

    Location: C\windows\jodsrv32.exe
    Registry or Startup folder: HKLM : Run

    Haven't seen this one before. I try to remove it in SpySweeper and the same alert keeps coming back up.

    I'm dying here of sleep deprivation
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    MAKE SURE SYSTEM RESTORE IS DISABLED TEMPORARILY!

    Ok, I want you to do this. First of all let's delete that file you're getting the alert about.

    1) Boot into "Safe Mode..With Networking"

    2) Go into the directory "C:\WINDOWS" and delete the file jodsrv32.exe

    3) Open SpySweeper, update definitions and run a full system scan. Remove anything it detects and post me a log for this.

    4) Run TrendMicro's Virus Scan
    NOTE: I know you have already but it seems like there's still some on here.

    Reboot and let me know if problem remains.

    Reason I asked about the Firewall is that it's not a good idea to run 2 firewalls. Just making sure you weren't.
     
  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    One thing I want to ask about the multiple instances of "iexplore.exe" process. If you try and "End Task" on one of the processes does it close just the one process or does it close all instances of "iexplore.exe" ???
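    As an added, defender-side example that is not part of this thread: a read-only PowerShell audit covering both points raised above, the HKLM Run alert for a loose executable in C:\WINDOWS and the question of what is launching the many iexplore.exe instances. It assumes Windows PowerShell 5.1 or later; the function names and the flag labels are my own.

    ```powershell
    function Get-ExePath([string]$cmd) {
        # Pull the executable out of a Run value such as '"C:\x\a.exe" /s' or 'C:\x\a.exe /s'
        $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
        if ($cmd.StartsWith('"')) {
            $end = $cmd.IndexOf('"', 1)
            if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        }
        $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success) { return $m.Groups[1].Value } else { return $cmd }
    }

    function Get-RunKeyAudit {
        # Walk the Run/RunOnce keys that SpySweeper watches ("HKLM : Run" in the alert above)
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        foreach ($key in $keys) {
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
                $exe = Get-ExePath ([string]$p.Value)
                if ([string]::IsNullOrWhiteSpace($exe)) { continue }
                $flags = @()
                # A loose .exe sitting directly in C:\WINDOWS (like jodsrv32.exe) is unusual for a legit autostart
                if ((Split-Path $exe -Parent) -ieq $env:WINDIR) { $flags += 'in-windir-root' }
                if (-not (Test-Path -LiteralPath $exe)) { $flags += 'file-missing' }
                else {
                    $sig = Get-AuthenticodeSignature -FilePath $exe
                    if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
                }
                [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $exe; Flags = ($flags -join ',') }
            }
        }
    }

    function Get-IEParents {
        # Pair every iexplore.exe with its parent process; a shared non-browser parent is what to look for
        $all  = Get-CimInstance Win32_Process
        $byId = @{}
        foreach ($pr in $all) { $byId[[int]$pr.ProcessId] = $pr }
        foreach ($pr in ($all | Where-Object { $_.Name -ieq 'iexplore.exe' })) {
            $parent = $byId[[int]$pr.ParentProcessId]
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            [pscustomobject]@{ Pid = $pr.ProcessId; ParentPid = $pr.ParentProcessId; Parent = $parentName }
        }
    }

    Get-RunKeyAudit | Format-Table -AutoSize
    Get-IEParents   | Format-Table -AutoSize
    ```

    Run values given as a bare program name (resolved through PATH at logon) will show as file-missing here, so treat that flag as a prompt to look closer rather than proof of anything.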
     