trojan.downloader.xs - not positive

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joefenton, Dec 9, 2007.

  1. joefenton

    joefenton Private E-2

    I'm not certain what I've got, it's really good at hiding. Thursday morning, my husband was on the computer - he *says* he was on ebay at the time. The desktop turned black and gives this message:
    Warning! Spyware threat as been detected on your pc!
    Your computer as several fatal errors caused by spyware activity. Your IP adress is xx.xx.xxx.xx and via this adress, an unauthrorized access was gained by another computer. It is strongly reccommended to install antispyware software to close all security vulnerabilities.



    Then he started getting security alerts from the taskbar (a little yellow triangle with ! that disappears if you right click it), followed by popups for Dio Cleaner. We also get Windows Security Alerts (most likely fakes) that tell us TrojanDownloader.exe was found on our system; ActivMonAgent; Accoona, and a few others I didn't write down.
    The first thing I did was update and run my Norton, which froze up, and things went from bad to worse: soon the computer was running very slowly and after a while refused to start up Windows entirely. I finally managed (on an attempt to boot in safe mode) to do a checkpoint restore from Monday. It worked for about 3 hours, then the mess started happening all over again. I was able to do a Norton scan, which found 394 infected files and fixed all but two. One was a trojan it deleted, the other was a trojan that was quarantined, though it seemed to disappear from the quarantine list when I went to view the report.
    Doing a search for DIO on my C:\ drive, I deleted 2 applications, a folder, and an .exe. I also found the path and deleted the two HTML files that had been popping up on alert.
    I tried to use the Task Manager to halt the virus's progress, but it has been "Disabled by the Administrator", AKA the bad nasty itself. All attempts following online instructions have failed to re-enable it.
    I downloaded and installed Spyware Doctor (unregistered) and while it won't get rid of anything, it keeps putting up alerts that it has "blocked malicious actions" by lpcywinp.exe and iexplorer.exe.
    I believe I have a virus that allows other viruses onto my computer. Norton got rid of a few, the goodies in the "Windows XP cleaning procedure" got rid of a bunch of others.
    I came here and followed all of the steps found in "Read and Run me first", it took the full day since the computer is running very slowly.
    When I ran AVG antispyware, I checked the box to make a report after each scan, and unchecked the second box, but after the 4 hour scan it said there was no report available. I also could not find a Norton Recycle bin. Other than that, I've followed all procedures requested.
    As of this morning, the computer seems to be running a bit faster, though still slow and locks up on heavy graphic/traffic websites, or for no reason at all. Spyware Doctor has stopped putting up alerts for blocking malicious actions, and things seem a bit better. Though I still get the annoying triangle in my taskbar telling me there is spyware installed on the computer, the desktop still displays the alert, despite all attempts to remove it, and if I'm right and this virus is acting like a gateway for other baddies to get into my PC, I know it's only a matter of time before another system failure.

    If you can help me, I'd GREATLY appreciate it!

    The requested logs are attached, minus the AVG log. :).... For some reason, it's not allowing me to attach Combofix.txt. Any suggestions for that?
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi joefenton!
    I see with 6 posts, you are already an old hand here in the forum ;)

    Your computer is badly infected. I will post some instructions to you after I've finished going through your logs. However, to begin with, please do the following:

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.
    How are things working now?

    After completing the above, please run the MGtools.exe file and post a fresh MGlogs.zip file.

    When you finish these steps, you will have two posts. The first one with rapport.txt from the first box of instructions and in the second post you will have rapport.txt and MGlogs.zip so ... 3 attachments in 2 posts.

    Thanks.
    abri
     
  3. joefenton

    joefenton Private E-2

    Thank you so much abri! I appreciate your help! Here is the first log. :)
     

    Attached Files:

  4. joefenton

    joefenton Private E-2

    You're awesome!!! We're getting somewhere! When I rebooted, the desktop background is back to blue, and I've not been getting the alerts from the taskbar, or the fake windows security alerts. My task manager is also enabled!

    It's just pretty slow still, and when I opened my browser it tried again to find the page "C:\Windows\System32\drivers\detect.html", which is the name of the page I deleted telling me to download Dio Cleaner.

    Here are the new logs!
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi joe!

    Please continue as follows. If some things are not there, just continue. We'll see if this helps a bit more.

    1) You have Teatimer running which will block the fixes we need to do. Please disable it as per these instructions:
    2) If Uniblue and Spyware Doctor are trial versions, please uninstall them.


    3) Run HijackThis and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - C:\WINDOWS\system32\egmulhxk.dll
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite


    After clicking Fix, exit HJT.

    4) Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) Please post a fresh MGlogs.zip and let me know how things are running now?

    abri
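The HijackThis entries abri lists in step 3 mix three different kinds of finding: "(no file)" entries whose CLSID no longer points at anything on disk, an unwanted toolbar under AskSBar, a randomly named DLL in system32 (egmulhxk.dll) that is the one component really worth sampling, and an O16 ActiveX download. The following is an added example, not MajorGeeks' or abri's tooling: a small Python triage script that parses lines in the R3/O2/O3/O16 shapes quoted above and attaches a reason to each. The sample log is constructed from entries in that post; the heuristics (the vowel-ratio test for random names, the AskSBar directory list, the system32 check) are illustrative assumptions, not a malware signature.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not the forum's tool. Assumes the R3/O2/O3/O16 line shapes
quoted in the post; SAMPLE_LOG is constructed from those entries and the
heuristics below are illustrative.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (entries copied from the HijackThis list in the post).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - C:\WINDOWS\system32\egmulhxk.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite
""".strip()

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
UNWANTED_DIRS = ("\\asksbar\\",)           # assumed list of adware toolbar install dirs
SYSTEM_DIRS = ("\\windows\\system32\\",)   # where dropped DLLs in this thread live


@dataclass
class Finding:
    section: str
    kind: str
    name: str
    clsid: str
    target: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one HJT line into section, kind, name, CLSID and target (path or URL)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else ""
    if section == "O16":
        # O16 - DPF: {CLSID} (name) - url
        name_m = re.search(r"\(([^)]*)\)", rest)
        name = name_m.group(1) if name_m else ""
        target = rest.rsplit(" - ", 1)[-1]
    else:
        # R3/O2/O3: name - {CLSID} - path
        parts = rest.split(" - ")
        name, target = parts[0], parts[-1]
    return Finding(section, kind, name, clsid, target)


def looks_random(stem):
    """Heuristic: 7-10 lowercase letters with few vowels (e.g. 'egmulhxk')."""
    if not re.fullmatch(r"[a-z]{7,10}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) <= 0.3


def classify(finding):
    """Attach human-readable reasons; an entry with no reasons is left alone."""
    low = finding.target.lower()
    if finding.target == "(no file)":
        finding.reasons.append("orphaned registry entry: CLSID points to a file that no longer exists")
    if finding.section == "O16" and low.startswith("http"):
        finding.reasons.append("ActiveX control downloaded from an external site; confirm it was wanted")
    if any(d in low for d in UNWANTED_DIRS):
        finding.reasons.append("installed under a known adware/toolbar directory")
    if any(d in low for d in SYSTEM_DIRS):
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            finding.reasons.append("random-looking DLL name in system32; typical of dropped malware components")
    return finding


def triage(log_text):
    """Return only the entries that earned at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and classify(f).reasons:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.clsid} {f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

Two caveats follow from the script's output. Fixing an O2 line in HijackThis only removes the registry hook, not the DLL on disk, which is why abri follows step 3 with an Avenger script to delete the file itself. And the orphaned "(no file)" entries are harmless leftovers, whereas the random-named system32 DLL is the component to copy off for submission to a vendor before it is deleted.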
     
  6. joefenton

    joefenton Private E-2

    OMG! I'm on my other computer right now, after I posted my last response I shut the laptop down to run some errands. Now, it won't start back up! I get the message:

    "Windows could not start up because the following file is missing or corrupt:
    <Windows root>\system32\ntoskrnl.exe.
    Please reinstall a copy of the above file."

    Please tell me there is no need to panic! I do not have a restoration CD, we bought this laptop used from a refurbisher and he told us the manufacturer (HP) does not supply a restore disc for our computer! :cry

    Is there any way to locate the above file from my working computer and somehow upload it to the laptop??? Ugh.
     
  7. abri

    abri MajorGeek

    Hi joefenton!
    Thanks for being patient while I get more information.
    abri
     
  8. joefenton

    joefenton Private E-2

    Thank you, I'm trying not to freak. I hope it's something fixable...
     
  9. abri

    abri MajorGeek

    Hi joefenton!

    Sorry it took me some time to get back to you. There are a number of reasons why the ntoskrnl.exe file could be corrupt or missing, including the possibility that your hard drive is failing. In order to boot back up, you need to repair the file, which you'll have the best chance to do if you have a CD; however, it does not necessarily have to be your own. It does need to be the right one. Halo is our authority on Windows operating systems and he has several suggestions. Please read through them all before you decide which one might be easiest for you to try.
    At this point, we are not worried if your malware comes back, because it can be refixed. It is only important to try getting your computer to boot up again.

    abri
     
