Malware Removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#21
Kendall,
If a scan showed no signs of the W32.Miroot.Worm, then don't worry about the cleanup stuff. If it was not running well, I would assume you would notice it. But if you want to be extra sure run the READ ME FIRST again. I don't need any logs unless you think something is wrong. As far as firewalls, a few are listed in the How to Protect thread. You will notice Norton is not on the list. Personally I like Zonealarm and there is a free version. Sygate has a free version too and is good. Kerio is very good but there is no free version. Oh yeah! I would accept cash! Or even a few weeks in Cayman Islands would do! You're welcome. Let's hope everything remains clean and calm.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't." Support Majorgeeks on Facebook: Majorgeeks Newsletter
#22
Right-o!! I'll re-run per "Read Me" and update per "How to protect" tomorrow and monitor the system through several shut-downs/start-ups and internet connections. Will also sort out the firewall issue and choose ONE.
Keeping my fingers crossed and will post more tomorrow or Fri with latest results. Again...deeply in your debt!!!!! I am your humble servant!
#23
Okay! Let me know if you have any more problems.
#24
Hi chaslang,
Well looks like I still have some bugs in the computer. I re-ran all steps in "Read Me" and a few extra virus scans and found a few Trojan results from Norton, Trend Micro and Bitdefender... all different.
* I have attached a text file that details the results of all of my scans and what files I was able to DELETE.
* I have also attached my latest HJT log from my last SAFE mode HJT scan.
* Additionally, I attached the logfile from PROCESS EXPLORER from SAFE MODE....you can see there are 28 iexplore.exe processes running....no Explorer windows were open.
So the issues I am experiencing are:
* Scans still detecting Trojan viruses
* Recycle Bin still will not function properly...open it and see no deleted files when I have not asked files to be completely deleted
* multiple iexplorer.exe processes running unprompted...something is initiating this and I suspect it is some reloading .EXE file.....but where?
* firewall is still blocking a few iexplorer.exe attempts to connect to the internet...but the quantity has decreased greatly over a few days ago
#25
Here is the PROCESS EXPLORER LOG...attached
#26
Did you try manually deleting:
C:/Program Files/CashBack <--- folder
C:/Program Files/BullsEye Network <--- folder
C:\WINDOWS\sysml.dll
May need to do it from safe mode. HJT logs from safe mode are not typically very useful. Only post one from safe mode if we ask for it or if it is the only way HJT will run.
#27
After trying to fix those items, download the following tools and have them handy:
Generic Detection Tool
http://www.downloads.subratam.org/DllCompare.exe
http://www.downloads.subratam.org/VX2Finder.exe
http://www.downloads.subratam.org/KillBox.zip
Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go. The tool should generate a long text file. Please attach that to your next post. Do not reboot after that because that can cause the files to mutate.
#28
Good Morning...
You asked me to manually delete:
C:/Program Files/CashBack <--- folder
C:/Program Files/BullsEye Network <--- folder
C:\WINDOWS\sysml.dll
The folders "Cashback" and "Bullseye network" were not present. I believe the Norton scan said that they were compressed files hidden within other files that I was able to successfully delete the other day (those files were netut80ex.vxd, mac80ex.idf and psis80ex.ax). I was not able to delete "sysmn.dll" in either regular or SAFE mode. ACCESS DENIED.
I downloaded Generic Detection Tool, ran FINDIT and attached the log to this post. I have loaded on my computer the following for future use if necessary:
* DllCompare.exe
* VX2Finder.exe
* KillBox.zip
over and out...thanks again! kendall
#29
Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:
C:\WINDOWS\System32\o8840ilqe8qe0.dll
C:\WINDOWS\System32\gp80l3lm1.dll
C:\WINDOWS\System32\dlrgui.dll
C:\WINDOWS\System32\irnsl5571.dll
C:\WINDOWS\System32\e2jm0c11ef.dll
C:\WINDOWS\System32\kt0sl7d71.dll
C:\WINDOWS\System32\m8lsli3718.dll
C:\WINDOWS\System32\i2lolc331f.dll
C:\WINDOWS\System32\en44l1hq1.dll
C:\WINDOWS\System32\g6jo0g13e6.dll
C:\WINDOWS\System32\k6pm0g71e6.dll
C:\WINDOWS\System32\mrvideo.dll
C:\WINDOWS\System32\rZcpldlg.dll
C:\WINDOWS\System32\p28qlcl51fq.dll
C:\WINDOWS\System32\n08olal31dq.dll
C:\WINDOWS\System32\n4l8le3u1h.dll
C:\WINDOWS\System32\azaol9131.dll
C:\WINDOWS\System32\enr4l19q1.dll
C:\WINDOWS\System32\fp0803due.dll
C:\WINDOWS\System32\aza0l73m1.dll
C:\WINDOWS\System32\mv0sl9d71.dll
C:\WINDOWS\System32\hr0005dme.dll
C:\WINDOWS\System32\mvjol9131.dll
C:\WINDOWS\System32\n82u0if9e82.dll
C:\WINDOWS\System32\k480lelm1hqa.dll
C:\WINDOWS\System32\ktl0l73m1.dll
C:\WINDOWS\System32\fp4403hqe.dll
C:\WINDOWS\System32\p44u0eh9eh4.dll
C:\WINDOWS\System32\dnlm0131e.dll
C:\WINDOWS\System32\dn0o01d3e.dll
and c:\WINDOWS\system32\guard.tmp
And here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot. Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\o8840ilqe8qe0.dll
1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now - Click NO.
5) Repeat for all files except the last one
For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:
Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now - Click YES and allow your machine to reboot Normally.
After it reboots get another findit.bat log and post it. Also run DLL Compare - Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
#30
OK went through all Pocket Killbox steps and when prompted by the program to reboot, after the very last file as you indicated, I said yes.
A window popped up stating "Verifying Registry entries, PLZ wait". Then another window popped up named: PendingFileRenameOperations. In that box there was a message stating: "PendingFileRenameOperations Registry Data hes been removed by External Processes". Computer is not shutting down on its own....shall I shut it down myself or do we have an issue?
#31
Hmmm! We get this sometimes. A piece of malware or another program is deleting the changes added to the Pending Operations list. I doubt all (if any) of the deletions are going to work.
Reboot manually and post me a new HJT log and a new findit.bat log.
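A check to run after queuing the Killbox deletions and before rebooting, added here as an example and not part of the thread or of Killbox: it reads back the PendingFileRenameOperations value that replace-on-reboot tools populate, decodes it, takes a second reading to catch anything scrubbing the list (the symptom reported in #30), and confirms the first and last files from the thread's list are queued. It assumes a modern Windows host and an elevated PowerShell session; the two paths in $expected are the ones quoted in the thread.

```powershell
# Added example, not code from the thread or from Killbox. Assumes a modern
# Windows host and an elevated PowerShell session.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'PendingFileRenameOperations'

function Get-PendingFileOps {
    # REG_MULTI_SZ of (source, destination) pairs. An empty destination means
    # "delete source at boot"; Windows stores the paths with a \??\ prefix.
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $value) { return }
    $raw = @($value)
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = "$($raw[$i])"     -replace '^\\\?\?\\', ''
        $dst = "$($raw[$i + 1])" -replace '^\\\?\?\\', ''
        $action = if ($dst) { 'Rename' } else { 'Delete' }
        [pscustomobject]@{ Action = $action; Source = $src; Target = $dst }
    }
}

# Two readings a few seconds apart: if the queue shrinks while you wait,
# another process is clearing it and the boot-time deletes will not happen.
$first = @(Get-PendingFileOps)
Start-Sleep -Seconds 10
$second = @(Get-PendingFileOps)
"Queued operations: $($first.Count) at first read, $($second.Count) ten seconds later"
if ($second.Count -lt $first.Count) {
    Write-Warning 'Entries vanished between readings: something is scrubbing the list.'
}
$second | Format-Table -AutoSize

# Confirm the thread's first and last files are queued, either as the source of
# a delete or as the target of a dummy-file replace (Killbox's "Use Dummy").
$expected = 'C:\WINDOWS\System32\o8840ilqe8qe0.dll', 'C:\WINDOWS\System32\guard.tmp'
foreach ($f in $expected) {
    $hit = $second | Where-Object { $_.Source -ieq $f -or $_.Target -ieq $f }
    if ($hit) { "queued : $f" } else { "MISSING: $f" }
}
```

If the second reading is shorter than the first, note which entries disappeared before rebooting; that tells you the deletions need to be done another way, as the next post concludes.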
#32
Manual reboot completed.
Upon startup, Firewall blocked about 6 attempts for computer to connect to current homepage (WWW.Majorgeeks.com) and to Google.com (my old home page). Ran HJT and FindIT. Logs attached.....
#33
I'm going to try this by just killing some processes before running the fix with Killbox. If this does not work, we are probably going to have to uninstall Spy Sweeper, Spyware Doctor, and Trojan Hunter.
Hang on, I'm working on a procedure.
#34
Well it cleaned up more than I thought! We may be able to continue without uninstalling those programs.
Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.
NOW: Open VX2Finder and Click on the "Find Vx2.Betterinternet" button. Then click on these buttons in the right pane unless they are "greyed" out:
- UserAgent$ Button to remove the UserAgent from the registry
- Guardian.reg
- Restore Policy
Exit and reboot.
Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg
Quote:
Doubleclick the fixvx2.reg file you created and grant it permission (when asked) to merge in the registry entries.
NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log. Tell me if you are still getting those additional Iexplorer.exe processes starting up on their own. Do not kill any if you do, I want to see them.
Last edited by chaslang; 12-31-04 at 18:41.
#35
I just made some changes to the below procedure, make sure you refresh and re-read.
#36
Ok....ran through your steps the first time and then came back and saw your update so re-ran with the updated information.
New FindIT and HJT logs attached. Sygate Firewall does not work on start-up, it is disconnected from the internet I have found, so I was not directly able to see the processes starting to try to connect to the internet. So, I ran PROCESS EXPLORER and found, STILL, multiple iexplore.exe processes running. I am restarting the computer to get the firewall back up and running. Then have to be offline for several hours. Will check back later for other instructions!! This is a tough one, eh? Happy New Year and thanks for the continued support!!!!!
#37
Okay! The VX2 problem is all cleaned up now but you still have all those IE processes running at startup. We need to figure out what is doing that.
I want you to use HJT to create a Startup List Log as follows. Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message. If I cannot find anything in that log loading IE, I probably will want to uninstall some items like I mentioned before. Are you up for that?
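The question in this post is what keeps launching iexplore.exe at startup. Added here as an example (not from the thread, and not what HJT or Process Explorer do internally), this script answers it from three angles a defender would check: each iexplore.exe with the process that spawned it, the Run/RunOnce autostart keys that mention iexplore, and the Browser Helper Objects that get loaded into every IE process. It assumes a modern Windows host with PowerShell 3 or later and an elevated session.

```powershell
# Added example, not part of the thread. Assumes a modern Windows host with
# PowerShell 3 or later; run it elevated so every process is visible.
$procs = @(Get-CimInstance -ClassName Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 1. Each iexplore.exe with the process that launched it. A launcher that is
#    not explorer.exe (an unknown executable, a parent that already exited)
#    is the lead to chase.
$procs | Where-Object { $_.Name -ieq 'iexplore.exe' } | ForEach-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    $who = if ($parent) { "$($parent.Name) [$($parent.ProcessId)]" } else { "exited [$($_.ParentProcessId)]" }
    [pscustomobject]@{
        Pid         = $_.ProcessId
        Started     = $_.CreationDate
        Parent      = $who
        ParentPath  = $parent.ExecutablePath
        CommandLine = $_.CommandLine
    }
} | Sort-Object Started | Format-Table -AutoSize -Wrap

# 2. The usual autostart keys, filtered for anything that mentions iexplore
#    (the same data the HJT StartupList log shows, scripted).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'iexplore' } |
        ForEach-Object { "$k  $($_.Name) = $($_.Value)" }
}

# 3. Browser Helper Objects: DLLs loaded into every iexplore.exe. Resolve each
#    CLSID to the DLL it points at so unfamiliar files stand out.
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    "BHO $clsid -> $server"
}
```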
#38
Startuplist file from HJT is attached.
Let me know next steps...am willing to uninstall programs if necessary...let's get this bugger! Happy 2005!!!
#39
Do you use the Verizon software?
#40
HI!
Are you referring to the following line in the Startup file: C:\Program Files\Verizon Online\ControlPad\cpad.exe It is a control panel provided by Verizon that pops up on the screen to provide some internet shortcuts. I don't use it..