MajorGeeks Support Forums

#21
12-30-04, 02:26
chaslang
MajorGeeks Admin - Master Malware Expert
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,599
Thanks: 62
Thanked 7,744 Times in 4,184 Posts
Re: Can't Beat the Virus/Trojan H-E-L-P

Kendall,

If a scan showed no signs of the W32.Miroot.Worm, then don't worry about the cleanup stuff.

If it was not running well, I would assume you would notice it. But if you want to be extra sure run the READ ME FIRST again. I don't need any logs unless you think something is wrong.

As far as firewalls, a few are listed in the How to Protect thread. You will notice Norton is not on the list. Personally I like Zonealarm and there is a free version. Sygate has a free version too and is good. Kerio is very good but there is no free version.

Oh yeah! I would accept cash! Or even a few weeks in the Cayman Islands would do!

You're welcome. Let's hope everything remains clean and calm.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


#22
12-30-04, 02:33
kshapi
Private E-2
Join Date: Dec 2004
Posts: 25
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Can't Beat the Virus/Trojan H-E-L-P

Right-o!! I'll re-run per "Read Me" and update per "How to protect" tomorrow and monitor system thru several shut-downs/start-ups and internet connections. Will also sort out the firewall issue and choose ONE.

Keeping my fingers crossed and will post more tomorrow or Fri with latest results.

Again...deeply in your debt!!!!! I am your humble servant!
#23
12-30-04, 15:04
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

Okay! Let me know if you have any more problems.
#24
12-31-04, 01:24
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

Hi chaslang,

Well, looks like I still have some bugs in the computer.

I re-ran all steps in "Read Me" and a few extra virus scans and found a few Trojan results from Norton, Trend Micro and Bitdefender... all different.

*I have attached a text file that details the results of all of my scans and what files I was able to DELETE.
*I have also attached my latest HJT log from my last SAFE mode HJT scan.
*Additionally, I attached the logfile from PROCESS EXPLORER from SAFE MODE....you can see there are 28 iexplore.exe processes running....no Explorer windows were open.

So the issues I am experiencing are:

*Scans still detecting Trojan viruses
*Recycle Bin still will not function properly...open it and see no deleted files when I have not asked for files to be completely deleted
*multiple iexplore.exe processes running unprompted...something is initiating this and I suspect it is some reloading .EXE file.....but where?
*firewall is still blocking a few iexplore.exe attempts to connect to the internet...but the quantity has decreased greatly from a few days ago
Attached Files
File Type: txt 12-30 virus summary pm.txt (5.5 KB, 2 views)
File Type: log hijackthis12-30pm safe md.log (7.0 KB, 1 views)
#25
12-31-04, 01:25
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

Here is the PROCESS EXPLORER LOG...attached
Attached Files
File Type: txt Procexplorer log12-30pm.txt (4.1 KB, 1 views)
#26
12-31-04, 01:45
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

Did you try manually deleting:
C:/Program Files/CashBack <--- folder
C:/Program Files/BullsEye Network <--- folder
C:\WINDOWS\sysml.dll

May need to do it from safe mode.
HJT logs from safe mode are not typically very useful. Only post one from safe mode if we ask for it or if it is the only way HJT will run.
#27
12-31-04, 01:54
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

After trying to fix those items, download the following tools and have them handy:

Generic Detection Tool

http://www.downloads.subratam.org/DllCompare.exe

http://www.downloads.subratam.org/VX2Finder.exe

http://www.downloads.subratam.org/KillBox.zip



Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go. The tool should generate a long text file. Please attach that to your next post.

Do not reboot after that because that can cause the files to mutate.
#28
12-31-04, 11:57
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

Good Morning...

You asked me to manually delete:
C:/Program Files/CashBack <--- folder
C:/Program Files/BullsEye Network <--- folder
C:\WINDOWS\sysml.dll

The folders "Cashback" and "Bullseye network" were not present. I believe the Norton scan said that they were compressed files hidden within other files that I was able to successfully delete the other day (those files were netut80ex.vxd, mac80ex.idf and psis80ex.ax).

I was not able to delete "sysmn.dll" in either regular or SAFE mode. ACCESS DENIED

I downloaded Generic Detection Tool, ran FINDIT and attached the log to this post.

I have loaded on my computer the following for future use if necessary.
*DllCompare.exe
*VX2Finder.exe
*KillBox.zip

over and out...thanks again!
kendall
Attached Files
File Type: txt FINDIT output.txt (10.3 KB, 4 views)
#29
12-31-04, 14:07
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

C:\WINDOWS\System32\o8840ilqe8qe0.dll
C:\WINDOWS\System32\gp80l3lm1.dll
C:\WINDOWS\System32\dlrgui.dll
C:\WINDOWS\System32\irnsl5571.dll
C:\WINDOWS\System32\e2jm0c11ef.dll
C:\WINDOWS\System32\kt0sl7d71.dll
C:\WINDOWS\System32\m8lsli3718.dll
C:\WINDOWS\System32\i2lolc331f.dll
C:\WINDOWS\System32\en44l1hq1.dll
C:\WINDOWS\System32\g6jo0g13e6.dll
C:\WINDOWS\System32\k6pm0g71e6.dll
C:\WINDOWS\System32\mrvideo.dll
C:\WINDOWS\System32\rZcpldlg.dll
C:\WINDOWS\System32\p28qlcl51fq.dll
C:\WINDOWS\System32\n08olal31dq.dll
C:\WINDOWS\System32\n4l8le3u1h.dll
C:\WINDOWS\System32\azaol9131.dll
C:\WINDOWS\System32\enr4l19q1.dll
C:\WINDOWS\System32\fp0803due.dll
C:\WINDOWS\System32\aza0l73m1.dll
C:\WINDOWS\System32\mv0sl9d71.dll
C:\WINDOWS\System32\hr0005dme.dll
C:\WINDOWS\System32\mvjol9131.dll
C:\WINDOWS\System32\n82u0if9e82.dll
C:\WINDOWS\System32\k480lelm1hqa.dll
C:\WINDOWS\System32\ktl0l73m1.dll
C:\WINDOWS\System32\fp4403hqe.dll
C:\WINDOWS\System32\p44u0eh9eh4.dll
C:\WINDOWS\System32\dnlm0131e.dll
C:\WINDOWS\System32\dn0o01d3e.dll

and c:\WINDOWS\system32\guard.tmp

And here is how you need to do it.

Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\o8840ilqe8qe0.dll


1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now Click NO.
5) Repeat for all files except the last one

For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now Click YES and allow your machine to reboot Normally.

After it reboots get another findit.bat log and post it. Also run DLL Compare Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
#30
12-31-04, 18:12
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

OK went thru all Pocket Killbox steps and when prompted by the program to reboot, after the very last file as you indicated, I said yes.

A window popped up stating "Verifying Registry entries, PLZ wait"

Then another window popped up Named:
PendingFileRenameOperations

In that box there was a message stating:

"PendingFileRenameOperations Registry Data hes been removed by External Processes"


Computer is not shutting down on its own....shall I shut it down myself or do we have an issue?
#31
12-31-04, 18:55
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

Hmmm! We get this sometimes. A piece of malware or another program is deleting the changes added to the Pending Operations list. I doubt all (if any) of the deletions are going to work.

Reboot manually and post me a new HJT log and a new findit.bat log.
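The "Replace on Reboot" deletions above depend on Windows' PendingFileRenameOperations queue, which is what the "removed by External Processes" message in post #30 refers to. The following is an added example, not code from the thread or from KillBox: it models that queue offline and checks whether every requested deletion is still queued before the reboot. The registry location and pair layout are real; the function names and the sample queue are my own constructions.

```python
# Added example for this thread (not code from the thread or from KillBox):
# model the PendingFileRenameOperations queue that delete-on-reboot tools
# rely on, so the queue can be checked before rebooting. Windows keeps it as
# a REG_MULTI_SZ value of that name under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Strings come in
# pairs: an NT-style source path ("\??\C:\...") then a destination; an empty
# destination means "delete at next boot", a leading "!" on the destination
# means "replace existing". The value is modelled as the list of strings
# winreg would return, so this runs offline; function names are my own.

NT_PREFIX = "\\??\\"

def to_nt_path(path):
    """Win32 path -> NT path, the form MoveFileEx writes into the queue."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path

def from_nt_path(nt_path):
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path

def queue_delete(entries, path):
    """Return a new queue with `path` scheduled for deletion at reboot."""
    return list(entries) + [to_nt_path(path), ""]

def parse_queue(entries):
    """Decode the raw multi-sz list into (deletions, renames)."""
    if len(entries) % 2:
        raise ValueError("malformed queue: odd number of strings")
    deletions, renames = [], []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            deletions.append(from_nt_path(src))
        else:
            renames.append((from_nt_path(src), from_nt_path(dst.lstrip("!"))))
    return deletions, renames

def missing_deletions(entries, expected_paths):
    """Paths we asked to delete that are no longer in the queue."""
    queued = {p.lower() for p in parse_queue(entries)[0]}
    return [p for p in expected_paths if p.lower() not in queued]

# Constructed sample: a queue holding two of the DLLs listed in post #29.
SAMPLE_QUEUE = [
    "\\??\\C:\\WINDOWS\\System32\\o8840ilqe8qe0.dll", "",
    "\\??\\C:\\WINDOWS\\System32\\gp80l3lm1.dll", "",
]
EXPECTED = [
    "C:\\WINDOWS\\System32\\o8840ilqe8qe0.dll",
    "C:\\WINDOWS\\System32\\gp80l3lm1.dll",
    "C:\\WINDOWS\\System32\\guard.tmp",
]

if __name__ == "__main__":
    print("queued for deletion:", parse_queue(SAMPLE_QUEUE)[0])
    print("not yet queued:", missing_deletions(SAMPLE_QUEUE, EXPECTED))
    # The symptom from post #30: an external process wiped the value.
    print("after the value was cleared:", missing_deletions([], EXPECTED))
```

On a live system the list would be read with winreg from the key named in the comments; an empty result for `missing_deletions` right before the reboot is what a successful KillBox run should look like.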
#32
12-31-04, 19:10
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

Manual reboot completed.

Upon startup, Firewall blocked about 6 attempts for computer to connect to current homepage (WWW.Majorgeeks.com) and to Google.com (my old home page).

Ran HJT and FindIT. Logs attached.....
Attached Files
File Type: txt findit output 12-31.txt (6.4 KB, 2 views)
File Type: log hijackthis 12-31 .log (7.4 KB, 1 views)
#33
12-31-04, 19:20
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

I'm going to try this by just killing some processes before running the fix with Killbox. If this does not work, we are probably going to have to uninstall Spy Sweeper, Spyware Doctor, and Trojan Hunter.

Hang on, I'm working on a procedure.
#34
12-31-04, 19:34
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

Well, it cleaned up more than I thought! We may be able to continue without uninstalling those programs.


Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

NOW:

Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

Then click on these buttons in the right pane unless they are "greyed" out:

- UserAgent$ Button to remove the UserAgent from the registry
- Guardian.reg
- Restore Policy

Exit and reboot.

Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg
Quote:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D4492B05-D449-4EF9-BEA3-1D8DF6247F1B}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]

Physically disconnect (unplug your cable - this is important) from the internet.
Doubleclick the fixvx2.reg file you created and grant it permission (when asked) to merge in the registry entries.

NEXT: Run findit.bat (Generic Detection Tool) and attach that log and a fresh HJT log. Tell me if you are still getting those additional iexplore.exe processes starting up on their own. Do not kill any if you do, I want to see them.
Last edited by chaslang; 12-31-04 at 19:41..
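The fixvx2.reg file in the post above uses two REGEDIT4 constructs worth recognising: `"name"=-` removes a single value, while `[-KEY]` removes a whole key. The following is an added example, not code from the thread: a small parser that turns a .reg file into the list of operations regedit will perform, so a fix like this can be read before it is merged. The embedded sample is the fragment from the post; the function names are my own.

```python
# Added example (not from the thread): decode a REGEDIT4 fix file such as the
# fixvx2.reg fragment above into the operations regedit would perform, so a
# fix can be read before it is merged. Function names are my own.
import re

# The fragment from the post, embedded so the example runs offline.
FIX_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D4492B05-D449-4EF9-BEA3-1D8DF6247F1B}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _decode_data(raw):
    """Turn the right-hand side of a value line into (kind, data)."""
    if raw == "-":
        return ("delete", None)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    return ("raw", raw)  # hex:, hex(2): ... left undecoded in this example

def parse_reg(text):
    """Return the operations a .reg file performs, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    ops, key = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):  # [-KEY] deletes the whole key
                ops.append(("delete_key", body[1:], None, None))
                key = None
            else:
                key = body
                ops.append(("ensure_key", key, None, None))
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unexpected line: " + line)
        name = m.group(1) if m.group(1) is not None else ""  # "" = (Default)
        kind, data = _decode_data(m.group(2).strip())
        if kind == "delete":  # "name"=- deletes just that value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, (kind, data)))
    return ops

if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(op)
```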
#35
12-31-04, 19:43
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

I just made some changes to the below procedure, make sure you refresh and re-read.
#36
12-31-04, 20:11
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

Ok....ran thru your steps the first time and then came back and saw your update so re-ran with the updated information.

New FindIT and HJT logs attached.

Sygate Firewall does not work on start-up if disconnected from the internet, I have found. So I was not directly able to see the processes starting to try to connect to the internet. So, I ran PROCESS EXPLORER and found, STILL, multiple iexplore.exe processes running.

I am restarting the computer to get the firewall back up and running. Then I have to be offline for several hours. Will check back later for other instructions!!

This is a tough one, eh? Happy New Year and thanks for the continued support!!!!!
Attached Files
File Type: log hijackthis 12-31 #3.log (7.7 KB, 2 views)
File Type: txt findit output 12-31 #3.txt (6.1 KB, 3 views)
#37
12-31-04, 20:30
chaslang
Re: Can't Beat the Virus/Trojan H-E-L-P

Okay! The VX2 problem is all cleaned up now but you still have all those IE processes running at startup. We need to figure out what is doing that.

I want you to use HJT to create a Startup List Log as follows.

Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

If I cannot find anything in that log loading IE, I probably will want to uninstall some items like I mentioned before. Are you up for that?
#38
01-01-05, 04:48
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

Startuplist file from HJT is attached.

Let me know next steps...am willing to uninstall programs if necessary...let's get this bugger!

Happy 2005!!!
Attached Files
File Type: txt startuplist.txt (13.6 KB, 2 views)
#39
01-01-05, 05:04
bjgarrick
MajorGeeks Admin - Malware Expert
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Re: Can't Beat the Virus/Trojan H-E-L-P

Do you use the Verizon software?
#40
01-01-05, 05:08
kshapi
Re: Can't Beat the Virus/Trojan H-E-L-P

HI!

Are you referring to the following line in the Startup file:

C:\Program Files\Verizon Online\ControlPad\cpad.exe

It is a control panel provided by Verizon that pops up on the screen to provide some internet shortcuts.

I don't use it.