Cannot remove trojans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by irishred513, Apr 13, 2007.

  1. irishred513

    irishred513 Private E-2

    I have been trying to follow the steps required before posting in the forum, but this laptop has been unstable. After removing Java and trying to download the new version....every time the download completes and I go to install it the computer goes to a black screen, then reboots, then gives me a BSOD saying there is a driver error. It takes me several attempts to reboot and get the computer to let me online again. I have performed as many of the steps as I have been able to, but at this point I am having trouble with downloading some things. I had run a Panda scan earlier, and I have also run Ewido and SuperAntiSpyware. All tell me I have trojans, but when I try to remove them, it doesn't seem to work.
    Also, the firewall has somehow become disabled and when I try to re-enable it I get a message telling me an unknown error has caused it not to open.
    Any help would be greatly appreciated.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You have some serious issues which will take some work to remove!!!

    It is important that steps in the READ & RUN ME be followed in the order written. I'm not sure what you meant about running Panda Active Scan earlier but it should have been one of the last things to run.

    Do you have a log from SuperAntiSpyware?

    If you can run HijackThis you can easily run GetRunKey and ShowNew. Please always attempt ALL steps. Run these two programs now and attach the logs. These logs are very important in providing us the information needed to cleanup your malware.


    Why aren't you using a real full blown antivirus program instead of just an after-the-fact scanner from McAfee which is installed in a temp folder and will get deleted during cleanups?

    Please download LSP-Fix

    Do not attempt to use it yet! I just want you to have this on your PC in case you lose internet connectivity at any point. If you do lose connectivity the below steps will come in handy (but I repeat, don't do them yet)!!


    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the msnetax.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move msnetax.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.
     
  3. irishred513

    irishred513 Private E-2

    Hi, Thanks for your help.

    I had run a Panda scan earlier on my own....before I found this site, that's what I meant. But then after I uninstalled Java and couldn't redownload it I couldn't run it again, so that's why I posted the other one.

    As far as the antivirus program.....this is my daughter's laptop and after trusting that she was doing what she needed to with it, I found out she was not and hence all these problems!!! She thought that her Ewido antispyware and an antivirus program were the same thing. But she was also not updating that program, so even though she had been running it, it was pretty useless without the updates. I plan on taking care of that if I get it straightened out.

    Ok, I did get the other two programs to run; the first time I tried, it told me the file was corrupt and wouldn't run. So here are the logs for them as well as one from antispyware from this morning.
    Thanks!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, thanks for the additional info. I will probably have you try to re-run Panda again later after we fix a bunch of issues.

    Some of your system files have become infected and we need to look for an uninfected replacement on your hard disk. Begin by right clicking Start and select Explore. This should open a Windows Explorer window. Make sure the Address bar indicates C:\

    • Now click the Search icon
    • then select All files and folders
    • in the box titled All or part of the file name: enter exactly the following with no spaces between any characters (the asterisk belongs there at the end of the file name): ndis.sy*
    • tell me what matches you get when you come back. One will be c:\windows\system32\ndis.sys and that is the infected one.
    I will give you some stuff to install later. A free antivirus which will auto update and save you some grief.

    Note that Ewido has been replaced by AVG AntiSpyware! If you bought Ewido, you update to AVG AntiSpyware. You can only get permanent realtime protection and updates for it when you buy it (no different than Ewido).


    Let's Get Started!

    Since the instructions are going to be very long, I will break this into a couple of messages. Complete all of this message before the next one.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ieupdater22
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Microsoft IEUpdater22 into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Now run LSP-Fix which I had you download previously.

    Check the Box labeled "I know what I'm doing" and then click on the msnetax.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move msnetax.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.

    Now repeat the above steps with LSP-fix while looking for ONLY EXACT NAME MATCHES to the below files (you may not find any).
    C:\WINDOWS\system32\credgui.dll
    C:\WINDOWS\system32\gdip32.dll
    C:\WINDOWS\system32\mcert.dll
    C:\WINDOWS\system32\msiphelp.dll
    C:\WINDOWS\system32\msnetax.dll
    C:\WINDOWS\system32\netp.dll
    C:\WINDOWS\system32\windll.dll
    C:\WINDOWS\system32\winload.dll
    C:\WINDOWS\system32\ws2_32(2).dll
    C:\WINDOWS\system32\wsock.dll
    C:\WINDOWS\system32\ws_imod.dll

    When finished, give me a list of the remaining filenames you see in the Keep section. This will be the list for you to remember as being good, and if you ever lose your internet connection while we are working on this malware, look to see if something new showed up in the list and remove it.

    Also download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Now move on to the next message!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you complete the steps in message # 4 before doing the below.

    Uninstall Viewpoint Media Player, which should have been uninstalled in step 0 of the READ ME.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Courtney\LOCALS~1\Temp\200741318713_mcappins.exe /v=3 /cleanup
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Courtney\LOCALS~1\Temp\20074131879_mcinfo.exe /insfin
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: jgmdlv - jgmdlv.dll (file missing)

    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Courtney\My Documents\HIJACKTHIS.EXE
    C:\Documents and Settings\Courtney\ie_updater.exe
    C:\WINDOWS\system32\CMMGR32.EXE
    C:\WINDOWS\system32\koos.exe
    C:\WINDOWS\system32\kprof
    C:\WINDOWS\system32\poof
    C:\WINDOWS\system32\update15050767.exe
    C:\WINDOWS\system32\update58336742.exe
    C:\WINDOWS\system32\update86927746.exe
    C:\WINDOWS\system32\update96307977.exe
    C:\WINDOWS\system32\winlogon(2).exe
    C:\WINDOWS\system32\credgui.dll
    C:\WINDOWS\system32\gdip32.dll
    C:\WINDOWS\system32\mcert.dll
    C:\WINDOWS\system32\msiphelp.dll
    C:\WINDOWS\system32\msnetax.dll
    C:\WINDOWS\system32\netp.dll
    C:\WINDOWS\system32\windll.dll
    C:\WINDOWS\system32\winload.dll
    C:\WINDOWS\system32\ws2_32(2).dll
    C:\WINDOWS\system32\wsock.dll
    C:\WINDOWS\system32\ws_imod.dll
    C:\WINDOWS\nnomjk.dll
    C:\cp1041.nls
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\McAfee.com

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  6. irishred513

    irishred513 Private E-2

    Ok....
    On step 1 this is what came up on the search:
    NDIS.SY c:/windows/I386 89kb SY.File 8/4/2004
    ndis.sys c:/windows/system32/drivers 275kb systemfile 4/11/2007

    On step 2 after clicking ok I received this message:
    Service "MicrosoftIEUpdater22" was not found in the Registry, make sure you entered the short name of the service

    On step 3 These were the files left
    mswsock.dll Tcpip
    winmr.dll NTDS
    rsvpsp.dll {Protocol handler}

    *Sorry, I thought I had uninstalled all the Viewpoint programs, I guess I missed that one.

    I did NOT receive the Pendingfilerename message.

    During the reboot I got the BSOD with the Driver-IRQL-Not-Less-Or-Equal message twice....on the third try I was able to get back to windows and online.
    Thanks so much for all your help so far!:)
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check this file name again! Was it NDIS.SY or was it NDIS.SY_ (yes, the underscore is what I meant), or was it NDIS.SYS? You don't need to do a search. Just use Windows Explorer to look in the c:\windows\i386 folder and look for yourself.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall Viewpoint Media Player? I still see it in your ShowNew log.
     
  9. irishred513

    irishred513 Private E-2

    It was NDIS.SY_ Sorry! I didn't realize that was important. :eek:
     
  10. irishred513

    irishred513 Private E-2

    Yes.....let me check the uninstall programs again.
    Hmmmm, It was still there. I tried uninstalling it again.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exact details are always important as you are learning.;)

    The underscore means that it is a compressed file and we will have to uncompress a copy.

    I'll get back to you on this! I need to get some sleep!

    As far as Viewpoint is concerned did you get it uninstalled? If not, run this ViewpointKiller to remove Viewpoint Media software.
     
  12. irishred513

    irishred513 Private E-2

    I did uninstall viewpoint again and sure enough when I checked this morning it was back, I was beginning to think I was losing my mind!
    I ran the viewpointkiller. So hopefully it is gone now.
    Noticed your location is Jersey...hope you are surviving the storm ok and
    getting some sleep, this site must keep you very busy!
    Thanks again.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No sleep last night at all! Too many flooding problems for me and neighbors and friends that needed help, and they had worse problems than me. Thanks for asking! ;)


    Let's continue!

    Download the attached irishFix.zip file to your Desktop and extract the irishFix.bat file from it to your Desktop. Then double click on irishFix.bat to run it. This will create a log file named c:\FixND.txt

    Attach the FixND.txt file here along with a new log from ShowNew.
     


  14. irishred513

    irishred513 Private E-2

    Hope you guys are all starting to dry out.

    Ok....I was able to download the file, open it and then when I hit run the computer went black then to that same BSOD. Since then I can not get it to load. I can get to the windows screen then as soon as it tells me the computer has recovered from a serious error and I hit ok....it goes back to the BSOD and reboots. I have attempted to get it to reload over 10 times now but keep getting the blue screen, reboot. :cry

    *Obviously I am now posting this from my pc and not the laptop in question. lol
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Will it boot in safe mode?

    Do you have a Win XP SP2 boot CD?
     
  16. irishred513

    irishred513 Private E-2

    Yes, I can get it to boot in safemode
    No, I don't think so.....the disk it came with that I thought was an XP disk is just a factory complete reinstall, or just for going back to factory settings for the preinstalled programs? At least that's what it sounds like to me. I do have a Win XP upgrade CD from an old computer. I guess that is probably not much help. Should I try to run the irishFix in safe mode?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! While in safe mode look in c:\windows\system32\drivers.

    Do you see ndis.sys and also ndis.sys.bad?

    Also look in C:\windows\i386

    Do you see ndis.sy_ and also ndis.sys

    Also does C:\FixND.txt exist?

    Not yet.
     
  18. irishred513

    irishred513 Private E-2

    In c:\windows\system32\drivers
    I see ndis.sys only

    I have c:\windows\i386 but I do not see a ndis in there at all, I also have c:\window\I386 and in that one I see NDIS.SY_ only

    And yes! I guess that file did run before the computer rebooted because I did find c:\fixND.txt!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then the fixND.bat file did not work properly! But also, I don't understand why you cannot boot in normal mode if this file still exists. What is the file size in bytes and what is the file date? Right click on it and select Properties to get this information.

    This also means the script did not work. There is a command in the script that should have produced an expanded version of this file, named it ndis.sys, put it in this i386 folder, and then later copied it to the system32 folder.

    Get to a command prompt and type in expand and tell me what you see. You should see something like below:
    Can you get me the info that is in this file?
     
  20. irishred513

    irishred513 Private E-2

    Ok..I can't find fixND.bat file....I do have irishfix.bat...is that the one? I did a search for the other one and it said not found. The irishfix.bat is:
    Size: 2.22KB (2.278 bytes)
    Size on disk: 4.00KB (4.096 bytes)
    It says created Today April 16, 2007 6:04:25 PM


    Although I do appreciate your faith in me.....ummm....I am really not all that computer literate....I do not know how to get to a command prompt. :eek:

    Now that I can do:

    Changing attributes of c:\windows\system32\drivers\ndis.sys
    Sytem32 expand.exe found
    Expanded File Listing
    Volume in drive c is SQ003947
    Volume Serial Number is B4BD - A73c

    Directory of c:\window\i386

    Attempted killing of smss.exe completed

    Extra echoes inserted to add delay
    Running command to kill winlogon.exe
    Attempted killing of winlogon.exe completed

    Back up current c:\windows\system32\drivers\ndis.sys
    Deleting current c:\windows\system32\drivers\ndis.sys
    Copy i386 backup to c:\windows\system32\drivers\ndis.sys

    Good file listening
    Volume in drive c is SQ003947
    Volume Serial Number is B4BD - A73c

    Directory of c:\windows\system32\drivers

    4/11/07 11:09am 281,348 ndis.sys
    1 file(s) 281,348 bytes
    0 Dir(s) 49,848,832,000 bytes free.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry! fixND.bat is a generic version of the fix file. For you, I renamed it irishFix.bat, but that is not what I wanted to know the size of. I was referring to c:\windows\system32\ndis.sys

    To open a command prompt click Start, Run, and enter cmd and click OK!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmmm! Based on what you attached from that log file, the irishFix.bat really did not do anything at all. So now I have to wonder why your PC will not boot in normal boot mode? However, the log did help me figure out a problem in irishFix.bat. I had a typo and named ndis.sy_ as ndis.s_
     
  23. irishred513

    irishred513 Private E-2

    Oh lol, ok....you must really enjoy this stuff...people like me would drive me crazy. Ok for c:\windows\system32\ndis.sys:
    Size: 274KB (281.348 bytes)
    Size on disk: 276KB (282.624 bytes)
    Created: Tuesday August 09,2005
    Modified: Wednesday April 11,2007 11:09:02AM
    Accessed: Today April 16, 2007 10:50:31 PM

    Ok For that I see:

    Microsoft Windows XP [Version 5.1.2600]
    (c) Copyright 1985-2001 Microsoft Corp.
    C:\Documents and Settings\Courtney>Expand
    MicroSoft (R) File expansion Utiltiy Version 5.1.200.0
    Copyright (c) Microsoft Corp 1990-1999 All Rights Reserved.
    No Files Specified.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that means the old ndis.sys file is still there which means nothing changed!

    From the command prompt window, type the below (be sure to enter them correctly - note the one place where sy_ is used. Also note the spaces!! There is a space after the copy, after the first ndis.sys, after the expand, and after the ndis.sy_)

    copy c:\windows\system32\ndis.sys c:\windows\system32\ndis.sys.bak
    expand c:\windows\i386\ndis.sy_ c:\windows\system32\ndis.sys

    After doing the above what is the size and date of the ndis.sys file that is in the system32 folder.
     
  25. irishred513

    irishred513 Private E-2

    Two stupid questions...is there a space between
    c:\windows\system32\ndis.sys.bak and expand? Or do I hit enter and put it on a separate line?
    Also after typing that all in do I hit enter or just look at the system32 file?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are separate commands on separate lines. So yes, just hit enter after typing the first command. ;) And then type the second command and hit enter.

    After the above two commands have been run, use Windows Explorer (right click Start and select Explore) to look in the c:\windows\system32 folder

    You can then right click on the ndis.sys file in the system32 folder to get Properties (i.e., size and date)
     
  27. irishred513

    irishred513 Private E-2

    Ok:
    Size: 178KB (182,912 bytes)
    Size on disk: 180KB (184,320 bytes)

    Created: Today April 17, 2007 12:34:00AM
    Modified: August 03, 2004 11:14:30PM
    Accessed: Today April 17, 2007 12:34:00AM
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And does the c:\windows\system32\ndis.sys.bak also exist?

    What happens if you power down your PC now for a minute and then reboot? Can you get into normal boot mode? If you receive any error messages, please post the exact word for word message.
     
  29. irishred513

    irishred513 Private E-2

    Sorry, we were having high winds last night and the power was starting to glitch so I had to shut down.

    No
    Tried to boot up normal, still get the same BSOD. It says:
    Driver-IRQL-Not-Less-Or-Equal
    Then the generic if this is the first time you have seen this error stuff.
    Then the generic if it returns uninstall any new programs etc.

    *The first time this screen appeared she had not installed anything new.

    Under the Tech info it says:
    STOP: 0x000000D1 (0xFAAIE70,0x0000000,0X000000A)
    NDIS.SYS-Address FAA1E070 base at FA9F3000, Datestamp 41107ec3
    NDIS.SYS-Address FAA10BEC2 base at FA93000, Datestamp 41107ec3
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was there anything under the Driver-IRQL-Not-Less-Or-Equal part of the message?


    I don't understand how the c:\windows\system32\ndis.sys.bak file does not exist.

    In message # 23 you said the April 11, 2007 version of ndis.sys existed.
    In message # 24 I had you copy the above ndis.sys file into ndis.sys.bak. Didn't you do this command first? Did you get an error message?

    From a command prompt window, enter the below command:
    dir /s/a-d ndis.* > c:\search.txt

    Note there are spaces here:
    after dir
    before ndis
    before and after >


    Now attach or post inline, the contents of the c:\search.txt file.
     
  31. irishred513

    irishred513 Private E-2

    No....well the only thing under that part of the message is the "If this is the first time you are seeing this message" etc.


    Yes, I did do that command first and it said the file does not exist or file not found. I don't recall which. I didn't know that it wasn't supposed to say that. It didn't say it was an error. Sorry.

    Microsoft Windows Version XP [Version 5.1.2600]
    <c> Copyright 1985-2001 Microsoft Corp

    C:\ Documments and Settings\Courtney>dir /s/a-d ndis.* c:\search.txt
    Volume is drive c SQ003947
    Volume Serial Number is B4BD-A73C
    File Not Found
    File Not Found
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot the greater than sign in between ndis.* and c:\search.txt

    But I also left something out.... a \ in front of ndis.*

    Use this

    dir /s/a-d \ndis.* > c:\search.txt
     
  33. irishred513

    irishred513 Private E-2

    Ok, added the greater-than sign; now all it says is "File Not Found"
    oops you changed it! let me try again
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you get with just this:

    dir /s/a-d \ndis.*
     
  35. irishred513

    irishred513 Private E-2

    This time it says
    The System cannot find the path specified
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not make any sense!

    Does your prompt still show?

    C:\ Documments and Settings\Courtney>
     
  37. irishred513

    irishred513 Private E-2

    Ok with that one:
    Directory of C:\windows\I386
    8/4/2004 05:00am 90,321 NDIS.SY_
    1 file(s) 90,321 bytes

    Directory of c:\windows\system32
    8/3/2004 11:14pm 182,912 NDIS.SYS
    1 File(s) 182,912 bytes

    Directory of c:\windows\system32\dirvers
    4/11/2007 11:09am 281,348 NDIS.SYS
    1 File(s) 281,348 bytes

    Total Files Listed
    3 File(s) 554,581 bytes
    0 Dir (s) 50,046,617,648 bytes free
     
  38. irishred513

    irishred513 Private E-2

    Yes it does show that prompt....I think I am one post behind you because of the edit....check my last post before this one...maybe it makes more sense?
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's better! Let's do a few more things from the command prompt but I'm going to have you do this one stage at a time with a check using the dir command each time.


    copy c:\windows\system32\ndis.sys C:\windows\i386\ndis.sys

    dir /s/a-d \ndis.*


    Give me the output.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 13 you had the below text and I highlighted in brown the important word.

    Directory of c:\windows\system32\dirvers


    • Was dirvers correct or was it a typo? It should be drivers
    • Are you re-typing these responses to the commands or are you using copy and paste in the command prompt window?
    You can use copy and paste by right clicking on the top bar of the window and selecting Edit and then using Mark to highlight the lines. And then right click on the top again and select Copy. Now they are on your Windows clipboard and you can paste them into your message here by hitting CTRL-V
     
  41. irishred513

    irishred513 Private E-2

    That was just a typo, it was drivers. I cannot copy and paste because I cannot get online from that laptop in safemode....dial-up. So I am posting from my pc.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I still need the output from the instructions in message # 39!
     
  43. irishred513

    irishred513 Private E-2

    After this it says: 1 File(s) copied

    Volume in drive c is SQ003947
    Volume Serial Number is B4BD-A73C

    Directory of c:\windows\I386
    08/03/2004 11:14pm 182,912 ndis.sys
    08/04/2004 05:00am 90,321 NDIS.SY_
    2 File(s) 273,233 bytes

    Directory of c:\windows\system32
    08/03/2004 11:14pm 182,912 ndis.sys
    1 File(s) 182,912 bytes

    Directory of c:\windows\system32\drivers
    04/11/2007 11:09am 281,348 ndis.sys
    1 File(s) 281,348 bytes

    Total Files Listed:
    4 File(s) 737,493 bytes
    0 Dir(s) 50,047,954,944 bytes free
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I think we are getting close to where I want to be. I'm taking this slowly to avoid any possible confusion or mistakes.

    The next set of steps to run from the command prompt are below (there are spaces before the -r, before the -s, and before and after the -h)

    del c:\windows\system32\ndis.sys
    attrib -r -s -h c:\windows\system32\drivers\ndis.sys
    copy c:\windows\system32\drivers\ndis.sys c:\windows\system32\drivers\ndis.sys.bad
    dir /s/a-d \ndis.*


    Can you boot in normal mode now? Either way we still are not finished replacing the malware version of ndis.sys. I just wanted to create some backups and get an uninfected version of the file ready to be copied, and that will be our next step after I see the results from above.

    By now you should be an expert at using the command prompt. ;)
     
  45. irishred513

    irishred513 Private E-2



    Ok....I hope I did that all right.
    Here is what I got:
    Directory of c:\WINDOWS\I386
    08/03/2004 11:14pm 182,912 ndis.sys
    08/04/2004 05:00am 90,321 NDIS.SY_
    2 File(s) 273,233 bytes
    Directory of c:\WINDOWS\system32\drivers
    04/11/2007 11:07am 281,348 ndis.sys
    04/11/2007 11:07am 281,348 ndis.sys.bad
    2 File(s) 562,696 bytes

    Total Files Listed:
    4 File(s) 835,929 bytes
    0 Dir(s) 50,048,118,784 bytes free

    I still cannot boot normally, I received that same BSOD before the welcome window appeared.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! I don't understand why you cannot boot in normal mode but if we look back it started back in message # 6 where you said you
    And then on the third try everything was okay! Then in message # 14, you appear to have permanently entered this state. I'm starting to wonder if something other than malware happened.

    Let's do one more set of steps from the command line:

    copy c:\windows\i386\ndis.sys c:\windows\system32\drivers\ndis.sys
    dir /s/a-d \ndis.*

    Give me the results of the dir command! Can you boot normal now? If not, give me the exact information on the BSOD.
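    The comparison this thread works toward by hand (expand the compressed ndis.sy_ from i386, then check it against the driver in system32\drivers), as an added check script that is not chaslang's irishFix.bat or anything else from the thread. It assumes the Windows XP paths used above, is read-only (the expanded copy goes to %TEMP% and is deleted again), and can be run from Safe Mode at the same command prompt.

```batch
@echo off
rem Added check script (not the thread's irishFix.bat): compares the installed
rem ndis.sys with the compressed original that XP keeps in %SystemRoot%\i386.
rem Read-only: it expands to %TEMP% and deletes that copy again; nothing in
rem system32 is touched. Paths assume the XP layout used in this thread.
setlocal

set "INSTALLED=%SystemRoot%\system32\drivers\ndis.sys"
set "ORIGINAL=%SystemRoot%\i386\ndis.sy_"
set "EXPANDED=%TEMP%\ndis_from_i386.sys"

if not exist "%INSTALLED%" (
    echo No driver at "%INSTALLED%" - check the drivers folder name.
    exit /b 2
)
if not exist "%ORIGINAL%" (
    echo No compressed copy at "%ORIGINAL%" - nothing to compare against.
    echo The folder must be i386 directly under %SystemRoot%; a stray copy elsewhere will not do.
    exit /b 2
)

rem expand.exe decompresses the .sy_ file; it keeps the original file's
rem modified time, so the expanded copy still shows the 2004 date.
expand "%ORIGINAL%" "%EXPANDED%" >nul
if errorlevel 1 (
    echo expand.exe failed on "%ORIGINAL%".
    exit /b 2
)

echo Installed driver:
for %%F in ("%INSTALLED%") do echo   %%~zF bytes   %%~tF   %%~fF
echo Original expanded from i386:
for %%F in ("%EXPANDED%") do echo   %%~zF bytes   %%~tF   %%~fF

rem fc /b exits 0 only when both files are byte-for-byte identical
fc /b "%INSTALLED%" "%EXPANDED%" >nul
if errorlevel 1 (
    echo RESULT: installed ndis.sys does NOT match the i386 original.
    echo A larger file with a recent modified date is the pattern seen in this
    echo thread; back the installed file up before replacing it.
    del "%EXPANDED%"
    exit /b 1
)
echo RESULT: installed ndis.sys matches the i386 original.
del "%EXPANDED%"
exit /b 0
```

    A mismatch alone is not proof of infection: a Windows hotfix can also leave a newer ndis.sys than the i386 copy, so check the size and date pattern (and whether any update was installed) before replacing the file.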
     
  47. irishred513

    irishred513 Private E-2

    After this step it says:
    Overwrite c:\windows\system32\drivers\ndis.sys? (Yes,No,All)
    I assume I am supposed to pick yes or all.....which one?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just say yes!

    If you still cannot boot into normal mode, run System Restore and look for a restore point on April 14th or earlier and restore to that point in time. Then see if you can boot in normal mode.
     
  49. irishred513

    irishred513 Private E-2

    Ok:
    Directory of c:\WINDOWS\I386
    08/03/2004 11:14pm 182,912 ndis.sys
    08/04/2004 05:00am 90,321 NDIS.SY_
    2 File(s)
    Directory of c:\WINDOWS\system32\drivers
    08/03/2004 11:14pm 182,912 ndis.sys
    04/11/2007 11:09am 281,348 ndis.sys.bad
    2 File(s) 464,260 bytes

    Total Files Listed:
    4 File(s) 737,493 bytes
    0 Dir(s) 50,047,643,648 bytes free

    I was able to boot up normal
    In case you need this....
    After the system has recovered from a serious error under the click here part this is what it said:
    Error Signature
    BCCode: 1000008c BCP1:C0000005 BCP2:00000000 BCP3: F33EEB84 BCP4:00000000 OSVer: 5_1_2600 SP: 2_0 Product: 768_1
    Technical Information:
    c:\DOCUME~1\Courtney\Locals~1\Temp\WER5e82.dir.00\Mini041607-13.dmp
    c:\DOCUME~1\Courtney|Locals~1\Temp\WER5e82.dir.00\sysdata.xml
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! This sounds promising! Then it seems that the root cause of not being able to boot in normal mode was the infected ndis.sys file that I was worried about and want to get replaced!

    Attach current logs from GetRunKey, ShowNew, and HJT (all from Normal Boot mode).

    How is everything currently working?
     
