Cannot get rid of several problems (virus)

Discussion in 'Malware Help (A Specialist Will Reply)' started by dkc1944, Jun 5, 2005.

  1. dkc1944

    dkc1944 Private E-2

    Followed all directions as required.
    a. turned off 'system restore'
    b. did not stop 'network Security' services as I don't think I have
    the virus mentioned in getting prepared #2.
    c. enabled hidden files and folders
    d. created a folder on desktop and downloaded/installed as appropriate all of suggested files.
    e. ran all downloaded files in 'safe mode'. Did as directed. ran all
    downloaded files in 'normal mode'.
    f. Micro: clean failed ; worm_mugly.i
    JOKERABBIT "cannot access" - moved to delete & deleted. Could not remove as 'was in use'. I think I got rid of the JOERABBIT, have not seen it the last few reboots.
    g. Completely emptied "C:Uploads folder". It keeps coming back.
    h. Symantec - Removed 'emoticons4us.exe' (reported as adware.hotbar)
    Removed C:programfiles/mediaAccesss/MediaAccC.dll & mediaAcc.exe &
    mediaAccK.exe. This program just keeps coming back.
    i. Ran Avert Stinger which reported 16037 clean files.
    j. closed browser & disconnected from internet
    k. ran CCleaner as directed
    l. Ran Adaware as updated with VX2 plugin. two reg keys & 4 reg
    values: Dyfuca reg key and Dyfuca reg value 3 times. SahAgent reg key
    m.
    1. HKEY_USERS:S-1-5-21-1078081533-2052111302-839522115-1003\sofware\ist\"Installdate"
    2. HKEY_USERS:S-1-5-21-1078081533-2052111302-839522115-1003\sofware\ist\"account_id"
    3. HKEY_USERS:S-1-5-21-1078081533-2052111302-839522115-1003\sofware\ist\"config"
    4. HKEY_USERS:S-1-5-21-1078081533-2052111302-839522115-1003\sofware\ist\"neverinstall
    5. HKEY-LOCAL_MACHINE: Software\vgroup\
    6. Removed all (m.1-5)
    n. ran Spybot/ran immunize. Found adanilli Service: :\Windows\system32\ide21201.vxd - DyfuCa - SearchTech.PowerScan -
    HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\main\BandRest
    1. Ran fix selected problems

    o. Restarted in normal mode with internet enabled.
    p. Got Avast warnings of most of the above- told to move to chest. Did so.

    Cannot get these off: DyfuCa - Ezula - istbar - MediaAccess - twainTech -
    HKEY_LOCAL_MACHINE\software\vgroup "SahAgent" - C:\documents and
    Settings\Dean\favorites\going places\"travel.lnk - C:\documents and
    settings\Dean\Local Settings\temp internet files\content
    i.e.5\CF1UVEEY\"istdownload [1].exe -
    HKEY_CURRENT_USER\software\menuOrder\startmenu2\Programs\PowerScan - local settings\temp Win32: Trojan-gen {VC} - C:\TempNCase Package.exe\[UPX] - 3 times for this one Win32:srchAssist-2[adw] -
    C:\documents\Dean\Locals\temp\cjjsee.exe\ [upx] - c:documents and
    settings\Dean\local settings\temp\internet files Win32:Dyfuc dldr-z [trj] &
    win32: adan-024 [adw] & \optimize.exe - c:program files\Sidefind\sfbho.dll -
    C:temp\edowpak.exe - local\temp internet files win32: Adan & trojan-gen (other) - c:temp\Sahagentl-cdt1004.exe - - temp\bb.exe

    I tried to follow all of the instructions to the letter. I hope the above makes sense and will allow you to help me out. I appreciate it - Dean
     
  2. dkc1944

    dkc1944 Private E-2

    Help Please

    Have done all as suggested in the forum post. However, the following crappola keeps coming back:
    DyFuCa "sahagent
    ISTBAR "istsve.exe
    lycosSideSearch "sidefind
    twaintech "PowerScan
    WindUpdates "mediaAccess.exe

    Can you please help me get rid of these? I'm almost smart enough to get in trouble by myself! Dean
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Help Please

    Please do not make duplicate posts for your problems. You already had a thread started. I'm merging you back with your other thread.

    If you have completed all the steps in the READ ME FIRST sticky, perform the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. dkc1944

    dkc1944 Private E-2

    Hijack attached as requested. Sorry about the double post.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to stop using msconfig so we can see everything that may be on your PC.
    Run msconfig and select Normal Startup.

    Then look in Add/Remove programs and look for the below and uninstall if found.
    winupdate
    Bouncer or Virtual Bouncer
    p2pnetworking

    Then reboot and come back and post a new HJT log.

    Do you know what the below is for:
    O4 - HKCU\..\Run: [NSMAgent] "C:\Program Files\NSM\NSMAgent.exe"
     
  6. dkc1944

    dkc1944 Private E-2

    No I do not know what this file is:
    O4 - HKCU\..\Run: [NSMAgent] "C:\Program Files\NSM\NSMAgent.exe"

    Followed your directions and the HiJack file is attached. Thank you
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have HijackThis installed improperly. I quote from my first message:
    So I guess none of those items were in Add/Remove programs because they are all still present.

    I still don't know what this NSMAgent.exe program is. We will leave it for now.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\p2pnetworking.exe
    C:\Program Files\Bouncer\Bouncer.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
    O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\Bouncer.exe 110
    O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\p2pnetworking.exe
    C:\Program Files\Bouncer <--- the whole folder
    C:\Program Files\winupdate <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
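Every step chaslang lays out above (kill the autorun processes, tick the R0/O4/O9 lines on the HijackThis Scan screen, then delete the files in safe mode) starts from reading the HJT log by hand. The script below is an added example written for this thread; it is not HijackThis code and not part of the MajorGeeks READ ME FIRST. It parses the R-line and O4 line formats, pulls the program path out of an O4 command line (quoted or unquoted), and flags the entries the thread singled out. SAMPLE_LOG is constructed from the log lines quoted in the thread; the WATCHLIST (the three autorun executables named above), ALLOWED_HOSTS (the home page chaslang suggests) and the triage heuristics are assumptions made for illustration, not rules HijackThis itself applies.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the R0/O4/O9 lines quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\Bouncer.exe 110
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [NSMAgent] "C:\Program Files\NSM\NSMAgent.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# Assumption: watch-list of the three autorun executables named in the thread.
WATCHLIST = {"winupdate.exe", "p2pnetworking.exe", "bouncer.exe"}
# Assumption: hosts an IE start/search page may legitimately point at.
ALLOWED_HOSTS = {"www.majorgeeks.com"}

# "R0 - HKLM\<key>,<value name> = <data>"; <data> may be empty.
R_RE = re.compile(r"^(R\d) - (HK\w+)\\(.+?),(.+?) =(?: (.*))?$")
# "O4 - HKLM\..\Run: [name] command line" (registry autoruns only).
O4_RE = re.compile(r"^(O4) - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")
# Any other line: keep the section code and the rest verbatim.
GEN_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Program path of an unquoted command line: up to the first executable
# extension followed by whitespace or end of line (heuristic).
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s|$)", re.I)


@dataclass
class Entry:
    section: str                 # HJT section code: R0, O4, O9, ...
    raw: str                     # the log line verbatim (what you tick in HJT)
    hive: Optional[str] = None
    key: Optional[str] = None    # Run / RunServices, or the IE Main key path
    name: Optional[str] = None   # value name (R-lines) or autorun name (O4)
    value: str = ""              # R-line data or O4 command line


def parse_line(line: str) -> Optional[Entry]:
    """One HJT log line -> Entry; None for blank or unrecognised lines."""
    line = line.strip()
    m = R_RE.match(line) or O4_RE.match(line)   # both have the same 5 groups
    if m:
        sec, hive, key, name, data = m.groups()
        return Entry(sec, line, hive, key, name, data or "")
    m = GEN_RE.match(line)
    return Entry(m.group(1), line, value=m.group(2)) if m else None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]


def executable_of(command: str) -> str:
    """Program path from an O4 command line, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else (command.split(None, 1)[0] if command else "")


def triage(entries, watchlist=WATCHLIST, allowed_hosts=ALLOWED_HOSTS) -> List[Tuple[Entry, str]]:
    """(entry, reason) pairs for the lines worth selecting on the Scan screen."""
    findings = []
    for e in entries:
        if e.section == "O4" and e.key is not None:
            exe = executable_of(e.value)
            base = ntpath.basename(exe).lower()
            if base in watchlist:
                findings.append((e, f"known-bad autorun {base} in {e.hive}\\..\\{e.key}"))
            elif exe and not ntpath.dirname(exe):
                # Bare name is resolved via the search path; hides where it lives.
                findings.append((e, f"bare file name {base}, no path given"))
        elif e.section.startswith("R") and e.value:
            host = urlparse(e.value).hostname
            if host and host not in allowed_hosts:
                findings.append((e, f"{e.name} hijacked to {host}"))
        elif e.section == "O9" and "(file missing)" in e.raw:
            findings.append((e, "orphaned entry, target file missing"))
    return findings


def hjt_fix_list(findings) -> List[str]:
    """Raw lines to tick in HijackThis before clicking Fix."""
    return [e.raw for e, _ in findings]


if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{why:50s} {entry.raw}")
```

Run against the sample it flags the hijacked Start Page, the three watch-listed autoruns (p2pnetworking twice, once under Run and once under RunServices) and the orphaned O9 button, and leaves the NSMAgent entry alone because it is a fully qualified path that is not on the watch-list, which is exactly the judgement chaslang made once Dean identified it. The programs behind the "known-bad" findings are the ones to kill in the HJT process manager before clicking Fix, since a running process will re-create its Run value. Using ntpath rather than os.path keeps the backslash handling correct when the log is read on a non-Windows analysis box.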
     
  8. dkc1944

    dkc1944 Private E-2

    I figured out what NSM is: Neuros Synchronization Manager. It is for my MP3 player/manager.

    I put HiJack in C:\HiJackThis.
    System restore is OFF. Viewing of hidden files is enabled.
    c:\windows\system32\p2pnetworking.exe (is not present)
    C:\programfiles\bouncer (SpyWareBouncer) is deleted as directed. Browsers are shut down and all task bar programs are shut down/exited.
    Ran the scan and checked boxes as directed.
    Safe Mode: C:\windows\system32\p2pnetworking.exe (not present)
    C:\programfiles\windupdate (not present)
    Ran CCleaner and deleted all files in C:\windows\prefetch

    I don't, at this moment, notice anything different, but will give it a workout. AVAST is not screaming at me - so that is a GOOD THING.

    HiJack post attached. Again - Thank You for the time and effort - Dean
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can have HijackThis fix the below minor items:

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    But other than that you are now clean. Are you having any problems?
     
  10. dkc1944

    dkc1944 Private E-2

    You are indeed "The Virus Man"! Thank you (and this group) very much. It appears that all infestations are gone. I sincerely hope I don't have to come back, but, with the level of my computer knowledge, all bets are off ;) . WHEW! Thank you very much.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

