cant recover from virus ...

hi,
I run out of things to fix my computer .. i've installed and run f-prot, giant, ad-aware, spywareblaster .. and found that things only stabilised (ie not hit by alerts every 5 sec) when i applied patches to win 2000 (DCOM/etc) .. still i'm in the second day of the battle and cant get to any msn related site .. suspect also that my ie search/home addresses wil be overwritten any min now like it happen before. I've downloaded and run hijack this .. but need your help to decipher it.
Any help appreciated !
Cheers
Jorge

 

Please follow all the steps in this Sticky thread <READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >


If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

 

Hi KODO,
Thanks for your quick response. Here's where I'm up to...
Steps from the sticky post:
1. Dont know how to disable coz its a Win 2000 Advanced Server machine and cant find this option anywhere in My Computer properties.
2. Done - only found Network Security Service
3. Done
4. Got and run (with updated virus def's) - Giant, F-PROT, Ad-AWARE, SpywareBlaster, CWShredder
- runned Ad-AWARE with VX2 Cleaner Plug-In - found and cleaned some ... but not VX2
- Giant F-Prot found an fixed most of the recurring files tht were being created, after i've applied the w2k patches it cant find anyhting else.
- run both Trend's and Symantec online checks in safe mode - cant find no virus

Deleted virtual java mchine & edited registry
Recreated the host files with hoster utility
Changed ie security settings according to this http://www.lavasoftsupport.com/index.php?showtopic=14537

the symptoms now are:
- cant get anywhere near a microsoft site, cant run winupdate (even added it as trusted site but no joy)
- Trusted domain sites keep getting this entry *.static.topconverting.com even though i delete it.
- Giant detects from time to time some process trying to change ie settings, all this leads me to believe there's still some rogue process/dll/etc in my computer.

I've got hijackthis and done a log and read the tutorial, but at this point in time its hard finding the wood from the trees !

Thanks for any help on this.

Jorge

 

UPDATE:
GIANT scan just found virus SDBOT in c:\winnt\system32\d3cl32.exe (Author: phatalysis) - this is a recurring problem but diferent files are shown as culprits eg. sdksq32.exe in the same directory

Jorge

 

Hi Kodo ...I've updated this log with the latest news ..can you help?

 

post your log as an attachment.

 

Hi KODO,
Here are the two logs i've done - seperated by lot of slow panic and a few more security updates for ie and win 2000. Let me know if there's anything still remaining ... i havent seen any more alerts for a while but i worry that after the anti-virus free trials finish my computer emplode again!
Cheers
Jorge

 

There are free AV's I will look at your log shortly. meanwhile..

How to Protect yourself from malware!

 

start with removing these from within HijackThis

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


O2 - BHO: (no name) - {29345A21-EA22-C0C1-AA53-8EF31BEF24CA} - C:\WINNT\system32\msor32.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


I have some questions.. Your log didn't look too different between them both. I did notice that an entry in the trusted zone changed?

from
O15 - Trusted Zone: *.static.topconverting.com
to
O15 - Trusted Zone: http://browsercheck.qualys.com


if you know what these are then it's up to you to keep them, however, if you don't know what they are, it is recommended that you reset your security settings in IE to default for all zones and remove the trusted sites.

are you using a proxy?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.18.18.6:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.*;


do you have additional TCP/IP parameters set up that you are aware of? do you know what these are?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.sapportals.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.sapportals.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lon.sap.corp,wdf.sap.corp,lon.sap-ag.de,wdf.sap-ag.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.sapportals.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lon.sap.corp,wdf.sap.corp,lon.sap-ag.de,wdf.sap-ag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lon.sap.corp,wdf.sap.corp,lon.sap-ag.de,wdf.sap-ag.de