followed advice in "read this first"

Hi,
I started out by having this huge problem where I could not even access IE anymore without it telling me that it could not connect to server. It had nothing to do with a connection problem, rather I had some trojans on comp which downloaded things like elitebar, searchmiracle, about:blank, etc. I was not even able to register on this website because I was constantly redirected to a not-able-to-connect-to-server page. I don't know what happened but all of a sudden I could register, so here I am.
So I read the "read this before you post". Initially, I was only able to do steps 1 through 3 because I wasn't able to download any of the virus scanners in step 4 (for same reason as couldn't register). In step 2 I found none of the exact services listed... I did find RPC on its own, and RPC locator but deleted neither as you specifically said to delete only exact matches (RPC helper). I also followed step 3 and did all as specified. As I was unable to download anything I used the virus scanners I already had, which did included ad-aware and spybot as well as Norton and AVG. THe last two found nothing, spybot found the usual (elitebar and other pests) and ad-aware found over 400 bugs once the hidden files were unhidden. When I rebooted I was finally able to download the other programs listed in step 4 and followed the instructions. I rebooted in safe-mode with networking support, however for some reason I was unable to access the internet as my connection program said it failed to load a driver... So I could not scan with trend micro or symantec in safe mode. I was able to scan with all the other programs. Everything came back clean. I rebooted back to normal, scanned with trendmicro and symantec, found nothing. Then I read the hijackthis tutorial on this web-site. I followed the instructions but there were many things in section 04 that I could not find using the search on sysinfo and look fishy.... So to conclude this long post (my apologies), may I post the hijackthis log so someone can tell me if there are other things in 04 I should delete? Searchmiracle and elitebar seem to be officially killed. The only thing I dont understand is how come all the websites i go to with javascript tell me my java is disabled when it clearly isn't according to the settings in internet tools. So then I need help with two things, 1-the 04 items in hijackthis, and 2-how to enable java again, or to get it to stop telling me its disabled. Thanks very much... eagerly waiting for a response. And by the way those spyware tutorials (including hijackthis) were very very helpful. Nancy in Montreal.

 

attach your log to a post please.

 

Here it is: thanks Kodo.

[Log file removed]

 

Chloe,
your version is old. please download the latest version, run again and attach it as a text document to the post.

http://www.majorgeeks.com/download3155.html

 

how do i attach?

 

Try it again with all your browser windows closed..

don't run it from your desktop either.. put the exe into its' own folder like C:\HJT\Hijackthis.exe


to attach, scroll down where it says MANAGE ATTACHMENTS

 

here it is

 

I thought the trojans were gone. For the last few hours everything was working fine but now they've popped up again. Both AVG and Norton tell me I have a trojan in C:/for.exe. Was i supposed to hide those files again from step 3 in read-this-before-u-post.... Should I try booting in safemode and scan again? Argh. Am I correct in thinking the trojans were related to me getting all those elitbar-searchmiracle things on my comp to begin with?

 

once you take care of what chas said. you have problems

you have some worms on your machine too..

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.zcrew.b.html

and

http://www.sophos.com/virusinfo/analyses/w32duloada.html

Boot to safe mode and try
http://www.majorgeeks.com/download172.html
|MG| Free Download - a-squared (a²) Personal Edition 1.1

To get rid of your trojan problems.. then run the AV tools suggested in the tutorial again as well as your scanner.

 

I had closed all the IE windows, I have no clue why it said I had 4 open. I misunderstood about the folder. HJT isnt on the desktop, it was in a different folders with all the other stuff asked to download in the read-this-before-you-post. I created a separate HJT folder in C:.. .hope it works this time.

 

ok, i'm going to redo the read-this-before-you-post tutorial. You never told me if I should set back system restore and hidden files after I'm done. I can't do the symantec online scan because it says I have no java. I still don't know how to fix the java problem (like i said, doesn't appear to be disabled in internet tools). About the line you pointed out with microsoft updates, i recently reinstalled microsoft security pack 2... isn't that it? (i had to reinstall all after comp was emptied with sys restore). Anyway, I will be back later when this is all done. Thanks for all your help so far chas and kodo.

 

Ok, I did everything as indicated. The a-square program found 4 probs. I didn't know I had to write the stuff down so I only remember one sdbot.worm.gen.t... I remember it said it deleted stuff in the c:/for and c:/sys. The worm name doesnt match any of the other worm/trojan norton and AVG keep telling me about, but it does match the c:/for folder I norton/avg told me it was in. Odd thing, norton changed some things when I was in safe mode- neither email scan nor automatic update were working anymore. I've checked now and it seems to be fixed. Other thing, I can't run the AVG program anymore (technician guy told me this program was much better then Norton... dont know how true that is) because I'm apparantly missing the Core driver. It was working fine until now. I ran all the other programs in the read-this-before and everything came back clean, including ad-aware. I also used the two other programs, nothing to report there either. I still can't do a virus check on symantec because of the scripting prob. I dont have java virtual machine, I installed javasun myself some time ago as comp didnt come with java because of some issue with jvm manufacturer i think. Anyway, thats pretty much all I can say right now. I'm attaching the new HJT log. All IE windows were closed and I didn't run it from desktop so if it says otherwise its not me! Thanks again guys (or gals?). I'm gonna stay online a few more hours to see if anyone replies tonight, or else I'll be back in the morning.

 

I noticed a maxspeed thing in my IE tools section. I don't recall that ever being there before and I notice that its in the HJT log... perhaps thats something that shouldn't be there?

 

@chase
she's got norton and avg running would those clash?

 

I did. Peperfix found nothing. In safe mode unists just opened up a grey window a few second then dissapeared. I ran it again and it sais it "memory watcher installing files", stayed on perhaps 5 seconds and dissapeared again.

 

Im still trying to figure out this java thing so I downloaded it again from the website listed in read-this-first... still doesnt work. I checked in javasun control panel and it is indeed set to IE. In my internet tools, in browsing, both "disable script debugging (IE)" and "disable script debugging (other)" are checked. Scolling down javasun is checked as well (thus enabled...) and it says "javasun2 v.1.42_05 for <applet> (requires restart)". Is that normal?

 

Ok. Did exactly like you told me. Everything went fine until came time to delete/rename stuff.... I only found 3 of the names. So I was successful at renaming servicelog.exe, clbcatex.exe and audiosrv.exe. All the other files were nowhere to be found. So I did a search, here's what I found:

1-?ttrib.exe does not exist, however the search returned "attrib.exe" and it was created on the 1st of october as all these other nasty things have (thats the day system restore happened, 110$ of hard-earned student money down the drain)

2-sp2update.exe and atiphexx.exe do not exist

3-qu8RB.exe, ksyd.exe and iuwo.exe exist but their name doesn't end at exe. For example, qu8RP.exe is called qu8RP.exe-ID303586.pf. The two other files are also "pf" files and all three are in windows/prefetch. I did not delete them yet, want to be sure its ok.

As a sidenote, the computer no longer takes 5 minutes to load up all the icons on the desktop (I'm not exagerating for the time). That's very good. However, I just about uninstalled AVG as everytime i reboot it tells me i'm missing that core driver. So I click uninstall and it asks me if I want to take care of the "virus vault" first, I click yes. This window opens up with all these names of things I dare not disturb as I have no instructions on what to do with them. Interestingly, atiphexx is sitting right there.

Lastly, I've attached my new HJT log.

Chas, I'm sending you a big virtual kiss for all your help so far. For a lack of icon, I'll let you imagine it.

 

Ok, again did as instructed. There are no changes in the results, i still can't find ?ttrib.exe or sp2update.exe, even with hidden file option. I deleted the three files in prefetch. I've uninstalled AVG. I deleted the files in the virus vault but when I ran uninstall it still told me that virus vault was not empty, run yes/no. I clicked no and it uninstalled. I don't know where all the avg viruses went but they aren't in recycle bin. I've tried to uninstall norton because I want to put the new 2005 version... it won't budge. It tells me that uninst.isu is not valid or the data has been corrupted. I tried reinstalling my old version of norton (i got rid of system works but can't get rid of utilities) and it tells me I can't install because old files still on computer. So now I have neither norton nor avg. I was finally able to do a scan on symantec, it came back negative. I figured out my java script problem, i checked "allow active content to run in files on my computer" and now all is fine. Microsoft update sp2 is very very security conscious... I kept having this bar showing up on top of all websites saying it wouldnt allow active content from the website. Having clicked allow active content, that bar is now gone, I don't know if that's a bad or good thing. Lastly, I found a folder called "mui", i recall having to delete this folder some time back when I had trojan problems... does that ring a bell?
thanks again and again.

 

was it this folder?

Windows\srchasst\mui

if so , then it's ok.

How to remove norton
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

 

Thanks for the link kodo. I will check it out after this message. As for mui, there is indeed a mui in srchasst but also in windows/syst32/oobe, programfiles/commonfiles/system, windows/syst32, programfiles/moviemaker, programfiles/internetexplorer, and in windows..... the mui folder in windows has nothing in it.

 

Was finally able to uninstall norton. I installed the free version of norton 2005 which will last 15 days... is it really worth the 50$ investment or will all the other programs I've downloaded since my problem occured be enough? Should i be uninstalling any of them (there are so many!)? I know I've said thank you many times but I just wanted to tell you I really really appreciate all the help you've given me. Seriously, I was just about to go out to buy a new computer (and when I do, it WILL be a Mac). You guys are great, your website is very informative, even for those computer illiterate people like me. Your staying in my favorites. All the best! Mwaaa!

 

Chloe,
I would ditch Norton al-together and use Avast Home Edition. It's free and very good.

http://www.majorgeeks.com/download1968.html
Avast! Home Edition 4.1.418

 

Ok, cool. Will do. Did u see what i wrote about mui?

 

I take it i can put back system restore right?...

 

Me again.... I have this IE window that pops up in the toolbar at the bottom of the screen called media4.fastclick.... if i click on it nothing happens (no IE window opens up)... should i redo again the steps in read-this... looks like something fishy.