Hijackthis will not scan - need to get rid of this virus!

Welcome to Majorgeeks!

You really should be running ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support before posting a HijackThis log. I will give procedure below to try to help work around your current problems. But based on what I see, you could have other hidden problems and the READ ME should be run afterwards to make sure you are clean.

Download LSP - Fix

Run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the newdotnet7_22.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move newdotnet7_22.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.
If it is already in the Remove section, just click Finish.


Also download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\WINDOWS\system32\elvnwrtp\csrss.exe
C:\WINDOWS\system32\elvnwrtp\smss.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - <default> - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\elvnwrtp\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\elvnwrtp\csrss.exe
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/powertools.cab

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Accoona <--- the whole folder
c:\program files\newdotnet <--- the whole folder
C:\WINDOWS\system32\elvnwrtp\csrss.exe
C:\WINDOWS\system32\elvnwrtp\smss.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Re: Hijackthis will not scan -cannot follow instructions given

Locate hijackthis.exe and right click on and select rename. Change the name to myhjt.com

Now try to run myhjt.com

If that runs, complete the procedure!

 

WinXP does not have DOS but you could try running the whole procedure in safe mode to see if it will work.

The two processes below that are running are what's causing you this problem.
C:\WINDOWS\system32\elvnwrtp\csrss.exe
C:\WINDOWS\system32\elvnwrtp\smss.exe

Do not confuse these with the below which are valid:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\smss.exe

If you cannot do the procedure in safe mode, let me know if you can get the below program to run:

ProcessExplorer for Win NT/2K/XP

 

Not yet! Which version of Windows XP do you have? Is it Home, Media, or Pro. Do you have a bootable Windows XP SP2 CD?

Tell me if you can run Windows notepad or Windows wordpad.

Also tell me if you can get this to run: Pocket KillBox

Also tell me if you can open a command prompt window by clicking Start, Run and enter cmd and click OK.

Also see if you can follow the directions in the below links and run the scans.

Running Spy Sweeper

Running Ewido Anti-Malware

If you can run the above scans, attach the two requested logs here.

 

See if the below will run (it needs regedit to work and the malware could block it):

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

If it does add into your registry, IMMEDIATELY REBOOT.
And then try to complete those steps with HijackThis from message # 3.

 

You need to attach the Spy Sweeper log. Also download and try the registry patch again. I had a typo in it. You must download and save it again.

Since you have Win XP Pro.

• goto a command prompt and enter the below command
  • tasklist /svc > c:\tasks.txt
• then upload that tasks.txt file her (it should be located in the root folder of drive C)

 

• Please download The Avenger by Swandog46 to your Desktop.
• Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop
• Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL+C

• Now, run The Avenger program by double clicking its icon on your Desktop.
• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

• It will Restart your computer. (When the script being executed contains "Drivers to Unload", The Avenger will actually reboot your system two times.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the reboot, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your next message.

 

If the steps in my last two messages do not help, try the below:


Download MsnVirRem.exe to your desktop.

• First close any other programs you have running as this will require a reboot
• Double click MsnVirRem.exe to run it
• Once open, click the button labeled Search and Destroy Your computer will now be scanned for Infected Files
• When scanning is finished you will be prompted to reboot only if infected, Click OK
• Now click the REBOOT Button.
• After the Reboot, you will receive file not found errors! Please acknowledge them and continue.
• A Message should popup from MsnVirRem if not, double click the program again and it will finish.
• Please Post the contents of C:\msnvirrem.log
• See if you can now run HijackThis to get a new log. If so, attach it.

 

That's great news! I'm happy to hear we beat this baddie.
Since you can now run programs let's immediately add a firewall to your system ASAP. So goto to step 3 in the below link and download and install ZoneAlarmFree.

How to Protect yourself from malware!

You will need to reboot after installing ZoneAlarm. After reboot continue with the below.

Since you already Ewido from my previous instructions, see if you can complete a scan with it now. Attach the log.

Uninstall Spy Sweeper unless you plan on buying it.

Rename myhjt.com back to hijackthis.exe to avoid having it look like malware itself.
Run MSconfig and select Normal Startup!!!!

Use HJT to fix the the items previously listed in message # 3. Some lines are already gone.

Then after the fix and the reboot. Attach a new HJT log.

Since you had such a baddie installed we probably should be safe and run all steps in the READ & RUN ME now.

 

Re: Hijackthis will not scan (you Killed IT!! THANK YOU!)

Well Veronica, it seems we are not finished yet!

You have about 8 to 10 more new malware problems that have showed up. They may have been hiding and were not able to show themselves before or they may have found a way in before you got the firewall. And if Norton is broken, that makes it easier too.

Before I can work up a fix I want to see if any of them are in Add/Remove programs.

Let's get an installed programs list from HijackThis!

• Run HijackThis, click Open the Misc Tools section
• Click Open Uninstall Manager
• Click Save List (generates uninstall_list.txt)
• Click Save, to save it to a file where you can find it.
• Attach the uninstall_list.txt file to your next message.

 

Actually it would be best not to run or install anything unless I request it. You could just keep changing the symptoms or cause things to spread by doing so.

The only thing I note from your Uninstall Programs list is that you do not have the current versions of the below programs:
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
Mozilla Firefox (1.5)
Spybot - Search & Destroy 1.3

Do not do anything with the above yet! We will update these later after removing any malware.

Okay since you ran Norton again and things may have changed, I will need to see a new HijackThis log. After attaching it, do not run anything else to try and fix any malware issues. Please wait for my next instructions.

 

Okay! It's good we got a new log! Two more baddies showed up! I going to give you a quick fix with HijackThis and then afterwards I want you to run a couple scanning tools. I will tell you what to run and when.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v1\scbar.exe" /U
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
O4 - HKLM\..\Run: [msnarrator] C:\WINDOWS\msnarrator.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Xupiter <--- the whole folder
C:\Program Files\PrecisionTime <--- the whole folder
C:\Program Files\Common Files\GMT <--- the whole folder
C:\Program Files\Date Manager <--- the whole folder
C:\Program Files\scbar <--- the whole folder
C:\Program Files\Power Scan <--- the whole folder
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\internetfeatures.exe
C:\WINDOWS\System32\iefeatures.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\msnarrator.exe
C:\WINDOWS\MSMGT.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

I do not see Ewido installed anymore. Did you uninstall it? Looks like you may have uninstalled it when I asked you to uninstall Spy Sweeper, but I only wanted Spy Sweeper uninstall and I did ask for you to retry Ewido in message # 18.

I want you to run a full scan with it (per the instructions for Ewido in message # 9) and attach the log.

 

Yes, just continue thru ALL steps and attach the new HJT. Then run Ewido and attach the log .

It was not in your last HJT log things were getting added each time you posted a new one. I would delete it!

 

I don't know what you are referring to.

 

Okay now you can uninstall Ewido! Don't uninstall anything else (like CCleaner), the other tools are all good to keep around.

You still have one problem that seems to have been missed from my previous instructions. So let's repeat the steps for just it.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [msnarrator] C:\WINDOWS\msnarrator.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\msnarrator.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Yes! It mayhave been remove by HJT this time or even the previous time.

If it is gone from your log, you should be ready for the final steps below!

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Veronica,

If you still have the C:\msnvirrem.log file. Please attach it here. It really should not be an empty file. There should be something in it even if it is only some default text information.

 

Thanks for attaching it. I guess Avenger had actually removed the files first.

MSN is not the cause of the problems. It is where the you surf and what you download/install or even click on that can be the problems.

You're welcome again and thanks for the plugs with your fellow workers.