in agony :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by hmorrison, Feb 13, 2005.

  1. hmorrison

    hmorrison Private E-2

    Just today it seems that my computer has been infested up the wazoo with various bad things. Every 30 seconds or so, Norton antivirus pops up windows that says it found Download.Trojan in a couple files and deleted them, but a)these files don't exist, or at least I can't find them, and b)it keeps on doing it over and over, and c)a full system scan doesn't find the virus. I also am having a lot of bad random IE windows popping up. I've run AdAware, and am still having the problem, I even ran Norton in windows safemode. Please help!

    (I'm running Windows XPHome SP1)

    Thanks in advance!
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    We ask that you first try to do ALL the TUTORIAL listed below.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not, post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there.
    Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. TheOldThug

    TheOldThug First Sergeant

    By the way, you might want to go here also and read what Symantec says about Download.Trojan.

    Download.trojan
     
  4. hmorrison

    hmorrison Private E-2

    So I have tried all of the scans/cleaning programs listed in that tutorial, and I'm still having the same problems (and have noticed a few more). Here is a brief summary of what I found:

    Trend micro's scan found several Trojan files (Agent.AAB, Agent.BT, Narrator.A, Bispy.B) and said it couldn't clean, but deleted the files.

    Symantec's scan results are attached as a file.

    McAfee Avert Stinger didn't find anything.

    Ran CCleaner fine.

    Ad-Aware deleted several files, but could not remove c:\windows\system32\o484lelq1hqe.dll.

    SpyBot found several things, and removed most of them except for the CoolWebSearch ones (CoolWWWSearch.Bootconf, .Loadbat, .MSconfd, .Oslogo, .Tapicfg, .Xmlmimefilter).

    CWShredder only found/removed the Bootconf one, not any of the others that SpyBot found.

    HSRemove and AboutBuster were fine.

    I did all of the above in SafeMode, then ran HiJack this when I rebooted into normal mode. However, rebooting also gave me several rundll error popup windows, e.g. "error loading E6F1873B.dll".

    I only have these Norton windows popping up finding "download.trojan" when I am in normal mode, and I have tried Symantec's removal instructions but they have apparently not worked.

    My computer is effectively unusable at this point, as I can't type for more than 30 seconds without the Norton warnings or some random IE page opening up.

    Please help me, without saying I should just reformat. :( :(
     

    Attached Files:

  5. PhilliePhan

    PhilliePhan Guest

    Hi hmorrison,

    You have a number of issues to deal with. Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix


    FIRST:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Now, do the same for aklsp.dll.

    Then, click the Finish Button. When the Repair Summary box appears, click OK.


    NEXT:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Uninstall Viewpoint in Add/Remove Programs

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    winupdt.exe
    wsxsvc.exe
    Iywhtd.exe
    sysmonnt.exe


    Now scan with HijackThis and Check the Boxes for the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    These will come back
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Muusbe.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Iywhtd.exe
    O4 - HKLM\..\Run: [oiqpkqp] c:\windows\system32\oiqpkqp.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    These should be gone due to LSP Fix
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\winupdt.exe
    E6F1873B.DLL --> You'll have to run a search for this one
    C:\WINDOWS\system32\n20050308.exe
    C:\WINDOWS\System32\wsxsvc --> the Folder
    C:\WINDOWS\System32\Muusbe.exe
    C:\WINDOWS\System32\Iywhtd.exe
    c:\windows\system32\oiqpkqp.exe
    C:\WINDOWS\System32\sysmonnt
    C:\Program Files\Viewpoint --> the Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NOW:
    Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix log along with a fresh HijackThis log and we’ll see where you stand. Please TRY NOT TO REBOOT after scanning for these logs!! I will try to check back as time permits.

    Best Luck :)
    PP
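    The HijackThis lines quoted in this post can be triaged mechanically. The script below is an added example, not part of the thread and not part of HijackThis or any of the tools linked above; the sample log lines are copied from the excerpt in this post, and the heuristics (a hosts entry pointing a name at a non-loopback address, an O4 entry that has rundll32 load a DLL by bare name, an autorun target with no file extension, and any O10 "unknown file" LSP entry) are my own assumptions about what makes an entry worth a second look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis excerpt quoted in this post.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def is_loopback(ip):
    """Hosts entries that block a name point it at loopback; anything else redirects it."""
    return ip in ("0.0.0.0", "::1") or ip.startswith("127.")


def check_hosts(entries):
    """entries: list of (ip, name). Flag every name sent to a non-loopback address,
    and note when several names share that address (the pattern in the log above)."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        by_ip[ip].add(name)
    findings = []
    for ip, name in entries:
        if not is_loopback(ip):
            reason = f"{name} is redirected to remote address {ip}"
            if len(by_ip[ip]) > 1:
                reason += f" (shared with {len(by_ip[ip]) - 1} other name(s))"
            findings.append(("O1", f"{ip} {name}", reason))
    return findings


def check_run(hive, label, command):
    """Return a finding for one O4 autorun entry, or None if nothing stands out."""
    cmd = command.strip()
    parts = cmd.split(None, 1)
    if parts[0].lower().endswith("rundll32.exe") and len(parts) == 2:
        dll = parts[1].split(",", 1)[0]
        if "\\" not in dll:  # bare name: resolved through the DLL search path, not a fixed file
            return ("O4", f"{hive} [{label}]", f"rundll32 loads '{dll}' by bare name")
        return None
    last_component = cmd.rsplit("\\", 1)[-1]
    if "." not in last_component:  # e.g. System32\sysmonnt: no extension at all
        return ("O4", f"{hive} [{label}]", f"autorun target '{cmd}' has no file extension")
    return None


def analyze(log_text):
    """Scan a HijackThis-style log and return (section, item, reason) tuples."""
    findings = []
    hosts_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts_entries.append((m.group(1), m.group(2)))
            continue
        m = RUN_RE.match(line)
        if m:
            f = check_run(*m.groups())
            if f:
                findings.append(f)
            continue
        m = LSP_RE.match(line)
        if m:
            # Any LSP that HijackThis cannot identify deserves a look; a broken chain kills networking.
            findings.append(("O10", m.group(1), "unidentified Winsock LSP module"))
    return check_hosts(hosts_entries) + findings


if __name__ == "__main__":
    for section, item, reason in analyze(SAMPLE_LOG):
        print(f"{section:4} {item:60} {reason}")
```

    Run it on a saved log with `analyze(open("hijackthis.log").read())`. The hosts check is the most reliable of the four: a legitimate hosts entry that blocks a name points at loopback, so three search-related names all resolving to the same outside address is exactly the redirect this thread is fixing. The O4 checks are weaker and only narrow down what to look up by hand.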
     
  6. hmorrison

    hmorrison Private E-2

    Thanks, PP -

    I followed all those instructions, with the exception that I couldn't delete winupdt.exe, oiqpkqp.exe, or E6F1873B.dll because I couldn't find them anywhere on my harddrive.
    Also, SpyBot again found the same CoolWWWSearch problems as before that CWShredder didn't fix.

    I am noticing fewer popups, and the download.trojan problem seems to be gone (for now), but I do still get random IE popups now and again.

    I have attached the l2mfix and the new HiJack this logs.
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    Looking better :) Here is the . . . .

    NEXT STEP:

    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go wacky for a bit, but just let it run. It should eventually cough out another log in Notepad. Please attach that log along with a fresh HijackThis log.

    Again, don't run any other files in the L2MFix folder. And, again, try not to reboot!

    PP :)
     
  8. hmorrison

    hmorrison Private E-2

    Here's the new l2mfix and HiJackThis logs.
     

    Attached Files:

  9. PhilliePhan

    PhilliePhan Guest

    Hi Hmorrison,

    Please scan with HijackThis and Check the Boxes for the following:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    Be sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Check your Recycle Bin to make sure that no problems remain and that it is working properly.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.


    NEXT:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with a Fresh HijackThis Log and we’ll see if we got everything.

    How are things running now? These last two logs will tell me if you have one last hidden baddie - other than that, you should be OK. I will check back as time permits. Probably Tuesday evening - It's getting late in my neck of the woods!

    PP :)
     
  10. hmorrison

    hmorrison Private E-2

    Here's the new logs. The recycle bin seems to be okay. Everything is running much smoother - haven't been noticing any more problems.

    Keeping my fingers crossed.... :)
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    I think we can just about pronounce your computer healed!

    Just DELETE this folder ---> C:\WINDOWS\System32\vmss
    Let me know if it gives you problems. You'll likely need to do it in Safe Mode.

    Then, have a peek at Chaslang's Commandments!!


    Happy Computing :)
    PP
     
  12. hmorrison

    hmorrison Private E-2

    I deleted that folder (in normal mode without any problems).
    Thanks so much for all your help, you're amazing! :D I'll definitely be recommending your site to my friends in the future. Now I'm off to update all my internet safeguarding!
     
  13. PhilliePhan

    PhilliePhan Guest

    You're Welcome! :)
     
