Malware issues (BO2K?)- downloading, antivirus, performance

Discussion in 'Malware Help (A Specialist Will Reply)' started by Vykromond, Mar 20, 2006.

  1. Vykromond

    Vykromond Private E-2

    This is a very long post, for which I am sorry. As you'll see, I am unable to gather information about my system state in the "preferred" ways of the forum, so I have attempted to compensate for this by describing my issue as precisely as I can.

    I recently performed a full reformat and clean reinstall on my computer because it was having major performance issues caused at least partially by viruses, particularly "Back Orifice 2000." Symptoms included extreme slowdowns, issues with anti-virus software, system hangs, etc.

    After the reformat, my system somehow got reinfected by the virus. I suspect that a removable drive I was using and did not separately reformat was the cause of the issue. Regardless, this was when I actually discovered the nature of the virus through Windows Defender. I googled steps to remove it, and did. However, periodically (every day for a certain period of time, in fact), the virus would reestablish itself on my computer, and I would have to follow certain other steps for protection.

    This went on for a certain period of time, and for a while the virus was off my computer. However, yesterday my system had a lockup and I realized the virus was back. For a while, I grappled with it trying to remove it- it would automatically reestablish its registry keys on reboot even if I purged it with REGEDIT using the process I was instructed to from googling the virus. Eventually, I managed to delete the registry keys and UMGR32.exe (the virus executable), but... the symptoms have continued. Here are the issues I am experiencing:

    - Cannot run Windows Defender. It gives me a runtime exception at startup and when I try to run the executable.
    - Cannot operate Norton Anti-Virus. It runs, but has a runtime error and crashes when I try to scan the system.
    - Cannot run Spybot. An MS-DOS prompt comes up, but the program does not execute.
    - Cannot download files from the Internet. The downloading dialog progresses all the way through to 100%, and then promptly closes, without the file appearing where I've designated it to download to.
    - Periodic full system lockups or system slowdowns.
    - I strongly suspect there are other issues. The virus is a Trojan that allows "remote administration," so I can't shake the feeling that typing in a password (or, God forbid, a credit card number) is going to just make things worse. I had to convince myself strenuously just to register here, as I'm currently on the infected machine.

    I did manage to System Restore once and in that time run a scan with Norton, which found and (said that it) deleted BO2K.exe on my hard drive. I also downloaded Avast at this time. Avast, unlike Norton and Windows Defender, seems to work, although its system scan does not find anything on my computer (neither does AdAware). On its "first reboot scan," it did discover Micro-Joiner on my computer (which I gather is a masking tool), which I instructed it to delete.

    The UMGR32 (Back Orifice 2000) virus reproduces itself spontaneously, without warning, on my computer while it is running. I just ran regedit and saw its keys again, even though I clearly remember deleting them and rebooting until it was completely gone just a few hours ago.

    I have also disabled Windows' RemoteRegistry service, judging (incorrectly) that the way the virus was reestablishing itself was through remote registry manipulation. It is now disabled, but the virus still reproduces, so it would seem like something local is doing the trick.

    I'm literally at my wits' end here. I can't get any work done on my computer because I am afraid that it will not be held confidentially due to the Trojan that (I suspect) is on it. I can't download utilities from the Internet that would help me fix the problem, if I even knew what to download.

    On to the "READ & RUN ME FIRST Before Asking For Support" sticky post. I'm really sorry, but I just wasn't able to do much of this. I did read the full post before I made this post, and made a conscientious effort to apply its recommendations. I'll list my issues below.

    0: None of these programs are installed on my computer, and none show up in Add/Remove Programs.

    1: I'm too afraid to do this. The only thing that (even temporarily) worked to remove the virus, so far, was to System Restore to a date at which I did not remember the virus being on my computer. The last time I did this was this morning, when I restored to a 3/15 state and managed to get in a Norton scan and an installation of Avast before the system was once again compromised. The results of the scan were detailed above. Judging by the wording of the tip, you don't want me to disable System Restore anyway until the system has already been cleaned.

    2: I've had this on for months.

    3: I can't. I was only using Norton, but it crashes when I run it and when I tried to remove it using the Add/Remove Programs toolbar, the uninstall was unsuccessful (it simply quietly closed midway through the Windows Installer dialog). I have since installed Avast!. I can uninstall it if you like, I think, but I'm leery to, since it (unlike Norton) is at least "working" for the time being even if it's not detecting anything.

    4: I have Ad-Aware SE, which does not detect anything. I have SpyBot - Search & Destroy, which does not run. I have Microsoft Windows Defender, which does not run. I cannot download the rest because the virus is preventing me from being able to.

    5: I ran Safe Mode with my network cable unplugged.
    Ad-Aware SE produced no results. SpyBot produced one result in safe mode. I attempted to use its “Fix selected problem” feature, but it produced the error “Failed to load UNZDLL.dll” and then proceeded to tell me the problem was corrected. Scanning again revealed the same problem, with the same error of deletion. I cannot find the identified key in the registry. SpyBot’s error report is attached. I ran SpyBot again after “removing” this issue twice, with no errors detected this time.
    Norton and Windows Defender continued to have the same errors that they had outside of safe mode.
    Avast!, which had reported two MicroJoiner trojans at boot time (which I instructed it to delete), reported no results when run in safe mode, and took a really long time to do so- over an hour. :|
    In safe mode, CPU Usage would spike to 100% with actions as simple as moving the Task Manager window from right to left. I don’t know if this is intended behavior.

    6: Logs attached. Afterwards, I ran Avast! yet again, which detected MicroJoiner in the initial memory scan and ran another boot time scan. The boot time scan detected a “pskavs.dll” infected by “Win32: CTX.” I moved it to the chest. Symptoms continued after boot.

    7: Can’t do this- I can’t download HijackThis!

    8: Can’t download SpySweeper. Can’t download Ewido. TrojanScan reports nothing. Kaspersky found 3 things; the log is enclosed. I was able to manually delete both things that weren’t in the System Volume Information (is this System Restore?). I ran it again immediately afterwards, finding 2 things (log enclosed) both in System Volume Information. TrendMicro failed completely; a picture of the error is attached. Can’t download a-squared.

    The computer in question is a ThinkPad T41 with a 1.7 GHz Intel(R) Pentium(R) M processor and 1 gig of RAM, running Windows XP SP2.

    If you have any questions, I would be more than willing to answer them. Any helpful tips or answers would also be much appreciated.

    Thank you in advance.
     


  2. Vykromond

    Vykromond Private E-2

    Sorry for immediately glomming on to my own post, but there is a maximum of 4 attachments and I have a few extra logs to post. Attached here are two Kaspersky logs, the runtime error received from Norton, and the log from one of my (many) Avast! scans.

    EDIT: attachments in the previous post were 3 items from SpyBot!, described in the post, and the error given by TrendMicro!

    The screenshot of the Windows Defender error has not been included. It says: "Application failed to initialize: 0x80070002."
     


  3. Vykromond

    Vykromond Private E-2

    Nobody can help with this? I guess I'll have to go back to the drawing board, then. :(
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. Vykromond

    Vykromond Private E-2

    Thanks a lot for your reply.

    Sort of. Every once in a while, the registry keys mentioned reestablish themselves in my registry at "HKLM\SYSTEM\ControlSet001\Services\Remote Administration Service," like it says. I always delete them and then delete UMGR32.exe. The symptoms I described in the initial post persist even when I delete the registry keys and the executable. I can't reboot into the MS-DOS prompt because, well... there is no MS-DOS prompt in XP. Should I try to find the other files (not registry keys) mentioned on the webpage? Will they also be masked like UMGR32.exe?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also please run the steps in the below link (if you can! It is very small and maybe you can get it to download.) and attach the requested log to your next message:

    Using GetRunKey
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The closest thing is Safe Mode with Command Prompt. In this mode there is no Desktop (i.e., explorer.exe is not loaded ) and you have just a command prompt. However it is not truly an MS-DOS prompt. Much of Windows is still running.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does a file like below exist?

    C:\WINDOWS\SYSTEM\EXE~1

    Look for anything that begins with EXE and tell me what you find? Just look!
     
  9. Vykromond

    Vykromond Private E-2

    Should I run the Safe Mode w/ Command Prompt to try and do what the website tells me to? How do I do a full system scan from DOS, like it asks? And what exactly should I be searching for?

    I see nothing that begins with the name EXE in the WINDOWS/system folder.

    EDIT: However, there is an "exe2bin.exe" in the system32 folder.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot unless you have an antivirus program that will run in that mode. Those steps were written for McAfee users in 1999.

    That file is fine.

    Which antivirus program is installed on your PC currently? Is it up to date with definitions?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you see any of the below files?

    Bo2k.exe
    Bo2kcfg.exe
    Bo2kgui.exe
    Bo3des.dll
    Bo_peep.dll
    BO2KGUI.EXE

    Look in each of the below folders:
    C:\
    C:\Windows
    C:\Windows\System
    C:\Windows\System32

    C:\Documents and Settings\USERNAME\Local Settings\Temp

    Where USERNAME is your actual user account login name.
     
  12. Vykromond

    Vykromond Private E-2

    I assume you mean "look" manually, as in to go into each of those folders with "show hidden" and "show system" checked in windows explorer and see if any of those files are present. I checked and they are not.

    Perhaps BO2K is not the only problem on the computer, and maybe not even the most prevalent one? Right now I can't see any trace of it (registry keys, anything) on the computer. Yet I still can't, for example, run Windows Defender, or download any files.

    EDIT: I have a semi-updated version of Norton on my computer. As I said in my original post, it is currently not working- it immediately crashes when I attempt to scan and gives a run-time error that I attached to my second post.

    I also have Avast!, which is fully updated and functioning. I have been using it in place of the broken Norton.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never ran and attached your BitDefender log. Did you run it in step 6? If not, try running it (preferably in safe mode)?

    When you try to download HijackThis, what happens? Can you download in safe mode? Does email work for downloading?

    Try this link to a direct EXE file: http://216.180.233.162/~merijn/files/HijackThis.exe
     
  14. Vykromond

    Vykromond Private E-2

    Give me a minute or two to reconnect my network cable to the computer and try to do what you have just described (I've been typing from another laptop).

    I may be able to burn some extra programs that I am able to download onto a CD from this laptop, then transfer them over to my own laptop and attempt to run them there. Would you recommend that? Which programs should I start out with?
     
  15. Vykromond

    Vykromond Private E-2

    I am now typing from the infected computer. When I click the link to that direct exe for HijackThis, it gives me the run/download dialog. I selected "Run," and then "Run" again (rather than "Don't Run"). Nothing happened after that. No new dialog box, no actual running, nothing.

    It's the same story with opening/downloading any file from a website or any file sent in attachments. If I download a file, the download "finishes" (in the sense that progress goes to 100%), and then the window closes without any further action.

    If I forgot BitDefender, I'll do it now.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start with HijackThis! Get me a log and let's see if there is anything obvious in there. Note that HijackThis really shows very little of the possible things that exist in the malware world but it is worth a try.

    Next I would try to do the below two scans if possible:

    Running Spy Sweeper

    Running Ewido Anti-Malware

    Then the below just for the heck of it:

    McAfee AVERT Stinger

    avast! Virus Cleaner Tool

    Since Norton is broken, it would be best if you uninstalled it to avoid conflicts with other tools.
     
  17. Vykromond

    Vykromond Private E-2

    RE: Norton

    That was my opinion as well, but I cannot uninstall it. When I attempt to remove the program, the "windows installer" box comes up, and then disappears without a word. It's like I tried to download something!

    So, instead of choosing "Remove" from the Add/Remove Programs toolbar when I selected Norton, I selected "Change." I got this error:

    Error 25009. There was an error loading NavCust2.dll.

    I'm not sure what this means- navigation customizer? huh?

    RE: the programs you listed

    I'll try loading all of those programs onto a CD and tossing them into the infected computer and running them. Since it's getting late and I have to wake up in a few hours for the night shift at work, I'll probably get to this sometime later today. Thanks for all of your help so far. I really appreciate you taking your time and energy out to work with me on these issues.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know how things go. The first thing you should do is get me the HijackThis log if possible. Then run the other tools. Also see if the Bitdefender online scan will work and attach that log too.
     
  19. Vykromond

    Vykromond Private E-2

    I might as well post the results of my BitDefender scan before I go to bed. If you need some sleep (and, living in North Jersey, I'd assume you would want some at this point!), feel free to ignore this until whenever it's convenient.

    BitDefender creates logs in HTML, so I pasted them into a Notepad file and saved it as a .txt, which is attached.
     

    Attached Files:

    • bd.txt (1.3 KB)
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually that is how we prefer them to be saved and what the directions in step 6 actually create. They create an HTML file saved as a .txt file so it can be uploaded. That way no one has to edit anything and the formatting is easier to read.

    Nothing of use in the log. Just a file in System Restore.
     
  21. Vykromond

    Vykromond Private E-2

    Okay. Here's an update on my situation. Before I ran these scans, BO2K appeared on my computer yet again. I deleted the "ImageMap" registry entry, ran Avast! which detected MicroJoiner in my memory, deleted that, rebooted with a full Avast! scan at boot time (which found nothing), deleted UMGR32.EXE, rebooted again, and deleted the rest of the registry key corresponding to BO2K (HKLM/System/CurrentControlSet/Services/Remote Administration Manager).

    Avast! Cleaner (which "could not scan" two files, log attached) and McAfee Stinger found nothing.

    Windows Malicious Software Removal Tool found nothing.

    Ewido and SpySweeper found nothing.

    I used CCleaner to clean out as much as I could.

    I also used GetRunKey and HijackThis. The logs of both are attached.

    On a hunch, I also ran Rootkit Revealer, which appears to have found one thing. I do not know how to, or whether I should, remove this.
     


  22. Vykromond

    Vykromond Private E-2

    The rest of the attached files mentioned above (HijackThis!, GetRunKey) are below.
     


  23. Vykromond

    Vykromond Private E-2

    Just to reiterate the continuation of symptoms on my machine- at the moment there is still no sign of BO2K, but a few minutes ago CPU Usage spiked to about 100% for a period of time. I remain unable to download files or run Norton/Windows Defender.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure that what RootKit Revealer found is a problem. It could be from Daemon Tools. Do you have that (or did you have that) installed?

    I would like to get some more info on the C:\WINDOWS\SYSTEM32\notifyf2.dll file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    This may be for your Think Pad but it seems suspicious especially since other people complaining of a slow PC have this in it too.

    There are two others we will need to fix:

    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll

    The first may fix easily just using HijackThis. The second will not. We will need to use some special steps to remove this. But first I want to know more about the notifyf2.dll file.
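The O20 triage discussed in the post above, as an added example that is not part of the original thread or of HijackThis itself: it parses the `O20 - Winlogon Notify` lines of a log, marks entries whose DLL is reported missing, and sends everything not on a reviewed allow-list to manual inspection (the Version tab and company name check). The `APPROVED` set, the `igfxcui` and `O4` sample lines and the verdict names are constructed assumptions; the other three O20 lines are the ones quoted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass

# "O20 - Winlogon Notify: <subkey name> - <dll>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Hypothetical allow-list an analyst maintains after verifying each file:
# (Notify subkey name, DLL base name), both lower-case.
APPROVED = {("igfxcui", "igfxdev.dll")}

# Constructed sample log. The O4 and igfxcui lines are made up for the
# example; the remaining O20 lines are those quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""


@dataclass(frozen=True)
class NotifyEntry:
    name: str           # Notify subkey name as shown by HijackThis
    dll: str            # DLL path exactly as logged
    file_missing: bool  # HijackThis appended "(file missing)"
    verdict: str        # "stale", "approved" or "review"


def triage_o20(log_text, approved):
    """Return one NotifyEntry per O20 Winlogon Notify line in log_text."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O4, O23, ...) are ignored
        name, dll = m["name"], m["dll"]
        missing = m["missing"] is not None
        # Match on name AND DLL base name: a familiar subkey name pointing
        # at a different DLL must not inherit the earlier approval.
        key = (name.lower(), ntpath.basename(dll).lower())
        if missing:
            verdict = "stale"     # registry entry left behind, DLL is gone
        elif key in approved:
            verdict = "approved"
        else:
            verdict = "review"    # inspect file properties before acting
        entries.append(NotifyEntry(name, dll, missing, verdict))
    return entries


if __name__ == "__main__":
    for e in triage_o20(SAMPLE_LOG, APPROVED):
        print(f"{e.verdict:9} {e.name:10} {e.dll}")
```

A "review" verdict only means the entry has not been verified yet; it says nothing about whether the DLL is malicious.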
     
  25. Vykromond

    Vykromond Private E-2

    There is no version tab or any apparent signature on notifyf2.dll. Furthermore, it is not from my ThinkPad. The file was created on February 2nd, 2006 3:09:26. I have been using my ThinkPad since August.

    AND looking at HijackThis, notifyf2.dll seems to be accessing winlogon? (It appears as an O20)

    The RootkitRevealer result is probably from DAEMON Tools, yes. I do have that installed, but I didn't know whether the file found by RKR was still an issue.

    I fixed "O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)"

    Should I also attempt to fix "O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll" even though I probably can't, or should I just not bother?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You cannot simply fix them that way. It will not work. Follow the below instructions.

    Start by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of psqlpwd.dll once and then click the kill button. After you have killed all of the psqlpwd.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above winlogon.exe instructions for the notifyf2.dll file.

    Next double click on explorer.exe and again click once on each instance of psqlpwd.dll and kill it.

    Now repeat the above explorer.exe instructions for the notifyf2.dll file.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
    O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\psqlpwd.dll
    C:\WINDOWS\SYSTEM32\notifyf2.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot, let's double check with Windows Explorer for the below and delete them if they still exist:
    C:\WINDOWS\SYSTEM32\psqlpwd.dll
    C:\WINDOWS\SYSTEM32\notifyf2.dll


    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  27. Vykromond

    Vykromond Private E-2

    Should I save the text in the quote box with or without the leading line skip?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need the blank line.
     
  29. Vykromond

    Vykromond Private E-2

    Okay. I'll try this now and tell you how it goes.
     
  30. Vykromond

    Vykromond Private E-2

    So far, chaslang, you have been a lifesaver. By following the steps you just outlined, I was able to regain the use of downloading- in fact, I just uninstalled and reinstalled Windows Defender successfully without having to rely upon another machine for the download.

    I have attached the new HijackThis! log. If there are any other outstanding issues, please let me know.

    Additionally, I have a few other questions, if you're not too busy tonight.

    1) Norton is still crashing. I don't think this is a malware problem, but rather a Norton problem. However, I am trying to uninstall Norton from Add/Remove Programs- and not being successful at all. What can I do to get it off my computer so that it doesn't conflict with Avast! ?

    2) I suspect that my current malware problem started on a removable drive. I have that drive sitting in front of me. I haven't turned it on in more than a week, afraid that the virus would get worse if I did. What should I do when reconnecting this drive to ensure that it does not reinfect my system? This is a USB external 300 gig hard drive from Fantom Drives.
     


  31. Vykromond

    Vykromond Private E-2

    Also, should I be flushing my System Restore now?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to (Norton AntiVirus Server) (if that is not found, look for the short name: Norton AntiVirus Server)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following service: DefWatch

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Norton AntiVirus Server

    Now repeat the Delete NT Service steps for: DefWatch

    Now exit and reboot when it tells you it needs to.
    After reboot delete the C:\Program Files\NavNT folder and check that all the Norton stuff (the two O23 lines) are gone from your HJT log.


    First complete all the stuff in the link I will give you in my next message. Then you can hook up this drive but do not copy any files to or from it. First run fullscans with your antivirus and antispyware applications on it. You may even want to run the Bitdefender online scan on it (only choose to scan this USB drive).
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  34. Vykromond

    Vykromond Private E-2

    I don't see Norton AntiVirus Server, only Norton AntiVirus Client. Should I follow the same steps, but for the different service?
     
  35. Vykromond

    Vykromond Private E-2

    I'm also having an additional issue in the "How to protect yourself from malware" thread, which I've been working through while I wait to find out about the Norton services.

    When I try to put a password on my administrator account, I get the error message "Windows cannot change the password." What gives? Is it because I'm currently logged into the administrator account?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That is what it should be for the first part in services.msc. Just stop and disable it then continue with the steps.
     
  37. Vykromond

    Vykromond Private E-2

    Okay, thanks. I'll do that right now. BTW: I have experienced no problems so far with the computer since the steps you previously gave me.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you are logged into the actual Administrator account? Or are you just logged in as another user that has admin privileges? You can only see the real Administrator account in safe mode.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good news!!! :)
     
  40. Vykromond

    Vykromond Private E-2

    I can't seem to Delete NT Service for DefWatch. It states that "The service you entered is system-critical! It can't be deleted."

    As for Norton AntiVirus Client, it said that it could not be found in the registry.
     
  41. Vykromond

    Vykromond Private E-2

    Umm... probably not, then. I'm in normal mode, trying to change the password of my own login name. To change the passwords, should I login to Safe mode and then amend both the Administrator and my own password?
     
  42. Vykromond

    Vykromond Private E-2

    As an addendum to this, I *did* disable these from services.msc, and they no longer appear as O23's in HijackThis!. It's just in deleting them as NT services that I received the disparate errors listed above.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must boot into safe mode and login to the Administrator account (that is the user name) to change the password. It comes by default with no password and hackers take advantage of this. If they get into your system and the Administrator account has no password, they can easily login and they can do anything they desire since they are now the Admin.

    You can change your own password at anytime in any boot mode. If your account has admin privileges you can also change passwords of any other normal (non-administrator) account at anytime. Also note when you boot in safe mode, the only accounts that show are ones with admin privileges which always includes Administrator.
     
  44. Vykromond

    Vykromond Private E-2

    OK, thanks. What should I do to finish cleaning up Norton?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought you said the O23 lines are gone?

    Did you delete the C:\Program Files\NavNT folder as I instructed?
     
  46. Vykromond

    Vykromond Private E-2

    Yes, the O23 lines are gone. I was unable to use the HijackThis "Delete NT service" function, but should I go ahead and delete the directory that you mentioned anyway?
     
  47. Vykromond

    Vykromond Private E-2

    One further question: I just installed ZoneAlarm as part of the "protecting computer from malware" steps. Should I allow Generic Host Process for Win32 Services access to the Internet?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!!

    Yes!
     
  49. Vykromond

    Vykromond Private E-2

    Hehe, I sense that you're getting frustrated with me. ;) Sorry about that. I'm just trying to make sure that I don't do anything wrong now that my computer is finally working properly after more than a month of errors.

    I just deleted the NavNT folder, and am now rebooting to see if Norton will finally 'give up the ghost,' as it were. After that, I will try to reconnect the removable drive.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is everything working okay now? Did you scan the external drive yet?
     
