Multiple Trojans wreaking havoc

Discussion in 'Malware Help (A Specialist Will Reply)' started by pams, Mar 20, 2005.

  1. pams

    pams Private E-2

    I have spent the last week trying to remove dozens of Trojans/malware problems. I am running Windows XP on an AMD Athlon XP. I have tried all of the suggestions on your read me first post (or at least tried to). Some of the problems that I have encountered so far are Trojan.Dropper, Dropped. Trojan. Small, Dropped. Trojan. Downloader. Qoologic.F, Navidad Worm, and dozens of other malware. The one that I suspect is giving me the most trouble was found by House Call. It was Troj Lager A.

    My computer is extremely slow, but not 100% of the time. I will spend hours attempting to remove problems and think that I have gotten rid of everything just for it to start giving me trouble again. I have a couple of new icons on my desktop, the stupid isearch program giving me fits, and cannot always open programs. My computer freezes more times a day than I can count.

    I have tried running antivirus programs in Safe Mode, but cannot boot into safe mode anymore; it freezes within a matter of seconds. When I reboot, CHKDSK goes through the first two stages, but then says there is insufficient disk space to recover lost files.

    I have used Ad-Aware and Spybot for the last several months, but now Ad-Aware freezes and Spybot finds no threats. In fact, at least half of the programs I have tried found nothing.

    MS Antispy finds iSearch, but cannot seem to remove it.
    Spy Subtract finds nothing.
    Bit Defender finds 5 trojans and 1 adware.
    RAV finds 1 trojan.
    Trojan Scan finds nothing.
    Avast finds nothing.
    Ad-Aware freezes up.
    NAV usually finds nothing, but occasionally finds a trojan dropper.
    Spybot finds nothing.

    Please HELP!!!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).
     
  3. pams

    pams Private E-2

    Thank you for replying so quickly. I have been very frustrated lately... Fortunately today, my computer is behaving pretty well.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    The first thing that jumps out at me is that your Operating System & Internet Explorer are WAY outdated. After we get your system clean I would recommend you going to Windows Updates and getting updated. You need to install Windows XP Service Pack 2 for security purposes.
    • Platform: Windows XP (WinNT 5.01.2600)
    • MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Second:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
    • C:\Documents and Settings\User\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    Third:

    Please close ALL browsers and any other unnecessary programs.
    • C:\Program Files\Internet Explorer\iexplore.exe

    Do NOT proceed with the rest of this fix until doing all of the above except for Windows Updates, which we will do at the end.

    Fourth:

    Download and install Microsoft® Windows AntiSpyware. During the install make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now, because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.

    After you do ALL of the above, reboot and post a new HJT log.
     
  5. pams

    pams Private E-2

    Okay, here you go...
     

    Attached Files:

    • hjt.log (9.3 KB)
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have a few questions about this new log.
    • Did you install and run Microsoft AntiSpyware? What were the results?
    • Do you have System Restore disabled?

    Also, I want you to run this online virus scan; if you have already, do it again, as this will remove some of your problems.

    After you do this virus scan attach a new HJT log. Microsoft AntiSpyware should have got rid of most of this if you ran it with all updates applied.
     
  7. pams

    pams Private E-2

    System Restore was disabled. Microsoft Antispyware only found isearch.desktop. It has consistently found this problem, says it deletes it, but it never goes away, it always comes back.

    Trend Micro found TROJ LAGER.A in the following location: C:\WINDOWS\system32\lsassz.exe
    It is listed as non-cleanable. When I try to delete it, I get the following message: "Unable to clean the file 'C:\WINDOWS\system32\lsassz.exe' because it is currently in use."

    Here is the new HJT log.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Kaspersky Anti-Virus Personal 5.0 as it cleans this thoroughly + much of the crap that comes with it!! This version is a 30 day trial.

    You should print this out for reference!

    You must disable any AntiVirus programs you have installed

    Now install KAV 5.0

    When Installing, do the following as you come to them:

    Uncheck the Operate According to Recommended Settings Box

    Uncheck the Use Real-time Protection against Network Attacks Box

    Uncheck the Use The iStreams Technology Box

    Now, allow KAV 5.0 to download and install Updates. Then, look under Settings > Configure Updater and select Extended Database > OK > Check for Updates and allow those to install.

    Then, Click Settings > Configure On-Demand Scan Settings and Set Scan Level to Maximum > Perform Recommended Action > OK

    NOW, Close ALL Programs (including KAV 5.0) and Browsers!

    Physically Disconnect from the Internet - Pull the Cable!!

    Boot into SAFE MODE

    OPEN KAV 5.0 BUT DO NOT RUN IT YET!!!

    Open Task Manager (Ctrl-Alt-Del) and RightClick explorer.exe and END IT! Don't be alarmed when all of your desktop items disappear. That is normal.

    Everything will go blank except for KAV 5.0 and Task Manager. DO NOT CLOSE THEM!!

    Now: Start a FULL SYSTEM SCAN. Click the Protection Tab and select Scan My Computer.


    This process may take HOURS . . . . LET IT RUN!

    When the Scan and Cleanup are done, go to Task Manager and select File / New Task and type explorer.

    Close KAV 5.0 and TaskManager and reboot to Normal Windows and get a fresh HijackThis Log and let us know how things look!
     
  9. pams

    pams Private E-2

    Okay, here is the HJT log. Sorry about the delay, I was having trouble getting online. Tonight I realized that one of the many programs that I have downloaded in an attempt to eradicate all of the viruses, worms, etc was blocking my internet access.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:
    • WildTangent
    • Isrvs
    • eAcceleration

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{62ABB927-3788-4DE5-8646-0A326944A21C}\SVCHOST.EXE
    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lsassz.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
    O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKCU\..\Run: [cBv5RgNpS] upsc32.exe

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\WildTangent ←–– Delete this whole folder if it exists!

    C:\WINDOWS\Isrvs ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\eAcceleration ←–– Delete this whole folder if it exists!

    C:\Documents and Settings\All Users\Application Data\msw\MSW.exe

    C:\WINDOWS\System32\Services\{62ABB927-3788-4DE5-8646-0A326944A21C}\SVCHOST.EXE

    C:\WINDOWS\System32\desktop.exe

    C:\WINDOWS\System32\lsassz.exe

    C:\WINDOWS\System32\tss.exe

    upsc32.exe ←–– Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
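    The O4 entries in the fix above share a few tell-tale traits a defender can check mechanically before recognising product names: a filename one letter off a core Windows process (lsassz.exe next to the value name [lsass]), a SVCHOST.EXE living outside System32 in a GUID-named folder, an executable parked under Application Data, a bare filename with no path at all (upsc32.exe), and use of the legacy RunServices key. The script below is an added example, not MajorGeeks' or HijackThis's own code: it parses HijackThis O4 lines and reports those indicators. The sample input is the thread's own O4 lines plus two constructed benign entries (a Java updater line and the WildTangent line as-is) for contrast; it assumes the XP default Windows directory C:\WINDOWS.

```python
"""Triage HijackThis O4 (autorun) entries for location and naming indicators.

Added example, not MajorGeeks' or HijackThis's code. Heuristics only:
a flagged entry deserves a look, an unflagged one is not proven clean.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: O4 lines copied from the thread plus one benign Java
# updater entry (constructed) so the output has something NOT to flag.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{62ABB927-3788-4DE5-8646-0A326944A21C}\SVCHOST.EXE
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lsassz.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKCU\..\Run: [cBv5RgNpS] upsc32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)   # first .exe token, quoted or not
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Core Windows processes whose names malware borrows; on XP each legitimately
# runs from System32 only. Assumption: default install path C:\WINDOWS.
SYSTEM_PROCS = {"lsass", "svchost", "csrss", "winlogon", "services", "smss"}
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_o4(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (hive, key, value name, executable path) or None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    e = EXE_RE.match(cmd)
    path = e.group("path") if e else cmd
    return m.group("hive"), m.group("key"), m.group("name"), path


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter-off process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_entry(hive: str, key: str, name: str, path: str) -> List[str]:
    """Collect human-readable reasons an autorun entry looks suspicious."""
    reasons: List[str] = []
    low = path.lower()
    directory, _, filename = low.rpartition("\\")
    stem = filename[:-4] if filename.endswith(".exe") else filename

    if not directory:
        reasons.append("bare filename: resolved through the search path, no fixed location")
    for proc in SYSTEM_PROCS:
        if stem == proc and directory != SYSTEM32:
            reasons.append(f"{proc}.exe outside System32")
        elif stem != proc and len(stem) >= 4 and _edit_distance(stem, proc) <= 2:
            reasons.append(f"filename {filename} resembles {proc}.exe")
    if GUID_RE.search(path):
        reasons.append("GUID-named directory in path")
    if any(marker in low for marker in USER_DATA_MARKERS):
        reasons.append("executable stored under a profile/data directory")
    if directory.startswith(WINDIR + "\\") and not directory.startswith(SYSTEM32):
        reasons.append("non-standard subdirectory of the Windows directory (weak indicator, verify)")
    if key.lower() == "runservices":
        reasons.append("RunServices key: legacy Win9x key, unusual for software written for XP")
    return reasons


def triage_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse every O4 line in a HijackThis log and return the flagged entries."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, name, path = parsed
        reasons = triage_entry(hive, key, name, path)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage_log(SAMPLE_O4):
        print(f"[{name}] {path}")
        for r in reasons:
            print("   -", r)
```

    On the sample, six of the eight entries are flagged and the Java line is not. The WildTangent line is also not flagged: it sits in Program Files under a plausible name, so location heuristics say nothing about it and it only comes out as adware through product-name knowledge, which is exactly the part of the fix above that an expert still supplies by hand.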
     
  11. pams

    pams Private E-2

    I removed Wild Tangent but did not find the other two. I will have to finish tomorrow, but can already see major improvements over the last 48 hours.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Will be awaiting results and new HJT log.

    Good Luck!:)
     
  13. pams

    pams Private E-2

    Things are going much more smoothly now. I still have a couple of unwanted icons on my desktop; I do not know where they came from. Here is my HJT log. Hoping to hear from you that it looks good...
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log looks good! :)

    Are you having any further problems? Also, the unwanted icons, right click and give me some information on the target, are they website shortcuts or what?
     
  15. pams

    pams Private E-2

    Sorry, only one remains. It is Spyware Avenger. It appears to be an internet shortcut. I will just delete it. Your advice has been so easy to follow. I truly appreciate all of your help.
    I am thrilled to have my computer up and running again. Now I need to figure out what product(s) I want to use to keep me virus-free since most of the programs that I installed to get rid of all the problems I was having are 30 day free trials. There are so many good ones out there, I just wish that one of them would work to keep out all the bugs!
    (By the way, I will download those updates now, too.) Again, thanks for all of the help!
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:)

    You should see this article on How to Protect yourself from malware!

    Browse Safely!
     
