Need help with multiple Viruses

Discussion in 'Malware Help (A Specialist Will Reply)' started by Agahnim, Mar 2, 2005.

  1. Agahnim

    Agahnim Private E-2

    Did you get the hjt log I sent?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I got the log. I want you to try something. Open up two command prompt windows.
    And in one of them do what you did last time to get to the c:\windows folder (cd c:\windows)
    In the other one do nothing for now.


    Note the below steps will cause your Desktop to go blank (icons will disappear); the command prompt windows and HJT will remain open and running.

    EDIT to move opening HJT earlier: run HijackThis and just leave it open.

    Read the following first before doing it so you understand everything. Print if necessary because now you need to close down all your browser windows and anything else you have open. Do that now before continuing.

    Now in HijackThis, click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the c:\windows\explorer.exe process and kill it by selecting it and then click "Kill process". Then click yes.

    Now in the first command prompt window (at the C:\windows prompt) do the following:
    attrib -s -h -r RECOVMR.TXT
    copy RECOVMR.TXT c:\Badfile.txt
    explorer.exe

    The explorer.exe will bring back your desktop.

    Leave the command prompt window open and now if the above worked, upload as an attachment, the c:\Badfile.txt file we just created.
     
  3. Agahnim

    Agahnim Private E-2

    This sucks. Same bad results. I printed your post on what to do and I followed what you said correctly step-by-step. Any idea for Plan B?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes do it after booting to an MS DOS prompt. Do you know how to do that?

    Please don't post images unless really necessary (you could have just said you got the same error).
     
  5. Agahnim

    Agahnim Private E-2

    No I don't. Show me.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You click Start and then Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen) try the same commands and then when finished type win and hit enter. That should bring you back to Windows where you can tell me what happened. Upload the file if it worked.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way I found a list of more bad files in your c:\windows\system folder that need to be deleted:
    Code:
    ALJ	  EXE		 7,681  03-03-05 10:39p Alj.exe
    BBE	  EXE		 7,681  03-03-05 10:39p Bbe.exe
    GNS	  EXE		 7,681  03-03-05 10:39p Gns.exe
    HBQ	  EXE		 7,681  03-03-05 10:39p Hbq.exe
    ILE	  EXE		 7,681  03-03-05 10:39p Ile.exe
    ISADSR   EXE		 7,681  03-03-05 10:39p isadsr.exe
    JHP	  EXE		 7,681  03-03-05 10:39p Jhp.exe
    KJH	  EXE		 7,681  03-03-05 10:39p Kjh.exe
    KRC	  EXE		 7,681  03-03-05 10:39p Krc.exe
    LDP	  EXE		 7,681  03-03-05 10:39p Ldp.exe
    MLQ	  EXE		 7,681  03-03-05 10:39p Mlq.exe
    NTU	  EXE		 7,681  03-03-05 10:39p Ntu.exe
    QJM	  EXE		 7,681  03-03-05 10:39p Qjm.exe
    SND	  EXE		 7,681  03-03-05 10:39p Snd.exe
    TPG	  EXE		 7,681  03-03-05 10:39p Tpg.exe
    VVN	  EXE		 7,681  03-03-05 10:39p Vvn.exe
    
     
  8. Agahnim

    Agahnim Private E-2

    Cool, I got rid of those and your idea worked. I got through and saved the file. Here it is.

    Anyways, what exactly are these programs?
    Jhp.exe
    Kjh.exe
    Krc.exe
    Ldp.exe

    etc.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those files are part of what we classify as unknown trojans. You had a bunch of them from the very beginning that were loading and spreading.

    Please use Windows file search and look for a file named xyu.dll . Do not do anything with it if you find it. Just tell me if you do. It could be anywhere but if it exists it is most likely in c:\windows or c:\windows\system

    The file named RECOVMR.TXT that I had you copy to c:\Badfile.txt is actually not a .txt file at all. It is actually an executable file that is being loaded and run as a service each time your PC starts up. We will be trying to fix that soon but first I want to find out if the xyu.dll file exists.
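The two patterns in this thread, a file whose name says ".txt" but whose bytes are an executable image, and a cluster of identical-size executables with random three-letter names, can both be checked from file content rather than file name. The script below is an added example written for this thread, not a MajorGeeks tool or anything chaslang posted; `executable_kind`, `find_disguised_executables`, `find_size_clusters` and the sample folder it builds are all constructed here. It reads the DOS "MZ" magic and the "PE\0\0" signature at the offset stored at 0x3C, so it works regardless of extension or the hidden/system/read-only attributes the `attrib` commands above strip.

```python
import os
import struct
import tempfile
from collections import defaultdict

# Extensions that claim to be plain data; an executable header under one of these is suspicious.
TEXT_EXTENSIONS = {".txt", ".log", ".ini", ".dat"}


def executable_kind(path):
    """Return 'pe' for an MZ stub with a PE signature, 'mz' for a bare DOS stub, else None.
    The check is on bytes only, so a renamed executable is still reported."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 2 or head[:2] != b"MZ":
                return None
            if len(head) < 0x40:
                return "mz"
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]  # offset of the PE header
            fh.seek(e_lfanew)
            return "pe" if fh.read(4) == b"PE\0\0" else "mz"
    except OSError:
        return None


def find_disguised_executables(folder):
    """List (name, kind) for files whose extension claims text but whose bytes are executable."""
    hits = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        kind = executable_kind(path)
        if ext in TEXT_EXTENSIONS and kind:
            hits.append((name, kind))
    return sorted(hits)


def find_size_clusters(folder, min_members=3):
    """Group .exe/.dll files by byte size and return clusters of min_members or more.
    Sixteen 7,681-byte files dropped at the same minute is exactly this pattern."""
    by_size = defaultdict(list)
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and name.lower().endswith((".exe", ".dll")):
            by_size[os.path.getsize(path)].append(name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_members}


def build_sample_folder():
    """Constructed sample data (not the poster's real files): a minimal PE image saved as
    RECOVMR.TXT, a genuine text file, four identical 7,681-byte executables with
    three-letter names, and one lone executable of a different size."""
    folder = tempfile.mkdtemp(prefix="disguise_demo_")
    pe = bytearray(0x80)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> 0x40
    pe[0x40:0x44] = b"PE\0\0"
    with open(os.path.join(folder, "RECOVMR.TXT"), "wb") as fh:
        fh.write(pe)
    with open(os.path.join(folder, "readme.txt"), "wb") as fh:
        fh.write(b"just notes\r\n")
    for name in ("Alj.exe", "Bbe.exe", "Gns.exe", "Hbq.exe"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(bytes(pe) + b"\0" * (7681 - len(pe)))
    with open(os.path.join(folder, "lone.exe"), "wb") as fh:
        fh.write(bytes(pe) + b"\0" * 100)
    return folder


if __name__ == "__main__":
    demo = build_sample_folder()
    print("disguised:", find_disguised_executables(demo))
    print("clusters:", find_size_clusters(demo))
```

Pointing `find_disguised_executables` and `find_size_clusters` at a real `C:\WINDOWS` or `C:\WINDOWS\SYSTEM` would report RECOVMR.TXT and the Alj.exe family without relying on their names; a same-size cluster still needs a human look, since legitimate installers also drop families of similar files.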
     
  10. Agahnim

    Agahnim Private E-2

    I scanned with Windows Find and I found nothing with xyu.dll. I scanned it many times in different areas to make sure I don't have it.

    What exactly do those unknown Trojans do anyways and how do you catch them?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's why they are called unknown! We see hundreds of the unclassified trojans per week.
    They are not always easy to catch. If they show visible signs, like appearing in a HijackThis log or affect the behavior of your PC in some visible manner then we find them. Also when someone finally does determine what they do, they normally get some kind of name and they become detectable via some scanners who build in detection/removal capabilities.

    Post a current HJT log.
     
  12. Agahnim

    Agahnim Private E-2

    Here's a current log:
     
  13. Agahnim

    Agahnim Private E-2

    Goddamn this virus is annoying! It now infected my AIM and Yahoo messenger programs sending me hundreds of pop-up ads telling me that "You are infected with spyware! Click here to delete it!"
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First print the below steps or save locally so you can work offline and with ALL browsers like IE closed. Do not continue while online or if any browsers are open.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {A9B179A2-8BF1-11D9-9BD1-000597CA9C69} - C:\WINDOWS\SYSTEM\NEMODA.DLL
    O15 - Trusted IP range: 67.19.185.246
    O18 - Filter: text/html - {A9B179A1-8BF1-11D9-9BD1-00056718021E} - C:\WINDOWS\SYSTEM\NEMODA.DLL
    O18 - Filter: text/plain - {A9B179A1-8BF1-11D9-9BD1-00056718021E} - C:\WINDOWS\SYSTEM\NEMODA.DLL

    After clicking Fix, exit HJT.

    Now boot to the MS-DOS prompt like I had you do earlier.
    And locate the below files and delete them using the below steps.

    cd C:\WINDOWS
    attrib -s -h -r RECOVMR.TXT
    del RECOVMR.TXT

    cd c:\windows\temp
    attrib -s -h -r se.dll
    del se.dll

    cd c:\windows\system
    attrib -s -h -r NEMODA.DLL
    del NEMODA.DLL

    Now boot to normal Windows but enter:
    win
    Post a new HJT log.
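The lines chaslang picked out above share a few signatures that can be scored automatically: an IE start or search page served out of a DLL resource (`res://...se.dll/sp.html`), `about:blank` set as the home or search page, a browser helper object with no name, an IP added to the Trusted zone, and `O18` MIME filters on `text/html` and `text/plain`, which sit in the path of every page IE renders. The triage script below is an added example for this thread, not part of HijackThis or of MajorGeeks; the sample log is constructed from the lines quoted in the post plus two benign lines, and `triage` and `shared_components` are names chosen here. It also ties the `O2` and `O18` entries together by the DLL they reference, which is why NEMODA.DLL is deleted once to clear both.

```python
import re
from collections import defaultdict

# Constructed sample: the HJT lines quoted in the post above, plus a normal start page
# and a normal Win98 O4 entry so the benign case is exercised too.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {A9B179A2-8BF1-11D9-9BD1-000597CA9C69} - C:\WINDOWS\SYSTEM\NEMODA.DLL
O15 - Trusted IP range: 67.19.185.246
O18 - Filter: text/html - {A9B179A1-8BF1-11D9-9BD1-00056718021E} - C:\WINDOWS\SYSTEM\NEMODA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

ITEM_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
DLL_RE = re.compile(r"[A-Za-z]:\\[^\s/]+?\.dll", re.I)
PAGE_KEYS = ("start page", "search page", "searchassistant", "search bar")


def _dll_path(text):
    """Lower-cased DLL path referenced by an item, or None."""
    m = DLL_RE.search(text)
    return m.group(0).lower() if m else None


def triage(log_text):
    """Return a list of findings, each {'kind', 'line', 'reason', 'path'}, for HJT items
    matching the hijack patterns discussed in the thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        reason = None
        if kind in ("R0", "R1") and " = " in rest:
            key, value = rest.split(" = ", 1)
            low = value.lower()
            if low.startswith("res://") and ".dll" in low:
                reason = "IE page served from a DLL resource"
            elif low == "about:blank" and any(k in key.lower() for k in PAGE_KEYS):
                reason = "about:blank hijack indicator"
        elif kind == "O2" and rest.lower().startswith("bho: (no name)"):
            reason = "unnamed browser helper object"
        elif kind == "O15":
            reason = "site or IP added to the IE Trusted zone"
        elif kind == "O18" and re.match(r"filter: text/(html|plain)", rest, re.I):
            reason = "MIME filter intercepting HTML/plain text"
        if reason:
            findings.append({"kind": kind, "line": line, "reason": reason, "path": _dll_path(rest)})
    return findings


def shared_components(findings):
    """Map each DLL path named in the findings to the sorted HJT item kinds that use it,
    so one file backing several entries is removed once."""
    by_path = defaultdict(set)
    for f in findings:
        if f["path"]:
            by_path[f["path"]].add(f["kind"])
    return {path: sorted(kinds) for path, kinds in by_path.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for f in found:
        print(f["kind"], "-", f["reason"], "->", f["path"] or "(no file)")
    print(shared_components(found))
```

The `about:blank` rule is only an indicator on its own; it is the combination with a `res://` search page and a `text/html` filter that marks the variant fought in this thread, and a log with only `about:blank` entries deserves a second look before anything is fixed.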
     
  15. Agahnim

    Agahnim Private E-2

    Ok, will do.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do the following when you come back.

    Please download: Generic Detection Tool - NT/2000/XP

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.
     
  17. Agahnim

    Agahnim Private E-2

    It's Gone!!!! Yahoo!!!

    The Virus is gone and no more about:blank crap! The only thing that didn't go was that stupid porn thing:
    O15 - Trusted IP range: 67.19.185.246

    I would like to but I have a Windows 98. The guy who fixed my computer a few weeks ago said he was going to give me a free copy of XP when more come in stock. Until then, I am stuck with 98.

    Here is the HJT log. I had to do your steps on MS Prompt twice because the virus was fighting but looks like I won so far.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: It's Gone!!!! Yahoo!!!

    I gave you the wrong link to use for the Generic Tool. I'll post the Win9x link in a minute.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: It's Gone!!!! Yahoo!!!

    Download this tool and run find.bat - let it run for as long as it needs and please attach the output file.

    Generic Detection Tool for 9x/ME ---> You'll need to click "Agree".
     
  20. Agahnim

    Agahnim Private E-2

    Here is the output. I did not close the program yet until you tell me to do so.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you can close that down. I don't see any problems in that log.

    If you go to IE, Tools, Internet Options, Security and choose Trusted Sites and then click on the Sites button, do you see anything listed? If that IP address is listed, try removing it.
     
  22. Agahnim

    Agahnim Private E-2

    It was listed and I deleted it successfully. I scanned again with HJT and that IP address was no longer there.

    If there is anything else you want me to do, just tell me.

    Out of curiosity, how long were those unknown viruses on my computer for?

    And I thank you so much for your help. It is people like you who make the internet a safer place. I always depended on Major Geeks for Virus problems and still will and will recommend you guys to my friends whenever they need help.
     
  23. Agahnim

    Agahnim Private E-2

    Also, I just uploaded Zone Alarm and I am going to keep it on at all times. Hopefully, that will be the last virus or spyware I will ever see.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    The firewall will help and so will all the other steps (which you should observe) in the below thread:

    How to Protect yourself from malware!

    But security starts with you! None of the steps in that thread protect you from things that you enable to happen yourself. Make sure you read notices that pop up before clicking; sometimes the correct answer is the opposite of what you think. Also read software licenses and privacy notices before installing them.

    Those trojans I had you delete were all fairly new, like from this month. Shows you how fast problems can occur and how bad they can get quickly.
     
