Re: Can't get rid of Trojans and other malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by trevorpen, Oct 23, 2007.

  1. trevorpen

    trevorpen Private E-2

    Hi

    This is my second message, with the 2nd lot of attachments of logs from getrunkey, shownew and hijack this.
    I hope you received the first message, because I repeatedly get a message from your system saying I am not allowed to be on this page - not registered?, banned? etc. - this is when I proceed from one step to another. I then log in again and sometimes that lets me through to the next step. Weird.
    Anyway - I really hope this gets through.

    Yech! The next step, managing attachments, has again led me to a message saying I have been banned by the administrator.
    I do NOT understand this.
    I am going to try and send this message without the attachments - in the hope that it gets through and you can sort out this problem with the posting and I can finally get my malware problem sorted! I have been at this for 4 days now!
     
  2. trevorpen

    trevorpen Private E-2

    I am not sure what this is ( a "Quote", with the previous message repeated).
    Anyway, I am finding it very difficult to send any messages, especially with attachments. I am now going to try to attach the logs I could not attach with the previous message.
     

    Attached Files:

  3. trevorpen

    trevorpen Private E-2

    Well, guys, I'm stuck again. Managed to get my previous post through to you - with attachments, yay! However, all subsequent attempts to post have met with failure - and funny, despite having logged in about a thousand times subsequently, every time I log in I am told that the last login was yesterday at 15.48. Once again I am reduced to my IP address having been banned. And once again I am going to try and send this message without attachments, in the hope that someone will pick up on my distress and DO SOMETHING. PLEASE - I'm going nuts!
     
  4. abri

    abri MajorGeek

    Hi trevorpen!
    Welcome to Major Geeks!
    Try clicking on the Remember Me button when you log in. I think that might be what the problem is.
    abri
     
  5. trevorpen

    trevorpen Private E-2

    Ok so that worked, and I got a response which I hope will sort out my problem with sending posts - thank you Abri - I suddenly feel smiley again!
    Right, so let me repeat my FIRST message, which had a few logs attached, because that didn't get through.

    I seem to be infected with a large number of trojans and viruses which just won't go away, never mind having run (repeatedly) Spybot, AVG Anti-spyware, Counterspy, Super anti-spyware, combo fix, etc.
    I have also done the entire initial list of initial stuff recommended in the thread - hey I'm getting the hang of this - "Read and run me first", but to no real avail.
    When I boot normally, NOD32 immediately upon loading posts a pop-up saying a threat has been detected - "Win32\Hoax.Renos.LQ application" in file "Windows\system32\sulimo.dat". Deleting this with NOD does not seem to work, it keeps repeating. A little later, Microsoft anti-spyware pops up a message saying that a file "del.bat" has been stopped from executing because it may be malware. Some time later, if attempting to access the internet via addresses favourites the system hangs, and - perhaps, eventually, if one waits long enough - a message comes back saying that Windows - (not IE) - cannot find the address.
    Then there are the threats detected when the anti-spyware is run, which just don't seem to get eliminated either - there are quite a few, but I think they are shown in the logs attached, so I won't repeat those I did note down.

    Well, I sincerely hope this post goes through to you, and my problem can get tackled! I feel positive.
    Thanks everyone!
     

    Attached Files:

  6. trevorpen

    trevorpen Private E-2

    Thanks Abri I think that has worked!
     
  7. abri

    abri MajorGeek

    Hi trevorpen!
    It appears you have both Nod32 and McAfee running. You need to get McAfee all the way off your system if you're using Nod32 for your antivirus. Please run the McAfee Consumer Product Removal Tool (SymNRT)

    Also, did you put the following on your computer? NetOp Remote Control

    abri
     
  8. trevorpen

    trevorpen Private E-2

    I have run the McAfee removal tool as requested.
    NetOp Remote Control was put on my computer to allow technical support guys from two of my business software suppliers (Spotlight & Liberty Life) to provide remote assistance.
    Some interesting stuff has happened since my last post. I ran Counterspy that detected two trojans (see attachment for details). Putting these into quarantine required a reboot. This caused windows problems and required a reboot in safe mode with two attempts. A boot scan was then run automatically. I then rebooted in normal mode and ran Counterspy again. The trojans were still there, and quarantining led to reboot problems again as described earlier.
    On reboot into normal mode, as soon as NOD32 is loaded it warns of the Hoax.Renos.LQ application threat - deleting does not remove it.
    Lastly, perhaps an hour after reboot, windows popped up a message that the file xlavba3.exe had encountered a problem and needed to be closed - this is the file implicated in one of the trojans (see attached counterspy log). I recall having seen this message before since the spyware problems started.
    Over to you - and thanks for the help!
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi trevorpen,


    1) Please begin by going to add/remove programs and uninstalling Counterspy. We no longer need it.

    - Sunbelt Counterspy


    2) After that, check for the following folders and if found, please delete them from Windows Explorer:

    C:\Documents and Settings\Trevor Pennels\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Norton Removal Tool (SymNRT)

    5) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log

    abri
     
  10. trevorpen

    trevorpen Private E-2

    Thanks for instructions.
    I got as far as step 4 (Norton Removal tool). After running that I was told to reboot. I tried to reboot in normal mode, because the instructions I have for the next step - Hijack This - state that it must be run after booting up normally.
    The system will not boot normally - the message I get is this:
    "A problem has been detected and Windows has had to shut down to prevent damage to your computer.
    IRQL_NOT_LESS_OR_EQUAL
    Technical info:
    ***STOP: 0X0000000A (0X00000002, 0X00000001, 0X804F9982) "

    This message also appeared at one stage yesterday, but by some fluke the system eventually booted normally. I have today made more attempts to reboot normally than I did yesterday, but without success. I am not sure how to proceed from here.
    What do you suggest?
     
  11. abri

    abri MajorGeek

    Hi trevorpen!
    Can you boot into safe mode? If so, make sure you're disconnected from the internet and then try deactivating NOD32. Also see if anything in the taskmanager is running that could relate to ANY antivirus programs. If so, turn them off. If that doesn't help, make sure you have the information you need to reinstall NOD32 (registration or activation keys, etc.) and uninstall it completely. Although the error message can relate to a hardware problem, it can also be the result of antivirus programs. See if you make any progress this way. Also, if you can run another HJT, I would like to see it.
    Do you have System Mechanic? If so, what have you used it for?
    abri
     
  12. trevorpen

    trevorpen Private E-2

    Hi Abri
    Message 1 of 2
    Thank goodness for geniuses like you!
    In safe mode, I uninstalled NOD32, checked taskmanager for other anti-virus applications and found none, and was then able to reboot normally!
    I then completed all the remaining steps as in your previous post, starting with #5, scan with Hijack This, then #6 Run Avenger, which asked for reboot which gave problems, so had to go back to safe mode before running CCleaner. Then did #7 download and run ATF cleaner. I was the able to reboot normally. In step #8 you asked also for logs of GetRunkey and ShowNew, so I ran these again.
    Because you asked for 4 attachments, I will post a second reply with the log of GetRunkey.

    You asked what do I use System Mechanic for: I use the Scheduled Maintenance feature to do this:
    *Find & remove junk and obsolete files (every 7 days) - last run on 24/10/2007 at 12:05 am. A log is available
    *Clean registry every 30 days. last run 04/10/2007
    *internet clutter every 29 days, last run 02/10/2007
    *system malware and PC parasite removal, every 5 days, last run 22/10/2007 at 12:01 am. Log is available.
    *disk defrag every 7 days, last run 19/10/2007.

    I have unchecked the enable button for all of the above until I hear back from you.

    Thanks and bye for now.
     

    Attached Files:

  13. trevorpen

    trevorpen Private E-2

    Hi Abri!

    Message 2 of 2 - with GetRunKey log

    Also, on last reboot MS anti-spyware again blocked the file del.bat from executing, and a shortcut del.bat was placed on desktop. ?
     

    Attached Files:

    Last edited: Oct 25, 2007
  14. abri

    abri MajorGeek

    Hi Trevorpen!

    Please continue as follows. I want to get the McAfee all the way out so we can get your Nod32 back in.

    Please upload the del.bat on your desktop to
    jotti or VirusTotal

    It will have this pathway: C:\Documents and Settings\Trevor Pennels\Desktop\del.bat

    I'm wondering if the del.bat might be part of one of the removal tools and that MS Antispyware is preventing it from running. Do you remember if it started appearing AFTER you ran the Norton Removal Tool? However, it could be ANYTHING! so it is better to check before you continue. Do not do anything to it, but let me know what jotti or VirusTotal reports back on it.

    Before you continue with the following, if the above file does not come back as having a virus, please disable MS Antispyware and then go on with these instructions. If it does contain a virus, please stop here and tell me.

    1) We need to remove a service, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to McAfee Managed Services Agent
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste myAgtSvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    2) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    Again, make sure ALL browser windows are closed when you click FIX.

    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    4) Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log

    abri
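    Step 1 of the post above (stop the service in services.msc, set its startup type to Disabled, then delete the NT service through HijackThis) can be done from an elevated PowerShell prompt as well. The script below is an added example, not code from the thread or from any of the tools it names; it assumes PowerShell 3.0 or later on the affected machine, uses the service name myAgtSvc from the post as its default, and first prints the binary the service runs so the operator can confirm what is about to be removed.

```powershell
# Added example (not from the thread): inspect, stop, disable and delete a
# Windows service by its short name. 'myAgtSvc' is the name given in the
# post above; the function names below are this example's own choices.
param(
    [string]$ServiceName = 'myAgtSvc'
)

function Get-ServiceBinary {
    # Show which executable the service actually runs before touching it,
    # so that a service is never removed on the strength of its name alone.
    param([string]$Name)
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode, PathName
}

function Remove-SuspectService {
    param([string]$Name)

    $info = Get-ServiceBinary -Name $Name
    if (-not $info) {
        Write-Output "Service '$Name' is not installed; nothing to do."
        return
    }
    Write-Output "Found service: $($info.Name)  state=$($info.State)  start=$($info.StartMode)"
    Write-Output "Binary: $($info.PathName)"

    # Equivalent of services.msc -> Properties -> Stop, then Startup type = Disabled.
    if ($info.State -eq 'Running') {
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    Set-Service -Name $Name -StartupType Disabled

    # Equivalent of HijackThis 'Delete an NT Service'. sc.exe is used here
    # because the Remove-Service cmdlet only exists in PowerShell 6 and later.
    & sc.exe delete $Name | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe delete returned exit code $LASTEXITCODE for '$Name'"
    }
    Write-Output "Service '$Name' marked for deletion; it disappears from services.msc after a reboot."
}

Remove-SuspectService -Name $ServiceName
```

    Run it as an administrator; both the service control calls and sc.exe delete need elevation. Stopping before deleting matters: a running service that is deleted is only marked for deletion and keeps running until the next reboot, which is the same reason the post says not to reboot until the HijackThis fixes are done.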
     
  15. trevorpen

    trevorpen Private E-2

    Hi Abri

    Uploaded del.bat to Jotti - nothing was found, file ok.
    Note: the file del.bat appeared on the desktop before I ran the Norton Removal Tool (in fact I had previously deleted it from the desktop), and the MS anti-spyware blocking also took place regularly before running Norton removal.

    .. and did the rest (McAfee removal, HJT, The Avenger, CCleaner, ATF-Cleaner, GetRunKey, ShowNew)

    Please note: with HijackThis, a line you asked me to check was not there: "O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)".

    NB! Omitted to save a log after running HJT. Sorry. Went back and ran it again, checked for the items you had earlier asked me to check and fix, and they were no longer there. myAgtSvc also no longer in registry.

    Over to you
    Trevor
     

    Attached Files:

  16. abri

    abri MajorGeek

    Please uninstall Microsoft Antispyware if you haven't already. Then reboot and if that seems okay, try reinstalling Nod32 and see if you have the same problems or if they are gone.

    Was the 20 line in HJT also gone?

    abri
     
  17. trevorpen

    trevorpen Private E-2

    Ok, MS anti-spyware uninstalled, NOD32 re-installed and updated. Ran system scan with NOD32, no threats detected!!! Yippee!

    You asked whether the line 020 was gone - yes it was (that's the one that ended .......\sulimo.dat).

    Wow, I feel quite relieved, there was a point where I thought I was going to lose everything on my pc. Thank you very very very much for your help.

    What now? Any checks to be done to confirm no malware left, system settings to change, advice on spyware to install, etc?

    The mysterious del.bat file, shall I delete it from desktop?

    Trevor
     
    Last edited: Oct 26, 2007
  18. abri

    abri MajorGeek

    Hi Trevorpen!
    The mysterious del.bat - if you can, please put it in a Zip file and attach it to your next post. Then run the final cleaning instructions in the box which will remove all the tools and logs we used here.

    Wait with the step to disable and re-enable System restore until we've had a look at the del.bat file and get back to you, but you can remove all the other things that are relevant.

    abri
     
  19. trevorpen

    trevorpen Private E-2

    Hi Abri

    Fantastic! Seems the problems have been solved; I have done all you requested, and our hopefully soon-to-be-unveiled lurker del.bat has been zipped and attached for your scrutiny.

    I am going to run a system check with Spybot as soon as I post this message, and trust that all will be well.

    Cheers for now
     

    Attached Files:

    • del.zip (171 bytes)
  20. abri

    abri MajorGeek

    Hi trevorpen!
    The del.bat file is not bad, but I'd like to know more about the file(s) it's referring to. Please scan the following file(s) with either
    jotti or
    VirusTotal and let me know the results.
    abri
     
  21. trevorpen

    trevorpen Private E-2

    Hi Abri

    Oi, it's been a battle posting a reply - kept getting errors accessing your site.

    Anyway, had VirusTotal check the two xlavba files; the results were identical. I have attached a summary of the results for xlavba3.exe, which show that the file is infected with or is a trojan downloader.

    Regards,
    Trevor
     
  22. abri

    abri MajorGeek

    Hi Trevorpen!


    1) Please download a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * Then click on the All Files button (or on the folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\xlavba3.exe
    C:\WINDOWS\xlavba6.exe
    C:\Documents and Settings\Trevor Pennels\Desktop\del.bat


    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    2)
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    3) Please post a fresh newfiles.txt log

    abri
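    Pocket Killbox's "Delete on Reboot" works by queuing the paths in the registry value PendingFileRenameOperations, which is also where the PendingFileRenameOperations prompt the post mentions comes from. The script below is an added example, not part of the thread or of Killbox, for checking that queue before rebooting: it lists each queued delete or rename and computes the SHA-256 of every file that is still on disk, so the hash can be looked up on VirusTotal or jotti after the reboot has removed the file itself. It assumes PowerShell 4.0 or later (for Get-FileHash) and that the registry key is readable by the current user; the function names are this example's own.

```powershell
# Added example (not from the thread): show what is queued for delete-on-reboot
# and hash the files before they disappear. Nothing here is Killbox's own code.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperations {
    # PendingFileRenameOperations is REG_MULTI_SZ holding pairs of strings:
    # source, destination. An empty destination means "delete source on next
    # boot". Sources carry the NT namespace prefix \??\ which is stripped here
    # so the paths can be passed straight to Test-Path and Get-FileHash.
    $props = Get-ItemProperty -Path $SessionManager -ErrorAction SilentlyContinue
    $raw = $props.PendingFileRenameOperations
    if (-not $raw) { return @() }

    $ops = @()
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = $raw[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] -replace '^!?\\\?\?\\', '' } else { '' }
        $ops += [pscustomobject]@{
            Source      = $src
            Destination = $dst
            Action      = if ($dst -eq '') { 'Delete' } else { 'Rename' }
        }
    }
    return $ops
}

function Get-QueuedFileHashes {
    # For every queued source file still present on disk, record its SHA-256
    # so the sample can be identified later, e.g. by searching the hash on
    # VirusTotal, without keeping the executable around.
    Get-PendingFileOperations | ForEach-Object {
        $exists = Test-Path -LiteralPath $_.Source -PathType Leaf
        [pscustomobject]@{
            Action = $_.Action
            Path   = $_.Source
            Exists = $exists
            Sha256 = if ($exists) { (Get-FileHash -LiteralPath $_.Source -Algorithm SHA256).Hash } else { $null }
        }
    }
}

Get-QueuedFileHashes | Format-Table -AutoSize
```

    If the value is absent the script prints nothing, which is the expected state once the reboot has processed the queue; seeing entries for paths other than the three the post lists is worth noting in the reply, since anything that writes to this value can use it to replace or remove files during boot.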
     
  23. trevorpen

    trevorpen Private E-2

    Hi Abri,

    I don't have ATF-Cleaner.
    Please give me the URL for a download - or can I use CCleaner (which I have)?
     
  24. abri

    abri MajorGeek

    CCleaner's fine.

    Sorry for the delays and server problems. You got caught in the server changes.

    abri
     
  25. trevorpen

    trevorpen Private E-2

    Hi Abri,

    I have run Pocket Killbox. In fact, ran it four times because although I clicked "all files" it deleted the files one at a time - and the fourth run was because I discovered del.bat was not only on the desktop but also one level higher in the directory.
    Ran CCleaner, and ShowNew.
    Newfiles.txt is attached.
     

    Attached Files:

  26. abri

    abri MajorGeek

    Hi Trevorpen!
    It looks good. When you follow the instructions for removing Pocket Killbox, it should delete the backups it made. Please keep your eyes open for that del.bat file again. It's not clear what the function of it is, but from the title, it almost appears it was a program to delete the infected file. I will ask about this and post back to you.
    Please follow the standard finishing instructions in the box.
    abri
     
  27. trevorpen

    trevorpen Private E-2

    Wow, a "clean", uninfected computer!!
    Feels good - now to keep it that way.
    I have done all as per the instructions in your last post.

    Thank you so very much for your assistance, you guys do a marvellous job!
    I shall wait to hear from you regarding the del.bat file you were going to ask about.

    Trevor
     
  28. abri

    abri MajorGeek

    Trevorpen,
    If the del.bat file was not written by you or someone who put it on your computer for you, then it seems probable it was meant to be run by your antivirus, but was being blocked by the Microsoft Antispyware. I would like for you to simply keep your eyes open for that file and see if it appears again. If so, post back to us. We've removed several things on your computer that were bad and it's possible the file was coming from there. I would like to give you a more exact answer, but that's what I've got for now. Please follow the advice in How to protect your computer from malware and check for a couple of weeks every so often if you get a file like this: C:\WINDOWS\xlavba3.exe. It might have a different number, but it seems to be maintaining a similar appearance.
    abri
     
