Trojan Help...PLEASE!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by DerekLee1, Feb 18, 2005.

  1. DerekLee1

    DerekLee1 Private E-2

    OK, here's the deal. Although I don't like TrendMicro, it's what my company has decided to use on all of our laptops, and I don't have a choice. I'm also not "supposed" to disable the real-time scanning, although I have done that temporarily to circumvent the issue. Again, it's not FIXING the problem, just avoiding it.

    When I launch IE, OfficeScan (the TrendMicro AV software) is detecting a trojan (TROJ_AGENT.KX) in a hidden file in the System32\Drivers folder called nxlcqiee.sys. Apparently, this file is being created when IE launches. None of the other AV or Adware/Spyware software is picking this up. However, it is essentially disabling use of IE, because for OfficeScan to remove this file, it kills IE. I'm using firefox for browsing, but there are some pieces of software that use IE integrated, and it's affecting those as well. That sys file is obviously not supposed to be there, and it just comes right back after it's deleted and IE is relaunched. Office Scan is detecting the sys file, but not the file CAUSING the sys file to be created. Someone PLEASE help me fix this! I don't want to wipe and reload my machine, but it's becoming the only option I have!

    I've included my HJT log file:



    Thank you to anyone with solutions!!!

    ~Derek
     

    Attached Files: LOG.txt (10.2 KB)
    Last edited by a moderator: Feb 18, 2005
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    The first step is not a HJT log.
    We ask that you first try to do ALL the TUTORIAL listed below. We will then ask you for a HJT log. It must not be inline but rather as a .log or .txt attachment. Be sure to close all unnecessary programs, it makes it much easier to read the HJT log when you submit it.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there.
    Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. TheOldThug

    TheOldThug First Sergeant

    You have got a lot of processes running. You should try and turn off the non-essential programs. Be sure to not have more than 1 anti-virus program running.
     
  4. DerekLee1

    DerekLee1 Private E-2

    I've tried AdAware, Spybot S&D, MS AntiSpyware, TrendMicro OfficeScan, and Avast! AntiVirus. All of them come up clean, but when I launch IE, OfficeScan comes up with the same message. If I disable OfficeScan, I can use IE just fine, but the .sys file is still created. This is getting really frustrating. Please help, if anyone knows how...
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    One thing that I noticed is that your Operating System is not updated. Please make sure you keep your computer updated with the latest security patches and fixes from Windows Updates as these are critical. You also need Service Pack 2 installed. Do NOT install anything until your system is clean. I'll assure you, you're not clean at the moment.

    You have multiple issues to deal with! Go ahead and download the following tools but DO NOT USE THEM UNTIL TOLD TO!

    KILL 2 ME.zip

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    LSP-Fix
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have NOT run all the steps in this sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.

    MAKE SURE YOU RUN ALL THE STEPS IN THIS STICKY. YOU HAVE NOT RUN TRENDMICRO'S ONLINE SCAN EITHER! PLEASE PAY CLOSE ATTENTION AND DO EVERYTHING THAT WE TELL YOU SO THAT WE CAN BEST ASSIST YOU!

    Now that being said, go back and run EVERYTHING in the sticky before we proceed!!
     
  7. DerekLee1

    DerekLee1 Private E-2

    Sorry, guys...got back from a margarita binge right before my last post. Will go through all the cleanup steps as required and report back here later today. Sorry about that....
     
  8. DerekLee1

    DerekLee1 Private E-2

    First of all, thanks to all of you who actually monitor these threads and help us all out. It's really appreciated!

    Now, to summarize what I've done so far. I updated all windows components via Windows Update until there was nothing left to update. Next, I rebooted into safe mode and ran TrendMicro's Free Online Virus Scan. That came up clean. Next, I ran Symantec's Security Check. It found 11 Spyware/Adware/Trojan instances. As per their provided instructions, I deleted the culprits and their corresponding registry entries. Then I ran AVERT Stinger and it came up clean.

    Now for the Cleaning. I ran CCleaner to remove traces of anything leftover. I checked every box I could to make sure I got everything.

    For removal...I ran Ad-Aware SE with the VX2 Cleaner Plugin. Both came up clean. Next was Spybot S&D with the DSO Exploit patch. It found 4 bastards and removed them. I then ran CWShredder, Kill2me, about:Buster and HSRemove. They all came up clean. I even ran Microsoft AntiSpyware for grins, and it came up clean as well.

    Next, I rebooted into normal mode and repeated the entire process. Everything came up clean except for the Symantec scan, which again found 2 culprits: AdStatServX.dll and WinServAdX.dll. I looked in the directory that it pointed me to, and they were not there. For kicks, I ran a Windows search for those 2 files, and it said they were in the folder, but damned if they weren't visible. So I went into DOS and entered the path to the directory. Sure enough, they showed up in DOS. I deleted the little bitches and ran a regedit search for both of those files and found them embedded in the registry in about 5 places each. I deleted them all and ran another browser search. Gone. I re-ran Symantec. Gone. So now, everything is coming up clean.

    Excited that I may have finally licked this thing, I rebooted. When I launched IE, OfficeScan came up with the now all-too-familiar virus notification. This is driving me mad, and I'm at a loss as to how to fix this. I looked through the HJT log, and don't see anything suspicious. I won't post it here until it's requested.

    To save anyone from having to scroll, I'll remind you here what the original problem was...

    When I launch IE, OfficeScan (the TrendMicro AV software) is detecting a trojan (TROJ_AGENT.KX) in a hidden file in the System32\Drivers folder called nxlcqiee.sys. Apparently, this file is being created when IE launches. It is essentially disabling use of IE, because for OfficeScan to remove this file, it kills IE. I use some software that integrates IE, and it's affecting those as well. That nxlcqiee.sys file is obviously not supposed to be there, and it just comes right back after it's deleted and IE is relaunched. Office Scan is detecting the sys file, but not whatever is CAUSING the sys file to be created.

    Thanks for taking time to investigate, and I really hope someone can help here. THANKS!!!!!!!!
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You still have some problems that these will NOT fix. That being said, if you haven't already, download the tools I asked you to download in post 5.

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  10. DerekLee1

    DerekLee1 Private E-2

    Here is my HJT log file. I didn't want to remove anything without the advice of a pro here, so here it is in all its glory.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    TpKmpSVC.exe

    TpScrLk.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    O2 - BHO: (no name) - {08DE7FF5-6730-72BF-2D6E-A6F8015ED893} - (no file)

    O2 - BHO: (no name) - {5AE70B1D-98E7-5F0E-B59D-95F816B26072} - C:\WINDOWS\System32\ltxluzxv.dll

    O2 - BHO: SDWin32 Class - {85210522-C068-46AB-BAF8-20207E3CECC4} - blank (file missing)

    O2 - BHO: (no name) - {E99E3BC2-9AFC-3E0C-44FB-9DD999C0F958} - C:\WINDOWS\system32\apuslgeb.dll

    O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll

    O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)



    NOW: After fixing the above with HJT, please follow me below.

    1) Run LSP-Fix that I had you download

    2) After you have opened this program the file dolsp.dll should already be in the right column. If NOT, then select "I know what I'm doing" and select the file dolsp.dll on the left and move it to the right side.

    After the file dolsp.dll is on the right side, Click Finish!

    NOTE: DO NOT REMOVE ANY OTHER FILE WITH THIS PROGRAM AS IT WILL BREAK YOUR LSP CHAIN CAUSING YOU TO LOSE INTERNET ACCESS


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\ltxluzxv.dll

    C:\WINDOWS\system32\apuslgeb.dll

    c:\windows\system32\dolsp.dll

    C:\WINDOWS\SYSTEM32\ckpNotify.dll



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!
     
  12. DerekLee1

    DerekLee1 Private E-2

    TpKmpSVC.exe and TpScrLk.exe are running, but they are "system" files and will not end. Should I continue with the other steps anyway?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  14. DerekLee1

    DerekLee1 Private E-2

    Spybot S&D found and fixed doubleclick and Avenue A, Inc. The only problems I had were not being able to kill the .exe file as you requested in Task Manager and that two of the entries that I "fixed" with HJT have returned (as you'll see in the log). Problem appears fixed (so far!!). What was the beast that CAUSED all of this trouble??

    Another problem that I've been having that appeared at the same time as this one, although it may be unrelated, is with my recycle bin. When I delete files, they are immediately deleted, never going into the bin. I do get prompted with the "are you sure you want to delete this file" question, but if I click "no", the file just remains where it was. "Yes" sends it away for good. I have checked the Recycle Bin properties, but the "Do not move items to the recycle bin" is UNCHECKED. My C: drive does not appear as a tab at all. This is pretty annoying, too, and I'd appreciate any help you could offer there as well.

    Thanks so much for the time and efforts you've already invested in helping with this!!
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please post a fresh HJT log!


    As far as the problem with the Recycle Bin goes, Post this problem in a new thread in the Software Forum as we stay busy in here with spyware/virus related infections.
     
  16. DerekLee1

    DerekLee1 Private E-2

    Gak! Sorry, was so excited that my problem seems to be fixed that I forgot...
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run HJT again and have it fix the below entries. Be sure all open browsers are CLOSED before fixing anything with HJT!

    O2 - BHO: (no name) - {08DE7FF5-6730-72BF-2D6E-A6F8015ED893} - (no file)

    O2 - BHO: (no name) - {5AE70B1D-98E7-5F0E-B59D-95F816B26072} - (no file)

    O2 - BHO: (no name) - {E99E3BC2-9AFC-3E0C-44FB-9DD999C0F958} - (no file)

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)


    NEXT, reset your web settings.

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com OR www.phillies.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Reboot to Normal Windows and Scan with HijackThis and attach a fresh log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Thanks Bj:)
     
  18. DerekLee1

    DerekLee1 Private E-2

    I have tried deleting the three O2 files three times now, with ALL windows closed, especially browser and explorer windows. They keep coming back!!
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These 3 seem to be coming back, so lets try running Ad-Aware SE.

    1) Download Ad-Aware SE 1.05

    2) Install, after installation is complete, make sure you have the latest reference file, do this by clicking on "Check For Updates"

    Note: The latest ref file should be SE1R28

    3) Once you have updated, Click start!

    4) When you get to where it ask to choose a scan mode, be sure you check "Perform Full System Scan" and then do your scan.

    5) Remove all found entries!


    After you have completed this, reboot and post a fresh HJT log. Please note that if the 3 below entries appear, have HJT fix them with ALL browsers closed!

    O2 - BHO: (no name) - {08DE7FF5-6730-72BF-2D6E-A6F8015ED893} - (no file)

    O2 - BHO: (no name) - {5AE70B1D-98E7-5F0E-B59D-95F816B26072} - (no file)

    O2 - BHO: (no name) - {E99E3BC2-9AFC-3E0C-44FB-9DD999C0F958} - (no file)
     
  20. DerekLee1

    DerekLee1 Private E-2

    Ad-Aware (with updated components) and Spybot (also updated) both came up 100% clean. However, those 2 entries in HJT keep reappearing, even after several removals with all browser/explorer windows closed, and reboots.
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download, Install and Run BHODemon

    When you run this, it will show all BHO's installed on your system. The image I attached, I want you to copy one and paste one for me so I can see what all BHO's are installed on your system. To do this press the Print Screen|SysRq key and then paste it into MS Paint.

    Attach that image so I can see what's installed.
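The HijackThis O2 and O20 lines in post 11, and the BHODemon request above, both come down to the same registry audit: list every Browser Helper Object CLSID and every Winlogon Notify package, resolve the DLL each one points at, and flag the two patterns the helper is chasing here (a CLSID with no DLL behind it, which HJT prints as "(no file)", and a registered DLL that is missing from disk or unsigned). The script below is an added example written for this thread; it is not BHODemon, HijackThis or any tool from the posts. It assumes the standard registry locations (the Browser Helper Objects key under Explorer, CLSID\InprocServer32 for the COM server path, and the Winlogon\Notify key, which only exists on XP/2003-era systems) and is read-only: it reports, it removes nothing.

```powershell
# Added example, not code from the thread or from any tool mentioned in it.
# Audits BHO and Winlogon Notify registrations and reports the state of each DLL.
# Run in an elevated PowerShell on the machine being examined. Read-only.

function Get-DllStatus([string]$path) {
    # No path at all: the CLSID is registered as a BHO but has no InprocServer32
    # behind it. This is the "(no file)" case HijackThis reports on O2 lines.
    if ([string]::IsNullOrWhiteSpace($path)) { return 'NO FILE REGISTERED (orphan CLSID)' }

    # Winlogon Notify DllName values are often bare file names resolved from System32.
    $expanded = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $env:SystemRoot "System32\$expanded"
    }
    if (-not (Test-Path -LiteralPath $expanded)) { return "MISSING ON DISK: $expanded" }

    # A present but unsigned DLL in System32 with a random-looking name is the
    # pattern seen in post 11 (ltxluzxv.dll, apuslgeb.dll) and deserves a look.
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid') { return "PRESENT, UNSIGNED ($($sig.Status))" }
    return "PRESENT, signed by $($sig.SignerCertificate.Subject)"
}

function Get-BhoRegistration {
    # 32-bit and 64-bit views; Test-Path skips whichever does not exist.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($key in Get-ChildItem $hive) {
            $clsid  = $key.PSChildName
            $server = $null
            # The DLL implementing the BHO is the (Default) value of CLSID\{...}\InprocServer32.
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            [pscustomobject]@{
                Kind   = 'BHO'
                Name   = $clsid
                Dll    = $server
                Status = Get-DllStatus $server
            }
        }
    }
}

function Get-WinlogonNotify {
    # HijackThis O20 lines come from here. Absent on Vista and later.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        $dll = (Get-ItemProperty -Path $key.PSPath).DllName
        [pscustomobject]@{
            Kind   = 'WinlogonNotify'
            Name   = $key.PSChildName
            Dll    = $dll
            Status = Get-DllStatus $dll
        }
    }
}

@(Get-BhoRegistration) + @(Get-WinlogonNotify) | Format-Table -AutoSize
```

Anything reported as an orphan CLSID or as missing on disk is a leftover registration that a browser restart will not recreate by itself; if such an entry keeps returning after removal, as the O2 lines in this thread do, something still running on the box is re-registering it, and the process or service doing so, not the registry entry, is what needs finding. Entries that are present and signed by the expected vendor (the Timbuktu Pro hook, for instance) are normal and should be left alone.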
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Forgot to attach the image, Not a good day today. Got tons of things to do!
     

    Attached Files:

