Trojan horse Downloader virus

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

 

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Okay now we need to use a new tool.

* Download and save to RenV.exe from following link to Desktop (
must be on the Desktop)
* Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).

Code:

C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\Logitech\Video\ManifestEngine .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger        .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger       .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger      .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger     .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger    .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger   .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\WINDOWS\SYSTEM32\hkcmd .exe
C:\WINDOWS\SYSTEM32\igfxtray .exe
C:\WINDOWS\SYSTEM32\LVCOMSX .EXE
C:\WINDOWS\SYSTEM32\mobjchku .exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe

* Now using your mouse, drag Log.txt onto RenV.exe
* When finished, RenV.exe will produce a new log names Log.txt on your Desktop I will ask for this log later.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 8

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memolxsk.dll (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA3006] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1950] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6796] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1627] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [mocu] C:\WINDOWS\system32\mobjchku.exe G
O4 - HKCU\..\RunOnce: [SpybotDeletingB367] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6494] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB88] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3811] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Quote:
Files to delete:
C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\memouint.exe
C:\WINDOWS\SYSTEM32\memolxsk.dll
C:\WINDOWS\SYSTEM32\rushitvz.exe
C:\WINDOWS\SYSTEM32\bkmoopob.exe
C:\Temp\liHco0109.exe

Folders to delete:
C:\WINDOWS\SYSTEM32\vt8
C:\WINDOWS\SYSTEM32\nz0
C:\WINDOWS\SYSTEM32\mp2
C:\WINDOWS\SYSTEM32\ez4
C:\WINDOWS\SYSTEM32\che9
C:\WINDOWS\SYSTEM32\edcA01
C:\Temp\tn3

[/quote]

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
Then attach the new logs:

* Log.tx from running RenV
* c:\avenger.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Did you infact take the code that I gave you and drag and dropped it on the RenV.exe ?

Let's do a few more things:
Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).

Code:

C:\Program Files\Common Files\Symantec Shared\ccApp .exe

* Now using your mouse, drag Log.txt onto RenV.exe
* When finished, RenV.exe will produce a new log named Log.txt on your Desktop I will ask for this log later.

* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and the new log from RenV.

 

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below quote box into it:

Code:

File:
C:\Program Files\Common Files\Symantec Shared\ccApp .exe

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt

Attach the Combo Log and tell me how things are running.

 

In Firefox...under tools / options...on the general tab..what is set for the home page?
MSN Messenger is showing in your logs ...so I'm not sure why it is giving you the error message.
Also, what is this:
C:\WINDOWS\system32\drivers\ULTRAA.sys --->? Memory stick?

We still have to remove a few stubborn files:
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
Then attach the new logs:
* c:\avenger.txt
* C:\MGlogs.zip

 

Copy the bold text below to notepad. Save it as Log.txt to your desktop.

Code:

C:\Program Files\Common Files\Symantec Shared\ccApp .exe

* Now using your mouse, drag Log.txt onto RenV.exe
* When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.

Now go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

Click-on the Detected Problems tab. Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

 

Bitdefender just removed all the malware in the system restore files and the quarantine folders.

We still need to remove that last Vundo file.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below quote box into it:

Code:

C:\Program Files\Common Files\Symantec Shared\ccApp .exe

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
*Attach this log to your next reply.

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

 

The core.cache.dll is back...so please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

 

Well, we have the same two to remove.

But first, run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).

Code:

C:\Program Files\Common Files\Symantec Shared\ccApp .exe

* Now using your mouse, drag Log.txt onto RenV.exe
* When finished, RenV.exe will produce a new log names Log.txt on your Desktop I will ask for this log later.

* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and the new REnV log.

 

Norton Antivirus is infection and it cannot be repaired. This requires that all of Norton be uninstalled and then this should be run afterwards: Norton Removal Tool (SymNRT)

Then you should reboot and continue on with the below steps.


Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_03


Run avenger.exe by double-clicking on it.

• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

Does it give you this error message after you physically power down and then do a reboot?

Does it give it to you if you try to boot in safe mode?

Does last known good boot work?

Do you have your Windows XP bootable CD?

 

What you are going to need to do is use your recovery cd ...when you boot with the cd in the drive ...then hit enter to boot to the cd ...it "should" give you an option to either do a fresh installation or allow you to do an installation that keeps your settings and data ....let me know if it does.

 

Based on all info I can find this probably occurred due to the scan disk (chkdsk) that was run after that reboot when the last Avenger fix was run. The fix with Avenger was not a problem we do this dozens of times per day. Something occurred within your OS to cause a chkdsk to run and some kind of corruption occurred.

We already tried last know good. And I think we tried safe boot mode but all you said was you pressed F8. Did you ever actually choose safe boot mode or did the PC bypass the Window where options for the type of boot appear?

Can you give me the names of the last 5 or 6 files you say you saw appearing on the screen from the system32 folder.



Next step I want you to try doing is the below using your Windows Reinstallation CD.

Start Recovery Console


To start Recovery Console, do the following:

• Start your computer with the Windows Reinstallation CD in the CD drive.
  • Make sure the boot order in your BIOS is set to boot from CD before booting from your hard disk
• At the Welcome to Setup screen, press R to start the Recovery Console.
• Select the Windows installation that you want to repair (which should just b C:\Windows), and then press ENTER
• Type the Administrator password, and then press ENTER. If the administrator password is blank, just press ENTER.
  • Note: The Recovery Console uses the Administrator password that you configured when you installed Windows XP.
• Once you get to the command prompt window of the Recovery Console enter the below commands ech followed by the enter key.

cd C:\Wiindows\System32

ren Ntoskrnl.exe ntoskrnl.new
cd C:\Windows\$NtUninstallKB931784$
copy Ntoskrnl.exe C:\Windows\system32\
Exit

The exit should cause a reboot. Can you boot now?


If you wish to have more information about the Recovery Console, see the below:

http://support.microsoft.com/kb/307654/en-us

 

Please try the steps that Chas posted in the previous post. Let us know if that was helpful.

 

When you first boot up ..there is usually a brief message about hitting a key to get into the bios menu ...could be F2 or F11 ....from there you will go to the (?) 2nd or 3rd tab for the startup order ...you scroll thru to make the first choice the cd drive..then hard drive ...F10 to save the changes and exit ...it should then boot into the cd.

 

Do you have another system that you could slave the drive to?

Back in the recovery console

C:\Windows> now type cd =
C:\Windows>cd --> to get you to:
C:\> NOw type each command and hit enter after each:
C:\>ATTRIB -H C:BOOT.INI
C:\>ATTRIB -R C:BOOT.INI
C:\>ATTRIB -S C:BOOT.INI

Then type:
C:\>DEL BOOT.INI

C:\>BOOTCFG /REBUILD

you will now get a system file rebuild at the end of which you will be back to:

C:\>

and type:

C:\>CHKDSK /R /F


Then after that is done:


C:\>FIXBOOT


Finally exit and see if you can boot.

 

My only other suggestion is to do a repair install ....so when you boot to the cd ...your first choice is:


-To set up Windows XP, now press ENTER. ---> Chose this!!
-To repair a Windows XP installation using Recovery Console, press R.
-To quit Setup without installing Windows XP, press F3.

You will go to the agreement page (F8 to agree) ..then it will find the previous install of xp ...that is when you opt for Repair (R) ...let it rip.

Tell me if this works or you have problems with it.

 

Repair install ...if it works ...will preserve all your files and data ....and malware.

 

no...not until it is totally finished ...takes about 30 -60 minutes.

I didn't see the previous message ...it is looking like your hard drive is dead ...or dying...
http://www.seagate.com/www/en-us/support/downloads/seatools ...seagate tools for dos ...save to cd and boot to it.

 

We posted over each other ..you can get the tools here:
http://www.majorgeeks.com/download2858.html

 

You are saying that once you select the cd as first boot device ...then hit f10 to save and exit ...it should reboot to the cd ....I suspect you are not saving the changes in the Bios menu.

 

Try removing any and all accessories (printers / scanners / etc.) and try rebooting.
Do you feel capable of opening the box and removing the hard drive so that we can instruct you how to put it into another computer as a slave drive?