trojan tutorial - scan for virus problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by lmps, May 29, 2005.

  1. lmps

    lmps Private E-2

    I have installed the programs listed in the tutorial. I am trying the scan and cleaning steps. When using the Trend Micro virus scan, I receive a message "Housecall for Netscape Installation - it appears that the required components are not currently installed. Load this program - run it and restart Netscape browser."

    After doing the above I tried the Trend scan again but keep receiving the above message.

    What am I doing wrong?
     
  2. AbbySue

    AbbySue MajorGeeks Administrator

    If you are using Netscape browser it is possible there is a conflict (bug in Netscape or Trend hasn't caught up with the updates to Netscape yet). Have you tried running the scan using IE?
     
  3. lmps

    lmps Private E-2

    No I haven't. I will try it and see what happens. Thanks.
     
  4. lmps

    lmps Private E-2

    I tried to run in IE. I keep getting an error - IEXPLORE - This program has performed an illegal operation - Invalid page fault in Module SQLHKAA.DLL.
     
  5. lmps

    lmps Private E-2

    I also tried running the Symantec Security Check. A blank window pops up. Nothing seems to be running and I do not get an error.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can't run the online scans, proceed with the below instructions.

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner.

    After you run this scan, reboot and post a HJT log from normal mode.
     
  7. lmps

    lmps Private E-2

    After double clicking on the sysclean.com file I received the following error.

    Pattern file "LPT$VPN" is missing. Please download a copy.

    Where should I download the file from - Trend Micro?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Both files have to be downloaded and in a folder before running sysclean. Run it again but make sure both files are downloaded before running anything.
     
  9. lmps

    lmps Private E-2

    When I try to download the Pattern.zip file I get an error.

    Netscape smartdown load error - There is a temporary network error preventing the download of your file Trendmicro.com/ftp/products/pattern/lpt641.zip Try again?

    Internet Explorer is not able to link to the web page trendmicro.com/ftp/products/pattern/lpt641.zip

    What should I do?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right click on the link and select "Save Target As". If this still doesn't work let me know.
     
  11. lmps

    lmps Private E-2

    It doesn't seem to be working. I got the same errors as before.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  13. lmps

    lmps Private E-2

    I was able to run the sysclean.com program. Thank you for your help. The scan did detect some problems. Your past thread wanted me to post HJT log but I haven't finished the cleaning steps listed in the Tutorial. I will finish the steps in the tutorial and let you know if I have any more trouble.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, finish all of the steps in the READ ME and then post a fresh HJT log from normal mode.
     
  15. lmps

    lmps Private E-2

    I was able to run the remaining scans and cleaning tools listed in the tutorial. The blue desktop screen indicating a "trojan-spy html.smitfraud.c System can not function in normal mode" is gone now. I also used HJT and hopefully will post the log correctly.
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Instead of me posting all of those entries in here, scan with HJT and have it fix ALL of the O9 - Extra 'Tools' entries.

    Afterwards reboot and post a fresh HJT log.
     
  17. lmps

    lmps Private E-2

    I deleted the O9 - Extra 'tools' and I'm attaching the new log after rebooting. Thanks for your help.
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Dell Home - {7B659FC0-43EF-11D5-A57B-901A55C1B297} - http://smbusiness.dellnet.com/ (file missing) (HKCU)

    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\SYSTEM\WER8274.DLL

    C:\Recycled\Q330995.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
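
Added example (not part of the thread and not HijackThis code): a small Python parser for the HijackThis line format seen in the fix lists above, splitting each entry into section, CLSID and target and noting three traits visible in those entries. The function names and the three notes are assumptions of this example, not HijackThis rules.

```python
import re

# Entries copied from the HijackThis fix lists posted in this thread.
THREAD_ENTRIES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {50052728-D66B-11D9-A57C-0002FA119ED7} - C:\WINDOWS\SYSTEM\EJDHPJ.DLL (file missing)
O9 - Extra button: Dell Home - {7B659FC0-43EF-11D5-A57B-901A55C1B297} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
TAG_RE = re.compile(r"\s*\((?:file missing|HKCU)\)")  # trailing status tags


def parse_entry(line):
    """Split one log line into section, CLSID, target and triage notes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a HijackThis entry line
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    # Target follows the CLSID (O-sections) or the "=" (R-sections).
    if clsid:
        target = body[clsid.end():].lstrip(" -")
    else:
        target = body.partition(" = ")[2]
    notes = []  # assumed triage notes, chosen for this example
    if "(file missing)" in target:
        notes.append("file missing")
    if "(no name)" in body:
        notes.append("no name")
    if "\\recycled\\" in target.lower():
        notes.append("runs from Recycle Bin")
    return {
        "section": m.group("section"),
        "clsid": clsid.group(0) if clsid else None,
        "target": TAG_RE.sub("", target),
        "notes": notes,
    }


def flagged(lines):
    """Return parsed entries that carry at least one note."""
    parsed = (parse_entry(l) for l in lines)
    return [e for e in parsed if e and e["notes"]]
```
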
     
  19. lmps

    lmps Private E-2

    I deleted the entries and ran CCleaner and Spybot S&D. I wasn't able to run cleanmgr from the Start > Run. The program was not responding. I ran HJT in normal mode. See attached log. Thanks for your help.
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Now, you must update your IE version as it's way outdated and represents a major security risk. Use the link below to download and install IE 6 SP1.

    Internet Explorer 6 Service Pack 1

    After you update IE, reboot and see if any problems remain.
     
  21. lmps

    lmps Private E-2

    I upgraded my IE as suggested. I still am having pop ups with "Warning" in the blue top of the box with advertisement inside the box. Should I install something else to block these?
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you better describe what's taking place? Is it your desktop background or an actual pop up? Does it say anything in particular?
     
  23. lmps

    lmps Private E-2

    It is a pop up. The box has the IE symbol with "Warning" at the top in blue. Then an advertisement. The last one I received was "WORK FROM HOME WITH US... ANYWHERE IN THE WORLD!" Then a description and a "Click for more..."
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following program:

    Spy Sweeper 3.5.0.199

    After you install, be sure you get all available updates! After you get the updates run a full sweep and remove all found infections.

    Afterwards reboot and let me know how things are running.
     
  25. lmps

    lmps Private E-2

    Things seem to be working fine now. The Spy Sweeper did find and remove several things. Is that software one of those I should purchase after my trial 30 days? It seems to be very powerful. Thanks for all your help.
     
  26. peterparker

    peterparker Corporal

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of those are problems! Why would you think that? Read the links again. They are not problems. They are valid windows processes.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's a great program for Spyware Protection/Removal. I have had it for a while now. It's well worth the $30 annually.

    Are you having any further problems? Also, just to be sure let's get one last HJT log.
     
  29. lmps

    lmps Private E-2

    I'm attaching a log file for review. I'm not having any pop ups since loading Spy Sweeper. I am having trouble updating Windows. I posted a thread in the software area. The installation failed when trying to do 23 updates (installation history lists all 23 as failed). When Windows searches for updates it is only finding 4 now.
     

    Attached Files:

  30. lmps

    lmps Private E-2

    Now that I say there is not a problem... Spy Sweeper seemed to lock up - "not responding" and when I ended the task I got the pop up warning me of potential viruses.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: (no name) - {50052728-D66B-11D9-A57C-0002FA119ED7} - C:\WINDOWS\SYSTEM\EJDHPJ.DLL (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    What exactly did SpySweeper notify you about?
     
  32. lmps

    lmps Private E-2

    I could not find the O2 - BHO: (no name) - {50052728-D66B-11D9-A57C-0002FA119ED7} - C:\WINDOWS\SYSTEM\EJDHPJ.DLL (file missing)

    After running HJT and creating the log that I had sent you I ran Spy Sweeper again. It did find and fix some things.

    I didn't word my previous thread correctly. SpySweeper did not notify me with a popup. After I had ended the SpySweeper task (Ctrl-alt-del) a separate popup appeared warning me of a virus - it was one that I was getting before installing and cleaning with SpySweeper. The IE logo was at the top in the blue bar and the message was like it was in DOS (black screen).
     
  33. lmps

    lmps Private E-2

    I forgot to attach log and also attaching Spysweeper txt from last clean. Thanks for all your help.
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode, scan with HJT and have it fix the below entry:

    O2 - BHO: (no name) - {9998417D-D72E-11D9-A57C-0002EA111C2C} - C:\WINDOWS\SYSTEM\BHA.DLL (file missing)

    Are you having any further problems?
     
  35. peterparker

    peterparker Corporal

    Sorry to jump into the thread. When I read the page from the link, in the middle of the paragraph it said that they were hidden processes and only will show in Windows tasklist if there is a problem. Thought maybe this person may be having a system problem. Should leave it to you guys and just monitor.
     
  36. lmps

    lmps Private E-2

    No problems since the last fix in HJT. Thank you for all your help.
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

