Trojans Bitdefender couldn't remove...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Texan, Jul 20, 2005.

  1. Texan

    Texan Private First Class

    Hello. I appreciate any help or direction that can be provided. I was having some problems found here: http://forums.majorgeeks.com/showthread.php?p=618489#post618489

    I was directed to go through the pre-hijackthis procedures and all went well except HSRemove always claims to have removed 8 items but never says what they are.

    I was told to come here before proceeding to the hijackthis forum if some problems could not be removed.

    I used Bitdefender's on-line scan and the following trojans were found and not removed.

    C:\WINDOWS2\ounost.exe
    Infected with: GenPack:Trojan.Downloader.IstBar.ER

    C:\WINDOWS2\ounost.exe
    Disinfection failed

    C:\WINDOWS2\ounost.exe
    Deleted

    C:\WINDOWS2\nxscript.exe=>(NSIS o)=>zlib_nsis0002
    Infected with: Trojan.Clicker.Vb.DN

    C:\WINDOWS2\nxscript.exe=>(NSIS o)=>zlib_nsis0002
    Disinfection failed

    C:\WINDOWS2\nxscript.exe=>(NSIS o)=>zlib_nsis0002
    Deleted

    C:\WINDOWS2\nxscript.exe=>(NSIS o)
    Update failed

    C:\WINDOWS2\nxscript.exe=>(NSIS o)=>zlib_nsis0003
    Infected with: Trojan.Vb.SY

    C:\WINDOWS2\nxscript.exe=>(NSIS o)=>zlib_nsis0003
    Disinfection failed

    C:\WINDOWS2\nxscript.exe=>(NSIS o)=>zlib_nsis0003
    Deleted

    C:\WINDOWS2\nxscript.exe=>(NSIS o)
    Update failed
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You only need to run HSRemove for HSA or about:blank hijacker problems which I would bet you do not have. It always says 8 items removed on clean systems. It's a bug that has never been fixed.

    Did you complete all the steps in the READ ME FIRST?

    Delete those two files manually after booting into safe mode (if they still exist):
    C:\WINDOWS2\nxscript.exe
    C:\WINDOWS2\ounost.exe
     
  3. Texan

    Texan Private First Class

    Thanks for your reply.

    Yes, I followed the steps closely in the READ ME FIRST.

    So after re-booting in safe mode, when searching for these files do I just put ounost.exe in the search window and search in C drive or do I type all of this...

    C:\WINDOWS2\ounost.exe
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not search for them using Windows search. Just open Windows Explorer (click Start and select Explore) and navigate to the C:\windows folder. Scroll around and locate the files and right click on them and select Delete.

    If you still have problems afterwards, follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. Texan

    Texan Private First Class

    Thanks. I only found nxscript.exe

    Attached is my Hijackthis log as I suspect there are more than one problem with my system.

    I appreciate any further help looking at my log. I feel this is something that is long overdue. Thanks again for your help!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit all browsers before using HJT. You had the below running:

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    Do you require the below proxy server settings?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {8B50176C-DD6E-4C14-A603-727A859337CD} - (no file)
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O3 - Toolbar: (no name) - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Also fix the below two lines unless you know them to be safe?
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

    After clicking Fix, exit HJT.


    In order to properly diagnose any possible problems on your PC, you really should not be running MSCONFIG to control what is loading at startup. Please run msconfig now and select Normal Startup then reboot and post a new HJT log. What is it that you were using msconfig for?
     
    Last edited: Jul 21, 2005
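The log review in the post above turns on a few recurring patterns in HijackThis entries: orphaned entries marked "(no file)" or "(file missing)", a ProxyServer value that forces browser traffic through localhost, and O16 ActiveX downloads from outside sites. This added example (not from the thread or from HijackThis itself) applies those same checks to the lines quoted in the post, plus one constructed benign O4 line that should pass; the classification rules and the helper names are my own.

```python
import re

# Entries quoted in the thread above, plus one constructed benign O4 line at the
# end (hypothetical program, not from the log) that the triage should leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8B50176C-DD6E-4C14-A603-727A859337CD} - (no file)
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\Example\tool.exe
"""

# A HijackThis line is "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def classify(line):
    """Return (code, [reasons]) for a log line, or None if it is not a HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if code == "R1" and "ProxyServer" in body and re.search(r"=(localhost|127\.0\.0\.1):\d+", body):
        reasons.append("proxy routes browser traffic through a local listener; confirm it is intentional")
    if code == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook missing; fixing restores the default")
    if code == "R0" and body.endswith("="):
        reasons.append("empty Local Page value; harmless to fix")
    if code == "O16":
        url = re.search(r"https?://([^/\s]+)", body)
        host = url.group(1) if url else "?"
        reasons.append(f"ActiveX download from {host}; remove unless deliberately installed")
    return code, reasons


def triage(log_text):
    """Return [(code, line, reasons)] for every entry that tripped at least one rule."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            findings.append((result[0], line.strip(), result[1]))
    return findings
```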
  7. Texan

    Texan Private First Class

    Thanks for your help!
    I am not sure if I require,
    "the below proxy server settings?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080"

    Sorry about the browser being open.

    I removed everything you listed and created a new log that I will attach here.

    Regarding the msconfig, I usually use 'Startup Mechanic' to prevent that from opening because, for some reason, I no longer have that in my msconfig startup list to disable. I used Spysweeper and it placed itself in the startup menu. When that happens msconfig always starts up on its own until I use Startup Mechanic to disable it. I used to get a warning stating, 'A program is trying to join your startup menu' (worded something like that) but that stopped working along with Spywareguard and my Norton won't startup on boot or its live update won't work either. Also something kept disabling my Earthlink toolbar popup blocker and scamguard. I suspect it was from the Backdoor.Surila virus I had or one of the problems you helped me with.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean! Are you having any other malware problems?
     
  9. Texan

    Texan Private First Class

    Not that I am aware of.

    Thanks again for all of your help!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

