virus in archives will not be deleted

I have run all of the spyware programs required. I have Antivir Guard that keeps popping up with a "trojan". I have tried to delete it .. I have tried moving it . I have gone down the entire list on antivir guard and the bloody thing is still there,, when I run a full system scan with it . I get the error that trojans in the archive will not be deleted etc.... I have attached my hijacklog ..please if someone knows how to finally get rid of that trojan .. I have emptied the internet temp files over and over again. and manually removed the folder the "trojan" sits in ..and it keeps returning ..

 

Major Attitude is correct.
Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

NOW:
Please look in Task Manager (ctrl-alt-del)and try to END the following running processes, if found:

prutqct.exe

Now scan with HijackThis and Check the Boxes for the following:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe
O9 - Extra button: Support - {20783850-D5E0-41BD-A7A9-9964BB2431A2} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B137BBA6-5A3C-4F0C-A81A-EB299EB4E12D} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {FB61B875-3FBB-451A-878D-4C1ABF0EA57A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {20783850-D5E0-41BD-A7A9-9964BB2431A2} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B137BBA6-5A3C-4F0C-A81A-EB299EB4E12D} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {FB61B875-3FBB-451A-878D-4C1ABF0EA57A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file if it should remain:

C:\WINDOWS\system32\prutqct.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

THEN:
Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.
Let me know how your computer is running now and if you had trouble with the above instructions.

Good luck

 

Make sure you turn off system restore before doing any of this.

 

Programs CAN NOT delete files that are in system restore. That is why it should be turned off until your computer is clean, then turn it back on. It is also possible that Adaware will find some in Spybot's save files.

Aslo, I am curious - is this an E-Machine?

 

I made sure my pc was in safemode for everything that needed to be done .. I ran spybot in safe mode and as soon as I was finished . I got the same virus warnings from antivguard .. I copied them so you can see

C:\DOCUMENTS AND SETTINGS\DONNA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8TCPC3W9\IEBHOS[1].DLL
The Trojan horse TR/VB.qn.C

C:\PROGRAM FILES\E2G\IEBHOS.DLL
The Trojan horse TR/VB.qn.C

I still continued to do the last steps and have enclosed the newest hijack log

 

1) Download Trojan Hunter 4.2
You should be able to D/L this and update it 1 time for free. If you can't do it for free let me know.

2) Install this program!
Note: After installation setup will prompt you to download the latest update, be sure you do this!

3) Now run a FULL SCAN and let it do its job, after the scan is complete it will display a window and allow you to clean the infections

After this scan is complete, post new HJT log and let me know how things are working.

 

Should I run this program in safemode as well?

 

Try it in normal mode first.

 

Be sure you have the latest Definitions for TrojanHunter.

Download Virus Definitions

NOTE: Just extract this .zip file to C:\Program Files\TrojanHunter

 

the scan came up with trojan file ceres.dll (Adaware.VX2.104) I was under the impression this is the update for adaware ? do I still remove it??

 

ok now I am really confused . it gave me list of 3 trojans and one possible trojan then shut down ...... it wouldnt let me jot down what they were or remove them ...... does it remove them automatically then shut down ???

 

Is this coming up anymore.

I believe TrojanHunter asks you to fix but it may do automatically.


Post another HJT log.

 

ceres.dll with this clsid {00000049-8F91-4D9C-9573-F016E7626484}is a problem.

 

Right .. I ran that remover a second time and this time it let me remove ..with prompt .. so I ran another HJT and notic that the same prutqct.exe is back again .even after removing it from the last HJT I am so depressed . I have this feeling this virus whatever it is . is here to stay ... attached is the latest HJT log

 

That line is there but I do not see the process running. So let's try this:
Make sure your browser is closed. It looks like it was open when you ran this HJT log.

Please look in Add or Remove Programs for the following and
Uninstall them if found:

E2Give (Let me know if you find this)

NOW:
Please look in Task Manager (ctrl-alt-del)and try to END the following running processes, if found:

prutqct.exe

Now scan with HijackThis and Check the Boxes for the following:

O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file and folder if they should remain:

C:\WINDOWS\system32\prutqct.exe
C:\PROGRAM FILES\E2G ----> The Folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

THEN:
Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.
Let me know how your computer is running now and if you had trouble with the above instructions.

Good luck

 

How do I remove this then ????

ceres.dll with this clsid {00000049-8F91-4D9C-9573-F016E7626484}is a problem.

 

I have just noticed. Do you have two AV programs running. If so delete the one you don't want. You should only run 1 Anti-Virus program. To be specific do you have Norton and AVPersonal running. Is AVPersonal an anti-virus program like Norton.

 

Do you have ceres.dll still on your machine. Do a search and find if you are worried. Look and see what the properties/Version are.

 

Just to let you know if you didnt, This ceres.dll with this clsid {00000049-8F91-4D9C-9573-F016E7626484} is a BHO known as Betterinternet/Transponder

The file ceres.dll is usually located in C:\WINDOWS and usually is a part of VX2


Download the following items:

KILL 2 ME.zip

L2MeFix Tool

Generic Detection Tool - NT/2000/XP

VX2.BetterInternet Finder XP/2k - Version Msg126

Pocket KillBox


Unzip the Generic Detection Tool to your desktop, locate find.bat and run it, allow it as much time as possible to run. After its complete attach this log.

 

Thanks BJ but I did know that. I am hoping it was deleted by TrjonHunter. If she did find it I wanted to see what it said. I believe sometimes that a buddy.exe can show up with it. I don't see any of the VX2 indications - do u? Why don't we wait on all of those D/L's for now. It may not even be on her machine still.

 

I have nortons and antivir guard ...

 

Donna

Did you do #16 post yet. Are you having any more problems. Be sure to post log after doing it.

 

yes I did #16 and I found the E2G .. I tried to remove it from add/remove programs but it wont delete . the entry is still there .. I did remove the folder and was not able to find the other one *prutqct.exe*
Now should I remove the trojan guard and antiVir guard and just leave nortons??

 

Do another scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.


O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab


Again, make sure All Browser Windows are Closed when you Click FIX.




NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


C:\WINDOWS\system32\prutqct.exe



NEXT:
Run CCleaner
(First two scans only)

Now Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

BJ

Let me handle this for now. I appreciate your help but I think we will only confuse Donna with both of us working on this thread. I will let you know if I want you to take over.

Thanks

 

You wasnt on when she posted back, so I figured you would appreciate it so she didnt have to wait, sorry wont happen again. Its yours pal

 

Thx BJ

 

actually I appreciate BOTH of you for helping me .... here is the latest HJT log

 

Ok Donna
A few questions
You said you couldn't remove E2G with the add/remove. Does it still show up in the Add/remove? What did it say when u tried to delete it?
Is the E2G folder gone?

The file prutqct.exe does not show up in C:\WINDOWS\system32\prutqct.exe - Correct?

Do you mean TrojanHunter that I had you D/L. If you mean that don't worry about it now - it's OK. As far as the antivir guard, get rid of either that or Norton if they are both Antivirus programs. Did you pay for either of them. If one is just a guard and not an actual AV program then they both can run. If you paid for AV program and you can still update it then keep it.

Did you find a ceres.dll file?

 

e2g is showing in add/remove.. I click on it and it just blinks . but then stays .. I was able to remove the folder however...I dont see prutqt.exe is not anywhere in windows system32 ...
I downloaded antiV Guard ((it is an antivirus program ))from the original link given by this forum as one of the things needed ..Nortons came with my pc **its a Dell**

 

Are you having any problems or are your programs picking up any problems as before?

Also was the Add/Remove E2g or actually E2Give?

if you have AntiVir Personal Edition 6.29.00.03 (Update) from Major Geeks you must delete either it or the Norton AV. You shouild not run both.

 

so far so good..... antiVir guard hasnt popped up with the warning any longer.. I am going to remove it now .. thank you BOTH sooooooooo very much for ALL your help . I didnt know what to do .. you are both "4 star generals" in my book!!!!

 

I see that:

O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe

is no longer in your HJT log.

 

Your Welcome

Glad you got it all fixed. You should check this out now: How to Protect yourself from malware!

Once everything seems OK be sure to turn System restore back on.

Use Firefox as your browser not IE.