Solved

VIRUS FROM HELL!!!!!!!!!!!!!!!!!

Posted on 2004-09-21
12,133 Views
Last Modified: 2008-01-09
Ok, I am used to viruses.  Disable System Restore - Go to Safe Mode - Run Stinger - Delete Temp Files - Run Adaware, Spybot & Spysweeper.  BUT THIS ONE WON'T DIE.  I have analyzed the HijackThis log but changes aren't made.  I can't install Norton or AVG or a firewall.  I can't pull up an internet page to scan for viruses online because it keeps putting me back to my home page.  All windows want to scroll to the bottom.  If I hold my shift key in I can get the computer to listen to some of my commands.  Please HELP!!!!  Some viruses removed were: w32/sdbot.gen.j - qhosts.apd & bloodhound.w32.ep.
Question by:kimscpu
32 Comments
 

Author Comment

by:kimscpu
ID: 12113795
Logfile of HijackThis v1.98.2
Scan saved at 8:22:35 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\videosd32.exe
C:\WINNT\System32\securitychk.exe
C:\WINNT\System32\Nortonupd.exe
C:\WINNT\System32\wissmsgr.exe
C:\WINNT\System32\cerf.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\usbsvc.exe
C:\WINNT\System32\WinSound1.exe
C:\WINNT\win32dlli.exe
C:\WINNT\System32\wuaultc.exe
C:\WINNT\System32\csmss.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Documents and Settings\Sharon\Application Data\m?????.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\Documents and Settings\Sharon\My Documents\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Norton Antivirus tools] NAVscan2.exe
O4 - HKLM\..\Run: [Norton AV Update] Nortonupd.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Microsoft Register] msreg.exe
O4 - HKLM\..\Run: [Microsoft service Machines] wissmsgr.exe
O4 - HKLM\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\Run: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\Run: [Msn Messengers] msnmsgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [USB Host Service] usbsvc.exe
O4 - HKLM\..\Run: [Sound System] WinSound1.exe
O4 - HKLM\..\Run: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKLM\..\Run: [ctfmonn] C:\WINNT\win32dlli.exe
O4 - HKLM\..\Run: [WindowsUpdate Service] wuaultc.exe
O4 - HKLM\..\Run: [SP2Fix] c:\sp2fix.exe
O4 - HKLM\..\Run: [MsgApi] C:\WINNT\System32\csmss.exe
O4 - HKLM\..\Run: [MSCommX] C:\WINNT\System32\mscommx.exe
O4 - HKLM\..\RunServices: [Microsoft Register] msreg.exe
O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe
O4 - HKLM\..\RunServices: [Norton Antivirus tools] NAVscan2.exe
O4 - HKLM\..\RunServices: [Microsoft service Machines] wissmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\RunServices: [Norton AV Update] Nortonupd.exe
O4 - HKLM\..\RunServices: [Windows Firewall Security] winmep.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\RunServices: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\RunServices: [Msn Messengers] msnmsgr.exe
O4 - HKLM\..\RunServices: [USB Host Service] usbsvc.exe
O4 - HKLM\..\RunServices: [Sound System] WinSound1.exe
O4 - HKLM\..\RunServices: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKLM\..\RunServices: [WindowsUpdate Service] wuaultc.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Register] msreg.exe
O4 - HKCU\..\Run: [Norton Antivirus tools] NAVscan2.exe
O4 - HKCU\..\Run: [Microsoft service Machines] wissmsgr.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKCU\..\Run: [Norton AV Update] Nortonupd.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKCU\..\Run: [Msn Messengers] msnmsgr.exe
O4 - HKCU\..\Run: [USB Host Service] usbsvc.exe
O4 - HKCU\..\Run: [Sound System] WinSound1.exe
O4 - HKCU\..\Run: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKCU\..\Run: [Sdet] C:\Documents and Settings\Sharon\Application Data\m?????.exe
O4 - HKCU\..\RunServices: [Msn Messengers] msnmsgr.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: desktop alert.lnk = C:\Program Files\Common Files\desktop alert\TrueWeather.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0D432806-1130-4588-B436-9294A427FC86} (SecCheck Class) - http://secchecktest.mynetwatchman.com/AXSecCheck.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=01fd3e5f78bc3d8e066d3bc6e669ff0d7a5533c3cdc849a3f43a7737780f8e76ac3665f47dba62a84bafbb038aad94a7200d2470:f7775abcd73d2fa63daf646f61636257
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

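As an added example (not code from this thread or from HijackThis itself), a Python script that triages the O4 entries of a log like the one above using the two signals the experts below keep pointing at: a program given as a bare filename, and the same program registered under several autostart keys at once. The sample is a subset of lines quoted from this log.

```python
"""Triage of the O4 (autostart) entries in a HijackThis log.

Added example, not part of the original thread and not a HijackThis feature.
Two cheap signals separate the junk from the legitimate entries: a program
given as a bare filename (no directory, so Windows finds it through the PATH
search, typically in System32) and one program registered under several
autostart keys at once (Run, RunServices, RunOnce, under HKLM and HKCU).
"""
import re
from dataclasses import dataclass, field

# Registry-style line:  O4 - HKLM\..\Run: [Display Name] command line
REG_O4 = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Startup-folder line:  O4 - Startup: name.lnk = C:\path\prog.exe
LNK_O4 = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<name>[^=]+?)\s*=\s*(?P<cmd>.*)$")

# Lines quoted from the log posted above (a subset is enough to show the pattern).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Norton AV Update] Nortonupd.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [Norton AV Update] Nortonupd.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Norton AV Update] Nortonupd.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""


@dataclass
class Entry:
    program: str                      # program as written in the log, lower-cased
    bare: bool                        # True when no directory was given
    locations: set = field(default_factory=set)
    names: set = field(default_factory=set)


def program_of(cmd: str) -> str:
    """Strip the arguments off a command line and return the program part."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # "C:\with spaces\x.exe" -arg
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(log_text: str) -> dict:
    """Map each autostart program to the locations and display names it uses."""
    entries = {}
    for line in log_text.splitlines():
        m = REG_O4.match(line.strip()) or LNK_O4.match(line.strip())
        if not m:
            continue
        program = program_of(m["cmd"])
        key = program.lower()
        entry = entries.setdefault(key, Entry(key, "\\" not in program))
        entry.locations.add(m["loc"])
        entry.names.add(m["name"].strip())
    return entries


def triage(log_text: str, min_locations: int = 2) -> list:
    """Return [(program, reasons)] for the entries worth a closer look."""
    findings = []
    for entry in parse_o4(log_text).values():
        reasons = []
        if entry.bare:
            reasons.append("bare filename, resolved via PATH search")
        if len(entry.locations) >= min_locations:
            reasons.append(f"registered in {len(entry.locations)} autostart locations")
        if reasons:
            findings.append((entry.program, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for program, reasons in triage(SAMPLE_LOG):
        print(f"{program}: " + "; ".join(reasons))
```

Run it against a full log by passing the file contents to `triage()`; the legitimate Yahoo, AVG and WinDates entries drop out while the System32 impostors remain.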
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12113801
Hello kimscpu =)

Take out ur hard drive and hook it up as a slave drive in another system...... now from the other system's hard drive u can run AV and online scans to eliminate all viruses !!
Otherwise ur system is looking so badly infected that a Format and Clean Install is the best solution here !!  =\

!! GOOD LUCK !!
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12113834
just look at ur log,,,,, it contains NOTHING except JUNK !!!  =\
and u have to manually delete those running junk files one by one in safe mode.... do u think u will be able to do the cleaning manually !!  :-?
LVL 1

Expert Comment

by:sevie
ID: 12114870
Check for urself the meaning of the .LOG file here: http://www.hijackthis.de/index.php
Special treatments are here: http://www.pchell.com/support/onlythebest.shtml for files marked as res:// hijacker......

If u still think u have a virus, make an online scan with one of the AV scanners here:
http://antivirus.about.com/cs/softwarereviews/tp/aaonline.htm

LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12114921
lol sevie.. where can u see that res:// hijacker !!  :D
it's not a case of hijacking..... all that crap is just running on the system and that's why it is conflicting with the cleaning process !! =\

Author Comment

by:kimscpu
ID: 12115112
I have checked the log and am aware of how nasty it is.  I believe I agree with SheharyaarSaahil that I need to do a clean install at this point.  I have already spent too much time looking for needles in a haystack.  Every time I find some I realize the stack is full of needles.  This lady just let these viruses run too long.  I did slave the drive and removed 9 more infections.  Some new ones were w32/sasser.worm!ftp - w32/gaobot and proxy-melt.  I will be reloading later today.  If you have any last ditch efforts let me know.
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12115213
>> If you have any last ditch efforts let me know.

I'm too afraid, my friend,,,, that even if we remove everything,,,, the infection is so strong that there are too many chances that the system will get reinfected..... and all your and our efforts will become useless !!  =\

A fresh install will hardly take one hour and the system will be up and running with all fresh files and programs.... after that install a good AV and firewall software.... and install Adaware and Spybot and turn on the auto protection... so that they will be able to protect the system and it will not get messed up as badly as now !!  :)

Good Luck =)

Author Comment

by:kimscpu
ID: 12115520
Thanks!!!!!!!
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12115611
u are very welcome ^_^

Expert Comment

by:cee1891
ID: 12180477
well kimscpu
do one thing: just start ur PC in safe mode with networking, install EZ Antivirus, then update it, and at that moment it automatically starts scanning and will clean all the viruses; then, after doing this and before restarting, install Service Pack 2 and u will be all clear
regards
THE CEE

Expert Comment

by:dldigital
ID: 12182019
Just a stupid question, but do you have "system restore" disabled on your XP machine? Because if you don't, every time you reboot XP kindly replaces everything you just so painstakingly removed.

Expert Comment

by:kazuma666
ID: 12197903
Maybe read the question before answering, no? "Ok, I am used to viruses.  Disable System Restore". 7th, 8th and 9th words. Obviously u didn't read up to there.
LVL 1

Expert Comment

by:drunkenlogic
ID: 12211295
for resolving the "back to my home page" problem

open
"C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts"
with notepad
clear every thing and
put
"local host 127.0.0.1"
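An added example, not code from drunkenlogic or anyone else in the thread: a Python audit of the hosts file that reports every mapping other than the loopback entry (a qhosts-style hijacker, which the question mentions, points security sites at 127.0.0.1 or at an address of its choosing) and also reports malformed lines, since the Windows hosts format is address first, then hostname. The sample file is constructed; the path is the one quoted above.

```python
"""Audit a Windows hosts file for hijacker redirections and botched edits.

Added example, not part of the original thread.  A home PC's hosts file
normally contains nothing but the loopback entry, so every other mapping is
reported.  Each line is "address  name [name ...]"; a line with the fields
the other way round is ignored by Windows and is reported as malformed.
"""
import ipaddress

HOSTS_PATH = r"C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts"   # path quoted above (C:\WINNT\... on this install)
CANONICAL = "127.0.0.1 localhost"
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: one legitimate line, two hijack entries, one malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com            # scan site sent to the local machine
192.0.2.10      housecall.trendmicro.com    # scan site sent to a foreign address
local host 127.0.0.1
"""


def parse_hosts(text: str):
    """Yield (line_no, address, names) per non-comment line; address is None when malformed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:                            # first field is not an IP address
            yield line_no, None, fields
            continue
        yield line_no, address, fields[1:]


def audit_hosts(text: str) -> list:
    """Return [(line_no, verdict, detail)] for everything but the loopback entry."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        if address is None:
            findings.append((line_no, "malformed", " ".join(names)))
        elif not names:
            findings.append((line_no, "malformed", str(address)))
        else:
            for name in names:
                if address.is_loopback and name.lower() in LOOPBACK_NAMES:
                    continue                          # the one entry that belongs there
                verdict = "blackholed" if address.is_loopback else "redirected"
                findings.append((line_no, verdict, f"{name} -> {address}"))
    return findings


def audit_file(path: str = HOSTS_PATH) -> list:
    """Audit the hosts file on disk (read as text, tolerant of odd bytes)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


def clean_hosts() -> str:
    """Replacement contents: only the loopback entry, in the correct field order."""
    return CANONICAL + "\n"


if __name__ == "__main__":
    for line_no, verdict, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict}: {detail}")
```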

Author Comment

by:kimscpu
ID: 12214587
I also cleared the hosts file.  Wasted too much time.  I do enjoy the ideas though - maybe it will help for the next time.  Because we always know there will always be a next time.

Expert Comment

by:Guda
ID: 12221099
if the user has data they can't live without, run it as a secondary drive on a system with current virus defs.  also Adaware 6 etc.. can be run against the secondary drive. back up data... and start over. it sounds like you already spent enough time on this one. i hate it when that happens... more often than not though, a good troubleshooter wants to find the real fix rather than the quick fix so as not to lose confidence.  it's called EGO and is a necessary evil in our line of work.

Expert Comment

by:dllfile
ID: 12254116
Run HiJackThis and Delete the Following..

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Norton Antivirus tools] NAVscan2.exe
O4 - HKLM\..\Run: [Norton AV Update] Nortonupd.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Microsoft Register] msreg.exe
O4 - HKLM\..\Run: [Microsoft service Machines] wissmsgr.exe
O4 - HKLM\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\Run: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\Run: [Msn Messengers] msnmsgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [USB Host Service] usbsvc.exe
O4 - HKLM\..\Run: [Sound System] WinSound1.exe
O4 - HKLM\..\Run: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKLM\..\Run: [ctfmonn] C:\WINNT\win32dlli.exe
O4 - HKLM\..\Run: [WindowsUpdate Service] wuaultc.exe
O4 - HKLM\..\Run: [SP2Fix] c:\sp2fix.exe
O4 - HKLM\..\Run: [MsgApi] C:\WINNT\System32\csmss.exe
O4 - HKLM\..\Run: [MSCommX] C:\WINNT\System32\mscommx.exe
O4 - HKLM\..\RunServices: [Microsoft Register] msreg.exe
O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe
O4 - HKLM\..\RunServices: [Norton Antivirus tools] NAVscan2.exe
O4 - HKLM\..\RunServices: [Microsoft service Machines] wissmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\RunServices: [Norton AV Update] Nortonupd.exe
O4 - HKLM\..\RunServices: [Windows Firewall Security] winmep.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\RunServices: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\RunServices: [Msn Messengers] msnmsgr.exe
O4 - HKLM\..\RunServices: [USB Host Service] usbsvc.exe
O4 - HKLM\..\RunServices: [Sound System] WinSound1.exe
O4 - HKLM\..\RunServices: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKLM\..\RunServices: [WindowsUpdate Service] wuaultc.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Register] msreg.exe
O4 - HKCU\..\Run: [Norton Antivirus tools] NAVscan2.exe
O4 - HKCU\..\Run: [Microsoft service Machines] wissmsgr.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKCU\..\Run: [Norton AV Update] Nortonupd.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKCU\..\Run: [Msn Messengers] msnmsgr.exe
O4 - HKCU\..\Run: [USB Host Service] usbsvc.exe
O4 - HKCU\..\Run: [Sound System] WinSound1.exe
O4 - HKCU\..\Run: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - HKCU\..\Run: [Sdet] C:\Documents and Settings\Sharon\Application Data\m?????.exe
O4 - HKCU\..\RunServices: [Msn Messengers] msnmsgr.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [Microsoft Secure Messenger.NET Service] securitychk.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: desktop alert.lnk = C:\Program Files\Common Files\desktop alert\TrueWeather.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O16 - DPF: {0D432806-1130-4588-B436-9294A427FC86} (SecCheck Class) - http://secchecktest.mynetwatchman.com/AXSecCheck.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=01fd3e5f78bc3d8e066d3bc6e669ff0d7a5533c3cdc849a3f43a7737780f8e76ac3665f47dba62a84bafbb038aad94a7200d2470:f7775abcd73d2fa63daf646f61636257
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

You have tons of crap on your system m8, delete the above using HiJackThis, then reboot,

after a reboot go to http://housecall.trendmicro.com/housecall/start_corp.asp

Scan for Viruses, make sure to check automatic clean,

after this is finished I recommend installing a good virus scanner, throw away Norton, IMHO Norton is trash..

Try a free trial of Kaspersky AV, it's a very good scanner and does not report a lot of false infections..
http://www.kaspersky.com/


Expert Comment

by:dllfile
ID: 12254132
oh, and I notice it looks as if you have AVG and Norton already on your system??
Or at least they used to be?

If so, it's not wise to run 2 virus scanners; I would be sure to uninstall them both before installing another AV

Author Comment

by:kimscpu
ID: 12258323
This user wanted to have her cousin reload the computer.  Not really afraid of losing data, rather afraid of paying the bill.

Expert Comment

by:redcelica67
ID: 12261759
Try running System Security Suite 1.04. This will delete all temporary files etc. and has just helped me get rid of a very stubborn version of Istbar. Nothing else would remove it! Shot in the dark but maybe worth a try. It is at http://www.igorshpak.net/software/3ssetup104.zip.

Expert Comment

by:dllfile
ID: 12264504
the steps I provided above should solve the prob; the main prob is all the trash that is bloating the system, especially the sections of stuff that have "hijacked" the browser.. This is what is causing you to not be able to run/install virus scanners; follow my steps and let me know.

Expert Comment

by:pbno12004
ID: 12274926
i'd try dllfile's suggestion before a clean install, that should let u run most virus scanners after reboot.

sounds like you do need to do a clean install if u can't clean up manually. try SpywareBlaster after Adaware and Spybot;
i've found that it cleans up what they can't or miss. also AVG Free is an excellent free AV, i use it to find viruses that PC-cillin, Norton and Vet
can't detect. get AVG Free at http://www.grisoft.com/us/us_index.php

Author Comment

by:kimscpu
ID: 12275769
The question states I couldn't install any anti-virus program and I couldn't get online to run a scan. I did try SpywareBlaster & Spybot and deleted all temporary files.  I am very well versed in the removal of viruses.  I usually have no problem, but once in a while I believe we do more of a disservice to our customer by removing most of the viruses and returning the machine in kind of a crippled condition.  Yes, I would run System File Checker, but don't you agree that if a customer has allowed viruses to have their fun for months, the best thing is to totally wipe it clean and reinstall?  It costs a bit more and it eliminates any mess left behind.  I know it is more money but it is a good lesson learned.

Expert Comment

by:phnxb
ID: 12278647
hmmm... that one sounds like a pickle... im not sure exactly what i would do to fix it... perhaps if you found the file.... you could boot into a command prompt with a system disk and delete it. but that is assuming that there is only one file that u know of... i reload windows all the time so it's not really anything for me to do it, but if you have stuff that u need kept i would go to a computer place to get it backed up... then i would format. I just recently purchased two very good applications, Symantec GoBack and Norton Ghost. if you're not sure, Norton Ghost makes images of ur hard drive contents and saves it to a file so it can easily and quickly be restored; Norton GoBack on the other hand keeps a very detailed log of pretty much everything that gets done to your computer and makes very frequent safe points that u can revert back to in a matter of minutes. out of the two, i liked GoBack better because if ur like me and always f-in' around with your computer it's very easy to fix ur f-ups... otherwise Spybot S&D for spyware, and i use Norton Antivirus for viruses and i also use Norton Internet Security for hackers.... soo good luck with the virus from hell and i hope i didn't tell you everything that u already know
LVL 7

Expert Comment

by:Focusyn
ID: 12289238
FYI - for everyone interested in this, I have noticed a couple of recent virii and spyware (particularly WinTools but others as well), in addition to running themselves as services etc., are embedding a reg file in a system folder, then adding a command to the startup of often used programs like explorer.exe or iexplore.exe that tells it to silently execute the reg file.  The reg files, when I've found them, have been the startup (Run, RunOnce, RunServices etc.) entries which you likely removed if you ran HijackThis, Adaware etc.  There is usually a third file, a DLL, embedded somewhere that runs a couple of checks to make sure the malware is still there, and to download it if it's been moved/deleted.  There is no sure way to find this stuff, but a search of local drives for *.reg, then sorted by date, helps.  Remember to search hidden/system folders because that's where they always are.

Expert Comment

by:pbno12004
ID: 12295235
i had to remove viruses and trojans a couple of weeks ago on one of our staff's work-from-home PCs.  it took almost 2 days to remove. had over 1400 trojans and viruses.
couldn't connect the pc to the network or internet at all because as soon as it detected a connection it would start downloading new
viruses and trojans.  Had to manually delete all the trojan and virus files from windows, sys32 and corresponding registry entries and empty the recycling bin every couple of minutes and check the virus hadn't restarted, because if it did it put all the registry entries back.  Safe mode didn't achieve anything either

Deleted all entries from HKLM\Software\Microsoft\Windows\Currentversion\Run and RunOnce and also
HKLM\Software\Microsoft\WindowsNT\Currentversion\Windows, then removed the data only from AppInit_DLLs

Delete any apps that shouldn't be in system32 and windows, they'll most likely all be around the same size. BE CAREFUL U DON'T DELETE WINDOWS FILES. IF UR NOT SURE WHAT SHOULD BE THERE I SUGGEST U DON'T DELETE ANYTHING AND DO A CLEAN INSTALL.
Also manually delete all the crap listed on the hijackthis log as already advised if it won't delete automatically.

Also shut down processes u don't need running from task manager.  helps a lot when manually removing crap.

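As an added example (not code from the thread), a Python script for the two hunts described by Focusyn and pbno12004 above: walk a drive for *.reg files, newest first, hidden folders included, and report the Run/RunOnce/RunServices values and the AppInit_DLLs value each file would re-import. The sample .reg files, their folder names and the "sample.dll" value are constructed placeholders; the value names come from the log in this thread.

```python
"""Hunt for .reg files that re-create autostart entries after a cleanup.

Added example, not part of the original thread.  Walks a directory tree
(os.walk does not skip hidden folders), lists *.reg files newest first and
shows the persistence values each one would import: values under a
...\CurrentVersion\Run, RunOnce, RunServices or RunServicesOnce key, plus
the AppInit_DLLs value under ...\Windows NT\CurrentVersion\Windows.
"""
import os
import re
import tempfile
import time

SECTION = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")       # [HKEY_...\Key]
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')    # "Name"="data" / dword:...
AUTOSTART_TAILS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")


def read_reg(path: str) -> str:
    """Read a .reg file; regedit exports UTF-16 with a BOM, older tools plain ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def autostart_entries(reg_text: str) -> list:
    """Return [(key, value_name, data)] for every persistence value in the file."""
    hits, key = [], None
    for line in reg_text.splitlines():
        sec = SECTION.match(line)
        if sec:
            key = sec["key"]
            continue
        val = VALUE.match(line)
        if not (val and key):
            continue
        if key.lower().endswith(AUTOSTART_TAILS) or val["name"].lower() == "appinit_dlls":
            hits.append((key, val["name"], val["data"].strip().strip('"')))
    return hits


def find_reg_files(root: str) -> list:
    """All *.reg files below root, most recently modified first."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".reg"):
                path = os.path.join(dirpath, name)
                found.append((os.path.getmtime(path), path))
    found.sort(reverse=True)
    return [path for _, path in found]


def report(root: str) -> list:
    """[(path, autostart hits)] for every .reg file under root, newest first."""
    return [(path, autostart_entries(read_reg(path))) for path in find_reg_files(root)]


# --- constructed sample tree; value names mirror the log posted above ---------
RESTORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 Configuration"="videosd32.exe"
"Norton AV Update"="Nortonupd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sample.dll"

[HKEY_CURRENT_USER\Software\Yahoo\Pager]
"Visible"=dword:00000001
"""
HARMLESS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINNT\\sample.bmp"
"""


def build_sample() -> str:
    """Make a temp tree: an old harmless export plus a fresh restore file in a hidden folder."""
    root = tempfile.mkdtemp(prefix="reghunt_")
    hidden = os.path.join(root, "WINNT", "System32", ".cache")   # hidden-style folder
    os.makedirs(hidden)
    harmless = os.path.join(root, "wallpaper.reg")
    with open(harmless, "wb") as fh:                   # regedit-style UTF-16 export
        fh.write(HARMLESS_REG.encode("utf-16"))
    old = time.time() - 86400                          # pretend it is a day old
    os.utime(harmless, (old, old))
    with open(os.path.join(hidden, "restore.reg"), "w", encoding="utf-8") as fh:
        fh.write(RESTORE_REG)
    return root


if __name__ == "__main__":
    for path, hits in report(build_sample()):
        print(path, "->", hits or "no autostart values")
```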
LVL 1

Expert Comment

by:quantum2
ID: 12316544
Easier solution,
Get a Norton 2004 / 2005 CD. Place it in the CD-ROM and boot from CD. From there you can do a removal. The virus definition files won't be as new as what is available online, so if you can get 2005 do. They will be newer on the CD.

Then once the AV runs, reboot the machine in safe mode and try installing Norton from there. If that works, run LiveUpdate and get the newest definitions from Symantec and run the AV again.

After the second run you should be good to go.

Next go to Sygate.com and download their free Personal Firewall. Install it and then block everything. What will happen is the log file will fill up with any programs that try to access the net. If you see anything other than the Generic Host from Windows, IE or a few other normal Windows applications, then take that list and uninstall the offending programs. Sygate will show you the EXE name and the directory it is located in. Make note of these names and after you delete / uninstall the files you can go into RegEdit and eliminate the keys.

once all of this is done... DEFRAG the drive and reboot yet again.

As someone mentioned here, if there is data you can afford to lose then try these steps. If not, I would format the disk and start from scratch. The above steps will get you there, but if you can afford to rebuild the machine then do it. And before you get online, install a firewall and AV software.

Q2
LVL 5

Expert Comment

by:godd31
ID: 12325433
Are you sure you disabled System Restore?





lol - :-)

Author Comment

by:kimscpu
ID: 12327400
Yes, I know system restore was disabled.  I even slaved the drive in another computer and scanned with McAfee.  It removed viruses but there were still more lurking when I returned it to the computer.
LVL 3

Expert Comment

by:Informative
ID: 12351715
I run this to boot suspect systems from CD to avoid running the virus; I usually use this PE boot.

http://www.nu2.nu/pebuilder/

Once you boot from it you will be able to peruse the drives, even XP NT secured type drives, to find and delete naughty files or copy your endangered documents to floppy or even to the network.

You can find many more similar bootable admin CDs just by going to google.com and searching for BOOT CD ISO

I also run a free spyware tool found here http://toolbar.yahoo.com
my favorite price.

Expert Comment

by:eSolutionist
ID: 12373731
did you try NAV from the other box when you had it slaved?
LVL 5

Expert Comment

by:godd31
ID: 12376560
Well sometimes you need to just cut your losses and start from scratch. Rebuilding the machine is probably the best course of action. IF you do recover from the viruses you still have a build that has been just raped by viruses and you have to ask what repercussions can come from that. I would back up any data you have and do a complete rebuild. It truly is the best course and I am sure most people that work IT would have long ago rebuilt the PC, 1 to save time and 2, our job is to make end users' PCs and servers as stable and reliable as possible. If I can't find a fix within all of my resources then it's time to start from scratch.


Best of luck to you sir!!

Cheers!
LVL 3

Expert Comment

by:Informative
ID: 12381297
Another tip I will share is I also like to build machines which are vital as multiboots.  This means install one copy of the OS to C:\ and another to D:\.  My personal preference is to use, like, XP Media Center on C:\ and XP Pro (or Server 2003) on D:\.  This way if the first OS ever starts to act odd, I can simply select the other boot and see if it is software or hardware immediately.

If the secondary boot partition loads to desktop and runs perfectly you know its not hardware.

Some of the silly stuff can be ruled out that way.  One good example was my left mouse button started not holding down solidly (so when blocking text it would act weird) and I suspected a virus immediately.  Booted to the alternate partition and it did the same thing.  Replaced the mouse and was back to work in almost no time.  Didn't waste any time trying to figure out if it was an infection because the other, inactive partition D:\ would not likely have been corrupted by a virus and the mouse did the same thing there.

