
Virus Keeps Coming Back

Discussion in 'Virus & Other Malware Removal' started by Neil Miller, Sep 3, 2005.

Thread Status:
Not open for further replies.
  1. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search) which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or antivirus programs I have can stop the reinfections.

    I have gone into safe mode, used CWShredder, CClean, Kill2Me, HSRemove and Stinger. Also RAVAntivirus online scan, Bitdefender online scan, AdAware SEplus and Norton Antivirus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used Hijack This to find and fix some other suspicious entries.

    But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

    Below is a recent Silent Runners report, followed by a HiJack This report:

    I run a dual OS, which explains why the current drive is D: rather than C:. I have also booted into the other OS and run virus scans from there (for some reason some of the antivirus programs on D: - even in safe mode - run pitifully slowly or not at all - Norton Internet Professional seems to be woefully inadequate, and Spyware Doctor takes a few hours to complete - if it doesn't freeze). I have had SpyBot, SpywareBlaster and AdAware SEplus on my system for a long while, but they have not helped either.

    Any help at all would be very gratefully received!

    All the best,
    Neil.
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    You will need to download the following tools and have them ready to run.
    Do not run any of them until instructed to do so:

    Click: http://castlecops.com/zx/flrman1/cwsserviceremove.zip to download
    cwsserviceremove.zip and unzip it to your desktop.


    download cleanup


    http://cleanup.stevengould.org/

    Download Killbox here: http://www.thespykiller.co.uk/files/killbox.exe and
    save it to your desktop.

    Click here: http://cwshredder.net/bin/CWSInstall.exe to download
    CWSinstall.exe to the desktop.

    Click: http://www.downloads.subratam.org/AboutBuster.zip to download
    AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click
    "Check for Update" and download the updates and then click "Exit" because I
    don't want you to run it yet. Just get the updates so it is ready to run
    later in safe mode.


    Now go ahead and set your computer to show hidden files like so:

    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    ______________________________________________________________________

    Sign off the Internet and remain offline until this procedure is complete.
    Unplug your modem or disconnect the cable or phone line. Copy these
    instructions to notepad and save them on your desktop for easy access. You
    must follow these directions exactly and you cannot skip any part of it.
    ______________________________________________________________________



    Restart to safe mode.

    http://service1.symantec.com/SUPPOR...001052409420406

    Perform the following steps in safe mode:
    ____________________________________________________________________

    Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
    ____________________________________________________________________

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis.
    DO NOT OPEN ANYTHING ELSE!



    Put a check by these entries in Hijack This and click the "Fix Checked"
    button:


    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
    O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.


    D:\WINNT\ntje32.exe
    D:\WINNT\system32\crqw32.exe
    D:\WINNT\system32\cshbm.exe
    D:\WINNT\cshbm.exe



    Find and delete these files and folders if they are there:


    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    cshbm.exe
    ___________________________________________________________________


    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start,
    then click OK. This will scan your computer for the bad files and delete them.
    _______________________________________________________________________

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix"
    (Not "Scan only") and let it do its thing.


    _______________________________________________________________________



    Now run cleanup

    _______________________________________________________________________

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and
    go to Edit > Select All then Edit > Delete to delete the entire contents of
    the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open.
    Click Edit > Select All then Edit > Delete to delete the entire contents of
    the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under
    "Temporary Internet Files" Click "Delete Files". Put a check by "Delete
    Offline Content" and click OK. Click on the Programs tab then click the
    "Reset Web Settings" button. Click Apply then OK.
    _______________________________________________________________________



    Boot back into Windows now.



    Go to: http://housecall.trendmicro.com/ and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan.
    If it finds anything that it cannot clean have it delete it or make a note
    of the file location so you can delete it yourself. Housecall will detect
    the leftover files from this hijacker.


    This hijacker is known to alter or delete certain files so check this out
    please:

    Download the Hoster from:
    http://www.funkytoad.com/download/hoster.zip UnZip
    the file and press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file. Go
    to: http://www.spywareinfo.com/~merijn/winfiles.html and download
    SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the C:\Windows\system32 folder to be sure you have a file named
    Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache
    folder.

    Find shell.dll and right click on it. Choose Copy from the menu.
    Open the System32 folder and right click on an empty space in the window.
    Choose Paste from the menu. Otherwise, you can download following the
    instructions here: http://www.bleepingcomputer.com/files/shellxp.php


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go to:
    http://www.richardthelionhearted.co...es.html#control, and download
    control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been
    changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security
    settings like so... Go to Internet Options > Security > Internet, press
    'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options (Download signed and
    unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
    controls not marked as safe' to 'disable'.




    download FindT

    http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip



    - Extract the files to a folder in C:\ of your choice.
    - open the "FindT" folder and run the runthis.bat file
    - a text file will open; post the results


    Download rkfiles

    http://skads.org/special/rkfiles.zip

    and unzip the contents to a new folder on your desktop.


    * Unzip RKfiles.zip to the desktop
    * Double-click RKFiles.bat to run it.
    o It may take a while.
    * When it is finished a window should appear with a log.
    * Please copy the contents of the log and paste them here
    o Note: the log will be saved at c:\log.txt



    post another hijack this log, the rkfiles and Find T logs
     
  3. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    also run ewido in safe mode before fixing with hijack this, so some of those files might be missing when you come to fix them with hijack this!
     
  4. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Thanks Khazars.

    Followed all your steps in order. Some notes I made along the way:

    1. Killbox did not find any files.
    2. CW Shredder found no infected files.
    3. Shell.dll was present.
    4. control.exe was present.

    The FindT report was empty - here is the content of the text file it generated:



    It did generate a huge amount of info in the DOS box it opened, but I couldn't copy any of that stuff - didn't know how to cut and paste it.

    This is the rkfiles log:



    And finally the Hijack This log:




    Thanks again,
    Neil.
     
  5. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Is your computer running any better?


    As you Paste each entry into Killbox, place a tick by any of these Selections available

    "Delete on Reboot"
    "Unregister .dll before Deleting"

    Click the Red Circle with the White X in the Middle to Delete!


    D:\WINNT\RMAgentOutput.dll


    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner

    you will need to input a name
    and email address but anyone will do & then accept an active X control IT IS
    SAFE to do so LET IT FIX WHATEVER IT FINDS

    reboot again post a fresh HJT log




    post another log and the kaspersky
     
  6. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Hi Khazars,

    Yes - it is running much better, thank you!

    However, before I got your reply, Ewido came up with two instances of:

    Trojan.DNSchanger.u

    both located in WINNT\system32\ as yaemu.exe and hgqhp.exe

    and Norton found:

    Downloader.Trojan

    I did the killbox thing on the dll file as you instructed, then ran an online scan with Kaspersky, which only found infections in my Norton Antivirus quarantine and Norton-deleted email:

    Trojan_Spy.HTML.Bankfraud.hs
    Trojan_spy.HTML.usbankfraud.p

    So I won't bother you with this logfile. Here is the HJack This file:




    I have a query about these two files:

    ntje32.exe
    crqw32.exe

    They appear in the HJT log, even though you had me delete them. I have tried to do a google search on them, but can't find any info on whether they are legit files or not.

    Regards,
    Neil.
     
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php


    Copy the contents of the below Quote Box to Notepad. Then click File and then
    Save As. Change the Save as Type to All Files. Name the file fixit.reg and
    then click save. (make sure you save it somewhere you can find it. Saving it
    to your Desktop may make that easy.) Then double-click on the fixit.reg file
    on your desktop (or locate it with Windows Explorer and double click on it if
    not saved to the Desktop) and when it prompts to Add in to the registry, say
    yes




    After the merged successfully prompt, please reboot your computer.


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.


    O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
    O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13



    Double-click on Killbox.exe to run it. Now put a tick by Delete on
    Reboot. In the "Full Path of File to Delete" box, copy and paste each
    of the following lines one at a time then click on the button that has
    the red circle with the X in the middle after you enter each file.
    It will ask for confirmation to delete the file on next reboot. Click
    Yes. It will then ask if you want to reboot now. Click No. Continue
    with that same procedure until you have copied and pasted all of
    these in the "Paste Full Path of File to Delete" box. Then click yes
    to reboot after you entered the last one.


    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.


    D:\WINNT\ntje32.exe
    D:\WINNT\system32\crqw32.exe
    D:\WINNT\system32\hgqhp.exe
    D:\WINNT\system32\yaemu.exe
    D:\WINNT\RMAgentOutput.dll



    reboot back to safe mode and download and run these progs!



    download FindT

    http://bilder.informationsarchiv.ne...Tools/FindT.zip



    - Extract the files to a folder in C:\ of your choice.
    - open the "FindT" folder and run the runthis.bat file
    - a text file will open; post the results


    Right click on

    http://www.silentrunners.org/Silent Runners.vbs

    and choose Save As...Save it to your Desktop. Make sure you have disabled any programs
    that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double
    click on 'Silent Runners' to run it. This will take a few minutes. It will
    create a file called 'Startup Programs' followed by your computer name and
    current date. Open up that file and post all the contents here in your next
    post..ph...=post&id=134981 and save it to your Desktop.




    Download rkfiles

    http://skads.org/special/rkfiles.zip

    and unzip the contents to a new folder on your desktop.


    * Unzip RKfiles.zip to the desktop
    * Double-click RKFiles.bat to run it.
    o It may take a while.
    * When it is finished a window should appear with a log.
    * Please copy the contents of the log and paste them here
    o Note: the log will be saved at c:\log.txt




    post the rkfiles log, the silent runners and the find T logs, post another hijack this with it!
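An added example, not code from the thread or from HijackThis: it parses the O4 (Run key) and O17 (TCP/IP NameServer) lines khazars lists above and sorts them for review. The O17 value holds two servers, and the poster later found that deleting the whole entry cut off his internet access; the helper below keeps any server on an allow-list and removes only the unknown one. The allow-list (195.95.218.5 taken as the ISP's resolver) is an assumption for the example.

```python
import ipaddress
import re

# HijackThis lines as posted in the thread: the O4 and O17 entries marked for
# fixing, plus three legitimate O4 entries for contrast.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe',
    r'O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe',
    r'O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe',
    r'O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe',
    r'O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13',
]

# Assumption for the example: the ISP's own resolver. In practice take it from
# the ISP's documentation or from a known-clean machine on the same connection.
TRUSTED_DNS = {"195.95.218.5"}

O4_RE = re.compile(r'^O4 - (\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O17_RE = re.compile(r'^O17 - (\S+): NameServer = (.*)$')


def image_path(cmd):
    """Strip arguments from an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines, trusted_dns):
    review_o4, keep_dns, unknown_dns = [], [], []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            name, exe = m.group(2), basename(image_path(m.group(3)))
            # Weak heuristic, for manual review only: installers name the Run
            # value after the product, while the rogue entries in this thread
            # are named after the bare executable.
            if name.lower() == exe:
                review_o4.append(exe)
            continue
        m = O17_RE.match(line)
        if m:
            for server in (s.strip() for s in m.group(2).split(",")):
                try:
                    ipaddress.ip_address(server)
                except ValueError:
                    unknown_dns.append(server)  # not even an IP: treat as unknown
                    continue
                (keep_dns if server in trusted_dns else unknown_dns).append(server)
    return {
        "review_o4": review_o4,
        "keep_dns": keep_dns,
        "unknown_dns": unknown_dns,
        # Value to write back: trusted servers only, so name resolution keeps
        # working once the unknown server is gone. Empty means clear the value
        # and fall back to the DHCP-assigned servers.
        "nameserver_fix": ",".join(keep_dns),
    }
```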
     
  8. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Hello Khazars - that was quick! Thank you.

    Are you sure about removing the 017 entry?

    I did try that once before, and I could not access the internet at all, so I had to reinstall the entry.

    Regards,
    Neil.
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    I'm pretty sure that it's a rogue entry linked to the infection you have? If I'm wrong and you remove it, you can go into hijack this' backups and restore that entry!
     
  10. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Ok, will do. I have just tried to merge the registry script with the registry. I got an error message something like

    "cannot merge.......not a registry script....you can only import registry scripts."

    I did not copy the "REGEDIT4" bit though - will that make a difference? Everything else I did exactly like you said.

    Regards,
    Neil.
     
  11. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    yes you have to copy the regedit4 bit with the rest!


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=-
    "System"=""
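An added example, not from the thread: a small parser for the fix script above that mirrors why the first merge failed. Regedit only accepts a file whose first line is a known header (REGEDIT4 here), which is exactly the line that was left out; with the header present the script reads as two operations on the Winlogon key, delete the System value and recreate it empty.

```python
import re

# Constructed copy of the fix script posted in the thread, header included.
REG_SCRIPT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
'''
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')


def is_registry_script(text):
    """Regedit's first check: the header line must be present."""
    lines = text.splitlines()
    return bool(lines) and lines[0].strip() in HEADERS


def parse_reg_script(text):
    """Return (op, key, value_name, data) tuples in file order."""
    if not is_registry_script(text):
        raise ValueError("not a registry script: missing header line")
    ops, key = [], None
    for raw in text.splitlines()[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):            # [-HKEY_...] deletes the key
                ops.append(("delete_key", inner[1:], None, None))
                key = None
            else:
                key = inner
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("malformed line: " + line)
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(3)
        if data == "-":                           # "Name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set_string", key, name, data[1:-1]))
        else:                                     # dword:, hex:, etc.
            ops.append(("set_raw", key, name, data))
    return ops
```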
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    also, repeat everything again as you need to do the reg fix first or we will not be able to find the bad files!
     
  13. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Thanks Khazars - it worked that time (stupid me!) and I did everything in order as stated.

    I did have to restore the 017 key, as I could not connect to the internet without it.




    RKfiles log:


    FindT next:

    NB: Just like last time, it only produced a couple of lines of text. The lines following the announcement in caps were copied and pasted from the DOS window and added to the text file:



    HiJack This follows:





    Finally, I ran out of space (exceeded posting length on this message) so I will post the Silent Runners file directly after posting this lot.


    Once again, thanks for your time and efforts!
    Regards,

    Neil.
     
  14. Neil Miller

    Neil Miller Thread Starter

    Joined:
    Sep 3, 2005
    Messages:
    23
    Here is the Silent runners file missing from the last posting:

    Regards,
    Neil.
     
  15. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    aha, turn off Ad-Aware's Ad-Watch feature as it can interfere with the fixes!



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.



    O4 - HKLM\..\Run: [FLMK08KB] D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
    O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!




    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner

    you will need to input a name
    and email address but anyone will do & then accept an active X control IT IS
    SAFE to do so LET IT FIX WHATEVER IT FINDS

    reboot again post a fresh HJT log


    post another log, the kaspersky and active scan logs. Can you just post the log instead of putting it in quote boxes as it makes it difficult to read!
     
Short URL to this thread: https://techguy.org/395998