
Thread: BraveSentry removed? - problems remain

  1. #21
    Join Date
    Jul 2007
    Posts
    39
    You betcha! Internet cable removed.

    I completed the AV Anti Rootkit scan - normal start up - it took 9 hours. I only did the 'search for rootkits' rather than 'in-depth scan'. Results showed nothing found.

    Shall I go ahead with the 'in-depth scan'? would safe mode be ok or shall I stick to normal & just let it work through the night?

    Startup list attached.
    Attached Files

  2. #22
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok PK, Since the Rootkit program didn't find anything, and that doesn't mean "something" isn't on the machine, I think we are going to have to go at much of this manually at first and see if we can't get much of this off here then hopefully you will be able to then use the LSPFix, get online and then you will be able to use some automated tools to go after anything remaining...

    I am going to recommend something that I never do until I am certain a system is clean, but in the case of this computer I am going to ask that you go ahead and turn off system restore now, "just in case". There are obviously a lot of nasty items here and frankly I don't believe you have any risk of losing more than you already have by stopping system restore at this point because I doubt there are any good restore points to be had. So go ahead and turn it off now and leave it off until further notice.

    You are probably going to want to print all this info out for reference since there are many files and steps involved here;

    Be certain you have Enabled the Viewing of Hidden Files and Folders

    All of these following steps should be taken in SAFE MODE until I tell you to try a normal boot.

    I would like you to first, in SAFE MODE see if you can find and rename the following files by going to the following folders and then Right Click on each offending file and choose RENAME;

    I want to caution you to rename ONLY the items noted in RED
    NOT the entire folder

    C:\Documents and Settings\All Users\Documents\Settings\bot.dll
    Rename bot.dll to bot.VIR

    C:\WINDOWS\system32\ud.dll
    Rename ud.dll to ud.VIR

    C:\WINDOWS\gendel32.exe
    Rename gendel32.exe to grendel.VIR

    C:\WINDOWS\SYSTEM32\max1d1164v.exe

    Rename max1d1164v.exe to max1d1164v.VIR

    C:\WINDOWS\SYSTEM32\drivers\asc3550u.sys
    Rename asc3550u.sys to asc3550u.VIR

    If the system will not allow you to rename a specific file just please make a note of it and go on.

    Reboot again in SAFE MODE
    Check those files again and see if the renaming "stuck". If it didn't, don't worry about it; just continue.


    I also want to caution you to remove ONLY the items noted in RED
    NOT the entire folder they may be residing in.

    Now you will need to look for some running processes using Ctrl-Alt-Delete and if you find these processes running, END them;

    1. Press Ctrl+Alt+Delete once.
    2. Click Task Manager.
    3. Click the Processes tab.
    4. Double-click the Image Name column header to alphabetically sort the processes.
    5. Scroll through the list and look for;

    Winssk32.exe.
    max1d1164v.exe
    gendel32.exe


    6. If you find any of these running, click it, and then click End Process.
    7. Exit the Task Manager.

    Since you mentioned disabled items in msconfig you should try to be sure the programs are not still on the machine.

    Go to Add/Remove.
    Now don't be discouraged if you don't find any or some of these, they may already be removed. We just need to be sure.
    Look for the following and remove them;

    BraveSentry
    SpyFerret
    WhenUSaveNow
    NewDotNet
    New.Net Domains
    Save!,
    SaveNow
    WhenUShop
    EZthems_WhenUSaveNow_Installer


    Next go to C:\Program Files\
    and look for the following folders and if you find them, delete them;
    BraveSentry
    SpyFerret
    WhenUSaveNow
    NewDotNet
    New.Net Domains
    Save!,
    SaveNow
    WhenUShop


    Now go to
    C:\Documents and Settings\All Users\Documents\Settings\
    and remove
    bot.dll OR bot.VIR...whichever one is showing. If both show remove both


    Next go to
    C:\
    Look for and delete the following;
    6 65545_65536_7936.rtp
    aapwab0.edb
    aawdib0.edb
    adwcb0.edb
    auax.exe


    C:\WINDOWS\
    Look for the following and delete if possible;
    gendel32.exe OR grendel.VIR (If both are showing delete both)
    network diagnostic
    IP8500
    StartHtmico
    iNetPal
    Internet Logs
    VirtualEar


    Next go to
    C:\WINDOWS\SYSTEM32\DRIVERS\
    Look for and delete if possible;
    asc3550u.sys OR asc3550u.VIR (If both are showing then delete both)

    Next go to
    C:\WINDOWS\SYSTEM32\
    Look for the following and delete if possible;

    a perfect pooh summer.scr
    graphicsmill20.oca
    cnmvs6l.dll
    insts32k.dll
    ippcpuid.dll
    xfxbinimg.dll
    ud.dll OR ud.VIR (If both are showing delete both)

    dllh8jkd1q1.exe
    dllh8jkd1q2.exe
    dllh8jkd1q5.exe
    dllh8jkd1q6.exe
    dllh8jkd1q7.exe
    max1d1164v.exe OR
    max1d1164v.VIR
    (If both are showing delete both)
    smicmd16.exe
    vedxg4am1et2.exe
    vedxg6ame4.exe
    vedxga1me4t1.exe
    vedxga3me2.exe
    vedxga4m1et4.exe
    vedxga4me1.exe
    Internet Logs


    Next go to;
    C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\
    Look for and remove if possible;
    IconCDDCBBF13.exe
    IconCDDCBBF11.exe
    IconCDDCBBF15.exe

    If there are any or all of the above noted files that you cannot find, don't worry about it, just please make a note of it and go to the next one. When you post back here post the list of any you could not find.

    Next, while still in Safe Mode, if possible I would like you to run a Full System Scan with the Norton Anti-virus program and tell it to fix anything found.
    If you are unable to do this, just note that and go on to the next steps.

    Once you have completed all the above I would like you to try to reboot the computer into Normal Mode and run a new scan with HJT and place a checkmark next to the following entries if they still remain;

    If you still cannot run HJT in normal mode then do the following in Safe Mode.

    O4 - HKLM\..\Run: [SSK Service] C:\Documents and Settings\Administrator\Desktop\your_details\details.pif

    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm

    O17 - HKLM\System\CCS\Services\Tcpip\..\{26FB5087-36E1-4C61-8781-35A69C01309A}: NameServer = 192.168.1.254

    O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll

    O21 - SSODL: SxQHpRUcMid - {2C4A6A44-86E0-C0EE-91B7-B3C85FBB37F4} - C:\WINDOWS\system32\ud.dll

    Once you have placed the checkmarks then click the FIX button and exit HJT.

    Reboot the system in normal mode if possible, if not use safe mode, and run a new HJT scan and save the log.
    Also run a new AnalyzerXP scan using the same instructions that ~TL gave you before.
    Post back here with all info regarding manual removal of files, the new HJT log and the new AnalyzerXP log and we will see where things stand.
    I know this has been a very long and trying process, but you have done extremely well thus far. Hopefully things will begin to look better and we can get you back online with this computer and complete any more required steps more quickly. I am keeping my fingers crossed!
    Judy
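As an added example (not code from this thread or either poster), a read-only PowerShell inventory of the items the post above asks about: which listed files are still present under their original or renamed .VIR names, and which of the named processes are running, so the "could not find" list can be reported back accurately. It assumes an elevated PowerShell prompt on the affected machine and that the paths are exactly as written in the post; it deletes nothing.

```powershell
# Added example for this thread, not code from any poster. Assumes an elevated PowerShell
# prompt on the affected machine; paths and names are copied from the post above. Read-only.
$Renames = @{   # original path -> the renamed form the post asks for
    'C:\Documents and Settings\All Users\Documents\Settings\bot.dll' = 'bot.VIR'
    'C:\WINDOWS\system32\ud.dll'                                      = 'ud.VIR'
    'C:\WINDOWS\gendel32.exe'                                         = 'grendel.VIR'
    'C:\WINDOWS\SYSTEM32\max1d1164v.exe'                              = 'max1d1164v.VIR'
    'C:\WINDOWS\SYSTEM32\drivers\asc3550u.sys'                        = 'asc3550u.VIR'
}
$DeleteOnly = @(   # a few of the delete-only items from the post; the same check applies
    'C:\auax.exe',
    'C:\WINDOWS\SYSTEM32\insts32k.dll',
    'C:\WINDOWS\SYSTEM32\dllh8jkd1q1.exe',
    'C:\WINDOWS\SYSTEM32\smicmd16.exe'
)
$ProcNames = @('Winssk32', 'max1d1164v', 'gendel32')   # Get-Process names carry no .exe

function Get-CleanupStatus {
    param([hashtable]$Renamed, [string[]]$Delete, [string[]]$Procs)
    $files = @(foreach ($orig in $Renamed.Keys) {
        $vir = Join-Path (Split-Path -Parent $orig) $Renamed[$orig]
        [pscustomobject]@{
            Path       = $orig
            Original   = Test-Path -LiteralPath $orig   # still under its real name
            RenamedVIR = Test-Path -LiteralPath $vir    # the rename "stuck"
        }
    })
    $files += @(foreach ($p in $Delete) {
        [pscustomobject]@{ Path = $p; Original = (Test-Path -LiteralPath $p); RenamedVIR = $false }
    })
    # Processes from the post's Task Manager step; -contains matches case-insensitively
    $running = Get-Process | Where-Object { $Procs -contains $_.ProcessName } |
               Select-Object Id, ProcessName, Path
    [pscustomobject]@{ Files = $files; Running = @($running) }
}

$status = Get-CleanupStatus -Renamed $Renames -Delete $DeleteOnly -Procs $ProcNames
# "Could not find" = neither name present; Original = True means the file still needs attention
$status.Files | Format-Table -AutoSize
$status.Running | Format-Table -AutoSize
```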

  3. #23
    Join Date
    Jul 2007
    Posts
    39
    Judy:

    Going thru your last post - followed all the instructions & was able to complete those in normal mode that you suggested.

    Was able to rename, remove all the files & folders listed except:

    C:\Documents and Settings\All Users\Documents\Settings\bot.dll
    Rename bot.dll to bot.VIR
    On this one I didn't have Documents folder it is Shared Documents & was not able to ever rename or remove (in later instructions) this file. The message said it was 'being used by another person or program....'.

    C:\WINDOWS\system32\ud.dll
    Rename ud.dll to ud.VIR
    Same thing on this file as above 'being used by another person or program....'.

    There is a second Admin user setup - this was setup by the outfit that built the pc for me 4-5 years ago. It is no longer needed as I've relocated to another state since then. Do you think this might be why I can't do the above? Should I remove it & try again on these files?

    The renaming of files 'stuck' - no problem there.

    On the running processes I didn't find any of the ones listed.

    The Add/Remove Programs - none were showing. Same with the next step in Program Files.

    C:\WINDOWS\SYSTEM32\Internet Logs - I wasn't able to delete this folder - There wasn't one there.

    Wasn't able to run Norton Full System Scan from Safe Mode.

    Ran HJT in normal mode - fixed the files listed. Reboot & new scan - log attached.

    AnalyzerXP ran in normal mode - log attached.

    Whew! Judy, I am so grateful that you have the knowledge & expertise and are willing to share it and spend the time to help me &, I'm sure, many others. You keep your fingers crossed .....I have everything else crossed!

    pk
    Attached Files

  4. #24
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    C:\Documents and Settings\All Users\Documents\Settings\bot.dll
    C:\WINDOWS\system32\ud.dll
    There is a second Admin user setup - this was setup by the outfit that built the pc for me 4-5 years ago. It is no longer needed as I've relocated to another state since then. Do you think this might be why I can't do the above? Should I remove it & try again on these files?
    Why not try that and see if you can remove them.
    Judy

  5. #25
    Join Date
    Jul 2007
    Posts
    39
    I went to user accounts & all it shows is Admin & Guest Account (turned off). I thought this would be where I'd go to delete the second Admin but I don't see it there.

    When I look at C:\Documents and Settings there are 2 Admin folders, one is Administrator and the other is Administrator.PRAIRIEWIND PC.

    Suggestions on how to remove the second admin user?

    pk

  6. #26
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Can you log onto that 2nd account? If so then do that and try to locate and remove the files.

  7. #27
    Join Date
    Jul 2007
    Posts
    39
    No, can't log in. I've left a message for the fella that did this setup to call me. Will let you know when I'm able to remove it and the files.

    pk

  8. #28
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Let's try using Pocket Killbox to remove the files and see if that works.
    You again are going to have to download it and then take it to the infected computer and install it.

    Killbox – one by one delete on reboot

    Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each


    C:\Documents and Settings\All Users\Documents\Settings\bot.dll

    C:\WINDOWS\system32\ud.dll

    C:\WINDOWS\system32\dllh8jkd1q8.exe

    For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
    If your computer does not restart automatically, please restart it manually.



    Once you have done that then check to see if they are gone....Fingers Crossed
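An added example (not from the thread or from Killbox's author) for checking the "Delete on Reboot" step above. It assumes Killbox queues each file through Windows' own delayed file-rename mechanism, whose queue is the PendingFileRenameOperations registry value; the script lists which of the three paths are actually queued before the reboot, and which are still on disk afterwards.

```powershell
# Added example, not from the thread. Assumption: Killbox's "Delete on Reboot" queues each
# file through Windows' delayed file-rename mechanism, whose queue is the registry value read
# below (a REG_MULTI_SZ of source/destination pairs; an empty destination means delete).
$Queued = @(   # the three paths from the post above
    'C:\Documents and Settings\All Users\Documents\Settings\bot.dll',
    'C:\WINDOWS\system32\ud.dll',
    'C:\WINDOWS\system32\dllh8jkd1q8.exe'
)

function Get-PendingDeletes {
    param([string[]]$Expected)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @((Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                  -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    $found = @()
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''       # strip the NT-style "\??\" prefix
        if ($ops[$i + 1] -eq '' -and $Expected -contains $src) { $found += $src }
    }
    $found
}

# Before rebooting: which of the three are actually queued for deletion?
$queuedNow = Get-PendingDeletes -Expected $Queued
$Queued | Where-Object { $queuedNow -notcontains $_ } |
    ForEach-Object { "not queued (re-enter it in Killbox): $_" }
# After the reboot: anything still on disk was not removed by the queued delete
$Queued | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "still present: $_" }
```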

  9. #29
    Join Date
    Jul 2007
    Posts
    39
    The fingers crossed is starting to work...both the bot.dll and ud.dll are gone. But not the dllh8jkd1q8.exe file.

    I heard back from the fella on the other admin account. He said it's not really there & wouldn't be causing the problem of deleting files.

    pk

  10. #30
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Go in manually and remove that dllh8jkd1q8.exe file like you did the others last night or this morning and see if that does it.
    You also will probably need to run another rootkit program...Try the rootkit revealer one and see if that goes any faster.
