Removed the dllh8jkd1q8.exe file.
Rootkit Revealer log attached. Also ran the AVG Anti-Rootkit - zipped right thru it this time - nothing found.
pk
Ok....gulp....Let's try the LSPFix and see if we can get this thing back online....
Of course again you will have to download on the other computer and take it to the affected one. Follow the instructions on the download page and pray....
Thank you, Thank YOU, THANK YOU!!!!
Things seem to be working ok - connected to the net, the pc is running as it should (not the slow crawl with the hourglass constantly on).
I'm sitting here smilin' BIG. Can't believe it! Not that I didn't have faith in you, just kept thinking the next post Judy's going to say "nothing to do but reformat the drive".
I have ordered a router with a firewall. Will get that going soon. Do you have recommendations on what I should be using routinely - I'll buy anything & run it to help keep this from happening again!
Ok, now that I'm coming back down to earth.....what next?
Thanks, pk
YaHOOO!
Ok, now, to be absolutely certain that this junk is all gone I would like you to do a few more things.
Run the online Kaspersky Virus Scanner to see if anything remains. It won't remove anything but will produce a log telling us if anything is still there and where it is located. You can find the link for this on PP's Sticky.
You also need to update the AVG Anti-spy program I believe I see in your scan logs and run a full system scan with it, allow it to fix whatever it finds.
Save the log and post it back here along with the Kaspersky log.
Download and run RegCleaner
Double click the program to open.
Choose Tools at the top and then choose Registry Cleanup, Do Them All.
The program will scan your system for old, unneeded registry entries.
It should only take a few minutes.
It will then give you a list of All Unnecessary listings.
Choose Select All.
Then Click Remove Selected in the lower right corner.
These unneeded entries will then be removed.
Once you have done all of the above then run a new scan with HJT. Save the log and post it back here with the others I have requested.
Judy
Judy,
Done all of the appropriate updates & scans.
Logs are attached except the AVG Anti-Spy log. I checked 'automatically save a report' but there isn't one there. It found 9 items. It recommended quarantine for 8 of those and delete on the other. I let it do that & then I deleted the quarantine files. I don't remember what they were - I looked at them but was relying on the report and didn't make note of them. Sorry I messed this one up.
pk
Ok, Kaspersky did note some items...some are likely back-ups of Killbox and SmitfraudFix.
C:\!KillBox\ud.dll
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix
Get rid of both of those programs. If you need them again they can always be downloaded.
Some viruses were also noted in your Outlook Express so you need to go in there and delete all old mail. It really is NOT a good idea to keep emails this long. This one is dated October 26, 2005.
I am going to PM you the location. It does contain an email address and it isn't a good idea to post the address on an open forum. Since the Kaspersky log also contains this address I am going to remove it from the log also and then see if I can re-attach the altered log. I will assume that you also still have the original and I will also keep a copy of the full original until we are certain it is not needed anymore.
Norton Quarantine needs to be emptied.
You also need to go in and empty:
C:\RECYCLER\
Also, if you are running Norton SystemWorks, it also has a Norton Protected Recycle Bin. Make sure you clean that.
I would also like you to run another online scan...this time do the Panda Scan, it will often times offer you the chance to clean, if so then please do so.
You should also follow PP's instructions for using the ATF-Cleaner. Since you seem to be using Firefox be sure to use the ATF-Cleaner on the Firefox option also. If it asks if you wish to keep your Firefox passwords that is fine for you to do.
Do this in safe mode and then run another full system scan in SAFE MODE of the AVG-Anti-spy program. Have it fix everything it finds.
Another question...Do you know what THIS entry is in your HJT logs?
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
It has appeared in all HJT logs you have posted. Info is slim...though some refer to it when speaking of the Canon All-In-One printer. I see that you have a Dell Printer on the computer, do you also have the Canon printer?
It also is noted as a questionable file and that is the reason I am asking.
Just noticed in Kaspersky scan these entries:
H:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\i-hate-keyloggers.zip/i-hate-keyloggers.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
H:\i-hate-keyloggers.zip ZIP: infected - 1 skipped
Assume this is the USB stick you have been using to transfer and scan with...this should be cleaned also.
I am calling in "the cavalry" for the rest of this stuff...
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa
C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa
...as I don't want to remove legitimate files without some backup.
Hang in there for me please. You have done super thus far so be patient ok?
Complete the scans I have asked for and have them fix whatever they can. I will get back with you as soon as I have heard from the others.
Judy
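Added example (not part of the original posts, and not code from any tool named in the thread): a Python script that sorts the Kaspersky log lines quoted above into the groups the post treats differently, namely flagged tools (`not-a-virus:` verdicts), detections inside core files under `system32`, and anything else. The category names and the reading of `/` as the archive-member separator are assumptions made for this example.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (Kaspersky online scanner output).
SAMPLE_LOG = r"""
H:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\i-hate-keyloggers.zip/i-hate-keyloggers.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
H:\i-hate-keyloggers.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa
C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa
"""

# "<path> Infected: <verdict> [action]"; paths may contain spaces.
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)")
# A file sitting directly in <drive>:\WINDOWS\system32
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\/]+$", re.IGNORECASE)


def triage(log_text):
    """Group detections by on-disk file under a handling category."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # blank line or container summary ("ZIP: infected - 1")
        # Assumption: "/" separates an archive from its members in this
        # log format, so the part before it is the file actually on disk.
        on_disk = m["path"].split("/", 1)[0]
        if m["verdict"].startswith("not-a-virus:"):
            category = "riskware"      # flagged tool, e.g. a removal utility
        elif SYSTEM32.match(on_disk):
            category = "system-file"   # core file: do not simply delete
        else:
            category = "malware"
        groups[category].add(on_disk)
    return {cat: sorted(files) for cat, files in groups.items()}


if __name__ == "__main__":
    for category, files in triage(SAMPLE_LOG).items():
        print(category)
        for name in files:
            print("   ", name)
```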
Judy, was working along thru these. Got about 3-4 minutes into the Panda Scan & a System Shutdown box came up with a countdown timer - tried to get as much of it written down as I could. This is what I got:
NT Authority Sym???? windows/system32/sass.exe
The pc locked up. Couldn't do anything. Had to hit reset to restart it & I get through the windows login to the blue screen - then nothing. No desktop. No icons. Just the blank screen. Tried Safe Mode - same thing.
pk