Hi Crunchie,
First let me start out by saying Thank You very much for your help.
I followed your instructions for HJT and below is my log.
Just to give you a little history of my past 3 days. I have been reading different forums and tried some of the other suggestions. Hopefully in any of my previous attempts to get rid of this I have not made some devastating changes that we can not fix.
Again Thank You for your help.
Logfile of HijackThis v1.99.1
Scan saved at 10:06:02 AM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Now, let's open a command prompt by going to the start menu and then select 'Run'.
In the box that pops up type in 'cmd'. The command prompt will open.
OR
You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /usysrq32.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting your PC, post back a new log and let me know how everything goes.
-
crunchie.
megab10
Apr 26th, 2005 11:14 pm
Re: VX2 virus infection
I am encountering problems posting so let's see if this one takes.
I followed all your instructions. The only thing I have not completed is the trendmicro scan. The free scan would not run. Downloaded free 30 day trial however when i went to install it wanted to uninstall my norton av. will wait to hear from you on that.
found all the files i could and deleted them.
below is a new HJT log. This one is from today.
Logfile of HijackThis v1.99.1
Scan saved at 9:07:43 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Download CWShredder 2.14 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.
===============
Download, unzip to your desktop About:Buster and run it, then:
1. Click "Update".
2. Click "Check For Update"
(If no new version is available, skip to step #4.)
3. Click "Download Update", and wait for it to be installed.
4. Click "Start".
(Wait for the initial ADS scan to complete.)
5. Click "Yes", to shutdown any IE session currently open.
(Wait for the about:blank scan to complete.)
6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.
9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
12. "Reboot"..
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Now, let's open a command prompt by going to the start menu and then select 'Run'.
In the box that pops up type in 'cmd'. The command prompt will open.
OR
You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /unthm32.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting your PC, post back a new log and let me know how everything goes.
-
crunchie.
megab10
Apr 28th, 2005 10:46 pm
Re: VX2 virus infection
Hi Crunchie,
I follow all of your lastest steps. Here are the results.
Panda scan found 81 infected files and disinfected 32
CWShredder 2.14 results CWS not found
Downloaded and ran about:buster here is the log:
Scanned at: 8:59:12 PM on: 4/28/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
Ran HJT
c:\windows\crkh32.exe not found
c:\windows\system32\mfcii32.exe found and killed process
went to command prompt followed instructions and received the following:
(dllunregisterserver in nthm32.dll succeeded)
Ran HJT, clicked all listed except HKLM..\RunOnce:[crk32.exe]..... Not Found
clicked fix checked
on the 4 files that you said to locate and delete, could not find 1 & 4 and deleted 2 & 3
rebooted - almost had a heartattack here, upon reboot received a message
"could not restart missing file "system32\drivers\isapnp.sys" then told me I could use setup cd to repair.
I turned the computer off/on again and it booted back up.
Below is the new HJT log (but I don't think you are going to like it) I was looking at the list and think I see a whole new list of problems. I am really hoping you tell me I am fine and just seeing things.
I also have the Home Search Assistent, Search Extender & Shopping Wizard in my programs files which I have been told are also a problem. Could these be fighting what we are trying to do?
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:28:56 PM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Does not usually take this much to fix these days :(.
Go to http://www.majorgeeks.com/download4286.html and download then run HSremove following the instructions from the download page.
As you will still be in safe mode, run about:buster again too. Run hijackthis and fix the RO and R1 entries. They will be the obvious ones :).
IE: res://C:\WINDOWS\system32\immjk.dll/sp.html#94115
Also delete the 02 line which will be similar to this;
O2 - BHO: (no name) - {3F318FAB-0CFF-ADBF-F53E-EE626352F75C} - C:\WINDOWS\system32\iegk32.dll
