big hault in the process to clean up my pc

[chrisdee]

Probably a week or so ago Norton antivirus found a trojan (download.trojan)on my system and had failed to permanently delete it so I figure it must be one that has to be manually fixed. Well 2 days ago as I was trying to sign online (AOL) I received a notification popup that a worm (long name.. something with veritas? which i believe is part of the norton company?) was trying to invade my system and would be blocked, therefore I was not able to sign online. It would only detect and block this worm while dialing up, almost connecting, then disconnecting. So, I temporarily turned off my norton worm detector to allow me to connect so I could see the processes I need to do to fix these problems. I've got the HJT program from a previous issue I had, so I went in to start on the first couple steps. I think this is where I made a mistake!
I turned off system restore in normal mode. I then restarted the computer... in safe mode. I went thru and deleted all my cookies (cept for index) and then was going to go thru and all allow all internal files/folders to be seen when I was to do a follow-up scan.. then did a HJT log.
Went to restart the computer and it starts back EVERY time in safe mode!
I know when I first turned off system restore in normal mode it said that all previous restore points would be erased, etc... but i thought this was just a normal procedure in the process.. ugh HOPE this is not permanent and I didn't really screw up my whole system.
Every time I restart, shut down, and then reboot, it brings up the Black blank screen with small "safe mode" in the corners. I run Windows XP. I have no access to the start menu, desktop, or anything of that matter.. or atleast if theres a way I do not know of it. Any process I do right now in safe mode is by ALT CTRL DEL and starting a new process that way. Please tell me what I might be able to do, thank you

 

[N3051M]

hmm.. so you;ve muddled around with HJT and removed some entries your not supposed to? hmm...

if you still have acces to explorer.exe on task manager, then go uninstall norton including its liveupdate module it leaves behind. have you considered doing a windows repair?

https://www.techspot.com/vb/topic8356.html

 

[chrisdee]

actually I hadn't even got to start "fixing" anything in HJT yet. I turned off system restore in normal mode, rebooted in safe mode, cleaned out cookies for all users, ran HJT made a log, then went to restart in normal mode and it brought me back to safe mode. Its as if I lost all starting points and since I had turned off system restore that would make sense, altho I surely hope there is a way around it.

 

[N3051M]

ah.. that makes a bit of differences.. it would be the virus that may have messed up your system..

usualy if you wnat to clean anything sucessfully is to run it through safe mode.

NAV + AOL combo may prove leathal when a nasty do strike, since if NAV is unsuccessfull tehn the other option would be to scan using an online scaner, which AOL sometimes wont let you connect to teh net.. but i see that you've found a way to do so..

download.trojan wont be the culprit, but it could be one of the thing it downloaded.. my advice is to scan using ewido, trendmicro housecall and panda online (choose one or a few), then download adaware, spybot, update def. and scan. remove all the nasties.

hopefully it was not damaged enough to do a repair or a format..

after all thats done, goto [run>msconfig], goto boot and check that /safemode booting is not checked, also check the command lines is correct..

I have no access to the start menu, desktop, or anything of that matter..

so i guessed you've tried the start button onthe keyboard etc... in task manager, do you see explorer.exe as one of thoes processes active? if not, then try running that through the new tasks thing and see what happens...

post back

 

[chrisdee]

AH you got it! Well we're back to being able to start up in normal mode. I guess during my manual fix attempts I had checked the "safeboot" option in msconfig. I knew as soon as I seen where you said about msconfig it looked familiar. Thanks so much,whew.

I have trojan hunter guard, aluria, spydot S&D I will go run all these, download and run ewido and then come back and post a fresh HJT log. Maybe we can get the virus/trojan issues out of my system

While I was in msconfig I noticed under the "services" and "startup" tabs that there are a lot of programs or startups in each of the list. Is there a general know of ONLY what programs must be kept for the computer to start and run smoothly?
It seems for a while now every time I reboot my computer and then open AOL to sign online I get an IE popup error that says "Web page unavailable while offline" and gives me an option to connect or stay offline. I'm thinking this must be a nasty pop up just trying to open yet i'm not connected to the internet yet. No matter what option I choose the error stays until I connect to AOL, then IE opens up blank page, so I exit it. Just rather annoying

 

[Tedster]

removal:

boot in safe mode
turn off system restore

removal instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
4. Run a full system scan and delete all the files detected as Download.Trojan.
5. Clear Internet Explorer History and files, if needed.

 

[chrisdee]

Ok I did full system scans with Ewido, trojan hunter, and S&D while in safe mode with system restore disabled. I let them remove/fix all potential problems that were found, however I did not ever come across one named download.trojan. There were many with trojan in the name tho. I made a HTJ log (attached).
Now after a restart to normal mode, I opened AOL, tried to connect.. first thing I got was the IE popup "Web page unavailable while offline" with option to connect or stay offline. ARGH
Then as AOL dialed up to connect at like 99% almost to connect it disconnects and Norton Security Alert pops up and says Norton Internet Worm Protection has detected and blocked an intrusion attempt.
Intrusion: Veritas Netbackup Shared Library BO.
Intruder: 172.164.202.154 (1048)
Protocol TCP
Attacked IP 64.12.8.61 (13784)

Followed up by another block by norton
Default Block Bla Trojan Horse
Local address 127.0.0.1 (1042)
Remote address 172.164.202.154 (1042)
Protocol UDP

When I go to IPchicken.com none of these IP's match my IP. I dont know what norton is finding or what it means? After doing all those full system scans and it still shows that I have trojans trying to invade my PC?
Could it have anything to do with the mulitiple scanners that I have running at the same time? Right now I had to turn off my Norton worm protector to make myself able to bypass the 2 blocks listed above.

 

[chrisdee]

Also as in some of the sticky posts made to help remove the nasties, searchweb?, etc thread it says
Reboot in Safe Mode (press F8 a few times when booting or see how here).

XP/ME only: DISable System Restore, see how here.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.

How do I access windows explorer while in Safe Mode? While in safe mode I have no start menu, control panel, desktop or anything. I can only start new process by doing alt control delete to run a process or if theres other ways please let me know

 

[Tedster]

go to the symantec website after you have identified what you got and remove as stated on the site.

I don't have the time to read HJT logs, there are far too many people that need help.

 

[N3051M]

ok.. the offline thing: goto [file] in internet explorer and unchecked it. when that thing is active, you wont be able to open any webpages or let anything connect to the net like MSN etc.. even if your modem is connected to the ISP. thats why you get that popup in IE telling you to connect etc...

type in "explorer" in the new task window (aka Run) (without " "s)
i believe you can also type in control panel the same way, as well as hotshot to different directories eg [C:/documents and settings/user/desktop/folder etc] (without [])

try using the [start+r] combo key and see if it works (it will save you from doing the [ctrl+alt+del>processes>new task] thing all the time)

safe mode (f8) + system restore disabled will garuntee that the nasties will be eliminated properly.... and do find out what the exact name (or what Norton calls it) of the worm thats poping up, then go google.com and search it.. read about it and how to remove it is what tedster's saying to do next, and hopefully if all goes well we can just have a quicker run through the HJT logs to see if theres any rogues and loose ends to tie up..

While I was in msconfig I noticed under the "services" and "startup" tabs that there are a lot of programs or startups in each of the list. Is there a general know of ONLY what programs must be kept for the computer to start and run smoothly?

there is no real answer to this and it varies through every pc (exept for the first day you get it out of the factory if its prebuilt model etc), although windows has its own preselected few that will run the system on minimum (just select diagnostic or selective boot in the main msconfig tab), but some things like your video card and other devices may have its own services it needs to run in order to it work properly.

google has most if not all of the answers, and i think someone should write up a faq on how to find and use google (or any search engines) properly to find stuff.. and also posting it on forums wont hurt as well...

see how it goes.. good luck!

 

[chrisdee]

ok.. the offline thing: goto [file] in internet explorer and unchecked it.

I do not know what file or site is trying to be opened when I get this error. It gives no information of such, just that "webpage is unavailable while offline."

Well, one step of improvement.. I disabled trojan hunter (versus keeping both Norton and trojanhunter running at the same time) and then went to sign on to AOL, and no longer receive the notice from internet worm protection. It must have been conflicting between the two.

I think I'm almost there to having this cleaned up as it seems my computer is already running better (Ewido now scans and finds nothing! Also, now when I boot into safe mode I see things I had never seen before, I do have access to the Start menu, desktop, etc.. complete 180 of what it was before!)

I have attached a final HJT log if you would please look at it and see if you notice any things that should be fixed. I've reviewed it a few times using all the information off of the sticky 'how to' threads and believe to have it looking right.
Only a few points in the HJT log that I have in question, if maybe they strike notice with you.
04.. HKLM Run [juxyh] C:\Windows\juxyh.exe
04.. HKLM Run [WF4U36V] nwpamon.exe
04.. HKLM Run [*runkb] C:\Windows\config\runkb.exe

Would it be safe for me to search for these .exe programs and try to run them to see what they might be?

 

[RealBlackStuff]

This is your 'junk':
O4 - HKLM\..\Run: [*nutmsvc] C:\WINDOWS\Driver Cache\nutmsvc.exe
O4 - HKLM\..\Run: [*asfax] C:\WINDOWS\Help\SBSI\asfax.exe
O4 - HKLM\..\Run: [*runkb] C:\WINDOWS\Config\runkb.exe
O4 - HKLM\..\Run: [wF4U36V] nwpamon.exe
O4 - HKLM\..\Run: [juxyh] C:\WINDOWS\juxyh.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\NuzK63G.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

Boot in safe mode, press Ctrl/Alt/Del and STOP every single one of the above processes.
Then delete those junkies.