Complete Madness HEEEEELP
stigslim
07-25-2006, 05:56 PM
Right, it's like this. I just got this lovely little trojan called vxgame1.exe /2 /3 /4, you get the picture (not to mention whatever else it brought with it :eek:). Now I ain't no dipstick and the majority of problems I can solve myself, but the problem with this one, or these ones if that's the case, is that they will not allow me to run any spyware software or anti-virus. They just keep restarting me or giving me a critical error. Any help you could offer would be great, cheers :)
rjfvillarosa
07-25-2006, 08:21 PM
Any chance you can slave the drive into another machine and run the scans from the master hard drive? As the OS on the newly installed slave will not be operational, the trojans should not be active.
Do you have a spare hard drive you can put in your machine, install an OS and then install antivirus, again installing the infected hard drive as a slave and running the scans that way?
DynamicTech
07-25-2006, 10:09 PM
Have you tried running your AV/AS programs in safe mode? You may also try turning off system restore, and searching your registry (after backing up your registry, of course), and your hard drive for any links to these files and deleting them (while in safe mode). Good luck. The #$%&*s that write that crap should be held accountable for their actions.
stigslim
07-26-2006, 06:24 AM
Believe it or not, I managed to run them in safe mode with networking and the modem switched off :cool:. The problem now is although I got rid of a lot, I still have some stragglers which I don't seem to be able to shift. Anybody know of a couple of good progs I can use in addition to my AV/AS?
rjfvillarosa
07-26-2006, 08:19 AM
What version of Windows are you using?
What antivirus and malware scanners do you have?
stigslim
07-26-2006, 08:38 AM
Using Win XP Pro, and for spyware and anti-virus Ad-Aware and Norton. Tried to put Spybot Search and Destroy on but it won't run without an update, and I can't even start the PC in normal mode (just crashes). This did the trick on my other PC so I was hoping, but no good. Anything else you think I could try? The only way I can do it is to download it on my other PC and copy it over on disk to install.
rjfvillarosa
07-26-2006, 08:46 AM
What version of Windows and what antivirus and malware scanners have you got on your other computer?
stigslim
07-26-2006, 08:51 AM
Win XP Pro V2002 SP1, Ad-Aware SE and Norton AntiVirus 2002
rjfvillarosa
07-26-2006, 09:03 AM
If I were in your position right now I would download a copy of AVG7 (free version) from here http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5 and a copy of Ewido from here http://www.ewido.net and install them on your other machine. Remove Norton completely from your other machine and run all the scans associated with AVG7 and Ewido; it wouldn't hurt to download and install SpyBot as well: http://www.safer-networking.org/en/download/
Once you are sure your other machine is spotlessly clean, install the hard drive from the infected machine as a slave and rerun the scans on the infected hard drive. All that garbage you have on there are applications that require Windows to be running in order for them to work; if Windows is not running on the infected hard drive the garbage will not initiate and will be able to be removed, as nothing will be protecting it.
stigslim
07-26-2006, 10:10 AM
Right, I see where you're coming from. I will give it a go and see what happens. Be warned, I will come back and let you know how I get on. Cheers
rjfvillarosa
07-26-2006, 11:48 AM
Be warned, I will come back and let you know how I get on. Cheers
I hope so....:)
stigslim
07-26-2006, 01:52 PM
I have made some headway :), my PC will start in normal mode now. I managed to get a copy of the ewido scanner (if that's what it's called) onto my PC, which repaired enough for me to update Spybot, but it's still a bit of a mess. To be honest, when I try to run Spybot it restarts my PC before it's finished (although it did complete a couple of times and got rid of loads of stuff), and the ewido scanner picked up loads and quarantined all but one. But there are still loads of items in the startup which I can disable, but how do you get 'em out of there? They just come right back at ya. And I get this dialog box at startup which tells me about ibm000011.exe not being readable (which I know is a bad thing). So any help on a big cleanup would be good, 'cos to be honest taking my drive out of one and into another is a real ball ache. Thanx (any more tips) :D
rjfvillarosa
07-26-2006, 02:22 PM
Maybe it's time for a HJT scan. Have a good read of this thread, then carry out the prerequisites and post a HJT log back here.
http://forum.pcmech.com/showthread.php?t=103171
stigslim
07-26-2006, 02:31 PM
I am right on it, stay there (please). What really bugs me is that there is so much of this S*** that there can be no way it actually does any good for ANYONE.
rjfvillarosa
07-26-2006, 02:42 PM
Your pain and annoyance is felt by many (careful with the expletives, even if they are starred out a few of the mods take exception to them). Personally, apart from a few little nasties that have been picked up by my scanners, I have never had the problems you are suffering, but I have many customers who do and so I know how hard they can be to get rid of.
stigslim
07-26-2006, 03:03 PM
Hi there, sorry about the bad language. Believe it or not, I do my best to keep on top of this kind of incident, my main problem being that I ain't the only user on this PC (kids). Anyway, here is the HJT log, what do you think?
Logfile of HijackThis v1.99.1
Scan saved at 19:57:22, on 26/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rpcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\windows\system32\removenot.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stu\Desktop\Net Tools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [919d1ab6.exe] C:\Documents and Settings\Stu\Local Settings\Application Data\919d1ab6.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://smartseek.biz/private/chm//x.chm::/open.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.apple.com.edgesuite.net/qtinstall.info.apple.com/lupin/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\2234_27.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Oh, and just to let you know, I wrote this post on the computer that this morning wouldn't even start up properly :)
rjfvillarosa
07-26-2006, 04:09 PM
I am far from an expert at HJT logs, but a few things look definitely suspicious to me.
Do you know how to access the startup tab in MSCONFIG?
If you can, go to startup in msconfig and uncheck the boxes next to these:
These are not required to startup with Windows:
sstray.exe
atiptaxx.exe
EPSON Stylus Photo R300 Series
PCSuiteTrayApplication Nokia
realsched.exe
qttask.exe
This is very suspicious (uncheck all three entries):
removenot.exe
removenot.exe
removenot.exe
Study this one carefully. Anything that has the same program name as the executable name is usually defined as a trojan; definitely find this one in the startup tab and uncheck the box. Do not restart after unchecking the boxes, just run the scans again; we could be looking at HJT to get rid of them if your scanners fail again.
O4 - HKCU\..\Run: [919d1ab6.exe] C:\Documents and Settings\Stu\Local Settings\Application Data\919d1ab6.exe
I also noticed you are still on Service Pack 1. It is very important that you update your copy of Windows to Service Pack 2; you can then get rid of ZoneAlarm and use the inbuilt firewall that comes with Service Pack 2.
stigslim
07-26-2006, 06:15 PM
I ran my anti-virus again and it found nothing, and if I try to run any kind of malware/spyware checker my PC restarts not long after I try (and the restart takes ages). I have turned off nearly all the items in MSConfig startup; most of them stay off, but a couple restart themselves after a restart. Any ideas with HJT?
rjfvillarosa
07-26-2006, 06:35 PM
Re-run HJT and get it to fix these first:
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [919d1ab6.exe] C:\Documents and Settings\Stu\Local Settings\Application Data\919d1ab6.exe
I haven't used this for a while but it used to be very good at removing trojans:
http://www.moosoft.com/
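As an added example (not code posted in this thread, and not part of HijackThis or any of the tools named here), below is a small Python script that applies the triage heuristics from the last two posts to a subset of the HJT lines posted above: the system.ini Shell= override, entries marked "(file missing)", the RunServices key, Run entries whose name matches the executable, random-looking hex names, autostarts living in a user profile directory, a DPF download with a non-HTTP scheme, and a Winlogon Notify DLL outside System32. The rule names, the SAMPLE_LOG subset and the "user-writable" path list are my own assumptions; the "entry name equals executable name" rule from the post is kept deliberately as a weak signal, because plenty of legitimate software does the same, so a line that trips only that rule still needs a human look rather than an automatic fix.

```python
import re
from pathlib import PureWindowsPath

# Constructed subset of the HijackThis log posted earlier in this thread.
# Two clearly benign entries (zlclient.exe, vsmon.exe) are kept as controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\RunServices: [removenot] c:\windows\system32\removenot.exe
O4 - HKCU\..\Run: [919d1ab6.exe] C:\Documents and Settings\Stu\Local Settings\Application Data\919d1ab6.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://smartseek.biz/private/chm//x.chm::/open.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\2234_27.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip().splitlines()

# HJT line shapes this script understands (assumed from the posted log).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\} - (?P<url>\S+)')
O20_RE = re.compile(r'^O20 - Winlogon Notify: \S+ - (?P<path>.+)$')
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}(\.exe)?$', re.IGNORECASE)
# Assumed list of directories an ordinary user can write to on XP.
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\')


def first_exe(cmd):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group(1) or m.group(2)
    return cmd.strip().split(' ', 1)[0]


def triage(lines):
    """Return [(line, [reasons])] for every HJT line that trips a heuristic."""
    findings = []
    for line in lines:
        reasons = []
        if line.startswith('F2 - REG:system.ini: Shell='):
            shell = line.split('Shell=', 1)[1].strip()
            if shell.lower() != 'explorer.exe':
                reasons.append('system.ini Shell= launches something besides explorer.exe')
        if '(file missing)' in line:
            reasons.append('registers a file that no longer exists (leftover registration)')
        m = O4_RE.match(line)
        if m:
            name, key = m['name'], m['key']
            exe = first_exe(m['cmd'])
            exe_stem = PureWindowsPath(exe).stem.lower()
            name_stem = name.lower()[:-4] if name.lower().endswith('.exe') else name.lower()
            if key.lower() == 'runservices':
                reasons.append('RunServices is a legacy Win9x key; modern software rarely uses it')
            if name_stem == exe_stem:
                reasons.append('Run entry name equals the executable name (weak signal)')
            if HEX_NAME_RE.match(name):
                reasons.append('random-looking hexadecimal entry name')
            if any(p in exe.lower() for p in USER_WRITABLE):
                reasons.append('autostart executable lives in a user-writable profile directory')
        m = O16_RE.match(line)
        if m and not m['url'].lower().startswith(('http://', 'https://')):
            reasons.append('ActiveX download (DPF) with a non-HTTP scheme: ' + m['url'].split(':', 1)[0])
        m = O20_RE.match(line)
        if m and '\\windows\\system32\\' not in m['path'].lower():
            reasons.append('Winlogon Notify DLL outside Windows\\System32')
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print('   -', r)
```

Run it as-is to see the eight flagged lines from the sample; pass the lines of a real HJT log (for example `triage(open('hijackthis.log').read().splitlines())`) to triage another machine. The two control entries should come out clean, which is a cheap check that the rules are not simply flagging everything.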
Litespeed
07-26-2006, 07:20 PM
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!
This entry looks really nasty also. I have never seen this and it does not come up on any searches.
1. Are you running your malware and anti-virus programs in safe mode?
- I noticed you keep trying to run these programs in normal mode; a lot more will be cleaned up if you try to run Ad-Aware, SpyBot S&D, and ewido in safe mode.
2. When you do, are you turning off System Restore?
- Some items return after a restart if System Restore is still on.
usnavyretired
07-26-2006, 08:29 PM
I agree on the SP2 update; however, I would keep ZA. Windows Firewall is OK for inbound traffic but does nothing for outbound traffic; it's the very basic of basic firewalls.
It may be "basic" in your eyes, but it IS a stateful packet inspection firewall - even ZA isn't that, it's a simple application-based firewall. Just because it's not constantly in your face doesn't mean it's not doing its job.
stigslim
07-27-2006, 07:27 AM
Hi people, I do have a PC that runs now, although I suspect there are probably a million other things on it that I could probably be rid of (how can I get rid of items in the MSConfig startup tab, 'cos the list has grown way too much?). All but about three are unchecked and I had to re-install Norton, but it's looking good. And I have to give a MASSIVE shout out to rjfvillarosa; what he did for me yesterday was near enough to a ten hour walk-through. But I do value everybody's advice. Where do you search to see if reg entries, files and folders are bogus? Any help is just great. :D
rjfvillarosa
07-27-2006, 08:51 AM
Stig, if you are happy with how we have got on so far and you are prepared to roll up your sleeves and get your hands dirty, there is a lot more I can give you to clean that machine up further and help to keep it clean in the future.
stigslim
07-27-2006, 12:10 PM
Yes matey, I don't mind getting stuck in if you have more tips; the way I see it, the more rubbish you get off, the faster my PC can work. So bring on anything else you have in mind. :)
rjfvillarosa
07-27-2006, 12:24 PM
I notice from your HJT log that you are running Norton AntiVirus; unfortunately Norton doesn't have a particularly good name around here. It is a good antivirus application but a major hog of system resources.
Go here http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5 and download AVG7 free version to your desktop. This is an excellent antivirus program and requires very little in the way of system resources. After you install AVG, completely uninstall Norton and everything that goes with it, all the internet security, the lot.
Have you updated Windows to Service Pack 2 yet? This has a very good firewall built in. Some people criticise the Windows firewall because although it stops everything from coming into your machine it doesn't stop much going out; well, to be honest, that can be changed with a few tweaks, and if your machine is clean and secure why should you be worrying about what's going out? Any personal data on your machine should be encrypted, and if it's clean no trojans or anything should be broadcasting your information.
stigslim
07-27-2006, 12:32 PM
I can see what you're saying about AVG anti-virus; by all accounts on this forum it's better than Norton, BUT can I not run AVG as auto-protect and keep Norton on and only run it as backup, e.g. stop it starting up with Windows until I want to start it? The reason I say this is I have paid for a subscription and figure it would not hurt to use it as backup :confused:. And about SP2, I did try it when it was released, but within a month of putting it on my PC it went belly up and I had to re-install XP. Needless to say I ain't bothered with it since.
Litespeed
07-27-2006, 01:01 PM
I can see what you're saying about AVG anti-virus; by all accounts on this forum it's better than Norton, BUT can I not run AVG as auto-protect and keep Norton on and only run it as backup, e.g. stop it starting up with Windows until I want to start it? The reason I say this is I have paid for a subscription and figure it would not hurt to use it as
Most machines will have conflicts with two anti-virus programs at the same time or on the same computer.
I have had the free version of AVG for about 3 years now and have really been satisfied.
I will give you a quick synopsis of what I do if I run into problems on an XP computer (such as my sister, who continues to amaze me with infections):
1. Update Windows
2. run disk clean up
3. turn off system restore
4. restart computer in safe mode
5. Run updated versions of Ad-Aware, Spybot S&D, CWShredder, Ewido or Trend online scans, and a HijackThis log. I analyze the log and run suspicious entries by Google, then here. I continue to run these until they all come up clean. And I usually have AVG downloaded already on the computer.
6. restart the computer in normal mode
7. turn system restore back on
8. defrag
That usually cleans up most crud. Good luck, and please post if you need more help.
-Matt
You made a mistake paying for a subscription to renew Norton *2002* - that's so old it's almost worthless as an antivirus. Today's malware goes right through it. I'd eat the loss and just get rid of it - there is no sense having a background process running that doesn't do anything for you. It was a good antivirus in its day - it wasn't till 2004 that Norton started going downhill fast - but I ditched my Norton 2003 last year in favor of AVG because it wasn't doing the job very well any more.
jimmyrules712
07-27-2006, 01:49 PM
I read every post in this thread and kept wondering why no one was suggesting upgrading Norton 2002 to something more current (this could be half the reason you got all that junk in the first place)... then I got to the end and glc beat me to it.
Doesn't matter what you paid for it, ditch it; it's not going to do you much good. Get the free version of AVG (which will work A LOT better than Norton 2002). If you want something even better, my favorite is NOD32 (http://www.eset.com/purchase/index.php), if you don't feel secure enough with AVG.
rjfvillarosa
07-27-2006, 03:26 PM
I know it's annoying to ditch something you have paid for but Norton really isn't that good any more.
In respect of SP2, it is important that you install it because of the security issues of running without it; once you have installed it we can address the problems that you are having with it.
I have a small VB script that will get rid of all of the unused entries in the MSCONFIG startup, and we can do that as soon as you feel the machine is running reasonably smoother.
Jimmyrules... from post number 9:
If I were in your position right now I would download a copy of AVG7 (free version) from here http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5 and a copy of Ewido from here http://www.ewido.net and install them on your other machine. Remove Norton completely from your other machine and run all the scans associated with AVG7 and Ewido, it wouldn't hurt to download and install SpyBot as well http://www.safer-networking.org/en/download/
stigslim
07-29-2006, 01:11 PM
Hi, sorry I wasn't about yesterday, BIRTHDAY. Anyway, my machine is running much better now, more like before I had the attack. I have installed AVG with updates and ran it on several occasions, and you're right, it picked up about six suspect files where Norton would have passed them by :). I am going to install SP2 as soon as I have time to read through the gumph. But what's with this VB (is that right?) script that can delete MSConfig startup items? That sounds pretty cool. Can you enlighten me further? :D
rjfvillarosa
07-29-2006, 03:47 PM
The VB script (Visual Basic) is a small piece of code (stand-alone application) that will clear away all the unchecked items in the startup list of msconfig. It will prompt you one at a time to confirm which items to delete, but it only asks you about the unchecked items.
I am a fussy so-and-so and I just don't like things that I don't want or use hanging around, and that goes for the unchecked items in startup as well. ;) Oh, and Happy Birthday.
stigslim
07-29-2006, 05:36 PM
Any chance you can point me in the direction of this little bit of code, as this has been one of my all-time annoyances because they just keep on building up. And thanks, the grand old age of 32. I take it you're from Wales or have some connection; I was born there myself and it's only about 45 mins from where I live.
rjfvillarosa
07-29-2006, 06:55 PM
Go here http://www.kellys-korner-xp.com/xp_tweaks.htm and scroll down to line 148, right-hand column, "clear disabled items from msconfig startup & selective"; left-click and download it. Just click on the VB file and then tell it to selectively delete the entries, and you will then be prompted to confirm each deletion; it only offers to delete the entries that are unchecked.
Wales born and bred, I retired out here to Puerto Rico about five years ago, all I miss is the rugby and rain. ;)