
Author Topic: I've received many trojan warnings!  (Read 23033 times)


stomper

    Topic Starter


    Rookie
    I've received many trojan warnings!
    « on: November 22, 2007, 06:11:02 AM »
    I'm using Windows XP Service Pack 1. I have a DSL connection. All was fine in my world until last Saturday, Nov. 17. I guess I ventured into far away places ...

    I came on this forum and read the posts, and followed the step-by-step instructions posted by "evilfantasy". Thank you for such easy to follow instructions!

    I am attaching my 3 logs - SuperAntiSpyware, EsetOnline Scanner, and HijackThis.

    Any help I am given will be greatly appreciated!


    [saving disk space - old attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: I've received many trojan warnings!
    « Reply #1 on: November 22, 2007, 07:56:56 AM »
    Welcome to Computer Hope.   8)

    Please download Vundofix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish, sometimes it can take multiple passes

    =====

    The copy of HijackThis is the old Beta version. You will need to delete/uninstall it and use the one from the link here >HijackThis

    Why are you using Service Pack 1?

    Items needed in next post
    vundofix.txt
    New HijackThis log.

    stomper

      Re: I've received many trojan warnings!
      « Reply #2 on: November 22, 2007, 12:09:05 PM »
      Getting hard to get into the forum - I keep getting all these pop-up sites. They seem to pop up faster than I can close them.

      Oh well, here's my 2 new logs VundoFix, and the new HijackThis. Vundo found 2 files, which I removed.

      When I restart the computer I'm getting the following error messages:
      No disk in Drive A - insert disk.
      Error loading C:\windows\system32\nvanpbip.dll - file could not be found.

      Thanks so much for your help.

      [saving disk space - old attachment deleted by admin]

      evilfantasy

      Re: I've received many trojan warnings!
      « Reply #3 on: November 22, 2007, 01:14:11 PM »
      First, go to add/remove programs and uninstall Web Buying.

      Open HijackThis and place a check mark next to:

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
      O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe <--If still there


      Close all windows and click Fix checked

      Un-hide protected system files.
      To enable the viewing of Hidden files follow these steps:
       
         1. Close all programs so that you are at your desktop.
         2. Double-click on the My Computer icon.
         3. Select the Tools menu and click Folder Options.
         4. After the new window appears select the View tab.
         5. Put a checkmark in the checkbox labeled Display the contents of system folders.
         6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
         7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
         8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
         9. Press the Apply button and then the OK button and close My Computer.
       
      Now go to C:\Program Files\Web Buying\v1.8.6\webbuying.exe <--Delete this whole folder

      Also delete C:\vundofix.txt

      Re-hide the protected files.

      Download SDFix.exe and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Please then reboot your computer in Safe Mode by doing the following:
      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, the Advanced Options Menu should appear;
      * Select the first option, to run Windows in Safe Mode, then press Enter.
      * Choose your usual account.
      * Open the extracted SDFix folder and double click RunThis.bat to start the script.
      * Type Y to begin the cleanup process.
      * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      * Press any Key and it will restart the PC.
      * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
      * Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

      Items needed in next post
      Report.txt
      New HijackThis log


      Also, why is the computer running SP1 and not SP2?


      stomper

        Re: I've received many trojan warnings!
        « Reply #4 on: November 22, 2007, 02:48:28 PM »
        Here are the new logs - report.txt and HijackThis.

        As for SP1, I once tried the update to SP2 and it locked my system - or should I say crash. Windows wouldn't start at all - not even in safe mode. I tried to reload windows, and nothing. I eventually had to reformat. I don't want to go there again.

        Since then, I had internet connection problems (nothing to do with XP) so I called BellSouth for help. At the time I had a router. He took me out of bridge mode. I called Linksys for help and they wouldn't help because I had my router a long time. This left me a bit vulnerable and I got a bad virus (similar to what I have now - and still have no router connected). Didn't know about these forums back then, and once again had to reformat. I learned about Avast then, so added it for some protection. At one time I used zonealarm, but forgot to reload it after formatting.

        Don't know if I'm right or wrong about any of this, but I really want to stay away from SP2.


        [saving disk space - old attachment deleted by admin]

        evilfantasy

        Re: I've received many trojan warnings!
        « Reply #5 on: November 22, 2007, 03:01:43 PM »
        The thing is that without SP2 you are severely vulnerable to malware. There have been many many security updates since then. Have you seen the SP2 troubleshooting guide? Your computer stops responding when you restart to complete the installation of Windows XP Service Pack 2

        Or you could try installing it from a CD which is free from Microsoft. Order Windows XP Service Pack 2 on CD

        OK, I am looking at the logs now.....

        evilfantasy

        Re: I've received many trojan warnings!
        « Reply #6 on: November 22, 2007, 03:36:32 PM »
        Open HijackThis and place a check mark next to:
        O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx

        Close all windows except for HijackThis and click Fix checked

        Restart the computer and post a new HijackThis log.

        Let me know how the computer is acting after the reboot.

        stomper

          Re: I've received many trojan warnings!
          « Reply #7 on: November 22, 2007, 04:00:42 PM »
          Here's my latest HijackThis report.

          The popup windows seem to have stopped. I haven't had any new warning from Avast. When I start up, Windows is still looking for a disk in drive A, and also for nvanpbip.dll. Other than that, it seems to be stabilizing.

          Since I don't want to mess with SP2, will Avast and ZoneAlarm protect me enough? Or is there another software you'd recommend.

          Thanks for ALL your help and HAPPY THANKSGIVING!

          [saving disk space - old attachment deleted by admin]

          evilfantasy

          Re: I've received many trojan warnings!
          « Reply #8 on: November 22, 2007, 04:48:36 PM »

          Quote
          Thanks for ALL your help and HAPPY THANKSGIVING!

          Thanks, same in return!!!

          Download Killbox.exe to your desktop. Don't use it yet.

          =====

          Un-hide protected system files.
          To enable the viewing of Hidden files follow these steps:
           
             1. Close all programs so that you are at your desktop.
             2. Double-click on the My Computer icon.
             3. Select the Tools menu and click Folder Options.
             4. After the new window appears select the View tab.
             5. Put a checkmark in the checkbox labeled Display the contents of system folders.
             6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
             7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
             8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
             9. Press the Apply button and then the OK button and close My Computer.

          =====

          You may want to print out or copy and paste the rest of this to notepad and save it to the desktop. You won't be able to see this page in safe mode.

          =====

          Reboot into Safe Mode

          Safe Mode Instructions

          =====

          Open HijackThis (HJT) and select Do a system scan only

          Place a check mark next to:

          O4 - HKLM\..\Run: [B5B8B4B6B8BBBEC0] 1114101214171A.exe
          O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\nvanpbip.dll",b
          O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
          O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


          Close all windows and click Fix checked

          =====

          Double-click on Killbox.exe to run it. Make sure Standard File Kill is selected.
          In the Full Path of File to Delete box, copy and paste the following
          line into the box.
          Quote
          C:\WINDOWS\System32\nvanpbip.dll
          Then click on the button that has the red circle with the
          X in the middle after you enter the file. It will ask for confirmation to
          delete the file. Click Yes.

          Note: It is possible that Killbox will tell you that the file does not
          exist.


          Reboot to normal mode and re-hide the protected files.

          =====

          Post a new HJT log

          Let me know how things are now.
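
The O4 autorun entries ticked in the reply above can be triaged mechanically. This is an added example, not part of the original thread or of HijackThis itself: the sample log is constructed (the third entry is made up for contrast), and the three heuristics are this example's assumptions, not the helper's stated criteria.

```python
import ntpath
import re

# Constructed sample: the first two lines are the entries quoted in the post above;
# the third is a made-up benign-looking entry for contrast.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [B5B8B4B6B8BBBEC0] 1114101214171A.exe
O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\nvanpbip.dll",b
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
'''

# Matches registry Run-key entries only (not the "Startup:" folder variants).
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
HEXISH = re.compile(r'^[0-9A-Fa-f]{8,}$')
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)

def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per O4 Run-key line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := O4_RE.match(line.strip()))]

def program_of(cmd):
    """Return the program token of a command line, honouring a leading quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]

def review(entry):
    """Return triage hints for one entry; an empty list means nothing stood out."""
    reasons = []
    if HEXISH.match(entry["name"]):
        reasons.append("hex-like value name")
    prog = program_of(entry["cmd"])
    if "\\" not in prog and HEXISH.match(prog.rsplit(".", 1)[0]):
        reasons.append("path-less program with hex-like name")
    m = RUNDLL.match(entry["cmd"])
    if m:
        reasons.append("rundll32 loads " + ntpath.basename(m["dll"]))
    return reasons

def flag_entries(log_text):
    """Return (value name, reasons) for every entry with at least one hint."""
    return [(e["name"], r) for e in parse_o4(log_text) if (r := review(e))]

if __name__ == "__main__":
    for name, reasons in flag_entries(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons))
```

Legitimate software also starts through rundll32, so a hit is a prompt to check the DLL's publisher and location, not a verdict.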






          stomper

            Re: I've received many trojan warnings!
            « Reply #9 on: November 22, 2007, 05:21:29 PM »
            Here's the new HijackThis log.

            This time it didn't ask for a disk in drive A, nor did it look for that dll.

            I don't know how you figure all this out, but I'm sure glad you were here!

            [saving disk space - old attachment deleted by admin]

            evilfantasy

            Re: I've received many trojan warnings!
            « Reply #10 on: November 22, 2007, 05:45:35 PM »
            The log is clean.

            OK, now to clean up what we have used.

            You can delete any logs that are left over.

            Also delete:
            VundoFix.exe
            SDFix.exe
            Killbox.exe


            Might as well run CCleaner with the Cleaner and Registry options.

            Toggle System Restore to clear infected restore points

            1. Turn off System Restore
            On the Desktop, right-click My Computer.
            Click Properties.
            Click the System Restore tab.
            Check Turn off System Restore.
            Click Apply, and then click OK.

            2. Restart your computer

            3. Turn ON System Restore
            On the Desktop, right-click My Computer.
            Click Properties.
            Click the System Restore tab.
            UN-Check Turn off System Restore.
            Click Apply, and then click OK.

            To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place? It mentions many free programs so it is worth a look.

            If you need anything else just come back and ask, we will do our best.

            Safe surfing......

            stomper

              Re: I've received many trojan warnings!
              « Reply #11 on: November 22, 2007, 06:52:08 PM »
              They don't have enough "emotions" on here - I need one that's jumping up and down!!!!! ;D

              Thank you!

              evilfantasy

              Re: I've received many trojan warnings!
              « Reply #12 on: November 22, 2007, 07:03:49 PM »
              No problem....

              Quote
              Since I don't want to mess with SP2, will Avast and ZoneAlarm protect me enough? Or is there another software you'd recommend.

              Almost forgot.

              Check out WinPatrol 2007 Free

              The 2007 version is free, so don't click the Plus version which is not free.

              SpywareBlaster Free
              Note: This free version does not auto update so check once a week or so for updates.

              Comodo BOClean : Anti-Malware free


              These all run in the background and use little resources. Great for extra layers of protection.


              stomper

                Re: I've received many trojan warnings!
                « Reply #13 on: November 22, 2007, 07:20:13 PM »
                Oh oh! I was reading the article by Tony Klien. He suggested using Firefox instead of IE. So I downloaded it. Immediately after, I'm getting the virus and trojan alerts again.  :'(

                evilfantasy

                Re: I've received many trojan warnings!
                « Reply #14 on: November 22, 2007, 07:29:30 PM »
                Were they quarantined?

                What are the names?