pretty sure I have a trojan - can't get rid of it - need help

Discussion in 'malware problems & news' started by Erik Austin, Mar 30, 2005.

Thread Status:
Not open for further replies.
  1. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
I got a coolwebsearch trojan infection thanks to my brother (idiot). I've gone through blackspear's general virus and trojan removal instructions. None of the programs are detecting anything anymore BUT

    What's left of it (I think) has taken over my ati driver files for the graphics card. The file sizes are way bigger than they should be and tiny firewall stops an ati executable from doing something nasty (after boot) that it never used to do before...

    I'm trying to get rid of it but the computer only works sporadically. Right after boot up windows is frozen. The task bar, start button, icons on the desktop etc. are unusable. I have to do stuff through task manager while it's like that and it's a bit difficult to say the least. When you exit a program, it exits but the image remains on screen. An active window leaves trails all over the place if you move it around.

    After 45 minutes or so (haven't timed it) all the crap just disappears and windows seems to operate normally. Sometimes it will lock up again and I have to resort to task manager to start programs again. Then after another very long time it will pop back to normal again.

    I've previously downloaded new drivers for the ati card but not installed. (lost the original cd)

    I don't really know how to proceed. I've tried to replace the .dll files and .exe's that I have .dl_ and .ex_ files for but some of them keep regenerating.

    If I just try and install the new drivers won't that installation just get infected as well?
    (if that's the problem)
    If I try to uninstall all the ati stuff (what I want to do, then power down to wipe memory) how will I see what I'm doing before installing the new drivers?
     
  2. eye_h8_spyware

    eye_h8_spyware Registered Member

    Joined:
    Mar 8, 2005
    Posts:
    34
  3. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
    just discovered this
    'iexplore.exe' tries to 'SeTakeOwnerShipP'

    I think that's what ati2evxx.exe tries to do as well

    I normally use firefox. I was going to use internet explorer for the online virus scan and windows update.

    The windows screen has died again (before I tried to use iexplore). :(
     
  4. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
    Yes, CWShredder doesn't really do much.
    It stops after displaying Vrape then continues when windows wakes up. Nothing.

    It's part of the cleaning instructions blackspear recommends.

    Way, I got windows back again. This would be funny if it wasn't so damn annoying.
     
  5. eye_h8_spyware

    eye_h8_spyware Registered Member

    Joined:
    Mar 8, 2005
    Posts:
    34
I work at an IT Help Desk, and I seem to battle these cases every day. Unfortunately, I generally end up reformatting these machines, because there is always a trace of CWS left on the machine. It will continue to reinstall its components in the system files and in the registry. Even Hijack This! will not get rid of all components. Good luck!
     
  6. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
Evening all

    The problem with Coolwebsearch is that there are so many variants of it in the wild. CWShredder, while it is still a useful tool, has I feel slipped back since its change of ownership (though I see that there is a new version available, so it may improve). There are a lot of variant-specific CWS removal tools around, but the problem is to identify the variant, and despite its limitations, HJT is still the main analysis tool in use. I would suggest that you may find it useful to post a HJT log in one of the forums where they are analysed and get help there. There are a number of sites that carry out analysis, but for starters try

    www.tomcoyote.com
    www.geekstogo.com
    www.spywarewarrior.com

Remember that HJT will only be as successful as the skill of the analyst advising you, so don't try it yourself, and avoid the auto-analysers like the plague.
    Good luck.

    Jock
     
  7. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
    I have hijackthis1991 now and it helped me identify a few unwanted items in the Downloaded Program Files directory. I deleted them. I will try posting a log soon.
    Meanwhile..
    An online virus scan from
    http://housecall.trendmicro.com/
    revealed ntosv.dll as troj_agent.nl
    so I renamed it ntosv.dl_ and replaced the ntoskernel exe file (it had become quite bloated) with the one off the windows cd.
This has stopped windows from doing its 50-minute freezing cycle thing. The desktop would freeze on startup, then start working after about 50 mins, then after another 50 mins or so it would freeze again, and so on.
    Really weird.
    Most of my system files and ati drivers are still infected with whatever it is. They are way bigger than they should be.
    I still can't believe nothing is detecting it except my firewall when the trojan? tries to do something nasty (usually only once per boot).

At least windows is usable again (kinda).

    Why won't sfc work in safe mode? It would be very handy if it did.
     
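The comparison Erik was doing by eye (system and driver files "way bigger than they should be", checked against the CD's compressed originals) is a baseline-and-compare integrity check. The script below is an added example, not code from the thread or from any tool mentioned in it: it records size and SHA-256 for a known-good directory and reports each file in the suspect directory as ok, modified, missing or unexpected. Size alone is a weak signal, since a same-size patch slips past it, so the verdict is driven by the hash. The directory names, file names other than the two the thread itself mentions (ati2evxx.exe, ntosv.dll), and all file contents are constructed for the demo.

```python
"""Added example, not code from the thread: a baseline-and-compare integrity
check that formalises what Erik was doing by eye when he noticed system and
ATI driver files were "way bigger than they should be". File size is a weak
signal (a same-size patch slips past it); a SHA-256 against a known-good copy
(the CD's originals, in his case) is the check to rely on. Every directory,
file name not taken from the thread, and byte below is constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large driver binaries do not land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(clean_dir):
    """Record (size, sha256) for every regular file in a known-good directory."""
    baseline = {}
    for name in sorted(os.listdir(clean_dir)):
        path = os.path.join(clean_dir, name)
        if os.path.isfile(path):
            baseline[name] = (os.path.getsize(path), sha256_file(path))
    return baseline


def compare(baseline, suspect_dir):
    """Map each file name to a verdict: ok, missing, modified, or unexpected file."""
    findings = {}
    for name, (size, digest) in baseline.items():
        path = os.path.join(suspect_dir, name)
        if not os.path.isfile(path):
            findings[name] = "missing"
            continue
        actual_size = os.path.getsize(path)
        if sha256_file(path) == digest:
            findings[name] = "ok"
        elif actual_size > size:
            findings[name] = "modified (grew by %d bytes)" % (actual_size - size)
        else:
            # Hash differs but the file did not grow: a size check alone never sees this.
            findings[name] = "modified (hash differs, size not larger)"
    for name in sorted(os.listdir(suspect_dir)):
        if name not in baseline and os.path.isfile(os.path.join(suspect_dir, name)):
            findings[name] = "unexpected file"
    return findings


# Constructed stand-ins for the clean copies; contents are arbitrary bytes.
CLEAN_FILES = {
    "ati2evxx.exe": b"clean ati helper " * 50,
    "ntoskrnl.exe": b"clean kernel image " * 80,
    "example.dll": b"clean display dll " * 40,
}


def demo():
    """Build a clean tree and a tampered copy of it, then run the comparison."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "cd_copy")
        suspect = os.path.join(root, "system32")
        os.makedirs(clean)
        os.makedirs(suspect)
        for name, data in CLEAN_FILES.items():
            for folder in (clean, suspect):
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(data)
        # Bloat one binary the way Erik described: append a 4 KiB blob.
        with open(os.path.join(suspect, "ati2evxx.exe"), "ab") as fh:
            fh.write(b"\x90" * 4096)
        # Patch one byte of another so its size stays identical.
        with open(os.path.join(suspect, "ntoskrnl.exe"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        # Drop an extra DLL the baseline never listed (name from the thread's scan result).
        with open(os.path.join(suspect, "ntosv.dll"), "wb") as fh:
            fh.write(b"dropped")
        return compare(build_baseline(clean), suspect)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The baseline should be built from media you trust (an install CD, a vendor download whose hash you verified), never from the machine under suspicion; a baseline taken after infection would simply bless the modified files.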
  8. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
Hi, depending on the version of ATI driver you have, there should be a utility found in Add/Remove Programs to uninstall all ATI software.

    If you haven't already done so, go to Start > Run > type "msconfig" > Enter, then check the startup list for unknown entries; also look in the Services tab and click "hide all MS services". Research the startup programs and services on the web (WinTasks is a very good site). Look for entries that are not supposed to be there.

    As for the regenerating .dll/.exe files, if they are a part of your Windows OS they will automatically be restored.

    The 'Sfc' function has limited abilities. If the registry has been modified manually, it must be restored manually (certain functions such as installation history, date stamps etc.).

    Generally I would strongly recommend against renaming files, registry entries, system files/folders etc. If multiple scanning programs are not detecting anything, then the problem may not be a trojan etc., but the damage it had done before/during removal.

    If you have your Windows CD, you can repair the installation: boot to the CD and follow the prompts.
     
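Sweetie's advice to go through the msconfig startup list and flag entries that "are not supposed to be there" can be partly automated. The script below is an added example, not code from the thread or from msconfig, WinTasks or any other tool it names: it parses a registry export (.reg) of the Run keys that msconfig's Startup tab draws from, pulls the executable path out of each command line, and marks for review any entry whose binary runs from a location installers rarely use (a Temp directory, Downloaded Program Files) or outside Program Files and system32. The export and every entry in it are constructed for the demo; the names are invented, not taken from any real infection.

```python
"""Added example, not from the thread or any tool it names: triage of autostart
entries of the kind Sweetie suggests reviewing in msconfig. Reads a .reg export
of the Run keys and flags commands whose executable lives somewhere an
installer rarely puts one. The export below is constructed; entry names and
paths are invented for the demo."""
import re

# Constructed .reg export: two plausible entries and two worth a second look.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launcher"="\"C:\\Program Files\\ATI Technologies\\example_tray.exe\""
"Firewall"="C:\\Program Files\\Example Firewall\\fwgui.exe -minimized"
"winsys32"="C:\\WINDOWS\\Downloaded Program Files\\winsys32.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msmsgs"="C:\\Documents and Settings\\Erik\\Local Settings\\Temp\\msmsgs.exe"
'''

# Where a legitimately installed autostart binary normally lives (lower-cased).
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")
# Locations installers almost never use for a startup binary (lower-cased).
SUSPECT_MARKERS = ("\\downloaded program files\\", "\\local settings\\temp\\", "\\temp\\")

# "name"="value" line of a .reg file; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Leading executable of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for every string value under a ...\\Run key."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            yield key, unescape(m.group(1)), unescape(m.group(2))


def executable_path(command):
    """Strip quotes and arguments, leaving only the executable's path."""
    m = EXE_RE.match(command.strip())
    return m.group(1).strip('"') if m else command.strip()


def classify(path):
    """Heuristic verdict on where the autostart binary lives."""
    p = path.lower()
    if any(marker in p for marker in SUSPECT_MARKERS):
        return "review: runs from a location installers rarely use"
    if p.startswith(EXPECTED_PREFIXES):
        return "expected location"
    return "review: outside Program Files / system32"


def triage(reg_text):
    """Return one dict per Run-key entry with its resolved path and verdict."""
    rows = []
    for key, name, command in parse_run_entries(reg_text):
        path = executable_path(command)
        rows.append({"key": key, "name": name, "path": path, "verdict": classify(path)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REG):
        print(f'{row["name"]:14s} {row["verdict"]:55s} {row["path"]}')
```

A "review" verdict is a prompt to look the entry up, as Sweetie suggests, not proof of infection; a path-based heuristic misses a dropper that copies itself into system32, which is why it complements rather than replaces the file-level checks and an up-to-date scanner.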
  9. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
    I think you are right Ms Sweetie. Everything _seems_ to be okay now.

    Thanks for the link to the process library. It was very helpful.


    I like your avatar. :)
     
  10. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    My pleasure Erik, I hope it all goes well.
    If you have any further problems don't hesitate to post back.
     
  11. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
    Now it's really screwed...

    Everything was cool so I thought, 'I should update windows to maybe prevent problems in future'. I guess that's the right idea but it had the wrong result.

    The computer doesn't get past the boot screen any more. The lights on the keyboard flash and everything locks up. The little gauge on screen stops moving and there is no hard drive activity, no nuthin'.

    So, I wasn't clean after all. It was just wishful thinking.

    I CAN still boot in safe mode. (using my boss' pc to write this) It's time to execute plan A; backup what I want to keep and reformat the hard drive. I'm not looking forward to that. The damn thing is forcing me to learn and do things I really did not want to deal with. "It'll be a good learning experience", yeah.. I know...

This is a _great_ introduction to the world of PCs for someone who hasn't touched a computer since his Amiga over ten years ago... I'm thinking I should have stayed away.
     
  12. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, sorry to hear that.

You do have a few options:

    Repair the Windows installation:

    XP Repair install

    1. Boot the computer using the XP CD. You may need to change the boot order in the system BIOS so the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and change the boot order.

    2. When you see the "Welcome To Setup" screen, you will see the options below:
    This portion of the Setup program prepares Microsoft
    Windows XP to run on your computer:

    To setup Windows XP now, press ENTER.

    To repair a Windows XP installation using Recovery Console, press R.

    To quit Setup without installing Windows XP, press F3.

    3. Press Enter to start the Windows Setup. (Do not use the Recovery Console.)

    4. Accept the License Agreement and Windows will search for existing Windows installations.

    5. Select the XP installation you want to repair from the list and press R to start the repair.

    6. Setup will copy the necessary files to the hard drive and reboot. Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.


Slave your hard drive to another PC

    1. Shut down your system and remove the power plug from the PSU.

    2. Open the case and remove the power cable and data cable from the hard drive.

    3. Remove the screws from the hard drive and take it out of the case.

    4. Reverse this procedure to install it in a clean system; there should be spare power and IDE/SATA cables already there.

    5. When the clean system loads it will auto-detect the hard drive; the system will not boot from the "slaved" drive, it will just be data.

    6. Using reliable and updated security software, scan the troubled drive and fix any problems. (Note: this will take a bit longer than usual.)

    This method is actually quite easy, though care should be taken when working inside the case of your PC. A few basic tips:

    Place the PC on a clean table in a well lit room.

    You can earth yourself (static electricity) by briefly holding the kitchen tap or by buying an anti static wrist band.

    Keep all screws, cables and small parts in a container etc.

    Try not to touch anything you don't need to.

    If you are concerned about where everything goes take a digital photo before you start.
     
  13. Erik Austin

    Erik Austin Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    25
    got rid of it with a format

    She's all clear now.

    A friend came over on the weekend and we basically did your second option there (didn't see your msg til just now).

    In his computer we copied the files I wanted to keep from my drive to his drive. Then repartitioned and formatted my drive, copied the files I wanted to keep back to the second partition on my drive, then put the drive back in my computer and reinstalled windows.

    That's a lot of stuffing about but whatever was bugging me is gone now and that's the main thing.

    If I experience any more weirdness you'll be sure to hear from me, cheers.

    Hopefully that won't be any time soon. ;)
     