04-19-2006, 06:29 PM   #10
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,112
OS: WinXP and Vista


Hi disco,

Ok, let's go after all of it now.

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please disable the following program as it may hinder our fixes below:
  • Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
  • Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.
  • Click on the Options menu and choose Settings. In the left pane column click on "Real Time Protection".
  • Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
  • Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
  • Click the Save button and close Microsoft AntiSpyware.
  • Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".

Click Start->Run - type SERVICES.MSC & then click on the OK button
*Locate the service - NetBTD(ntbtd)
*Double-click on it to open the Properties dialog.
*Under the General tab: <--Take note and write down the *Service name given. It is case sensitive; note which one it is using, either ntbtd or NetBTD, as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Still within services.msc:
*Locate the service - Windows web messenger
*Double-click on it to open the Properties dialog.
*Under the General tab: <--Take note and write down the *Service name given as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button


Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for Windows web messenger. Do NOT allow a reboot yet.

Still within Delete an NT service, type in the exact *service name as it appeared under the General tab for NetBTD. Click OK and allow the reboot.

---------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* Select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing)


Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Files and Folders if they still exist.

C:\WINDOWS\System32\cnkdsk.exe
C:\WINDOWS\system32\netbtd.exe
C:\WINDOWS\Msnweb.exe
C:\WINDOWS\SYSTEM32\eraseme_63476.exe
C:\WINDOWS\SYSTEM32\i
msngrs.exe <--Do a search via Start>Search>All files and folders and delete if found.

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

---------------------------

Run Ewido again with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop.

---------------------------

Reboot into Normal Mode.

---------------------------

Run another scan at Kaspersky and post the results here along with the Ewido results and a new HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
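Added example, not part of Ried's post and not HijackThis's own code: a small Python parser for the O4/O23 log lines quoted in the fix list above. It pulls out the short service name (the value the post asks the user to note for "Delete an NT service") and records the "(file missing)" and "Unknown owner" conditions a reviewer looks for. It assumes HijackThis's usual O23 layout of display name, parenthesised service name when the two differ, owner, then path.

```python
import re
# Constructed sample: the five HijackThis lines the thread tells the user to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing)
"""

# O4 = registry autostart; O23 = NT service printed as "Display (ServiceName) - Owner - Path".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<service>[^()]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def review_flags(key, path, owner=None, missing=False):
    """Observations a reviewer would note for one entry; these are hints, not a verdict."""
    flags = []
    if missing:
        flags.append("file missing")            # service still registered, binary already gone
    if owner == "Unknown owner":
        flags.append("no owner/company info")
    if "\\" not in path:
        flags.append("no absolute path")        # bare name is resolved via the search path at boot
    if key == "RunServices":
        flags.append("RunServices autostart")
    return flags

def parse_hjt(text):
    """Parse O4/O23 lines into dicts; other HJT sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append({"section": "O4", "location": f"{m['hive']}\\{m['key']}",
                            "name": m["name"], "path": m["cmd"],
                            "flags": review_flags(m["key"], m["cmd"])})
        elif m := O23_RE.match(line):
            entries.append({"section": "O23", "display": m["display"],
                            # Assumed HJT convention: "(ServiceName)" is shown only when it differs
                            # from the display name, so the short name falls back to the display name
                            "service": m["service"] or m["display"],
                            "owner": m["owner"], "path": m["path"],
                            "flags": review_flags(None, m["path"], m["owner"], bool(m["missing"]))})
    return entries

def service_names_to_delete(text):
    """Short service names of O23 entries whose binary is already gone (the post's two services)."""
    return [e["service"] for e in parse_hjt(text) if e["section"] == "O23" and "file missing" in e["flags"]]
```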