tried everything, can't get ride of this trojam

[puter illit]

Hi, I'm reading everyoes notes, but it seems I've done all already. Caught a Virus this morning from a bad web page. Ran avast in boot, first it found 6, than 4, than 2 but into virus chest, deleted it from virus chest, tried to run Microsoft's care one. wasn't preforming as it should so I stopped it. Ran malwarebiytes, found 6, removed them. Avast still keeps popping up with every page I go to saying maliouse URL. OK so now I stop system restore, go to safe mode, run Avast - comes up clean, run malwarebytes, come up clean. Come out of safe mode and try running windows security again, Avast keeps warning of malisious URL. Can't log onto IE, can't get Microsoft update page. Run windows security again, says Troj/dos partial removal?
When I run boot scan first line reads: NTCreateFile- log Error 0xc0000022 (access denied)

Help can't get ride of this thing,

[Pondus]

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI

Essexboy will look at the logs when he arrive here later today...

[NerdrageXZ]

If you deleted the files from the Avast chest, it may have deleted some windows files that the trojan latched onto. From what it sounds like, you have a browser hijacker.

As Pondus said, post an OTS log here.

[puter illit]

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI

Essexboy will look at the logs when he arrive here later today...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6593

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2011 1:50:37 PM
mbam-log-2011-05-22 (13-50-37).txt

Scan type: Quick scan
Objects scanned: 154681
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\mspa32.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbexewukuwupo (Trojan.Hiloti) -> Value: Mbexewukuwupo -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\mspa32.dll (Trojan.Hiloti) -> Delete on reboot.
c:\documents and settings\Lynn\application data\Adobe\plugs\mmc205.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Lynn\application data\Adobe\plugs\mmc243.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[Left123]

Trojan:Win32/Hiloti.  is a trojan horse that may download potentially malicious files from a remote server and report system information back to the server.Please attach the OTS log.

[puter illit]

Trojan:Win32/Hiloti.  is a trojan horse that may download potentially malicious files from a remote server and report system information back to the server.Please attach the OTS log.

Thought I did? What is OTS?

[Pondus]

Thought I did? What is OTS?

It is explained in the guide i posted above if you read it all   

[puter illit]

Thought I did? What is OTS?

It is explained in the guide i posted above if you read it all   

Issue resolved
This is a nasty trojan, embeds itself in the registry and deleting it from the registry is the only way to get rid of it with backup of a rootkit killer. Ran Micro's Malisious software removal tool, only deleted it partially and said I needed to finish the job manually, so not knowing how I called Microsoft (free tech support) She found the sucker and deleted it. Wow,nasty nasty virus.  Thanks guys for all your suggestions.

Didn't want to go to geeks to go, had a bad experiance with them some years back, cost me $450 to install a program and he knew nothing about the program or how to instal it and I had to pay for his time anyway.

[Pondus]

Issue resolved 
This is a nasty trojan, embeds itself in the registry and deleting it from the registry is the only way to get rid of it with backup of a rootkit killer. Ran Micro's Malisious software removal tool, only deleted it partially and said I needed to finish the job manually, so not knowing how I called Microsoft (free tech support) She found the sucker and deleted it. Wow,nasty nasty virus.  Thanks guys for all your suggestions.

That is why you should post the OTS log so Essexboy can see if everything is removed....

[SafeSurf]

Next time you have a problem, let us know and we can help you here...for free.

Please remember that when you get an alert from Avast to put something in the Virus Chest, do NOT delete it...keep it in there where it is safe for several weeks.  You can rescan the file(s) by right-clicking on them after getting virus updates.  You can also upload the file to Avast to have it tested to see if it is a true malware or a false positive by right-clicking.  Sometimes it may be a false positive (FP) and then you may be able to restore the file.  If you delete the file, that file may have been an important file needed to run your machine then you are out of luck.  So keep the file in the Chest...this way we know what the file is, the name of the malware, etc. so we can help you...and it is safe there and may be restored in the future.

I'm glad to hear that things have resolved themselves.  Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience.  Thank you.

[essexboy]

Didn't want to go to geeks to go, had a bad experiance with them some years back, cost me $450 to install a program and he knew nothing about the program or how to instal it and I had to pay for his time anyway

Definitely not the forum that I work at - as all is free 

[puter illit]

Didn't want to go to geeks to go, had a bad experiance with them some years back, cost me $450 to install a program and he knew nothing about the program or how to instal it and I had to pay for his time anyway

Definitely not the forum that I work at - as all is free 

Your right it wasn't the forum, but the Company. I contacted to have a Geek-To-Go come to my home and install a very difficult program, I asked all the right questions, explained the level of difficulty of the program and what I required before committing and they assured me he would be able to do it. When he got here, I had to pay for him to read the instruction some 30 pages, than call the company's tech support team for instructions and end result was he still couldn't get it installed and running. And to add insult to injury charged me from the time he came thru the complex gatehouse, parked the car, a lesially stroll through the parking garage, come up the elevator to my apt and go back an additional 1/2 hour.   

[essexboy]

Try the forums next time - there is always someone who know the problem and how to resolve it

[puter illit]

Try the forums next time - there is always someone who know the problem and how to resolve it

Thanks, understood - point well taken, lol I use malwarbytes, virus wouldn't let me update it. it did find first 6, than 4, than 2 and inbetween false neg's. I'm not as illit as my name probably know more than most my age and even some younger but when it come's to things I'm unfamilar with experiance has taught me better to leave it to those that are. This time I was extreamly frustrated as I couldn't even log into Avast forum without Avast giving me warnings and was concerned the longer I stayed connected the higher the risk the virus would spread and open ports, so I didn't have time to wait for replies. Also it seemed to block all lititamete downloads and I was to nervious to download anything it would allow for fear it wasn't legitamente. I never would have been able to find it in the registry on my own, let alone delete it for fear I would be deleting a critical process. But I thank U and all the Guys on the forum for being there when we newbee's need them. Will update my profile, been wanting to do it anyway.   

[essexboy]

Our pleasure to assist