Bugged by VX2 and Browser page popups - Can't get rid of them

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Frazzled2Day, Feb 1, 2005.

  1. Frazzled2Day

    Frazzled2Day Private E-2

    Hi,

    I am being bugged by web pages coming out of nowhere. I've run AdAware SE and Spybot and they find VX2, redirected hosts "common Hijacker" and a bunch of CoolWWWSearch malware on my Win XP Pro. My antivirus (Norton) shows all's well. I've been reading the posts in this spyware thread and followed all the things to do in Sticky: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. I've run the web based virus tools from TrendMicro and Symantec as well as the McAfee AVERT Stinger and again all's well. I used AdAware and Spybot to try and fix the problem, but it comes back on the next reboot. I notice that my hosts file has a bunch of entries redirecting to 69.20.16.183. This seems to be a nasty one that a few others have had fun eradicating.
    I need help as I've exhausted my virus/spam killing skills.
    Awaiting instructions and guidance.
    Thanks, .. Sonny
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Sonny,

    We've been knocking out a lot of these lately. Please go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been busy with work and other obligations these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. Frazzled2Day

    Frazzled2Day Private E-2

    Hi PhilliePhan,

    I agree it has been busy times. I see that from the forums. I'll close down my browser and the systray programs and run the Hijack program.

    I'll be back with the log shortly.

    Thanks :) for taking the time to get me going again.

    S
     
  4. Frazzled2Day

    Frazzled2Day Private E-2

    Hi,

    I've run HijackThis and have the log, but I can't seem to attach to this post. The first time I clicked on manage attachments a new browser window opened and I was able to Browse and find my attachment. I selected it and when I tried to attach I got a "cannot find server message" DNS error.

    The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

    I close this new window and go back to the thread and do a Manage Attachment again and I get the "Cannot find server" window again.

    This is my first time trying to attach, am I missing something on the process?

    Sorry... I'll await your guidance.

    Thanks, ... Sonny
     
  5. Frazzled2Day

    Frazzled2Day Private E-2

    Well OK -- I tried again and was able to attach the file.

    Apologies for the misfire..

    Have a gander and I await your direction

    Thanks .... Sonny
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Sonny,

    HJT Log not too bad. Here is what you need to do to get started on a fix:

    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix


    FIRST:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Please do the same for aklsp.dll.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.




    NEXT:
    Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!


    ALSO:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach the Find.bat Log along with the L2MeFix Find-Log and we’ll see where you stand. Please TRY NOT TO REBOOT after scanning for these logs! I will try to check back as time permits.

    Best Luck :)
    PP
     
  7. Frazzled2Day

    Frazzled2Day Private E-2

    Thanks for the guidance.

    I've downloaded all the tools and have run l2mfix and find.bat

    I'm sure you'll have more fun things for me to do after you have a chance to view the logs.

    I'm calling it quits for tonight, but I'll leave the machine powered up and I'll check back tomorrow to see what's next

    Thanks again for your help..

    Not so Frazzled now ... Sonny
     


  8. PhilliePhan

    PhilliePhan Guest

    Hi Sonny,

    This should be pretty easy. You don't have the Narrator/Qoologic issues that often accompany this baddie.

    I trust there were no problems running LSP-Fix??

    NEXT STEP:
    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually cough out another log in Notepad. Please attach that log. Also, please attach another HijackThis Log as well.

    I'll try to check back Wednesday as time permits.

    PP :)
     
  9. Frazzled2Day

    Frazzled2Day Private E-2

    Good day PhilliePhan,

    I think things are looking MUCH better :) after running the l2mfix. I haven't seen a new browser window launch. Also I notice that my Recycle bin is back in operation. That sure is some nasty :p

    I've attached the log files for your expert eye.

    I'm off to work, I'll check back to review and when back tonight I will be able to run any more tools you suggest on this machine then.

    Hope we're nearly there.

    I really appreciate your guidance and assistance. :)

    Thanks, .. Sonny
     


  10. PhilliePhan

    PhilliePhan Guest

    Hi Sonny,

    We're almost done :cool:

    Please scan with HijackThis and Check the Boxes for the following:
    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    Please make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Check your Recycle Bin to make sure that no problems remain.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.


    NEXT:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.

    Finally, reboot and attach a fresh HijackThis Log and tell me how things are running. Hopefully, all will be clear!

    PP :)
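
The O1 items above are hosts-file lines that map search hostnames to 69.20.16.183. As an added example (not part of the original posts and not HijackThis's own code), this Python sketch audits hosts-file text for such redirects; the sample text is constructed from the entries in the thread, and `ads.example.invalid` and `broken.example.invalid` are made-up names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a localhost line, the redirect entries listed as O1
# items in the thread, a block-list style line and a malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch   # inline comment
0.0.0.0         ads.example.invalid
not-an-ip       broken.example.invalid
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address
        for name in fields[1:]:                # one line may carry several aliases
            yield line_no, ip, name.lower()


def find_redirects(text):
    """Return {ip: [hostnames]} for names mapped to anything but loopback or 0.0.0.0."""
    redirects = defaultdict(list)
    for _line_no, ip, name in parse_hosts(text):
        # Loopback and 0.0.0.0 entries are the usual localhost / block-list lines.
        if ip.is_loopback or ip.is_unspecified:
            continue
        redirects[str(ip)].append(name)
    return dict(redirects)


def as_o1_lines(redirects):
    """Render findings in the 'O1 - Hosts:' style shown in this thread."""
    return [f"O1 - Hosts: {ip} {name}" for ip, names in redirects.items() for name in names]


if __name__ == "__main__":
    for entry in as_o1_lines(find_redirects(SAMPLE_HOSTS)):
        print(entry)
```

To audit a real machine, pass the contents of the system hosts file to `find_redirects` in place of the sample text.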
     
  11. Frazzled2Day

    Frazzled2Day Private E-2

    Hi PP,

    This is looking much better every time. THANKS for your Guidance and Expertise. I assume from more forum reading and also the fact that you had me run the l2mfix program that I had the Look2Me Virus/Malware. For my education, what pointed you to this as my problem? I assume it was something in the first HijackThis log file. I run NAV regularly with updated signature files and it must have crept in between scans and hid itself.

    Back to cleaning up..

    Done, I've removed the R3 and all the O1 entries for host 69.20.16.183

    My Recycler is working fine - it got fixed after this morning's run of the malware/spyware busting tools, but I checked again tonight and a deleted file goes to the recycler and I can dispose of it from there.

    I ran VX2Finder(126) and had only to do the Restore Policy as the other 2 were greyed out.

    Also restored my hosts file to the original with the HOSTER tool.

    I've attached the HijackThis file for you to review.

    THANKS AGAIN for your Help.

    Sonny..
     


  12. PhilliePhan

    PhilliePhan Guest

    You're welcome :) Glad I could help! Nice to see that you are "LessFrazzled2Day" ;)

    Those O1 entries in HJT confirmed the VX2 variant on your machine.
    HJT looks OK now - You should be good to go!

    Have a look at Chaslang's Suggestions for Keeping Your Computer Safe From Malware

    Happy Computing :)
    PP
     
  13. Frazzled2Day

    Frazzled2Day Private E-2

    :) Thanks again PhilliePhan ;)

    I had browsed Chaslang's post in the last few days and reread it again tonight - It makes a lot of sense and has some really good suggestions.

    I'll definitely be upgrading my defenses after this experience :cool:

    Have a great evening.

    Again I really appreciate your guidance and expertise.

    Thanks, ... Sonny
     
