Need help with spyware and popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zaroj, Dec 21, 2004.

  1. zaroj

    zaroj Guest

    I am having trouble trying to remove spyware from my PC. I am running Windows 2000. I am getting various popups. I have tried using Ad Aware SE, Spybot, About:Buster, CCleaner, HSRemove and others. They find and remove the files, but when I reboot they come back.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal ?

    If the answer is yes and you still have a problem, follow the guidelines below for HijackThis log posting.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. zaroj

    zaroj Guest

    I went through the instructions in READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    and I am still getting popups. Also, I am getting an application error: WINLOGON.exe Application error. When I click on OK or Cancel on this box my PC goes to a blue screen (Fatal System Error) and then shuts down. Sometimes I get a svchost.exe error or RUNDLL error message as well.

    I have attached my HJT log.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot of problems! We will have to save one set (the one with O1 - Hosts hijacks) for later, after we fix a bunch of other issues.

    You have to remember that browsers MUST be shut down anytime you use HJT. You had the following running:
    C:\Program Files\Internet Explorer\iexplore.exe

    Do you know what this is: D:\ORANT\BIN\OLITERM.EXE

    Edit: Okay looks like OLITERM.EXE is part of Oracle. Right?
     
    Last edited: Dec 22, 2004
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download LSP-Fix to your other computer and then get it on to your broken one.
    Download it here: http://www.majorgeeks.com/download4180.html
    Unzip it and run it. Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    kwuvik.exe
    ??rvices.exe
    C:\WINNT\Profiles\Administrator\Application Data\upum.exe
    C:\WINNT\system32\WpdBbw.exe
    C:\WINNT\system32\FaqupP4.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [F9.tmp] C:\WINNT\Profiles\ADMINI~1\LOCALS~1\Temp\F9.tmp.exe 0 10001
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [27Y#7@Q2ATNJEW] C:\WINNT\system32\Pvbl73i.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [F9.tmp.exe] C:\WINNT\Profiles\ADMINI~1\LOCALS~1\Temp\F9.tmp.exe 0 10001
    O4 - HKCU\..\Run: [Afxehv] C:\WINNT\system32\??rvices.exe
    O4 - HKCU\..\Run: [Zou2RkjEO] dspint35.exe
    O4 - HKCU\..\Run: [Dlbt] C:\WINNT\Profiles\Administrator\Application Data\upum.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O13 - WWW. Prefix: http://
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\kwuvik.exe
    C:\WINNT\system32\Pvbl73i.exe
    C:\PROGRA~1\VBouncer <---- the whole directory
    C:\Program Files\CSBB <---- the whole directory
    C:\Program Files\AutoUpdate <---- the whole directory
    C:\WINNT\Profiles\Administrator\Application Data\upum.exe
    C:\WINNT\Profiles\Administrator\Local Settings\Temp\F9.tmp.exe
    C:\WINNT\system32\WpdBbw.exe
    C:\WINNT\system32\FaqupP4.exe
    C:\WINNT\system32\dspint35.exe
    C:\Program Files\PartyPoker <-- the whole directory

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
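As an added example that is not part of this thread, the following Python script applies the kind of reasoning behind the HJT fix list above to log lines: hosts redirections (O1), auto-start entries launched from Temp or profile data folders or with random-looking names (O4), Trusted Zone additions (O15), ActiveX downloads (O16) and services pointing at missing files (O23). The sample lines are constructed from the ones quoted in the post plus two benign entries added as controls; the heuristics are mine, not HijackThis's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
# The "EZFirewall" and "Example Service" lines are made-up benign controls.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [F9.tmp] C:\WINNT\Profiles\ADMINI~1\LOCALS~1\Temp\F9.tmp.exe 0 10001
O4 - HKLM\..\Run: [27Y#7@Q2ATNJEW] C:\WINNT\system32\Pvbl73i.exe
O4 - HKCU\..\Run: [Dlbt] C:\WINNT\Profiles\Administrator\Application Data\upum.exe
O4 - HKLM\..\Run: [EZFirewall] "C:\Program Files\EZ Firewall\ezfw.exe"
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
O23 - Service: Example Service (constructed) - Unknown - C:\WINNT\system32\example.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


# Folders a legitimate auto-start program rarely lives in (heuristic, not a rule).
SUSPECT_PATH_FRAGMENTS = ("\\temp\\", "\\locals~1\\", "\\application data\\")
ODD_CHARS = re.compile(r"[^A-Za-z0-9 ._\-]")          # e.g. the '#' and '@' in 27Y#7@Q2ATNJEW
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)")


def looks_random(name: str) -> bool:
    """Heuristic: a Run value name or file name that does not read like a word,
    either because it contains non-identifier characters or because it mixes
    letters with two or more digits (Pvbl73i, dspint35). Expect some false positives."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if ODD_CHARS.search(stem):
        return True
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 5 and digits >= 2 and any(c.isalpha() for c in stem)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that deserves a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O1":
            m = O1_RE.match(line)
            if m:
                findings.append(Finding("O1", f"hosts file redirects {m['host']} to {m['ip']}", line))
        elif section == "O4":
            m = O4_RE.match(line)
            if not m:
                continue
            cmd = m["cmd"].strip().strip('"')
            exe = cmd.split("\\")[-1].split(" ")[0]     # basename of the launched program
            reasons = []
            if any(frag in cmd.lower() for frag in SUSPECT_PATH_FRAGMENTS):
                reasons.append("auto-start from a temp or profile data folder")
            if exe.count(".") >= 2:
                reasons.append("double file extension")
            if looks_random(m["name"]):
                reasons.append("random-looking Run value name")
            if looks_random(exe):
                reasons.append("random-looking executable name")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
        elif section == "O15":
            findings.append(Finding("O15", "host or IP range added to the IE Trusted zone", line))
        elif section == "O16":
            findings.append(Finding("O16", "ActiveX download (DPF) entry; verify the source", line))
        elif section == "O23" and "(file missing)" in line:
            findings.append(Finding("O23", "service points at a missing file (orphaned loader)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```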
     
  6. zaroj

    zaroj Guest

    See attached HJT log. I notice that I forgot to fix O13 - WWW. Prefix: http://.
    I only deleted the PartyPoker folder. I tried to delete kwuvik.exe from the system32 folder but was denied; it said it was in use. The other files/folders I did not find.

    When I shutdown from safe mode I got a Microsoft Visual C++ Runtime Library message about winlogon.exe terminating in unusual manner, then got blue screen that said system was shutting down.

    So far the PC seems to be working in normal mode. What else do I need to do?

    Thanks for your help. This is great.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you remember to kill the processes before fixing with HJT? Did you follow the steps exactly as written? The kwuvik.exe should have been deleted. Now your system has mutated and new names for files are there.

    I don't understand why you could not find all those other files and folders. Check again!
     
    Last edited: Dec 23, 2004
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINNT\system32\kwuvik.exe
    C:\WINNT\system32\Jwc2dLPf.exe
    C:\WINNT\system32\IshV4.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [27Y#7@Q2ATNJEW] C:\WINNT\system32\Mobr9V45.exe
    O13 - WWW. Prefix: http://

    Make sure you click Fix. Then exit HJT. Note the O1 - Hosts problem will come back. That's a known problem we have to work on after fixing the current problems.


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\kwuvik.exe
    C:\WINNT\system32\Jwc2dLPf.exe
    C:\WINNT\system32\IshV4.exe

    If you have a problem deleting any of these, run Task Manager again and shut down the process if found to be running. Let me know if there is a problem doing this delete.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  9. zaroj

    zaroj Guest

    Okay, I have been viewing hidden files. I found Jwc2dLPr.exe and IshV4.exe in Task Manager twice and deleted both instances. I did not find kwuvik.exe in Task Manager. I ran HJT and deleted everything you said to delete. After booting in safe mode I tried to delete c:\WINNT\system32\kwuvik.exe but got an Access Denied, sharing violation message. I did not find Jwc2dLPf.exe or lshV4.exe; they were not listed there. Attached is the latest log.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm very surprised that all those O1 - Hosts: 69.20.16.183 lines went away so easily.
    This is the first time just fixing them with HJT has worked. I wonder if they are still gone.

    Please download the following tool: Pocket KillBox : http://www.downloads.subratam.org/KillBox.zip

    Unzip Killbox to a place you can find it. Close all open programs, windows and browsers and run Killbox. Copy and paste the below filename into the box for Full Path of File to Delete:

    C:\WINNT\system32\kwuvik.exe

    Select the options Delete on reboot and End explorer shell before deleting.
    Now press the Delete button (red circle with the white X) and then Yes or OK until your machine reboots.

    After your machine reboots, post a new HJT log.
     
  11. zaroj

    zaroj Guest

    I ran Killbox and attached is latest log.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That process (C:\WINNT\system32\kwuvik.exe) is still running. I'm not sure how it is loading.

    Make sure you have the following setup properly.

    - Right click Start and select Explore.
    - Select the Tools menu and click Folder Options.
    - Select the View Tab.
    - Under the Files and Folders heading
    - Make sure you put a check on Display the contents of system folders
    - Under the Hidden files and folders heading put a check on Show hidden files and folders.
    - Uncheck the Hide extensions for known file types option.
    - Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    Now use Windows Explorer and go to C:\WINNT\system32
    Tell me if you can see the file kwuvik.exe
    If so, right click on it and get Properties, Version info.
    How big is the file? What is the date of creation?

    Please download and unzip ProcessExplorer to your PC: ProcessExplorer for Win NT/2K/XP
    Put it in a directory named c:\SysInternals

    From now on run it instead of TaskManager. It is better at showing processes and it is better at killing them. Has some other great features too. Configure it like this:

    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".

    Now click on File and then Save As, and save the process list. Now upload that process list here as an attachment.
     
  13. zaroj

    zaroj Guest

    here is the process list you requested.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the settings I asked you to check? You need to provide me feedback on things like this and answer my questions too.

    Did any of your settings need to be changed to match what I wanted?

    What about answers to:

    I also see at least two firewalls running. One from ZoneLabs (ZoneAlarm) and one from CA (eTrust EZ Firewall). You must not use more than one software firewall. You must pick one and uninstall the other.
     
  15. zaroj

    zaroj Guest

    Sorry, I forgot to tell you, I did not see file kwuvik.exe listed in windows explorer, although I see it in the HJT file.

    The only setting I had to change was to Uncheck the Hide protected operating system files (recommended) option. I did not see a setting for Display the contents of system folders.

    The only firewall I installed was EZ Firewall. I got it through my cable modem provider. I am thinking the zonelabs stuff got installed from a scan I did to check my computer from some site. I don't see anything in add/remove programs to uninstall for zonelabs. Do I just delete vsmon.exe?

    Thanks.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The Display contents of system folders does not apply to Win 2000!

    I did some additional searching around. I think that eTrust EZ Firewall must use some of ZoneLabs' software. I'm pretty sure that is why the process is there. Just leave vsmon.exe be.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1) go here and download Registrar Lite and install it: http://www.majorgeeks.com/download469.html
    2) Run it, click on the magnifier glass to do a search and then enter the following string to look for kwuvik (yes without the .exe) and hit Enter

    Copy back here all the matches you get.

    Then download this Generic Detection Tool (for VX2 problems).

    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.
     
  18. zaroj

    zaroj Guest

    See attached doc for the Registrar Lite result and txt file for the find.bat results.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the text below in the quote box into Notepad and save it to a file called history.reg where you can find it (the Desktop is an easy place). Now double click on the history.reg file and say yes when prompted about merging into the registry.

    After doing this run Registrar Lite again and do the same search. Let me know if you find anything else.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINNT\System32\mv82l9lo1.dll

    (Make sure you cut & paste in the filenames. If you try typing, you will get an error on the c: )

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 1-4 above for these files:

    C:\WINNT\System32\m2lslc371f.dll
    C:\WINNT\System32\mvlql9351.dll
    C:\WINNT\System32\n8r20i9oe8.dll
    C:\WINNT\System32\p28qlcl51fq.dll
    C:\WINNT\System32\p0n8la5u1d.dll
    C:\WINNT\System32\Jwc2dLPf.exe
    C:\WINNT\System32\IshV4.exe
    C:\WINNT\System32\Mobr9V45.exe
    C:\WINNT\System32\GntQDB55.exe
    C:\WINNT\System32\l4p20e7oeh.dll
    C:\WINNT\System32\gcmf32.dll
    C:\WINNT\System32\Qyaj.exe
    C:\WINNT\System32\Onq3e.exe
    C:\WINNT\System32\Jygj0V.exe
    C:\WINNT\System32\DcnNRaMV.exe
    C:\WINNT\System32\Han442nJ.exe
    C:\WINNT\System32\Upwt.exe
    C:\WINNT\System32\Wprx.exe
    C:\WINNT\System32\Pvbl73i.exe
    C:\WINNT\System32\RazhIQ.exe
    C:\WINNT\System32\Ejg4g9Ss.exe


    Now still in Killbox Copy and Paste C:\WINNT\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue underneath the filename box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output2.txt to upload it).

    Also use Windows Explorer and please Navigate to C:\windows\SYSTEM32 and look for a file named guard.tmp. Tell me if it is still gone.

    Do not reboot your PC after this or the problem can spread and mutate. You can remain offline and disconnect your connection to the internet while waiting to come back.
     
  21. zaroj

    zaroj Guest

    I updated the registry as you stated below. Ran the search and nothing came up.

    I ran KillBox as you indicated, deleting all those files. After reboot I ran find.bat and attached output2.txt. When running it though I got an error message as copied in the attached doc1.doc.

    I don't have folder SYSTEM32 in c:\windows, it is in C:\WINNT. I did not find the file there.

    I noticed in C:\windows there is a folder named bundles and in it are a lot of exe files. See the snapshots of the folder in the attached doc2.doc. Are these spyware or adware?
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  23. zaroj

    zaroj Guest

    I still do not see guard.tmp in system32 folder. Attached are files requested.
     


  24. zaroj

    zaroj Guest

    other attachments.
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we're almost done!


    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs

    Back up this key by clicking File, Export and then enter a file name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right click on the above registry key (the SharedDLLs one; make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    That should be it for the VX2 infection you had. But now we need to get back to the below file we were having a problem deleting:

    C:\WINNT\system32\kwuvik.exe

    I'm still not sure what is allowing this to hide from us and how it is starting up.
     
  26. zaroj

    zaroj Guest

    I deleted the shareddll registry key.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the contents of the quote box below into Notepad and then save it to your Desktop as Ms4Hd-fix.reg. Then double click on the Ms4Hd-fix.reg desktop icon and say yes to confirm the merge into your registry. Immediately after that reboot your PC and then post a new HJT log.
     
  28. zaroj

    zaroj Guest

    see new hjt log attached
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That process is still running. Let's check one more thing. In message #23 where you posted output4.txt, there were two places where a questionable file was mentioned and the name changed during the capture of the log:

    First the file was called:

    Directory of C:\WINNT\System32
    12/08/2004 09:35a 389,120 ??rvices.exe

    Then later at the end of the log, it was called:

    C:\WINNT\SYSTEM32\
    rvices~1.exe Wed Dec 8 2004 9:35:36a ..SHR 389,120 380.00 K

    Both are really referring to the same file but the name must be corrupted. Please go to c:\winnt\system32 and see if you can locate the above file. Use the file date and time and size to recognize it. Then look at the name. It may be similar to one of the above. See if you can delete this file (if not in normal boot, try a safe mode boot). Be careful, there is a valid file in the system32 folder named services.exe. It is around 90k bytes though. Do not delete the valid services.exe file.
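As an added example that is not part of this thread, the following Python check captures the reasoning in the post above: a file whose name only renders as "??rvices.exe" in a non-Unicode console is a look-alike of services.exe, and the genuine binary is told apart by name, size and attributes. The directory listing, the size band for services.exe (built around the "around 90k" figure given above) and the hidden+system attribute heuristic are all assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class DirEntry:
    name: str   # file name as stored on disk (may contain non-ASCII characters)
    size: int   # size in bytes
    attrs: str  # DOS attribute letters, e.g. "SHR" = System, Hidden, Read-only


# Genuine Windows 2000 binaries an impostor is likely to mimic. The size band for
# services.exe is an assumption for this example (the thread says "around 90k");
# None means no size check is attempted.
KNOWN_BINARIES = {
    "services.exe": (60_000, 120_000),
    "winlogon.exe": None,
    "svchost.exe": None,
}

# Constructed listing modelled on the thread's findit output. The impostor's first
# two letters are Cyrillic look-alikes, so a console shows it as "??rvices.exe".
SAMPLE_LISTING = [
    DirEntry("\u0455\u0435rvices.exe", 389_120, "SHR"),
    DirEntry("services.exe", 90_112, "A"),     # genuine (size assumed)
    DirEntry("service.exe", 90_112, "A"),      # one letter short of the real name
    DirEntry("svchost.exe", 9_000, "A"),
    DirEntry("kwuvik.exe", 12_288, "SH"),      # attributes constructed for the example
]


def console_name(name: str) -> str:
    """Render a name the way a non-Unicode console or tool log would: every
    character outside printable ASCII becomes '?'."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in name)


def wildcard_match(shown: str, target: str) -> bool:
    """True if `shown` equals `target` except at the '?' positions."""
    return len(shown) == len(target) and all(a == "?" or a == b for a, b in zip(shown, target))


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage(entries: list[DirEntry]) -> list[tuple[str, str]]:
    """Return (name, reason) pairs for entries that impersonate or mis-size a known binary,
    or that are unknown executables carrying hidden+system attributes."""
    findings = []
    for e in entries:
        shown = console_name(e.name).lower()
        for target, band in KNOWN_BINARIES.items():
            if shown == target:
                if band and not (band[0] <= e.size <= band[1]):
                    findings.append((e.name, f"{target} has unexpected size {e.size} bytes"))
                break
            if "?" in shown and wildcard_match(shown, target):
                findings.append((e.name, f"non-ASCII look-alike of {target} ({e.size} bytes, attrs {e.attrs})"))
                break
            if edit_distance_le1(shown, target):
                findings.append((e.name, f"near-miss of {target} (renamed original or decoy?)"))
                break
        else:
            if "H" in e.attrs and "S" in e.attrs and shown.endswith(".exe"):
                findings.append((e.name, "hidden+system attributes on an unknown executable"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LISTING):
        print(f"{console_name(name):16} {reason}")
```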
     
  30. zaroj

    zaroj Guest

    I deleted a file called services.exe. It was 380 kb in size. There is another file called SERVICE.exe there as well that is 88 kb that I did not delete.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm pretty sure that the file for Windows should be called services.exe, not service.exe. The 380kb file was definitely not a valid file and was showing up in logs with the question marks. Are you saying Windows Explorer showed it as services.exe?

    Post a current HJT log.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I just booted up a Win2K SP4 system, and I was right: the 88kb file should be named services.exe, not service.exe.

    Perhaps that malware file renamed it so it could take over.
     
  33. zaroj

    zaroj Guest

    Yes the file is SERVICES.exe.
    Attached is the current hjt log.

    Will the file I deleted come back when I reboot?
     


  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you deleted services.exe, how do you still have services.exe?

    What name did the one you deleted actually have?

    Post another findit.bat log after reboot and we will see if it came back.
     
  35. zaroj

    zaroj Guest

    See output5.txt attached.

    I don't remember now. I think it was named services.exe in lower case letters. It was 380 kb in size. I purged the recycle bin so I can't check the name.
     


  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that bad ??rvices.exe file is gone. Now the other one (C:\WINNT\system32\kwuvik.exe) I assume is still there. Download this other version of findit.

    http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

    Extract it to a folder and run find.bat. Post the log.
     
  37. zaroj

    zaroj Guest

    See output from finditnt2000.
     


  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information in the below quote box to Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Double click it and grant it permission to merge in the registry entries.
    Quote:

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-

    We have some more files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

    C:\WINNT\system32\aepioa.dll
    C:\WINNT\system32\pculyp.dll
    C:\WINNT\system32\qhulzq.exe
    C:\WINNT\system32\vpuwav.dat



    and C:\WINNT\system32\kwuvik.exe

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\system32\kwuvik.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\system32\aepioa.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\system32\kwuvik.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After reboot post another log from this new find.bat program and also post a new HJT log. Please note any error messages that you see during reboot and copy down the exact full message if you do get any. This could occur due to us removing this malware as it attempts to reload itself.
     
  39. zaroj

    zaroj Guest

    output2.txt from findit2000 and hjt log posted.

    I got two errors on reboot:
    1. 16 Bit MS-Dos Subsystem
    c:\WINNT\system32\qhulzq.exe
    NTVDM CPU has encountered an illegal instruction
    cs: 0000 IP:019f 8e b0 00 f0 Choose 'Close' to terminate the application

    2. DDE Server:nhgkun.exe - Bad Image
    the application or DLL c:\WINNT\system32\aepioa.dll is not a valid
    windows image
    Please check this against your installation diskette
     


  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    nhgkun.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\kwuvik.exe
    O4 - Global Startup: nhgkun.exe

    After clicking Fix, exit HJT.

    We have a couple more files that we need to delete using Killbox.

    C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\nhgkun.exe

    and C:\WINNT\system32\kwuvik.exe still shows in your HJT log.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for each of the two files. Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\nhgkun.exe
    and the second time paste in C:\WINNT\system32\kwuvik.exe

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for each

    Now we need to fix that registry key again!

    Copy and paste the information in the below quote box to Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Double click it and grant it permission to merge in the registry entries.

    After reboot open Windows Explorer and look to see that the below two files have really been deleted:

    C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\nhgkun.exe
    C:\WINNT\system32\kwuvik.exe

    Now post another log from this new find.bat program and also post a new HJT log. Please note any error messages that you see during reboot and copy down the exact full message if you do get any. This could occur due to us removing this malware as it attempts to reload itself.
     
  41. zaroj

    zaroj Guest

    C:\WINNT\system32\kwuvik.exe still exists after reboot.

    C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\nhgkun.exe was not there.

    After reboot I got one of the errors I posted last time:

    16 Bit MS-Dos Subsystem (window)
    c:\WINNT\system32\qhulzq.exe
    NTVDM CPU has encountered an illegal instruction
    cs: 0000 IP:019f 8e b0 00 f0 Choose 'Close' to terminate the application

    Attached are the findit2000 log and HJT log.
     


  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use Windows Explorer to go to C:\WINNT\system32 and look for the file kwuvik.exe
    If found, right click on it and select delete.

    If that works, reboot and tell me if you get any more error messages and what they are.

    If you cannot delete it, use Killbox and paste in C:\WINNT\system32\kwuvik.exe but select Standard File Kill and then click the Delete button.
    If that works, then do the reboot and tell me what happens (error messages?).
     
  43. zaroj

    zaroj Guest

    I deleted kwuvik.exe from C:\WINNT\system32 and rebooted. No error messages on reboot and the file is not in system32 folder now.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good! Let's see a hopefully final HJT log.
    How are things working?
     
  45. zaroj

    zaroj Guest

    HJT log posted. So far everything is working good.
     


  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  47. zaroj

    zaroj Guest

    Thank you for your help with this. I really appreciate it.

    Thanks again.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I'm happy I could help.
     
