Persistent VX2, no internet, IP reset

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jfxgrizzly, Dec 23, 2004.

  1. jfxgrizzly

    jfxgrizzly Private E-2

    Thanks in advance!

    Hit last week with pop-ups, explorer starting on startup & other times, odd browser behavior. Ran Adaware SE & NAV. No joy. Read other sites before this one -- added spybot & HJT. Probably deleted more than I should have.

    Running Win2K. Using Netgear Firewall Router. I.E. 6. All updated. Installed updated versions of all recommended s/w.

    IP keeps getting reset to 169.254.171.140

    VX2 gets cleaned every Adaware cycle. Desktop refreshes during scan & clean. Explorer starts after approving 'delete on reboot'.

    Spybot cleans DSO Exploit each scan. (DSO patch applied! Still repeating DSO.)

    Explorer always reverts to icon display no matter how many times set in options to always use detailed.

    No internet scans: can't connect to internet.


    Stepping through 'READ ME FIRST...' process. (Been through it before. Repeating in *exact* order. Trying hard to follow precisely! {Bear with me.} Wanted to share odd IP & VX2 behavior.)

    Attached are two HJT files. One from today after scan step #3 (Adaware/Spybot) and one from Tuesday.

    Next: running secondary spyware scans. (Again. No results last time(s)). Will report back after.



    Hope you are having a great holiday season!


    v/r, grizzly.
     


  2. jfxgrizzly

    jfxgrizzly Private E-2

    Completed 'READ ME FIRST ...' procedure.

    Notes from 4. Secondary Spyware Scan:

    CWShredder: scan-HomeSearch Found; fix-generated errors, windows shutdown; scan-none found; fix-none found.

    Kill2Me: none found - explorer restarted.

    about:blank: none found.

    HSRemove: removed 10 items; removed 8 items; removed 8 times; 8;8;8;8
     


  3. jfxgrizzly

    jfxgrizzly Private E-2

    Still hoping for a little help.

    FYI: IP should be set by Netgear router DHCP to local internal IP but it is reset as previously noted. Netgear is using NAT.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Checking logs, will post back shortly!
     
  5. jfxgrizzly

    jfxgrizzly Private E-2

    Repeated 'READ ME FIRST ...' process with similar results. All versions current.
    (Power went out today causing a reboot into normal mode.)
    (Rebooted again in safe mode with networking.)

    No online scans ... internet connection broken.
    (IP address reset to other than Netgear router DHCP default)
    During the AdAware scan a Windows safe mode warning message pops up
    (~Windows is in safe mode ...)
    and explorer window pops up. It pops up again during clean.
    It finds 4 VX2 objects each time.
    Spybot finds nothing but blocks about 2000 objects in immunize mode.
    About:Buster finds nothing but causes explorer to pop up.
    HSRemove removes 10 objects, then 8, then 8 then 8 again on rescan.

    HJT log attached.

    Thanks in advance!

    v/r, grizzly.
     


  6. jfxgrizzly

    jfxgrizzly Private E-2

    BTW, rescans done in safe mode after reboot.
     
  7. PhilliePhan

    PhilliePhan Guest

    Please scan with HJT in Normal Windows - It will tell us a lot more than a scan done in safe mode.

    I am not around this forum too often these days, but I imagine Chaslang or BJGarrick will check back in the evening.

    PP :)
     
  8. jfxgrizzly

    jfxgrizzly Private E-2

    Here is the HJT log from a normal bootup.

    Thanks.

    v/r, grizzly.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before fixing anything with HJT please close all browsers.

    Run HJT and have it fix these entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ureach.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.ureach.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ureach.com


    After this is complete, go into your internet properties, default all your security settings and reset web settings.

    Other than these entries your log looks fine. Are you currently experiencing problems? If so let me know whats going on. Thanks!

    NOTE: If your IP looks like this, 169.254.171.140, then you're not getting internet. There could be several reasons causing this. Let me know if the problem still exists.
     
  10. jfxgrizzly

    jfxgrizzly Private E-2

    Browsers closed. HJT fixed listed entries.
    Internet properties security settings and web settings reset to default.
    IP Address still reset to 169.254.171.140
    Hosts file is clean --- only header rows.

    According to Process Explorer:
    Two 'svchost.exe' services are running.
    'ptssvc.exe' service is running.
    'rundll32.exe' service is running.

    Here are some other issues of note:
    Firefox startup error message: "Start Mozilla.org could not be found."
    (No internet connection -- other sites could not be found -- google/nytimes)
    Norton AV Auto-Protect could not be set.

    Thanks.

    v/r, grizzly.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have Norton AntiVirus or Norton Internet Security installed on the machine with no internet? If so, what version? Also, is it working fine or has it been corrupted and does it say "error"?

    Those processes are legitimate.
     
  12. jfxgrizzly

    jfxgrizzly Private E-2

    Norton Anti-Virus v9.05.15 is installed. It seems to scan files fine. It hasn't found anything lately. (updates have to be made manually.) (Norton Internet Security is *not* installed.) The 'Auto-Protect' feature used to run fine.

    Thanks for the info on the processes.

    v/r, grizzly.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is this Norton AntiVirus 2002? Does it say "Error" under Status or email scanning?
     
  14. jfxgrizzly

    jfxgrizzly Private E-2

    The System Status bar at the top says "Attention"

    The info at the bottom says "Norton AntiVirus 2003"

    email scanning says, 'off'. I don't use outlook or another email program. (I have a webmail account with ureach.com)
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What is the attention? What does it point to? I need to know if anywhere on the status of Norton it says "Error", because if it does then it's corrupted and could be causing your problem.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If the Norton is NOT corrupted and doesn't say "Error", let's move on..

    You cannot, usually, release a 169.x.x.x IP address or 'get' a new one with the Repair or Renew feature, it doesn't know what connection to repair other than the 169.x.x.x one and so will nearly always return a fresh 169.x.x.x. It could be worth a try all the same though:

    1) Click Start >> Run >> Type cmd >> Click OK.

    2) Type ipconfig /release then press Enter
    Type ipconfig /renew then press Enter

    3) If this doesn't work let me know.
     
  17. jfxgrizzly

    jfxgrizzly Private E-2

    The attention icon at the top matches the AutoScan (which won't start) and email scanning (which is off and not needed.)

    There are no error indicators anywhere.

    Script blocking is on. Full system scan: 12/24/2004. Virus definitions: 12/22/2004. Subscription Service: 12/18/2005. Automatic LiveUpdate : On.

    All green.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, give me a better heads up: you are on a different machine than the one with the 169 ip address, correct? I know most of the time you can't get online if you have the 169 ip address, I'm just making sure before we continue.
     
  19. jfxgrizzly

    jfxgrizzly Private E-2

    Sorry. Yes, I'm on another machine. They are side-by-side. They are both connected to the internet via a Netgear router and a cable modem.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, I wanted to make sure before we started this. Please follow below:

    You cannot, usually, release a 169.x.x.x IP address or 'get' a new one with the Repair or Renew feature, it doesn't know what connection to repair other than the 169.x.x.x one and so will nearly always return a fresh 169.x.x.x. It could be worth a try all the same though:

    1) Click Start >> Run >> Type cmd >> Click OK.

    2) Type ipconfig /release then press Enter
    Type ipconfig /renew then press Enter

    3) If this doesn't work let me know.
     
  21. jfxgrizzly

    jfxgrizzly Private E-2

    Release & renew did not work. Tried before. Tried again. Still no.

    Should I be in safe mode?

    BTW: error message:
    "All adapters bound to DHCP do not have DHCP addresses. The addresses were automatically configured and can not be released."
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, this sounds like a Winsock 2 corruption, follow below:

    PLEASE MAKE A BACKUP BEFORE MODIFYING THE REGISTRY!

    1) Click Start, and then click Run.

    2) In the Open box, type Regedit, and then press ENTER.

    3) Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock

    4) On the Registry menu, click Export Registry File.

    5) In the File name box, type the name of the backup file; for example, type Winsock Registry key, and then click Save. Note the name of the folder in which the registration file is saved.

    6) Repeat steps 3 through 5 for the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

    7) Delete the following keys from the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    NOTE: Steps 3 through 6 backed up the two registry keys. You can use the backup files to restore the keys in the event that your computer displays unexpected behavior. For more information about how to restore registry keys from .reg files, search the Registry Editor Help files for the Import or export registry keys topic.


    8) Close the Registry Editor.

    9) Uninstall the TCP/IP protocol. To do this, follow these steps:
    a) In Control Panel, click Network and Dial-up Connections, right-click Local Area Connection, and then click Properties on the shortcut menu.

    b) Under Components checked are used by this connection, click Internet Protocol (TCP/IP), and then click Uninstall.

    c) Follow the on-screen instructions to uninstall TCP/IP.

    10) Restart your computer, and then reinstall TCP/IP if it is not installed automatically:
    a) In Control Panel, double-click Network and Dial-up Connections, right-click Local Area Connection, and then click Properties on the shortcut menu.
    b) Click Install.
    c) In the Select Network Component Type dialog box, click Protocol, and then click Add.
    d) Under Manufacturers, click Microsoft, click Internet Protocol (TCP/IP) under Network Protocol, and then click OK.
    e) Follow the on-screen instructions to install TCP/IP.

    11) Reset your modem by turning the power off and then on.

    12) Test your Internet connectivity.

    Let me know if this works. Thanks!
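The address the poster keeps getting, 169.254.171.140, is not something the Netgear router handed out: 169.254.0.0/16 is the link-local range (RFC 3927) that Windows assigns itself through APIPA when its DHCP client never receives a lease. That is also why `ipconfig /release` answers "the addresses were automatically configured and can not be released": there is no lease to give back. A lease can fail because the router is unreachable, or, as this thread turns out to show, because the local Winsock/TCP/IP stack is broken by a bad LSP. The Python below is an added example, not code from the thread or from any MajorGeeks tool: it parses `ipconfig /all` text into per-adapter fields and flags adapters that fell back to APIPA despite DHCP being enabled. The sample output is constructed to resemble the Windows 2000 layout and is an assumption, not a capture from the poster's machine.

```python
"""Classify adapters from `ipconfig /all` text and spot APIPA fallback addresses.

Added example; not from the original thread. SAMPLE_IPCONFIG is constructed
to resemble Windows 2000 `ipconfig /all` output and is an assumption, not a
capture from the poster's machine.
"""
import ipaddress
import re

# RFC 3927 link-local range that Windows APIPA self-assigns when no DHCP lease arrives.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : grizzly
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example NIC (constructed)
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.171.140
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . :

Ethernet adapter Second NIC:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
"""

# "Ethernet adapter Local Area Connection:" opens a section; indented
# "Key . . . : value" lines belong to the current section.
ADAPTER_RE = re.compile(r"^(?P<kind>\S.*adapter) (?P<name>.+):$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group("name")
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group("key").strip()] = m.group("value").strip()
    return adapters


def classify_adapter(fields):
    """Label one adapter: 'static', 'dhcp', 'apipa' (lease failed) or 'no-address'."""
    dhcp_on = fields.get("DHCP Enabled", "").lower() == "yes"
    addr = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    if not addr:
        return "no-address"
    if not dhcp_on:
        return "static"
    if ipaddress.ip_address(addr) in APIPA_NET:
        # DHCP is on but the client never got a lease: the router is unreachable
        # or, as in this thread, the local TCP/IP / Winsock stack is broken.
        return "apipa"
    return "dhcp"


def find_apipa_adapters(text):
    """Names of adapters that fell back to 169.254/16 although DHCP is enabled."""
    return [name for name, f in parse_ipconfig(text).items()
            if classify_adapter(f) == "apipa"]


if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{name}: {classify_adapter(fields)}")
```

On a real box you would pipe `ipconfig /all` output into `parse_ipconfig`; an "apipa" verdict on the only adapter, with the router known to be working for the machine next to it, points the investigation at the local stack rather than at the network, which is exactly the turn this thread takes.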
     
  23. jfxgrizzly

    jfxgrizzly Private E-2

    Dude! I'm connected!
    <ouch!>
    this page just forwarded to 'BuyCertifiedDiamonds.net'

    What's next? :)
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What exactly is going on? Are you talking about a startpage hijack?
     
  25. jfxgrizzly

    jfxgrizzly Private E-2

    Sorry. No, not the startup page. Firefox brings up a google page. I went to majorgeeks.com and posted a comment. Before I finished the post it brought up the diamonds thing. I finished the post. Then refreshed -- which generated an error and the PC rebooted. I'm back on the other system again.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    So you are now connected to the internet on the machine that had the 169 ip address, correct?
     
  27. jfxgrizzly

    jfxgrizzly Private E-2

    Was. For one post. Now I'm back on the other machine. I'm still connected on the other system, but it looks infected. The firefox startup page was an ad from adserver.sharewareonline.com
     
  28. jfxgrizzly

    jfxgrizzly Private E-2

    I'm posting from the non-169 machine. The 169 system is connected to the internet but I'm getting those ads mentioned.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, Post me a HJT log from the machine that had the 169 ip address.

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  30. jfxgrizzly

    jfxgrizzly Private E-2

    Here it is ...
     


  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be sure, on the machine that had the 169 ip address.

    Run HJT and have it fix these entries, close all browsers before fixing anything with HJT

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    After you fix these entries, reset web settings and default all security settings.

    Now for the below entries you will need the tool below:

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

    1) Download LSP FIX

    2) Open LSP FIX. Now these 2 files MAY already be on the right; all you need to do is click finish and reboot. BUT if they are not, select "I know what I'm doing", click on the files calsp.dll and aklsp.dll and move them to the right, click finish and reboot.

    3) After reboot, post fresh log
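The two kinds of entry in the post above are the ones that drove this whole cleanup: O1 lines, where the hosts file points well-known search hostnames at a public address (69.20.16.183), and O10 lines, where DLLs that Windows did not ship have been inserted into the Winsock LSP chain (HijackThis prints one O10 line per protocol entry, which is why the same DLL appears several times). The Python below is an added example, not code from the thread or from HijackThis or LSP-Fix. It triages those two line types from HJT log text: a hosts entry is treated as benign only when it sinks the name to loopback or 0.0.0.0, and an LSP DLL is treated as known only if it is in a small allow-list. The allow-list is an assumption: the four DLLs the poster left in place in LSP-Fix (rnr20.dll, winrnr.dll, msafd.dll, rsvpsp.dll) plus mswsock.dll, which Windows also ships; it is a baseline for a Windows 2000 box, not a complete list of legitimate providers. The sample log lines reuse the entries from this thread plus two constructed lines.

```python
"""Triage HijackThis O1 (hosts) and O10 (Winsock LSP) lines.

Added example, not part of the thread. SAMPLE_HJT reuses the O1/O10 lines
posted in this thread plus two constructed lines (the 127.0.0.1 hosts entry
and the msafd.dll O10 line). KNOWN_LSP is an assumed baseline, not a
complete list of legitimate providers.
"""
import ipaddress
import re
from collections import OrderedDict

SAMPLE_HJT = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.example.test
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\calsp.dll
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\calsp.dll
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\msafd.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
LSP_RE = re.compile(r"^O10 - .*Winsock LSP:\s+(?P<path>.+?)\s*$")

# LSP DLLs the poster left alone in LSP-Fix (rnr20, winrnr, msafd, rsvpsp)
# plus mswsock.dll, which Windows also ships. Assumed baseline for Win2K.
KNOWN_LSP = {"msafd.dll", "rsvpsp.dll", "winrnr.dll", "rnr20.dll", "mswsock.dll"}


def hosts_verdict(ip, host):
    """A hosts entry is benign if it sinks the name to loopback/unspecified;
    an entry that points a name at a routable address is a redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "blocking"           # 127.0.0.1 / 0.0.0.0 style entries
    if addr.is_private:
        return "local-override"     # LAN mapping; review, but usually admin-set
    return "redirect"               # public IP, e.g. the 69.20.16.183 search hijack


def triage(log_text):
    """Return (hosts_findings, lsp_findings) as lists of (item, verdict).
    Duplicate O10 lines (one per protocol chain entry) are collapsed."""
    hosts, lsps = [], OrderedDict()
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((f"{m['ip']} {m['host']}", hosts_verdict(m["ip"], m["host"])))
            continue
        m = LSP_RE.match(line)
        if m:
            path = m["path"]
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            lsps[path.lower()] = "known-lsp" if name in KNOWN_LSP else "unknown-lsp"
    return hosts, list(lsps.items())


def unknown_lsp_files(log_text):
    """LSP DLL paths that need LSP-Fix and, separately, deletion from disk."""
    return [p for p, v in triage(log_text)[1] if v == "unknown-lsp"]


def redirecting_hosts(log_text):
    """Hosts entries that send a hostname to a public address."""
    return [h for h, v in triage(log_text)[0] if v == "redirect"]


if __name__ == "__main__":
    for item, verdict in triage(SAMPLE_HJT)[0] + triage(SAMPLE_HJT)[1]:
        print(f"{verdict:15} {item}")
```

Two practical notes. The O1 verdict is deliberately not a domain blocklist: a hosts line that maps a search engine to a public IP is a redirect whoever owns that IP, so no list of bad addresses is needed. And the "unknown-lsp" list is the input to LSP-Fix, but, as the thread goes on to establish, pulling a DLL out of the chain does not delete it from system32; the same list is what you delete afterwards.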
     
  32. jfxgrizzly

    jfxgrizzly Private E-2

    HJT log attached.

    'LSP FIX' had all files listed on the left. Selected 'I know what I'm doing.' calsp.dll and aklsp.dll moved to right. rnr20.dll, winrnr.dll, msafd.dll, rsvpsp.dll left on the left. Fixed.

    Browser opened on its own to 'www.loadingwebsite.com' right before fix selected. Along with an ActiveX setting warning pop-up. Closed all & selected fixed.

    I'm getting a few new shortcuts on the desktop every reboot or so. (Like Amazon.com, eBay.com, Expedia.com, Startup Inspector, Second Thought, myPCsearch)
     


  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    NOTE: DO NOT FIX ANY OTHER FILE USING LSP FIX, DOING THIS WILL CAUSE THE LSP CHAIN TO BE BROKEN

    Ok, LSP FIX took care of that problem now lets move on. Follow below:

    Be sure you have "hidden files and folders" enabled per the tutorial

    1) Reboot into "Safe Mode"

    2) Go into the directory C:\WINNT\system32\ and find the file winupdt.exe, DELETE THIS!!!

    3) Also in the same directory, locate the file stcloader.exe DELETE THIS!

    4) Run HJT and fix these entries:

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe

    Reboot, post new log. If problem remains we will go farther.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    I have mentioned this to you multiple times! Please pay attention. YOU MUST finish the cleanup process and remove the malware files. Only doing the fixes with HJT is insufficient and incomplete.
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I told him to remove the files first, then the 4th step was to remove it from HJT.

    Whats the problem here?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry I quoted the wrong message! I wanted to quote the one with these:

    C:\winnt\system32\calsp.dll
    c:\winnt\system32\aklsp.dll
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Oh ok, I did not tell him to fix those with HJT, I got him to use LSP FIX for that. That has been repaired, we are now fixing the malware problem.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But the files still need to be deleted. Removing them from the LSP chain with LSP-Fix does not delete the files.
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry, My mistake

    Be sure you have "hidden files and folders" enabled per the tutorial

    1) Reboot into "Safe Mode"

    2) Go into the directory C:\WINNT\system32\ and find the file winupdt.exe, DELETE THIS!!!

    3) Also in the same directory, locate the file stcloader.exe DELETE THIS!

    4) Click Start, and then click Run. (The Run dialog box appears.)

    5) Type, or copy and paste, the following text:

    regsvr32 /u c:\winnt\system32\aklsp.dll

    regsvr32 /u c:\winnt\system32\calsp.dll


    6) Then click OK. If a dialog box confirming this action appears, click OK.

    7) Now go into the folder c:\winnt\system32 find and delete these 2 files calsp.dll and aklsp.dll

    8) Run HJT and fix these entries:

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe

    9) Reboot and post new HJT log
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note, the below entries are more than likely going to come back immediately:

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    They are part of the VX2 infection that has been going around and it requires some detailed work to fix. Many threads here already discuss this. For a small sample see:

    http://forums.majorgeeks.com/showthread.php?t=48597
    http://forums.majorgeeks.com/showthread.php?t=50081
    http://forums.majorgeeks.com/showthread.php?t=50835

    You will need the below tools if it does come back:


    Generic Detection Tool
    http://www.downloads.subratam.org/DllCompare.exe
    http://www.downloads.subratam.org/VX2Finder.exe
    http://www.downloads.subratam.org/KillBox.zip
     
  41. jfxgrizzly

    jfxgrizzly Private E-2

    Hmmm. I already deleted the files and ran HJT to fix. HJT generated this error:

    "An unexpected error has occurred at procedure: modMain_FixOtherItem(sItem=1 - Hosts: 69.20.16.183 autosearch.msn.com)
    Error #58 - file already exists


    Then I ran the unregister dll commands: "regsvr32 /u c:\winnt\system32\aklsp.dll" & "regsvr32 /u c:\winnt\system32\calsp.dll" and got this error:

    c:\winnt\system32\aklsp.dll was loaded, but the DllUnregisterServer entry point was not found.
    DllUnregisterServer may not be exported, or a corrupt version of c:\winnt\system32\aklsp.dll may be in memory. Consider using PView to detect and remove it.

    <same error for calsp.dll>



    I haven't rebooted yet -- are there other steps I should take before that?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to find and delete?
    c:\winnt\system32\aklsp.dll
    c:\winnt\system32\calsp.dll
     
  43. jfxgrizzly

    jfxgrizzly Private E-2

    Yes, they are deleted.

    I also noticed but did not delete these probably related files:

    akcore.dll
    akrules.dll
    cacore.dll
    winupdt.001
    winupdt.bin
    winupdtl.exe
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, delete those file and follow below:

    1) Download SpySweeper

    2) After install, update definitions by clicking "Options" and selecting "Update Definitions"

    3) Reboot in "Safe Mode" and run a full scan with SpySweeper

    4) Post me a new HJT log and the SpySweeper log. Thanks!
     
  45. jfxgrizzly

    jfxgrizzly Private E-2

    Spysweeper is running now. It looks like it could take awhile. I'll post the logs when done. Thanks for your help!
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, I'll be here a while so I will wait on your log; how's it looking as of now, as in traces found so far?
     
  47. jfxgrizzly

    jfxgrizzly Private E-2

    Spysweeper is sweeping the hard drives -- no notes from it so far. This is my first time to see it operate so I'm not sure where any 'finds' would be noted. Also, in safe mode the Spysweeper window looks like it extends beyond the screen. I hope all the buttons I'll need will be visible.
     
  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it's supposed to look like that in safe mode due to the screen resolution in safe mode. All you will need to do is click "NEXT" when the scan is complete; you will know when it's through. After it's done, check all that's found and remove. You don't have to post the log because I'm pretty sure I know what's on there. After you remove the selected items, reboot and see if the problem remains. If it does we will then continue into the removal of this new VX2 variant. Thanks!
     
  49. jfxgrizzly

    jfxgrizzly Private E-2

    Thanks. Its removing now ...
     
  50. jfxgrizzly

    jfxgrizzly Private E-2

    HJT log attached.

    FYI: Spysweeper keeps finding 69.* hosts. Removed. There they are again. Repeat ad nauseam.

    The VX2 tools listed previously are all available. Again, thanks!
     


