Spy/Adware attack....

My computer is infected with some spy/adware programs. I've run Spybot Search and Destroy, and it cleaned most of it, but couldn't do anything with something called "SearchForIt". Even when no browser window is open, in a span of about a minute, 3 or 4 ad popups appear on the screen.

Attached is a log from HijackThis. What do I need to fix?

Thank you in advance!

 

Something called "CashBack" has also installed itself on the computer. There is an icon for it in the status bar, with a little dog's face. Of course, they've automatically created a temporary username and password for me at their website!

 

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

Download the following removal tools:

• Trojan Vundo Removal Tool
• Trojan Vundo B Removal Tool

Now, Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

Run both removal tools! Run each one letting it complete. Afterwards procede with the rest of this fix!


Please look in Add or Remove Programs for the following and Uninstall them if found:

CashBack

BullsEye Network

NaviSearch

ipee

sf


Please download this trial version of ewido security suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, after rebooting continue with the below steps.

Open up Ewido and do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • 
    [*]Binder
    [*]Crypter
    [*]Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

After you have completed all of the above come back here and post the Ewido Scan Report along with a fresh HJT log.

 

Done. Logs are attached.

I'm still getting some popups, lesser frequency than before however. What else should be done?

Thanks for all your help!

(I'm having trouble attaching the logs files to this message. The upload function is giving an error...hang on..)

 

Here we go....

 

Getting a new error now:

Every few minutes, a windows dialog box pops ups with
"Microsoft Visual C++ runtime Library" title, and saying that

"Buffer overrun detected. C:\WINDOWS\system32\rundll32.exe.

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."

Mal/Adware running in the background causing this?

 

First, uninstall Ewido, disable any antivirus or antispyware programs you may have so they will not block this fix!

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\wjee1.dll (file missing)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\90vt4q.dll
O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca2.dll (file missing)

O3 - Toolbar: (no name) - {C109664B-CEB1-420b-B353-D55A561536DD} - (no file)

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [boeline] C:\WINDOWS\boeline.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [Pzopsc] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\RunOnce: [rgbkk.exe] C:\WINDOWS\System32\rgbkk.exe /k

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://domino2.ncat.edu/iNotes6.cab

O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\czgbkend.dll

O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\BullsEye Network ←–– Delete this whole folder if it exist!

C:\Program Files\NaviSearch ←–– Delete this whole folder if it exist!

C:\Program Files\CashBack ←–– Delete this whole folder if it exist!

C:\Program Files\ipee ←–– Delete this whole folder if it exist!

C:\Program Files\sf ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\l?gonui.exe
(The ? represents a unprintable character)

C:\WINDOWS\system32\90vt4q.dll

C:\WINDOWS\System32\winupdt.exe

C:\WINDOWS\System32\rgbkk.exe

C:\WINDOWS\system32\czgbkend.dll

C:\WINDOWS\System32\wintask.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\boeline.exe

AUNPS2.DLL ←–– Search for this file and delete when found!

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Done.

I remember deleting the cfgmgr52.dll in system32 folder, but it's showing up on the logfile.

Also, as I am typing this message, the cursor turned to an hourglass, and AdDestroyer just installed itself. Virtual Bouncer "Parasite Alert" just also popped up on screen.

What did I miss, what am I doing wrong?

Thanks for your help. It's frustrating that these people are resorting to such stupid tactics. I've already spent over 4 hours doing cleanup, and you're spending your valuable time as well.

 

Think I know what it is. Did the HijackThis Fix in safe mode, but then when it restarted the computer, I came back in normal mode, and did the rest of it in normal.

When the registry is cleaned, how can it still re-install itself?

 

Attach a fresh HJT log from normal mode.

 

Please find attached.

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

Virutual Bouncer or VBouncer


Now please download Pocket KillBox but do not run it yet.


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\auvapi32.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\VBouncer ←–– Delete this whole folder if it exist!


NEXT:
Run CCleaner to clean up cookies and temp files.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\System32\wintask.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\exp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


Now, Copy and Paste C:\WINDOWS\system32\auvapi32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\AUNPS2.DLL into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you have completed ALL of the above, reboot once more and then attach a fresh HJT log.

 

Followed the instructions exactly. Please find the logfile attached.

When I came back in to the system after two reboots, and launched IE browser window and typed the url from these forums, got two popups. One is for http://www.booksellersnow.com/geeks.htm.

This booksellernow.com/geeks popup comes up everytime I come to the forums from a fresh window.

auvapi32.dll is still in the logfile. I had fixed it from HJT and then deleted it with KillBox.

Thanks for your help!

 

The frequency of the popups has gone down, a couple of popups once every 4-5 minutes now.

 

Look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

othb.exe


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\auvapi32.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\cfgmgr52.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\Program Files\ipee\othb.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\auvapi32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above REBOOT BACK INTO SAFE MODE and delete the following folder:

C:\Program Files\ipee

NEXT:
Run CCleaner to clean up cookies and temp files.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Logfile attached (again, followed the intructions completely).

This entry is not going away:
"O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\auvapi32.dll"

Popups are still appearing. Anything more drastic we can do?

Thanks!

 

Trying to delete this file C:\WINDOWS\system32\auvapi32.dll thru KillBox, it's undeletable!

 

If this helps somehow, I'm also getting popups from MSN search, like the one here....

http://search.msn.com/results.aspx?q=money+market+account

 

First download: - ProcessExplorer for Win NT/2K/XP

Reboot in Safe Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of auvapi32.dll once and then click the kill button. After you have killed all of the auvapi32.dll's under winlogon click ok.

Next double click on explorer.exe and again click once on each instance of auvapi32.dll then click the kill button. Once you have done that click ok again.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [pEoi3nT] etecr71.exe
O4 - HKCU\..\Run: [Yp7sRhfqe] emsax2.exe

O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\auvapi32.dll

Copy the bold text below to notepad. Save it as fix.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.
In Killbox - put a check next to "Delete on Reboot"
Copy & paste the following lines in bold into the "Full Path of File To Delete" box:

C:\WINDOWS\System32\emsax2.exe

C:\WINDOWS\System32\etecr71.exe

C:\WINDOWS\system32\auvapi32.dll

Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log.

 

Please find the logfile attached.

I didn't see auvapi32.dll in the threads tab for winlogon and explorer as specified in the instructions.

Also, the "04" entries in HJT weren't there either. Only the "20" entry. I fixed it, but it keeps reappearing.

While looking thru the folders on under Program Files, came across a hidden folder named "aprps". Looked suspicious, so I did a search on Google. Supposedly, two files in the folder are infected:
C:\Program Files\Aprps\CxtPls.dll is infected with Spyware.Apropos
C:\Program Files\Aprps\CxtPls.exe is infected with Spyware.Apropos

Of course, they didn't delete - Access is denied error.

 

While making this previous post, something happened on my computer screen, and all the blue color (Task Bar) turned white. It froze momentarily, and was followed by the infamous "Blue Screen of Death" from the DOS days, and my laptop rebooted automatically after that.

 

Thanks Chas, I was wanting to see if that could do it but apparently it didnt so I will try the L2MeFix now.

pip_finn,

Download the L2MeFix Tool.

DO NOT RUN ANYTHING YET!

Now please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log along with a fresh HJT log.

Please don't run any other files in the L2MFix folder.

 

Nice to be able to type in forums.majorgeeks.com, hit enter, and not see the annoying http://www.booksellersnow.com/geeks.htm popup!

Entry "20" is finally gone.

How clean are things now? (I did get one popup in the last couple of minutes)

Thank you very much for all your help!

 

Download the Generic Detection Tool - NT/2000/XP but dont run it yet.


Please look in Add or Remove Programs for the following and Uninstall them if found:

AutoUpdate

Aprps


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll

O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll

O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [pEoi3nT] wlnpsnap.exe
O4 - HKCU\..\Run: [Yp7sRhfqe] wexocmgr.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\Aprps ←–– Delete this whole folder if it exist!

C:\Program Files\AutoUpdate ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\wlnpsnap.exe

C:\WINDOWS\System32\wexocmgr.exe

C:\WINDOWS\System32\stlb2.dll

C:\WINDOWS\System32\E6F1873B.dll

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows

Once you have completed ALL of the above, Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Attach this log as an attachment to your post.

 

Logfile for generic detection tool is attached.

Thanks!

 

Reboot into Safe Mode and navigate to and delete the following 2 files.

• C:\WINDOWS\System32\l?ass.exe
• C:\WINDOWS\System32\l?gonui.exe

The ? indicates an unprintable character. Manually locate these two files and delete them once located.

These are NOT to be confused with the legit files, lsass.exe & logonui.exe in the System32 directory.


Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\System32\gyh.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\egqy.sys into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, reboot into normal mode and get me a fresh HJT log along with one last log from the Generic Detection Tool.

 

Here they are...

 

Your logs are clean, are you having any further problems?

 

I've been on the Internet for the past 20 mins or so, things seem to be fine.

Thank you very much for your help, bjgarrick!

 

Your Welcome!

I would now recommend your following all of the steps in this thread on How to Protect yourself from malware!

Surf Safely!