Spyware that I cannot remove

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by alisen, Jan 13, 2005.

  1. alisen

    alisen Private E-2

    I am running a Compaq Presario SR1015LA computer which seems to be a magnet for malicious software. I am located in Santiago, Chile, and use a DSL connection to the Internet.

    I know for sure that I have some CoolWebSearch issues, as CWShredder identifies it. I can get a report, and scan, but when I try to fix it, I get a "program has encountered an error and must shut down" message. So obviously I cannot fix anything.

    There are also some host redirects that HijackThis cannot fix. I am sure that there are other things. I tried the suggestions given (very helpful by the way) for interpreting HijackThis logs, and was successful in deleting some of them, though not all.

    I have Norton AntiVirus 2003 installed, and running, though to get a system scan I had to go outside of windows and run it through a safe mode command prompt. It found no viruses.

    I have run Spybot S&D and Ad-Aware SE, and Microsoft AntiSpyware, and have tried to remove what is found. Some won't remove, and some just keep coming back. I can try to identify each one if that is necessary.

    I find that sometimes I cannot get to sites which seem to be security related; for instance, I could not download HijackThis. I had to download it on another PC and bring it to this one.

    So, my question is where do I begin? My goal, once cleaned, is to have this computer auto protected to the extent that is possible. Reasons being that it is used by a 12-year-old girl who likes smilies and such - kid sites seem to be a magnet for stuff like this. She doesn't have the technical know-how to make judgments on what is safe and what isn't. Also, since we bought this PC here in South America, Windows and IE are in Spanish, which my daughter barely speaks. So the warning messages are in Spanish, too - which is a problem for her. So bottom line, anything I can do to background protect would be great.

    Thank you so much for any help you can give,
    Alisen
     
  2. yukon98

    yukon98 Specialist

  3. PhilliePhan

    PhilliePhan Guest

    Hi Alisen,

    I think you might have the latest VX2 variant that is making the rounds these days. (Among other issues)

    Please start with the Cleanup Tutorial linked below - Do as much of it as you can. Then, follow the directions for HijackThis. We'll see if we can fix you up and then help you protect your computer ;)

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will try to check back as time permits - Awfully busy and a bit overextended these days.

    Best luck :)
    PP
     
  4. alisen

    alisen Private E-2

    Thanks for the replies - this is quite an undertaking.

    First of all, yes I have the latest CWShredder.

    Now, what happened as I tried to run all of the different things you suggested, in the tutorial. And I notice that now since I opened this, I've had several popups, including some nasty porn, and online casinos.

    Ad-Aware was unable to remove c:\windows\system32\en66l1jsl.dll and asks me to allow it to run on next reboot, so I clicked yes. Spybot removed all (I think, or at least gave a check mark to all).

    CWShredder, same problem, shuts down on fix.

    About:Buster says data is corrupt or missing - didn't do anything.

    Then I rebooted, having done all the listed steps (the online virus scans were clean).

    On reboot got this message (still in safe/w/networking mode): an exception occurred in "c:\windows\system32\iampdll", UMonitor

    Ad-Aware did not start automatically like it was supposed to, so I ran it again, and during the scan it said "explorer.exe has detected a problem and must close" send error message/don't send --- I chose don't send, and Ad-Aware kept going. Again it wouldn't remove everything -- this time windows\system32\lv6q09j5e.dll, asks to re-run on boot.

    On boot, new exception windows\system32\ccmsnap.dll, UMonitor

    New boot, new exception windows\system32\oqeprn.dll, UMonitor

    And here I am, still in safe mode, with these odd popup windows. (Did I mention I have SP2 on my Windows XP? I thought that would block those, but I guess not.)

    Obviously something is still wrong. What should I do now?

    Thanks again, alisen
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Alisen,

    It sounds like you do indeed have the latest VX2 variant. The removal process is lengthy, but relatively painless! Please download the following tools:

    DllCompare – O^E
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox

    NOW:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "Find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log using the "Manage Attachments" tool when you post.


    ALSO: Please scan with HijackThis (in Normal Windows boot) as per the instructions in my first post and attach that log as well.

    NOTE: After scanning with the Generic Detection Tool, you MUST NOT REBOOT until you hear back from me or the malware will mutate and the scan will have to be redone!

    If the HijackThis log shows too much assorted malware to proceed directly with the VX2 removal, we will first have to address that - No worries though!

    I've been very busy lately, but will try to check back when time permits.

    PP :)
     
  6. alisen

    alisen Private E-2

    Hi PP

    Thanks for your replies :)

    I rebooted into normal mode (so I would not have to reboot after the generic scan) and then ran the find.bat. Output.txt is attached.

    Then I ran HijackThis from its own folder; hijackthis.txt is attached.

    I'll leave the computer untouched till I hear from you.

    Thanks again,
    Alisen
     


  7. alisen

    alisen Private E-2

    I think the computer rebooted while I was away from it, though nobody touched it. I think it did because the "An exception occurred..." message was up and all of my items in the system tray are back on.

    Could this be? And if so how can I stop it again?

    Wow...
    alisen
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Alisen,

    Please run the Generic Detection Tool once more (to be safe) and attach the log. First one is not too bad :) I am in OHIO (EST) and usually have more free time for this forum in the evening - Will post a fix then.

    PP :)
     
  9. alisen

    alisen Private E-2

    Hi PP

    Attached is the new scan. It is 2 hours later here than EST - where are you in Ohio? I was born in Warren, southeast of Cleveland. I didn't think they allowed Phillie fans in Ohio - my grandmother would be appalled ;)

    Thanks for your help,
    Alisen
     


  10. PhilliePhan

    PhilliePhan Guest

    LOL! :) Indians fan, huh?

    I am near OSU.

    Give me about 20 minutes and I'll post the first steps of the fix for you.
    Will be going out shortly and probably won't be able to check back until Saturday evening.

    Also, I should add before I forget - Please uninstall the Microsoft AntiSpyware and delete it. Give them some time to work out all of the bugs before D/Ling it again.

    PP :)
     
  11. alisen

    alisen Private E-2

    Well, my grandma was an Indians fan, and a Steelers fan. She was a tough fan, too. :) Before coming here, we lived about 30 mi from Philadelphia, so my youngest son is a big Phillies fan. The rest of my family are Mets fans, sorry to say. :rolleyes:

    Thanks, I will probably do the fix first thing tomorrow, as it is almost midnight here and we have an early day tomorrow.

    Will there be a problem if the computer reboots itself again? I do have a sign on it that says don't touch, but if it does it by itself....

    Again, thanks for all of your help. It's good to know people use their computer knowledge for good, and not just evil :)

    alisen
     
  12. PhilliePhan

    PhilliePhan Guest

    Darn Mets Fans!!! ;) They are adding some serious weapons this winter!!

    Your machine is fairly clean. Should it reboot on its own, let me know. But, go ahead and follow these instructions anyway!


    AllRightyThen. . . . .

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions & ENTER IT ANYWAY when instructed to do so.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\dn6m01j1e.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\ir46l5hs1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\gpj8l31u1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea . . . Now do the same for the rest of these:

    i0jq0a15ed.dll
    s6pulg7916.dll
    jtr8079ue.dll
    hp2023fmg.dll
    l26olcj31fo.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .


    NEXT:

    Doublecheck to make sure that guard.tmp has been removed. If it remains, feed it to Pocket KillBox and Delete it using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp


    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{F2249FC0-C9A5-4620-BECA-FBD4404C23F7}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]



    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up! Let me know if you had any trouble with the above instructions.

    I will try to check back when time permits. Likely Saturday evening.

    PP :)
     
  13. alisen

    alisen Private E-2

    Hi PP,

    Well, I ran all of your fixes, and the only problem I encountered was that after the first reboot, I got the error that winlogon.exe encountered a problem and had to be shut down, do I want to notify Microsoft blah blah blah. I just clicked no, and went on.

    Otherwise, no problems in following the instructions. BUT I was sad to see the redirects are still all over the HijackThis log. Let me just be sure on the HJT directory. The instructions say it has to be in its own folder, so I made one on the desktop, i.e. c:\desktop\hijackthis\hijackthis.exe . Last night I was reading Chaslang's postings on HJT, and it said it cannot be on the desktop. Do I need to redo this?

    OK, well here are the logs, and thanks for all your help again, though I know we are not finished yet... :D
    alisen
     


  14. PhilliePhan

    PhilliePhan Guest

    We'll deal with the HJT log after we get the rest cleaned up! Please go ahead and locate it in its own folder - C:\Program Files\HijackThis

    THEN:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\ir46l5hs1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\dn6m01j1e.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .

    NEXT:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg



    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]




    Now:
    Click on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Please attach another Find.bat log and a Fresh HJT log and we'll see where we stand! Let me know if you had any trouble with the above instructions.

    A question: How many active User Accounts are on this machine?

    As always, I will try to check back when time permits. I got talked into doing some plumbing this weekend!! Don't know how that happened :rolleyes: , but heading out the door right now.

    PP :)
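The fixvx2.reg (post 12) and 2fixvx2.reg (post 14) files above use two REGEDIT4 idioms: `"name"=-` deletes a value and `[-KEY]` deletes a whole key. As an added example, not code from the thread or from any of the tools it links, here is a Python preview of what such a file will do before it is merged, so a reader can confirm a posted fix only removes entries and never writes new ones. The sample .reg text is constructed to match the shape of the files above.

```python
import re

# Constructed sample in the same shape as the fixvx2.reg posted above:
# one value deletion ("name"=-) and one whole-key deletion ([-KEY]).
SAMPLE_REG = """REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform]
"{F2249FC0-C9A5-4620-BECA-FBD4404C23F7}"=-
[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Applets]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def explain_reg(text):
    """Return (action, key, value_name, data) tuples describing what merging
    the .reg text would do, without touching the registry."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / version header")
    actions, current_key = [], None
    it = iter(lines[1:])
    for raw in it:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # [-KEY] deletes the whole key
                actions.append(("delete_key", key[1:], None, None))
                current_key = None             # no values may follow it
            else:                              # [KEY] creates it if missing
                actions.append(("ensure_key", key, None, None))
                current_key = key
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            raise ValueError("unexpected line: %r" % raw)
        # "@" is the key's default value; quoted names may escape \ and "
        name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(2).strip()
        while data.endswith("\\"):             # hex data continued on next line
            data = data[:-1] + next(it, "").strip()
        if data == "-":                        # "name"=- deletes the value
            actions.append(("delete_value", current_key, name, None))
        else:                                  # data kept raw ("str", dword:.., hex:..)
            actions.append(("set_value", current_key, name, data))
    return actions


def only_removes(actions):
    """True when the file deletes keys/values and writes nothing new; a
    cleanup .reg like the ones in this thread should satisfy this."""
    return all(a[0] != "set_value" for a in actions)


if __name__ == "__main__":
    for action, key, name, data in explain_reg(SAMPLE_REG):
        print(action, key, name or "", data or "")
    print("removes only:", only_removes(explain_reg(SAMPLE_REG)))
```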
     
  15. alisen

    alisen Private E-2

    Done :)

    See attached :) I was looking at them, trying to see what had changed and see if I can learn from this experience, instead of just depending on the kindness of strangers, and was sad to see I didn't see much of a change. I will be interested to see if that is a good thing or not...

    There is just the propietario account, which is the administrator account.


    Well, considering how you spend your free time helping people {like me :) } I can figure out how you got talked into it! We need to get a plumber out here, actually, you reminded me I need to call somebody!

    Thanks as always,
    alisen
     


  16. PhilliePhan

    PhilliePhan Guest

    Hi Alisen,

    Actually, things DID change! Things look good!

    All that is left is to fix some lines with Hijack This. Now that you have cleaned up the mess, they should not be coming back - We'll keep our fingers crossed ;)

    Did you uninstall the Microsoft Antispyware program? If so, go ahead and fix that line below.

    I assume akc.org is desired?

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.
    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe" --> Fix this if you have uninstalled this.

    Please make sure All Browser Windows (including this one) are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
    I'll check back Sunday evening and make sure all's clear. If you have any questions about safeguarding your machine, leave them for me and I'll address those as well

    PP :)
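The O1 lines above are hosts-file entries that point search-related names at one routable address instead of the machine itself. As an added example, not from the thread or from HijackThis, this Python script does the same check offline: it parses hosts text, flags any name mapped to a non-loopback address, groups the hits by target to expose the one-IP-many-names redirect pattern, and produces a cleaned copy that keeps comments, localhost and blocklist-style 127.0.0.1 entries. The sample hosts content is constructed from the log lines above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file mirroring the O1 lines in the HijackThis log:
# several search-related names pointed at one routable address, plus a benign
# blocklist-style entry that maps an ad server to loopback.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
69.20.16.183 ieautosearch
127.0.0.1 ad.doubleclick.net   # blocklist entry, harmless
"""


def parse_hosts(text):
    """Return a list of (line_number, ip, hostname) for every mapping in the text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if not parts:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line; a full audit would report it
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def find_redirects(entries):
    """Mappings that send a name to a routable address. Blocklist-style files
    use 127.0.0.1 or 0.0.0.0; a hijack points the name at a real server."""
    return [(n, str(ip), h) for n, ip, h in entries
            if not (ip.is_loopback or ip.is_unspecified)]


def group_by_target(redirects):
    """Names sharing one target address; several unrelated names on one IP is
    the redirect pattern seen in the log."""
    by_ip = defaultdict(set)
    for _, ip, host in redirects:
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def clean_hosts(text):
    """Return the hosts text with redirect lines removed; comments, loopback
    and blocklist entries are kept as they were."""
    redirect_lines = {n for n, _, _ in find_redirects(parse_hosts(text))}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in redirect_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hits = find_redirects(parse_hosts(SAMPLE_HOSTS))
    for lineno, ip, host in hits:
        print("line %d: %s -> %s" % (lineno, host, ip))
    print(group_by_target(hits))
```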
     
  17. alisen

    alisen Private E-2

    Wow - I was in normal Windows before - was I supposed to be in Safe Mode? If not, what do I need to repeat?

    No problems running any of these.

    OK - it's now looking like it is running pretty well now. I attached the new HJT log. I see that the thing about changing the homepage to Done is still there. I did see that Spybot resident asked if it was ok to change that, I said no. Maybe should have said yes?


    So now it's time to keep it that way. After reading Chaslang's suggestions I do have a couple of questions.

    Windows update - When it says to do WU once a month, does that mean that keeping automatic update on does not really keep you up to date? Or should I not have automatic update on?

    AntiVirus - I own this NAV2003 already. Are Avast! and AVG or AntiVir really that much better than what I have, and should I go with one of them, keeping in mind my goal of keeping this kid-used computer as automatically virus free as possible.

    Firewall - I d/l Sygate, and put it on my own computer. It seems fine so far, however, it does ask every time any program needs to access the internet. And I know that my daughter doesn't have the know how to know when it is ok to say yes, and when to say no. Is there any getting around this?

    Spyware - I put SpywareBlaster on my own PC, and it doesn't seem to run in the background, though I have not had much time to read how that is supposed to work. How is it different from the Spybot S&D resident mode? Also, I gathered from your comments above that removing MS AntiSpyware was a good thing, so I did it. It did seem to run nicely in the background, and scan at night when I wasn't using the PC, very convenient. What are the negatives of it?

    ActiveX - I have downloaded and put Firefox in as the default browser, as recommended. However, I know there are some times you have to use IE (at least I think so); I will fix the security settings. Does Mozilla have ActiveX controls that need to be set? Sorry if that's a dumb question, I have the barest understanding of ActiveX.

    Anything else I should have to automate the protection of this computer? I am willing to pay for software if it means that it will be more automated and work as well or better.

    OK - that's about it. I'll be moving on to another PC in the house next week {assuming this one is finally clean} - hopefully will be able to do most of it alone, but if not will be back!

    Thanks so much for your time and help, and I hope that you have a great day! :) :) :)

    alisen
     


  18. PhilliePhan

    PhilliePhan Guest

    Turn off the Tea Timer and fix that line with HijackThis.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Then, reset your web settings.
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com OR www.phillies.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    I've got to run, but will address the rest of your post this evening!!

    PP :)
     
  19. PhilliePhan

    PhilliePhan Guest

    Hi Alisen,

    Hope these answers help a bit ;)

    1) The bit about rebooting to Normal Windows – I use a number of Copy&Paste boilerplates to save typing and forgot to take that out. You were OK. You do not need to repeat anything.

    2) Windows Automatic Updates – I prefer to check them myself so that they don’t automatically install something I do not want. The choice is yours. I have it set to “Notify Only” (or something like that) so that it tells me when Updates are available, but doesn’t download them until I review them.
    You should try to keep all Critical Updates up-to-date. They are the first line of defense!

    3) As far as Anti-Virus goes:

    If you want the BEST money can buy, I would go with either NOD32 or Kaspersky !
    Of the free ones here at MGs, people here like AVG or Avast.

    4) Firewall – Sygate needs to “Learn” what should be granted access to the net. Just answer once and check the box “Do Not Ask Again” so it will remember your preference for a given item. Make sure the Windows Firewall (which is on by default) has been DISABLED when running Sygate. And, definitely stick with Sygate – it does a fine job.

    5) SpywareBlaster – This is an excellent defense against malicious ActiveX installs. It adds a “Kill Bit” to the registry to block a lot of baddies. Definitely keep it and Internet Update it regularly! It works well when teamed with Spybot S&D. Use them both and update regularly. Immunize!

    6) As far as Microsoft AntiSpyware – Give them some time to work out the kinks and bugs. It is still a bit rough around the edges and I’ve seen it cause a few problems.

    7) FireFox is a safe alternative to IE because it is free of ActiveX issues and the malware purveyors are out to make money and, since 90% of the world uses IE, that’s where the money is. You can bet that, if everybody were using FireFox, it would then be under the same attack! There are ActiveX plugins available for FireFox if you want them.
    Also, you need IE to get those Windows Updates!!


    I think you should be OK following Charlie’s suggestions – But, remember, the best defense against malware rests on your shoulders! Surf Smartly and Safely!

    A few additional free tools I really like (if you want a little overkill) are these:

    BHODemon
    WinPatrol
    SpywareGuard

    ANYHOO, Let me know how your machine is working now that things are all clean.

    If you need any help with the other computer, just let me know!

    Best :)
    PP
     
