Another Guy with VX2 Variant

Discussion in 'Malware Help (A Specialist Will Reply)' started by Immovable, Jan 6, 2005.

  1. Immovable

    Immovable Private E-2

    Hi,
    I think I have a vx2 variant or something. It looks remarkably close to what TexasBlaze had in a recent thread.

    I ran through the Do This First page but had two problems:
    1. I had problems running some of the tools in Safe Mode (no mouse); so I did everything in Normal Mode as well.
    2. I couldn't run Trend's tool, either the IE version or the java version. The other virus checkers worked fine and I also ran a full system scan with the Norton AV that I have installed and running.

    Secondly, since yesterday, I somehow seem to have gotten more infected with spyware, and spybot and adware didn't remove it (reappeared on reboot) and spyware blaster didn't prevent it. I really don't know how that happened (note the entries in HJT for VBouncer and maybe SED and I don't know what else).

    I've got the tools ready that PP mentioned in the other thread working with TexasBlaze.

    Here's my hijackthis.log and output.txt

    Thanks for your help.
    -Immovable
     


  2. Immovable

    Immovable Private E-2

    Oops sorry, I guess I was supposed to wait until someone asked for the HJT files. :( I just noticed that at the top of the screen. Sorry.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Immovable,

    I trust you have the following on hand:
    Pocket KillBox, VX2 finder etc... ??

    Please look in ADD/Remove Programs and Uninstall:
    Virtual Bouncer
    SED

    if you see them.
    Then, go to the Program Files folder and remove any traces of them from there as well.


    NEXT:
    Please download the following tool:

    LSP - Fix

    NOW: Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Now, do the same for aklsp.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.



    NOW: Reboot and then scan with HijackThis and attach the log. Be sure to follow these instructions:
    Note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.


    I'll also need a fresh Find.bat log.

    NOTE: Once you have scanned with Find.bat, you MUST NOT REBOOT until you hear from us - The malware will mutate if you reboot.

    Will try to check back tonight.

    PP :)
     
  4. Immovable

    Immovable Private E-2

    Thanks PP :)

    Here's the new logs.

    In the meantime, I noticed a file named strings.exe in my startup folder (using Codestuff Starter). Should I remove it?

    Thanks.
    -Immovable
     


  5. PhilliePhan

    PhilliePhan Guest

    Hi Immovable,

    Don't worry about strings.exe right now.

    Please remove Ad Destroyer via Add/Remove Programs and then do the same for any traces of this left in Program Files Folder.

    I'm giving you the "All in one" version of the workthrough in the hope of saving some time. With some luck, things will run smoothly - Otherwise we may have to repeat a few steps!

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\mv0ul9d91.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\g0040adqed0e0.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\lvns0957e.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .


    NEXT:

    Double-check to make sure that guard.tmp has been removed. If it remains, feed it to Pocket KillBox and Delete it using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp


    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{09CEC285-276B-4AA4-8AE1-8B7A7940F571}"=-

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]



    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up!

    I will try to check back when time permits.

    PP :)
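Added example, not part of the thread and not anything PP or the VX2Finder author shipped: before merging a fix file like fixvx2.reg it is worth previewing exactly what regedit will do with it. In REGEDIT4 syntax a `[KEY]` line creates the key if it is missing, a `[-KEY]` line deletes the whole key, and `"name"=-` deletes one value under the current key. The script below parses a .reg file into those operations and lists the destructive ones. The embedded sample is the fixvx2.reg text from the post above; the function and constant names are mine.

```python
import re

# Sample input: the fixvx2.reg contents posted above, embedded verbatim as a raw string.
FIXVX2_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09CEC285-276B-4AA4-8AE1-8B7A7940F571}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"""

# Both header lines regedit accepts (REGEDIT4 is the Win9x/NT4-era form used in the thread).
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg(text):
    """Turn a .reg script into a list of (action, key, value_name, data) tuples.

    Actions follow regedit's own syntax:
      [KEY]        -> ("create_key", KEY, None, None)   (created if absent)
      [-KEY]       -> ("delete_key", KEY, None, None)   (whole subtree removed)
      "name"=-     -> ("delete_value", KEY, name, None)
      "name"=data  -> ("set_value", KEY, name, data)
      @=data       -> ("set_value", KEY, "", data)      (the key's default value)
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a registry script: missing REGEDIT4 header")
    ops = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                ops.append(("delete_key", body[1:], None, None))
                key = None                         # values cannot follow a delete-key line
            else:
                key = body
                ops.append(("create_key", key, None, None))
            continue
        if key is None:
            raise ValueError(f"value line outside any key section: {line}")
        if line.startswith("@="):
            name, data = "", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line}")
            name, data = m.group("name"), m.group("data")
        if data == "-":
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops


def destructive_ops(ops):
    """Keep only the operations that remove something, for review before merging."""
    return [op for op in ops if op[0] in ("delete_key", "delete_value")]


if __name__ == "__main__":
    for action, key, name, data in parse_reg(FIXVX2_REG):
        suffix = f"  value={name!r}" if name is not None else ""
        print(f"{action:13} {key}{suffix}")
```

Run as-is it prints one line per operation for the sample; point `parse_reg` at the contents of any .reg file you have been asked to merge. The parser deliberately does not join `hex(...)` continuation lines, since fix files of this kind only delete keys and values.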
     
  6. Immovable

    Immovable Private E-2

    Hi PhilliePhan,

    I followed your instructions and everything went smoothly except for one thing.
    The file C:\RECYCLER\Desktop.ini was not found by Killbox.
    Otherwise, the rest went just fine.

    Here are my updated HJT and Find.bat logs.

    Sorry I didn't get back to you sooner, but I had to go for a while...
    Thx. What next?
    -Immovable
     


  7. PhilliePhan

    PhilliePhan Guest

    Hi Immovable,

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\g0040adqed0e0.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it 2ndfixvx2.reg:


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]



    Now:
    Click on the 2ndfixvx2.reg file you made and allow it to merge the registry entries into the registry.

    Now, scan with HijackThis and check the boxes for the following:

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - Global Startup: strings.exe


    Make sure All Browser windows are Closed when you Click FIX.

    Then, attach another Find.bat log and a Fresh HJT log and we'll see if we got it all. Let me know of any problems and tell me how things are running now. Will try to check back Friday evening.

    PP :)
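Added example, not part of the thread and not a HijackThis feature: the O1 lines above are hosts-file entries that send search-related names to one routable address, which is the pattern a hijacker leaves behind. Legitimate hosts entries almost always point at loopback (127.0.0.1, ::1) or 0.0.0.0, as ad-blocking lists do. The script below parses hosts-file text and reports every name mapped to anything else, grouped by IP, so the whole redirect set is visible at once. The sample hosts text is constructed to mirror the entries HijackThis reported here; the function names are mine.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file. The 69.20.16.183 lines mirror the O1 entries HijackThis
# reported in this thread; the localhost and 0.0.0.0 lines are the benign kind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid        # ad-blocking style entry, harmless
69.20.16.183    ieautosearch
69.20.16.183    search.netscape.com
69.20.16.183    auto.search.msn.com
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True for loopback and unspecified addresses, the normal targets of blocking lists.

    Anything that does not parse as an address at all is treated as NOT a sinkhole,
    so it gets reported too.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_redirects(text):
    """Return {ip: [hostnames]} for every entry that sends a name to a routable address."""
    redirects = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_sinkhole(ip):
            redirects[ip].append(name)
    return dict(redirects)


if __name__ == "__main__":
    # On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.
    for ip, names in find_redirects(SAMPLE_HOSTS).items():
        print(f"{ip} <- {len(names)} name(s): {', '.join(names)}")
```

Many distinct names resolving to a single routable IP is the signal to act on; a clean machine's hosts file typically yields an empty result.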
     
  8. Immovable

    Immovable Private E-2

    Thanks PP,

    New logs attached.
    (Things went well but the strings.exe was gone when I went to Killbox it).

    I seem to be running fine now, I'm so happy :)

    Just a few questions:
    1) I've got a few files in system32 that I seem to have picked up recently, during some of this spyware incident, but before the fixes.
    mtvcp60.dll - I don't know what this is, google doesn't help; it is size 219 KB
    casync.dll and cacore.dll - isn't this Coupon Age dlls?

    2) do i clean the dll stubs and wpa.dbl in system32?

    Thanks
    -Immovable
     


  9. PhilliePhan

    PhilliePhan Guest

    Hi Immovable,

    Things look good - I expected strings.exe to be gone.

    casync.dll and cacore.dll should be removed.

    mtvcp60.dll --> I don't know what this is either. I suppose whether it lives or dies is in your hands . . . You could rename it to mtvcp60.bad and wait a few weeks to see if you need it.

    Cleaning the stubs may be a little much.

    I'd fix these with HijackThis, though:

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab



    How's the machine running? Things back to normal?

    PP :)
     
  10. Immovable

    Immovable Private E-2

    PhilliePhan,

    Everything is running well now. No ads, no nothing.
    I really appreciate your help!
    Now hopefully I've learned some lessons.

    Thanks Again!
    -Immovable
     
  11. PhilliePhan

    PhilliePhan Guest

    You're Welcome! :)

    Every battle with Malware is a good learning experience!

    Be sure to check this out: Chaslang's guide to Malware Protection

    PP :)
     
