crapware - please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Hollywood, Feb 8, 2005.

  1. Hollywood

    Hollywood Private E-2

    I keep getting these pop-ups, redirects and casino crap downloading itself to my desktop. I have run ad-aware, pest patrol, microsoft antispyware. but they keep coming back. I downloaded highjackthis and made a log file. Can you help?
     

    Attached Files:

  2. shewolf

    shewolf Specialist

    Welcome to MG :)

    Hijack This is not the first step in solving the problems. This forum has many good tools to use, and I can see that you have tried some programs; however, we have a very good tutorial and this should be done first, prior to posting your HJT log.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem: read the following guide and then wait for us to ask you to post your HJT log as an attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!


    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Again after you post back to let us know if you are still having the problems please be as specific as possible as to what you couldn't complete and as to what problems still exist as the more information we have the better we will be able to help you.

    Please also be patient in waiting for replies and responses as there are a limited number of people who are able to help you and as you can see by the posts on this forum there are many people out there who have questions/problems. Thanks and again welcome to MG :)

    sw:)
     
  3. shewolf

    shewolf Specialist

    I do see a lot of nasties in your log, but I want you to first go through the READ ME FIRST tutorial and complete all steps, and post back with what you could and couldn't complete, and also let us know if your problems still exist.

    Thanks..
    sw:)
     
  4. TheOldThug

    TheOldThug First Sergeant

    Shewolf

    At the minimum Hollywood has a VX2 infection and may need an LSPfix on those line 10's; you are right about those nasties.
     
  5. Hollywood

    Hollywood Private E-2

    I have run most all of those programs.

    Ad-aware
    Pest-patrol
    Microsoft antispyware (which finds one every time I run it; it keeps coming back)
    CWShredder
    spybot

    I figured I would try for some help here to remove all the nasties before backing up some folders and just reformatting (I hate doing that! haha).

    Thanks for any help you all can give me. The pop up advertisements and casino crap downloading and installing to my desktop is really pissin me off.

    Hollywood
     
  6. Hollywood

    Hollywood Private E-2

    Oh yes and I forgot.........I ran spyware doctor also. When I remove the stuff it won't let me connect to the internet upon rebooting.

    Hollywood
     
  7. TheOldThug

    TheOldThug First Sergeant

    The PROS in this forum suggest you do not use the Microsoft Spyware program at this time. It has too many false positives and actually causes problems in some of the Microsoft files and programs. If you have run through the whole tutorial, then post a HJT log as Shewolf stated in the #2 post of this thread. The log should be AFTER you run all of the READ ME FIRST.
     
  8. jarcher

    jarcher I can't handle a title

    Most?
    My suggestion. . .

    close IE
    run through the complete read me's (both of them)
    run CWShredder and the rest given in the text(make sure they are all up to date!!)

    ALSO:
    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix


    NEXT:

    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Please do the same for winlspak.dll.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Now, continue on with Jarcher's instructions and post a fresh HJT log.


    End this task, find and remove it:
    C:\WINNT\system32\vmss\vmss.exe (adware)


    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch (all of them)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com


    O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Bob Barker\Local Settings\Temporary Internet Files\Content.IE5\6CE17HK8\msconfig[1].exe /auto
    O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
    O4 - HKCU\..\Run: [delmsbb] C:\WINNT\delmsbb.exe
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

    Boot to Safe Mode with Viewing of Hidden Files Enabled and delete these Files or Folders:
    C:\WINNT\system32\vmss
    O4 - HKCU\..\Run: [delmsbb] C:\WINNT\delmsbb.exe
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan

    then post another HJT Log
     
    Last edited by a moderator: Feb 8, 2005
  9. PhilliePhan

    PhilliePhan Guest

    Hollywood,

    In addition to a fresh HJT log after doing the above, do the following:

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix log along with the fresh HijackThis log and we’ll see where you stand. I will try to check back as time permits.

    PP :)
     
  10. Hollywood

    Hollywood Private E-2

    Ok......I have done all that's been asked. I assumed I was to remove the
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch (all of them)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com

    which I did in safe mode through the HJT? When I rebooted they were back.

    After doing everything in the read first section, these were gone:
    O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Bob Barker\Local Settings\Temporary Internet Files\Content.IE5\6CE17HK8\msconfig[1].exe /auto
    O4 - HKCU\..\Run: [delmsbb] C:\WINNT\delmsbb.exe

    Here is the log now as requested.

    Also here is the report for L2MeFix

    Thanks for all your help
    Hollywood
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi Hollywood,

    Here are the NEXT STEPS:
    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go wacky for a bit, but just let it run. It should eventually cough out another log in Notepad. Please attach that log.

    Again, don't run any other files in the L2MFix folder.


    ALSO:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with the L2MeFix Log.

    Will check back when I get a chance.

    PP :)
     
  12. Hollywood

    Hollywood Private E-2

    Thank you so much for your time and help PhilliePhan. Here are the 2 file logs now.


    Hollywood~
     

    Attached Files:

  13. Hollywood

    Hollywood Private E-2

    It won't let me upload the report for L2MFIX?
     
  14. PhilliePhan

    PhilliePhan Guest

    Rename the L2MeFix Log something different and try again!


    On we go.......

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    THEN
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.


    NOW, you will be entering items into Pocket KillBox. Please open KillBox and select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Also, check the box to “End Explorer Shell While Killing File” for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:


    C:\WINNT\system32\wsxsvc
    C:\WINNT\system32\iuzunb.dll:
    C:\WINNT\system32\lmpmaw.exe:
    C:\WINNT\system32\lzgzqo.dll:
    C:\WINNT\system32\voyogr.exe
    C:\WINNT\system32\wyqykb.dat
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpypit.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixnrtr.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-



    Now:
    DoubleClick on the fixnrtr.reg file you made and allow it to merge the registry entries into the registry.


    Finally, reboot and give me another Find.bat Log and HijackThis Log and we'll clean out the remnants. I'll check back when I can - May be Wednesday, though.

    PP :)
     
  15. Hollywood

    Hollywood Private E-2

    Here are the 2 logs you ask for. :)


    Thanks
    Hollywood~
     

    Attached Files:

  16. PhilliePhan

    PhilliePhan Guest

    You're Welcome :)

    Fix these lines with HJT:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch


    Give me a fresh HJT and a new Find.bat log from the Generic Detection Tool and tell me how things are running now.

    PP :)
     
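A defender-side triage helper for the HijackThis O1 and O4 lines quoted in posts 8 and 16 above (an added example, not a MajorGeeks tool and not part of the thread): it parses constructed log lines modelled on those entries and flags hosts entries that point a public name at a non-loopback address, plus Run entries launched from a browser cache or temp folder. The regex patterns and the sample lines are my own assumptions about the HJT log format.

```python
import ipaddress
import re

# Constructed sample HijackThis log, modelled on the entries quoted in this thread
SAMPLE_HJT_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [MSConfig] C:\\Documents and Settings\\Bob Barker\\Local Settings\\Temporary Internet Files\\Content.IE5\\6CE17HK8\\msconfig[1].exe /auto
O4 - HKLM\\..\\Run: [vmss] C:\\WINNT\\system32\\vmss\\vmss.exe
O4 - HKCU\\..\\Run: [Spyware Begone] c:\\freescan\\freescan.exe -FastScan
O4 - HKLM\\..\\Run: [SoundMan] C:\\WINNT\\SOUNDMAN.EXE
"""

# Assumed shapes of the O1 (hosts file) and O4 (Run key) lines
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

# Locations a legitimate autostart entry should essentially never launch from
SUSPICIOUS_PATH_FRAGMENTS = ("temporary internet files", "\\temp\\", "\\local settings\\")


def suspicious_hosts_entry(ip, host):
    """A hosts entry is expected only for loopback; anything else overriding a name is a redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # not even a parseable address: treat as tampering
    return not addr.is_loopback


def suspicious_run_entry(name, command):
    """Return a reason string if the Run command looks dropped by malware, else None."""
    lowered = command.lower()
    if any(frag in lowered for frag in SUSPICIOUS_PATH_FRAGMENTS):
        return f"autostart '{name}' runs from a browser-cache or temp location"
    return None


def triage(log_text):
    """Walk the log and return (line, reason) pairs worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if suspicious_hosts_entry(ip, host):
                findings.append((line, f"hosts file redirects {host} to non-loopback {ip}"))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            reason = suspicious_run_entry(name, command)
            if reason:
                findings.append((line, reason))
    return findings
```

Entries such as the vmss.exe Run value above are deliberately not flagged by this heuristic; a binary in an odd system32 subfolder still needs a human or a hash lookup, which is exactly why the specialists in this thread keep asking for a fresh log after each step.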
  17. Hollywood

    Hollywood Private E-2

    So far everything seems to be running a little quicker, and no pop up ads. Finally I don't wake up to find that crap casino downloaded to my desktop!! You are a computer God!! ;)

    Here are those 2 logs.


    Hollywood~
     

    Attached Files:

  18. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    You should check your Recycle Bin and make sure it is working properly. If not, repeat the step above concerning Pocket KillBox and C:\RECYCLER\Desktop.ini . Other than that, things look good!

    Be sure to have a peek at Chaslang's suggestions!!

    Happy Computing :)
    PP
     
  19. Hollywood

    Hollywood Private E-2

    When I did this the first time:
    It said "Does not seem to exist"

    I thought that was cool cause we were gonna delete it anyway. I checked the Recycle Bin and it is in good working order.

    Again, I can't thank you enough!!! I sure wasn't looking forward to reformatting. I will be checking out Chaslang's suggestions!!

    Thank you,
    Brent AKA. Hollywood~
     
  20. PhilliePhan

    PhilliePhan Guest

    You're welcome! :)
     
