First thread - pls help - completed tutorial

Have read and completed the tutorial.

History:
Win 98
500mhz
Never a virus/troj or worm (till last week)
Very limited security software as have had 6 yrs safe surfing

Initial problem:
Bad click and a plug-in started. Shut down pc. Too late.
Google homepage hijacked to //213.159.117.134/index.php

Immediately researched and loaded ad-aware, spybot, trend micro.
Home page is back to google via a fix from one of the above, but on
occasion the default arrives as the nl version of google which must
be part of the problem.

Today's effort and in conjunction with your tutorial..with the
exception of: not being able to run McAfee in safe as well as not
running about:buster and HS remove per a note in the instructions.

Results

Trend Micro - Infected
Pop up saying "Please reboot to completely clean Trojan"
Clicked ok and began scan.
Troj agent.bt non cleanable c:\windows\system\akrules.dll
" " \temp\akrules.dll
Troj narrator non cleanable c:\windows\hlhuum.exe
" " \clcuuz.dll

(note: found troj small.01 2 days ago but not in this effort)

Symantec
C:\program files\common file\install.exe infected with
W32.friendgreet.dr
C:\program files\common file\launch.exe infected with
W32.friendgreet.worm

Ccleaner - okay

Ad-aware
Consistenly mentions "program has performed and illegal operation"
Then proceeds
Finds 100+- items to include Coolwwwsearch, alexa, peopleonpage,
Click spring, re-direct host file 69.20.16.183 ieautosearch,
Ad-destroyer amoung others
Quarantine bar loads, then delete bar loads and pc freezes at that point.
This leaves me feeling nothing occurred here.

Spybot
Finds:
Common Hijacker
Coolwwwsearch.bootconf
.loadbat
.msconfd
.oslogo
.tapicfg
.xmlmimefi
Igetnet
DSO Exploit
PeopleonPage

Is never able to fix coolwwwsearch items.

Cwsheddar run - First attempt was "program performed illegal operation"
And froze. I then did a scan only, and then fix and it found
Nothing.

Kill2me - nothing to report.

I also ran HJT and have a log if a review is requested.

Many thanks in advance for the efforts to help out.

Also, as a side the pop up that seems most prominent after
all these efforts, and seems ready to visit as soon as I boot up is
has the following in its border s.clkoptimizer.com

Regards.

 

If you have followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal please read below:

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed,including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

As requested. Please forward next steps.

Regards.

 

I thought I had posted properly - my apologies.

Now, I am getting an error message stating the upload is in progress. It is not attaching to this thread.

Thanks.

 

Once HJT posts its log I make a copy in notepad as a .txt(and this is what I am trying to attach)

In this case I named the HJT file hijackthis_0101511 (date and time is the extension)

I just renamed the file hijackthis_0102 (date only) to see if it would work - it did not. Maybe the underscore is an issue?

I hit post reply
Manage attachments
browse
open
upload

and in your control panel the message is upload error, upload already in progress. There is also a delete function that I tried in an effort to start over, but it does not want to delete the original log.

 

Okay, got it to attach this time. Not sure what was happening prior. Could someone please review and forward your reccomendations.

Many thanks.

 

Ok, Before we fix anything with HJT lets start with removing the "files" follow me below:

1) Boot into Safe Mode

2) First be sure you have "Hidden files and folders" enable per the tutorial. Now look for the following folders:

C:\PROGRAM FILES\SED <--- Delete this whole folder!

C:\PROGRAM FILES\VBOUNCER <--- Delete this whole folder!

C:\Program Files\AutoUpdate <--- Delete this whole folder!

3) Now go into the directory "C:\WINDOWS\SYSTEM" and find the file aklsp.dll and delete it!

4) Reboot, post new HJT log so we can fix further problems.

 

Now, lets start with the below entries:

O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll

1) Download LSP - Fix

2) Run LSP-Fix, now the file aklsp.dll should already be on the right all you need to do is click "finish" but if NOT, select the file aklsp.dll on the left and select "I know what im doing" and move it to the right. Then click finish, Reboot!

NOTE: DO NOT CLICK ON ANY OTHER FILE OTHER THAN AKLSP.DLL, DOING THIS WILL CAUSE THE LSP CHAIN TO BE BROKEN!!

3) Now lets fix these entries with HJT, please close ALL browsers before fixing anything with HJT!

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {21946AE0-2271-11D3-9010-B00650C10000} - http://www.dell.com/ (file missing) (HKCU)
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {48BAE8BB-A034-11D2-B9D3-00C04F753F09} (BridgeChannel) - http://etrade.bridge.com/bc1/java/install.cab

NOTE: Some of these MAY already be removed but just in case fix all the above, reboot and post new HJT log. Let me know how things are running!

 

Thanks bj.

Questions prior to my beginning. I am all set(understanding your direction) with your first post.

Do you need to see the HJT log (following first efforts) prior to my addressing the 010's and downloading LSP Fix? Also, I would download LSP fix prior to doing anything with the 010's correct?

Lastly, I will need to be in normal mode to download the LSP does the present any problem.

Thanks.

 

1) Complete everything in post #9 FIRST! (HJT log can wait until all steps are complete)

2) After removing those entries, reboot and procede to post #10

3) After both post are complete, post new HJT log

 

Started in on post #9

1. Deleted SED folder

2. No VBouncer in program files. Did search and found vbouncer folder in:
c\windows\all users\application data

Also found VBouncer, Vbouncer 1,2,3,4 in c\windows\application data\spybot-s&d\recovery

Prior to deleting that folder I just want to make sure with you that "where" it resides is okay. Just want to be safe not sorry.

3. Auto update folder is in program files and will be deleted upon hearing back from you on the Vbouncer question.

 

Delete everything that says Virtual Bouncer

 

It is safe in this location. But remove it from any other location.

 

Hello.

Too late on the last message I dumped everything that had Vbouncer. As well as the SED and Auto Update folders.

At reboot (normal) spysubtract noticed a bad set-up in the start configuration and prompted for a fix yes or no. I said no the first time tried the IE tab and had no connection to the net. At second boot said yes, it fixed what it needed and am able to connect although I have google set as homepage I can see it redirect through some 64.XXX.XXX.XXX on its way to google.

I cannot seem to get the link to LSP fix to generate anything. I hit your link it brings me to your download where 4-5 locations are listed. I have hit them all, but all end up with an IE page stating "cannot find page". Help!

Thanks.

 

1) Download LSP-Fix

2) Post me current HJT log after downloading this tool. Do not run it yet.

 

hey oz151, I'm sorry to bail out on you like this but I have to, chaslang will complete your thread. Nice working you!

 

Chaslang,

Would you please detail the fix for me?

Thanks.

 

Hi Chaslang-

Here is the most recent HJT file. Yes I now have LSP fix downloaded.

Thanks.

 

Thanks. Do I need to do anything with the LSP fix prior to this effort as it was part of the prior posts?

 

Hi Chaslang-

Currently on a different pc. Couple of questions/commets prior to the new boot in normal mode.

1. Did not find HKHGGP.EXE in Startup (it may have already been deleted)
2. Progra~1\toolbar (cannot locate the folder)
3. Did not find Program files limeshop (may have already been deleted)
4. Proga~1\common~1\wintools (cannot locate folder)

5. Question on deleting chngline.exe - this appears to be an original file from Dell Corp dated back upon purchase date. It say it alters lines in the autoexec.bat
DELETE ANYWAY?

6. I found 3 other suspicious files created around the event of this takeover while undertaking this effort.

a. C:\CXTPLS_Loader.exe DELETE OR KEEP
b. C:\Icon reads INSTALLER INSTL~1.EXE DELETE or KEEP
c. C:\hlhuum.exe DELETE OR KEEP

At this point I have hundreds of files in my recycle bin - should I purge it or keep these thing around in case of a need to restore.

Thanks.

 

Chaslang-

Regarding the chngline.exe question. I right clicked on the file, properties and under the general tab it does not show a "created" date, but does show a modified date of 05/99 (when I purchased the pc). The under the versions tab under corporation it reads Dell.

Thoughts? Thanks.

 

Hi Chaslang-

Completed the efforts of post #24 along with our follow-up communication.

Things are better, but I know(feel) I'm not completely out of the woods. Anyway I ran a HJT immediately following the normal boot, and then I surfed a couple of places cnn.com being one spot, and I did get a popup (lending tree or one of those I've seem before and consider harmless).

Attached is the HJT following the minor surfing effort. The only difference in the two logs is this one (post surfing a bit) has the following line.
c:\windows\system\DDHELP.exe otherwise they match line for line.

I am still getting a default to the google netherlands site vs. the traditional site which leads me to believe something is still lurking. Any other advice would be greatly appreciated. Thanks so much for your time thus far.

 

Hi Chaslang,

I went directly to Trend Micro this morning after completing the fixes and forwarding the post last evening.

They found (narrator Troj) in two instances. hlhuum.exe, clcuuz.exe

Symantec would not let me connect due to some activex need.

Ran ad-aware in safe and normal found: 24 negligable objects in safe 10 in normal

Ran spybot in safe and normal found: DSO expoit in both instances

Ran Spysubtract found (these seem to be the most persistent):

IBIS,LLC 24 items
Effective-i inc 1 item
Apropos media 4 items
Clear search Inc 2 items
Messenger plus 9 items
Spyware labs (vbouncer install)

I did change my internet home page to majorgeeks per your comment, and it worked fine, but the fact that I can't direct to google.com without being hijacked to google.nl alerts me to believe there is still some cleaning to be done.

Thanks very much.

Also, would you know what lpt$vpn.333, vptnfile.333 and TSC.exe represent.

 

Hi Chaslang-

Nothing builds into the contents file while scanning; therefore no file is attached.

Thanks.

 

Hi oz151,

Download this tool and run find.bat - let it run for as long as it needs and please attach the output file so Chas can take a peek.

Generic Detection Tool for 9x/ME ---> You’ll need to Click “Agree”

PP

 

No problem!
I've got to find the time to play around with Agent Ransack and see if we're configuring it properly. . .

PP

 

Hello.

Here is the find-it output file.

Thanks.

 

Hi Chaslang,

I have been traveling for a few days....anyway...did you see anything in this find it file of interest?

Thanks.