Frustrated

I'm not very computer literate, but it appears that my browser may have been hijacked. I am continually getting redirected to other sites. I run Spybot after being on-line, and it shows I have the following CWS files:
bootconf, loadbat, msconfd, oslogo, tapicfg, and xmlmimefilter. When I run CWshredder, it fixes the bootconf only. I run Ad-Aware, and it says I have "vx" but i can't delete all the files. I have Xoftspy which had been showing that I had the CWS Trojan combo, however that has not shown up on the last few scans.

Any suggestions would be greatly appreciated.

 

Dr. C,

Thanks for your reply. My computer seems to be operating a little better. Although, I am still getting re-directed periodically when I'm on-line. I ran all the scans that you recommended and updated all the items, however I could not run some of them in safe mode (I could not get connected to the internet in safe mode). I am running Windows XP and now have the Firefox browser.

When I run Ad-aware, it says I have the VX2 malware (although I have the VX2 plugin) and it says I have a "redirect" (69.20.16.183 ieautosearch).

Spypot and Xoftspy report nothing. CWshredder removes the bootconf file. My Antivirus (Solo) reports nothing.

Do you have any further advice or suggestions?

 

First:


Download the following items:

KILL 2 ME.zip

L2MeFix Tool

Generic Detection Tool - NT/2000/XP

VX2.BetterInternet Finder XP/2k - Version Msg126

Pocket KillBox

DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!


Second:



Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


Third:

Extract the Generic Detection Tool - NT/2000/XP to your desktop. Run findit.bat. Allow it as much time as it needs to complete. Once its completed post this log as an attachment as well.


We are very busy here at MajorGeeks.Com Chaslang will check back when time permits.!

You have to select "Safe Mode with Networking" to access the internet in safe mode.

Edit by chaslang: Also if you really cannot connect in safe mode, did you run the online scans in normal boot mode as the READ ME indicates. If not, please do so.

 

Hey guys. I hope I did this right. I've attached the first two items you requested. I'll proceed with the other process.

Thanks,

ChuckyV

 

Dr. C,

Here is the L2mfix log.

 

Hi Chucky,

Looks like BJ & Chas are tied up.

NEXT STEP:

Please make sure ALL Browser Windows are Closed!

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go crazy for a bit, but just let it run. It should eventually cough out another log in Notepad.

Again, don't run any other files in the L2MFix folder.

Please attach that Log along with a fresh Find.bat log. One of us will try to check back shortly to take a look and give you the next set of steps!

PP

 

PP,

Thanks for your response. I've attach the log you requested.

ChuckyV

 

Dr. C,

Here are the new logs you requested.

Thanks,

ChuckyV

 

Dr. C,

I've attached the latest log. So far so good. Any other suggestions?

ChuckyV

 

Hi Chucky,

We have been seeing a lot of these cases where HJT cannot remove BHO remnants from the resistry. I'd like you to try three things to see if they work:

Plan A

Please Boot to Safe Mode.

Now scan with HijackThis and Check the Boxes for the following:

O2 - BHO: (no name) - {40276BE4-4DD4-899B-622D-F6B508F7EAA7} - (no file)
O2 - BHO: (no name) - {E4947D86-EB24-BEEA-5187-ED7ABE07B673} - (no file)
O2 - BHO: (no name) - {F5778509-07E9-0CE5-E802-9C7DFC2EF410} - (no file)

Be sure All Browser Windows are Closed when you Click FIX.

Reboot to Normal Windows and rescan with HJT to see if those 02 lines remain.



If they remain, then on to Plan B:

Please download the old HijackThis v1.98.2 from here: HijackThis v1.98.2

Extract it from the ZIP to its own folder – C:\Program Files\HJT 1982

Now, scan & fix with this version as per the previous instructions (Safe Mode, etc…) and see if that gets them!


If that fails, then on to Plan C:

Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it FixBho.reg



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID]
"{40276BE4-4DD4-899B-622D-F6B508F7EAA7}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows CurrentVersion\Explorer\BrowserHelperObjects]
"{40276BE4-4DD4-899B-622D-F6B508F7EAA7}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID]
"{E4947D86-EB24-BEEA-5187-ED7ABE07B673}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows CurrentVersion\Explorer\BrowserHelperObjects]
"{E4947D86-EB24-BEEA-5187-ED7ABE07B673}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID]
"{F5778509-07E9-0CE5-E802-9C7DFC2EF410}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows CurrentVersion\Explorer\BrowserHelperObjects]
"{F5778509-07E9-0CE5-E802-9C7DFC2EF410}"=-




Now:
DoubleClick on the FixBho.reg file you made and follow the prompts to allow it to merge these entries into the registry.


With luck, one of these methods ought to do the job! Let me know how you fare and which method worked (if any ) and any problems you may have run into.

PP

EDIT PP: Remove this line too - - > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

 

PP,

No luck on removing the BHO. When I tried Plan C, I did not get any prompts after opening the file in notepad. Did I do something wrong?

 

Did you save it correctly as FixBho.reg?

This is odd - a new batch of unknown BHOs that cannot be removed from registry.

Please doublecheck Plan C procedure again and if that doesn't work, we can remove these manually via regedit.

PP

 

PP,

Sorry about the delayed response (had to work today). I think I did Plan C right that time, but it still did not fix the BHOs. However, my computer is running great!! I ran all my scans, and they all came up clean. Should I turn back on the System Restore now? I want to thank you guys so much for the help. I've already recommended the site to several friends.

Thanks again,

ChuckyV

 

You're welcome!

No harm in turning System Restore back on. Chaslang is correct that we could use a guinea pig to poke around trying to delete those BHO Remnants, but we'll figure it out on our own - No worries!

While you're here, be sure to check out Chaslang's Recommendations!!!

PP