Help Please! Re: VX2 problems, CWS, still getting pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by NancyMitchellpdx, Feb 18, 2005.

  1. NancyMitchellpdx

    NancyMitchellpdx Private E-2

    Hi. I am a semi-novice computer person. For the past year we have had a ton of pop-ups, extremely slow surfing, random shutdowns. Finally got McAfee anti-virus updated, and installed McAfee Firewall. It removed a few dozen viruses. I thought that would solve problems, but still had pop-ups and slow surfing and shutdowns. I found this web site a few weeks ago and have followed every step in the FAQ "before you post Hijack this log file...". However, I am still getting pop-ups and slow surfing. I have rerun Ad-Aware at least 20 times, and still am getting CWS which it removes, and VX2 which it says it can't remove, but will try upon reboot. It never can remove it, even when I run and reboot in Safe Mode. I also run the VX2 tool in Ad-Aware, but it says my system is clean, even though the main Ad-Aware finds it! Additionally, whenever I log on to the internet I get an error message saying something like "error in running dll for UMonitor" which I assume is left over from some spyware, but how do I get rid of that error message? And is there any way to keep the CWS off the computer? Once I remove it it seems to get back on here somehow. I have SpyWare Blaster.

    I need help! Does anyone have a suggestion? I feel I am not savvy enough to do this Hijack This file, but I am getting there.

    Any advice/commiseration is appreciated!
    Thanks
    Nancy
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Nancy,

    We have seen plenty of these the last few months! Please send me a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.


    PP :)
     
  3. NancyMitchellpdx

    NancyMitchellpdx Private E-2

    Here is my hijack this log file, I hope I did it right and uploaded it right. :(

    Thanks
    Nancy
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi Nancy,

    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    NOW:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Uninstall Viewpoint in Add/Remove Programs

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =64.136.29.30;64.136.21.30;64.136.29.34;. . . .

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    These will come back
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - Global Startup: kfgipn.exe

    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB

    O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\o4lu0e39eh.dll

    O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\A3K3ABOX\cwshredder[1].exe (file missing)
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if it should remain:

    C:\WINDOWS\system32\n20050308.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NOW:
    Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix log along with a fresh HijackThis log and we’ll see where you stand. Please TRY NOT TO REBOOT after scanning for these logs!! I will try to check back as time permits.

    Best Luck :)
    PP
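    As an added illustration (not part of this thread or of HijackThis itself), the following Python script triages HijackThis-style entries of the kinds PP lists above: hosts-file lines that redirect search domains to a remote address, a browser proxy pointing at a local port, and autostart or Winlogon Notify entries whose file names look machine-generated. The sample lines are constructed from the entries quoted in this thread plus one benign hosts line as a control; the "random name" check is a simple heuristic of my own, not a HijackThis rule.

```python
import re

# Constructed sample: HijackThis-style lines as quoted in this thread,
# plus one benign hosts entry (the last line) as a control.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900",
    "O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    "O1 - Hosts: 69.20.16.183 search.netscape.com",
    r"O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe",
    r"O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\o4lu0e39eh.dll",
    "O1 - Hosts: 127.0.0.1 localhost",
]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?:http=)?([\d.]+):(\d+)")
# O4 (Run / Startup) and O20 (Winlogon Notify): capture the trailing file name.
AUTORUN_RE = re.compile(r"^O(4|20) - .*?([^\\\s]+\.(?:exe|dll))\s*$", re.IGNORECASE)
LOOPBACK = ("127.", "0.0.0.0", "::1")


def looks_random(filename: str) -> bool:
    """Heuristic (assumption, not a HijackThis rule): a stem of 8+ characters
    mixing letters and digits, like n20050308.exe or o4lu0e39eh.dll."""
    stem = filename.rsplit(".", 1)[0].lower()
    return len(stem) >= 8 and bool(re.search(r"\d", stem)) and bool(re.search(r"[a-z]", stem))


def triage(lines):
    """Return (line, reason) pairs for entries a helper would want to review."""
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts entry sending a real domain to a non-loopback IP is a redirect.
            if host != "localhost" and not ip.startswith(LOOPBACK):
                findings.append((line, f"hosts file redirects {host} to {ip}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            ip, port = m.groups()
            if ip.startswith("127."):
                findings.append((line, f"browser proxied through local port {port}; verify the listener"))
            continue
        m = AUTORUN_RE.match(line)
        if m and looks_random(m.group(2)):
            findings.append((line, f"autostart of randomly named file {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```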
     
  5. NancyMitchellpdx

    NancyMitchellpdx Private E-2

    Uninstall Viewpoint in Add/Remove Programs- This wasn't listed as a program when I opened it???

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - Global Startup: kfgipn.exe: this wasn't found in the new Hijack This log

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if it should remain:

    C:\WINDOWS\system32\n20050308.exe- This wasn't found

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    I ran CCleaner OK. I ran Spybot and it found IGetNet, 2 instances of "Common Hijackers", and 6 different CoolWWWSearch. When I clicked Fix, it showed 3 fixed (first 3), but none of the CoolWWWSearches. I ran CWShredder and it got rid of 2 things (I hope that was okay to do :( )

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK. Done


    I rebooted and ran L2MeFixTool then HijackThis. Here are the two new files.

    By the way, as I connected to the internet I had 2 pop-ups try to redirect me.

    What next?

    Thanks,
    Nancy
     

  6. PhilliePhan

    PhilliePhan Guest

    Hi Nancy,

    Sorry about the Viewpoint thing - Bit rushed :cool:

    Please don't run any tools other than the ones I list - We'll get you fixed up! It is a fairly long process, but usually a successful one :)

    I am heading out the door, but here is the next set of steps:

    Please make sure ALL Browser Windows are Closed!

    NOW
    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go wacky for a bit, but just let it run. It should eventually cough out another log in Notepad. Please attach that log.

    Again, don't run any other files in the L2MFix folder. And, again, try not to reboot!

    ALSO
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with the L2MeFix Log and we’ll see where you stand.

    I will try to check back when I can.....Likely early Saturday evening.

    PP :)
     
    Last edited by a moderator: Feb 18, 2005
  7. NancyMitchellpdx

    NancyMitchellpdx Private E-2

    Hi PP

    I ran the L2MFix Fix, I'll attach the log.

    I ran the find.bat, I'll attach that as well.

    Thanks
    Nancy
     

  8. NancyMitchellpdx

    NancyMitchellpdx Private E-2

    I also reran HijackThis. I didn't select any fixes, I just generated a new log. Here that is.

    Nancy
     

  9. PhilliePhan

    PhilliePhan Guest

    Hi Nancy,

    Let's see if we can wrap this one up!!

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    NOW, you will be entering items into Pocket KillBox. Please open KillBox and select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Also, check the box to “End Explorer Shell While Killing File” for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\SYSTEM32\ispnua.dll
    C:\WINDOWS\SYSTEM32\liuqzp.dll
    C:\WINDOWS\SYSTEM32\lxuamq.exe
    C:\WINDOWS\SYSTEM32\vqugok.exe
    C:\WINDOWS\SYSTEM32\wgukyv.dat
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kfgipn.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixnrtr.reg
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-
    Now:
    DoubleClick on the fixnrtr.reg file you made and allow it to merge the registry entries into the registry.



    Now scan with HijackThis and Check the Boxes for the following:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    Again, make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Check your Recycle Bin to make sure that no problems remain.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.


    NEXT:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.


    Finally, reboot and give me another Find.bat Log (From Generic Detection Tool) and HijackThis Log and tell me how things are running now and whether you had problems with the above instructions! Will check back as time permits.

    PP :)
     
  10. NancyMitchellpdx

    NancyMitchellpdx Private E-2

    Hi PP,
    I did everything in your previous post. When I ran HijackThis the first time, there was no O1 - Hosts: 69.20.16.183 auto.search.msn.com, but the other 2 were there so I checked them.

    There was nothing extra in the Recycle Bin, so I didn't do the Pocket KillBox for the Recycler.

    I ran the VX2.Finder and clicked the UserAgent$ Button and the Restore Policy. Guardian.reg was not enabled.

    I downloaded Hoster and followed the instructions with no problems. But I do have a question on this: when I opened the program it had a button saying my Hosts files are writable, do I want to make them "Read Only"? I didn't click it, but is this something I should go back and do? Will it keep my computer safer?

    I reran the Find.bat and the first time it quit so I started it again and I'll attach that log.

    I reran Hijack This and will attach that log too.

    I haven't had any pop-ups yet this time on the internet, so I hope this spyware stuff is finally gone! Thank you for your help; these forums are lifesavers for computer illiterates like me!

    Nancy
     

  11. PhilliePhan

    PhilliePhan Guest

    In theory, making the Hosts file "Read Only" so that it cannot be altered is a fantastic idea. In reality, most malware laugh at this and abuse the Hosts file anyway! Still, if you want to do that, go ahead!
    You're Welcome! Happy to help :)

    Your Logs look OK. Things should be running properly now. While you're here, have a peek at Chaslang's Commandments!! to help safeguard your machine against further infections.

    Happy Computing :)

    PP
     