Help plz!

Discussion in 'Malware Help (A Specialist Will Reply)' started by BrandonB, Jan 9, 2005.

  1. BrandonB

    BrandonB Private E-2

    Ok.. I got up this morning to my computer screaming about finding a virus/trojan (my virus scanner runs a deep scan once a week).


    So when I got home from work I started working on it..

    So far I've gotten rid of some things messing with the Winsock stuff.

    What's left is about to drive me crazy.

    CWS.bootconf and
    CWS.svchost32 aren't found until I open IE.

    I can't find any of the files that different sites on the internet listed. The CWShredder program crashes when I try to remove them.

    I ran Ad-Aware and while it was running WinLogon.exe crashed and I got a BSOD (the first time I've seen one since I've had XP). When that crashed, the computer shut down. Now the only way to boot is in safe mode.

    Also I've been having several "Cannot read from memory" errors the last week or so that I can't help but feel are related somehow. (In fact, it just had one in explorer.exe while I'm running Ad-Aware trying to get rid of everything I can find.)

    The Recycle Bin won't display either. The window will come up but the folder contents are blank, and it won't delete the 20-ish files in there.


    Ugh.. Help please!
     
  2. tigerray00

    tigerray00 Specialist

  3. BrandonB

    BrandonB Private E-2

    Ok... done...
    Everything ran in the order it was written in. Also ran avast! Antivirus and Ad-Aware about 5 times.

    Still having problems with the CoolWebSearch things... still crashes CWShredder.


    Still crashing windows programs with a "cannot read from memory" error.


    Every time I run Ad-Aware it finds more. (I've run it twice in a row and the second time it actually found more problems than the first.)

    Still getting random popups..

    Still have icons appearing on my desktop..

    Ugh.
     
  4. BrandonB

    BrandonB Private E-2

    Also when I clean with Ad-Aware the start bar disappears for a few seconds, then it and the My Documents folder open..

    ?


    I can't believe I got all this crap in a week.
     
  5. BrandonB

    BrandonB Private E-2

    Been at work all day.. Came home and 6 IE windows had popped up.. :( (The computer was even running in safe mode...)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First run this:

    CoolWWWSearch.SmartKiller (v1/v2) MiniRemoval

    Then try running CWShredder and see if it works now.

    If you still have problems, follow the below guidelines and post a HijackThis log attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail client. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  7. BrandonB

    BrandonB Private E-2

    Notes :

    All the entries under O1 have been deleted several times.
    And iexplore is said to be running. When I saved the logfile an ad window popped open.
     

    Attached Files:

  8. BrandonB

    BrandonB Private E-2

    Also the program you had me run didn't find anything. I did find out that I can get CWShredder to run if I just scan, then scan and fix. If I just scan and fix, it crashes. It deletes the entries but they come right back.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that you must exit all browsers before running HijackThis. You had this running:
    C:\Program Files\Internet Explorer\iexplore.exe

    Also please disable the MD5 calculation in HJT. We don't need it and it just adds to cluttering the log file.

    You have the latest VX2 infection problem. Download the below tools (only run what I specify):

    http://www.downloads.subratam.org/DllCompare.exe

    Pocket KillBox

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Generic Find It Tool - NT/2000/XP

    Extract all the files from the Generic Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.
     
  10. BrandonB

    BrandonB Private E-2

    I didn't have IE running. Some of the spyware opened a window as the log was saving.

    Here's the other log.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have picked up another problem since your last HJT log too. I see Virtual Bouncer.

    C:\PROGRA~1\VBouncer\VirtualBouncer.exe

    Go to Add/Remove Programs and see if there is an uninstall for it. If so, uninstall it.
    If not, post a current HJT log now while I work up a procedure for the VX2 problem you have.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is a list of files that we need to delete using PocketKillbox.

    C:\WINDOWS\System32\kt86l7ls1.dll
    C:\WINDOWS\System32\k8js0i17e8.dll
    C:\WINDOWS\System32\mdc71d.dll
    C:\WINDOWS\System32\mpang.dll
    C:\WINDOWS\System32\n22ulcf91f2.dll
    C:\WINDOWS\System32\f42m0ef1eh2.dll
    C:\WINDOWS\System32\mmc70u.dll
    C:\WINDOWS\System32\ntrses.dll
    C:\WINDOWS\System32\LRTIF12n.DLL
    C:\WINDOWS\System32\pod.dll



    and C:\WINDOWS\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\kt86l7ls1.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    After it reboots get another find.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.

    Also post a new HijackThis log.

    Important:
    Also run Windows Explorer and look in C:\WINDOWS\System32 for the file guard.tmp. Tell me if you see it or not.

    Looks like I beat you in posting this before you responded to my last message.
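    The "Replace on Reboot" option used above works by queueing the deletions with the Windows Session Manager, which processes them at the next boot before the DLLs can be loaded again. The request lives in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, laid out as (source, destination) pairs: an empty destination means delete, a destination starting with "!" means overwrite. The following is an added example (not Pocket KillBox's own code and not from this thread) that builds and reads that value so you can audit what is queued for the next reboot; the "Use Dummy" modelling in the comment is an assumption about how KillBox uses the same mechanism.

```python
# Added example: encode/decode the PendingFileRenameOperations value that
# "delete/replace on reboot" tools rely on. Not Pocket KillBox's own code.
# Layout (documented Windows behaviour): UTF-16LE strings separated by NUL,
# walked pairwise as (source, destination); the whole value ends in NUL NUL.
# Paths use NT object form (\??\C:\...). An empty destination deletes the
# source; a destination prefixed with '!' overwrites an existing file, which
# is what a "Use Dummy" style replacement would queue.
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"
Op = Tuple[str, Optional[str]]  # (source path, destination path or None = delete)


def encode_pending_ops(ops: List[Op]) -> bytes:
    """Build the raw REG_MULTI_SZ bytes for a list of queued operations."""
    parts = []
    for src, dst in ops:
        parts.append(NT_PREFIX + src)
        parts.append("" if dst is None else "!" + NT_PREFIX + dst)
    return ("\x00".join(parts) + "\x00\x00").encode("utf-16-le")


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(blob: bytes) -> List[Op]:
    """Read the value back. Delete entries contain an empty string, so the blob
    cannot be split like an ordinary MULTI_SZ; walk it pairwise and stop at the
    first empty *source*, which is the terminator."""
    items = blob.decode("utf-16-le").split("\x00")
    ops: List[Op] = []
    for i in range(0, len(items), 2):
        src = items[i]
        if src == "":
            break
        dst = items[i + 1] if i + 1 < len(items) else ""
        ops.append((_strip_nt(src), None if dst == "" else _strip_nt(dst.lstrip("!"))))
    return ops


def paths_changed_at_boot(blob: bytes) -> List[str]:
    """Every path the next boot will remove or overwrite, for review: the
    source always disappears, and a destination (if any) is replaced."""
    out: List[str] = []
    for src, dst in decode_pending_ops(blob):
        out.append(src)
        if dst is not None:
            out.append(dst)
    return out


if __name__ == "__main__":
    # Constructed sample: two of the file names from this thread, queued for deletion.
    queued = [(r"C:\WINDOWS\System32\kt86l7ls1.dll", None),
              (r"C:\WINDOWS\System32\guard.tmp", None)]
    blob = encode_pending_ops(queued)
    for src, dst in decode_pending_ops(blob):
        print("delete" if dst is None else f"move over {dst}:", src)
```

    On a live machine the current value can be shown with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`; anything that can write that key can also queue its own renames, so it is worth a look when a file keeps reappearing after reboot.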
     
  13. BrandonB

    BrandonB Private E-2

    Yessir it had an uninstall, but that's what's been happening. The more I fight these things the more suddenly appear.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I beat you back! Your fingers must be slower than mine! ;)
    Did it uninstall?
    Run the steps below.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have to get some sleep soon! So if you don't get back to me in a little while with those results, here is a VERY important piece of info. DO NOT REBOOT after getting the find.bat and DLL Compare and HJT logs. If you do, odds are that the VX2 infection will spread again and change file names, which means we will have to repeat the first step all over again.

    You can disconnect from the internet (physically unplug your internet connection) but do not reboot.
     
  16. BrandonB

    BrandonB Private E-2

    Well... I got an "NTLDR is missing" error. Now it won't let the computer boot up. I'm fixing to set it as a slave in this computer and see if I can figure out what happened. Ugh, I don't have an XP disk to recover from. The computer just came with one of those dang restore CDs that just format and start over.


    I take that back... I'll work on it wed. night.. I have to be at work in 5 hours. then a 17hour work day then I have to be up a few hours after that for my first day back to classes.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    I'm sorry about that Brandon! But none of the items I was having you fix should have caused this to happen. We have fixed these issues many times with the same procedure and it has always worked. If you can put this drive in another PC as a slave (or if you have a bootable WinXP CD around to use the Recovery Console), you may be able to restore those files we were deleting from the c:\!Submit folder where PocketKillbox saves backups. You can just copy them from c:\!Submit back to the C:\Windows\System32 folder. But I'm not sure they have anything to do with this problem. The NTLDR file is in the c:\ folder and we were not doing anything there.

    It does not make sense for this to happen though. Does it indicate to you a DLL filename that is missing in the error message? Is that the complete error message?

    You may be able to just copy the NTLDR file from another XP system to the root folder (that's C:\ ) of your system. I need to check on that. In fact, the NTLDR file should still be available on your PC in the c:\i386 (sometimes it is c:\windows\i386) folder. But you would still need to boot from a WinXP CD to get to the Recovery Console to copy this. Does anyone you know have a WinXP CD that you can use just to boot from? If so, here is how you should be able to fix this:

    1. Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

    2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    3. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

    4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

    5. At the command prompt, type the following command, and then press ENTER:

    copy C:\i386\ntldr c:\
    (but that assumes you have the c:\i386 folder. Otherwise just copy it from the CD drive's \i386 folder.)

    6. To exit the Recovery Console and restart the computer, type exit at the command prompt, and then press ENTER.
     
    Last edited: Jan 11, 2005
  18. BrandonB

    BrandonB Private E-2

    Was not anything I was told to do... Somehow I think I accidentally deleted a file... I put the drive as a slave in another comp and fixed it in 20 min on my lunch break :) Working on the rest of the list now...
     
  19. BrandonB

    BrandonB Private E-2

    Ok.. here are those 3 logs, and guard.tmp IS in the system32 folder
     

    Attached Files:

  20. BrandonB

    BrandonB Private E-2

    and the 3rd one (board wouldn't allow all 3 in 1 message)
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'm happy to hear that you got it all fixed up again! I'll be posting the next steps as soon as I finish looking at your logs.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay run KillBox and Delete C:\WINDOWS\System32\guard.tmp using Standard File Kill. This setting does not require a reboot. After doing this look again in that folder to see that it really deleted (let me know the results.)

    After that file is successfully deleted the next steps are as follows:

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    Now run VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log

    Note: we have to keep doing the findit.bat because after every reboot the infection typically changes which registry keys it is hiding in, and our next step is to remove that registry key. So this time after posting your log, do not reboot. Wait for my next steps. You can go offline but no reboots!
     
  23. BrandonB

    BrandonB Private E-2

    Guard.tmp was deleted.


    Do you accept donations? :)
     

    Attached Files:

  24. BrandonB

    BrandonB Private E-2

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HJT and select but do not click Fix the below items:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    Now Exit all browser Windows including this one and click Fix.
    Then exit HJT.


    Click START, RUN, and enter regedit into the box and click OK. This will open the registry editor. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the URL one - make sure the bottom of the regedit window shows the full reg key as shown above) and select DELETE.

    NEXT: Run find.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log

    We may be finished if everything checks out.
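    The HJT entries fixed in this post are the two tells a helper looks for in a VX2/CoolWebSearch log: many O1 hosts lines pointing search hostnames at one remote IP (ad-blocking hosts entries use 127.0.0.1 or 0.0.0.0 instead), and a Winlogon Notify package that is not part of a stock install (HijackThis 1.99 reports these as O20 lines). The following is an added example, not a MajorGeeks or HijackThis tool, that applies those checks to a log. The sample log is constructed from lines quoted in this thread; the O20 line and its DLL path are assumed, not taken from Brandon's actual log, and the stock Winlogon Notify list and start-page allowlist are assumptions to verify against a clean machine.

```python
# Added example: triage a HijackThis 1.99-style log the way a helper reads one.
# Not HijackThis or MajorGeeks code. Sample log constructed from lines quoted in
# the thread; the O20 line and its DLL path are hypothetical.
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ad.example.com
O4 - Startup: AdDestroyer.lnk = C:\\Program Files\\AdDestroyer\\AdDestroyer.exe
O20 - Winlogon Notify: URL - C:\\WINDOWS\\System32\\kt86l7ls1.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Winlogon\Notify subkeys present on a stock Windows XP SP2 install (assumption:
# confirm against a known-clean machine of the same build before trusting it).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Hosts the owner actually chose as a start page (assumed allowlist).
TRUSTED_START_HOSTS = {"www.msn.com", "www.google.com"}

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(\S+)\s+-\s+(.+)$")
START_RE = re.compile(r"Start Page = (\S+)")


def parse_log(text):
    """Yield (section, body, raw_line) for each HJT entry line (R0, O1, O4, ...)."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(text, stock_notify=STOCK_NOTIFY, trusted_start=TRUSTED_START_HOSTS):
    """Return a list of (severity, message, raw_line_or_None) findings."""
    findings = []
    redirects = defaultdict(list)  # remote IP -> hostnames pointed at it
    for section, body, raw in parse_log(text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if not m:
                findings.append(("low", "unparseable hosts line", raw))
                continue
            ip_s, name = m.groups()
            try:
                ip = ipaddress.ip_address(ip_s)
            except ValueError:
                findings.append(("low", f"hosts line with bad address {ip_s!r}", raw))
                continue
            if ip.is_loopback or ip.is_unspecified:
                continue  # 127.0.0.1 / 0.0.0.0 entries block, they do not redirect
            redirects[ip_s].append(name)
        elif section == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group(1) not in stock_notify:
                findings.append(("high",
                                 f"non-stock Winlogon Notify package {m.group(1)!r} loads {m.group(2)}",
                                 raw))
        elif section == "R0":
            m = START_RE.search(body)
            host = urlparse(m.group(1)).hostname if m else None
            if host and host not in trusted_start:
                findings.append(("medium", f"start page points at untrusted host {host}", raw))
        elif section == "O4":
            findings.append(("info", "startup item, confirm you installed it", raw))
    for ip_s, names in redirects.items():
        findings.append(("high",
                         f"{len(names)} hosts entries redirect to {ip_s}: {', '.join(names)}",
                         None))
    return findings


if __name__ == "__main__":
    for sev, msg, raw in triage(SAMPLE_LOG):
        print(f"[{sev}] {msg}" + (f"\n    {raw}" if raw else ""))
```

    Grouping the O1 lines by destination address is what makes the hijack obvious: a legitimate hosts file rarely sends several unrelated search hostnames to the same public IP, while a blocklist sends everything to loopback and is skipped here.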
     
  26. BrandonB

    BrandonB Private E-2

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those registry entries are OK! Your VX2 problems are now gone!

    Your log is almost clean. I've been ignoring one other problem until we got the VX2 fix.
    You need to be careful about where you are going and what you have been downloading. When you first started this thread, you had a particular problem set. Then in message # 11 I commented on your HJT log from message # 7 saying you had now picked up VirtualBouncer. Well, someplace after that you picked up AdDestroyer (shown below). It has been in your HJT log since message # 19.

    So go to Add/Remove Programs and look for an uninstall for it and use it if found.


    Then run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe <--- just in case no uninstall

    Then reboot in safe mode and delete:
    C:\Program Files\AdDestroyer <--- the whole folder if still there.

    Now you should be clean and I would assume everything is working better now.
    So now it is time for you to follow the steps in the below link:
    How to Protect yourself from malware!
     
  28. BrandonB

    BrandonB Private E-2

    This computer hasn't been anywhere but here and one other site (which I run and am quite sure has nothing..). All that stuff installed while I was away and windows would just pop open. I'd done pretty much everything in the protect yourself link. Anyway.. Thanks again!!

    :)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see a firewall. Did you install one? Don't just try using the one built-in to WinXP SP2. Disable it and get one of the others mentioned.

    Did you install SpywareBlaster? Did you install Spybot and have it immunize, and did you enable its SDHelper resident shield?
     
  30. BrandonB

    BrandonB Private E-2

    Yep.. Immunised... SB is installed and has been run also.. The only firewall I've been using is the hardware one built into my router... I ran ZoneAlarm for a while but it didn't get along with the router or the few games I play.. lol.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ZoneAlarm should have worked okay! My kids play all kinds of games and have no problems with ZA running. You may have needed to tweak something. Give Sygate Personal Firewall Free a try. I think it would be worth it to have the software firewall in place. But make sure the one in SP2 is off. It is enabled unless you disable it. That could have been your problem with ZA.
     
  32. BrandonB

    BrandonB Private E-2

    I cut it off the second sp2 installed.. Will give Sygate a try tho..
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok! Good luck!
     
