hijacked computer...need help

Discussion in 'Malware Help (A Specialist Will Reply)' started by haugen, Dec 7, 2004.

  1. haugen

    haugen Private E-2

    I've been doing some reading and have tried all the routine programs such as the online scans, CWE, Ad-aware, and Spybot among others. Some things get removed and others keep coming back (Virtual Bouncer, AdDestroyer, CoolWWWSearch). Here's my HijackThis log. Hope someone can help.
     

    Attached Files:

    Last edited by a moderator: Dec 7, 2004
  2. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    You have a particularly nasty CWS infection that nobody has really figured out how to fix yet. You have other issues as well. Plus, your Windows XP is seriously out of date.

    To start, please download this tool: LSP - Fix

    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Now, Reboot to Normal Windows.


    THEN:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled .

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fakeproxy

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.microsoft.com

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    ---> These will come back
    O1 - Hosts: 69.20.16.183 ieautosearch

    The Following O10 items should be gone after running LSP-Fix:
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.static.topconverting.com

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. ****Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    As I mentioned, those Hosts Redirections will reappear. The good guys are still trying to figure that one out, so you'll have to be patient.

    Best :)
    PP
     
    Last edited by a moderator: Dec 7, 2004
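The HijackThis entries PhilliePhan singles out above (a hosts-file line sending search domains to a non-local address, forced proxy settings, an unknown Winsock LSP, and Trusted Zone additions) can be triaged mechanically. The Python below is an added example, not part of the original thread or of HijackThis itself; the log lines it scans are constructed to mirror the ones quoted in this post, and the "reason" strings are the editor's explanation of why each category matters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the entries PhilliePhan quotes in this post.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fakeproxy
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# A hosts entry pointing at one of these blocks a name; anything else redirects it.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O1"
    entry: str     # the line body as HijackThis printed it
    reason: str    # why a defender should look at it

def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing to flag here."""
    m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O1":
        hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hm and hm.group(1) not in LOCAL_SINKS:
            return Finding(section, body,
                           f"hosts file redirects {hm.group(2)} to {hm.group(1)}; "
                           "a legitimate hosts block would point at 127.0.0.1 or 0.0.0.0")
        return None
    if section == "O15":
        return Finding(section, body, "site added to the IE Trusted Zone, which should normally be empty")
    if section == "O10" and body.lower().startswith("unknown file in winsock lsp"):
        return Finding(section, body, "unrecognised Winsock LSP: every socket call passes through it")
    if section == "R1" and re.search(r"Internet Settings,Proxy(Server|Override)\s*=\s*\S", body):
        return Finding(section, body, "proxy forced on the browser; traffic can be intercepted or blackholed")
    return None

def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.entry}\n     -> {f.reason}")
```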
  3. haugen

    haugen Private E-2

    Thanks for the help. Your advice seems to have done some good. Like you said, some of those damn things still come back. Here's the new log. Please take a look when you have time. Thanks again.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    You need to remove these:
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com


    It is a good idea to keep the Trusted Zone Empty!

    We are still trying to figure out how to kill this baddie:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch


    You could try running the latest CWShredder Update and see if that has any effect, but I still think this is a "wait and see" proposition.

    CWShredder 2.1

    Also, you should update your XP to at least SP1a. But DO NOT install SP2 until your computer is COMPLETELY clean.

    PP :)
     
    Last edited by a moderator: Dec 8, 2004
  5. haugen

    haugen Private E-2

    I downloaded Service Pack 1a and installed it. There's still some things I can't get rid of (crazywinnings.com and topconverting.com). I also noticed a couple of new things, 'intgpt' and 'ckraor'. Also, I'm now running Mozilla Firefox and I was wondering how to disable IE or if that's even a good idea. Thanks for the help, it's appreciated.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    You will need to keep IE in order to be able to access Windows Updates and the like. You can, however, set Firefox as your Default Browser.

    I am still studying the Hosts Redirection baddie, but real work limits the time I can spend. I take it the new CWShredder did not do the job? You might try the process PJ used here:

    Hijacked by Mysterious Trojan (or what?) HALP!

    Regarding the Trusted Zone items, they need to be dealt with as well. These may be related to another new baddie - But I am not sure. There is a generic removal tool, however I don't know if it will recognize your entries yet.

    intgpt and ckraor sound like trouble and should be deleted if possible. If they are part of the infection I described, you likely will not be able to find them.

    You could try Updating Ad-aware and Spybot and running them in Safe Mode. If you try PJ's process, then it may kill two birds with one stone.
    I'll try to find out if those .exes are related to this new infection when I get the time.

    Hang in there :)
    PP
     
  7. haugen

    haugen Private E-2

    Well, I ran that process that the other guy recommended and it didn't do much good. Here's another log. Virtual Bouncer and AdDestroyer keep coming back, as do ckraor.exe and intgpt.exe. I don't really know what to do. Thanks for the continuing help.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    You should be able to uninstall Virtual Bouncer in Add / Remove Programs. Look for SED & AdDestroyer as well.

    These should go:
    C:\WINDOWS\System32\ckraor.exe
    C:\PROGRA~1\VBOUNCER
    C:\Program Files\SED
    C:\Program Files\AdDestroyer

    Fix these with HJT:
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

    The fix for the Hosts Redirect remains elusive. Potterjazz was the only time I've seen this baddie removed.

    For the CrazyWinnings in the Trusted Zone, try Chaslang's suggestion in Post #63 of this thread:

    Help! No idea whats wrong

    Sorry if I seem rushed - I Am! Life is hectic right now and I have little free time for this forum.

    Hang in there :)
    PP
     
  9. haugen

    haugen Private E-2

    I appreciate all the help you've given me. I've tried everything you've recommended so far and some things keep coming back. I delete Virtual Bouncer and AdDestroyer over and over again. They always come back. If you know of anyone to stop these it would be great to know. Take your time, I know you're busy.
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    Did you try Chaslang's procedure for CrazyWinnings? It should do the job for that one.

    If you uninstalled VBouncer, then something must be reinstalling it. - Master of the Obvious, I am! ;)

    For the others, was system restore off when you deleted them? Perhaps you should flush prefetch and Temp folder.
    I'm not sure how much of this is related to that Hosts Redirect baddie, but you ought to try the latest version of CWShredder. I think a new one just came out. Run it and see if it removes anything.

    Then, please attach a fresh HJT log so I can get an idea of where you stand.
    I'll check back when I can.

    PP :)
     
  11. pollack

    pollack Private E-2

    as for these 2:

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com

    I don't know whether there is some bug in immunizing by SpywareBlaster or Spybot, but getting rid of them is fairly easy. There is no spyware (hopefully) that puts these things back. Just HijackThis can't delete them... prosaic? Let's hope so, as I don't know if I fully killed the CWS trojan (I used the bleepingcomputer tutorial - boot in safe mode, use all trojan killers, and finish them in anti-virus software, but before you do anything, just open the registry, run, runonce, everything that is related to launching programs, there is probably run services or something too, and kill everything except the most valid, most rural apps. Kill 'em all and have this in mind that you can always reinstall the needed software. So better kill it all and start anti-trojan software. I used about:blank, HijackThis, Spybot, SpywareBlaster, Ad-aware. There are many - CWShredder etc.) Delete all HijackThis processes O2, O4, R1, R2-4, O10-15, everything except the most vital ones. Do not launch iexplorer. It's best if you don't launch explorer (my comp) at all. Or run it, open all spykillers and close the folder. Windows sucks at this integrating browser.

    So going back to our 2 "favorites": after you killed the CWS, open the registry editor and find them, crazywinnings and topconverting. I don't know if it is a result of immunization, but there is a registry folder that has a whole lot of web pages listed, many of them - more than 500 I think. So find the topconverting and there is a hex entry - if you are perceptive, you can see that the hex value differs from the other pages. It's hex 2 when the others have hex 4. So at the folder where there are many, many web pages and the others have hex 4 and our 2 "favourites" have hex 2, change the value to hex 4. All.

    Why I am not sure I killed CWS fully - read in my "iexplorer a real BROWSER now" topic.
     
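pollack's "hex 2 / hex 4" observation is the Internet Explorer ZoneMap: each entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains is a DWORD whose value is the security zone number (2 = Trusted Sites, which HijackThis reports as O15; 4 = Restricted Sites, the zone immunizers such as SpywareBlaster populate). The Python below is an added example, not pollack's or the thread's own code: it parses a constructed REGEDIT4 export of that key, reports the Trusted entries using the name HijackThis would print, and emits the REGEDIT4 fragment that changes them to zone 4 as pollack describes.

```python
import re
from typing import List, Tuple

# Constructed REGEDIT4 export of the IE ZoneMap "Domains" key, modelled on the
# two Trusted Zone entries quoted in this thread plus two immunization entries.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crazywinnings.com\frame]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\topconverting.com\static]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com]
"http"=dword:00000004
"""

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
DOMAINS_MARKER = "\\ZoneMap\\Domains\\"

Entry = Tuple[str, str, str, int]   # (registry key, scheme value name, host, zone)

def parse_zonemap(reg_text: str) -> List[Entry]:
    """Walk a .reg export and return every ZoneMap\\Domains DWORD as an Entry."""
    entries: List[Entry] = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new [KEY] section
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if key is None or not m:
            continue
        idx = key.find(DOMAINS_MARKER)
        if idx < 0:
            continue
        # Domains\crazywinnings.com\frame  ->  host frame.crazywinnings.com
        parts = key[idx + len(DOMAINS_MARKER):].split("\\")
        host = ".".join(reversed(parts))
        entries.append((key, m.group(1), host, int(m.group(2), 16)))
    return entries

def hjt_name(scheme: str, host: str) -> str:
    """Render an entry the way HijackThis prints an O15 line ("*.host" for the any-scheme value)."""
    return f"*.{host}" if scheme == "*" else f"{scheme}://{host}"

def trusted_entries(entries: List[Entry]) -> List[Entry]:
    """Zone 2 is Trusted Sites: the zone the thread says should stay empty."""
    return [e for e in entries if e[3] == 2]

def build_fix(entries: List[Entry]) -> str:
    """REGEDIT4 fragment moving each Trusted (2) entry to Restricted (4), as pollack describes."""
    lines = ["REGEDIT4", ""]
    for key, scheme, _host, _zone in trusted_entries(entries):
        lines += [f"[{key}]", f'"{scheme}"=dword:00000004', ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse_zonemap(SAMPLE_REG)
    for key, scheme, host, zone in found:
        print(f"{hjt_name(scheme, host):40} {ZONE_NAMES.get(zone, zone)}")
    print(build_fix(found))
```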
  12. haugen

    haugen Private E-2

    After a short hiatus I'm back and, unfortunately, so is the VX2 variant and the CWS variant. I noticed some other people were able to fix their computers. Here's a new HijackThis file and a DLL compare file.
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    Happy you posted back :) As you noted, a fix for this was recently devised!

    Please download FRESH downloads of all of these tools including Pocket KillBox from these links (This is important):


    VX2.BetterInternet Finder XP/2k - Version Msg126


    Generic Find It Tool - NT/2000/XP

    Pocket KillBox

    NOW:

    Unzip the Generic FindIt Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    Then, attach that output log. Note that, after you scan, you MUST NOT Reboot until you hear back from me.

    I'll try to check back tonight.

    PP :)
     
  14. haugen

    haugen Private E-2

    Here we go again. I ran the little 'findit.bat' and here's the log. Also, I keep getting 'virtualbouncer' and 'addestroyer' reinstalled on my computer. Is this part of the same problem or something totally different? Thanks for the help.
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Man, in the time between logs, you've added malware! (se.EXE - http://www.liutilities.com/products/wintaskspro/processlibrary/se/ )

    Virtual Bouncer and Ad Destroyer are not related to this infection. They should be removed via Add/Remove Programs. They should also be found in Program Files Folder and deleted.

    I will try to post the initial steps of your VX2 fix tonight. It will be a long one, so be prepared!

    PP :)
     
  16. PhilliePhan

    PhilliePhan Guest

    Hi Haugen,

    Here is the "All in one" version of your fix!

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions. Even if you do not see guard.tmp, ENTER IT ANYWAY as per my instructions below!

    This fix will take a number of steps. I will try to keep it very simple. Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\iU1xdnt5.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\k0260afsed260.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\l08mlal11dq.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea. . . Please do the same for the following entries:

    l08mlal11dq.dll
    h60qlgd5160.dll
    sycsccp.dll
    mhcertui.dll
    kgdkyr.dll
    sGfrcdlg.dll
    ssc.dll
    en0ol1d31.dll
    g022lafo1d2c.dll
    n6p4lg7q16.dll
    c2002cdmgf0a2.dll
    winetmgr.dll
    mqnsspc.dll
    lnimg10N.dll
    jtaw400.dll
    rjcdll.dll
    rLsctrs.dll
    wbtdecod.dll
    enj6l11s1.dll
    j4l40e3qeh.dll
    cMlsp.dll
    PHDLIB32.DLL
    cctdll.dll
    sqhannel.dll
    tintsvrp.dll
    MJT2FW95.DLL
    baackbox.dll
    lv4409hqe.dll
    LDCMP70n.DLL
    onengl32.dll
    tvrmsrv.dll
    mfieftp.dll
    ajrules.dll
    pdofmap.dll
    lotif11n.dll
    lvn4095qe.dll
    dvmsvinn.dll
    lggif10N.dll
    m0ls0a37ed.dll
    pYutoenr.dll
    hrnq0555e.dll
    mlaudite.dll
    maencode.dll
    p04u0ah9ed4.dll
    hrpq0575e.dll
    kfdsp.dll
    DAMSSPXN.DLL
    MMCANS32.DLL
    mcyuv.dll
    lqpct10N.dll
    hr6s05j7e.dll
    cTrds.dll
    dvmap.dll
    pBqsp.dll
    dcmap.dll
    p06s0aj7edo.dll
    ljfax11n.dll
    iksetup.dll
    sznymaeb.dll
    jamd400.dll
    nrevtmsg.dll
    f4j20e1oeh.dll
    fpju0319e.dll
    ir80l5lm1.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .


    NOW, you will be entering more items into KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\SYSTEM32\t?skmgr.exe
    C:\WINDOWS\SYSTEM32\naprup.dll
    C:\WINDOWS\SYSTEM32\aqwumw.exe
    C:\WINDOWS\SYSTEM32\qpouzo.dll
    C:\WINDOWS\SYSTEM32\kvbuyb.dat
    C:\WINDOWS\SYSTEM32\ckraor.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\intgpt.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NEXT:

    Doublecheck to make sure that guard.tmp has been removed. If it somehow remains, feed it to Pocket KillBox and Delete it using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp


    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg



    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{3E31C298-A0C8-4DA2-9946-9785390437EB}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-




    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up!

    Hopefully we will have gotten everything on this first pass. If not, we will have to start over and take it slowly a step at a time.

    Let me know about any problems that you may have run into completing the above! Been very busy lately, but I will try to check back when time permits – Likely Thursday night.

    PP :)
     
  17. haugen

    haugen Private E-2

    Well, I think I finally got everything taken care of when I completed your recommendations today. My computer seems to be running better and nothing is downloading by itself. Further scans have not picked up any remnants of CWS or VX2. Virtual Bouncer and AdDestroyer seem to be gone as well. I did notice that a new "guard.tmp" seems to have spawned in a new folder created today called C://!Submit. However, it isn't recognized in any scans. Here are the logs you asked for. Thanks again for all your help.
     

    Attached Files:

  18. PhilliePhan

    PhilliePhan Guest

    Looks like the VX2 is gone. The !submit folder may be deleted when we finish - It holds backups made by Pocket KillBox.

    There is still Qoologic on your machine that needs to be dealt with. It often accompanies the VX2.
    Please do the following - I'll just copy&paste:


    NOW, you will be entering more items into KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\SYSTEM32\t?skmgr.exe
    C:\WINDOWS\SYSTEM32\naprup.dll
    C:\WINDOWS\SYSTEM32\aqwumw.exe
    C:\WINDOWS\SYSTEM32\qpouzo.dll
    C:\WINDOWS\SYSTEM32\kvbuyb.dat
    C:\WINDOWS\SYSTEM32\ckraor.exe

    C:\DOCUMENTS AND SETTINGS\ALLUSERS\STARTMENU\Programs\Startup\intgpt.exe


    When the last item has been entered and you are prompted to reboot, allow KillBox to Reboot your computer.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg



    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDlls]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-



    Now:
    Click on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Now, please attach another Find.bat log and a Fresh HJT Log and we'll see where we stand. I'll try to check back as time permits.

    PP :)
     
  19. haugen

    haugen Private E-2

    Here we go again. I copied and pasted into KillBox as you directed. Hope it did the trick.
     

    Attached Files:

  20. PhilliePhan

    PhilliePhan Guest

    It is still there.

    Try booting to Safe Mode and deleting these one by one with Pocket KillBox using Standard File Kill.

    If they remain, then try again in Safe Mode but repeat the process we used before and Delete on Reboot.

    Here are the Baddies:

    C:\WINDOWS\SYSTEM32\aqwumw.exe
    C:\WINDOWS\SYSTEM32\naprup.dll
    C:\WINDOWS\SYSTEM32\qpouzo.dll
    C:\WINDOWS\SYSTEM32\kvbuyb.dat
    C:\WINDOWS\SYSTEM32\ckraor.exe
    C:\WINDOWS\System32\t?skmgr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\intgpt.exe


    We must remove these. Then, when your machine is finally clean, you ought to visit Windows Updates and get updated.

    PP :)
     
