hit with vx2, isearch, ezula and some trojans

Discussion in 'Malware Help (A Specialist Will Reply)' started by arsoisaen, Apr 19, 2005.

  1. arsoisaen

    arsoisaen Private E-2

    all at the same time...somewhat.

my computer's been out of commission for 2 months, and i just recently got it back (like half a day). after initial scans with adaware...i was surprised to see so much stuff hanging around. doing all the initial scans in the tutorial, along with some of my own adjustments and removals, hasn't really been much help. i think i got rid of the vx2, i THOUGHT i got rid of ezula, and i know that isearch is still on here (it's where the google search bar should be). also have edmond.exe trojan (think i got rid of it but not sure) and aklsp.dll which i think is one too
    i am seriously running out of ideas.

    [edit] just to clarify why im not sure about the trojans...internet doesn't seem to work in networked safe mode...so those are just from norton or tds-3

    i think i am ready to attach my hijack log...i think i followed all the tutorial instructions already... thanks for the help in advance
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

• Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. arsoisaen

    arsoisaen Private E-2

    here it is
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

You have MANY problems, let's take them one at a time.

    First:
    • After download is complete, Run LSP-Fix
    • Check the Box labeled "I know what I'm doing" and then click on the files aklsp.dll & calsp.dll (in the “Keep” section) to select them.
    • Then, Select the >> button to move aklsp.dll & calsp.dll into the Remove section.
    • Now, click the Finish Button. When the Repair Summary box appears, click OK.
    • (Note: If the files aklsp.dll & calsp.dll are already in the remove section, then just click FINISH.)

    Second:
    Download the following items:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!

    ALSO:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Please don't run any other files in the L2MFix folder.
     
  5. arsoisaen

    arsoisaen Private E-2

    here it is
     

    Attached Files:

• log.txt (File size: 16.5 KB, Views: 4)
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay Great!

    First, I want to be sure you have System Restore disabled as this will create a few problems.

    Download and install Microsoft® Windows AntiSpyware during the install make sure you get any updates BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps. After you have downloaded ALL updates

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    REBOOT INTO SAFE MODE!

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.


    NOW:

After doing the above, please proceed to the following:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post along with a current HJT log.
     
  7. arsoisaen

    arsoisaen Private E-2

one thing that happened to me while i was posting this was antispyware came up with a block on an unclassified spyware...not sure if that would screw up the log any
     

    Attached Files:

  8. arsoisaen

    arsoisaen Private E-2

    sorry here is my hjt log too
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Let's start with the nail.exe:
    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    NEXT:
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    NOW:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    picsvr

    vmss

    nsvsvc


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    picsvr.exe

    lqpzmb.exe


    firefox.exe <-- End every instance of this process as requested!

    vzrzra.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS2\system32\n20050308.EXE
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS2\System32\picsvr\picsvr.exe
    O4 - HKLM\..\Run: [aounqys] c:\windows2\system32\lqpzmb.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS2\System32\vzrzra.exe

    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS2\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINDOWS2\System32\picsvr ←–– Delete this whole folder if it exists!

    C:\WINDOWS2\System32\nsvsvc ←–– Delete this whole folder if it exists!

    C:\WINDOWS2\System32\vmss ←–– Delete this whole folder if it exists!

    C:\WINDOWS2\system32\lqpzmb.exe

    C:\WINDOWS2\System32\vzrzra.exe

    C:\WINDOWS2\system32\n20050308.exe

    C:\WINDOWS2\System32\fp8o03l3e.dll

    C:\WINDOWS2\svcproc.exe

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After doing ALL of the above, Scan with HijackThis and attach the new log along with one last log from the Generic Detection Log.
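The HijackThis lines quoted in this post (R0, O4, O16, O23) have a regular shape, and a checker that parses them and compares each target against a list of known-bad paths is a useful way to confirm a log before and after a fix. The following is an added example, not a tool from this thread or from the HijackThis project: the parser, the indicator list (built from the paths named in this post) and the sample log lines are all constructed here for illustration.

```python
"""Parse HijackThis-style log lines and flag entries whose target matches a
known-bad list. Added illustration; the indicator list is built from paths
quoted in the thread and the sample log is constructed, not a real log."""
import re

# Paths named in the fix list above (constructed indicator list, not a feed).
# Matching is case-insensitive because Windows paths are.
KNOWN_BAD_PATHS = {
    r"C:\WINDOWS2\system32\n20050308.EXE",
    r"C:\WINDOWS2\System32\picsvr\picsvr.exe",
    r"c:\windows2\system32\lqpzmb.exe",
    r"C:\WINDOWS2\System32\vzrzra.exe",
    r"C:\WINDOWS2\svcproc.exe",
}
KNOWN_BAD_URLS = {"http://hsremove.com/done.htm"}

# One regex per line type; the group names are this example's own.
LINE_PATTERNS = {
    "R0": re.compile(r"^R0 - (?P<key>.+?) = ?(?P<value>.*)$"),
    "O4": re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<value>.+)$"),
    "O16": re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<value>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<value>.+)$"),
}


def normalize(path):
    """Lower-case and strip surrounding quotes/whitespace for comparison."""
    return path.strip().strip('"').lower()


_BAD_PATHS_NORM = {normalize(p) for p in KNOWN_BAD_PATHS}


def parse_line(line):
    """Return a dict describing one HJT line, or None if the shape is unknown."""
    line = line.strip()
    kind = line.split(" ", 1)[0]
    pattern = LINE_PATTERNS.get(kind)
    if pattern is None:
        return None
    match = pattern.match(line)
    if match is None:
        return None
    entry = match.groupdict()
    entry["type"] = kind
    return entry


def flag_reason(entry):
    """Return a short reason if the entry matches an indicator, else None."""
    value = normalize(entry["value"])
    if entry["type"] == "R0":
        return "start page set to a known hijacker URL" if value in KNOWN_BAD_URLS else None
    # O4/O23 values may carry arguments after the executable, so prefix-match.
    if any(value.startswith(bad) for bad in _BAD_PATHS_NORM):
        return "target path is on the known-bad list"
    return None


def scan_log(lines):
    """Parse each line and return [(line, reason)] for entries that should be fixed."""
    hits = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue  # line types this example does not parse are skipped
        reason = flag_reason(entry)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


# Constructed sample log: the lines from the post plus two benign entries.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
    r"O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS2\system32\n20050308.EXE",
    r"O4 - HKLM\..\Run: [picsvr] C:\WINDOWS2\System32\picsvr\picsvr.exe",
    r"O4 - HKLM\..\Run: [aounqys] c:\windows2\system32\lqpzmb.exe",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS2\System32\vzrzra.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS2\svcproc.exe",
]

if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print(f"FIX  {line}\n     {reason}")
```

Run as-is it reports the six entries the post asks HijackThis to fix (the hijacked HKLM start page, the four Run entries and the SvcProc service) and passes over the empty HKCU start page, the Symantec entry and the Sibelius plugin, which are not on the list. The list is a plain set, so the same checker can be reused after a fix by feeding it the new log; any line that still reports means the entry came back.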
     
  10. arsoisaen

    arsoisaen Private E-2

    a quick glance at the logs tells me stuff is still there =(

    some notes:

    the system startup service was already stopped and disabled


    C:\WINDOWS2\system32\n20050308.exe and
    C:\WINDOWS2\system32\lqpzmb.exe were not found
     

    Attached Files:

  11. arsoisaen

    arsoisaen Private E-2

hm..im not sure where the edit post button is...

    anyways...one other thing is when i start up i get this unclassified spyware popup from antispyware...just removed it
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You had the right version the first time, please delete HJT 1.99.0 and use 1.99.1 from now on.

    Attach a fresh log using Hijack This 1.99.1.
     
  13. arsoisaen

    arsoisaen Private E-2

    sorry bout that, turns out i have 2 different hijack this folders =|
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you aware you have "C:\windows2" directory instead of the normal "C:\windows" directory??



    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [jusuoeq] c:\windows2\system32\fwimqy.exe

    Make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner


    NOW:
    Locate PocketKillbox

    Now, Copy and Paste C:\windows2\System32\fwimqy.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After you reboot post a fresh HJT log using HJT 1.99.1
     
  15. arsoisaen

    arsoisaen Private E-2

    i think i have a windows2 because i did a reinstall once and never fully removed the original windows...folder is still on my computer because im not too sure what to do with it

    everything worked out in the last set of steps
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Just so there's an explanation for it, was kinda worried when I noticed that.

    Your log is clean!

    Are you having any further problems?
     
  17. arsoisaen

    arsoisaen Private E-2

    everything seems good...except with mozilla, instead of the google search field in the toolbar it is still isearch.

    thanks for all the help
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have been wanting to see if this works, so lets give it a shot!

    Isearch Removal Tool

    Let me know the results!
     
  19. arsoisaen

    arsoisaen Private E-2

one last thing...every time i start up...the ms antispyware always claims that there is an unclassified spyware.57 trying to install...so i did a scan with antispyware which showed up 180search assistant and also unclassified.spyware57...in the locations it states c:\windows2\system32\xxxxxx...

    when i used the isearch removal antispyware told me that it was trying to reinstall...and the toolbar is still around

    here is the hjt log...sorry for being so bothersome but it seems it pops up every time...
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run the removal tool for isearch? If so, did it remove the toolbar?

Also, post the results from Microsoft AntiSpyware so I can see what it's finding and where.
     
  21. arsoisaen

    arsoisaen Private E-2

    yes i ran the isearch toolbar removal...windows spyware indicated that isearch was trying to install the isearch assistant on my computer...and i blocked it.

    i realized that it was just a plugin in mozilla and a simple removal did it...back to google now =)

    im not too sure so i just copied, pasted, and attached from the windows spyware program
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
  23. arsoisaen

    arsoisaen Private E-2

    here u go
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download Pocket KillBox and extract it to its own folder somewhere.

    Please unzip it to its own folder and then run KillBox. Make sure you read thru the below steps first before executing to be sure you understand them and that you do not miss any of the notes.

    Now, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” and “End Explorer Shell While Killing File” Options. Copy and Paste each of the below filenames into the box, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    ** Note: For the DLLs, instead of End Explorer Shell While Killing File , check the Unregister .dll Before Deleting box instead.

    C:\WINDOWS2\icont.exe
    C:\WINDOWS2\AKDeInstall.exe
    C:\WINDOWS2\ctnnzduan.exe
    C:\WINDOWS2\eeeeddd.exe
    C:\WINDOWS2\sskb5.exe
    C:\WINDOWS2\system32\npkcsvc.exe
    C:\WINDOWS2\system32\prutjct.exe
    C:\WINDOWS2\system32\puquq.dat
    C:\WINDOWS2\system32\vzrzra.exe
    C:\WINDOWS2\system32\winup2date.dll
    C:\WINDOWS2\system32\wmconfig.cpl
    C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\nada.exe

    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If you get an error message about pending operations, just reboot your PC yourself.

    Then, please attach a new HijackThis Log and tell us how things are working. Also post another Qoologic Finder log.
     
  25. arsoisaen

    arsoisaen Private E-2

    in the qoologic program it stated that cmd.exe could...not be scanned i think because of some error...everything else went okay

    just wondering...what program should i have running in the background at all times for security? currently im using symantec client security which is basically their firewall and antivirus and also ms antispyware
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Not clean yet. Have HijackThis fix the below line and let's see if it stays fixed after a reboot and a repost of another HijackThis log:
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS2\System32\vzrzra.exe

    Double check yourself. Does this file exist: C:\WINDOWS2\System32\vzrzra.exe

    If so, we are not done.
     
  28. arsoisaen

    arsoisaen Private E-2

seems like it's gone now...but then again same thing happened a couple posts ago. let's hope i get lucky this time...gonna try out the other firewall/av programs.

    also with isearch toolbar...i can delete it from the mozilla searchplugins folder, but it seems to always come back. im thinking of switching back to ie or something
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HJT log is clean!

    Download the Removal Tool

    Reboot into Safe Mode, run the tool

Reboot into Normal Mode, see if the problems remain.
     
  30. arsoisaen

    arsoisaen Private E-2

  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! So the removal tool did NOT remove it?
     
  32. arsoisaen

    arsoisaen Private E-2

the removal tool actually tried to add more stuff on, because after running the install i got messages from antispyware telling me isearch was trying to install
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The uninstaller has to load temp files in order to successfully remove it.
     
