HJT candidate?

Discussion in 'Malware Help (A Specialist Will Reply)' started by dumb_macosX_guy, Feb 8, 2005.

  1. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    First, thanks for all of the guidance in the pinned topics. It's starting to seem like for every person creating malware, there's two trying to eradicate it.
    I'm trying to save my buddy's computer from a huge infestation of this garbage. I followed the "before you post" guidelines to the letter last night. In fact ran Ad-aware and others several times before it showed clean.
    The pop-ups are still there. Not as bad, but often labeled "only the best," The home page still locks on about: blank, but there is nothing on the page anymore. The internet is fairly usable, up from completely locked. The most irritating part is the "Desktop Search" that pops up and down from under the taskbar. I can kill it from the task manager but it always comes back. (I can't find it in Add/Remove programs)
    To my question, sort of, while I'm not unfamiliar with Windows - I have managed various classrooms full of them for more than 5 years. From reading around this site and others I'm worried that HJT may be slightly out of my league. I've done some minor and successful registry editing but always with web guidance. I'm guessing that it is the only course of action left. I wanted to simply wipe the disk and start over (with proper shielding in place) but my friend desperately wants to save more than a year's worth of his work/family data.
    I understand that if I make a mistake in HJT that I can cause more damage than I have already fixed.
    I'm not sure if I'm looking for a pep talk or just good advice. I suppose either one would suffice. Basically, how screwed am I?
     
  2. AliWiseman

    AliWiseman Private First Class

    Hold fast.. there are people on here who will be able to help. I've not been here long enough to run you through the course of action to remove the "about blank" hijack, although I have done so on other forums I don't want to tread on toes lol!

    This is a common, and persistent hijack, with many variations, but I have not yet come across the need in several years of using forums to have to reformat. Don't do anything drastic, and wait for one of the top chaps here to sort you. :)

    Alistair
     
  3. shewolf

    shewolf Specialist

    I want to be sure that you mean that you have followed the Read Me First (see below for the link and instructions if you haven't). If you have completed that and the problem is still there then go on and continue to the next step of reading the HJT guidelines and attach your HJT log, and one of the more experienced users will assist you in determining what needs to be removed.

    Remember that the HijackThis log is not your first step of action; you need to complete the Read Me First tutorial to try and clean up the system as much as possible.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem: make sure that you post back letting us know what you could and couldn't complete in the Read Me First guide and what problems still exist and in the meantime please read the following guide and then wait for us to ask you to post your HJT log as an attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!


    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Again after you post back to let us know if you are still having the problems please be as specific as possible as to what you couldn't complete and as to what problems still exist as the more information we have the better we will be able to help you.

    Please also be patient in waiting for replies and responses as there are a limited number of people who are able to help you and as you can see by the posts on this forum there are many people out there who have questions/problems. Thanks and again welcome to MG :)

    sw:)
     
  4. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Yeah, I see what you mean about my wording. I didn't just run Ad-aware. I meant that I did several of the steps in the "before you post topic" more than once.
    I did not run ADS SPY because I didn't think I would know the difference between good and bad streams. Otherwise, I followed the instructions slowly and carefully. (I'm a little bleary eyed for it, too)

    I'm now onto Chaslang's topic on the "Generic solution for only the best..."
    I can't get past the sentence "It appears that the more times an incorrect or incomplete fix is attempted the more EXE file names will be spawned."
    So I'm a little nervous about the attempt.
    Further, this thing seems to be actually protecting itself, for instance, accessing Symantec's page causes an explosion of Popups, Adaware would cause the Finder (or whatever the GUI is called in Win - Windows Explorer maybe?) to quit and restart, etc.

    I will run it and post back tonight.
    Thanks
     
  5. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Alright, here's my log. I ran HJT in safe mode to get it, as it is impossible to kill all applications in normal mode.
     

    Attached Files:

  6. shewolf

    shewolf Specialist

    I will have chas or PP take a look at your log as they are more experienced in the logs than I am, but from looking at it I do see a lot of nasties and either chaslang or Philliephan will be able to help you better than I can.

    Best of luck

    sw:)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post logs from normal boot mode as indicated in the HJT tutorial. Safe mode logs will not reveal all the potential problems.

    Did you try to shut this down as per step 2 in the READ ME FIRST:
    O23 - Service: Network Security Service - Unknown - C:\WINNT\system32\ntdb32.exe


    You have a bunch of problems! We'll get to them. In the meantime, please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    LSP - Fix

    Do not run them until told to. Just tell me when you have them all.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download one more item:

    http://ralphcaddell.com/Uploads/deldomains.zip and unzip it to your desktop. Do not run it yet.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Look in Add/Remove programs for DMVLite and uninstall it if found (Please tell me if you find this).

    YOU HAVE A LOT OF BAD STUFF! WHERE HAVE YOU BEEN SURFING? YOU MUST INSTALL A FIREWALL.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the winlspak.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move winlspak.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Repeat the above for dolsp.dll


    Second Step:
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (Since your log was from safe mode, I don't know what will be running in normal boot. Thus many of these may not be seen running. )
    C:\Program Files\Witriwq <-- the whole folder
    C:\Program Files\Windows AdStatus <-- the whole folder
    C:\WINNT\appgm.exe
    C:\WINNT\System32\tibs5.exe
    C:\WINNT\System32\sm.exe
    C:\WINNT\isrvs\desktop.exe
    C:\WINNT\isrvs\ffisearch.exe
    C:\Program Files\Hqxwp\Wucuv.exe
    C:\WINNT\system32\n20050308.exe
    C:\WINNT\System32\wsxsvc\wsxsvc.exe
    C:\WINNT\System32\vmss\vmss.exe
    c:\winnt\system32\eliteajg32.exe
    c:\winnt\system32\ehksaouo.exe
    c:\winnt\system32\hlpszhc.exe
    C:\Documents and Settings\STACEY~1\Local Settings\Temp\95.tmp.exe

    C:\Documents and Settings\STACEY~1\Local Settings\Temp\6.tmp.exe
    C:\WINNT\System32\sm.exe
    C:\WINNT\System32\gluapi32.exe
    C:\WINNT\System32\drmclien.exe
    C:\WINNT\system32\ntdb32.exe



    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ojmym.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ojmym.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ojmym.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\ojmym.dll/sp.html#14044
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {19322D45-2480-112D-0E5F-0BEA88E1675B} - C:\WINNT\apprt32.dll
    O2 - BHO: (no name) - {1B0E2941-1C3E-BCDD-72A0-8F6528D74FC4} - (no file)
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: (no name) - {2A6CD7EC-2DAA-0422-BCF0-60604DFD11ED} - (no file)

    O4 - HKLM\..\Run: [Fkxvyxnu] C:\Program Files\Witriwq\Ziqmddn.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [appgm.exe] C:\WINNT\appgm.exe
    O4 - HKLM\..\Run: [95.tmp] C:\DOCUME~1\STACEY~1\LOCALS~1\Temp\95.tmp.exe 0 10001
    O4 - HKLM\..\Run: [tibs5] C:\WINNT\System32\tibs5.exe
    O4 - HKLM\..\Run: [Web Service] C:\WINNT\System32\sm.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Zpyelpy] C:\Program Files\Hqxwp\Wucuv.exe
    O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [antiware] c:\winnt\system32\eliteajg32.exe
    O4 - HKLM\..\Run: [ehksaouo] c:\winnt\system32\ehksaouo.exe
    O4 - HKLM\..\Run: [u3FW36Q] hlpszhc.exe
    O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\STACEY~1\LOCALS~1\Temp\6.tmp.exe 4 10001
    O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\STACEY~1\LOCALS~1\Temp\6.tmp.exe 1 10001
    O4 - HKCU\..\Run: [Web Service] C:\WINNT\System32\sm.exe
    O4 - HKCU\..\Run: [f0w6RWcFO] gluapi32.exe
    O4 - HKCU\..\Run: [drmclien] C:\WINNT\System32\drmclien.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING9.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp.coupons.com/v3123/cpbrkpie.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
    O23 - Service: ncazynfjhrqr - Unknown - C:\WINNT\system32\dpxdearc5.exe (file missing)
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
    O23 - Service: Network Security Service - Unknown - C:\WINNT\system32\ntdb32.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINNT\ojmym.dll
    C:\WINNT\apprt32.dll
    C:\Program Files\Witriwq <-- the whole folder
    C:\Program Files\Windows AdStatus <-- the whole folder
    C:\WINNT\appgm.exe
    C:\WINNT\System32\tibs5.exe
    C:\WINNT\System32\sm.exe
    C:\WINNT\isrvs\desktop.exe
    C:\WINNT\isrvs\ffisearch.exe
    C:\Program Files\Hqxwp <--- the whole folder
    C:\WINNT\system32\n20050308.exe
    C:\WINNT\System32\wsxsvc <--- the whole folder if found
    C:\WINNT\System32\vmss <--- the whole folder if found
    c:\winnt\system32\eliteajg32.exe
    c:\winnt\system32\ehksaouo.exe
    c:\winnt\system32\hlpszhc.exe
    C:\Documents and Settings\STACEY~1\Local Settings\Temp <--- delete all files and subfolders in this folder
    C:\WINNT\System32\sm.exe
    C:\WINNT\System32\gluapi32.exe
    C:\WINNT\System32\drmclien.exe
    C:\WINNT\system32\dpxdearc5.exe (file missing)
    C:\WINNT\system32\ntdb32.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Then, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Now find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install


    Third Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do that later when we reconnect). Make sure you wait long enough for it to complete. A notepad window will popup when finished. Do not run anything else during this time.

    Fourth Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Fifth Step:

    Get a new HJT log.

    Now reconnect and come back here and post as attachments the l2mfix log the find.bat log (normally already named output.txt) and the new HJT log (this will require two posts as only two attachments can be made in a message). Based on those logs, we will determine the next steps. Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
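As an added illustration (not a tool from this thread, and not part of HijackThis or the fix tools listed above), here is a small Python triage script that applies the same kind of review rules chaslang is using on the log entries above to lines in HijackThis log format: R0/R1 entries redirected to a res:// DLL resource, orphaned O2 BHOs, O4 autostarts launched from a Temp folder or by bare file name, O15 Trusted Zone additions, O23 services whose binary is missing or whose publisher is unknown, and F3 win.ini run= entries. The sample input is constructed from entries quoted in this thread plus one benign control line (an assumed antivirus autostart) so it runs offline; the rules are deliberately conservative and only mark lines for a human to review.

```python
"""Triage helper for HijackThis-style log lines (added example; not HJT's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: entries in the shape quoted in the thread, plus one benign
# control line (the AVG autostart is assumed, not taken from the posted log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\ojmym.dll/sp.html#14044
O2 - BHO: (no name) - {1B0E2941-1C3E-BCDD-72A0-8F6528D74FC4} - (no file)
O4 - HKLM\..\Run: [95.tmp] C:\DOCUME~1\STACEY~1\LOCALS~1\Temp\95.tmp.exe 0 10001
O4 - HKLM\..\Run: [u3FW36Q] hlpszhc.exe
O4 - HKLM\..\Run: [AVG] C:\Program Files\Grisoft\AVG\avgcc.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINNT\system32\ntdb32.exe
F3 - REG:win.ini: run=C:\WINNT\System32\soft.exe
"""


@dataclass
class Finding:
    kind: str                                   # HJT section code, e.g. "O4"
    raw: str                                    # the log line as written
    reasons: list = field(default_factory=list)  # why a reviewer should look at it


# HJT lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the entry.
LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def _reasons_for(kind, body):
    """Return the review reasons (possibly none) for one parsed entry."""
    reasons = []
    if kind in ("R0", "R1"):
        if "res://" in body:
            reasons.append("start/search setting points into a res:// DLL resource (about:blank hijack pattern)")
        elif body.rstrip().endswith("about:blank"):
            reasons.append("browser default page forced to about:blank")
    elif kind == "O2":
        if "(no file)" in body:
            reasons.append("BHO registered but its DLL is gone (orphaned CLSID)")
        elif "(no name)" in body:
            reasons.append("unnamed BHO loading a DLL; verify the publisher")
    elif kind == "O4":
        match = re.search(r"\]\s*(.*)$", body)          # text after the [name] is the command
        cmd = match.group(1).strip() if match else ""
        if TEMP_RE.search(cmd):
            reasons.append("autostart launches a program from a Temp folder")
        if cmd and "\\" not in cmd.split()[0]:
            reasons.append("autostart names a bare executable with no path (resolved via search path at logon)")
    elif kind == "O15":
        reasons.append("site or IP added to the IE Trusted zone; content there runs with relaxed security")
    elif kind == "O16":
        reasons.append("downloaded ActiveX control (DPF); verify the source")
    elif kind == "O18":
        reasons.append("MIME filter hooked into the browser pipeline")
    elif kind == "O23":
        if "(file missing)" in body:
            reasons.append("service registered but its binary is missing (leftover from a partial removal)")
        elif "- Unknown -" in body:
            reasons.append("service with unknown publisher")
    elif kind == "F3" and "win.ini" in body and "run=" in body:
        reasons.append("legacy win.ini run= autostart")
    return reasons


def triage(log_text):
    """Return a Finding for every log line that carries at least one review reason."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # headers, blank lines, the running-process list, etc.
        reasons = _reasons_for(match.group("kind"), match.group("body"))
        if reasons:
            findings.append(Finding(match.group("kind"), line.strip(), reasons))
    return findings


def summarize(findings):
    """Count flagged lines per HJT section code, e.g. {'O4': 2, 'O15': 2}."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for finding in flagged:
        print(finding.kind, finding.raw)
        for why in finding.reasons:
            print("   ->", why)
    print(summarize(flagged))
```

Run it as-is to see the sample triaged, or replace SAMPLE_LOG with the contents of a saved hijackthis.log. The benign AVG line is intentionally left unflagged: a path under Program Files with a known publisher is exactly what a legitimate autostart looks like, and the point of the rules is to narrow a long log down to the entries worth a second look, not to decide on their own what to fix.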
     
  9. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Chaslang,
    Thank you for the reply. Just for the record, this is not my computer. I'm doing this for a very dear friend who is more technically challenged than myself. (but, no, I don't know where he's been surfing)
    Yes I did disable Network Security Service as per step 2.
    I will run through these instructions when I get home and report back with the required logs. I have his machine on a KVM switch with my trusty G4 so I have no problem communicating and keeping it in its current state.
    Again, thank you for all the help.

    Help2Go's automatic HJT analyzer called this the VX2. Do you think that's what I'm looking at?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a whole lot more than that! Yes you have the Look2Me VX2 problem. But as you can tell from my directions, your friend is overrun with crapware.

    Be careful if you are sharing drives on your network. This PC is pretty infected. Make sure your PC has all protections in place as indicated in: How to Protect yourself from malware!
     
  11. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    I had planned to run through these steps early this morning but, naturally, my kids woke up and wouldn't allow me to do so. I don't want to do any of this half-assed so I will wait until this evening to continue.

    I physically unplugged my PC from the network. Although it's pretty well protected, it's home-built especially for use with 3ds Max and I can't risk losing it. I don't think my Mac is at risk in the slightest so it will be my communication and download machine. I'm using a pen drive in the KVM hub as a sort-of network storage device and I'll wipe it when I'm done with this nightmare.

    I am assuming that you wanted me back in normal mode for all of these steps. That is how I'm planning to continue.
    I upgraded his machine from Win2k to XP pro before I started working on it. I assume it's wise to turn the firewall on now?!
     
  12. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    O.K. I reread. Normal mode for LSPfix and HijackThis then safe mode for all else, right?
    Hence the word "dumb" in my handle. I'll print out, highlight and read through all of this several times before I do anything.
     
  13. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Chaslang,

    "Look in Add/Remove programs for DMVLite and uninstall it if found (Please tell me if you find this)." -- Yes, it was there, it required a download to uninstall, I was wary, but I did it.

    "I don't know what will be running in normal boot. Thus many of these may not be seen running. )" -- Yes, many were not, do you need to know which ones? Two of them would not be killed;
    C:\WINNT\System32\drmclien.exe
    C:\Program Files\Windows AdStatus
    They would immediately start again after being killed
    I just continued...

    Many of the HJT entries you told me to fix were not there. There were similar looking entries, but I only fixed exactly what you told me to.

    Also, some of the files you told me to delete were not there.
    Do you need to know which files were missing?

    I am stuck on steps 3, 4 and 5.
    Should I boot back into normal mode before collecting these logs?
    I'm currently in Safe Mode from the end of step two.
    I don't want to screw anything up.
     
  14. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    I'm almost positive this is wrong but I generated the reports while still in safe mode. I still have not rebooted. Should I go to normal and generate them again?
     

    Attached Files:

  15. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Here's the third
     

    Attached Files:

  16. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Decided it was wrong and I ran the reports from normal mode
     

    Attached Files:

  17. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    and the third
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We still have some work to do! But to answer a few of your questions. It is always best to tell me when something does not work (like deleting a file) or you cannot find a file etc (always be specific). Remember I only know what you tell me.

    Make sure you read these instructions first and follow them exactly. It is slightly different than last time.

    Step 1:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2:

    Run "find.bat" from the Generic Detection Tool again!

    Okay after doing the above DO NOT REBOOT.

    Now reconnect to the internet and come back here and post and attach the find.bat log along with the L2MeFix Log.
     
  19. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    O.K.
    I ran L2Mfix exactly as instructed and went through the reboot. However, the computer neither went bazonkers nor generated a report. It simply rebooted normally. I tried it again, same results.
    I generated the find.bat report and will attach it here.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Run the L2Mfix again. It did not work. If it works, I need the log.
     
  21. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    I had installed AVG, Sygate and Firefox while I was waiting for a reply from you but I didn't reboot until you told me to. AVG is popping up a registration screen on restart. Perhaps that is stopping L2MFix from doing its job?
    I will temporarily uninstall AVG and try L2MFix again when I go home for lunch.
     
  22. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    I removed AVG and still no go. L2Mfix option 2 runs, reboots, then nothing.
    Tried it several times no change. No error messages, just doesn't do anything or generate a log.
    Any suggestions?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running L2Mfix option 2 after booting in safe mode.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That probably will not work either but it may be worth a try. You have many problems and they are making it difficult to proceed. One of them is due to a file named soft.exe you can see in your HijackThis log as:

    F3 - REG:win.ini: run=C:\WINNT\System32\soft.exe

    It is a real nasty and probably has caused your explorer.exe (the system shell) to be infected. And all copies of it on your system are more than likely infected.

    Do you have a bootable WinXP SP2 CD or did you upgrade to SP2 from a previous version?
    If you do not have a bootable SP2 CD do you have another Win XP SP2 PC where you can get a good explorer.exe copy from (like on to a CD to bring it to this PC)?

    There are a bunch of other issues too including:
    - HSA hijacker
    - VX2 Look2ME problems we have been trying to fix
    - iSearch problem (noted by O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe)
    - Windows AdStatus problem (noted by O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe)
    - a trojan (C:\winnt\system32\eliteajg32.exe)
     
    Last edited: Feb 14, 2005
  25. dumb_macosX_guy

    dumb_macosX_guy Private E-2

    Dr. C,
    After many unsuccessful attempts at L2MFix (and, yes, I tried in safe mode), my friend and I collectively decided to do a few DVD backups of his data and reinstall XP with a low-level format of the disk.
    This morning I finished the reinstall by following ALL of the prevention guidelines pinned in this thread. Including replacing MS java with Sun and setting FireFox as the default browser. I also threw in a little 6GB slave drive to use as sort of a "rescue disk" should this happen again. Everything seems to be working great so far.
    My last question involves restoring some of his data. I am assuming there is nothing dangerous in there - it is mostly word files and pictures of his children but I also did a backup of his outlook data and some MP3 files and I plan to restore them as well.
    Is there any danger of putting the malware back here? From what I've learned, I'm guessing that I'm safe but I thought it wouldn't hurt to ask if that crap "rides along" on anything.
    Thanks again for all the help. Is there any way I can pay you back? I can't find anything on the site as far as donations, etc.
    My friend has promised me a bottle of Makers Mark for service, should I have the two drinks that I deserve and send you the rest of the bottle?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! I would run a full virus scan and spyware scan on all the backed up data just to be safe. Make sure your virus scan includes all file types and it scans compressed files too.
     
