Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by lasale, Feb 16, 2005.

  1. lasale

    lasale Private E-2

    I am using a Dell 8200 laptop. My middle-schooler has been on AOL-IM, BearShare and whatever, and the PC has been inundated with browser hijacking. I have been through your protocol page and followed all steps, but still get hijacked to downloadwebsite, and when using Ad-Aware SE with the plug-in, the VX2 shows up. When you delete it, it says it can't fix them all and My Documents opens up. I have downloaded a hosts file from mvps.org.
    I have also had ezula, coolwebsearch, scbar, search-exe hijacker, targetsoft, CoolWWWSearch, IGETNET show up in the various programs you directed me to run in Safe Mode.
    Buster Report-No ADS
    HSRemove-12 items removed
    CWShredder-CWS Bootconf removed,
    Symantec Security Response-No viruses detected in Memory. Your computer is infected with at least one known virus or Trojan horse.
    BTW, I have been getting a Fatal Error message about the Windows Logon process system. You don't say whether to turn System Restore back on. Is that the problem?
    Will you help me?
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Lasale,

    If you have exhausted all Cleaning Options, go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder: C:\Program Files\HijackThis
    Should you need a fresh download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. lasale

    lasale Private E-2

    Difficult to complete tasks because of the browser opening. Log attached.
     
  4. lasale

    lasale Private E-2

    It is reading errors for the attachment process? How do I get the log file up?
     
  5. lasale

    lasale Private E-2

    I apologize for copying the logfile, but I got errors trying to upload as attachment.
     

    Last edited by a moderator: Feb 17, 2005
  6. PhilliePhan

    PhilliePhan Guest

    Hi Lasale,

    I'll have to check back tonight when I get some free time, but to get started, please do the following:

    FIRST:
    Please EXTRACT HijackThis from the ZIP File to C:\Program Files\HJT. Let me know if you need help doing this.

    THEN:
    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox


    Try to attach (or copy and paste) a Fresh HijackThis log and I'll get back to you tonight. This particular cleanup procedure is a long one, but it is quite painless!!

    PP :)
     
  7. PhilliePhan

    PhilliePhan Guest

    Let me know when you are ready to begin :)
     
  8. lasale

    lasale Private E-2

    Sorry for the delay. Went to see The Aviator. Hughes would have been even worse with a computer in his hands.
    The zip for HJT is just there but has been extracted already.
    I ran the four tools, but I guess there is nothing to do for the KillBox yet...
    Attached are the logs.
     

    Attached Files: log.txt (12 KB), vx2.log (280 bytes)
  9. lasale

    lasale Private E-2

    The HJT log is here, and maybe the Generic Detection Tool output.
     

  10. PhilliePhan

    PhilliePhan Guest

    Hi Lasale,

    I really didn't want you to run any of the tools yet! Especially without being familiar with them. Oh, well . . . Probably no harm done :) We'll forge ahead:

    Now:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log - I'll take a look and let you know how to proceed.

    PP :)
     
  11. lasale

    lasale Private E-2

    Attached is output.text from the Generic Detection Tool.
    BTW, in doing stuff, I got a virus warning for Backdoor.Sdbot. It is not quarantined now. It is in C:\doc&set\Caroline\localsettings\temp\temporaryinternetfiles\content.IE5\CBJBQO9H\photos[1].txt.
     

  12. PhilliePhan

    PhilliePhan Guest

    Hi Lasale,

    You are running quite a few anti-spyware tools – Might be wise to weed out some of the less effective ones in favor of SpybotSD and Spyware Blaster when we finish.

    Also, it looks like msconfig is running selective startup – What has been disabled?

    I will leave a few questionable personal preference type items alone.


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    BearShare
    Windows Ad Status
    WinTools
    AdStatus Service


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\system32\prutmct.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/190b29d60b028e1bb819/netzip/RdxIE601.cab
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they still remain:

    C:\PROGRAM FILES\COMMON FILES\WinTools --> The Folder
    C:\Program Files\BearShare --> The Folder
    C:\Program Files\AdStatus Service -->The Folder
    C:\WINDOWS\system32\prutmct.exe

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NEXT:
    Reboot to Normal Windows.
    Check your Recycle Bin to make sure that no problems remain.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NEXT:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.

    Rescan with HijackThis and attach a fresh log. Also, tell me how things are running now and if any problems remain. I'll check back as time permits.

    PP :)
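The HijackThis items flagged in the post above share three patterns that can be checked mechanically rather than by eye: O1 hosts entries that map search sites to a remote address (a blocking hosts file such as the mvps.org one lasale installed maps names to 127.0.0.1 or 0.0.0.0, so a routable address means redirection, not blocking), an O4 autorun launching a bare executable that sits directly in system32, and an O16 ActiveX download served from a raw IP address. The script below is an added example, not part of this thread and not HijackThis code; it parses lines in HJT log format and applies those checks. The sample log is constructed from the entries quoted in this thread plus two benign lines (a 127.0.0.1 hosts entry and ctfmon.exe) so the checks have something to leave alone. The allowlist of legitimate system32 autoruns is my assumption and is deliberately tiny.

```python
"""Triage checks over HijackThis-format log lines (added example, not HJT code).
Assumptions, mine rather than the thread's: one HJT entry per line with its
section code first; a blocking hosts file (e.g. mvps.org's) maps names only to
127.0.0.1 or 0.0.0.0; KNOWN_SYSTEM32_AUTORUNS is a starter allowlist, not complete."""
import ipaddress
import re
from urllib.parse import urlsplit

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}).*?-\s+(\S+)$")
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0"}
SYSTEM32 = "c:\\windows\\system32\\"
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}  # assumed allowlist; extend per machine

# Constructed sample: entries quoted in this thread plus two benign lines
# (a 127.0.0.1 hosts entry and ctfmon.exe) that the checks must leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\system32\prutmct.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/190b29d60b028e1bb819/netzip/RdxIE601.cab
"""

def _as_ip(text):
    """ip_address object for a literal address, None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def hosts_redirects(lines):
    """O1 entries that send a name somewhere other than loopback/null, i.e. redirects."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        addr, name = m.groups()
        ip = _as_ip(addr)
        if ip is not None and addr not in BLOCKING_TARGETS and not ip.is_loopback:
            hits.append((name, addr))
    return hits

def _exe_path(cmd):
    """Executable out of a Run command line: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def run_from_system32(lines):
    """O4 entries that launch a bare .exe sitting directly in system32, minus the allowlist."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.groups()
        path = _exe_path(cmd).lower()
        exe = path[len(SYSTEM32):] if path.startswith(SYSTEM32) else "\\"
        if "\\" not in exe and exe not in KNOWN_SYSTEM32_AUTORUNS:
            hits.append((hive, name, path))
    return hits

def activex_from_bare_ip(lines):
    """O16 (Download Program Files) entries whose CAB/EXE is fetched from a raw IP."""
    hits = []
    for line in lines:
        m = DPF_RE.match(line)
        if not m:
            continue
        clsid, url = m.groups()
        if _as_ip(urlsplit(url).hostname) is not None:
            hits.append((clsid, url))
    return hits

def triage(log_text):
    """All checks over raw HJT log text, findings keyed by check name."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    return {
        "hosts_redirects": hosts_redirects(lines),
        "run_from_system32": run_from_system32(lines),
        "activex_from_bare_ip": activex_from_bare_ip(lines),
    }

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check)
        for item in findings:
            print("   ", " | ".join(item))
```

Run as is to see the findings from the sample, or pass a real HJT log's text to triage(). The hosts check is the one that separates a legitimate blocking hosts file from a hijack: both add many lines, but only the hijack points names at a routable address, which is exactly what restoring the original hosts file with HOSTER undoes. The system32 allowlist is the weak spot of the autorun check, since XP legitimately starts a few executables from that directory, so tune it before trusting its output on another machine.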
     
  13. lasale

    lasale Private E-2

    Guardian.reg wouldn't highlight to click. Recycle Bin was fine. No hijacking so far. Attached is the log.
     

  14. PhilliePhan

    PhilliePhan Guest

    HJT log looks OK! You could fix these:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    Are things still running the way they should?

    Please have a look at Chaslang's Suggestions!!

    PP :)
     
  15. lasale

    lasale Private E-2

    Attached is the HJT log. Working fine. In the suggestions... Spyware Doctor is NOT free. Interestingly, the free online scan of Spyware Doctor revealed 28 items and the PestPatrol online scan revealed 253 items, from ezula to Virtual Bouncer to xxx.
    When I run Ad-Aware SE and Spybot S&D they say I am clean. Do I need to purchase Spyware Doctor?
    BTW, the links from your website today on all of these, on two computers, are leading to "Cannot Open Page"...?
    Also, you cannot access the Sun Java link even from their site. And the link to the tool to get rid of Microsoft Java doesn't work.
    Any other suggestions? Leave well enough alone?
    Thank you.
     

  16. PhilliePhan

    PhilliePhan Guest

    The log looks OK. Some of those detections may be False Positives or orphaned registry entries with no corresponding files. If you are not having symptoms or problems, I'd not worry about it. I tend to trust Ad-aware and Spybot. I suggest you go with those two and add Spyware Blaster. You should also look at the new Microsoft Anti-spyware in a few weeks - They are working the kinks out of it right now, but it promises to be a strong deterrent!

    Also, make sure you run a good Firewall (suggest Sygate or ZoneAlarm) and turn OFF the built in Windows Firewall.

    I am not sure about the problem with the links - Could be site related problem. Does this happen at other sites? If problem persists, let us know and we'll explore it in depth!

    PP :)
     
