New form of spyware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Chriscfi, Mar 24, 2005.

  1. Chriscfi

    Chriscfi Private E-2

We read and printed out your "Do not post HijackThis logs until you have followed these steps"; we followed the steps and even downloaded MS Spyware beta. Nothing seems to work. Ad-Aware, Spybot, Sweeper all find programs and remove them, and in about 30 minutes they are back. The hosts file is being changed even after running just about every spyware blocker/remover we can find. All done in safe mode (XP) with recovery disabled and the network cable disconnected. Help.
    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file.

    - Before running HijackThis, you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Chriscfi

    Chriscfi Private E-2

    Here is the HijackThis log attachment.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tools (but only run what I request) and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    Pocket KillBox

    LSP - Fix


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Second Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later, when we reconnect).

    Third Step:
    Get a new HJT log.

    Now reconnect and come back here and post as attachments the find.bat log (normally already named output.txt) and the new HJT log (this will require two posts, as only two attachments can be made in a message). Based on those logs, we will determine the next steps.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  5. Chriscfi

    Chriscfi Private E-2

    I will do as you suggest; however, in frustration, I ran an XP repair to get internet access back at the infected computer. Let me know if I need to send a new HijackThis log after this reinstall. It is a repair of the OS with XP SP1. I can update it to SP2 before following your instructions, or just hold off until you get the new HJT log. I've been fighting this for 3 days and my optimism is running out.
    Thanks for your help!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not update to SP2 until all malware issues are resolved! Post a new HJT log right now! An XP repair would not remove the malware files. It could cause some things to not show but their files could still be lingering.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wait you already had XP SP2 installed?

    You know the repair was not needed? The first step I gave in my procedure would have fixed your internet access problem!
     
  8. Chriscfi

    Chriscfi Private E-2

    I will not be able to post a new HJT log until I get back to the infected computer in the a.m. I will not update to SP2, and will post a new log about 10 a.m. CST.
    Thanks again.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok! Did you notice what I said about the repair not being needed? You just need to be a little more patient when you come here for help. Your HJT log post was answered in 7 minutes. If you had checked back before doing a repair, you could have saved yourself a load of aggravation doing unnecessary steps.
     
  10. Chriscfi

    Chriscfi Private E-2

    I agree, and really am astounded by the speed with which you are helping me. My problem was that the computer would not connect to the internet or any nodes on the net. I could not even have received your e-mails. So I may have made a poor choice, but I needed to get that computer to a point where I could at least get help at it.
    Thanks again, I do appreciate your assistance.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! The file (dolsp.dll) which was shown in your HJT log was missing and was part of your LSP chain. With it missing, the chain is broken and you would get no internet access. That was what I was telling you to repair in that first step with LSP-Fix.
     
  12. Chriscfi

    Chriscfi Private E-2

    I figured that, went to an uninfected computer and did a search for the file, thinking I could copy it to the infected one. Could not find the file. Tried it on a different one, and the file must be hidden beyond the "show hidden files" access.
    How do you get to it?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not want it. It is malware and is not supposed to be there to begin with.
    Somewhere along the line the file was removed somehow, but it was not removed from the LSP chain first. That is what broke your internet access.
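The failure described in the two posts above (a Winsock LSP entry that still points at a DLL that has been deleted) can be checked directly on the machine, without HijackThis or LSP-Fix. The following is an added example written for this page, not code from the thread or from LSP-Fix: it walks the Winsock2 protocol catalog in the registry, pulls the provider DLL path out of each entry's PackedCatalogItem blob (the path is stored at the start of the blob as a NUL-terminated ANSI string; that layout is the assumption the script relies on) and reports which DLLs no longer exist on disk. Run it in an elevated PowerShell prompt on the affected computer.

```powershell
# Added example (not from the thread or from LSP-Fix): list every Winsock
# catalog entry and flag the ones whose DLL is missing. A missing DLL in the
# chain fails every socket creation, which is why nothing could reach the
# network in the case above.

$catalogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'

function Get-LspDllPath {
    param([byte[]]$PackedCatalogItem)
    # Assumption: PackedCatalogItem begins with the provider DLL path as a
    # NUL-terminated ANSI string (at most MAX_PATH = 260 bytes), followed by
    # the protocol info structure that we do not need here.
    $end = [Array]::IndexOf($PackedCatalogItem, [byte]0)
    if ($end -lt 0) { $end = [Math]::Min(260, $PackedCatalogItem.Length) }
    $raw = [System.Text.Encoding]::Default.GetString($PackedCatalogItem, 0, $end)
    # Paths are commonly stored with %SystemRoot% unexpanded.
    return [Environment]::ExpandEnvironmentVariables($raw)
}

$report = Get-ChildItem -Path $catalogKey | ForEach-Object {
    $item = Get-ItemProperty -Path $_.PSPath
    $dll  = Get-LspDllPath -PackedCatalogItem $item.PackedCatalogItem
    [PSCustomObject]@{
        Entry   = $_.PSChildName
        Dll     = $dll
        Present = Test-Path -LiteralPath $dll
    }
}

$report | Sort-Object Present, Entry | Format-Table -AutoSize

$broken = $report | Where-Object { -not $_.Present }
if ($broken) {
    Write-Warning ("{0} catalog entr{1} reference a DLL that is not on disk; " +
        "the LSP chain is broken until these are removed or the catalog is reset." -f
        $broken.Count, $(if ($broken.Count -eq 1) { 'y' } else { 'ies' }))
}
```

Any entry that prints `Present = False` is the kind of dangling provider dolsp.dll was in this thread. Remove it with LSP-Fix as the post instructs, or, on XP SP2 and later, rebuild the whole catalog with `netsh winsock reset` and reboot. On a 64-bit Windows there is a second key, `Catalog_Entries64`, next to the one above; point `$catalogKey` at it and run the script again.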
     
  14. Chriscfi

    Chriscfi Private E-2

    I have run LSP-Fix and the Generic Detection Tool. Attached is the log file for find.bat.
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    First Step:
    Please move the L2MeFix Tool to your Desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat, then type 1 and ENTER to select Option #1, "Run Find Log". Allow it as much time as it needs to run until Notepad opens with a log.

    Second Step:
    Go to the l2mfix folder on your Desktop and double-click l2mfix.bat, then type 2 and ENTER to select Option #2, "Run Fix". Then press any key to reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later, when the remaining steps are completed.

    Do not run any other files in the L2MFix folder.

    Third Step:

    Run "find.bat" from the Generic Detection Tool again!

    Fourth Step:
    Get a new HJT log.


    Now reconnect to the internet, come back here, and post as attachments the L2MeFix log and the find.bat log along with the HJT log.

    Okay, after doing the above DO NOT REBOOT.
     
  16. Chriscfi

    Chriscfi Private E-2

    Ran the programs; here are the first two logs.
     

  17. Chriscfi

    Chriscfi Private E-2

    Here is the HJT log.
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember to always exit browsers before you run HijackThis. In your logs I keep seeing the below:
    C:\Program Files\Internet Explorer\iexplore.exe

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the opening page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and kill them one at a time by selecting each and then clicking "Kill process". Then click Yes.
    C:\WINDOWS\System32\vnpiav.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [second] C:\Documents and Settings\Collector's Office\Desktop\l2mfix\second.bat
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vnpiav.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\vnpiav.exe

    If you get an error when deleting a file, right-click on the file and check to see whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
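The post above is a four-part manual procedure: stop the running process, drop its autostart values, delete the file (clearing the read-only attribute if the delete is refused), and confirm nothing came back. The script below is an added example for this page, not part of the thread or of HijackThis; it performs the same steps in one elevated PowerShell session and then verifies each of them, using the file name and Run-value names from this thread's log as the inputs (substitute your own when working from a different log). The O9 "Related" entries in the post are browser extension keys rather than Run values and are not covered here.

```powershell
# Added example (not from the thread): the manual HijackThis/Explorer steps
# above as one scripted, verified cleanup. Order matters: kill the process
# before deleting the file, and drop the Run values so a reboot does not
# simply relaunch it. Run elevated.

$target    = 'C:\WINDOWS\System32\vnpiav.exe'              # from the HJT log in this thread
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('KavSvc', 'second')                           # O4 value names from the same log
$procName  = [IO.Path]::GetFileNameWithoutExtension($target)

# 1. Stop the process first; an open image cannot be deleted.
Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 1

# 2. Remove the autostart values so nothing relaunches the file at logon.
foreach ($name in $runValues) {
    $existing = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host ("Removing Run value '{0}' -> {1}" -f $name, $existing.$name)
        Remove-ItemProperty -Path $runKey -Name $name
    }
}

# 3. Clear Read-only/Hidden/System so the delete is not refused, then delete.
#    -Force is required for Get-Item to see a hidden file at all.
if (Test-Path -LiteralPath $target) {
    $file = Get-Item -LiteralPath $target -Force
    $file.Attributes = [IO.FileAttributes]::Normal
    Remove-Item -LiteralPath $target -Force
}

# 4. Verify each step actually took effect before rebooting.
$stillRunning = [bool](Get-Process -Name $procName -ErrorAction SilentlyContinue)
$stillOnDisk  = Test-Path -LiteralPath $target
$leftoverRun  = @(foreach ($name in $runValues) {
    Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
}).Count

[PSCustomObject]@{
    ProcessStillRunning = $stillRunning
    FileStillPresent    = $stillOnDisk
    RunValuesRemaining  = $leftoverRun
} | Format-List

if ($stillRunning -or $stillOnDisk -or $leftoverRun -gt 0) {
    Write-Warning 'Cleanup incomplete; repeat from safe mode before rebooting normally.'
}
```

If `FileStillPresent` is still `True` after this, something is re-creating it or holding it open, which is the "back in 30 minutes" behaviour from the first post; in that case take the file and a fresh log back to the thread rather than rebooting, as the earlier instructions say.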
     
