Overwhelmed with spyware, page-jacking punks! Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by go2ri2l, Jan 29, 2005.

  1. go2ri2l

    go2ri2l Private E-2

    I've tried Spybot, Zone Alarm to add to NAV 2003. I followed your suggestions of downloading SP2 again (it had fouled up so many things that I had reverted back) and dumping AA 6.0 for AA SE! It came up with over 750 baddies! Dealt with them, rebooted and my homepage was jacked with miraclesearch. Where do I go from here, Internet Rangers?
     
  2. TheOldThug

    TheOldThug First Sergeant

    Hi :rolleyes:

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS will help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    TheOldThug
     
  3. go2ri2l

    go2ri2l Private E-2

    After I'd sent off my plea, in a state of meltdown, I found "Read this first" and am in the process of going through all the steps listed. (Hard for us ADHD'ers!) Sorry that I was premature. I am relieved to have a cookbook to go by instead of frantic attempts.
    Thanks for your help.
     
  4. go2ri2l

    go2ri2l Private E-2

    OK, I'm crawling out of the trenches, bruised and battered. I've run all the programs twice and gotten rid of quite a bit, but the last time through still leaves me with WWWcoolsearch items and CWShredder keeps "encountering a problem and has to shut down". As I try to post this, I'm getting assaulted from popups. This is as bad as a colonoscopy prep, but will be worth it to be rid of the insidious thugs.
    What can I do next?
    Thanks
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi go2ri2l,

    Please go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  6. go2ri2l

    go2ri2l Private E-2

    I can't seem to attach the file. I get upload error, after going to management attachments, browse to C:\program files\Hijack this file, select, it appears in the window, hit upload and it's gone. Upload error.
    I rebooted, but same.
     
  7. PhilliePhan

    PhilliePhan Guest

    Just save the Log to the Desktop where you can find it easily. If need be, copy and paste it to your post and I'll attach it when I check back.

    PP :)
     
  8. go2ri2l

    go2ri2l Private E-2

    I ran another one, since I've been off the computer for a few hours' reprieve. My 14 y/o son's been on (with dire admonishment not to download anything).
    Thanks. I hope I got it right.
     

    Attached Files: LOG.txt (5.9 KB)
    Last edited by a moderator: Jan 31, 2005
  9. PhilliePhan

    PhilliePhan Guest

    Hi go2ri2l,

    You have a few issues including a Narrator Trojan and a VX2 variant. We should be able to get you fixed up!:cool:

    How many active User Accounts are on this machine?


    To start:
    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    FIRST:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Next:
    Look in Add/Remove Programs for Browser Aid, Browser Pal or other toolbars and Uninstall if found. Note any other suspicious looking entries.

    NEXT:
    Please scan with HijackThis and Check the Boxes for the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    (These will come back)

    O4 - HKLM\..\Run: [dwblvc] C:\WINDOWS\System32\dwblvc.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKCU\..\Run: [a07FRjZ3T] dbmv_32.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    (These should be gone after using LSP-Fix)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:

    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    dbmv_32.exe --> Use Windows Explorer to find this one
    D0CE0C16B1 --> Use Windows Explorer to find this one
    C:\WINDOWS\System32\dwblvc.exe
    E6F1873B.DLL --> Use Windows Explorer to find this one

    NEXT:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NOW:
    Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please save the l2mfix log along with a fresh HijackThis log and try to attach them using the "Manage Attachments" tool in the Additional Options section when you post.
    TRY NOT TO REBOOT after scanning for these logs! I will try to check back as time permits.

    Best Luck :)
    PP
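For readers who want to see how the kinds of log entries PhilliePhan singles out above can be surfaced mechanically, here is an added Python example (it is not from the thread and not part of HijackThis) that triages a constructed HijackThis log with three heuristics: hosts-file entries that map a name to something other than loopback, Run entries with machine-looking value names or path-less commands, and unknown Winsock LSP modules. The sample lines are modelled on the post; the localhost and ccApp entries are constructed benign lines for contrast.

```python
import re

# Constructed sample HijackThis log, modelled on the entries quoted in the post above;
# the localhost and ccApp lines are constructed benign entries for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [dwblvc] C:\WINDOWS\System32\dwblvc.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [a07FRjZ3T] dbmv_32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.*)$")
LOOPBACK = {"127.0.0.1", "::1"}
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8,}$")          # e.g. 98D0CE0C16B1
GUID_NAME = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
NO_VOWELS = re.compile(r"^[b-df-hj-np-tv-z]{5,}$", re.I)  # weak: dwblvc-style names

def triage(log_text):
    """Return (item, reason, line) for entries worth a human look. These are
    heuristics only: they surface candidates, they do not decide what is malware."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O1_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:      # hosts entry redirecting a name elsewhere
                findings.append(("O1", f"hosts maps {host} to {ip}", line))
        elif m := O4_RE.match(line):
            _hive, name, cmd = m.groups()
            reasons = []
            if HEX_NAME.match(name) or GUID_NAME.match(name) or NO_VOWELS.match(name):
                reasons.append("machine-looking value name")
            if "\\" not in cmd:         # bare file name, resolved via PATH/System32
                kind = "rundll32 DLL" if cmd.lower().startswith("rundll32.exe") else "executable"
                reasons.append(f"{kind} given without a path")
            if reasons:
                findings.append(("O4", "; ".join(reasons), line))
        elif m := O10_RE.match(line):
            findings.append(("O10", f"unknown Winsock LSP module {m.group(1)}", line))
    return findings

if __name__ == "__main__":
    for item, reason, line in triage(SAMPLE_LOG):
        print(f"{item}: {reason}\n    {line}")
```

Every flagged line still needs the kind of human judgement shown in the thread; the script only shortens the list a helper has to read.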
     
  10. go2ri2l

    go2ri2l Private E-2

    Dear Phillie Phan,
    I'm back and have followed all instructions. I even managed to get the attachments on here. I'll be around waiting for input.
    We only run one User Account anymore. Multi's seemed to slow and jam things up.
    Thanks for all you do!
    go2ri2l
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi go2ri2l,

    Happy to help :)

    NEXT STEPS:
    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log.

    Again, don't run any other files in the L2MFix folder.

    THEN:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with the L2MeFix Log. These will tell me if we got all the VX2 and pinpoint the Narrator Trojan.

    Been very busy today - I will check back as time permits.

    PP :)
     
  12. go2ri2l

    go2ri2l Private E-2

    O.K. Here's what I got this time.
    go2ri2l
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    Hi Go2ri2l,

    A few more steps left:
    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    NOW:
    Please check your Recycle Bin to make sure that no problems remain.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.


    NEXT:
    Now, you will be entering items into Pocket KillBox. Please open KillBox and select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Also, check the box to “End Explorer Shell While Killing File” for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\System32\vmss
    C:\WINDOWS\system32\ozpznu.dll
    C:\WINDOWS\system32\ygugqz.dll
    C:\WINDOWS\system32\zpupam.exe
    C:\WINDOWS\system32\aquqky.dat
    C:\WINDOWS\system32\iyuygo.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\uygyip.exe

    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixnrtr.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-



    Now:
    DoubleClick on the fixnrtr.reg file you made and allow it to merge the registry entries into the registry.


    NEXT:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.

    Finally, reboot and give me another Find.bat Log and HijackThis Log and tell me how things are running. Hopefully, all will be clear, but it is likely that we will have to remove a few remnants with HijackThis before we can declare your machine healed.

    PP :)
     
  14. go2ri2l

    go2ri2l Private E-2

    Hi PP,
    Recycle was empty.
    VX2.finder showed nothing. I made logs but haven't done anything else at this point.
    go2ri2l
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    ALL of the above instructions still apply and must be followed :cool: Just skip the bit about Recycle Bin. Please do the other steps as I listed them and post the two logs I requested at the end of last post.

    Hang in there. . . . Almost done :)

    PP
     
  16. go2ri2l

    go2ri2l Private E-2

    Dear Phillie Phan,
    OK, I saw where I got confused in the VX2 part, but got back ontrack. I completed all of the steps and attached logs. The computer is our friend, once again. Haven't had a pop-up or any of the nasty surprises that have plagued us for months.
    You are a hero!
    go2ri2l
     

    Attached Files:

  17. PhilliePhan

    PhilliePhan Guest

    Happy to help :)
    Everything looks good! I think we can declare your computer healed.

    While you’re here, have a peek at Chaslang’s Recommendations.

    Happy Computing :)
    PP
     
  18. go2ri2l

    go2ri2l Private E-2

    I cannot thank you enough for all of your patience, time and generosity in sharing your expertise with me. I have learned a lot from you and the Major Geeks. Your site will always hold a place in my Favorites file. I hope that with the suggested preventative maintenance, I won't need such intensive therapy again.
    I hope that your Phillies do great this year and get to play my Red Sox in September, or even better, October. :)
    Thanks again.
    go2ri2l
     
  19. PhilliePhan

    PhilliePhan Guest

    You're welcome :)

    Hope my Phillies play the Sox in October as well, but both the AL & NL Easts are going to be marathon battles this season! The competition is restocked and reloaded . . . . At the very least, it'll be interesting!

    Best :)
    PP
     
