Persistent VX2, no internet, IP reset

Discussion in 'Malware Help (A Specialist Will Reply)' started by jfxgrizzly, Dec 23, 2004.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember the tools I said you would need????

    Unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.
     
  2. jfxgrizzly

    jfxgrizzly Private E-2

    FindIt log attached.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, let me see if I can get you started. Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

    C:\WINNT\System32\anmfd.dll
    C:\WINNT\System32\fpro0393e.dll
    C:\WINNT\System32\n0n60a5sed.dll
    C:\WINNT\System32\SNDOCVW.DLL
    C:\WINNT\System32\kodbe.dll
    C:\WINNT\System32\gpl6l33s1.dll
    C:\WINNT\System32\wkpdxm.dll
    C:\WINNT\System32\WGNHTTP5.DLL
    C:\WINNT\System32\hr6q05j5e.dll
    C:\WINNT\System32\wti.dll
    C:\WINNT\System32\iygcmn.dll
    C:\WINNT\System32\q0ps0a77ed.dll
    C:\WINNT\System32\whnrnr.dll
    C:\WINNT\System32\tkpmon.dll
    C:\WINNT\System32\twpmon.dll
    C:\WINNT\System32\RISUTILS.DLL
    C:\WINNT\System32\abstream.dll
    C:\WINNT\System32\maslgn32.dll

    and c:\winnt\system32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\anmfd.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After it reboots get another findit.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
    Last edited: Dec 31, 2004
  4. jfxgrizzly

    jfxgrizzly Private E-2

    killbox has been run. reboot done. findit running. logs to follow.

    The afflicted PC is running Win2K with multiple users. Two with admin privileges that exhibited the pop-up problems. Will any/all of these procedures have to be run under other user logins?

    Ah! Here are the logs.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! All users have to be fixed. However, these steps may have already taken care of the biggest part of the problem for all users.

    Okay, use Windows Explorer and navigate to C:\Windows\SYSTEM32 and look for a file named guard.tmp. If it exists (and it looks to me like it does), feed it to KillBox and Delete using Standard File Kill. (This does not require a reboot.)

    Tell me if this works then we can move to the next step.
     
  6. jfxgrizzly

    jfxgrizzly Private E-2

    DllCompare log attached.

    guard.tmp standard delete worked successfully.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click the Restore Policy Button.

    Then, use the UserAgent$ Button to remove the UserAgent from the registry.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log from normal boot mode.
     
  8. jfxgrizzly

    jfxgrizzly Private E-2


    This popped up while executing 'Restore Policy': "Windows needs to reboot to complete repair" -- OK? or Cancel?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click OK! And let it reboot. Then come back and post the logs.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are we having a problem? What's taking you so long? I need to get some sleep but wanted to finish this.

    Is the scan taking this long?
     
  11. jfxgrizzly

    jfxgrizzly Private E-2

    Sorry. Yes, the scan is taking long. Findit is running now. HJT is next ...
     
  12. jfxgrizzly

    jfxgrizzly Private E-2

    here they are ... thanks! I'm with you on both counts -- sleep and finishing! Majorgeeks is awesome!
     

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hey chaslang, Just wanted to say thanks for helping me out with this thread. I've been mainly trying to get the user's 169 ip address resolved, found out it was the winsock2 corruption. But I got him through that and now you finished it up, helping with this new VX2 variant. Thanks again!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just noticed you have HijackThis installed in Lavasoft's directory. While this does not prevent it from working, it is not good practice. The C:\Program Files\Lavasoft folder is for their software (like Ad-Aware), not for other programs. You should move HijackThis along with its backup folder to:
    c:\Program Files\HJT (which you will have to create).


    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    RightClick on the above registry key (the Telephony one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.


    Looks like we are finished because your HijackThis log is already clean. That's a rather small log. Is that everything running? Is it from normal boot mode? It looks like a lot of stuff that should be running (like your virus app) is not.
     
  15. jfxgrizzly

    jfxgrizzly Private E-2

    Thanks to you both! And I just noticed I made PFC! This has been a thrilling evening!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! These VX2's can sometimes be much more difficult than this one, requiring many more passes of findit.bat and cleanups using Killbox.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Private! Finish up my instructions on the double. :D
     
  18. jfxgrizzly

    jfxgrizzly Private E-2

    Telephony registry key is deleted.

    The HJT log is in normal bootup mode, but as you noted, not everything is running. Sometime before getting started on this thread some of my normal bootup software stopped being started. I figured I would have some repair work to do on this once the problem spyware was removed.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You should do the stuff here to help avoid future problems: How to Protect yourself from malware!

    Now check your other login out while I try to get some sleep. ;)
     
  20. jfxgrizzly

    jfxgrizzly Private E-2

    Aye, aye, Sir! :)
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I will be here for a little while longer, if you have any other problems just let me know. Thanks and Browse Safely!
     
  22. jfxgrizzly

    jfxgrizzly Private E-2

    Thanks! I've just updated my Norton-AV definitions. It takes a couple of hours to scan the system. I'll be going over the 'How to Protect yourself from malware!' post then running Norton. Shouldn't be too much trouble.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, Great..glad everything seems to be going good right now. Good Luck!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Let us know what the status of your other login is.
     
  25. jfxgrizzly

    jfxgrizzly Private E-2

    Thanks for the help. All systems run better! (I've been running through the 'READ ME FIRST ...' process on other logins and systems.)

    The other login most at risk on this system has been cleaned with that same process. It looked great until I ran HJT and saw about:blank. The log file is attached.

    FYI: I probably won't be online until tomorrow night.
     

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's not an about:blank hijack; you just need to Reset Your Web settings.

    Also the below should be fixed. Some of the O15 lines may come back (like crazywinnings)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll (file missing)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
     
  27. jfxgrizzly

    jfxgrizzly Private E-2

    Web settings reset. Items fixed w/HJT. Everything is looking great.

    Thanks, again! I'll let you know if any other users look funky.

    v/r, grizzly.
     

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well the
    O15 - Trusted Zone: *.frame.crazywinnings.com

    came back as I said!

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Now run HJT and fix the O1 - Hosts lines and the O15 - Trusted Zone: http://*.frame.crazywinnings.com line if still there. Then reboot your computer and get a new HJT log to post here.
     
  29. jfxgrizzly

    jfxgrizzly Private E-2

    Merged the registry data. Rebooted. HJT log attached.

    No more crazywinnings. Did not see O1 or O15 entries in HJT scan.

    v/r, grizzly.
     

  30. jfxgrizzly

    jfxgrizzly Private E-2

    What is '!Submit' directory?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are backups from what Pocket Killbox was deleting. You can delete them later when we are sure that none of them were required for anything else. By now that should be a safe bet.

    Your log is clean. I just have to ask, did you place the below restriction using SpywareGuard, SpywareBlaster or another program like that?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     
  32. jfxgrizzly

    jfxgrizzly Private E-2

    Thanks. The directory is empty--just didn't know where it came from.
    Probably. But I don't know. I have run them both. And SpyBlocker.

    Another question: I have several other logins and another PC that I'm cleaning. After running through the clean up process can I post the HJT files here or elsewhere to have them checked out?

    Thanks, again!
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can post the HJT logs in this thread. But let's work one at a time, it gets confusing otherwise.
     
  34. jfxgrizzly

    jfxgrizzly Private E-2

    Hi, again. Been out of town.

    The attached HJT log is from a new login. The scans have all been run from this login.

    Thanks! v/r, grizzly
     

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this log from safe mode? If so, ALWAYS post HJT logs from normal boot mode unless otherwise requested. Also, you only need to run HSremove and about:Buster if you have HSA and/or about:blank hijacks.

    Why was C:\WINNT\system32\taskmgr.exe running? If you ran Task Manager before using HJT, don't do that.

    You should also shut down C:\Program Files\AIM95\aim.exe before using HJT.

    You can have HJT fix this line:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    But I need to see a normal boot mode log. Other than the above it looks clean!
     
  36. jfxgrizzly

    jfxgrizzly Private E-2

    Oops on the task manager & AIM ...
    The attached & previous log are both in normal bootup mode.
    This user does not have admin privileges -- could that make it look like a safe mode bootup?

    Thanks!
     

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is only one way that this log and the previous can be from normal mode and that would be if it were being edited or filtered (HJT has a filter option) to remove items. There are items missing that absolutely must be running or your PC would not boot. Get a full un-edited/unfiltered log from normal boot mode.

    For example, a few items that should be showing:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
     
  38. jfxgrizzly

    jfxgrizzly Private E-2

    There are 14 items in my HJT Ignore list. How do I remove them? If I use the delete button on the config/Ignore List tab, will it delete the items or remove them from the ignore list? (I added them to the ignore list before finding majorgeeks.com)

    I didn't see the items listed in your post in the ignore list. Could they be filtered elsewhere?
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Select each item in your Ignorelist and then click the Delete button. That "deletes" them from the Ignorelist only.

    While putting items in the Ignorelist may be a useful feature to the individual end user so they can easily see when something has changed or been added to their log, it is not useful at all in cases like this when someone else is trying to help fix problems on your PC. There are things that we expect to see. Sometimes good, sometimes bad stuff. But if we don't see them, it could be because something bad is hiding them or preventing them from running. Thus we get sent down the wrong path. And could even be asking you to install or do something that is totally not necessary. Just look at how much time we wasted here because I kept saying "that cannot be your whole log" or "that cannot be from normal boot mode".
     
  40. jfxgrizzly

    jfxgrizzly Private E-2

    HJT ignore list cleared ... new HJT log attached.

    HJT warning during scan indicated hosts file was inaccessible. Here are the hosts file entries:

    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com

    They look like sites to avoid that perhaps one of the spyware cleanup utilities has put in the hosts file to avoid being reinfected. True?
     

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That's true, but we don't like to see that stuff in a hosts file. It makes it too easy for bad stuff to hide, and it does not do much good anyway since most malware that uses the hosts file for anything will just re-write it anyway. We need to find out why yours is inaccessible to HJT. Is the file set up to be hidden or a system file?

    Your HJT log is still being filtered. I need a full complete unfiltered log. Check it before posting.
     
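The hosts-file point above (loopback "block" entries versus entries that redirect a name to some other address, which is what HijackThis reports as O1 items) can be checked mechanically. The following is an added example, not code from the thread or from HijackThis; the hosts file contents are constructed, and the two redirect lines are hypothetical.

```python
"""Audit a Windows hosts file: separate the default localhost entry,
loopback blocklist clutter, and redirects to non-loopback addresses.
Added example; the sample hosts content below is constructed."""
import ipaddress
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_NAMES = {"localhost"}

# Constructed sample: a few of the 127.0.0.1 entries quoted in the thread,
# plus two hypothetical redirect lines (192.0.2.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
# Constructed hijack examples below (not from the thread):
192.0.2.10 www.example.com
192.0.2.10 search.example.net   # trailing comment after an entry
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname token on a line."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises the address
        except ValueError:
            continue  # malformed line; hosts parsers ignore these too
        for name in parts[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def classify(pairs: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """default: loopback -> localhost; blocklist: loopback -> anything else;
    redirect: any other address (the kind of entry worth investigating)."""
    report: Dict[str, List[Tuple[str, str]]] = {"default": [], "blocklist": [], "redirect": []}
    for ip, name in pairs:
        if ip in LOOPBACK and name in DEFAULT_NAMES:
            report["default"].append((ip, name))
        elif ip in LOOPBACK:
            report["blocklist"].append((ip, name))
        else:
            report["redirect"].append((ip, name))
    return report


def audit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    return classify(parse_hosts(text))


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_HOSTS).items():
        print(f"{kind}: {len(entries)}")
        for ip, name in entries:
            print(f"  {ip} -> {name}")
```

On a real machine, read the file from the system32\drivers\etc path and treat anything in the redirect bucket as an O1-style item to review.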
  42. jfxgrizzly

    jfxgrizzly Private E-2

    Added this login to 'Administrators' group -- now HJT scan includes expected services and has no errors reading hosts.

    The hosts file is not hidden, but only the 'Administrators' group and 'System' have more than read privileges.

    The HJT file is attached.
     

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This log is clean! If you have multiple user accounts, you need to run the cleaning steps on all of them to make sure you get everything.

    Are you having any visible problems right now on any accounts?
     
  44. jfxgrizzly

    jfxgrizzly Private E-2

    The two logins I use had problems (mine and administrator). I don't know how any of the other logins were affected by the spyware -- I'm the only one who's logged in since the system went haywire.

    My plan is to run the cleaning steps on each login. This latest login had only one item in HJT to remove. I can post HJT logs after each scan or report in if any show issues. What do you suggest?

    Again, your help has been fabulous! Thanks!

    v/r, grizzly.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would suggest you check out each of the other logins. If they have problems, run the appropriate steps of the READ ME FIRST. Then look at a HJT log. If you cannot tell if anything is wrong, give me a holler.
     
  46. jfxgrizzly

    jfxgrizzly Private E-2

    Will do. Thanks. --uh ... same thread or new?
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may as well stay here to avoid getting all the typical boiler plate messages. Make sure you remind me when you come back that we are looking at a different user login on the same PC (that is, if it is necessary for you to come back).
     