Please help, i've been infected!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by soticked, Dec 8, 2004.

  1. soticked

    soticked Private E-2

    First of all I think this website is great, it's good to see there are good guys (and girls) out there to help us who are not as knowledgeable as others. I've got a nightmare on my hands, coolwwwsearch, 01 redirect host autosearch 69.20.16.183 or something like that. Spybot, Hijackthis, Adware se, all detect it and when I delete them they just regenerate. I've run cw shredder, aboutbuster, spyware blaster and none of them seem to do the trick. I've disabled system restore, shown all hidden files, ran all of those programs in safe mode to no avail. When I run adware, I get stuff like Elitum, vx2, coolwwwsearch, among others. I have used the vx2 plug in and it says system clean, then I do system scan and there it is laughing at me. Oh yeah, I also have about:blank and second though. WHAT A MESS. PS: I screwed up my hard drive search by screwing around in the registry. I guess I deleted a file that is required. I know, I'm an idiot! Can someone please help!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run ALL of the steps in < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > ? If so, and you still have a problem, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  3. soticked

    soticked Private E-2

    Here is my HJT log file, I have followed all of the steps the best I could. In the (services.msc) section there were items that were pretty close but not exact so I left them alone. I hope this helps.


    EDIT by chaslang: Inline log changed to an attachment
     

    Attached Files:

    • hjt.txt (2.8 KB)
    Last edited by a moderator: Dec 9, 2004
  4. simonk

    simonk Corporal

    Those O10 will have to be fixed with Spybot

    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll

    delete these
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    I'm not sure of this one for now:
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.sarasotamls.com/XMLSearch/XMLCache.CAB

    Anyway, clear those items and run again. I'm still checking your processes.
     
  5. simonk

    simonk Corporal

    OK

    you need to let hijack this fix this as well

    C:\WINDOWS\System32\yiqvia.exe

    then run your up to date ad-aware and spybot programs and post a txt file log of hj this
     
  6. simonk

    simonk Corporal

  7. soticked

    soticked Private E-2

    Hi simonk, thanks a lot for the help. The sarasotamls is a multiple listing service for realtors in Sarasota, FL; I use that for my work. I will get going on those other steps.
     
  8. soticked

    soticked Private E-2

    I fixed those entries with HJT, then ran Spybot and adware and deleted what it would let me. I then ran HJT again.


    EDIT by chaslang: Inline log changed to attachment
     

    Attached Files:

    Last edited by a moderator: Dec 9, 2004
  9. simonk

    simonk Corporal

    Those O1 and O10 entries are still left there. Boot in safe mode and run CWShredder to fix them.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CWShredder will only fix the O1 entries for a few seconds and then they will come right back. This is a fairly new problem that many users are having. No real fix has been found yet.

    CWShredder will do absolutely nothing for the O10 lines and neither would Spybot as already noticed.


    Soticked,

    Download this tool - LSP-FIX from http://www.majorgeeks.com/download4180.html

    THEN:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Do the same for aklsp.dll (if you find it)!

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    You also need to fix one of the default pages. The URL is not spelled correctly. You can have HJT fix this line or see if you can change it manually.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = goolge.com

    Now, Reboot and then scan with HijackThis and attach that log

    Please do not post HJT logs as inline text. They must be an attachment to your message. See how I changed your previous log. Also, next time we ask for the READ ME FIRST to be run, please run ALL of the steps. The online scans are not optional.
     
    Last edited: Dec 9, 2004
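
The O1, O10 and R1 lines quoted in this thread can be triaged mechanically before deciding what to fix. The sketch below is an added example, not part of any post in the thread: it parses HijackThis-style log text, groups hosts-file redirects by the IP they point to, and de-duplicates unknown Winsock LSP files. The sample log is constructed from lines quoted above; the function name `triage` and the regexes are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines as quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = goolge.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
"""

# Hosts entries pointing here are usually blocklists, not redirects.
LOCAL_SINKS = {"127.0.0.1", "::1", "0.0.0.0"}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)$")
LSP = re.compile(r"^Unknown file in Winsock LSP:\s+(?P<path>.+)$", re.I)

def triage(log_text):
    """Return (hosts_redirects, unknown_lsp_files, other) from HJT log text."""
    redirects = defaultdict(set)  # remote IP -> hostnames redirected to it
    lsp_files = set()             # unique DLL paths in the Winsock LSP chain
    other = []                    # everything else, left for manual review
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O1" and (h := HOSTS.match(body)):
            if h["ip"] not in LOCAL_SINKS:
                redirects[h["ip"]].add(h["name"].lower())
        elif code == "O10" and (f := LSP.match(body)):
            lsp_files.add(f["path"].lower())
        else:
            other.append((code, body))
    return dict(redirects), lsp_files, other

if __name__ == "__main__":
    redirects, lsp_files, other = triage(SAMPLE_LOG)
    for ip, names in redirects.items():
        print(f"hosts redirect -> {ip}: {sorted(names)}")
    for path in sorted(lsp_files):
        print(f"unknown LSP file: {path}")
    for code, body in other:
        print(f"review manually: {code} {body}")
```
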
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. soticked

    soticked Private E-2

    Hey guys, thanks a lot for all the help. The steps in pooterjazz's thread did not seem to help. I followed the advice from chaslang so here is the HJT log.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = goolge.com
     
  14. soticked

    soticked Private E-2

    hey chaslang, sorry about that.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the Google problem is fixed.

    Are you sure that you ran ALL of the steps exactly as Potterjazz indicated? I know it seems long and it may have been confusing, but at this point it is the only case where someone has had success in removing the problem. Go back and look again and make sure you ran everything as indicated. If there is some aspect of those steps that you do not understand, please tell us and we'll work thru it. But do not skip any steps. Begin by running Spybot. Does it actually find anything running each time you run it? Something that seems not to get fixed? If so, save Spybot's log and post it here so we can look at it.
     
