Please Help.. virus will not go away!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kahnsta, Feb 23, 2005.

  1. Kahnsta

    Kahnsta Private E-2

    Good evening! I have been working on this for quite some time, and have followed all of the steps noted in "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal " thread, but cannot get rid of everything. The file windows\system32\l8l6li3s18.dll keeps coming up with VX2 virus, and cannot seem to be deleted. If I get online, it seems to add to the mess. Is there anything else I can try?

    Thanks!!

    Kara
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Kara,

    Please go ahead and send us a HijackThis Log and it will tell us how to proceed. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I'll check back as time permits.

    PP :)
     
  3. Kahnsta

    Kahnsta Private E-2

    Hi PP! I hope I saved this right..

    Thanks!!
    Kara
     

    Attached Files:

  4. kds

    kds Private E-2

    PP will definitely help you out....

    I'm a n00b at this too, but I know for a fact that

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\gbqubzjc.dll
    O2 - BHO: (no name) - {39A84F80-0000-0000-0500-000000000000} - C:\WINDOWS\system32\bepbqinp.dll
    O2 - BHO: (no name) - {42896994-2AF7-AEFD-8B38-0DA180C7E78E} - C:\WINDOWS\system32\kbgrtkzi.dll
    O2 - BHO: (no name) - {A8E0A308-598C-C505-25A5-D095496767FF} - C:\WINDOWS\system32\leiqgsuj.dll
    O2 - BHO: (no name) - {AFA0EC64-0966-F09E-BCF1-D2DB798B9F12} - C:\WINDOWS\system32\zdrdflih.dll
    O2 - BHO: (no name) - {C917F261-DECF-A732-6E24-855A37764457} - C:\WINDOWS\system32\eirgndzt.dll

    is very bad indeed...

    and these?
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    I THINK are bad (IP referral hijack..) but like I said, I wouldn't do anything till a more senior member runs your scan..
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Kara,

    Before you do anything else, make sure HijackThis has been extracted from the ZIP File and you are not running it from the ZIP!!!


    ALSO, can you tell me what this is? --> O4 - HKLM\..\Run: [MISSetup] E:\Mis\Enu\setup.exe



    You have a number of issues to deal with. Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix



    FIRST:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Then, click the Finish Button. When the Repair Summary box appears, click OK.



    NEXT:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Anthony is the COOLEST guy EVER!!!!
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    These will come back
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\gbqubzjc.dll
    O2 - BHO: (no name) - {39A84F80-0000-0000-0500-000000000000} - C:\WINDOWS\system32\bepbqinp.dll
    O2 - BHO: (no name) - {42896994-2AF7-AEFD-8B38-0DA180C7E78E} - C:\WINDOWS\system32\kbgrtkzi.dll
    O2 - BHO: (no name) - {A8E0A308-598C-C505-25A5-D095496767FF} - C:\WINDOWS\system32\leiqgsuj.dll
    O2 - BHO: (no name) - {AFA0EC64-0966-F09E-BCF1-D2DB798B9F12} - C:\WINDOWS\system32\zdrdflih.dll
    O2 - BHO: (no name) - {C917F261-DECF-A732-6E24-855A37764457} - C:\WINDOWS\system32\eirgndzt.dll

    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    These two should be gone after running LSP-Fix
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0452df9fadfb034ef422/netzip/RdxIE601.cab

    O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\l8l6li3s18.dll

    O23 - Service: kceastaaaxuk (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc --> The Folder
    C:\WINDOWS\system32\msupd5.exe
    c:\windows\system32\dolsp.dll
    C:\WINDOWS\system32\gbqubzjc.dll
    C:\WINDOWS\system32\bepbqinp.dll
    C:\WINDOWS\system32\kbgrtkzi.dll
    C:\WINDOWS\system32\leiqgsuj.dll
    C:\WINDOWS\system32\zdrdflih.dll


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NOW:
    Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix log along with a fresh HijackThis log and we’ll see where you stand. I will try to check back as time permits.

    Best Luck :)
    PP
     
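As an added example (not part of this thread or of any tool named in it), a small Python triage script that applies the judgement calls made in the posts above to HijackThis-style log lines: search domains pinned to a single IP in the hosts file, BHOs with no name or a random-looking DLL, a random-looking Winlogon Notify DLL, and a service whose binary is missing. The sample log is constructed from the entries quoted above; the "Example Helper" BHO and its CLSID are made up as a benign control.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the HijackThis lines quoted in this thread;
# the "Example Helper" BHO and its CLSID are made up as a benign control entry.
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\gbqubzjc.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\ExampleHelper.dll
O20 - Winlogon Notify: Syncmgr - C:\\WINDOWS\\system32\\l8l6li3s18.dll
O23 - Service: kceastaaaxuk (MsUpdate5) - Unknown owner - C:\\WINDOWS\\system32\\msupd5.exe (file missing)
"""

def looks_random(filename):
    """Machine-generated names as in this thread: digits in the stem, or almost no vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    if re.search(r"\d", stem):
        return True
    vowels = sum(c in "aeiou" for c in stem)
    return len(stem) >= 5 and vowels / len(stem) < 0.25

def triage(log_text):
    """Return (entry, reason) pairs for log lines that deserve a closer look."""
    findings = []
    hosts_by_ip = defaultdict(list)          # O1 lines grouped by the IP they point to
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            ip, host = line.split(":", 1)[1].split()[:2]
            hosts_by_ip[ip].append(host)
            if "search" in host.lower():     # search hijack, as in the thread's O1 lines
                findings.append((line, "search domain redirected in hosts file"))
        elif line.startswith("O2 - BHO:"):
            name, _clsid, path = [p.strip() for p in line[len("O2 - BHO:"):].split(" - ", 2)]
            if name == "(no name)" or path == "(no file)":
                findings.append((line, "BHO without a name or backing file"))
            elif looks_random(path.rsplit("\\", 1)[-1]):
                findings.append((line, "BHO with random-looking DLL name"))
        elif line.startswith("O20 - Winlogon Notify:"):
            if looks_random(line.rsplit("\\", 1)[-1]):  # persistence DLL loaded at logon
                findings.append((line, "Winlogon Notify DLL with random-looking name"))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append((line, "service registered for a binary that no longer exists"))
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:                   # one IP swallowing several domains
            findings.append((ip, f"{len(hosts)} hostnames pinned to one IP in hosts file"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags every entry the thread marks for removal and leaves the benign helper alone; the name heuristic is only a first filter, so each hit still needs a human look.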
  6. Kahnsta

    Kahnsta Private E-2

    Hi PP:

    went through all steps.. only found one file and the folder to delete manually. Here are my updated logs:

    Thank you!
    Kara
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    Hi Kara,

    We're making a little bit of progress!!

    NEXT STEP:

    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually cough out another log in Notepad.

    Again, don't run any other files in the L2MFix folder.

    THEN:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with the new L2MFix Log. I'll try to check back shortly to take a look and give you the next set of steps!

    PP :)
     
  8. Kahnsta

    Kahnsta Private E-2

    Hi PP! Thanks so much for keeping me busy with these steps! Actually feel as though progress is finally being made! ;)

    Here are the updated L2MFix log and output logs.

    Thanks!

    Kara
     

    Attached Files:

  9. PhilliePhan

    PhilliePhan Guest

    Hi Kara,

    Yes, progress is indeed being made! The process is a bit lengthy, though! :)

    Here is the next set of steps:


    FIRST:
    Run Pocket KillBox and Copy & Paste the Following into the box: C:\WINDOWS\System32\vmss - Click Red X to delete it using Standard File Kill.


    THEN:
    Check your Recycle Bin to make sure that no problems remain.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.


    THEN:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.


    FINALLY, please reboot and give me another HijackThis Log and we'll clean up the remnants!

    Note: Please relocate HijackThis here: C:\Program Files\HijackThis

    Also, you didn't tell me what this is: E:\Mis\Enu\setup.exe

    PP :)
     
  10. Kahnsta

    Kahnsta Private E-2

    Hey PP!

    I'm not sure, I think the E:\Mis\Enu\setup.exe is this game called "Missing".. have not checked it out yet though! :)

    Here it is....
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi Kara,

    Let's wrap this up, shall we?!

    Please scan with HijackThis and fix these lines:
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: (no name) - {39A84F80-0000-0000-0500-000000000000} - (no file)
    O2 - BHO: (no name) - {42896994-2AF7-AEFD-8B38-0DA180C7E78E} - (no file)
    O2 - BHO: (no name) - {A8E0A308-598C-C505-25A5-D095496767FF} - (no file)
    O2 - BHO: (no name) - {AFA0EC64-0966-F09E-BCF1-D2DB798B9F12} - (no file)
    O2 - BHO: (no name) - {C917F261-DECF-A732-6E24-855A37764457} - (no file)

    O23 - Service: kceastaaaxuk (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)


    Then reset your Web Settings:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com OR www.phillies.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot, give me one last HJT Log and tell me how things are running now!

    PP :)
     
  12. Kahnsta

    Kahnsta Private E-2

    Hey.. I am having some trouble with your last request.. when I right-click on the Internet Explorer icon, I do not get a Programs tab. I get General, Shortcut, Compatibility, and Virus Property. Also, been using Mozilla Firefox to get online since I started having so many problems.. KK
     
  13. PhilliePhan

    PhilliePhan Guest

    Open IE and GO Tools > Internet Options > Programs Tab & Reset Web Settings.

    See if that works. This isn't a big deal - especially if you are now using FireFox.

    PP :)
     
  14. Kahnsta

    Kahnsta Private E-2

    ;) Yes, I like Firefox. But I got it to work though anyway... and I cannot believe Internet Explorer seemed to have no problems at all! Everything seems to be running smooth so far... here is the latest HijackThis log though:

    KK
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hi KK,

    For some reason, HijackThis is having trouble removing these... Let's do this:

    FIRST:
    Please Boot to Safe Mode.

    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: (no name) - {39A84F80-0000-0000-0500-000000000000} - (no file)
    O2 - BHO: (no name) - {42896994-2AF7-AEFD-8B38-0DA180C7E78E} - (no file)
    O2 - BHO: (no name) - {A8E0A308-598C-C505-25A5-D095496767FF} - (no file)
    O2 - BHO: (no name) - {AFA0EC64-0966-F09E-BCF1-D2DB798B9F12} - (no file)
    O2 - BHO: (no name) - {C917F261-DECF-A732-6E24-855A37764457} - (no file)

    O23 - Service: kceastaaaxuk (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)

    Be sure All Browser Windows are Closed when you Click FIX.

    Reboot to Normal Windows and see if these remain. Again, not a big deal, but I like to strive for perfection! ;)

    Also, have a peek at Chaslang's Recommendations!!

    I've got to run, but will check back Thursday evening to see how you fared.

    PP :)
     
  16. Kahnsta

    Kahnsta Private E-2

    PP- I will try it and let you know. Thanks for helping me out tonight... I was getting ready to just get rid of everything and start over!! Feel MUCH better now.. thanks! :) Good night!

    Kara
     
  17. PhilliePhan

    PhilliePhan Guest

    Happy to help! :)

    Let me know if those last entries refuse to go.

    PP :)
     
  18. Kahnsta

    Kahnsta Private E-2

    Hey PP- Tried cleaning these files several times (in safe mode) but they still seem to show up on my HijackThis log. Will they cause a problem being there still? Everything else seems to be running perfectly.. :-D thank you! thank you!

    Kara
     
  19. PhilliePhan

    PhilliePhan Guest

    You're welcome! Happy things are running normally again! :)

    Those entries pose no problems... They are just annoying! I’d like to try this...

    Please download the old HijackThis v1.98.2 from here: HijackThis v1.98.2

    Extract it from the ZIP to its own folder – C:\Program Files\HJT 1982

    Now, scan & fix with this version as per the instructions in my last post (Safe Mode, etc…) and see if that gets them!


    (PLAN B ;))
    If that does not work, try this:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it FixBho.reg



    REGEDIT4

    ; Each CLSID below is a registry KEY, so it is removed with the [-Key] form.
    ; The "name"=- form only deletes a VALUE and would leave these keys in place.

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39A84F80-0000-0000-0500-000000000000}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39A84F80-0000-0000-0500-000000000000}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42896994-2AF7-AEFD-8B38-0DA180C7E78E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42896994-2AF7-AEFD-8B38-0DA180C7E78E}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8E0A308-598C-C505-25A5-D095496767FF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8E0A308-598C-C505-25A5-D095496767FF}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFA0EC64-0966-F09E-BCF1-D2DB798B9F12}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFA0EC64-0966-F09E-BCF1-D2DB798B9F12}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C917F261-DECF-A732-6E24-855A37764457}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C917F261-DECF-A732-6E24-855A37764457}]




    Now:
    DoubleClick on the FixBho.reg file you made and follow the prompts to allow it to merge these entries into the registry.

    Hopefully one of these routes should do the trick! Let me know. I'll probably have to check back Friday . . . Awfully busy these days!

    PP :)
     
