popups, redirects, coolweb/vx2?

You appear to have multiple antivirus applications installed and running. You need to uninstall all but one. Which one are you going to keep?

 

Keep Escan. You must uninstall Norton. It is stll running and still installed.
Giant is not an antivirus application. It is more a spyware app! And they don't exist anymore now. They were bought my Microsoft.

Ezshield is not an antivirus app either and you probably need it. ezsp_px.exe is the executable for Easy Systems CD & DVD writing software.

 

You have a broken LSP chain. Run LSPFix that PP gave you the link for.
Check the "I know what I am doing" box Click on mwtsp.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\tnlio\oluvbdj.exe
C:\WINDOWS\system32\cekbw\ocdaf.exe
C:\WINDOWS\system32\wqbhooxq\icixntmd.exe
C:\WINDOWS\system32\xjjciwyo\frerchx.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [oluvbdj] C:\WINDOWS\system32\tnlio\oluvbdj.exe
O4 - HKLM\..\Run: [ocdaf] C:\WINDOWS\system32\cekbw\ocdaf.exe
O4 - HKLM\..\Run: [icixntmd] C:\WINDOWS\system32\wqbhooxq\icixntmd.exe
O4 - HKLM\..\Run: [frerchx] C:\WINDOWS\system32\xjjciwyo\frerchx.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0781853c483095b0f302/netzip/RdxIE601.cab

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\tnlio\oluvbdj.exe
C:\WINDOWS\system32\cekbw\ocdaf.exe
C:\WINDOWS\system32\wqbhooxq\icixntmd.exe
C:\WINDOWS\system32\xjjciwyo\frerchx.exe

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

The O1 - Hosts lines will come back. We'll fix that up in the VX2 clean process PP was talking a

 

Extract all the files from the Generic Tool the PP had you download into their own folder.
Then run find.bat. Post the log it creates back here as an attachment.

 

Here is a list of files that we need to delete using Killbox.
C:\WINDOWS\System32\wkfeman.dll
C:\WINDOWS\System32\n64s0gh7e64.dll
C:\WINDOWS\System32\GRARAspi.dll
C:\WINDOWS\System32\k2620cjoefoc0.dll
C:\WINDOWS\System32\reched32.dll
C:\WINDOWS\System32\cmrtcli.dll
C:\WINDOWS\System32\leeps11n.dll
C:\WINDOWS\System32\j86mlij118o.dll
C:\WINDOWS\System32\i2jq0c15ef.dll
C:\WINDOWS\System32\tbappcmp.dll
C:\WINDOWS\System32\gp4ql3h51.dll
C:\WINDOWS\System32\eoent97.dll
C:\WINDOWS\System32\amwav.dll
C:\WINDOWS\System32\nimsmgr.dll
C:\WINDOWS\System32\j04o0ah3ed4.dll
C:\WINDOWS\System32\afstream.dll
C:\WINDOWS\System32\rDstapi.dll
C:\WINDOWS\System32\t28ulcl91fq.dll
C:\WINDOWS\System32\g204lcdq1f0e.dll
C:\WINDOWS\System32\nbtcfgx.dll
C:\WINDOWS\System32\vxa256.dll
C:\WINDOWS\System32\ruched20.dll
C:\WINDOWS\System32\aza007fme.dll
C:\WINDOWS\System32\jt2007fme.dll
C:\WINDOWS\System32\dnpo0173e.dll
C:\WINDOWS\System32\fp4003hme.dll
C:\WINDOWS\System32\enpol1731.dll
C:\WINDOWS\System32\mjiole16.dll
C:\WINDOWS\System32\wdbhits.dll
C:\WINDOWS\System32\p26s0cj7efo.dll
C:\WINDOWS\System32\lul8093ue.dll
C:\WINDOWS\System32\m0lsla371d.dll
C:\WINDOWS\System32\ubnp.dll
C:\WINDOWS\System32\tkpmonui.dll
C:\WINDOWS\System32\czmmdlg.dll
C:\WINDOWS\System32\purfnet.dll
C:\WINDOWS\System32\mzcsubs.dll
C:\WINDOWS\System32\cLrules.dll
C:\WINDOWS\System32\mqls2.dll
C:\WINDOWS\System32\ixnathlp.dll
C:\WINDOWS\System32\pbtorec.dll
C:\WINDOWS\System32\SjOrder.dll
C:\WINDOWS\System32\LSXPM12N.DLL
C:\WINDOWS\System32\kxdnec.dll
C:\WINDOWS\System32\dn2m01f1e.dll
C:\WINDOWS\System32\cbvfat.dll
C:\WINDOWS\System32\itq.dll
C:\WINDOWS\System32\kidpl.dll
C:\WINDOWS\System32\dhmodemx.dll
C:\WINDOWS\System32\PGDLIB32.DLL
C:\WINDOWS\System32\kzdgr1.dll
C:\WINDOWS\System32\opmdspif.dll
C:\WINDOWS\System32\mv2sl9f71.dll
C:\WINDOWS\System32\p26slcj71fo.dll
C:\WINDOWS\System32\dhsapi.dll
C:\WINDOWS\System32\dCd8.dll
C:\WINDOWS\System32\wuhatm.dll
C:\WINDOWS\System32\lvl8093ue.dll
C:\WINDOWS\System32\itsso.dll
C:\WINDOWS\System32\cslbact.dll
C:\WINDOWS\System32\kwdpl.dll
C:\WINDOWS\System32\cgyptdlg.dll
C:\WINDOWS\system32\jsdvwsdk.dll


and the last one is c:\WINDOWS\system32\guard.tmp

And here is how you need to do it.

Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\wkfeman.dll

1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now – Click NO.
5) Repeat for all files except the last one

For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

After it reboots get another find.bat log and post it. Do not reboot after posting this log. While it may not always do so, it can mutate and also spread to new file names thus making this process go on and on. We need to get all these files deleted before we can get to the next step.

 

It should not matter but safe mode can sometimes be the best option.

 

Normally when you get

"PendingFileRenameOperations Registry Data has been Removed by External Process!".

You just need to do a manual reboot and the files will be deleted by Pocket Killbox.

 

Use Windows Explorer and look in your C:\WINDOWS\System32 folder for the file named guard.tmp

It looks like it is there. If so, try to delete it by right clicking on it and selecting delete.
Does that work?

 

If the previous step deleted guard.tmp. Do the below otherwise wait for new instructions:

Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

NOW:


Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

Then click on these buttons in the right pane unless they are "greyed" out:

- UserAgent$ Button to remove the UserAgent from the registry
- Guardian.reg
- Restore Policy

Exit and reboot.

NEXT: Run find.bat and attach that Log and a fresh HJT Log

 

Using START > RUN > regedit, please open the registry editor and navigate to the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap

Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
RightClick on the above registry key (the ShellScrap one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

Exit all browsers run HJT and have it fix:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Reboot and post a new HJT log and tell me how things are working

Then we need to figure out why the below came back:
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing

I thought we fixed this with LSP-Fix earlier.

 

Good find PP!

You may need to register the DLL!

From the command prompt or from a Run dialog box:

regsvr32 c:\windows\system32\mwtsp.dll

 

You're welcome but with Escan uninstall try the LSP-fix and see what happens. Does the O10 line go away?

 

Yes but does it come back saying (missing) or (unknown file)?

 

Okay so download the mwtsp.zip file from the below link:

http://www.mwti.net/antivirus/hotfix/mwtsp.asp

and extract it to your system32 folder.

See if that helps.

 

Try this:
1) Use LSP to fix the problem.
2) Unregister the DLL from the command problem:
regsvr32 /u c:\windows\system32\mwtsp.dll

You may still get an error on this.
3) Uninstall the Escan software and reboot
4) After reboot look for the c:\windows\system32\mwtsp.dll file and delete it (let me know if it is still here at this point).
5) Check a HijackThis scan and make sure it does not show the O10 problem
6) Check for updates to your Escan program and download them if available.
7) Re-install Escan

Tell me if there is any change!
If still showing up as missing. Download and run this: http://faq.tweakers.net/wos/WinsockXPFix.exe


I found a link (although some of it is in German) that show someone had the same problem and just used LSP-fix and the problem was gone.

http://www.trojaner-board.de/archive/index.php/t-10910.html

 

Okay but since we deleted mwtsp.dll before, is it there now? If so, I don't know what to tell you about this anymore. Seems like something is messed up with Escan.

If everything is working okay (including Escan), it maybe best just to ignore that line in HijackThis but remember that in the future (just in case you ever post a log again).

 

You're welcome.