Ready to play James Bond?

Discussion in 'Malware Help (A Specialist Will Reply)' started by bailmeout, Jan 16, 2005.

  1. bailmeout

    bailmeout Specialist

    Alright, I'll keep it as simple as my twisted mind lets me. Due to an abnormally crazy set of circumstances I was forced to start using Win2000 Professional edition.
    Now all the latest service packs and updates were applied, crappy Norton's 2003 firewall + antivirus installed, additional Google popup blocker as well as Lavasoft Ad-Aware Professional with about every plugin you could imagine.
    Anyhow I'm certainly not here to write a story so I'll lay down the facts.
    Everything was running beautifully and smoothly until, going back two maybe three weeks, things started getting dirty. I come home, turn on the PC, boom, there we are: 661 popups blocked, recycler seemed corrupted, 3 files stuck in there. Simply after a few commands in DOS problem fixed.... ohoho, so little did I know, every file sent there magically seems to go anywhere but there. Spyware was what my thoughts were. Downloaded MS AntiSpyware beta, even a little buggy, thought I'd give it a try. Anyway it found WinTools, Virtual Bouncer, possible hijacker and some other crap. I managed to get rid of WinTools and Virtual Bouncer, ran Crap Cleaner, then ran HijackThis. There it was, let's say xxx.xx.xxx.iesearch.com xxx.xx.xxxnetscapesearch.com and another one. Now when I'm on the couch bonking away on my gamepad or watching a DVD I cannot express how annoying it is when these sites keep popping up forcing me to get off the couch!!!! Also I noticed my Optusnet cable connection has significantly dropped.
    Anyone ready to tackle this one? Because quite frankly it is not my area of expertise and I'm about to give up.
    Thanks in advance, Sash
     
  2. bailmeout

    bailmeout Specialist

    *Ahem* forgot to add I am using IE, I know I know, but I'm used to it and it's patched up as much as it can be. Hmm, I somewhat got a feeling the MSN Messenger 7.0 beta second version (less bug free) :p has gotten its dirty little hands onto something too. Handwriting plugin disappeared like in a flash? I really don't want to format, though it might be the best idea, since I'm too busy reading forums lol and modding my PC
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. bailmeout

    bailmeout Specialist

    OK, just as I suspected. It's the same old browser redirections, the IP always appears to be the same and it is the 3 major searches. Ran that crappy MS spyware beta version = same result = possible hijacks. I installed SpywareBlaster as well and updated. Now as for HijackThis, the latest version, ran that too with all browsers closed, even disconnected from the internet; every time I try to remove those nasty redirections a window usually pops up not allowing me to do it. The cable connection is still ridiculously slow. Anyhow here is the log.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. bailmeout

    bailmeout Specialist

    Alrighty, all three downloaded, zip deleted, then created a separate folder in Program Files, ran it and here is a log. Btw thank you heaps because I know how annoying it is to have yet to tackle with it!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean "three downloaded zip deleted"?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: DON'T LOG OFF! Stay here for awhile. I'm working on a fix but if you reboot, all of it will not work properly. I'll be posting it in a little while.
     
  9. bailmeout

    bailmeout Specialist

    Sorry, typo: 2 zip files, Killbox and the one I ran, and the other one is an .exe file. Now what I meant is after I created a separate folder and copy-pasted the .bat and other 2 programs I deleted the 'unzipped' folder just not to get it confused. Anyway, interesting thing is after I ran SpywareBlaster and enabled the protection the number of popups blocked significantly reduced from say 661 to 134. Too bad the computer rebooted 2 minutes ago. Winlogon generated some errors and when Windows loaded I got a popup RUNDLL saying that an exception occurred while trying to run ''''C:\WINNT\system32\axsmib.dll'',UMonitor'' QUOTED exactly.
    No problem, I came back from work so I have all the time.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When working on problems like these you need to do only what we tell you to do. Running other things will confuse us, you, and your malware problems will mutate making our fixes ineffective. The below may no longer be completely valid now.


    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg

    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.

    Here is a list of files that we need to delete using Killbox.

    C:\WINNT\System32\gp86l3ls1.dll
    C:\WINNT\System32\doserver.dll
    C:\WINNT\System32\fplq0335e.dll
    C:\WINNT\System32\r46u0ej9eho.dll
    C:\WINNT\System32\tipmon.dll
    C:\WINNT\System32\dnr4019qe.dll
    C:\WINNT\System32\hr8405lqe.dll
    C:\WINNT\System32\aza2l5ho1.dll
    C:\WINNT\System32\e2jmlc111f.dll
    C:\WINNT\System32\j4j6le1s1h.dll
    C:\WINNT\System32\o0pqla751d.dll
    C:\WINNT\System32\fpns0357e.dll
    C:\WINNT\System32\hr4m05h1e.dll
    C:\WINNT\System32\p84ulih9184.dll
    C:\WINNT\System32\gp88l3lu1.dll
    C:\WINNT\System32\j22q0cf5ef2.dll
    C:\WINNT\System32\gpl8l33u1.dll
    C:\WINNT\System32\en2sl1f71.dll
    C:\WINNT\System32\k208lcdu1f08.dll
    C:\WINNT\System32\jtj4071qe.dll
    C:\WINNT\System32\kt48l7hu1.dll
    C:\WINNT\System32\jt4m07h1e.dll
    C:\WINNT\System32\r8r6li9s18.dll
    C:\WINNT\System32\sgpblb.dll
    C:\WINNT\System32\dnr2019oe.dll
    C:\WINNT\System32\ir42l5ho1.dll
    C:\WINNT\System32\jt8q07l5e.dll
    C:\WINNT\System32\lv2409fqe.dll
    C:\WINNT\System32\n62ulgf9162.dll
    C:\WINNT\System32\hr6u05j9e.dll
    C:\WINNT\System32\dnrm0191e.dll
    C:\WINNT\System32\s8puli7918.dll
    C:\WINNT\System32\g6jo0g13e6.dll
    C:\WINNT\System32\ktpul7791.dll

    and also C:\WINNT\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp
    (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\gp86l3ls1.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    Important:
    Also run Windows Explorer and look in C:\WINDOWS\System32 for the file guard.tmp. Tell me if you see it or not. If it remains, paste C:\WINDOWS\SYSTEM32\guard.tmp into Pocket KillBox and Delete it using Standard File Kill. Check it again using Windows Explorer to make sure it is gone.

    Once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    Finally, attach another Find.bat log and a Fresh HJT log! Let me know if you had any trouble with the above instructions.
     
  11. bailmeout

    bailmeout Specialist

    Alright, seems to be reappearing again, however I think I might have messed it up so I can redo the process from what you wrote. As I was doing the last fix, by the time I read it I deleted the first few DLLs normally without them acting as dummies, then when I scrolled down I saw exactly what you wrote!
    I did it in the appropriate manner then, which obviously didn't seem to work. Now as for the C:\WINNT\System32\guard.tmp, I did not find it at all.
    Here are the new logs.
     

    Attached Files:

  12. bailmeout

    bailmeout Specialist

    Also as for System Restore, doesn't that just exist in Win XP?
    Got me a little confused there so I didn't know what to do or where to turn it off?
     
  13. bailmeout

    bailmeout Specialist

    I just repeated those steps again, NOTHING, same thing again. The last HJT logfile is probably not good to you now. Anyway, feeling a bit tired so I won't waste your time now, will just do it tomorrow perhaps.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! WinXP & WinME only! Sorry about the confusion. I forgot to remove that line when I did some cutting and pasting.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let's take it a little slower this time. Make sure you read the instruction before doing anything so you follow them properly. Quite a few of the problems are gone already but we have more to do. And we have to keep double checking for guard.tmp even though you already looked.


    Here is a list of files that we need to delete using Killbox.

    C:\WINNT\System32\wupdxm.dll
    C:\WINNT\System32\h60q0gd5e60.dll
    C:\WINNT\System32\axsmib.dll

    and also C:\WINNT\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\wupdxm.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    Important:
    Also run Windows Explorer and look in C:\WINNT\System32 for the file guard.tmp. Tell me if you see it or not. If it remains, paste C:\WINNT\SYSTEM32\guard.tmp into Pocket KillBox and Delete it using Standard File Kill. Check it again using Windows Explorer to make sure it is gone.

    NEXT: Run find.bat again and attach that Log and a fresh HJT Log. At this point it is very important that you do not reboot until you next hear from me. These problems can mutate and spread during reboots, making my instructions not completely valid. You can disconnect from the internet, just do not reboot.

     
  16. bailmeout

    bailmeout Specialist

    Sorry I had to leave for a while, the power went out so the PC has been rebooted. I will try and do this now and let you know how it went, hopefully leave the PC overnight or something similar then post the log.
     
  17. bailmeout

    bailmeout Specialist

    Seems as soon as the computer is rebooted or this thing notices an internet connection it goes berserk and mutates more than aliens haha. Dammit. Here are the fresh new scans. Same results.

    Funnily enough C:\WINNT\System32\guard.tmp
    is never there at all
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're wasting my time and yours if you keep rebooting when you should not!
    Also you should remain disconnected from the internet physically (unplug cable) from now on while working on these steps. Only plug back in when told to come back and post.
     
  19. bailmeout

    bailmeout Specialist

    Hi, the internet is off every time I am doing the processes. As for rebooting, once it was the power failure and Windows generated errors; the last logs are fresh, no reboot since. However the popups keep coming back, just not as much.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore the popups! I know they are there. We have not finished fixing the problem. In fact we have not finished the first step yet.
     
  21. bailmeout

    bailmeout Specialist

    Ok, whenever you grab a spare moment, I'm ready
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OKAY, print these instructions or save them locally! I want you to physically disconnect after reading this sentence before continuing. Do not connect again until told to, and do not open any browsers until you come back.


    Copy and paste the quoted information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg

    Now:
    Click on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.

    Here is a list of files that we need to delete using Killbox.

    C:\WINNT\System32\dxctl.dll
    C:\WINNT\System32\ltl0273mg.dll
    C:\WINNT\System32\mzdocs.dll
    C:\WINNT\System32\nvj0291mg.dll
    C:\WINNT\System32\c800lidm180a.dll
    C:\WINNT\System32\k6800glme6qa0.dll

    and also C:\WINNT\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\dxctl.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    Important:
    Also run Windows Explorer and look in C:\WINNT\System32 for the file guard.tmp. Tell me if you see it or not. If it remains, paste C:\WINNT\SYSTEM32\guard.tmp into Pocket KillBox and Delete it using Standard File Kill. Check it again using Windows Explorer to make sure it is gone.

    NEXT: Run find.bat again and attach that Log and a fresh HJT Log. At this point it is very important that you do not reboot until you next hear from me. These problems can mutate and spread during reboots, making my instructions not completely valid. You can disconnect from the internet, just do not reboot.

     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look (at least not from what I can see) that you have gone offline. I hope you did physically disconnect (unplug). Malware can still get out if you leave your cables plugged in (even if you don't have a browser running).
     
  24. bailmeout

    bailmeout Specialist

    OK, this time I unplugged the cables, ran everything as you have said, and I did however see C:\WINNT\System32\guard.tmp this time. After the last Killbox delete and rebooting as you said I noticed my Quick Launch went double (normally on the left hand side, now on the right hand side too with the Quick Launch option as well).
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.


    Copy and paste the quoted information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg (overwrite the previous one)

    Now:
    Click on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.

    Run HijackThis and fix the below lines if present:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O14 - IERESET.INF: START_PAGE_URL=http://www

    Now reboot again!

    Now (hopefully the last time): Run find.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log Let me know how things look to you too.
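    The O1 lines chaslang has the poster fix above are the classic search-hijack signature: well-known search hostnames pinned in the hosts file to an outside address instead of being left to DNS. As an added example (not code from the thread, from HijackThis, or from MajorGeeks), here is a small Python checker that parses either a raw Windows hosts file or HijackThis "O1 - Hosts:" lines and reports every mapping that does not point at loopback, tagging the search-related names quoted in the post. The sample inputs are constructed from the lines in the post; the SEARCH_NAMES set is my own assumption about which names deserve the stronger tag.

```python
"""Flag hosts-file entries that redirect search hostnames (added example).

A clean Windows hosts file maps names to 127.0.0.1 (or ::1) or holds only
comments. An entry such as "69.20.16.183 auto.search.msn.com" sends IE's
search/auto-search traffic to a third-party address, which is the symptom
described in the thread. The real file lives at
%SystemRoot%\\system32\\drivers\\etc\\hosts; read it and pass the text in.
"""
import ipaddress
import re

# Constructed sample in raw hosts-file layout: the three hijack lines quoted
# in post 25 plus a harmless loopback entry and a comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

# Constructed sample of the HijackThis lines from the same post; only the
# O1 lines carry hosts-file data, the rest are ignored by the O1 parser.
SAMPLE_HJT = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O14 - IERESET.INF: START_PAGE_URL=http://www
"""

# Assumption: the search-related names that appear in the thread's O1 lines.
# Any hosts-file override of these is a redirect of the browser's search.
SEARCH_NAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

_HJT_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from raw hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no names is noise
            continue
        ip, names = parts[0], parts[1:]
        for name in names:                    # one address may list several names
            yield ip, name.lower()


def parse_hjt_o1(text):
    """Yield (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines."""
    for raw in text.splitlines():
        m = _HJT_O1.match(raw.strip())
        if m:
            yield m.group(1), m.group(2).lower()


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_hijacks(pairs):
    """Return (kind, ip, hostname) for every mapping that is not loopback.

    Names in SEARCH_NAMES are tagged 'search-redirect'; any other
    non-loopback mapping is tagged 'non-loopback' for manual review.
    """
    findings = []
    for ip, name in pairs:
        if is_loopback(ip):
            continue
        kind = "search-redirect" if name in SEARCH_NAMES else "non-loopback"
        findings.append((kind, ip, name))
    return findings


if __name__ == "__main__":
    for kind, ip, name in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"{kind}: {ip} -> {name}")
```

    Both parsers feed the same checker, so the raw file and the HijackThis log yield identical findings for the same machine; a difference between the two is itself worth a look, since it means the log and the file on disk no longer agree.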
     
  26. bailmeout

    bailmeout Specialist

    Well, it seems to have done the job, or partially anyway. HJT does not show the file redirections anymore, however the Quick Launch is still on both sides, and before rebooting and running HJT and bat.ini, when I ran HJT previously to fix those file redirections I got a message that an unexpected error occurred at procedure:modMain_FixOther1item(sltem-01 - Hosts 69.20.16.183 autosearch.msn.com
    Error #70 - Permision denied
     

    Attached Files:

  27. bailmeout

    bailmeout Specialist

    My friend, I believe I am not speaking too soon but it seems it has worked a charm. Wohoo! Who da man? U da man :p I just tried to send some files into the recycler, they showed up there and then deleted when prompted. The only thing left is the double Quick Launch but who cares, it's not a problem. Thank you so much.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you mean by bat.ini

    Are you sure you did not do something yourself to Quicklaunch?

    And did you miss fixing these:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
    O14 - IERESET.INF: START_PAGE_URL=http://www
     
  29. bailmeout

    bailmeout Specialist

    Another typo, I seem to do those when I'm excited :p I meant find.bat. As for those two, how did you know I'd be so dumb as to miss them :) heh. I just fixed them before and rebooted, ran another HJT, everything seemed in perfect order, and as for the toolbar thingy I fixed it anyway. You have done plenty already so I will not bother you with this again; as for if it does come back, I will format. Thank you so much again. Forum closed if you like :cool:
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

