Spyware Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by nav88, Mar 5, 2005.

  1. nav88

    nav88 Private E-2

    We use Windows XP and recently my wife's profile has become corrupted with SPYWARE. I followed your instructions "read me first" and below is my HijackThis log. Hope you can help. She is unable to get AOL to even respond anymore...

    Logfile of HijackThis v1.99.1
    Scan saved at 5:20:17 PM, on 3/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Mar 5, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is not the first step and we have guidelines about when and how to post logs.

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download
    HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. nav88

    nav88 Private E-2

    My apologies for not following your format. I have followed the prerequisite instructions and conducted the scans as requested. Still have many pop ups and it has corrupted the basic use of our Windows XP system (will not allow programs to execute, i.e. AOL).

    The HijackThis log file is attached.

    Thanks
    NAV88
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you need to run ALL steps from the READ ME FIRST. Your log shows no signs of the online scans being run. So I have to wonder if you skipped anything else. Skipping steps will not help you resolve your problems faster. It will only delay getting your system properly fixed. You have a variety of problems. Run the online scans and anything else that you skipped. Our READ ME is meant to be run in the order written, step by step to be most effective.

    Second you must extract HijackThis from the ZIP file and install it where requested. You are running it from:
    C:\DOCUME~1\Val\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    which is directly from the ZIP file. You will not get any backups this way. You must resolve this before continuing.

    You will need to download LSP-Fix and follow the directions given below

    NOW: Unzip it and run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Then, please do the same for dolsp.dll.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    After doing the above download and install: Microsoft® Windows AntiSpyware
    Run a full system scan and allow it to repair what it finds.

    After doing the MS Antispyware scan reboot your system and then do the following steps.

    First Step:

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below: And only run what I specify.

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    Second Step:
    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later when we reconnect).


    Third Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Fourth Step:

    Get a new HJT log and post it here along with the logs from find.bat and l2mfix.bat.
     
  5. nav88

    nav88 Private E-2

    First off, please allow me to extend my thanks for all your help to date. I have been extremely frustrated with the barrage of failures I have experienced suddenly due to this spyware problem. I have tried to follow your directions whenever possible.

    Attached are the logs you requested. As I was rerunning some of the scans you should know that I was never able to complete step 4 of the TREND MICRO's scan (4 attempts, almost 3.5 hours..every time it got to step 4, the available action options did not show on my display so I was unable to select any action). Also, I only ran the spyware scan from Symantec, as I attempted to perform the VIRUS scan it stated I need to run Explorer 6.1 or higher. When I went to the MS website to download, it said I was already running a newer version. Otherwise, I have followed all the steps you detailed.

    I will place the HJT log in the following post.
    Thanks again
    APM
     

    Attached Files:

  6. nav88

    nav88 Private E-2

    Sorry, HJT log from 06 March was attached below. Here is the L2mfix.bat report.

    APM
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a rather bad case of this VX2 infection and you have some other nasty problems too. Here are your next steps.

    To begin, there are two files I wanted to have you remove back when we used LSP-Fix but I forgot to mention them. Please look for the below two files and delete them if found:
    c:\windows\system32\dolsp.dll
    c:\windows\system32\aklsp.dll

    Step 1:

    First I want you to uninstall Microsoft AntiSpyware and then reboot your PC.

    After reboot come here and re-download and install this version: Microsoft® Windows AntiSpyware during the install make sure you get any updates BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.

    Step 2:

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 3:

    Run "find.bat" from the Generic Detection Tool again!

    Okay after doing the above DO NOT REBOOT.

    Step 4:


    Now reconnect your cable to the internet (no browser yet) and get a new HJT log. Now open your browser and come back here and post as attachments the find.bat log, then the L2MFix log, and the HJT log (it will take two messages to post all three attachments).
     
    Last edited: Mar 7, 2005
  8. nav88

    nav88 Private E-2

    Waiting to repost after I fully complete the steps. I am emailing from my laptop...A couple of questions..

    1) I deleted the dolsp.dll file as requested but the aklsp.dll file was located in the Windows/temp directory...I deleted that file as well.

    2) I am presently on my second run of the L2MFIX routine as you mention in step 2 below. During first run, the system shut down and then rebooted with a teal green screen which showed Explorer and Rundll32.exe were killed. 1 file copied and then "Scanning first pass. Please Wait." Upon returning from work it said "Second Pass Complete." and then the phrase U MONITOR down the left margin repeating. No log was created so I figured there must have been an error. I am presently two hours into the second attempt and I still have the teal screen with the "Scanning first pass. Please Wait!" Message

    Is there anything else I should be doing?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just wait for it to complete! Hopefully it will not be too much longer.

    Is it physically disconnected from the internet and are all browsers closed on that PC?


    Did MS Antispyware find anything and fix or not fix it?
     
  10. nav88

    nav88 Private E-2

    Yes everything is physically disconnected. Antispyware found 11 threats, ignored 4 and removed 7. UMONITOR saga continues..thanks for your continued support.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does it still sound like there is disk activity going on?

    Do you have a log from MS- AS?
     
  12. nav88

    nav88 Private E-2

    L2MFIX complete..now running the Generic Detection Tool. Will post results of these two runs and the HJT when it completes..

    MS-AS did not provide a log. I can access the summary page and cut a summary posting to Word if you think that would help. Not much information there except numbers of files and such.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'll be waiting for the logs. How long did it take L2MFix to complete?

    As far as MS-AS, what I'm interested in knowing is what (by name) items it found and what it fixed and could not fix. It's useful to know what tools can fix what.
     
  14. nav88

    nav88 Private E-2

    Okay...full report from my last assignment..
    1) Deleted the dolsp.dll file from the system32 directory and the aklsp.dll (however this was only found in the Windows/temp directory)

    2) MS-AS ran successfully. 11 threats. Here is a summary..
    Removed: PEPER (Trojan Downloader), Possible Browser Hijacker, SearchMiracle.EliteBar, Possible Hosts File Hijack, eXact.Downloader (Trojan Downloader), BrowserAid. Quarantined Search n Click. Ignored MyWay Search Bar, BearShare, Grokster, and eDonkey2000.

    3) Ran the L2MFIX program. Took between 4 and 5 hours to complete. Log posted below.

    4) Could not complete the Generic Detection Tool (FIND.bat) scan. Let it execute for 4 hours and then a second time for another 7 hours with the same cues.

    Upon execution, a blue bordered box labeled "16 bit MS-DOS Subsystem" appears. Inside the box it states
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\autoexec.nt. System file not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application.

    I chose both the CLOSE and IGNORE buttons at different times to see if I could advance through the execution. Both resulted in the DOS alert within the WINDOWS\SYSTEM32\cmd.exe DOS box "Beginning Strings.exe search..this portion can take several minutes, please allow it to run".

    I gave it plenty of time, appears to be hung up, especially in the light of the previous "not suitable" alert.

    5) HJT ran and log file attached.

    Attempted to reconnect to the INTERNET to send from PC. No connection obtained and I did not want to reboot. So I downloaded log files to disk and sending from the laptop.

    Hope this gets us back on track.
     

    Attached Files:

  15. nav88

    nav88 Private E-2

    Relating to Step 4 below:

    I found on the Microsoft website..steps to correct the MS DOS error I was receiving. Using the Windows XP disk I replaced the critical files.

    Relaunched the Generic Detection Tool program..did not receive the MS DOS error alert. It did produce the Beginning Strings.exe search (as I would assume is expected). Now we shall see how long it takes to run.

    As I have not powered down or rebooted, I will post the resulting log (hopefully) and then run the HJT as requested and post the log files.

    APM
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! L2Mfix took care of a load of bad files. I still see some stuff in your HJT log I expected MS-AS to fix.

    What version of MS Antispyware do you have running and also what version are the spyware definitions that it is using?
     
  17. nav88

    nav88 Private E-2

    MS-AS Beta1....and I loaded updates before I executed the scan..

    Updated definitions to version 5695

    Been an hour since I started the latest Find.bat scan ...still showing "Beginning Strings.exe search" alert...Is this normal or is it hung up?
     
  18. nav88

    nav88 Private E-2

    The six MS-AS repairs I mentioned were the result of the last scan. Current Spyware threats detected to date numbers 73.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not the version number. Please look in the About MS Antispyware menu where the Definitions are also shown. The version number should look something like 1.0.509

    Tell me what you have!

    Have you tried running MS-AS in safe mode (with no networking)? If not, please do so.

    It does take awhile for the scans with these tools to complete. The duration it takes depends on how many files on your system, the speed of your PC, and whether you keep doing other stuff during the scan.

    Please download and run this too: EliteToolbar Remover
    And then post a new HJT log.
     
  20. nav88

    nav88 Private E-2

    Okay..I believe I am caught up on my tasks....

    1) The Generic Detection Fault scan is complete. Log File attached.

    2) I ran a HJT this file. I am not posting since I am running another one in the safe mode and will provide that one later in step #6.

    3) MS-AS version 1.0.501 is being run ( I did use the update feature). Spyware definition version 5695.

    4) Booted in the SAFE mode. Run another MS-AS scan. Detecting 7 threats..REMOVED 3 (eXactdownloader, Searchmiracle.elitebar, and Possible Hosts file) while IGNORING 4 (Bearshare Ad bundler, My Way Search Bar, eDonkey, and Grokster).

    5) Still in the SAFE mode, ran the Elite Toolbar Remover and it said it found suspected files and cleaned them.. Rebooted and ran again, Zero suspect files found.

    6) While Still in the SAFE mode, ran another HJT scan and that log file is also attached.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So that's much better. Still some fixes to go and I will need a favor from you too.

    But first some of the links to the MS AS download are giving the older version which is what you have. You have 1.0.501 the latest is 1.0.509. I would uninstall, reboot, and then reinstall the new one. Download it from the below link:

    http://www.majorgeeks.com/downloadget.php?id=4466&file=1&evp=ce777b1c1a18760b1ff7da022361858a

    Here is the favor! Before fixing some of the remaining items I would like to see if I can get copies of the files. See if you can run Windows Explorer and locate the three below files:
    C:\WINDOWS\system32\tguldndp.dll
    C:\WINDOWS\system32\cxvaotpd.dll
    C:\WINDOWS\system32\fdhstnmc.dll

    If so, tell me the file sizes for each one. We will need to put them into a ZIP file so you can send them to me (either as an attachment to the thread or via email if too large). Do you know how to use WinZip or similar to put files into a ZIP file?

    Now you still have a few problems left. Including a few left overs from the Look 2 Me VX2 infection. You were badly infected with multiple problems. Please run Step 2 from message number 7 again (that is l2mfix.bat and type 2) and post that log. I know it took a long time. Maybe it will not be as bad this time.

    Now download the below file to your computer where you can find it.

    RemV3.Zip

    Extract all the files to a folder (make it a folder for only these tools).
    Then boot into safe mode and run the remv3.bat file.

    Then reboot in normal mode. And post a new HJT log and the log from the above l2mfix.bat file.
     
    Last edited: Mar 9, 2005
  22. nav88

    nav88 Private E-2

    Most up to date version of MS-AS installed. Ran, found 24 threats including Vx2.ABetterInternet and Vx2.Zserv (50+ instances). Ran the cleaner part of the program and after removing the first of the 24 (WindUpdates Browser Plug-in) the MS-AS program freezes up (NOT RESPONDING) while trying to remove the AproposMedia Browser Modifier threat.

    Should I uninstall MS-AS, reboot and download again...or not perform the removal and proceed with the rest of the steps and post the requested logs?
     
  23. nav88

    nav88 Private E-2

    Okay..I uninstalled the MS-AS...uploaded a new copy..got the same result. Decided to try it in the safe mode (previous directions did not specify) and I was able to advance through the complete removal process.

    Running the L2MFIX scan at this time
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running in safe mode would have been my suggestion (like we do in the READ ME).

    Does your MS-AS now say it is 1.0.509 for version number?

    Post the logs from L2Mfix and also post the log from REMV3.BAT (I forgot to ask for that in my last message). It creates a file named log.txt in your drive C root folder (the c:\ folder). So upload c:\log.txt here as an attachment too.

    Also post another new HJT log (that will require a second message).
     
  25. nav88

    nav88 Private E-2

    Yes version 1.0.509 is running.

    Here are the L2Mfix and remv3 log files (attached)
     

    Attached Files:

  26. nav88

    nav88 Private E-2

    Finally, here is the most recent HJT log file (attached)

    I still have the 3 system 32 dll files requested..Tried to zip them but still too big a file...How do I email them to you?

    Related question..the "earth shattering" event that started our saga was AOL would not respond when executed on my wife's profile. Will that likely still be the case and should I plan on deleting AOL and reinstalling it when we get done fixing the spyware/malware issues?

    thanks again
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try making three separate ZIP files. Otherwise you will have to enable PMs and then I can send you an email address to mail to.

    The L2MFix did not work properly. Can you please first run L2MFix with option 1 and then follow it up by running it again selecting option 2. Post both of those logs. If this does not work, we will have to complete the final part of the cleanup using find.bat and some manual steps.

    I'm not sure about your AOL problem.
     
  28. nav88

    nav88 Private E-2

    Here are the first two zipped
     

    Attached Files:

  29. nav88

    nav88 Private E-2

    and now the third...
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those 3 files may be related to a porn dialer.

    Search your PC for each of the below files:

    ieloader.dll, coder.ini, coder.log

    You need to make sure you configure search properly. Follow the steps below.

    If you use Search, you need to do the following:
    Click Search and then Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter ieloader.dll
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Repeat the search part for each file and let me know what you find.

    Do you know how to use regedit (the registry editor)?
     
  31. nav88

    nav88 Private E-2

    L2MFix scans as requested..09March1 is option1 and 09March2 is option 2...

    Doing the search for the three files now....
     

    Attached Files:

  32. nav88

    nav88 Private E-2

    Search for ieloader.dll, coder.ini and coder.log found nothing.

    I have made regedit entries before so I feel comfortable doing so with the right guidance.

    Thanks again
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just to be safe on the ieloader.dll stuff, go to this link:
    http://www.sophos.com/virusinfo/analyses/trojcoderda.html

    and click on the Description tab. Search thru your registry and see if you find any of the mentioned items. Do not do anything with them yet. Let's just see what we find first.
     
  34. nav88

    nav88 Private E-2

    Okay..I may have overrepresented my REGEDIT history...How exactly is the best way to search without typing in the whole string?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For some of them, just search for the numerical CLSID's like 67B15B0B-160C-4579-95AF-858169659092

    You could also just directly navigate to the specific key by expanding the keys manually to find what we are looking for (regedit's search mechanism is very slow).

    For the other item you could search for IELoaderCtl
    or again just navigate to the key.

    Does that help or is searching still a problem for you?
     
  36. nav88

    nav88 Private E-2

    Searched for all 7 strings and found none of them
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let's see if we can finish the baddies off:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\wupvlhla.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O2 - BHO: (no name) - {93233805-2E29-A344-0FDA-9A9C8822FCF3} - C:\WINDOWS\system32\tguldndp.dll
    O2 - BHO: (no name) - {D1F9E71A-51B7-C10C-D8E9-14FDC94410CB} - C:\WINDOWS\system32\cxvaotpd.dll
    O2 - BHO: (no name) - {FAE9A4C4-15F3-7985-BB29-95CD2E3873CE} - C:\WINDOWS\system32\fdhstnmc.dll
    O4 - HKLM\..\Run: [wupvlhla] C:\WINDOWS\system32\wupvlhla.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\tguldndp.dll
    C:\WINDOWS\system32\cxvaotpd.dll
    C:\WINDOWS\system32\fdhstnmc.dll
    C:\WINDOWS\system32\wupvlhla.exe
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now run Ccleaner that you installed while running the READ ME FIRST.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is one more problem in your log we will need to work on and that's the following:

    O23 - Service: lhrlkusypdlv (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe

    We may need to use a procedure similar to what is mentioned at Microsoft in the below link:
    http://support.microsoft.com/?scid=kb;en-us;894278
     
  39. nav88

    nav88 Private E-2

    When it came to deleting the 4 SYSTEM32 files in the Normal mode..the only one present in the directory was wvuplhla.exe file.

    Here is the HJT log.
     

    Attached Files:

  40. nav88

    nav88 Private E-2

    Thanks for all your help so far.. I am getting ready to leave for the airport, gone until Saturday..the machine appears to be running fine although I deleted all copies of AOL and downloaded and reinstalled and it is still hanging up so I still have that problem.

    Please let me know if you think i have any more clean up to do.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well now I would bet we will not be able to get rid of the O2 - BHO lines where the files are missing. We have seen multiple cases of these where after removing the real problem (the exe file and the BHO files) the O2 lines just will not stay gone. But let's try.

    Run HJT and put checks on the following lines but DO NOT click fix until you make sure all browsers are closed including the one you are reading right now:
    O2 - BHO: (no name) - {93233805-2E29-A344-0FDA-9A9C8822FCF3} - (no file)
    O2 - BHO: (no name) - {D1F9E71A-51B7-C10C-D8E9-14FDC94410CB} - (no file)
    O2 - BHO: (no name) - {FAE9A4C4-15F3-7985-BB29-95CD2E3873CE} - (no file)

    Then after clicking fix exit HJT and reboot. Get a new HJT log after reboot and see if the O2 lines are still gone. If so, open a browser and then close the browser. Get another HJT log! Are they still gone?

    I'll talk with you when you get back.
     
  42. nav88

    nav88 Private E-2

    No success...the BHO lines are still present after the scan and reboot.

    Here is the logfile for HJT....
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As expected! Let's not worry about the BHOs. There is no known fix for these right now but the files are gone and they are more than likely not causing a problem. We need to look at the msupd6.exe file.

    Can you see this file C:\WINDOWS\system32\msupd6.exe
     
  44. nav88

    nav88 Private E-2

    I have located the MSUPD6.exe file
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Try killing the process that is running using Task Manager and then try deleting the file. Does that work? Also do the below for another problem you have!

    Exit ALL applications especially browsers including the one you are reading in right now. (You may want to print or save this locally for reference).

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\isrvs\mfiltis.dll
    then click OK. If a dialog box confirming this action appears, click OK.
    If you get an error message on this, just OK it and continue.

    Click START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}\InprocServer32

    Backup this key by clicking File, Export and then enter a File name (like mfiltis1.reg) and save it somewhere you can find it (if needed). Do the Export before doing the following:
    RightClick on the above registry key (the InprocServer32 one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    Now navigate to the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mfiltis

    Backup this key by clicking File, Export and then enter a File name (like mfiltis2.reg) and save it somewhere you can find it (if needed). Do the Export before doing the following:
    RightClick on the above registry key (the mfiltis one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    When done, reboot and post a new HJT log.
     
  46. nav88

    nav88 Private E-2

    This key is not on my machine..

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}\InprocServer32

    Therefore I stopped at that step of the process..
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue to the next one!
     
  48. nav88

    nav88 Private E-2

    MFILTIS folder deleted..

    HJT scan completed after reboot
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay run HijackThis and fix the below lines (do not fix until browsers are closed).
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O23 - Service: lhrlkusypdlv (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)

    Let me know if the O23 line comes back. If so, we will need to use a special procedure to fix it.
     
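The HijackThis lines chaslang asks to fix in posts 37, 41 and 49 fall into a few recognisable patterns: a hosts-file entry that sends a public hostname to a remote address (O1), unnamed BHOs backed by randomly named DLLs in system32 (O2), a Run-key autostart pointing at a randomly named EXE (O4), and entries whose registry reference survives after the file is gone ("(no file)" / "(file missing)"), including a service with "Unknown owner" (O23). The following Python script is an added example, not code from this thread or from HijackThis: it parses lines in the HJT log format and flags those patterns so a log can be triaged before anything is fixed. The sample log is constructed from the entries quoted in this thread; the "eight lowercase letters in system32" heuristic is an assumption drawn from the file names seen here (tguldndp.dll, wupvlhla.exe), not a rule HijackThis itself applies.

```python
import re
from dataclasses import dataclass

# Constructed sample log built from the HijackThis lines quoted in this thread
# (posts 37, 41 and 49). It is test input for the parser, not a real log file.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {93233805-2E29-A344-0FDA-9A9C8822FCF3} - C:\WINDOWS\system32\tguldndp.dll
O2 - BHO: (no name) - {D1F9E71A-51B7-C10C-D8E9-14FDC94410CB} - (no file)
O4 - HKLM\..\Run: [wupvlhla] C:\WINDOWS\system32\wupvlhla.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O23 - Service: lhrlkusypdlv (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O2"
    reason: str   # why the line was flagged
    line: str     # the original log line


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^(\S+): \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^Service: (\S+) \((.*?)\) - (.*?) - (.*)$")
# Assumed heuristic: eight lowercase letters plus .dll/.exe directly in system32,
# the naming pattern of the VX2/Look2Me files named in this thread.
RANDOM_NAME_RE = re.compile(r"\\system32\\[a-z]{8}\.(dll|exe)$", re.IGNORECASE)
# Hosts entries pointing at localhost are the usual ad-blocking pattern, not a hijack.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def is_orphan(path: str) -> bool:
    """HJT marks a registry entry whose target is gone as '(no file)' or '(file missing)'."""
    p = path.strip()
    return p == "(no file)" or p.endswith("(file missing)")


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries of an HJT-format log, one Finding per flagged line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines and anything that is not an O-section entry
        section, rest = m.groups()
        if section == "O1":
            h = HOSTS_RE.match(rest)
            if h and h.group(1) not in LOCAL_ADDRS:
                # A public hostname redirected to a remote IP is a hosts-file hijack.
                findings.append(Finding(section, f"hosts file redirects {h.group(2)} to {h.group(1)}", raw))
        elif section == "O2":
            b = BHO_RE.match(rest)
            if not b:
                continue
            name, clsid, path = b.groups()
            if is_orphan(path):
                findings.append(Finding(section, f"orphaned BHO {clsid}: registry entry remains, file gone", raw))
            elif name == "(no name)" and RANDOM_NAME_RE.search(path):
                findings.append(Finding(section, f"unnamed BHO {clsid} backed by random 8-letter file {path}", raw))
        elif section == "O4":
            r = RUN_RE.match(rest)
            if r and (is_orphan(r.group(3)) or RANDOM_NAME_RE.search(r.group(3))):
                findings.append(Finding(section, f"autostart [{r.group(2)}] in {r.group(1)} runs {r.group(3)}", raw))
        elif section == "O23":
            s = SERVICE_RE.match(rest)
            if s and (s.group(3) == "Unknown owner" or is_orphan(s.group(4))):
                findings.append(Finding(section, f"service {s.group(1)} ({s.group(2)}) owner={s.group(3)!r} path={s.group(4)}", raw))
        elif is_orphan(rest):
            # Any other section (O9 toolbar buttons etc.) whose file is gone.
            findings.append(Finding(section, "entry references a file that no longer exists", raw))
    return findings


def sections_flagged(log_text: str) -> dict[str, int]:
    """Count findings per HJT section; handy for a quick before/after comparison of two logs."""
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

The script flags entries for review, not for removal. On the sample it reports six lines, and one of them (the AOL Toolbar O9 entry) is a harmless leftover of an uninstalled toolbar that the parser cannot distinguish from malware residue by the log line alone; that is the same reason chaslang asks for copies of the DLLs and a file search before clicking Fix, and why the orphaned O2 and O23 lines are treated as registry clean-up after the real binaries are gone.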
  50. nav88

    nav88 Private E-2

    yes..the O23 line came back
     
