Spyware that I cannot remove / VX2??

Discussion in 'Malware Help (A Specialist Will Reply)' started by mojodojo2k, Jan 27, 2005.

  1. mojodojo2k

    mojodojo2k Private E-2

    Re: Spyware that I cannot remove

    Hello! :)

    This is my 1st post and I must say I'm glad I stumbled across this website. majorgeeks.com is a very resourceful website chock-full of juicy information and software for all!!!

    Anywho, along with being my 1st post here, this is also my first time getting malware installed on my computer and being "utterly frustrated to the point of almost wanting to buy another hard drive and start fresh because of it" type syndrome. [gasp]...easy tiger, it's ok....just a computer. LOL...I'm a senior in computer engineering and unfortunately a class on malware/spyware isn't in the lineup, so I'm a severe newbie when it comes to fixing these types of problems. I cruised the majorgeeks forum for about an hour and found this site: http://forums.majorgeeks.com/showthread.php?t=35407. I did every step to the "T" on that post and unfortunately still have the same problems. I was hoping to find a previous post that is related to my issue and this post seems to be the closest.

    After doing everything on the "READ ME FIRST..." post, my malware symptoms are much like Alisen's symptoms.....

    When I ran CWShredder, I also encountered an error message when it scanned for the "CWS.Bootconf" file, and it closed the program. That was with the newest version of CWShredder, version 2.0. I ran the 1.0 version with no problems and there I could fix the ".Bootconf" file. Unfortunately it keeps coming back for revenge!!!

    When I ran Spybot S&D, I encountered a bunch of "coolwebsearch" files that could not be deleted. Tried it in both modes..."safe" mode and "regular" mode.

    ...after booting in regular mode and doing everything in the "READ ME FIRST..." post, I encountered the same ".dll, UMonitor" messages upon startup. I have installed HijackThis in its own C: folder, but have not run it yet.


    I have Norton AntiVirus 2005 and had Norton Utilities 2003 installed. I say "had" because Utilities 2003 expired three days ago and I decided not to renew it, so I deleted the program because the "Your Norton Utilities has expired, please renew for only $45" messages would pop up every hour and it became annoying. Well, big mistake, because the next day when I jumped online I had all these pop-ups and now my computer runs at snail speed and it's impossible to play my online games anymore...thus the EXTREMELY frustrating part. I switched my browser over to Firefox and have experienced few pop-ups so far, which is soothing, but when it takes 5 minutes just to get to my Control Panel...that's where I draw the line!!!

    Anywho, I installed a new hard drive about 6 months ago and loaded a fresh copy of Windows XP Prof. edition and have been using the Norton Utilities 2003 software along with my Windows firewall and haven't had any problems.
    But now that my Utilities is expired I'm floating down crap creek with one paddle...lol. Since Alisen had the same problems as I did, I was going to go ahead and do the steps she did in order to rid my computer of this demon, but I figure I would wait and write this post to see what any of you "pros" recommended first. Plus after looking at the 12 or so post replies, I see this is no easy task to delete this VX2 variant. I will wait upon request to attach any logs or text files.

    If anyone has any tips or can walk me through this, I'd greatly appreciate it! Heck, I'd even buy a Majorgeek.com t-shirt and promote you guys around town if all goes well ...Ha ha!

    -Cougar

    P.S. My screen name for Yahoo and AOL is "mojodojo2k". Since I am practically sitting in front of a computer most of the day, feel free to IM me for more info....that would make things quicker also!
     
  2. PhilliePhan

    PhilliePhan Guest

    Re: Spyware that I cannot remove

    Hi Cougar,

    If you are certain that you've exhausted the Tutorial's options (including the Online Scans), then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will split you off into your own thread to avoid confusion.

    I’ve been tied up with work these days, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  3. mojodojo2k

    mojodojo2k Private E-2

    Hi PhilliePhan,

    Thanks for the quick reply and I understand how busy you computer people can be! I have exhausted my ways to delete this problem but with no luck. I followed the HijackThis instructions and attached are my results. Much obliged to anyone who can tell me what's going on!

    -Cougar
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Cougar,

    There are only a few of us volunteering our free time in this forum, so the process may drag out a bit, but we'll get you fixed up!

    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:


    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    FIRST:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Then, please do the same for winlspak.dll.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    NOW:
    Look in Add/Remove Programs and Uninstall SED if found.

    NEXT:
    Please look in Task Manager and try to END the following running processes, if found:

    netdaemon.exe
    SED.exe
    rsotilse.exe
    yrivvw.exe
    rshbene.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    These lines will likely return
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [netdaemon] C:\WINDOWS\system32\netdaemon /v
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\Cougar\n20050308.exe
    O4 - HKLM\..\Run: [wFtO39S] rsotilse.exe
    O4 - HKCU\..\Run: [ho2ERVeqT] rshbene.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    These should be gone due to LSP-Fix
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll

    O18 - Protocol: bw+0 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {09F196DB-0C7F-4C31-9158-2DB3CE9874D2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - ... REMOVE ALL OF THESE similar O18 lines

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\netdaemon
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED ---> The Folder
    C:\Documents and Settings\Cougar\n20050308.exe
    yrivvw.exe ---> Use Windows Explorer to find this one – It is likely the Narrator Trojan and will probably return
    rsotilse.exe ---> Use Windows Explorer to find this one
    rshbene.exe ---> Use Windows Explorer to find this one


    Then, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NOW:
    Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix log along with a fresh HijackThis log and we’ll see where you stand. Please DO NOT REBOOT after scanning for these logs!! I will try to check back as time permits - Likely Friday evening before I head out for the night.

    Best Luck :)
    PP
     
  5. Googleman

    Googleman Private E-2

    I just posted my situation on here, and some of what happened to me (not an advanced user at all), including the same frustrations, are happening to you it seems. Check out my post of tonight.

    I hope it helps. Very similar it seems, and I swear my system finally after a month, and probably over 30+ hours of trying to troubleshoot (myself ONLINE, and some tech support calls).

    Good luck.
     
  6. mojodojo2k

    mojodojo2k Private E-2

    I see your other post, Googleman, for I am not alone in this! Looks like you give some good info and I'll follow it!

    PhilliePhan, I will try the following things (in your last post) on Sunday night and will post my l2mfix and HijackThis logs on Sunday night, so if available you can check them on Monday. I kind of need to use my computer during the weekend and may have to reboot! ;) Once again, thanks for the help and enjoy the weekend! :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The stuff in Googleman's post is not a complete fix. It may just patch around the problems. All the bad VX2 files may still be on your PC afterwards. We have been using the fix like Phillie has given for quite a while now and have fixed dozens of these problems. It works every time.
     
  8. mojodojo2k

    mojodojo2k Private E-2

    Hi Philliephan,

    Well, I did all of what you asked in your last post and have attached the l2mfix and HijackThis logs. Yes, I agree, chaslang...I'd rather take the long route and remove ALL of what's bad on my computer than do a mere "quick fix". Ten hut! ;)

    -Cougar
     


  9. PhilliePhan

    PhilliePhan Guest

    Hi Cougar,

    Please check to see if the following folder remains and Delete it:
    C:\Program Files\AutoUpdate


    For the next step, please make sure ALL Browser Windows are Closed!

    NOW:
    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually produce another log in Notepad. Please attach that log along with a fresh HijackThis log.

    Again, please do not run any other files in the L2MFix folder.

    I will try to check back when time permits and we'll see how things shook out.

    PP :)
     
  10. mojodojo2k

    mojodojo2k Private E-2

    Ok..done. Had to delete the "AutoUpdate" folder in safe mode. Here are the logs of both.
     


  11. PhilliePhan

    PhilliePhan Guest

    Hi Cougar,

    Looks like we got the VX2.
    Please run HijackThis and Fix these lines:

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"


    This entry is likely the Narrator Trojan that often accompanies this VX2 variant: C:\WINDOWS\system32\yrivvw.exe

    To deal with this one, please unzip the Generic Detection Tool - NT/2000/XP to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log along with a fresh HijackThis. I will check back as time permits.

    PP :)
     
  12. mojodojo2k

    mojodojo2k Private E-2

    "Generic Detection Tool - NT/2000/XP" link isn't working. Where is the download located?? Tried putting it in the majorgeeks search bar, but received a lot of requests.

    -Thanks
     
  13. PhilliePhan

    PhilliePhan Guest

    That's odd - Link works fine for me.

    I attached the tool below.

    PP :)
     
  14. mojodojo2k

    mojodojo2k Private E-2

    Hi PP,

    Thanks for the info! The two log files are attached...

    -Cougar
     


  15. PhilliePhan

    PhilliePhan Guest

    Hi Cougar,

    Hopefully, this will wrap it up!


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    NOW, you will be entering items into Pocket KillBox. Please open KillBox and select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Also, check the box to “End Explorer Shell While Killing File” for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\System32\vmss
    C:\WINDOWS\system32\goyllc.dll
    C:\WINDOWS\system32\pwzllh.exe
    C:\WINDOWS\system32\zboiie.dll
    C:\WINDOWS\system32\qbawwp.dat
    C:\WINDOWS\system32\yrivvw.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ytukkh.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixnrtr.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-



    Now:
    DoubleClick on the fixnrtr.reg file you made and allow it to merge the registry entries into the registry.

    NEXT:
    Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.


    Finally, reboot and give me another Find.bat Log and HijackThis Log and tell me how things are running. With any luck, all will be clear! Will try to check back tonight, if possible.

    PP :)
     
    Last edited by a moderator: Jan 30, 2005
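The O1 lines in PhilliePhan's instructions above are hosts-file hijacks: well-known search domains mapped to a remote address (69.20.16.183) so the hijacker's server answers instead, and the HOSTER step restores the file to its original state. The following is an added example, not code from the thread or from any of the tools it names: it parses a constructed hosts file modelled on those O1 lines, flags every name pointed at a non-local address, and rebuilds a cleaned copy. The sample contents and the `ad.doubleclick.net` blocking line are constructed for the demonstration.

```python
# Added example (not part of the thread): detect hosts-file hijacks of the
# kind shown in the O1 lines and rebuild a clean hosts file.
import ipaddress

# Constructed sample hosts file modelled on the O1 entries in this thread.
# On Windows XP the real file lives at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
127.0.0.1       ad.doubleclick.net   # constructed: a deliberate block, not a hijack
"""

# What "Restore Original Hosts" leaves behind on a stock Windows install.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Yield (ip, [names]) for every non-comment, non-blank hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1:]


def is_local(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0) addresses,
    the only targets a legitimate blocking entry should use."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return [(ip, name)] for names mapped to a non-local address.
    Redirecting a search or update domain to a remote host is the VX2 pattern."""
    return [(ip, name) for ip, names in parse_hosts(text)
            for name in names if not is_local(ip)]


def clean_hosts(text):
    """Keep only local-address entries; fall back to the stock default file
    if nothing legitimate remains."""
    kept = ["%s %s" % (ip, " ".join(names))
            for ip, names in parse_hosts(text) if is_local(ip)]
    return ("\n".join(kept) + "\n") if kept else DEFAULT_HOSTS


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print("HIJACK: %s -> %s" % (name, ip))
    print("--- cleaned hosts ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of the real hosts file by passing its contents to `find_hijacks`; a non-empty result after cleaning means something rewrote the file again, which is the "these lines will likely return" behaviour noted above.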
  16. mojodojo2k

    mojodojo2k Private E-2

    Hello PP,

    Well, so far so good...knock on plastic, lol. The ".dll Umonitor" warning I get during startup has ceased and no pop-up in sight yet. :) Enclosed are the logs....hopefully things look good! :)
     


  17. PhilliePhan

    PhilliePhan Guest

    Hi Cougar,

    Both logs look good. I think it is safe to pronounce your computer healed! How are things working?

    While you're here, you should take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    PP :)
     
  18. mojodojo2k

    mojodojo2k Private E-2

    Hi PhilliePhan,

    Yes, I agree!!! Things are back to normal and my online gaming is no longer rudely interrupted by pop-ups or by my computer running slow. Thank you so much, PP!!! You were very helpful and in the long run probably saved me $60 if I had taken it to a computer store. So, with the extra money that I saved I think I'll venture on over to the majorgeeks merchandise site and see if I can't pick out a t-shirt to buy!

    One last question: Is it safe to delete most of these malware fix programs now? Like the CWShredder, l2mfix, HijackThis, KillBox, Stinger, etc. programs??

    I'll look at Chaslang's post on what to keep, like the SpywareBlaster program, and what else I can do to prevent this stuff from happening again.

    :):):):):)Once again Thank you!!!:):):):):):)

    -Cougar
     
  19. PhilliePhan

    PhilliePhan Guest

    You're welcome! - My favorite Online Game is playing Malware Assassin!! ;)

    You can delete the tools if you so desire. You will also find a file on C: Drive called "!Submit" which is a backup of items removed by KillBox - You may delete this as well.

    Enjoy your MajorGeeks T-Shirt!

    Happy Computing :)
    PP
     
