That old (new) 69.20.16.183

Discussion in 'Malware Help (A Specialist Will Reply)' started by dunkbot, Jan 6, 2005.

  1. dunkbot

    dunkbot Private E-2

    Well, I'm not sure where I got this and, of course, it's worse than strep throat. Here's my HJT:

    Edit by chaslang: Inline log changed to attachment

    If anyone can help me- I've been working on this for days- I would really appreciate it...I've also inspected the windows32 files and, yeah, guard.tmp is there (but I didn't mess with anything). Thanks!
     

    Attached Files:

    Last edited by a moderator: Jan 7, 2005
  2. PhilliePhan

    PhilliePhan Guest

    Hi Dunkbot,

    Please download the following tools:
    http://www.downloads.subratam.org/DllCompare.exe
    Pocket KillBox
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Generic Find It Tool - NT/2000/XP



    NOW: Open the Generic FindIt Tool and run Find.bat. Give it as much time as it needs to run. If you get a "File not Found" error, just let it go. It will produce a lengthy log - Please attach that log using the "Manage Attachments" tool when you post.

    NOTE: Once you have scanned with Find.bat, you MUST NOT REBOOT until you hear from us - The malware will mutate if you reboot.

    I’m not around too often these days, but I'll check back when time permits.

    PP :)

    *** A mod with more power than I may move this thread to the Spyware Forum where it belongs ;)
     
  3. dunkbot

    dunkbot Private E-2

    Ok, my screen went blank and I had no choice but to reboot but I do have the new HJT and also the requested log- sorry.

    Edit by chaslang: Inline HJT log changed to attachment

    ...and findit:

    Edit by chaslang: Inline find.bat log changed to attachment

    Thanks for your help; that's the second time my system has done that in a week- the dang thing almost "knows" I'm trying to get rid of it...
     

    Attached Files:

    Last edited by a moderator: Jan 7, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note the correct version of HijackThis is Version 1.99. You need to update. Get it here
    HijackThis 1.99

    I'm moving this thread to the Spyware Forum too.
     
  5. dunkbot

    dunkbot Private E-2

    OK, here it is:





    Thanks again
     

    Attached Files:

    Last edited by a moderator: Jan 7, 2005
  6. PhilliePhan

    PhilliePhan Guest

    Hi Dunkbot,


    Please ATTACH All further logs using the "Manage Attachments" tool when you post.


    Please DO NOT REBOOT. I will try to knock out a fix for you in the next 30 mins or so.

    PP :)
     
  7. PhilliePhan

    PhilliePhan Guest

    AllRightyThen!

    I'm giving you my "All in one" version of the workthrough in the hope of saving some time. With some luck, things will run smoothly - Otherwise we may have to repeat a few steps!

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please print out these instructions (or save locally to make copy&pasting easy) so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\SfmRedir.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\enp2l17o1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\Iuetwh32.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea. . . Now, do the same for the rest of them:

    Iuetwh32.dll
    ir2sl5f71.dll
    dnn4015qe.dll
    spc.dll
    l8r0li9m18.dll
    oqbccu32.dll
    kt1394.dll
    ixxwan.dll
    n8l8li3u18.dll
    l46olej31ho.dll
    jjpl400.dll
    f4l02e3mgh.dll
    sdobject.dll
    afctres.dll
    l68m0gl1e6q.dll
    ozmanage.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    NEXT:

    Doublecheck to make sure that guard.tmp has been removed. If it somehow remains, feed it to Pocket KillBox and Delete it using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp


    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg



    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7D35D116-7F2E-461B-99A2-DFD7F923DA8A}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]



    Now:

    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.



    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up!

    Let me know about any problems that you may have run into completing the above! I will try to check back when time permits - likely Friday evening.

    PP :)
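The fixvx2.reg file in the post above deletes one value (the VX2 User Agent GUID under Post Platform) and one whole key (the Winlogon\Notify\Themes notification package, which is a DLL winlogon.exe loads at logon). The dry-run interpreter below is an added example, not code from the thread or from any of the tools it links: it parses the REGEDIT4 syntax so you can see exactly which registry operations a .reg file will perform before double-clicking it, and it flags any .reg file that would *add* data rather than only remove it. The header strings and the `[-key]` / `"name"=-` deletion syntax are documented Registry Editor behaviour; everything else (function and class names) is this example's own.

```python
"""Dry-run interpreter for REGEDIT4-style .reg files.

Added example (not from the original thread). It never touches the registry;
it only returns the list of operations that merging the file would perform.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The .reg file from the post, copied verbatim.
FIXVX2_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7D35D116-7F2E-461B-99A2-DFD7F923DA8A}"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
'''

# Registry Editor accepts either header; anything else is not a .reg file.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# "name"=data  or  @=data (default value); the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^("(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


@dataclass(frozen=True)
class RegOp:
    action: str           # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""        # value name; "" means the key's default value
    data: object = None   # decoded data, only for set_value


def _decode(raw: str):
    """Decode the common encodings: "string" or dword:hexvalue."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    raise ValueError(f"unsupported data encoding: {raw!r}")


def parse_reg(text: str) -> list[RegOp]:
    """Turn a .reg file into the ordered list of operations it would perform."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    ops: list[RegOp] = []
    key: str | None = None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):          # blank line or comment
            continue
        if ln.startswith("[") and ln.endswith("]"):
            body = ln[1:-1]
            if body.startswith("-"):               # [-key] deletes the whole key
                ops.append(RegOp("delete_key", body[1:]))
                key = None                          # values cannot follow a deleted key
            else:                                   # [key] opens/creates the key
                key = body
            continue
        m = _VALUE_RE.match(ln)
        if not m or key is None:
            raise ValueError(f"cannot interpret line: {ln!r}")
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        if data == "-":                             # "name"=- deletes that value
            ops.append(RegOp("delete_value", key, name))
        else:
            ops.append(RegOp("set_value", key, name, _decode(data)))
    return ops


def only_deletions(ops: list[RegOp]) -> bool:
    """A cleanup .reg should only remove things; any set_value deserves a look."""
    return all(op.action in ("delete_key", "delete_value") for op in ops)


if __name__ == "__main__":
    planned = parse_reg(FIXVX2_REG)
    for op in planned:
        print(op)
    print("only deletions:", only_deletions(planned))
```

Running it on the posted file yields exactly two operations, both deletions: remove the GUID value under Post Platform, then remove the Winlogon\Notify\Themes key. A .reg file handed to you by a forum helper that produced a `set_value` here would be worth questioning before merging.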
     
  8. dunkbot

    dunkbot Private E-2

    I'm sorry, but I don't know what "manage tools" you are speaking of ... what did I miss? My browser (Firefox) or something on this board- oh, I looked...OK? Wow, I'm gonna be busy...think I'll tackle this in the morn after some coffee. Again, thanks for all your help and I'll post tomorrow after the fix. Gotta eat and feed the cats. This has been educational for me- no printer, but I'll save the page before I go offline. Have a good one...cheers!
     
  9. PhilliePhan

    PhilliePhan Guest

    Just make sure you do not reboot! Otherwise the entries will change!

    You'll find the "Manage Attachments" tool in the ADDITIONAL OPTIONS section when you post - Just scroll down a bit ;)

    PP :)
     
  10. dunkbot

    dunkbot Private E-2

    Well, I followed your instructions and guard.tmp could not be found for some reason. Here are the new logs:
     

    Attached Files:

  11. dunkbot

    dunkbot Private E-2

    But I have not seen an attempt or popup...everything seems stable- vast improvement. I'm sure there's more...I'm on the ready whenever you are Phillie-Sorceror of the Schuykill! ;)
     
  12. PhilliePhan

    PhilliePhan Guest

    Hi Dunkbot,

    A lot of items remain! We'll go a bit slower this time. Be sure to follow the instructions carefully.

    guard.tmp may still be on your machine - Sometimes, it is hidden and protected and you just have to run through the motions of deleting it just in case! So keep adding it along with the steps below.

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please print out these instructions (or save locally to make copy&pasting easy) so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    We'll run through the same steps as before.


    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\ir2sl5f71.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\spc.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\l8r0li9m18.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, do the same for the rest of them:

    oqbccu32.dll
    kt1394.dll
    ixxwan.dll
    n8l8li3u18.dll
    l46olej31ho.dll
    jjpl400.dll
    f4l02e3mgh.dll
    sdobject.dll
    afctres.dll
    l68m0gl1e6q.dll
    ozmanage.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    NOW, attach another Find.bat log and we'll see where we are. ALSO run DLL Compare and Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log as well.

    Let me know about any problems that you may have run into completing the above! I may be going out tonight, so I'll check back when time permits.

    PP :)
     
  13. PhilliePhan

    PhilliePhan Guest

    Don't give the title-mongers here any ideas! ;)
    Besides, I'm in OHIO!

    PP :)
     
  14. dunkbot

    dunkbot Private E-2

    Here are the requested logs:
    Running pretty good so far. Still no popups or attempts-bueno! Gettin' speedy.
    Sorry about the joke but I know Ohio as well (lived there years ago). Thanks!!
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hi Dunkbot,

    For some reason, these remain:

    C:\WINDOWS\SYSTEM32\afctres.dll Tue Dec 14 2004 12:12:40a ..S.R 224,178 218.92 K
    C:\WINDOWS\SYSTEM32\f4l02e~1.dll Tue Dec 14 2004 9:14:18a ..S.R 223,225 217.99 K
    C:\WINDOWS\SYSTEM32\ixxwan.dll Sun Dec 26 2004 7:24:08p ..S.R 224,865 219.59 K
    C:\WINDOWS\SYSTEM32\jjpl400.dll Tue Dec 14 2004 9:14:18a ..S.R 224,865 219.59 K
    C:\WINDOWS\SYSTEM32\kt1394.dll Tue Jan 4 2005 6:58:58p ..S.R 223,027 217.80 K
    C:\WINDOWS\SYSTEM32\l46ole~1.dll Thu Dec 23 2004 11:53:18a ..S.R 226,229 220.93 K
    C:\WINDOWS\SYSTEM32\l68m0g~1.dll Tue Dec 14 2004 12:11:22a ..S.R 223,814 218.57 K
    C:\WINDOWS\SYSTEM32\n8l8li~1.dll Thu Dec 23 2004 12:54:06p ..S.R 224,865 219.59 K
    C:\WINDOWS\SYSTEM32\oqbccu32.dll Wed Jan 5 2005 9:10:54p ..S.R 223,359 218.12 K
    C:\WINDOWS\SYSTEM32\ozmanage.dll Mon Dec 13 2004 11:44:22p ..S.R 223,814 218.57 K
    C:\WINDOWS\SYSTEM32\sdobject.dll Tue Dec 14 2004 12:18:10a ..S.R 224,178 218.92 K

    You must keep at trying to remove these DLLs via the procedure we have been using. We cannot continue to the next step until they are gone.
    Keep entering the DLLs (minus the size and time and date information) and deleting. Make sure the DLLs you delete were created after Dec. 12, 2004.

    Then, run DLL Compare again and check that they are gone. If some remain, repeat the process. You'll need to do this until the DLL Compare log is clean.

    When the Log is clean, attach a fresh Find.bat log from the Generic Detection Tool and we'll go to the next step.
    If we do not get them all, the problems will return.

    PP :)
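The listing quoted in the post above is what a practitioner has to triage by hand: pick out the SYSTEM32 entries with the hidden system and read-only attributes, keep only those created after Dec. 12, 2004, and strip the date, time, attribute and size columns to get bare paths for KillBox. The script below is an added example, not code from the thread or from DLL Compare / Find.bat; it parses lines in the quoted format, applies those criteria, and maps the 8.3 short names in the listing (f4l02e~1.dll) back to the long names given earlier in the thread. Assumptions: the attribute column uses S for system and R for read-only, the short-name rule is the usual "first six characters plus ~1", and the two `example_*.dll` lines are constructed decoys, not real files.

```python
"""Triage a DLL Compare / Find.bat style SYSTEM32 listing.

Added example (not from the thread). Parses listing lines in the format
quoted in the post, applies the post's criteria, and emits bare paths
suitable for pasting into Pocket KillBox one at a time.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime

# The eleven lines from the post plus two constructed decoys (not real files):
# one older file with the same attributes, one recent file without them.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\afctres.dll Tue Dec 14 2004 12:12:40a ..S.R 224,178 218.92 K
C:\WINDOWS\SYSTEM32\f4l02e~1.dll Tue Dec 14 2004 9:14:18a ..S.R 223,225 217.99 K
C:\WINDOWS\SYSTEM32\ixxwan.dll Sun Dec 26 2004 7:24:08p ..S.R 224,865 219.59 K
C:\WINDOWS\SYSTEM32\jjpl400.dll Tue Dec 14 2004 9:14:18a ..S.R 224,865 219.59 K
C:\WINDOWS\SYSTEM32\kt1394.dll Tue Jan 4 2005 6:58:58p ..S.R 223,027 217.80 K
C:\WINDOWS\SYSTEM32\l46ole~1.dll Thu Dec 23 2004 11:53:18a ..S.R 226,229 220.93 K
C:\WINDOWS\SYSTEM32\l68m0g~1.dll Tue Dec 14 2004 12:11:22a ..S.R 223,814 218.57 K
C:\WINDOWS\SYSTEM32\n8l8li~1.dll Thu Dec 23 2004 12:54:06p ..S.R 224,865 219.59 K
C:\WINDOWS\SYSTEM32\oqbccu32.dll Wed Jan 5 2005 9:10:54p ..S.R 223,359 218.12 K
C:\WINDOWS\SYSTEM32\ozmanage.dll Mon Dec 13 2004 11:44:22p ..S.R 223,814 218.57 K
C:\WINDOWS\SYSTEM32\sdobject.dll Tue Dec 14 2004 12:18:10a ..S.R 224,178 218.92 K
C:\WINDOWS\SYSTEM32\example_old.dll Mon Jun 7 2004 3:15:00p ..S.R 40,960 40.00 K
C:\WINDOWS\SYSTEM32\example_new.dll Wed Jan 5 2005 9:11:00p ..A.. 12,288 12.00 K
"""

# Long names from the KillBox list earlier in the thread (post #7).
KNOWN_LONG_NAMES = ["f4l02e3mgh.dll", "l46olej31ho.dll", "l68m0gl1e6q.dll", "n8l8li3u18.dll"]

CUTOFF = date(2004, 12, 12)  # "created after Dec. 12, 2004" per the post
SYSTEM32 = "C:\\WINDOWS\\SYSTEM32\\"


@dataclass(frozen=True)
class Entry:
    path: str
    created: datetime
    attrs: str
    size: int


def parse_line(line: str) -> Entry:
    """Split from the right so a path containing spaces still parses."""
    path, _wday, mon, day, year, hms, attrs, size, _kb, _unit = line.rsplit(None, 9)
    ampm = {"a": "AM", "p": "PM"}[hms[-1]]
    created = datetime.strptime(f"{mon} {day} {year} {hms[:-1]} {ampm}", "%b %d %Y %I:%M:%S %p")
    return Entry(path, created, attrs, int(size.replace(",", "")))


def parse_listing(text: str) -> list[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_suspect(e: Entry, cutoff: date = CUTOFF) -> bool:
    # Assumption: the attribute column marks S = system, R = read-only.
    in_system32 = e.path.upper().startswith(SYSTEM32)
    system_readonly = "S" in e.attrs and "R" in e.attrs
    return in_system32 and system_readonly and e.created.date() > cutoff


def suspect_paths(entries: list[Entry], cutoff: date = CUTOFF) -> list[str]:
    return [e.path for e in entries if is_suspect(e, cutoff)]


def expand_short_names(paths: list[str], long_names: list[str]) -> list[str]:
    """Map 8.3 names (f4l02e~1.dll) back to a known long name when exactly one matches."""
    out = []
    for p in paths:
        folder, _, name = p.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if "~" in stem:
            prefix = stem.split("~")[0].lower()
            matches = [n for n in long_names
                       if n.lower().startswith(prefix) and n.lower().endswith("." + ext.lower())]
            if len(matches) == 1:
                name = matches[0]
        out.append(f"{folder}\\{name}")
    return out


def killbox_list(text: str, cutoff: date = CUTOFF) -> str:
    """One bare path per line: the form the post asks to paste into KillBox."""
    return "\n".join(expand_short_names(suspect_paths(parse_listing(text), cutoff), KNOWN_LONG_NAMES))


if __name__ == "__main__":
    print(killbox_list(SAMPLE_LOG))
```

On the sample listing the filter returns the eleven posted entries and drops both decoys: the older file fails the date cutoff even though it carries the same attributes, and the recent one lacks them. The date cutoff matters because legitimate system DLLs can also be system-attributed; the post's criterion is the combination, not the attributes alone.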
     
  16. dunkbot

    dunkbot Private E-2

    Sorry, I've been busy over the weekend. I've done the procedure a few times and these items persist. However, the system seems to be more stable and I'll post a log later. Thanks.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If these entries are not going away, you should try booting in safe mode, physically disconnecting (unplug the cable) from the internet and then running the procedure PP gave you. After that reboot in normal mode (still disconnected from the internet) and run find.bat and see if you are clean. If not, run the cleaning procedure again. Then reboot and reconnect and post a new find.bat log.
     
  18. dunkbot

    dunkbot Private E-2

    Gotcha, thanks.
     
  19. PhilliePhan

    PhilliePhan Guest

    Probably easier for you to run DLL Compare until it shows that you are clean. The find.bat log can be a bit difficult to read and shows more legitimate files. You should run that AFTER the DLL Compare shows clean. Then, submit a Find.bat log and we'll go to step 2.

    I probably won't be able to check back until Monday night, but I'm certain Chaslang will keep an eye on your thread!

    PP :)
     
