The VX2 that won't die!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mitchel, Nov 2, 2004.

  1. mitchel

    mitchel Private E-2

    Hi - my malware infection is driving me crazy! I've done everything that I've found so far, but it's still there. Any help would be GREATLY appreciated. Here's a brief history:

    1) The computer was running slower and slower, with more and more pop-up ads.

    2) I downloaded & updated AdAware, ran it, and found hundreds of malware programs. I cleaned them off, then downloaded & ran Spybot S&D. It cleaned off many more.

    3) Without being connected to the Internet, I found that several programs would terminate after a few seconds of running: Norton Anti-Virus, Regedit to name a couple. Every time I ran AdAware, I found the same four entries: two VX2 and two BrowserAid. I'd clean them, but on the next reboot they'd be back.

    4) I found MajorGeeks, registered, and followed the "Do Not Post Until You Have Read This..." procedure posted by Major Attitude. I followed the directions, rebooting in safe mode, running all the scanning programs (including AdAware VX2 add-on), etc. On rebooting in normal mode, the computer was running faster & better than ever. I was breathing a sigh of relief.

    5) When I connected back to the internet, the computer slowed down to a crawl after about an hour, and an AdAware scan showed 23 malware entries, including four VX2, two BrowserAids, several Virtual Bouncers, etc.

    Something is still alive on the computer that is sucking these things back on like a vacuum cleaner. Any suggestions? I'm desperate!

    Many, many thanks,
    Mitchel
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you also run the VX2 cleaner plugin for Ad-Aware SW?

    Make sure you have HJT Version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. mitchel

    mitchel Private E-2

    I ran the VX2 cleaner plugin for Ad-Aware SW several times, and it always said that it performed the cleaning - VX2 always comes back, though!

    Thanks for your help, I'm attaching the log file as you asked.

    Mitchel
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled.

    First go to Add/Remove Programs and look for an uninstall to NaviSearch. If found, uninstall it.
    Let me know whether you find this uninstall or not.

    The two previous Peper trojan scans may have fixed some of the items I have included below, so just ignore those lines if no longer present.


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\stlb2.dll
    then click OK. If a dialog box confirming this action appears, click OK

    Click Start, and then click Run.
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\cwsk.dll
    then click OK. If a dialog box confirming this action appears, click OK

    Click Start, and then click Run.
    Type, or copy and paste, the following text:
    regsvr32 /u c:\windows\system32\E6F1873B.DLL
    then click OK. If a dialog box confirming this action appears, click OK

    Click Start, and then click Run.
    Type, or copy and paste, the following text:
    regsvr32 /u c:\windows\system32\D9EBC318C.DLL
    then click OK. If a dialog box confirming this action appears, click OK

    Click Start, and then click Run.
    Type, or copy and paste, the following text:
    regsvr32 /u c:\windows\system32\D0CE0C16B1.DLL
    then click OK. If a dialog box confirming this action appears, click OK


    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below processes and End them if found:
    msg32.exe
    compatUI.exe
    nls.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll
    O2 - BHO: (no name) - {19F56D2F-C244-7CE3-8350-15557BA52E6A} - C:\WINDOWS\System32\cwsk.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [Services] C:\msg32.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Sep0.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [9ca415153876] C:\WINDOWS\System32\compatUI.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154.EXE


    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\msg32.exe
    C:\WINDOWS\System32\compatUI.exe
    C:\WINDOWS\System32\stlb2.dll
    C:\WINDOWS\System32\cwsk.dll
    C:\Program Files\NaviSearch <--- the whole directory
    C:\WINDOWS\System32\Sep0.exe
    C:\WINDOWS\System32\E6F1873B.DLL
    C:\WINDOWS\System32\D9EBC318C.DLL
    C:\WINDOWS\System32\D0CE0C16B1.DLL

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
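    As an added illustration (not part of the thread or of HijackThis itself): a small Python triage script that reads HijackThis-style log lines like the ones quoted in the post above and flags the signs the fix list keys on, such as "(no file)" orphans, Run keys that load DLLs through rundll32, random-looking hex filenames, an O16 download that points at an .exe, and names identified as malware in this thread. The sample log and the benign ctfmon.exe line are constructed here; the known-bad list is only what this thread names.

```python
import re

# Constructed sample: lines quoted in the thread above plus one benign
# ctfmon.exe entry added here so a clean line is visible too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154.EXE
"""

# Names chaslang singled out in this thread; a real triage list would be far longer.
KNOWN_BAD = {"navisearch", "nls.exe", "msg32.exe", "compatui.exe", "stlb2.dll", "cwsk.dll"}

# A filename made of 8+ hex digits, like E6F1873B.DLL or D0CE0C16B1.DLL.
HEX_NAME = re.compile(r"\b[0-9A-F]{8,}\.(?:dll|exe)\b", re.I)

def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: [x] y' into (section, rest); None for non-entries."""
    m = re.match(r"^(R\d|F\d|N\d|O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def suspicious_reasons(line):
    """Return the list of rules a single log line trips (empty if none)."""
    parsed = parse_line(line)
    if not parsed:
        return []
    section, rest = parsed
    low = rest.lower()
    reasons = []
    if "(no file)" in low:
        reasons.append("orphaned entry: registered object whose file is gone")
    if section == "O4" and "rundll32.exe" in low:
        reasons.append("Run key loads a DLL through rundll32")
    if HEX_NAME.search(rest):
        reasons.append("random-looking hex filename")
    if section == "O16" and low.rstrip().endswith(".exe"):
        reasons.append("ActiveX download entry points at an .exe")
    if section == "R1" and "about:blank" in low:
        reasons.append("search setting hijacked to about:blank")
    if any(bad in low for bad in KNOWN_BAD):
        reasons.append("name identified as malware in this thread")
    return reasons

def triage(log_text):
    """Return {line: reasons} for every log line that trips at least one rule."""
    return {ln.strip(): r for ln in log_text.splitlines() if (r := suspicious_reasons(ln))}

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

    Rules like these only narrow the list; the NaviSearch line is caught purely by name, which is why a human reviewer still reads the log.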
     
  6. mitchel

    mitchel Private E-2

    I went through all of the instructions -

    System Restore is disabled & hidden files enabled.

    I didn't find a NaviSearch in the program files.

    Running regsvr32 for stlb2.dll, cwsk.dll, and D0CE0C16B1.DLL was successful.

    Running it for D9EBC318C.DLL gave the message "LoadLibrary failed - the specified module could not be found".

    Running it for E6F1873B.DLL gave "DLL was loaded, but the DllUnregisterServer entry point was not found. E6F1873B.DLL does not appear to be a .DLL or OCX file."

    I removed the specified entries using HijackThis (a couple were no longer there), then I deleted the specified files.

    Things seem to be working much better - attached is a new HijackThis scan.

    Thank you so much for your time and all of your help. I sincerely appreciate it - I was at my wits' end! Let me know if you see anything else in the new HJT scan that I should address.

    Thanks,
    Mitchel
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome, Mitchel! Your log looks clean now. I assume the VX2 problems are gone?

    Please also check this out to help avoid future problems: How to Protect yourself from malware!
     
  8. mitchel

    mitchel Private E-2

    The VX2 monster seems to have been slain! I've already downloaded one of the recommended preventative malware programs.

    Thanks for everything,
    Mitchel
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
