Virus won't allow access to internet

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lydster, Jun 9, 2005.

  1. Lydster

    Lydster Private First Class

    I've followed your instructions before to successfully remove viruses from different workstations here; however, I've got one I'm working on at home and this virus is so bad that I can't even consistently gain an internet connection through AOL. I was following your instructions (DO THIS BEFORE ASKING FOR SUPPORT...), and one time I was able to connect through AOL and then started the microtrend scan through IE. However, I was only about 33% of the way through downloading the definition updates and then the pop-ups got so bad that it finally kicked me out entirely, and I could never get AOL to allow me to sign on after that.

    What do you suggest I do since there are so many of your steps that I cannot follow with no internet access?

    Thanks (again) for all your help!
     
  2. tblue

    tblue Corporal

    Hi Lydster,
    If you have access to a machine that can get online and has a cd burner you can download all the recommended programs and transfer them to the infected machine. That is what I had to do a long time ago.

    T.Blue
     
  3. Lydster

    Lydster Private First Class

    Okay, I've run everything I can from 'DO NOT POST UNTIL YOU HAVE READ THIS.' (I couldn't get any updates for the spyware and I couldn't do any on-line scans because I couldn't maintain an internet connection for more than a minute or so at a time.)

    Attached is the HJT log.

    This is an XP station. What's happening is when you connect to the internet (which you can only do once in a while and which disconnects you pretty quickly after that), you get a TON of pop-ups all over the place. Also, even if you don't connect to the internet, it appears that a Desktop Search is running in the background, and every minute or so a window keeps popping up saying that the computer cannot access the internet page it's trying to connect to -- even though you're not actually trying to connect to the internet. Even if you try to run a program off a CD, this constant attempt to connect that runs in the background slows everything down and keeps pausing the program to ask the question about whether to Retry or Stay Offline.

    I'm no expert at the Registry Editor, so I'm hoping you can give me very explicit instructions on what to do once you've reviewed the HJT log.

    Many, many thanks for your help!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of problems. This is going to take a few stages to remove everything. It may even require some repetition. So please be patient. So do not expect things to be completely fixed on the first go around.

    Look in Add/Remove Programs for the below and uninstall if found:
    WeirdOnTheWeb
    E2give

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Only run what I tell you to run. Some items will be used later. Make sure you download them from the links below:

    HOSTER

    L2MeFix Tool

    Pocket KillBox

    LSP - Fix

    Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover
    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Second Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Third Step:

    Download and make sure you update for Microsoft® Windows AntiSpyware but do not run a scan yet.

    Now reboot into safe mode with no network support (disconnect the cable), make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

    Fourth Step:

    - Now while still in safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Fifth Step:

    Reboot into normal mode and:
    • Unzip Hoster (we downloaded earlier) to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program

    Sixth Step:

    Get a new HJT log.

    Now reconnect and come back here and post as attachments the l2mfix log and the new HJT log. Based on those logs, we will determine the next steps. There are still going to be a load of bad things present. We must proceed slowly due to the level of infection you have. Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
    Last edited: Jul 5, 2005
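The Hoster step above overwrites the hosts file with the Windows default without showing what the hijacked file contained. The following is an added example (not Hoster's code, and not part of the original post) that parses a hosts file and reports every mapping that is not the stock localhost entry, tagging it as a block (a name pointed at a loopback or sinkhole address, which is how malware stops security sites and update servers from resolving) or a redirect (a name pointed at some other address). The sample hosts file and its two injected lines are constructed for the example, and the hostname `update.example-av.test` is a placeholder. Legitimate ad-blocking hosts lists also use loopback entries, so each finding is something to confirm rather than a verdict.

```python
"""Hosts-file check (added example; not Hoster's code).

Reports non-default mappings in a Windows hosts file so the operator can
see what a hijack did before restoring the stock file.
"""

# Constructed sample: a Windows hosts file with two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.majorgeeks.com          # constructed: blocks a help site
192.0.2.10      update.example-av.test      # constructed: redirects an update host
"""

# The only mapping a stock Windows hosts file needs; newer versions also
# carry the IPv6 loopback line, so both are treated as default.
DEFAULT_MAPPINGS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses that make a name resolve to nothing useful (a "block").
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping, ignoring comments."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        content = line.split("#", 1)[0].strip()  # drop trailing comments
        if not content:
            continue
        parts = content.split()
        ip, names = parts[0], parts[1:]  # one IP may be followed by several names
        for name in names:
            yield lineno, ip, name.lower()


def find_hijacks(text):
    """Return non-default mappings, tagged 'block' (name points at a
    loopback/sinkhole address) or 'redirect' (name points somewhere else)."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_MAPPINGS:
            continue
        kind = "block" if ip in SINKHOLE_ADDRESSES else "redirect"
        findings.append({"line": lineno, "ip": ip, "host": name, "kind": kind})
    return findings


def default_hosts_text():
    """Minimal replacement content, the same effect as 'Restore Original Hosts'."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['kind']:8} {f['host']} -> {f['ip']}")
```

Run it against the real file (`C:\WINDOWS\system32\drivers\etc\hosts` on XP) by reading that file into `find_hijacks`; a machine whose security-vendor names resolve to 127.0.0.1 will fail to update exactly as the thread describes.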
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I decided to post some additional steps to do since I will not be around later until after midnight (EST).


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Step 1: L2Mefix cleanup


    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2: HijackThis Cleanup steps


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\winupdt.exe
    C:\windows\system32\iguM.exe
    C:\WINDOWS\system32\iguM.exe
    C:\WINDOWS\System32\ap9h4qmo.exe
    C:\WINDOWS\System32\rlrzvp.exe
    C:\WINDOWS\gaSrve.exe
    C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\System32\batmeter.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\WINDOWS\System32\akrro.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\System32\pruttct.exe
    C:\WINDOWS\System32\adp256.exe
    C:\WINDOWS\System32\pruttct.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.resortvacationstogo.com/company.cfm?co=15&filter=allinc&source=metrics
    R3 - Default URLSearchHook is missing
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [kvzbob] c:\windows\system32\kvzbob.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [xa8k65bb] C:\Program Files\xa8k65bb\xa8k65bb.exe
    O4 - HKLM\..\Run: [iguM.exe] c:\windows\system32\iguM.exe
    O4 - HKLM\..\Run: [fszCUs] C:\windows\system32\fszCUs.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [fszCUs.exe] C:\windows\system32\fszCUs.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejky32.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlrzvp.exe
    O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [d3e94e685ac2] C:\WINDOWS\System32\batmeter.exe
    O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Colleen\n20050308.EXE
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O4 - HKLM\..\Run: [0F7P38i] akrro.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
    O4 - HKCU\..\Run: [HooFRUG3Q] adp256.exe
    O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnj6011se.dll
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\E2G <-- the whole folder
    C:\Program Files\eSyndicate <-- the whole folder
    C:\Program Files\WeirdOnTheWeb <-- the whole folder
    C:\Program Files\xa8k65bb <-- the whole folder
    C:\WINDOWS\System32\nsvsvc <-- the whole folder
    C:\WINDOWS\System32\picsvr <-- the whole folder
    C:\WINDOWS\isrvs <-- the whole folder
    C:\WINDOWS\gaSrve.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\System32\AUNPS2.DLL
    c:\windows\system32\E6F1873B.DLL
    C:\WINDOWS\System32\winupdt.exe
    C:\windows\system32\iguM.exe
    C:\WINDOWS\System32\ap9h4qmo.exe
    C:\WINDOWS\System32\rlrzvp.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\System32\batmeter.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\WINDOWS\System32\akrro.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\System32\pruttct.exe
    C:\WINDOWS\System32\adp256.exe
    C:\WINDOWS\System32\pruttct.exe
    c:\windows\system32\kvzbob.exe
    C:\windows\system32\fszCUs.exe
    c:\windows\system32\akrro.exe
    C:\Documents and Settings\Colleen\n20050308.EXE
    C:\windows\system32\elitejky32.exe <--- also delete any other filenames beginning with elite and ending in .exe.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Step 3: L2Mefix cleanup

    Now reboot in normal mode and post a new HJT log along with the L2MeFix Log
    And tell us how things are working.

    Okay after doing the above DO NOT REBOOT or power down.
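The HijackThis steps above follow a fixed order: kill the running processes first, then fix the R/O entries, then delete the files on disk. An added example (not HijackThis code and not part of the original post) of a small Python triage helper that parses HJT log lines of the kinds shown above (R1, O2, O4, O18, O20, O23), extracts the file each autostart entry launches, and cross-references that against a list of running process paths, so the operator can see which processes belong to autostart entries and must be killed before those entries are fixed. The sample log lines and the running-process list are taken from the fix list in this post; the regular expressions and the function names are the example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not the HJT tool).

Parses the R/O sections seen in this thread, pulls the file each entry
launches or loads, and cross-references that against running processes.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Sample log lines, copied from the fix list posted above (HJT log format).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Colleen\n20050308.EXE
O4 - HKLM\..\Run: [0F7P38i] akrro.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnj6011se.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

# Process list from the "kill process" step above (subset).
RUNNING_PROCESSES = [
    r"C:\WINDOWS\System32\winupdt.exe",
    r"C:\WINDOWS\System32\akrro.exe",
    r"C:\WINDOWS\System32\pruttct.exe",
    r"C:\WINDOWS\System32\exp.exe",
]


@dataclass
class Entry:
    section: str                          # HJT section tag, e.g. "O4"
    raw: str                              # the line as logged
    fields: dict = field(default_factory=dict)


_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_PATTERNS = {
    "R1": re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O18": re.compile(r"^Filter: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
}


def parse_log(text):
    """Turn each 'Xn - body' line into an Entry; unknown sections keep raw only."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pat = _PATTERNS.get(sec)
        hit = pat.match(body) if pat else None
        entries.append(Entry(sec, line.strip(), hit.groupdict() if hit else {}))
    return entries


def launched_file(cmd):
    """File actually started by a Run-key command: handles quoted paths,
    rundll32 loading a DLL, unquoted paths with spaces, and bare names."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if tokens and tokens[0].lower().startswith("rundll32"):
        return tokens[1].split(",")[0] if len(tokens) > 1 else ""
    m = re.match(r"(?i)^(.*?\.(exe|dll|com|bat))(\s|$)", cmd)
    return m.group(1) if m else tokens[0]


def autostart_files(entries):
    """Map every file launched from a Run/RunOnce key or loaded as a BHO,
    MIME filter, Winlogon notify DLL or service back to its entry."""
    files = {}
    for e in entries:
        if e.section == "O4" and "cmd" in e.fields:
            files.setdefault(launched_file(e.fields["cmd"]), e)
        elif "path" in e.fields:
            files.setdefault(e.fields["path"], e)
    return files


def processes_to_kill_first(entries, running):
    """Running processes whose image an autostart entry references: kill
    these before fixing the entry, or the running copy can restart it."""
    names = {ntpath.basename(f).lower() for f in autostart_files(entries)}
    return sorted(p for p in running if ntpath.basename(p).lower() in names)


def missing_file_services(entries):
    """O23 services whose binary is already gone (safe to remove the service)."""
    return [e.fields["name"] for e in entries if e.section == "O23" and e.fields.get("missing")]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("kill first:", processes_to_kill_first(ents, RUNNING_PROCESSES))
    print("services with missing file:", missing_file_services(ents))
```

`ntpath` is used deliberately so backslash paths are split correctly even when the helper is run from a non-Windows analysis box; matching is by image name because bare Run-key values such as `akrro.exe` carry no directory.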
     
  6. Lydster

    Lydster Private First Class

    chaslang:

    Recd both your posts -- Thank you! Just one question: On the MS Antispyware (or any other anti-spyware program for that matter), I will not be able to download updates, because once I install the program on the affected station from the CD that I burned from my unaffected station, I cannot get an internet connection to download the updates.

    Is this still okay to proceed with, or is there some other way to get updates?

    Lydster
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing the LSP-Fix step, you may be able to.

    But even if you cannot, just continue.
     
  8. Lydster

    Lydster Private First Class

    Okay, I completed all the steps that I could from your two posts. Just want to mention that of all the possible entries you listed that I should delete with HJT, there were only a small percentage that I found. Many were not there. I deleted all that I found that exactly matched those on your list.

    The good news is that all the many pop-ups seem to have stopped. Also, for right now anyway, I was able to get an internet connection through AOL. However, the internet is running EXTREMELY slow. It's taking a minute or more to load each page. I had to burn the HJT and L2MeFix logs onto a CD and bring them back here into the office in order to send them to you.

    The logs are attached. Let me know what you think. Also, any ideas about why the computer is running so slow?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because HijackThis was able to find and delete many of them. My steps include the manual deletion part as a backup. We never know what HJT will be able to find and delete.

    Well we got rid of a load of bad stuff already and a nasty VX2 infection too.

    One of the items I asked you to fix is still there: C:\WINDOWS\system32\iguM.exe

    Let's try a slightly different approach this time.



    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\iguM.exe
    C:\WINDOWS\system32\iguM.exe <--- make sure you kill all of the running processes. There were 2 in your last log.


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [iguM.exe] c:\windows\system32\iguM.exe



    After clicking Fix, exit HJT.

    I had you download Pocket Killbox a few messages back. Extract it to its own folder somewhere that you can find it.
    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of the file below into the Full Path of File to Delete box.


    C:\WINDOWS\system32\iguM.exe

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    If the above delete fails for any reason continue with the next steps.

    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of the file you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? Click Yes!

    Okay so now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    After reboot, get a new HJT log and post it here. Also tell me how the steps went and how things are working.



     
  10. Lydster

    Lydster Private First Class

    Regarding that C:\WINDOWS\system32\iguM.exe file, I forgot to mention something: When I went into the HJT tool, per your instructions, to delete that file, every time I deleted it, a new one would show up at the bottom of the list. Then I would delete that one, and two more would show up at the bottom of the list. This went on for 5+ minutes before I realized that it didn't matter how many times I deleted the file, it was going to show up again at the bottom.

    Sorry, I meant to mention this when I posted the HJT log, but it slipped my mind. Do you still want me to try to follow the first part of your last post? If it's like it was last time, I know that that file will just keep popping right back up in the HJT tool.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, follow all the steps anyway. Kill it and even if it restarts, just continue thru the rest of the steps. Hopefully Killbox will delete it on reboot.
     
