vx2 and cws recurring problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by ems, Jan 4, 2005.

  1. ems

    ems Private E-2

    hello.
    after being riddled with computer vd from a video game hint site.. i spent a couple hours correcting the problem. i thought my computer was clean, but overnight a few things came back. vx2 and cool web search. over and over i clean them out and they come right back.

    the weird thing is cws shredder won't recognize that it is there. and the vx2 cleaner plug for adaware isn't seeing it either. has anyone else seen this before?

    erik
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Erik,

    You've likely been hit with the new VX2 variant that is making the rounds. While we probably need to roll up our sleeves and go after the VX2 manually, I think it would be a good idea for you to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. ems

    ems Private E-2

    hi. sorry it took me so long to get back to this. i double checked all of the steps, and i'm still getting the vx2 and cool web search files. they come back within a couple minutes or so.

    by the way. after i completed the steps, i downloaded microsoft's antispyware software. it found quite a few more threats. has anyone had luck with this as far as protection, or anyone suggest something better?

    thanks, erik
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Erik,

    Submit a HJT log as per my last post and we'll see what we're dealing with.

    I haven't looked at M$ new product. Probably stick with what I've got - Tried and True, ya know?

    PP :)
     
  5. ems

    ems Private E-2

    here is my log. it should be an easy one to go through. i really appreciate what you all do here. usually i can solve the problem by finding a post with a similar problem. cheers. erik
     

  6. PhilliePhan

    PhilliePhan Guest

    Hey Erik,

    I see a couple of things in your log that need to be fixed. However, first I'd like you to download this tool and run Find.bat and attach the log. One of the HJT entries makes me wonder if Qoologic is hidden on your machine.

    Generic Find It Tool - NT/2000/XP

    May go out tonight, but will check back when time permits.

    PP :)
     
  7. ems

    ems Private E-2

    hi. here is that log. how many people work here on this site anyway?
    erik
     

  8. PhilliePhan

    PhilliePhan Guest

    I don't work here. I and Chaslang and a few other regular forum members offer advice here in the Spyware Forum in our free time. We don't get paid - We just enjoy doing it. MGs Forums is a large community forum with members and contributors located all over the globe.


    ANYHOO:
    As I suspected, you have Qoologic on your machine.

    Please download Pocket KillBox


    NOW, you will be entering items into Pocket KillBox. Please select the "Delete on Reboot" Option. Copy and Paste each of the following into the box one at a time, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but, when prompted to reboot, DO NOT Allow your machine to Reboot until the last item has been entered:


    C:\WINDOWS\system32\couzgy.dll
    C:\WINDOWS\system32\ebpuzo.dll
    C:\WINDOWS\system32\hwumpz.exe
    C:\WINDOWS\system32\pbuyqa.dat
    C:\WINDOWS\system32\wruoyi.exe
    C:\WINDOWS\system32\??rvices.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.

    Now, attach a fresh HijackThis Log and a fresh Find.bat Output log and we'll go from there. I'll try to check back Sunday night.

    PP :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just a quick be careful note:
    C:\WINDOWS\system32\??rvices.exe

    That is not C:\WINDOWS\system32\services.exe
     
  10. PhilliePhan

    PhilliePhan Guest

    It's hard to copy and paste services.exe when the line is ??rvices.exe ;)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cutting and pasting isn't the problem! It's those comments we always get like:
    I didn't see ??rvices.exe but I saw services.exe so I deleted it.

    Or by the way I also saw services.exe, so I deleted it.

    It's no different than you saying:

     
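    The point chaslang is making is that ??rvices.exe is a lookalike of services.exe: the two characters that would not render in the log are the tell, and a legitimate system binary name never contains them. The Python below is an added example, not from the thread or from any of the tools mentioned; it folds filenames to the ASCII skeleton a log viewer would show and flags entries within two edits of a known system binary name. The names in LEGIT_NAMES beyond services.exe and the whole SAMPLE_LISTING are constructed assumptions for illustration.

```python
import unicodedata
from typing import Iterable, List, Optional, Tuple

# Legitimate Windows binaries that lookalike names commonly imitate; services.exe
# is the thread's case, the rest are assumed additions for illustration.
LEGIT_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "explorer.exe"}

def ascii_skeleton(name: str) -> str:
    """Reduce a filename to what an ASCII-only log shows: accents folded away,
    U+00A0 becomes a plain space, other non-ASCII becomes '?' (as in ??rvices.exe)."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if ord(ch) < 128:
            out.append(ch)
        elif not unicodedata.combining(ch):
            out.append("?")
    return "".join(out).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str, legit: Iterable[str] = LEGIT_NAMES) -> Optional[str]:
    """Return the legitimate name this entry imitates, or None. An exact
    case-insensitive match is trusted; anything else within two edits is reported."""
    legit = sorted(legit)
    if name.lower() in legit:
        return None
    skel = ascii_skeleton(name)
    best = min(legit, key=lambda good: edit_distance(skel, good))
    return best if edit_distance(skel, best) <= 2 else None

def find_lookalikes(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each suspicious entry (e.g. names from os.scandir) with the name it mimics."""
    return [(n, m) for n in names for m in [lookalike_of(n)] if m]

# Constructed sample listing (not taken from the thread's logs).
SAMPLE_LISTING = [
    "services.exe",        # legitimate
    "s\u0435rvices.exe",   # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "\u00a0services.exe",  # leading non-breaking space
    "scvhost.exe",         # transposed letters
    "couzgy.dll",          # random name: this heuristic does not flag it
]
```

    Feeding the names from a real directory listing (os.scandir on the system32 folder) through find_lookalikes gives the same kind of result; randomly named files such as the ones KillBox was given above need a different check, since they imitate nothing.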
  12. ems

    ems Private E-2

    hello.

    here are the two logs. is it normal for windows to go into chkdsk upon restart?
    i ran adaware after the reboot. i'm really sorry for the delay on posting this.. thanks guys. erik
     

  13. PhilliePhan

    PhilliePhan Guest

    No.

    I think the new M$ Anti-Spyware is a steaming pile right now (IMHO) and should be uninstalled and deleted - you can always get it again when they fix the bugs.

    Please feed this to Pocket KillBox and Delete on Reboot:

    C:\WINDOWS\system32\hwumpz.exe

    Then attach Fresh HJT & Find.bat logs and we'll go from there.

    PP :)
     
    Last edited by a moderator: Jan 14, 2005
  14. ems

    ems Private E-2

    ok. here are the two logs again. the computer does seem to be better off. as far as pop ups go and things like that. erik
     

  15. PhilliePhan

    PhilliePhan Guest

    Hi Erik,

    For the most part, your logs look OK to me. You can go ahead and remove these entries with the files missing:

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab ---> Suggest this one as well, but up to you.
    O23 - Service: Performance Logs and Alerts - Unknown - C:\WINDOWS\system32\smlogsvc.exe (file missing)


    Also, you should probably run a search of your machine for this guy and remove if found: C:\WINDOWS\System32\??rvices.exe

    For future reference, have a peek here: How to Protect yourself from malware!

    PP :)
     