VX2 and IE redirect issues

Hi all, I would greatly appreciate some direction for the following.

I have read and followed in exact order Major Attitudes' guideline of 6/22/04 23:20 on How to: Spyware, Trojan and Virus Removal. I am running Win 2000, downloaded the full range of downloading tools, went into safe mode and ran Trend, Symantec and McAFee as well as CCleaner, Ad-Aware (with VX2 plugin) as well as Spybot (with DSO explot patch) and the secondary removal tools CWShredder, Kill2Me, about:Buster and HSRemove. With the exception of Ad-Aware, things seems to proceed properly. Ad-aware detects VX2 and some IE redirect issues. The VX2 add-in seems to not only not correct the problem, but doesnt even seem to run. I have tried in both safe mode and regular mode to no avail. Can someone please provide some direction on both the VX2 issue as well as the ie.autosearch problems? Thanks

 

Dr. C, thank you for prompt response. Log file is attached as indicated. I will download the software you suggested in preparation. Thanks

steve

 

Dr. C,

I uninstalled both the Spyhunter and Anti-Spyware Blocker per your suggestion. I was asked to reboot after one of them, but have yet to as I went directly into the Hiacj This issue. he computer didnt really run slow. I have also run the HijackThis utility and have attached the report log. I will leave the computer on and not reboot for now.

Steve

 

Correction, I attached the L2MeFix Tool log file.

 

Hi Steveraustin,

Since Chas isn't here, I'll give the next steps:

Please make sure ALL Browser Windows are Closed for this step!

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go a little crazy for a bit, but just let it run. It should eventually produce another log in Notepad. Please attach that log.

Again, don't run any other files in the L2MFix folder.

Then, please download Generic Detection Tool - NT/2000/XP

I didn't see Qoologic/Narrator in you HJT log, but this measure will tell for sure.
Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Please attach that Log along with the L2MeFix Log.

I imagine Chas will check back soon.

PP

 

Well, not sure I did this right, but I did run the fix, option 2, seemed to work ok, rebooted automatically. i went back and ran option 1 again to create the report though. I didnt see the report generated automatically outside of me brute forcing it. it is attached. I will follow up on the 2nd half of the post shortly. but here is the log as report2.txt.

 

forgot to attach

 

Here is the output from the generic detection tool find.bat.

 

Hey Chas,

No! It wasn't. You ran the find.log - (Option #1).

I asked Steveraustin to run the FIX - (Option #2). This fix removes VX2 DLLs, guard.tmp, Desktop.ini, User Agent, etc . . . Saves the hassle of entering everything into KillBox. Unfortunately, it doesn't look for Narrator Trojan/Qoologic.

Looking at new Find.bat log, some items were missed by the tool. Really needed to see the fix log.
Don't have time right now to address fix - cooking dinner

PP

 

I saw it too. Steve didn't attach the fix log, but I suspect something messed up along the way. We can always revert back to Plan A (Original Method of fixing this) or rerun the fix option #2 . . . . . .

PP

 

I reran L2mfix option #2 and added the log file. Not sure where it stands and if you want me to do anything at this point or not.

steve

 

Looks better, Steve. I think the tool got it all this time. You don't have the Narrator Trojan to deal with either. This ought to finish it up for you:

First, please download these two tools:

VX2.BetterInternet Finder XP/2k - Version Msg126

Pocket KillBox


Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


NOW:
Please check your Recycle Bin to make sure that no problems remain.
If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


After checking on your Recycle Bin:
Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

Then click on these buttons in the right pane unless they are not enabled:

UserAgent$ Button to remove the UserAgent from the registry

Guardian.reg

Restore Policy

Allow Machine to Reboot.

NEXT:
Please download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.

Finally, reboot and attach a fresh HijackThis Log and tell us how things are running. Hopefully, all will be clear!

PP

 

I saw that too - Had a thread not too long ago where the fix ran into all sorts of errors, but when I had the user run Find.bat, all the VX2 had been removed. Do you think we should ask for another Find.bat log?

PP

 

Better to be safe - Need it for Guardian.reg and Restore Policy, if I remember correctly.
Also, sometimes the Desktop.ini removal doesn't take, so I ask about recycle bin and give the bit with Pocket Killbox.

The bit with Hoster is necessary. See my go2ri2l thread. The user gave me a copy of Hosts file by mistake and the entries were there after the L2MeFix had been run.

PP

 

Hi guys,

I didnt seem tohave a recycle bin issue. I ran Killbox anyway and it came back empty. I then ran the VX2.BetterInternet Finder and have attached the log for that. It did come back with some files but Im not sure what Im supposed to do with them. The Restore Policy was enabled after the scan, but not the User Agent or the Guradian. I did click on the Restore Policy button and am about to reboot (automatically). No files showed up in the lower box..so I didnt delete anything as far as i know. I will move on to the Holster section after the reboot.

steve

 

Well, I noticed my previous posting got lost. Must not have hit send or something. Ill try to recap. I ran the Pocket KillBox but didnt see anything in the recycle bin and also did the C:|recycler\desktop.ini. I then ran the VX2.Betterinternet. From what I recall, only the Restore Policy button was enabled which I did use. It then rebooted automatically and I went onto Hoster. I did run into one issue, but I dnot recall at what step it was. I ran into an error and a physical memory dump, I just dont recall at what step. In any case, it rebooted automatically. I have attached the HijackThisLog and I also reran the find.bat and posted it here as there were some comments about this in the previous postings. Right now, things seems to be running ok. I havent run into anything noticeable other than some outside port scanning attempts (via Nortin Int. Sec). I did a web-based security check and it indicated I had 3 ports open. If you know how to turn those off, I would be interested. Still getting alot of spam, but maybe not an internal issue. And I likely have too much antivirus software running concurrently. But no obvious browser redirects. I will do some conventional infection searches shortly, but i suspect they will come up empty. Please advise if i need to take another step based upon logs. Thanks
Steve

 

disregard my comments about posting getting lost. 2 pages to the thread...go figure.. steve

 

Dr. C, I use Norton Internet Security for my firewall. I have protection set as high as it will go on it, but the online Symantec Security Check still tells me I am vulnerable.

I also checked for the msjava.dll file and it is not within the specified directory nor anywhere else.

 

I also ran Spysubstract. Nice layout. Did come up empty. I generally have Prevx, Spyware guard, Spybot, Spysweeoper and Spy Subtract as well as the Norton Internet Security and Antivirus running upon windows startup.

 

You are correct. I only have the trial versions for spysweeper and spysubtract. . I do have the additional programs you mentioned as well. I have not purchased any of them.

The Symantec Security check wont tell me which specific ports are open, but my notes say ports 443, 25 and 80 were open when i ran another security check cant dont recall what app i used to get this info. Cant seem to locate it offhand.

 

Was mistaken, symantec did show which ports..and the ones reported above were correct.

 

Not sure if anything else needs to be done, re: ports or spyware. Thanks for all the help though. Can take a few deep breaths now.....and then its taxes..ugggh

 

well guys, its back to the fight Im afraid. While spybot, adaware,arent showing anything, a package called scanspyware indicates viewpoint, isearch, virtual bouncer, real bar, gohip and grokster infections. I would appreciate any help in getting rid of these.

thanks

 

Hi dr C, Actually, I had uninstalled it...but then spaced and reinstalled in later. But i did get rid of it now. I did update both other apps late last night and checked to make sure I had latest versions. Both are coming back clean. I also d'loaded the latest HJT and the logfile is attached. I appreciate the help. i realize you guys are quite busy.

steve

 

It was on the computer, but I wasnt using it. i have since removed both freesurfer and spyware doctor. Do you recommend I do anything else?

thanks
steve