[dvk01]

It is completely pointless wasting your time trying to fix the latest VX2 or L2M hijacks with any manual method or by using adaware/spybot etc or any previous fixes

There is only one cure that works on this version (until they change it again) so if an HJT log with any of these lines appears

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

or any entries like
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll

or the "victim" says that despite cleaning all the hijackers come back

then please don't attempt the fix unless you are 100% sure you know what you are doing

WARNING: This fix is ONLY for XP or Windows 2000/2003,
DO NOT attempt it on Windows 98 or ME, It will not work and probably wreck the computer

If YOU are infected please do this or ask the victim to do this


Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

then when the log has been posted please report to a moderator and we will examine to ensure it is suitable to use the remainder of the fix



only use this fix when asked to do so by someone who knows

Please post a hijackthis log or ask for help first


Edit:

The latest VX2/L2M incarnation only shows this entry
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\t0r80a9ued.dll

or similar
the clue is a strange random name dll in O20 in a HJT log

[$teve]

Sticking this for a few days.
Instructions here:http://forums.subratam.org/index.php?showtopic=3466

[$teve]

Your very welcome.

Lately we have been seeing a mixture of the Qoologic/Narrator trojan..Bube,the new VX2 variants and CWS all in the same logs.Its useless to try and prune anything away or use malware removal apps because more crapware is downloaded all the time the infected computer is on-line
The only way to deal with that is to start with the fix above,Kaspersky is the ONLY antivirus that will deal with this....it also has some success removing the VX2 infection.Ill link a thread I dealt with earlier in the week because there is a reg fix to run afterwards and a few more tidy ups.They need to make sure they totally disable their Antivirus program for this to work....AND use KAV in safe mode.
If they can use a non infected machine as a middle man and keep the infected one off-line until totally clean,thats a bonus.
If the above doesn`t work,then get them to back everything up and use the faithful old FORMAT C:

Log here:
http://forums.techguy.org/showthread.php?t=340855


dvk,firman1 or myself will keep this thread updated as things progress.

[dvk01]

This will contain notifications of the difficult & problem fixes that need specialist help

Examples at the moment are VX2, Qoologic, Bube etc

[dvk01]

SE DLL fix

In view of problems experienced by several users with this fix we are not recommending it any longer until the problems have been sorted by the developers and have removed the canned fix for safety reasons

[dvk01]

SE.dll fix seems to be OK for use now

Make sure you downlaod the right version for the right operating system

XP/W2K

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe


Download 'SpSeHjfix'. to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

9X
Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe


Download 'SpSeHjfix'. to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

[dvk01]

Spywad aka Slimshield

where you have lots of 3 letter files in a hjt log

OK 2 versions uploaded make sure you use the right version for the operating system
these are the instructions


Please report any problems so we can fix them

Quote:

This fix is only for XP & Windows 2000

Download and Save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe and double click on the spywadfix.exe

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below

If it doesn't open then go to c:\spywad and double click on the remove spywad.vbs Do not run any other file from there please unless asked to

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Paste this line into the box

< insert full path and name of file here>< this will be the 3 letter name shown as running in running processes in a HJT log and will normally be C:\windows\Xxx.exe (the first letter is normally a Capital)>

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.


** Script Does not remove the orphaned run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.


--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.


Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed by your Forum Advisor.

To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your prefered picture press apply & then ok to exit and then either reboot or log off & on again to change the desktop settings

You will need to do this step for every user account

Quote:

This fix is only Windows 98 or ME

Download and Save spywad9xremove to your computer from this link: http://www.thespykiller.co.uk/files/spywad9xremove.exe

Double click on the spywad9xremove.exe file and it will automatically extract to c:\spywad9x where it needs to be to run and will automatically open the 98 remove spywad.vbs script for you ready to paste in the line mentioned below

If it doesn't open then go to c:\spywad9x and double click on the 98 remove spywad.vbs Do not run any other file from there please unless asked to

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Paste this line into the box

< insert full path and name of file here>< this will be the 3 letter name shown as running in running processes in a HJT log and will normally be C:\windows\Xxx.exe (the first letter is normally a Capital)>

The script will kill that process, backup and then delete any matching files in windows System and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad9x Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.


** Script Does not remove the orphaned run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.

--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.


Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named 98 registry only.vbs

Have each User sign in and run 98 registry only.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad9x folder. Double click on 98 registry only.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed by your Forum Advisor.

To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your prefered picture press apply & then ok to exit and then either reboot or log off & on again to change the desktop settings

You will need to do this step for every user account

[dvk01]

This one cleans up the desktop after many hijacks

Quote:

This fix is only for XP & Windows 2000

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script

If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it "Can not find script file "blah blah blah" then don't worry just doubleclick the cleandesktop.vbs script again you sometimes get that message when a script blocker blocks the script

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your prefered picture press apply & then ok to exit and then press F5

You will need to do this step for every user account

[dvk01]

If you see a HJT log with an O2 BHO starting ***DP class like these below

please DO NOT attempt a fix as it will need very special treatment to avoid the computer being unbootable

Please report the post so one of the security mods can deal with it

A fix is being worked on but it is quite involved at the moment as it's a new one that needs some refining

O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll

there will be several hidden files and some registry entries that need dealing with in order to keep the computer working and it has to be done in a particular order

we will keep you updated as we find out more

[dvk01]

If you have any doubts start all then start a new thread to ask for help

do not tag on someone elses thread

replace the name of the dll marked in red with the one in your particular case and the full filename marked in red to delete in HJT etc


Please download Process Explorer by Systernals from HERE

Also download KillBox by Option^Explicit from HERE


Then boot up in SAFE MODE

the rest of this fix must be done in safe mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of pcftp.dll once and then click the kill button.

After you have killed all of the pcftp.dll's under winlogon click OK.

also look for any .ini or bak files or other dll's with either the same name or the file name in reverse & kill them as well

Next double click on explorer.exe and again click once on each instance of pcftp.dll then click the kill button.

also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well

Click on the Threads tab at the top.

Once you have done that cl

ick OK again.

Next run HijackThis and place a check beside each of the following.


O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\security\pcftp.dll

O20 - Winlogon Notify: pcftp - C:\WINDOWS\security\pcftp.dll


Now click fix checked and close HijackThis.

Please copy the text in BOLD below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.



REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]


now run killbox and paste The FIRST ONE of these lines into the box, select delete on reboot then press the red X button,say yes to the prompt but no to reboot now

then continue to paste the lines in in turn and follow the above procedure every time, If it says file is missing, or if it says unable to delete then make a note of the file name and let us know when you reply

C:\WINDOWS\security\pcftp.dll


then repeat by typing in the full name of of any of the reverse named .bak or .ini or other files that you discovered in step 1

after you have input the last file name then reboot

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

Edit:

Symantec do now have a fairly reliable tool to fix this one now so try the symantec tool first
http://securityresponse.symantec.com...oval.tool.html

If it doesn't work then use the fix above

[Flrman1]

I have unstuck the original thread for this so I'll post this here. The original sticky thread is here:

http://forums.techguy.org/t376692.html

This fix is posted here primarily as a reference for those who are experienced with helping on the forums with these infections. If you are a victim of this infection, It is not recommended that you attempt to fix this on your own. Before you attempt anything, post your Hijack This log in the Security forum and wait for help from one of our experienced helpers.


The following fix provided by noadhfear will work to remove all of these:

AntiVirusGold
Smitfraud
SpySheriff

Note: The smitRem fix will work on 9x systems also, but ewido will only work on XP/2K systems. In noahdfear's original fix he had Adaware included in the fix, but I've found that the smitRem fix and ewido alone work fine. For 9x systems you should use Adaware instead of Ewido.

For XP/2k systems:

Quote:

* Click here to download smitRem.exe.

• Save the file to your desktop.
• It is a self extracting file.
• Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
• Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download the trial version of Ewido Security Suite here.

• Install ewido.
• During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido
• It will prompt you to update click the OK button and it will go to the main screen
• On the left side of the main screen click update
• Click on Start and let it update.
• DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan it will prompt you to clean files, click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your desktop

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar.If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan

For 98/ME systems:

Quote:

* Click here to download smitRem.exe.

• Save the file to your desktop.
• It is a self extracting file.
• Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
• Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Go here and download Ad-Aware SE.

• Install the program and launch it.
• First in the main window look in the bottom right corner and click on Check for updates now
• Click Connect and download the latest reference files.
• Do not run Adaware yet. Just download the updates and have it ready to run later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Now launch Adaware:

• From main window click Start then under Select a scan Mode tick Perform full system scan.
• Next deselect Search for negligible risk entries.
• Now to scan just click the Next button.
• When the scan is finished mark everything for removal and get rid of it.
• Right-click the window and choose select all from the drop down menu and click Next

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Web" tab. Under "View my Active desktop as a web page" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button.
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

I am attaching my canned fixes for you with all the code tags. Mine is slightly different than the original posted by noadhfear, but not much. Feel free to save it and use it.