I've had it.

  • Thread starter Thread starter Menno Hershberger
  • Start date Start date
M

Menno Hershberger

I've been working on a computer that was sent to me from a mortgage
broker. They were getting popups faster than they could close them. Every
time one of the popups advertised spyware removers, they'd install them
and of course that made it worse. I mirrored the drive off to another
drive and went to work on it. Between MSAS, Pest Patrol, Sybot S&D, and
AdAware, I finally got it fairly clean. I couldn't install anything in
the exisiting account because it always wanted to install it on a network
drive. So I made a new account and have been doing it all from that
account. I FINALLY was able to set Service Pack 2 and all the updates
installed. Twice now when I thought I about had it, then it stopped
booting into Normal mode. So I copied the mirrored drive back and started
over again. It has now locked up in Normal Mode again and I'm damned if
I'm going through all that again. The last time I went into Safe Mode,
just to make a final run with MSAS to make sure I had everything, I got
red popups from MSAS that the crap was trying to install itself again...
in SAFE MODE. I use Hijack this to keep "fixing" all the random file
names, boot into Safe Mode with Command Prompt and delete all the freshly
formed DLL and exe files. Everything that's exactly 408 KB (there's
always about 5 or 6 new DLL's... 440 Kb). Nail.exe was in there way back,
but now I'm getting others that searches don't turn up. towl.exe is the
latest that keeps coming back. I keep getting more or less the same list.
Virtual Bouncer
Navidad.worm
eXact.BargainBuddy
eXact.NaviSearch
eXact.CashBack
eXact.Downloader
eXact.Bullseye Network
eXact.SearchBar
SurfSideKicker
Transponder.ABetterInternet.DrPMon
Transponder.ABetterInternet.Aurora
Transponder.ABetterInternet.Adware
ShopAtHome

Same filenames that keep reappearing are skkgsd.exe, and various other
skk*.dll files, towl.exe, ttrs.exe, exp.exe, svcproc.exe, hnerbe.exe,
iddk.exe, bargains.exe, mscd.dll (CashBack). Also a bunch of PerfString
folders and files.

Somewhere along the line when I could hold the popups down long enough, I
was able to run TrendMicro's HouseCall on it. It found a few items and
fixed them. He hadn't had anything but problems with Panda, so I got it
out and installed NAV 2005. A full scan with it in Safe Mode found some
adware stuff and deleted it. I get rid of everything that shows up in
HiJack This but it just keeps coming back.

How does stuff get itself running in Safe Mode? Like random file names.
You can end task on them and another will pop up to take its place. Where
else in the registry besides the Run Keys can stuff hide and get started?

If it were anyone else's computer, I would have wiped it a long time ago
and started over. But this guy has some kind of network setup, with
servers all configured on each machine. The outfit that set it up has
flown the coop and I don't know anything about it.

Does ANYONE see any kind of pattern here?

I'm posting this in alt.privacy.spyware seperately.
 
OK... I am on the third time around. This time I ran syslean on it, then
I got the AdAware plugin. It says "New Variant Found". Unfortunately,
when I told it to clean it, it reported that it was unable to clean and
to go get the latest version of VXCleaner. :-(
At least it detected it, now all I need to figure out is how to get rid
of it.
I don't really want to install Service Pack 2 till I get it cleaned up.
 
Try the following:

1. Close all web browsers
2. Delete the contents of c:\windows\prefetch.

Did that help?

Alan
 
Forgot to include the fact to do this in Safe Mode.

Also, run a full system scan with Ad-Aware and MSAS, just
not both at the same time. Delete what one finds, then
run the other.

Did this help?

Alan
 
You have the bundle that comes with SSK, PacerD & Aurora
and some trojan downloaders first we need to get rid or
Aurora this is going to be a long fix but I hoping it
will clear the problems your having

Ive read all the packet sniffing logs for this bundle and
it clearly states in them that all this is done by silent
installs with no EULA's displayed, from the wallpapers
site I use for testing it all starts by just entering the
site so because they download that much junk to the
system you will find it keeps locking up and giving error
messages, Ive got this on my test system and its
completly locked up so you will just have to reboot and
try end the processes or use Hijack This and kill the 04
run commands for these listed below - I have eTrust
antivirus and its a 1 year free trial for MS customers
and will delete some of this when you reboot if you need
it also ZoneLabs free firewall ZoneAlarm will give you
the choice if you want to let this stuff run so it will
make it easier then to work on the system.

Bring up task manager if needed and press Control - Alt -
delete and end the process for these:

bargains.exe
wintask.exe
cashback.exe
pokapoka63.exe
nls.exe
ms3asrad.exe
WFX5.exe
casclient.exe
sktpvvu.exe
xconfmsp.exe
lobbhhgji.exe
HBT.WeatheronTray.exe
HBT.OEAddon.exe
GLB1.tmp
VBouncerInner.exe

There's more than this but they will be random named
entries which may regenerate under a new name,if you are
sure they are not genuine end them,some of the above may
also be random so end what you can to get the system to
respond.

Get all the downloads first and update them before
starting( It may be easier to copy this to notepad as you
will be in safe mode for some of this fix).

Shut down MSAS completly, its real time protection can
interfere with the fixes and prevent things being removed
(Really its just protecting the registry from changes but
in cases like this it can also prevent malware being
removed as we need to make registry change to uninstall
the malware- Its fine to run the scanner but then right
click the bullseye and shut down MSAS to make things
easier, Also the same if you have Adaware's Adware or
Spybots Teatimer active or any other real time
protection.Another way round that is to install the
scanners below then boot into safe mode so the real time
features are not active)

You need to run these on the infected account if you can
and any other accounts you think may be infected.

Im not sure if this is the same VX2 cleaner as the one
Plun post but this is the latest( If you still have a
problem with this let us know and we can use Nailfix) :

http://updates.ls-servers.com/vx2cleaner.zip

Save the file where you can find it easily then Extract
the files and copy them (Left click and cover the files
and then right click and copy) then open Lavasoft's Ad-
Aware "Plugins" folder and paste them into there(Right
click and paste).

(C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)



Download CCleaner and install, but do not run it yet.

http://www.ccleaner.com/ccdownload.asp



Run Ad-Aware and click the Add-ons button in the main
window.Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of
the window.Click "OK" when asked if you want to execute
this tool.It will say VX2 variant found then press
clean.Next it will say to reboot and run a smart scan
with Adaware. Reboot and run a full system scan with
Adaware SE

After that Delete these if found:

C:\WINDOWS\ffsnvqmgpiy.exe
C:\WINDOWS\rramcx.exe

Then run Ccleaner and choose "Run Cleaner"


Please download, install, and update the free version of
Ewido trojan scanner:

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
From the main ewido screen, click on update in the left
menu, then click the Start update button.
After the update finishes (the status bar at the bottom
will display "Update successful")
Exit Ewido. DO NOT scan yet.


Then reboot into safe mode(Reboot and keep tapping F8 and
choose safe mode from the list) and perform as much
cleaning as possible,

Goto Add/Remove screen and remove any of these if found
(Im just listing what I have on mine but if you have
downloaded other removers from these pop-ups check for
them as well)

SurfSideKick
SurfAccuracy
Virtual Bouncer
Bullseye Networks
CashBack
CashBack Buddy
BargainBuddy
Select Cashback
ShopperReports by Hotbar
Hotbar Browser, Weather and WowPaper Tools
Hotbar Outlook Tools
Hotbar Web Tools
Web Search Toolbar
EasySearchBar
NaviSearch
Windows AFA Internet Enhancement
WinFixer 2005

Then Exit Add/Remove screen

Run Ewido on a complete system scan and remove anything
found Also use MSAS in safe mode-If Ewido says error
during clean up on any entries run it again to be sure
they have been removed also when you choose remove on the
infection check the box at the bottom left corner for
Perform .

You dont have the Navidad worm its a TrojanDownloader.
(Small.ABD/SILLY.MK)

so if Ewido didnt delete them search for these and delete
the files ( They have many names so each scanner will
call them something different)

C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\npti.exe is Qoologic trojan

C:\WINDOWS\System32\PSof1.exe is SillyDl.NB/PacerD

C:\WINDOWS\System32\exp.exe is SillyDl.MK
trojan/Small.ABD

C:\WINDOWS\System32\wintask.exe is SillyDl.MK
trojan/Small.ABD

C:\WINDOWS\SYSTEM32\ROUIOUY.DLL is Qoologic trojan.

C:\WINDOWS\System32\rnmpnm.exe is Qoologic trojan.

C:\WINDOWS\etb\pokapoka63.exe is Betalire.F trojan/New
Elite Variant

C:\WINDOWS\system\lobbhhgji.exe is SillyDl.OG trojan.

C:\WINDOWS\System32\pbvkb.dat is Qoologic trojan.

C:\WINDOWS\System32\redit.cpl is Qoologic trojan.

C:\WINDOWS\System32\supdate.dll is Qoologic.L

C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe is
Win32.SillyDl.KU trojan/SurfSideKick Related

C:\WINDOWS\system32\wrapperouter.exe is Win32.SillyDl.KU
trojan.

Then goto start and run and type

prefetch (As alan said)

delete the contents of this folder

then to run again and type

%temp%

Delete everything you can from this folder


Then use Ccleaner again and choose "Run Cleaner"


That should then be done but you still need to reset afew
things :(

Goto "Start Menu" and "control panel" then to "Internet
Options"

Goto the "Advanced tab" and press "Restore Defaults"

Then to the "Security Tab" and press "Custom Level" then
press "reset"

Then to the "Programs Tab" and Press "Reset Web settings"

Then to the "General Tab" and press "delete files" and
include all offline content then up to the homepage
address box and enter the address you want to use then
press "apply"

Then reboot back to normal mode and see how things look

Thats my system clean again so hopefully it works the
same for you but let us know if you have any problems,
That seems to take ages to write so I feel sorry for you
having to try and follow this ;)


Regards

Andy
 
Noticed a mistake there I was going from one pc to the
other sorry about that its Adaware's adwatch that would
need closing not Adaware's adware ;)

Also with the zonelabs firewall its not really giving the
option to stop them running its because all these make
contact out from the pc thats why Zonealarm will then
block them

If you need help with anything just let us know

Regards Andy
 
Hi

Well, thats it from Andy ! Some more about Lavasofts VX2 tool.

- Latest Adaware ?
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10399602.html?tag=list

- VX2 plugin
http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml

How to run this special tool. Note that after reboot you start Adaware
again and choose "Smart scan" from "Scan now" and then perform a scan.

- Before running the VX2 Cleaner, make sure other anti-virus
or anti-spyware applications are closed.

- Run the VX2 Cleaner. If you computer is infected with VX2, a dialog
box with text such as “New VX2 variant found†or “VX2 variant 1 foundâ€
will appear.

- Press "Clean" and a dialog box with text “The first phase completed.
Please reboot and perform a Smart Scan" will appear. After saving your
work, reboot your system manually.

-Repeat this until the VX2 Cleaner reports "System clean,"
press "Close' to exit".

-Run Ad-Aware one more time and scan your computer to
make sure VX2 has been found and removed.


This is my little "story" yesterday using this tool with great result
to remove different abetterinternet VX2 infections:

http://hem.bredband.net/b288305/aurora.htm
 
Menno Hershberger said:
How does stuff get itself running in Safe Mode? Like random file
names. You can end task on them and another will pop up to take its
place. Where else in the registry besides the Run Keys can stuff hide
and get started?
Click to expand...

See HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot for lists
of things that start in Safe Mode and in Safe Mode with Network. If you
cannot see or modify these keys it is possible that the PC has a rootkit
installed.
 
Hello:

I feel YOUR pain and did not read all the replied
posts and would like to give you my posted reply.

First if I were in your shoes I'd run msconfig. Check
off all the boxes you feel that are not necessary to make
the system still functional. Restart and run again if
necessary.

Next open regedit and use the find command and remove
the software entries you know are causing you trouble.
Look for filenames that are the popup names if possible.

Next open control panel/folder options. Click on. Open
view. Check the box labeled "show hidden files and
folders". Apply OK.

Next open "my computer" click on drive C search for
the Windows folder. Open Windows folder.
Locate "Explorer.exe within the Windows folder. Right
click Explorer.exe and create shortcut. Locate shortcut
to Explorer.exe and drag to desktop "move here".

Open Explorer shortcut icon. Maximize. Click on my
computer. Locate local disk C. Open documents and
settings. Locate a persons name; ie, login name. Open.

Locate "Temp" folder and either deleate OR move to a
new location. If you want to...create a "New Folder"
named JUNK.

Create this new folder in the root of drive C. Open
your new folder called JUNK.

Create New Folders inside JUNK. Name them the users
LOGIN names. Example:

C:\JUNK\LARRY\CURLEY\MOE\. They are the "users".

Move all "temp" folders to the JUNK folder matching
the LOGIN USER NAMES.

Restart.
 
You have the bundle that comes with SSK, PacerD & Aurora
and some trojan downloaders first we need to get rid or
Aurora this is going to be a long fix but I hoping it
will clear the problems your having

Ive read all the packet sniffing logs for this bundle and
it clearly states in them that all this is done by silent
installs with no EULA's displayed, from the wallpapers
site I use for testing it all starts by just entering the
site so because they download that much junk to the
system you will find it keeps locking up and giving error
messages, Ive got this on my test system and its
completly locked up so you will just have to reboot and
try end the processes or use Hijack This and kill the 04
run commands for these listed below - I have eTrust
antivirus and its a 1 year free trial for MS customers
and will delete some of this when you reboot if you need
it also ZoneLabs free firewall ZoneAlarm will give you
the choice if you want to let this stuff run so it will
make it easier then to work on the system.

Bring up task manager if needed and press Control - Alt -
delete and end the process for these:

bargains.exe
wintask.exe
cashback.exe
pokapoka63.exe
nls.exe
ms3asrad.exe
WFX5.exe
casclient.exe
sktpvvu.exe
xconfmsp.exe
lobbhhgji.exe
HBT.WeatheronTray.exe
HBT.OEAddon.exe
GLB1.tmp
VBouncerInner.exe

There's more than this but they will be random named
entries which may regenerate under a new name,if you are
sure they are not genuine end them,some of the above may
also be random so end what you can to get the system to
respond.

Get all the downloads first and update them before
starting( It may be easier to copy this to notepad as you
will be in safe mode for some of this fix).

Shut down MSAS completly, its real time protection can
interfere with the fixes and prevent things being removed
(Really its just protecting the registry from changes but
in cases like this it can also prevent malware being
removed as we need to make registry change to uninstall
the malware- Its fine to run the scanner but then right
click the bullseye and shut down MSAS to make things
easier, Also the same if you have Adaware's Adware or
Spybots Teatimer active or any other real time
protection.Another way round that is to install the
scanners below then boot into safe mode so the real time
features are not active)

You need to run these on the infected account if you can
and any other accounts you think may be infected.

Im not sure if this is the same VX2 cleaner as the one
Plun post but this is the latest( If you still have a
problem with this let us know and we can use Nailfix) :

http://updates.ls-servers.com/vx2cleaner.zip

Save the file where you can find it easily then Extract
the files and copy them (Left click and cover the files
and then right click and copy) then open Lavasoft's Ad-
Aware "Plugins" folder and paste them into there(Right
click and paste).

(C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)



Download CCleaner and install, but do not run it yet.

http://www.ccleaner.com/ccdownload.asp



Run Ad-Aware and click the Add-ons button in the main
window.Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of
the window.Click "OK" when asked if you want to execute
this tool.It will say VX2 variant found then press
clean.Next it will say to reboot and run a smart scan
with Adaware. Reboot and run a full system scan with
Adaware SE

After that Delete these if found:

C:\WINDOWS\ffsnvqmgpiy.exe
C:\WINDOWS\rramcx.exe

Then run Ccleaner and choose "Run Cleaner"


Please download, install, and update the free version of
Ewido trojan scanner:

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
From the main ewido screen, click on update in the left
menu, then click the Start update button.
After the update finishes (the status bar at the bottom
will display "Update successful")
Exit Ewido. DO NOT scan yet.


Then reboot into safe mode(Reboot and keep tapping F8 and
choose safe mode from the list) and perform as much
cleaning as possible,

Goto Add/Remove screen and remove any of these if found
(Im just listing what I have on mine but if you have
downloaded other removers from these pop-ups check for
them as well)

SurfSideKick
SurfAccuracy
Virtual Bouncer
Bullseye Networks
CashBack
CashBack Buddy
BargainBuddy
Select Cashback
ShopperReports by Hotbar
Hotbar Browser, Weather and WowPaper Tools
Hotbar Outlook Tools
Hotbar Web Tools
Web Search Toolbar
EasySearchBar
NaviSearch
Windows AFA Internet Enhancement
WinFixer 2005

Then Exit Add/Remove screen

Run Ewido on a complete system scan and remove anything
found Also use MSAS in safe mode-If Ewido says error
during clean up on any entries run it again to be sure
they have been removed also when you choose remove on the
infection check the box at the bottom left corner for
Perform .

You dont have the Navidad worm its a TrojanDownloader.
(Small.ABD/SILLY.MK)

so if Ewido didnt delete them search for these and delete
the files ( They have many names so each scanner will
call them something different)

C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\npti.exe is Qoologic trojan

C:\WINDOWS\System32\PSof1.exe is SillyDl.NB/PacerD

C:\WINDOWS\System32\exp.exe is SillyDl.MK
trojan/Small.ABD

C:\WINDOWS\System32\wintask.exe is SillyDl.MK
trojan/Small.ABD

C:\WINDOWS\SYSTEM32\ROUIOUY.DLL is Qoologic trojan.

C:\WINDOWS\System32\rnmpnm.exe is Qoologic trojan.

C:\WINDOWS\etb\pokapoka63.exe is Betalire.F trojan/New
Elite Variant

C:\WINDOWS\system\lobbhhgji.exe is SillyDl.OG trojan.

C:\WINDOWS\System32\pbvkb.dat is Qoologic trojan.

C:\WINDOWS\System32\redit.cpl is Qoologic trojan.

C:\WINDOWS\System32\supdate.dll is Qoologic.L

C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe is
Win32.SillyDl.KU trojan/SurfSideKick Related

C:\WINDOWS\system32\wrapperouter.exe is Win32.SillyDl.KU
trojan.

Then goto start and run and type

prefetch (As alan said)

delete the contents of this folder

then to run again and type

%temp%

Delete everything you can from this folder


Then use Ccleaner again and choose "Run Cleaner"


That should then be done but you still need to reset afew
things :(

Goto "Start Menu" and "control panel" then to "Internet
Options"

Goto the "Advanced tab" and press "Restore Defaults"

Then to the "Security Tab" and press "Custom Level" then
press "reset"

Then to the "Programs Tab" and Press "Reset Web settings"

Then to the "General Tab" and press "delete files" and
include all offline content then up to the homepage
address box and enter the address you want to use then
press "apply"

Then reboot back to normal mode and see how things look

Thats my system clean again so hopefully it works the
same for you but let us know if you have any problems,
That seems to take ages to write so I feel sorry for you
having to try and follow this ;)


Regards
Click to expand...

Thanks a Lot!. I hadn't looked back here for a couple of days since I've
been Googling for answers and trying stuff out. In the other newsgroup
(aps) they're telling me to format. There is one very impelling reason for
me NOT to format. This machine was set up in a networking environment by
someone who has dissappeared from the face of the earth. The owner has no
understanding of it, nor do I. I do know that there are mapped drives which
are labeled "pnttempl on server", "PNTDATA on server", "Users on Server",
"customer on Teresa", "c on server", "c on reception".
The main program they use there is called "Point" which is used to
coordinate data with credit agencies, lenders, etc. If I wiped the drive
and reinstalled, I nor anyone else would have any idea how to set it up
again.
Here is what I have been doing. I have lots of hard drives sitting around,
so the first thing I did was clone the drive the way it was brought in to
what we'll call "HARD DRIVE A". Then I just disconnected the cloned drive
and went to work on the original. Clean, scan, upgrade to SP2, etc. Until
it crashes... :-). Then I copy the cloned drive back and start all over
again. I am on the fourth attempt now and it's looking better than it has
yet. I have it clean in Safe Mode with MSAS, Spybot S&D, AdAware, and
Sysclean. As soon as I go into Normal mode, I'm still OK till I open
Internet Explorer, and then BANG... Surfsidekick is back. All those SSK
dll's and exes are back. I have Startup Monitor which stops it from
installing in the "run" key, but it won't give up.
The files on your list are VERY familiar. I have printed your post out
and am going to go follow it to a T and see what happens.
I'll keep you posted.
 
Menno Hershberger presented the following explanation :
Wow, does all THAT look familiar! By the way, the VX2 tool in Adaware
spotted a new variant on the one I'm working on, but it couldn't clean
it. Said to get a newer version of the VX2 cleaner. And of course the one
I have is the latest.
Click to expand...

Hi Menno

hehe, maybe a totally crazy test but it worked. :') (and Andy backed me
up)

Was the adaware plugin folder empty before you put the new VX2 files
within it ? I have checked forums within my country and none gets
that message to get a new ones.

Nevertheless you have all Andys advices.

Maybe worth a try, TrendMicros Antispyware detects a lot, free to try.

http://www.trendmicro.com/en/products/desktop/as/evaluate/overview.htm
 
You have the bundle that comes with SSK, PacerD & Aurora
and some trojan downloaders first we need to get rid or
Aurora this is going to be a long fix but I hoping it
will clear the problems your having

Ive read all the packet sniffing logs for this bundle and
it clearly states in them that all this is done by silent
installs with no EULA's displayed, from the wallpapers
site I use for testing it all starts by just entering the
site so because they download that much junk to the
system you will find it keeps locking up and giving error
messages, Ive got this on my test system and its
completly locked up so you will just have to reboot and
try end the processes or use Hijack This and kill the 04
run commands for these listed below - I have eTrust
antivirus and its a 1 year free trial for MS customers
and will delete some of this when you reboot if you need
it also ZoneLabs free firewall ZoneAlarm will give you
the choice if you want to let this stuff run so it will
make it easier then to work on the system.

Bring up task manager if needed and press Control - Alt -
delete and end the process for these:

bargains.exe
wintask.exe
cashback.exe
pokapoka63.exe
nls.exe
ms3asrad.exe
WFX5.exe
casclient.exe
sktpvvu.exe
xconfmsp.exe
lobbhhgji.exe
HBT.WeatheronTray.exe
HBT.OEAddon.exe
GLB1.tmp
VBouncerInner.exe

There's more than this but they will be random named
entries which may regenerate under a new name,if you are
sure they are not genuine end them,some of the above may
also be random so end what you can to get the system to
respond.

Get all the downloads first and update them before
starting( It may be easier to copy this to notepad as you
will be in safe mode for some of this fix).

Shut down MSAS completly, its real time protection can
interfere with the fixes and prevent things being removed
(Really its just protecting the registry from changes but
in cases like this it can also prevent malware being
removed as we need to make registry change to uninstall
the malware- Its fine to run the scanner but then right
click the bullseye and shut down MSAS to make things
easier, Also the same if you have Adaware's Adware or
Spybots Teatimer active or any other real time
protection.Another way round that is to install the
scanners below then boot into safe mode so the real time
features are not active)

You need to run these on the infected account if you can
and any other accounts you think may be infected.

Im not sure if this is the same VX2 cleaner as the one
Plun post but this is the latest( If you still have a
problem with this let us know and we can use Nailfix) :

http://updates.ls-servers.com/vx2cleaner.zip

Save the file where you can find it easily then Extract
the files and copy them (Left click and cover the files
and then right click and copy) then open Lavasoft's Ad-
Aware "Plugins" folder and paste them into there(Right
click and paste).

(C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)



Download CCleaner and install, but do not run it yet.

http://www.ccleaner.com/ccdownload.asp



Run Ad-Aware and click the Add-ons button in the main
window.Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of
the window.Click "OK" when asked if you want to execute
this tool.It will say VX2 variant found then press
clean.Next it will say to reboot and run a smart scan
with Adaware. Reboot and run a full system scan with
Adaware SE

After that Delete these if found:

C:\WINDOWS\ffsnvqmgpiy.exe
C:\WINDOWS\rramcx.exe

Then run Ccleaner and choose "Run Cleaner"


Please download, install, and update the free version of
Ewido trojan scanner:

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
From the main ewido screen, click on update in the left
menu, then click the Start update button.
After the update finishes (the status bar at the bottom
will display "Update successful")
Exit Ewido. DO NOT scan yet.


Then reboot into safe mode(Reboot and keep tapping F8 and
choose safe mode from the list) and perform as much
cleaning as possible,

Goto Add/Remove screen and remove any of these if found
(Im just listing what I have on mine but if you have
downloaded other removers from these pop-ups check for
them as well)

SurfSideKick
SurfAccuracy
Virtual Bouncer
Bullseye Networks
CashBack
CashBack Buddy
BargainBuddy
Select Cashback
ShopperReports by Hotbar
Hotbar Browser, Weather and WowPaper Tools
Hotbar Outlook Tools
Hotbar Web Tools
Web Search Toolbar
EasySearchBar
NaviSearch
Windows AFA Internet Enhancement
WinFixer 2005

Then Exit Add/Remove screen

Run Ewido on a complete system scan and remove anything
found Also use MSAS in safe mode-If Ewido says error
during clean up on any entries run it again to be sure
they have been removed also when you choose remove on the
infection check the box at the bottom left corner for
Perform .

You dont have the Navidad worm its a TrojanDownloader.
(Small.ABD/SILLY.MK)

so if Ewido didnt delete them search for these and delete
the files ( They have many names so each scanner will
call them something different)

C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\npti.exe is Qoologic trojan

C:\WINDOWS\System32\PSof1.exe is SillyDl.NB/PacerD

C:\WINDOWS\System32\exp.exe is SillyDl.MK
trojan/Small.ABD

C:\WINDOWS\System32\wintask.exe is SillyDl.MK
trojan/Small.ABD

C:\WINDOWS\SYSTEM32\ROUIOUY.DLL is Qoologic trojan.

C:\WINDOWS\System32\rnmpnm.exe is Qoologic trojan.

C:\WINDOWS\etb\pokapoka63.exe is Betalire.F trojan/New
Elite Variant

C:\WINDOWS\system\lobbhhgji.exe is SillyDl.OG trojan.

C:\WINDOWS\System32\pbvkb.dat is Qoologic trojan.

C:\WINDOWS\System32\redit.cpl is Qoologic trojan.

C:\WINDOWS\System32\supdate.dll is Qoologic.L

C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe is
Win32.SillyDl.KU trojan/SurfSideKick Related

C:\WINDOWS\system32\wrapperouter.exe is Win32.SillyDl.KU
trojan.

Then goto start and run and type

prefetch (As alan said)

delete the contents of this folder

then to run again and type

%temp%

Delete everything you can from this folder


Then use Ccleaner again and choose "Run Cleaner"


That should then be done but you still need to reset afew
things :(

Goto "Start Menu" and "control panel" then to "Internet
Options"

Goto the "Advanced tab" and press "Restore Defaults"

Then to the "Security Tab" and press "Custom Level" then
press "reset"

Then to the "Programs Tab" and Press "Reset Web settings"

Then to the "General Tab" and press "delete files" and
include all offline content then up to the homepage
address box and enter the address you want to use then
press "apply"

Then reboot back to normal mode and see how things look

Thats my system clean again so hopefully it works the
same for you but let us know if you have any problems,
That seems to take ages to write so I feel sorry for you
having to try and follow this ;)
Click to expand...

Well, I'd like to report the good news, but it just didn't do it. I did
everything you said right to the T. And Ewido found about 61 items. Many
of them were random filenames I remember from earlier attempts. As soon
as got in normal mode and opened the Windows Update site, I started
getting popups. Few of them opened because I have an extensive hosts file
blocking most of them. One did make it that said "Passion" or something
like that. Anyway, I unplugged my ethernet cable right away, but then
MSAS came up with a red box that AlwaysUpdateNews was trying to install.
Also Startup Monitor came up with something that was trying to install in
the startup group. I may have gotten rid of surfsidekick... it was
usually the first one to reappear after I thought I had it cleaned.
I also have a program called "Command" in add/remove programs. When I try
to remove it, Norton blocks a script that the uninstall tries to run.
Whatever that is, I don't think it is actively running.
And in between all this, when trying to get updates, Microsoft Update
won't install the Windows Genuine Advantage Verification Tool.
I've gone back to safe mode and run all the stuff you gave me again and
have it coming up clean again.
Now I'm pondering what to do next. Any more ideas?
 
Menno Hershberger presented the following explanation :

Hi Menno

hehe, maybe a totally crazy test but it worked. :') (and Andy backed
me up)

Was the adaware plugin folder empty before you put the new VX2 files
within it ? I have checked forums within my country and none gets
that message to get a new ones.

Nevertheless you have all Andys advices.

Maybe worth a try, TrendMicros Antispyware detects a lot, free to try.

http://www.trendmicro.com/en/products/desktop/as/evaluate/overview.htm
Click to expand...

OK, I followed this suggestion too. And it found a lot more stuff. But
just as soon as I plug the damn ethernet cable in, I'm back in trouble
again. Even while I was downloading the above, I was getting popups and
stuff was trying to install. Startup Monitor saved me on those. This was
after I'd done all the stuff Andy listed for me. I haven't see
surfsidekick any more though. It was the first one to try and install
before.
Know of any more scanners? :-)
 
plun said:
Hi Menno

Time is money but this PC was important for your client !?

Either Andy takes a HijackThis log or you post it to
Aumha for help.
Click to expand...

Well, here it is for what it's worth. The "repairs.dll" is the only one
that is a mystery to me. If I "fix" it, and then run HJT again, it's
back.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:52 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot-S&D\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:
\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware
\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared
\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1
\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files
\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuw
eb_site.cab?1124761906781
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dEvclnt.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation
- C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:
\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files
\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Hi Menno

Time is money but this PC was important for your client !?

Either Andy takes a HijackThis log or you post it to
Aumha for help.
Click to expand...

Well, here it is for what it's worth. The "repairs.dll" is the only
one that is a mystery to me. If I "fix" it, and then run HJT again,
it's back.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:52 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot-S&D\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:
\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [gcasServ] "C:\Program
Files\Microsoft AntiSpyware \gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared \ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1
\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files
\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/w
uw eb_site.cab?1124761906781
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Shell Extensions -
C:\WINDOWS\system32\dEvclnt.dll O23 - Service: Symantec Event Manager
(ccEvtMgr) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password
Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings
Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite
control - ewido networks - C:\Program Files\ewido\security
suite\ewidoctrl.exe O23 - Service: Norton AntiVirus Auto-Protect
Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton
AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall
Monitor Service (NPFMntor) - Symantec Corporation - C:\Program
Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan -
Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec
Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) -
Symantec Corporation - C: \Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec
Corporation - C:\Program Files \Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
Click to expand...

Also, here's some experimenting I've done in Safe Mode directly after
cleaning with AdAware, spybot S&D, MSAS, ewido and the Trend Micro
Scanner. All giving it a clean bill of health. Then this...
http://www.mewnlite.com/spyware/
 
on 2005-08-23, Menno Hershberger supposed :

Now I'm pondering what to do next. Any more ideas?

Hi Menno

Time is money but this PC was important for your client !?

Either Andy takes a HijackThis log or you post it to
Aumha for help.
Click to expand...

Well, here it is for what it's worth. The "repairs.dll" is the only
one that is a mystery to me. If I "fix" it, and then run HJT again,
it's back.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:52 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot-S&D\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:
\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [gcasServ] "C:\Program
Files\Microsoft AntiSpyware \gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared \ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1
\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files
\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/w
uw eb_site.cab?1124761906781
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Shell Extensions -
C:\WINDOWS\system32\dEvclnt.dll O23 - Service: Symantec Event Manager
(ccEvtMgr) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password
Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings
Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite
control - ewido networks - C:\Program Files\ewido\security
suite\ewidoctrl.exe O23 - Service: Norton AntiVirus Auto-Protect
Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton
AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall
Monitor Service (NPFMntor) - Symantec Corporation - C:\Program
Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan -
Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec
Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) -
Symantec Corporation - C: \Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec
Corporation - C:\Program Files \Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
Click to expand...

Also, here's some experimenting I've done in Safe Mode directly after
cleaning with AdAware, spybot S&D, MSAS, ewido and the Trend Micro
Scanner. All giving it a clean bill of health. Then this...
http://www.mewnlite.com/spyware/
Click to expand...

I Googled "repair.dll" and only came up with ONE decent hit. Someone who
had experienced it and suspected it of being the one that created all the
other random named DLLs. I booted into the Restore Console and deleted
it. I haven't seen another popup yet and nothing has tried to install or
has tripped MSAS. I've known it was there all the time but none of the
scanners (MSAS, Ewido, TrendMicro, Spybot S&D, AdAware, SysClean) flagged
it.
Thanks to ALL who have helped me along with this!
 
Back
Top