# Difficult & problem fixes



## dvk01 (Dec 14, 2002)

It is completely pointless wasting your time trying to fix the latest VX2 or L2M hijacks with any manual method, or by using Adaware/Spybot etc., or any previous fixes.

There is only one cure that works on this version (until they change it again), so if an HJT log with any of these lines appears:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch

or any entries like 
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll

or the "victim" says that despite cleaning, all the hijackers come back,

then please don't attempt the fix unless you are 100% sure you know what you are doing.

*WARNING: This fix is ONLY for XP or Windows 2000/2003. DO NOT attempt it on Windows 98 or ME; it will not work and will probably wreck the computer.*

If YOU are infected please do this or ask the victim to do this

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Then, when the log has been posted, please report it to a moderator and we will examine it to ensure it is suitable to use the remainder of the fix.

Only use this fix when asked to do so by someone who knows.

Please post a hijackthis log or ask for help first

Edit:

The latest VX2/L2M incarnation only shows this entry
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\t0r80a9ued.dll

or similar.
The clue is a strange random-name DLL in O20 in an HJT log.


----------



## $teve (Oct 9, 2001)

Sticking this for a few days.
Instructions here: http://forums.subratam.org/index.php?showtopic=3466

:up:


----------



## $teve (Oct 9, 2001)

You're very welcome.

Lately we have been seeing a mixture of the Qoologic/Narrator trojan, Bube, the new VX2 variants and CWS all in the same logs. It's useless to try and prune anything away or use malware removal apps, because more crapware is downloaded all the time the infected computer is on-line.
The only way to deal with that is to start with the fix above. Kaspersky is the ONLY antivirus that will deal with this.... it also has some success removing the VX2 infection. I'll link a thread I dealt with earlier in the week, because there is a reg fix to run afterwards and a few more tidy ups. They need to make sure they totally disable their antivirus program for this to work.... AND use KAV in safe mode.
If they can use a non-infected machine as a middle man and keep the infected one off-line until totally clean, that's a bonus.
If the above doesn't work, then get them to back everything up and use the faithful old *FORMAT C:*

Log here:
http://forums.techguy.org/showthread.php?t=340855

dvk,firman1 or myself will keep this thread updated as things progress.

:up:


----------



## dvk01 (Dec 14, 2002)

This will contain notifications of the difficult & problem fixes that need specialist help 

Examples at the moment are VX2, Qoologic, Bube etc


----------



## dvk01 (Dec 14, 2002)

SE DLL fix

In view of problems experienced by several users with this fix, we are not recommending it any longer until the problems have been sorted by the developers, and have removed the canned fix for safety reasons.


----------



## dvk01 (Dec 14, 2002)

SE.dll fix seems to be OK for use now

Make sure you download the right version for the right operating system.

XP/W2K

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix' to the desktop, then
right click a blank part of the desktop & select New Folder; call it spfix.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

9X
Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix' to the desktop, then
right click a blank part of the desktop & select New Folder; call it spfix.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.


----------



## dvk01 (Dec 14, 2002)

Spywad aka Slimshield

Where you have lots of 3-letter files in an HJT log.

OK, 2 versions uploaded; make sure you use the right version for the operating system.
These are the instructions.

Please report any problems so we can fix them



> This fix is only for XP & Windows 2000
> 
> Download and Save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe and double click on the spywadfix.exe
> 
> ...





> This fix is only for Windows 98 or ME
> 
> Download and Save spywad9xremove to your computer from this link: http://www.thespykiller.co.uk/files/spywad9xremove.exe
> 
> ...


----------



## dvk01 (Dec 14, 2002)

This one cleans up the desktop after many hijacks



> This fix is only for XP & Windows 2000
> 
> Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe
> 
> ...


----------



## dvk01 (Dec 14, 2002)

If you see an HJT log with an O2 BHO starting ***DP Class like these below,

please DO NOT attempt a fix as it will need very special treatment to avoid the computer being unbootable

Please report the post so one of the security mods can deal with it 

A fix is being worked on but it is quite involved at the moment as it's a new one that needs some refining 

O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll 
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll 

there will be several hidden files and some registry entries that need dealing with in order to keep the computer working and it has to be done in a particular order

we will keep you updated as we find out more


----------



## dvk01 (Dec 14, 2002)

If you have any doubts at all, then start a new thread to ask for help.

Do not tag on to someone else's thread.

Replace the name of the DLL marked in red with the one in your particular case, and the full filename marked in red to delete in HJT etc.

Please download Process Explorer by Sysinternals from HERE

Also download KillBox by Option^Explicit from HERE

*Then boot up in*  SAFE MODE

*the rest of this fix must be done in safe mode.*

Unzip Process Explorer and double click on *procexp.exe*

In the top section of the Process Explorer screen double click on *winlogon.exe* to bring up the winlogon.exe properties screen. Click on the *Threads tab* at the top.

Once you see this screen click on each instance of *pcftp.dll* once and then click the *kill* button.

After you have killed all of the *pcftp.dll*'s under winlogon click *OK*.

Also look for any .ini or .bak files, or other DLLs with either the same name or the file name in reverse, & kill them as well.

Next double click on *explorer.exe* and again click once on each instance of *pcftp.dll* then click the *kill* button.

Also look for any .ini or .bak files, or reverse-named DLLs with either the same name or the file name in reverse, & kill them as well.

Click on the *Threads* tab at the top.

Once you have done that click *OK* again.

Next run HijackThis and place a check beside each of the following.

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\security\pcftp.dll

O20 - Winlogon Notify: pcftp - C:\WINDOWS\security\pcftp.dll

Now click *fix checked* and close HijackThis.

Please copy the text below and paste it into a blank Notepad window.
Save it as *vundo.reg*, and in the "Save as type" box choose *All Files*.

Once you have saved it, *double click* it and *allow* it to merge with the registry.

```reg
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]
[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]
```

Now run KillBox and paste the FIRST ONE of these lines into the box, select "Delete on reboot", then press the red X button. Say yes to the prompt but no to "reboot now".

Then continue to paste the lines in, in turn, and follow the above procedure every time. If it says the file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply.

C:\WINDOWS\security\pcftp.dll

Then repeat by typing in the full name of any of the reverse-named .bak or .ini or other files that you discovered in step 1.

After you have input the last file name, then reboot.

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

Edit:

Symantec now have a fairly reliable tool to fix this one, so try the Symantec tool first:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

If it doesn't work, then use the fix above.

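As an added example (not a tool from this thread or from any of its posters), the Python script below applies the triage rules these posts describe to an HJT log. It flags O1 hosts entries that point a hostname at a non-loopback address, O10 unknown Winsock LSP files, O20 Winlogon Notify entries whose DLL has a random-looking name, and O2 BHOs named *DP Class (the ones the earlier post says to report rather than fix). It then correlates O2 and O20 lines that load the same DLL, the pattern the Vundo fix above handles, derives the reverse-named .dll/.ini/.bak companions to look for, and writes a REGEDIT4 removal script for the CLSIDs found in those BHO lines. The sample log is constructed from lines quoted in this thread; the random-name heuristic and the "not loopback" hosts rule are my assumptions, not rules from the posts, and the ProgID keys (MSEvents.MSEvents) in the original vundo.reg cannot be derived from a log, so they are not generated.

```python
import re
from collections import defaultdict

# Constructed sample: benign O1/O4 lines mixed with the indicators quoted in this thread.
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\\WINDOWS\\security\\pcftp.dll
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\\WINDOWS\\xmllib.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\dolsp.dll
O20 - Winlogon Notify: StillImage - C:\\WINDOWS\\system32\\t0r80a9ued.dll
O20 - Winlogon Notify: pcftp - C:\\WINDOWS\\security\\pcftp.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL_PATH = re.compile(r"[A-Za-z]:\\.+?\.dll", re.IGNORECASE)
DP_CLASS_BHO = re.compile(r"\bBHO: \w*DP Class\b")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts entries pointing here are not redirects

def parse(log):
    """Return (section, body) pairs for every 'Onn - ...' line; other lines are ignored."""
    entries = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def looks_random(stem):
    """Assumed heuristic for the 'strange random name dll' the thread mentions:
    letters mixed with digits, or five-plus characters with no vowel at all."""
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return (has_digit and has_alpha) or (len(stem) >= 5 and vowels == 0)

def dll_stem(path):
    """'C:\\WINDOWS\\security\\pcftp.dll' -> 'pcftp'"""
    return path.rsplit("\\", 1)[-1][:-4]

def triage(entries):
    """Return (severity, reason, line) findings; 'report' means hand it to a mod, don't fix."""
    findings = []
    for section, body in entries:
        if section == "O1":
            parts = body.split()  # "Hosts: <address> <hostname>"
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append(("hijack", f"hosts file sends {parts[2]} to {parts[1]}", body))
        elif section == "O10" and "Unknown file in Winsock LSP" in body:
            findings.append(("hijack", "unknown Winsock LSP: use the l2mfix procedure, not manual deletion", body))
        elif section == "O20":
            m = DLL_PATH.search(body)
            if m and looks_random(dll_stem(m.group(0))):
                findings.append(("hijack", f"Winlogon Notify DLL with random-looking name {dll_stem(m.group(0))}", body))
        elif section == "O2" and DP_CLASS_BHO.search(body):
            findings.append(("report", "*DP Class BHO: report it, do not fix it yourself", body))
    return findings

def correlate_dlls(entries):
    """Group O2 (BHO) and O20 (Winlogon Notify) lines by the DLL they load and keep
    only DLLs present in both: the pattern the Vundo fix above deals with."""
    by_dll = defaultdict(lambda: {"O2": [], "O20": []})
    for section, body in entries:
        if section in ("O2", "O20"):
            m = DLL_PATH.search(body)
            if m:
                by_dll[m.group(0).lower()][section].append(body)
    return {dll: hits for dll, hits in by_dll.items() if hits["O2"] and hits["O20"]}

def companion_names(dll_path):
    """Files to check next to the DLL: the same stem and its reverse as .dll, .ini
    and .bak (the 'reverse named .bak or .ini' files the fix says to kill)."""
    folder, _ = dll_path.rsplit("\\", 1)
    stem = dll_stem(dll_path)
    return sorted(f"{folder}\\{s}.{ext}" for s in (stem, stem[::-1]) for ext in ("dll", "ini", "bak"))

def removal_reg(o2_lines):
    """REGEDIT4 script deleting the CLSID keys found in the given BHO lines, under the
    two hives the thread's vundo.reg uses. ProgID keys are not in a log, so not emitted."""
    clsids = sorted({c.upper() for line in o2_lines for c in CLSID.findall(line)})
    out = ["REGEDIT4", ""]
    for c in clsids:
        out.append("[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + c + "]")
        out.append("[-HKEY_CLASSES_ROOT\\CLSID\\" + c + "]")
        out.append("")
    return "\r\n".join(out)

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for severity, reason, line in triage(entries):
        print(f"[{severity}] {reason}\n    {line}")
    for dll, hits in correlate_dlls(entries).items():
        print(f"\nVundo pattern: {dll} is loaded by both an O2 BHO and an O20 Winlogon Notify entry")
        print("Look for and kill/delete:", *companion_names(dll), sep="\n    ")
        print("\n" + removal_reg(hits["O2"]))
```

Run it as-is to see the findings for the constructed sample, or replace SAMPLE_LOG with a pasted log. It only lists what to check and what the .reg would remove; the thread's steps (killing the threads in Process Explorer, KillBox delete-on-reboot, doing it all in safe mode) still have to be carried out by hand.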

----------



## Flrman1 (Jul 26, 2002)

I have unstuck the original thread for this so I'll post this here. The original sticky thread is here:

http://forums.techguy.org/t376692.html

This fix is posted here primarily as a reference for those who are experienced with helping on the forums with these infections. If you are a victim of this infection, it is not recommended that you attempt to fix this on your own. Before you attempt anything, post your HijackThis log in the Security forum and wait for help from one of our experienced helpers.

The following fix provided by *noahdfear* will work to remove all of these:

*AntiVirusGold
Smitfraud
SpySheriff*

*Note*: The smitRem fix will work on 9x systems also, but ewido will only work on XP/2K systems. In noahdfear's original fix he had Adaware included in the fix, but I've found that the smitRem fix and ewido alone work fine. For 9x systems you should use Adaware instead of Ewido.

*For XP/2k systems:*


> * *Click here* to download smitRem.exe.
> Save the file to your desktop.
> It is a self extracting file.
> Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
> ...


*For 98/ME systems:*


> * *Click here* to download smitRem.exe.
> Save the file to your desktop.
> It is a self extracting file.
> Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
> ...


I am attaching my canned fixes for you with all the code tags. Mine is slightly different than the original posted by noahdfear, but not much. Feel free to save it and use it.


----------

