I've spent over 10 hours trying to defeat this trojan. I can't. I'm not even going to detail what I've tried - cause it hasn't worked and I'm tired :)
So, I've saved the Hijackthis log file analysis at http://www.hijackthis.de/l
And here is the output from VX2 Finder:
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
Extensions
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
{B0A2FCFA-BC60-4BF9-A1EA-7
=========End Of Log================
Okay, all you experts....help! :)
Jon
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
SheharyaarSaahil,
Yes, I have run the VX2 Add-on for Ad-Aware. It finds nothing.
System Restore is Turned Off
Um, I don't think I have run all the tools in safe mode.
I have done the fixes many times, and I thought I had deleted those files but perhaps not.
What you are sayign is making sense to me, but I've missed this boat a lot of times. Would you write this up as a procedure for me to follow? Also, should I be deleting the 2 htm files ast well?
ok let me try..... here goes...... :)
First use msconfig to untick unwanted progrmas as described here >> http://netsquirrel.com/msc
Then make sure that you have these latest edition of tools and install and update them,
AdAware ==> http://www.spychecker.com/
SpyBot ==> http://www.spychecker.com/
CoolWebShredder ==> http://www.softpedia.com/p
About:Buster ==> http://www.snapfiles.com/g
Vx2 Removal Tool ==> http://www.downloads.subra
Stinger ==> http://vil.nai.com/vil/sti
Then Disable System Restore >> WinME\XP >> http://www.pchell.com/viru
Then Disable the Messenger Service if its running >> http://www.itc.virginia.ed
Then run hijackthis scan, close all the explorer windows, disconnect from the intenret and fix the above lines which i mentioned, now dont do anything else and restart your system and boot it in safemode now!
1. Login as Administrator
2. Run your av scan and stinger and delete anything they find
3. Run the Spyware Removal tools one by one and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\your username\Cookies, and delete all cookies present here
(ofcourse im assuming that u have already saved all the login passwords for ur websites :)
8. Goto C:\Windows\Temp and delete all files present here
9. Dont delete those html files, but delete the two exe ones, i.e kapsar.exe and lgkvgt.exe
10. Reboot back in Normal Mode and check if problems are gone or not
Post Back and Good Luck :)
Hi JohnSH,
regarding to the very suggestions of shehar,
install Pest Patrol from:
http://www.pestpatrol.com/
make this settings:
Pest patrol > options > Where to Search :
check : all files ;
check : scanning method : thorough ,
check : scan shell tree options > show hidden and show files .
Pest patrol > options > What to search for - and then check all the items-all!
Pest patrol > options > What to exclude : wtere must be only the recycle folder and system volume information nothing mere!
Pest patrol > options > Automatic scans !!!
check : scan on boot --> your boot partition
check : PPMemCheck Memory Scan > Invoke on boot
check : CookiePatrol > Invoke on boot
check : PPcontrol > Invoke on boot
check : KeyPatrol > Invoke on boot
you can check also the right click option for folders too...
check in the main menue to scan all hard drives .... update the pest patrol.
install winpatrtol from:
http://www.winpatrol.com/w
Have you done everything ,restart your PC as normal and delete everything that the two programs detect....
ONLY AS A SUGGESTION!!! :
I would recommend that you install also Antivir Personal edition as antiviral program with the following settings:
on both scanner and virus watcher:
at the search section/tab:
-for boot sectors :check the two options
-for the data search :check all files
-for priority check :high
at the search subtab - archves:select all archive types
at the repair section:
-check :delete with prompt
at the unwanted program tab:
-check all
at the heuristic tab:
-select:enable mcro virus heuristic
-select:win32 file heuristic enabled and then detction level high
at the drag&drop tab:
-select:scan subfolders
at the miscellaneous tab:
-select: interruption allowed
-check the option for load the guard at system start
-check the option lload the guard via the control program
-enable:check for old virus definition files(7 days)
go to options and make: save setting...
this settings you must make to the main program and the virus guard too,,,
to start the virus guard menue -double click on the Antivir icon in the system tray=>options=>configure,,
but you must first disable your recent virus scanner to install the antivir personal if you wish-i am very happy with this program....
hope this additional info could help!
CHEERS
Worth a try:
http://downloads.subratam.
The latest Look2Me Fix
it hides in safemode. i think it is changing filenames around. I can always find either kaspar.exe or lgkvgt.exe or lsp.dll, but never all 3. I've even tried it in safemode with command line so the explorer shell doesn't get loaded (I think).
This variant is very very tricky, the only VX2 that ever sees it is ad-aware. The only good thing about this so far is that I'm pulling my hair out which is getting rid of my bald spot......
oh, yeah, I've removed the entries from regedit, and from hijackthis, and from msconfig........arrrgh! many times now....
Yes, and I got rid of those a while back. But I just saw something interesting. I got the machine to a point that tested on hijack as a "clean" machine. Then, I plugged the LAN cable back in and all of a sudden I get this popup from RUNDLL as follows:
An exception occurred while trying to run ""C:\WINDOWS\system32\rzgs
now I get this when I run Hijackthis:
http://www.hijackthis.de/l
so whatever this thing is, it is network aware......
Download Killbox from here >> http://www.downloads.subra
using it, try to tell it to remove three files,
C:\WINDOWS\system32\rzgsvc
C:\WINDOWS\system32\kapsar
lgkvgt.exe
now restart and check if still these files are reappearing ??
Hi Jon,
i read the postings and as a suggestion i'll recommend to you that you install theese two programs :
PestPatrol and Winpatrol(as above)
you can remove all found entries but if there is a program module hidden inside the explorer.exe for an instance,you can't see this malware even with the best registry program,,,
so why i recomment theese scanners to ,cuz there are startup scanners and they are active during your start up,,,if you can disable the starting up module,among the startup of your system ,there could be a way that you stop the results from it:kaspar.exe and this silly .dll,,,
just try them and post your reply!
check out your antivirus program:make the highest protection,update it and make scan...
Good luck!
the dll name appears to be random, changes after every boot....I let it sit connected to the internet for 90 minutes, undisturbed, the damm thing filled up the computer with another 15-20 pieces of ad-ware...Elite Toolbar, VBouncer, etceteras...this is some serious sh*t happening to this machine.....
....I'm this close to formatting the drive and starting clean.......
....Going to try Pest Patrol next, I guess, in maximum modes.......
Hi Jon ,
don't give up!Formatting is the dullest thing and the virus wins,,,
I have written to you for Pest patrol adjustement,please make the settings as above,
for winpatrol you don't need any furthur setting except,,,
why don't you clean your winsock settings and then lock the host file with winn patrol or spybot ,this could also´help(the trojan connects to a speciffic site isn't it...)
Do you have a firewall if not instal the new Kerio Personal or ZoneAlarm - this could block the internet-connectivity of the trojan ...
if you want make also screen shots of what you found,delete and rapair(Printscreen[Gadwin]
Good luck!
As posted above:
http://downloads.subratam.
Don't click the link because the (...) break it.
Copy it and paste to your browser address bar.
Zee
Have a go with the PeperFix:
http://downloads.subratam.
hmmm can i ask a last question if you dont mind =\
when you goto Start>Run>regedit and navigate to the following key
HKEY_LOCAL_MACHINE\Softwar
in the right pane you will find an AppInit_DLLs entry, when you right click it and click Modify, what is the value data written here ??
No problems here if you want to ask for a refund at Community Support:
http://www.experts-exchang
I honestly don't believe that suggesting a format and reinstall could be an accepted answer to this question.
Cheers and good luck!
Zee
JonSh,
I feel your pain, I am still dealing with same thing. Its a nasty one to say the least, and to address blue_zee yes format c: sometimes just provides a sense of relief. I have spent since Thanksgiving trying to resolve from what it seems the same issues. I have stayed with it because it entered thru a door (port 135) that was opened by one of my vendors applications. Needless to say the potential for my clients to get this is very high. So I figured going thru the pain today will pay off when my clients get this.
Just few things that happened to me when I was hit:
Google toolbar and popup blocker disabled
Reycycle bin icon always showed full, oped folder nothing, right click asked to delete 9 files?
Certian keys on keyboard were remapped
Host file, unlocked
NAV disabled
Spybot disabled certian things, but not completely, enough not to casue attention
Right click possible culprit, it would disappear
Process running in safe mode
Randomly create a dll upon winlogin and logout, also dll name is random containing numbers a letters
provide new key in Notify of Winlogin which appeared to look like a normal name such as Restart, Startup, Stillimage with newly created dll registered already
host of pop-ups even with opera and firefox using their stuff
cpu cycles just kill system after a while
turned restore feature backon disks
populate temp directories with links
turned feature on folders to hide hidden files
From what I can tell is that two files seem to be at the root at least for me, pkpbpp.exe and klkikk.exe
My next step is to use a linux LiveCD distro to boot up in RAM and delete all files on HD past a certian date.
Thing that actually scares me is that what is next? A friend and I have talked about the entire collapse of the Internet infrastructure in the next 3 years (running bet we started 5 years ago). This was based more upon the downsizing and outsourcing of IT, aslo companies stretching systems original intent well beyond its means. I am starting to rethink that "what is next" a little ole piece of software written in C+ will bring the Internet down even sooner.
Hi!
This Vx2 variant is being worked on - mixed success.
2 or more randomly named dll's - that change on reboot.
A hidden file in system32 named guard.tmp
Causes things deleted to be immediately deleted and not sent
to the recycle bin.
Messes with a user's ability to print anything.
Some success using DLLCompare and PocketKillbox to find all the dll's
Trys to connect to {www.a-d-w-a-r-e.com} or something simliar
One user had success dealing with it using Recovery Console - link here:
{http://computercops.biz/p
Don't know yet if this fix works all the time, though.
{Zupe} over at SWI has written a batch file to try to help find the bad dll's -
http://www.dslreports.com/
Check the warning about it also showing valid files!!
Here's a link to a post where he's using it -
http://www.dslreports.com/
Sheeesh!!! - what will they come up with next!?!
Regards
RF
Looks like what I have, here is the link to my ongoing post here at EE:
http://www.experts-exchang
I believe that the dll's are created at each login and logout and shutdown, this is how it even happens during safe mode since I have been logging in. This is supported by the fact I have two new dlls each day at least on system. The key under HKLM\Software\Microsoft\WI
Also I just noticed that all the other keys that are normally in the Notify have neen delted (not by me) so this Vx2 variant is self mutating and smart enough to delte keys over time. Aslo there are several more new .exe running I have not seen before in the process list.
Today when I booted my software from various companies were no longer registered including Spysubtract, TrendMicro and XP Pro!!!!!
I have a copy of Knoppix, which I have been informed can write and read to NTFS without a hitch. My plan later is to boot Knoppix off CD and have a good old time delting.
The main key with this variant is to get as quick as possible, rebooting and log on/off the sytem the least amount of times possible. The best would be a bootable floppy/CD with a batch program to delete suspect files based on time, size and naming convention.
I hope this provides some insight to anyone who may have this on their system. I will report back if using Knoppix approach works or does not.
Joel_Sisko
Hi JonSh,thanks for the given points and damn sorry that we couldn't solve the problem...
Good luck with the new system,,,a good firewall and antiviral system will prevent you from having theese troubles again,so if you wish keep on patrolling :) with the right settings on each program!
All the best!
Joel_Sisko,
it's true that knoppix has the experimental captive system:
http://www.jankratochvil.n
I can give you a suggestion ,that you use the ERD Commander,it's very expensive ,but does a good work -in case of overwriting or deleting files from all kind of ntfs-partitions...
CHEERS
Business Accounts
Answer for Membership
by: SheharyaarSaahilPosted on 2004-12-02 at 11:32:41ID: 12729391
Hello JonSh =)
There is an addon of Adaware called Vx2 Cleaner.... have you installed and run it >> http://www.lavasoftusa.com
Is System Restore turned off ?? Have you run all the tools in safemode ??
Have you run this tool yet in safemode >> http://www.downloads.subra
In your log file, these entries are required to be fixed,
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\kapsar
O4 - Global Startup: lgkvgt.exe
Have you fixed them and deleted those kapsar.exe and lgkvgt.exe files manually from the system ??