Tech Support Forum - View Single Post

CTSNKY · 01-20-2005, 02:56 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\svcmserr.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [D4456E6E] C:\WINDOWS\system32\svcmserr.exe
O4 - HKLM\..\Run: [C88DFB66] C:\WINDOWS\system32\dsldsyl32.exe
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [D4456E6E] C:\WINDOWS\system32\svcmserr.exe
O4 - HKCU\..\Run: [C88DFB66] C:\WINDOWS\system32\dsldsyl32.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk041
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://*.0texkax7c6hzuidk.com
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...23/cpbrkpie.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\jawa32.exe
C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\svcmserr.exe
C:\WINDOWS\system32\dsldsyl32.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

01-20-2005, 02:56 PM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards. Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\xpsp2fw.exe C:\WINDOWS\system32\svcmserr.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file) O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe O4 - HKLM\..\Run: [D4456E6E] C:\WINDOWS\system32\svcmserr.exe O4 - HKLM\..\Run: [C88DFB66] C:\WINDOWS\system32\dsldsyl32.exe O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe O4 - HKCU\..\Run: [D4456E6E] C:\WINDOWS\system32\svcmserr.exe O4 - HKCU\..\Run: [C88DFB66] C:\WINDOWS\system32\dsldsyl32.exe O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk041 O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU) O15 - Trusted Zone: http://.0texkax7c6hzuidk.com O15 - Trusted Zone: http://.69sexsearch.com O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...23/cpbrkpie.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\jawa32.exe C:\WINDOWS\system32\wuclient.exe C:\WINDOWS\system32\xpsp2fw.exe C:\WINDOWS\system32\svcmserr.exe C:\WINDOWS\system32\dsldsyl32.exe Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ GO BIG BLUE!!