Tech Support Forum - View Single Post

CTSNKY · 02-22-2005, 02:34 PM

Wow, that is one infected machine! Your cleanup will take some time, but stay on the path we provide and you will get clean.

==============

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Uncheck the box labeled 'Hide protected operating system files'. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download WinsockFix and unzip it. Then double-click on it to run it.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\winupdt.exe
C:\Program Files\5cyz8ymn\5cyz8ymn.exe
C:\windows\system32\msnavc32.exe
C:\WINDOWS\system32\alrsdo.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system\mhbvpjxx.exe
C:\WINDOWS\system32\prutqct.exe
C:\WINDOWS\system32\windcak32.exe
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\Program Files\Preview AdService\PrevAdKeep.exe
C:\Program Files\BullsEye Network\bin\bargains.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

BullsEye Network
E2G
Preview AdService
Upromise_RemindU
VBouncer

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com (These will probably come back, FYI.)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [3undHjtze] C:\documents and settings\user\local settings\temp\3undHjtze.exe
O4 - HKLM\..\Run: [nsdcmd vid process] nsdcmdwin.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [Q] C:\documents and settings\user\local settings\temp\Q.exe
O4 - HKLM\..\Run: [Dfc] C:\documents and settings\user\local settings\temp\Dfc.exe
O4 - HKLM\..\Run: [Upromise0] "C:\Program Files\Upromise_RemindU\Upromise0.exe"
O4 - HKLM\..\Run: [H71OBehX] C:\documents and settings\user\local settings\temp\H71OBehX.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [C:\WINDOWS\mefachjvr.exe] C:\WINDOWS\mefachjvr.exe
O4 - HKLM\..\Run: [dymwec] C:\WINDOWS\system32\dymwec.exe
O4 - HKLM\..\Run: [5cyz8ymn] C:\Program Files\5cyz8ymn\5cyz8ymn.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [wsmP3qQ] alrsdo.exe
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\User\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunServices: [nsdcmd vid process] nsdcmdwin.exe
O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [soundtask] soundtask.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe
O4 - HKCU\..\Run: [hB5FRkctj] advserv.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/A.../bridge-c18.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\DocumentsandSettings\User\n20050308.exe
C:\Program Files\5cyz8ymn\
C:\Program Files\BullsEye Network\
C:\Program Files\E2G\
C:\Program Files\Preview AdService\
C:\ProgramFiles\Upromise_RemindU\
C:\ProgramFiles\VBouncer\
C:\WINDOWS\mefachjvr.exe
C:\WINDOWS\system\mhbvpjxx.exe
c:\windows\system32\aklsp.dll
C:\WINDOWS\system32\alrsdo.exe
c:\windows\system32\dolsp.dll
C:\WINDOWS\system32\dymwec.exe
C:\WINDOWS\system32\msbe.dll
C:\windows\system32\msnavc32.exe
C:\windows\system32\msnavc32.exelee0105
C:\WINDOWS\system32\prutqct.exe
C:\WINDOWS\system32\vmss\
C:\WINDOWS\system32\windcak32.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\wsxsvc\

(Will have to search for these....probably most in Windows\System32 folder.)
advserv.exe
alrsdo.exe
D0CE0C16B1
E6F1873B.DLL
nsdcmdwin.exe
soundcontrl.exe
soundtask.exe

Run CleanUp! again.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

=========

Now, for the hard part, removing those O1's........

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it.

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open that folder on your Desktop and double click on the runme.bat file.
b) Type in 3 and hit your Enter key. Save the log file.
c) Type in 5 and hit your Enter key. Save the log file.
d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.

4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.

5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.

02-22-2005, 02:34 PM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Wow, that is one infected machine! Your cleanup will take some time, but stay on the path we provide and you will get clean. ============== Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it. Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Uncheck the box labeled 'Hide protected operating system files'. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Download WinsockFix and unzip it. Then double-click on it to run it. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\winupdt.exe C:\Program Files\5cyz8ymn\5cyz8ymn.exe C:\windows\system32\msnavc32.exe C:\WINDOWS\system32\alrsdo.exe C:\WINDOWS\system32\wsxsvc\wsxsvc.exe C:\WINDOWS\system32\vmss\vmss.exe C:\WINDOWS\system\mhbvpjxx.exe C:\WINDOWS\system32\prutqct.exe C:\WINDOWS\system32\windcak32.exe C:\Program Files\Preview AdService\PrevAdServ.exe C:\Program Files\Preview AdService\PrevAdKeep.exe C:\Program Files\BullsEye Network\bin\bargains.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: BullsEye Network E2G Preview AdService Upromise_RemindU VBouncer Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file) O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com (These will probably come back, FYI.) O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll O4 - HKLM\..\Run: [3undHjtze] C:\documents and settings\user\local settings\temp\3undHjtze.exe O4 - HKLM\..\Run: [nsdcmd vid process] nsdcmdwin.exe O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe O4 - HKLM\..\Run: [soundtask] soundtask.exe O4 - HKLM\..\Run: [Q] C:\documents and settings\user\local settings\temp\Q.exe O4 - HKLM\..\Run: [Dfc] C:\documents and settings\user\local settings\temp\Dfc.exe O4 - HKLM\..\Run: [Upromise0] "C:\Program Files\Upromise_RemindU\Upromise0.exe" O4 - HKLM\..\Run: [H71OBehX] C:\documents and settings\user\local settings\temp\H71OBehX.exe O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe O4 - HKLM\..\Run: [C:\WINDOWS\mefachjvr.exe] C:\WINDOWS\mefachjvr.exe O4 - HKLM\..\Run: [dymwec] C:\WINDOWS\system32\dymwec.exe O4 - HKLM\..\Run: [5cyz8ymn] C:\Program Files\5cyz8ymn\5cyz8ymn.exe O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105 O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [wsmP3qQ] alrsdo.exe O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\User\n20050308.exe O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe O4 - HKLM\..\Run: [salm] c:\temp\salm.exe O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\RunServices: [nsdcmd vid process] nsdcmdwin.exe O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe O4 - HKLM\..\RunServices: [soundtask] soundtask.exe O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\system32\prutqct.exe O4 - HKCU\..\Run: [hB5FRkctj] advserv.exe O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU) O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/A.../bridge-c18.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\DocumentsandSettings\User\n20050308.exe C:\Program Files\5cyz8ymn\ C:\Program Files\BullsEye Network\ C:\Program Files\E2G\ C:\Program Files\Preview AdService\ C:\ProgramFiles\Upromise_RemindU\ C:\ProgramFiles\VBouncer\ C:\WINDOWS\mefachjvr.exe C:\WINDOWS\system\mhbvpjxx.exe c:\windows\system32\aklsp.dll C:\WINDOWS\system32\alrsdo.exe c:\windows\system32\dolsp.dll C:\WINDOWS\system32\dymwec.exe C:\WINDOWS\system32\msbe.dll C:\windows\system32\msnavc32.exe C:\windows\system32\msnavc32.exelee0105 C:\WINDOWS\system32\prutqct.exe C:\WINDOWS\system32\vmss\ C:\WINDOWS\system32\windcak32.exe C:\WINDOWS\system32\winupdt.exe C:\WINDOWS\system32\wsxsvc\ (Will have to search for these....probably most in Windows\System32 folder.) advserv.exe alrsdo.exe D0CE0C16B1 E6F1873B.DLL nsdcmdwin.exe soundcontrl.exe soundtask.exe Run CleanUp! again. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. ========= Now, for the hard part, removing those O1's........ Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready): Please download the following programs required for the removal process: Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe PV http://www.greyknight17.com/spy/pv.zip VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe Hoster http://www.greyknight17.com/spy/Hoster.exe CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe KillBox http://www.greyknight17.com/spy/KillBox.exe notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it. Please follow the steps below: 1. Download/run the following uninstallers: Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip 2. Run Kill2Me. 3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!). a) Open that folder on your Desktop and double click on the runme.bat file. b) Type in 3 and hit your Enter key. Save the log file. c) Type in 5 and hit your Enter key. Save the log file. d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below. 4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later. 5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later. We also need a list of files in the following folders: C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here. C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious. Post all of the logs in your next post. We need them all to get a fix for this infection. __________________ GO BIG BLUE!!