Tech Support Forum - View Single Post

palguy · 02-27-2005, 10:56 AM

Hello djbutzen and welcome to TSF,

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time).

C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\prutqct.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

2osx21u6
E2G

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = wi.rr.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {05460EBA-C366-402A-A504-6426836E6FD5} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {0CAE85DF-F444-4071-90EC-4E8AB67F8AD0} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {2A16EDF2-AE29-45C7-B581-3FF0CF6D3EF4} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {38FFAFE9-52F2-445E-97FB-B273062A93D0} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {59C7D99E-D7D1-400C-9A80-75CDE57BF46D} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {68E29065-DC6A-4EE0-8F5D-695211B11F89} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {6923C5E5-BA91-4563-B93C-E48228386996} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {93172F4F-D1EC-473E-8DBE-8A4AA22DCF8F} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll
O2 - BHO: (no name) - {9DEB7E5B-7B04-498B-90E6-9C3035215D5B} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {C4E17322-D63E-4A28-8B85-9447B9662686} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {E8B56F4A-05ED-4D76-90D1-EE45A52C8A9B} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrive...ave/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036af65...ip/RdxIE601.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: eplrr9 - {75598E8B-7776-4E4C-90A9-F3AFAA9C1C1F} - C:\WINDOWS\System32\mspdnx.dll

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\rsyncmon.dll
C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
C:\WINDOWS\System32\AUNBHO.dll
C:\WINDOWS\System32\ic2_win.dll
C:\WINDOWS\System32\mspdnx.dll
C:\WINDOWS\isrvs
C:\Program Files\2osx21u6
C:\Program Files\E2G

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

02-27-2005, 10:56 AM	#3 (permalink)
palguy Registered User Join Date: Nov 2004 Posts: 369 OS: xp	Hello djbutzen and welcome to TSF, Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro. To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). C:\WINDOWS\System32\prutqct.exe C:\WINDOWS\System32\prutqct.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: 2osx21u6 E2G Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = wi.rr.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {05460EBA-C366-402A-A504-6426836E6FD5} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {0CAE85DF-F444-4071-90EC-4E8AB67F8AD0} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll O2 - BHO: (no name) - {2A16EDF2-AE29-45C7-B581-3FF0CF6D3EF4} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: (no name) - {38FFAFE9-52F2-445E-97FB-B273062A93D0} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll O2 - BHO: (no name) - {59C7D99E-D7D1-400C-9A80-75CDE57BF46D} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll O2 - BHO: (no name) - {68E29065-DC6A-4EE0-8F5D-695211B11F89} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {6923C5E5-BA91-4563-B93C-E48228386996} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {93172F4F-D1EC-473E-8DBE-8A4AA22DCF8F} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll O2 - BHO: (no name) - {9DEB7E5B-7B04-498B-90E6-9C3035215D5B} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {C4E17322-D63E-4A28-8B85-9447B9662686} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {E8B56F4A-05ED-4D76-90D1-EE45A52C8A9B} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrive...ave/Install.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036af65...ip/RdxIE601.cab O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O21 - SSODL: eplrr9 - {75598E8B-7776-4E4C-90A9-F3AFAA9C1C1F} - C:\WINDOWS\System32\mspdnx.dll *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\System32\prutqct.exe C:\WINDOWS\System32\rsyncmon.dll C:\Documents and Settings\All Users\Application Data\msw\MSW.dll C:\WINDOWS\System32\AUNBHO.dll C:\WINDOWS\System32\ic2_win.dll C:\WINDOWS\System32\mspdnx.dll C:\WINDOWS\isrvs C:\Program Files\2osx21u6 C:\Program Files\E2G Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.