Tech Support Forum - View Single Post - Searchdom, loaders and virus Influx 'HELP'?

VADAR · 03-01-2005, 10:14 AM

Hi steveybob,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Download istbar removal tool and save it to your desktop. Open FxIstbar and then click ok.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system.exe
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\fvutsu.exe
C:\WINDOWS\a65d.exe
C:\WINDOWS\System32\SNSS32.EXE
C:\WINDOWS\newsd.exe
C:\WINDOWS\System32\rant.exe
C:\WINDOWS\System32\run.exe
C:\WINDOWS\System32\pingppac.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

ieloader
Preview AdService
IST Service

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplSystem] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [Kg5elGi4] c:\windows\temp\Kg5elGi4.exe
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [bkITDO] C:\WINDOWS\fvutsu.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteexk32.exe
O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
O4 - HKLM\..\Run: [Dot.net Networking] SNSS32.EXE
O4 - HKLM\..\Run: [newsfeed12] C:\WINDOWS\newsd.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [runs] run.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\RunServices: [Dot.net Networking] SNSS32.EXE
O4 - HKLM\..\RunServices: [rant] rant.exe
O4 - HKLM\..\RunServices: [runs] run.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKCU\..\Run: [rant] rant.exe
O4 - HKCU\..\Run: [runs] run.exe
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%7 4/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%7 4/?re=
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system.exe
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\fvutsu.exe
C:\WINDOWS\a65d.exe
C:\WINDOWS\System32\SNSS32.EXE
C:\WINDOWS\newsd.exe
C:\WINDOWS\System32\rant.exe
C:\WINDOWS\System32\run.exe
C:\WINDOWS\System32\pingppac.exe
C:\WINDOWS\Downloaded Program Files\ieloader.exe
C:\windows\system32\eliteexk32.exe
C:\Program Files\Preview AdService
C:\Program Files\ISTsvc
rant.exe->>>>>> Do a search for this one.
run.exe->>>>>>>Do a search for this one.

Run cleanup again

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

03-01-2005, 10:14 AM	#4 (permalink)
VADAR Member Join Date: Jan 2005 Location: Bristol,uk Posts: 154 OS: win xp pro	Hi steveybob, Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards. Download istbar removal tool and save it to your desktop. Open FxIstbar and then click ok. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system.exe C:\WINDOWS\System32\csrssp.exe C:\WINDOWS\fvutsu.exe C:\WINDOWS\a65d.exe C:\WINDOWS\System32\SNSS32.EXE C:\WINDOWS\newsd.exe C:\WINDOWS\System32\rant.exe C:\WINDOWS\System32\run.exe C:\WINDOWS\System32\pingppac.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: ieloader Preview AdService IST Service Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated) O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O4 - HKLM\..\Run: [NvCplSystem] C:\WINDOWS\system.exe O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe O4 - HKLM\..\Run: [Kg5elGi4] c:\windows\temp\Kg5elGi4.exe O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe O4 - HKLM\..\Run: [bkITDO] C:\WINDOWS\fvutsu.exe O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteexk32.exe O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe O4 - HKLM\..\Run: [Dot.net Networking] SNSS32.EXE O4 - HKLM\..\Run: [newsfeed12] C:\WINDOWS\newsd.exe O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe O4 - HKLM\..\Run: [runs] run.exe O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [PPPOEO] pingppac.exe O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe O4 - HKLM\..\RunServices: [Dot.net Networking] SNSS32.EXE O4 - HKLM\..\RunServices: [rant] rant.exe O4 - HKLM\..\RunServices: [runs] run.exe O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe O4 - HKCU\..\Run: [NAV Auto Updates] csrssp.exe O4 - HKCU\..\Run: [rant] rant.exe O4 - HKCU\..\Run: [runs] run.exe O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%7 4/?re= O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%7 4/?re= O15 - Trusted Zone: .media-motor.net O15 - Trusted Zone: .popuppers.com Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system.exe C:\WINDOWS\System32\csrssp.exe C:\WINDOWS\fvutsu.exe C:\WINDOWS\a65d.exe C:\WINDOWS\System32\SNSS32.EXE C:\WINDOWS\newsd.exe C:\WINDOWS\System32\rant.exe C:\WINDOWS\System32\run.exe C:\WINDOWS\System32\pingppac.exe C:\WINDOWS\Downloaded Program Files\ieloader.exe C:\windows\system32\eliteexk32.exe C:\Program Files\Preview AdService C:\Program Files\ISTsvc rant.exe->>>>>> Do a search for this one. run.exe->>>>>>>Do a search for this one. Run cleanup again Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.