Tech Support Forum - View Single Post

greyknight17 · 03-18-2005, 10:02 AM

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

Right click on this link http://www.greyknight17.com/spy/RemoveSpyDeleter.reg and choose Save As. Save it and then double click on it to run it. Choose Yes and OK. You may delete this file afterwards.

1. Run CleanUp! program and click on CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.

2. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete App Paths

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

3. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File'.
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).

Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\WCDMLOG.dll
C:\WINDOWS\isrvs\
C:\WINDOWS\system32\q4860elsehq60.dll
C:\WINDOWS\system32\ktnol7531.dll

Under C:\Windows\Downloaded Program Files\ you may repair the last two that are damaged - just right click and choose repair. If it still causes problems, just delete them.

4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

5. Run HijackThis and do a scan. Check and fix the following:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD1.tmp\svcmm32.exe" /startup
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\q4860elsehq60.dll

Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

6. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (in Step 3 above) and kill them. Just follow through the same procedures (Steps 3 - 6) like before. Make sure NOT to reboot until you deleted those two files (otherwise the names will change again).

After that's done (or if you need more help), give us a new set of updated logs (2 PV logs, 1 notify.txt log, 1 VX2Finder log and 1 HijackThis log).

03-18-2005, 10:02 AM	#6 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Please print out the instructions here (or save it in Notepad) so that you can follow along more easily. This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so). Right click on this link http://www.greyknight17.com/spy/RemoveSpyDeleter.reg and choose Save As. Save it and then double click on it to run it. Choose Yes and OK. You may delete this file afterwards. 1. Run CleanUp! program and click on CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question. 2. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete App Paths If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. 3. Run KillBox now. a) Click on the 'Delete on Reboot' button. b) Check 'End Explorer Shell While Killing File'. c) Check 'Unregister .dll Before Deleting' for each file (if it's available). Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them): c:\recycler\desktop.ini C:\WINDOWS\system32\guard.tmp C:\WINDOWS\system32\WCDMLOG.dll C:\WINDOWS\isrvs\ C:\WINDOWS\system32\q4860elsehq60.dll C:\WINDOWS\system32\ktnol7531.dll Under C:\Windows\Downloaded Program Files\ you may repair the last two that are damaged - just right click and choose repair. If it still causes problems, just delete them. 4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode. 5. Run HijackThis and do a scan. Check and fix the following: O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD1.tmp\svcmm32.exe" /startup O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing) O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing) O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\q4860elsehq60.dll Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK. Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff. 6. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32\ and sort the files by date. There will/should be two new DLLs. -- If those O1 entries do return in HijackThis, paste those two files into KillBox (in Step 3 above) and kill them. Just follow through the same procedures (Steps 3 - 6) like before. Make sure NOT to reboot until you deleted those two files (otherwise the names will change again). After that's done (or if you need more help), give us a new set of updated logs (2 PV logs, 1 notify.txt log, 1 VX2Finder log and 1 HijackThis log). __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools