Tech Support Forum - View Single Post

kworley517 · 03-20-2005, 11:18 AM

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Do not run it yet...

Note:
I see you have P2P software installed on your machine (LimeWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I will make recommendations below for removal, which you can choose to ignore, where this P2P application is involved. I’ll leave the decision to you.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\windows\system32\cizyyewq.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\sys11-2134011857.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\Documents and Settings\user\Application Data\dart.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Media Access
WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg2.dll
O2 - BHO: (no name) - {D6715F67-CA88-B357-A92E-BFC9DBC66E90} - C:\WINDOWS\System32\ewi.dll
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cizyyewq] c:\windows\system32\cizyyewq.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [sys11-2134011857] C:\WINDOWS\sys11-2134011857.exe
O4 - HKCU\..\Run: [Asar] C:\Documents and Settings\user\Application Data\dart.exe
O4 - HKCU\..\Run: [Hto] C:\WINDOWS\System32\w?oaclt.exe
O4 - HKCU\..\Run: [gw2nROa9e] dmsptdll.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho...On/AlwaysOn.CAB
O16 - DPF: {298E1FE9-B230-4620-89E1-F821FF81F870} (ONCLUB Control) - http://onclub.co.kr/onclub/ONCLUB.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01308c1...ip/RdxIE601.cab
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA?¼OCA·I±×·?) - http://cdn.hangame.com/hangame/mess...g/HanWebMsg.cab

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\windows\system32\cizyyewq.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\sys11-2134011857.exe
C:\Documents and Settings\user\Application Data\dart.exe
C:\WINDOWS\dlmax.dll
C:\WINDOWS\System32\rtneg2.dll
C:\WINDOWS\System32\ewi.dll
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\w?oaclt.exe

AUNPS2.DLL -=> Do a search for this file and delete ALL instances found.
dmsptdll.exe -=> Do a search for this file and delete ALL instances found.

C:\Documents and Settings\All Users\Application Data\msw\
C:\Program Files\Media Access\
C:\Program Files\AWS\

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and post the contents of the LOG file in the forum.

03-20-2005, 11:18 AM	#3 (permalink)
kworley517 Analyst, Security Team Join Date: Feb 2005 Location: South Florida Posts: 538 OS: XP Pro	Here we go.... Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and we don't want them to be deleted. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Do not run it yet... Note: I see you have P2P software installed on your machine (LimeWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I will make recommendations below for removal, which you can choose to ignore, where this P2P application is involved. I’ll leave the decision to you. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\windows\system32\cizyyewq.exe C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe C:\WINDOWS\SysCheckBop32.exe C:\WINDOWS\sys11-2134011857.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe C:\Documents and Settings\user\Application Data\dart.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Media Access WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg2.dll O2 - BHO: (no name) - {D6715F67-CA88-B357-A92E-BFC9DBC66E90} - C:\WINDOWS\System32\ewi.dll O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [cizyyewq] c:\windows\system32\cizyyewq.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32 O4 - HKLM\..\Run: [sys11-2134011857] C:\WINDOWS\sys11-2134011857.exe O4 - HKCU\..\Run: [Asar] C:\Documents and Settings\user\Application Data\dart.exe O4 - HKCU\..\Run: [Hto] C:\WINDOWS\System32\w?oaclt.exe O4 - HKCU\..\Run: [gw2nROa9e] dmsptdll.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho...On/AlwaysOn.CAB O16 - DPF: {298E1FE9-B230-4620-89E1-F821FF81F870} (ONCLUB Control) - http://onclub.co.kr/onclub/ONCLUB.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01308c1...ip/RdxIE601.cab O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA?¼OCA·I±×·?) - http://cdn.hangame.com/hangame/mess...g/HanWebMsg.cab Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\windows\system32\cizyyewq.exe C:\WINDOWS\SysCheckBop32.exe C:\WINDOWS\sys11-2134011857.exe C:\Documents and Settings\user\Application Data\dart.exe C:\WINDOWS\dlmax.dll C:\WINDOWS\System32\rtneg2.dll C:\WINDOWS\System32\ewi.dll C:\WINDOWS\System32\pacis.exe C:\WINDOWS\System32\w?oaclt.exe AUNPS2.DLL -=> Do a search for this file and delete ALL instances found. dmsptdll.exe -=> Do a search for this file and delete ALL instances found. C:\Documents and Settings\All Users\Application Data\msw\ C:\Program Files\Media Access\ C:\Program Files\AWS\ Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and post the contents of the LOG file in the forum.