03-31-2005, 09:00 AM   #3
NealM
Registered User
Join Date: Feb 2005
Posts: 91
OS: Win XP Pro


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible: uncheck the "Hide protected operating system files" option.
Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Go into Hijack This -> Config -> Misc. Tools -> Open process manager. Select the following and click "Kill process" for each one (you must kill them one at a time).

F:\WINDOWS2\Bvv.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...12&gwCountry=BR
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS2\System32\kernels32.exe
O2 - BHO: (no name) - {94087010-979B-4559-A796-BA70D89C82E4} - F:\WINDOWS2\System32\nocdhea.dll
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS2\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3BB699-E52E-4F06-A378-30135350AB52}: NameServer = 200.149.55.142 200.165.132.155
O18 - Filter: text/html - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O18 - Filter: text/plain - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll


Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following files indicated in RED:

F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll
F:\WINDOWS2\System32\kernels32.exe
F:\WINDOWS2\System32\nocdhea.dll
F:\WINDOWS2\System32\Ehr.exe
F:\WINDOWS2\System32\Hoi.exe
F:\WINDOWS2\System32\Loe.exe
F:\WINDOWS2\Ssq.exe
F:\WINDOWS2\Ihi.exe
F:\WINDOWS2\System32\Ibt.exe
F:\WINDOWS2\Dtk.exe
F:\WINDOWS2\Gne.exe
F:\WINDOWS2\System32\Dsf.exe
F:\WINDOWS2\Odv.exe
F:\WINDOWS2\Bvv.exe
F:\WINDOWS2\System32\Fjd.exe
F:\WINDOWS2\Ggq.exe
F:\WINDOWS2\Rrg.exe
F:\WINDOWS2\Hef.exe
F:\WINDOWS2\System32\Oke.exe
F:\WINDOWS2\System32\Ncr.exe
F:\WINDOWS2\System32\Tpk.exe
F:\WINDOWS2\web\related.htm
F:\WINDOWS2\System32\vbsys2.dll



Reboot your System in normal mode.


Download CW-Shredder HERE


Download 'SpSeHjfix' to the desktop, then
right-click a blank part of the desktop and select New > Folder; call it spfix.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!


If you have a fast internet connection (broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the "autoclean" option when using Trend Micro.

Please post a fresh Hijack This log and the log that was created by 'SpSeHjfix', so that we can check if your system is clean.
__________________
Cheers


NealM
AMD Athlon XP2000 - Processor
512 RAM - Memory
HD1 - 15G
HD2 - 80G
NVIDIA GeForce FX 5200 - Graphics Card
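As an added example (not part of NealM's post and not code from the HijackThis tool), the following Python script parses HijackThis log lines like the ones quoted above, builds a de-duplicated list of the file paths they reference (the HKLM and HKCU Run entries name the same binaries, which is why the delete list above repeats them), and flags the entry types this post acts on: binaries run from a Temp folder, three-letter random executable names, an extra program appended to the system.ini Shell= line, O17 DNS overrides, O18 MIME filters and unnamed BHOs. The flagging heuristics and the regular expressions are this example's own assumptions, not HijackThis rules, and the sample log is a constructed excerpt of the entries in the post.

```python
import re

# Entries copied from the HijackThis log quoted above: a constructed excerpt, not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS2\System32\kernels32.exe
O2 - BHO: (no name) - {94087010-979B-4559-A796-BA70D89C82E4} - F:\WINDOWS2\System32\nocdhea.dll
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3BB699-E52E-4F06-A378-30135350AB52}: NameServer = 200.149.55.142 200.165.132.155
O18 - Filter: text/html - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
"""

ENTRY_RE = re.compile(r'^(R[0-3]|F[0-3]|O\d+) - (.*)$')        # "<code> - <body>"
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.(?:exe|dll|html?)', re.I)
SHORT_NAME_RE = re.compile(r'\\[A-Za-z]{3}\.exe$', re.I)          # heuristic, e.g. \Ehr.exe
IP_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def triage(log_text):
    """Return (unique file paths, [(code, finding), ...]) for a HijackThis excerpt."""
    files, findings = [], []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        for path in PATH_RE.findall(body):
            if path.lower() not in [f.lower() for f in files]:   # HKLM/HKCU repeat paths
                files.append(path)
            if '\\temp\\' in path.lower():
                findings.append((code, 'binary loaded from a Temp folder: ' + path))
            if code == 'O4' and SHORT_NAME_RE.search(path):
                findings.append((code, 'three-letter random executable name: ' + path))
        if code == 'F2' and 'Shell=' in body:
            extra = body.split('Shell=', 1)[1].split()[1:]        # anything after Explorer.exe
            if extra:
                findings.append((code, 'system.ini Shell= starts extra program(s): ' + ' '.join(extra)))
        if code == 'O17' and 'NameServer' in body:
            findings.append((code, 'DNS servers overridden: ' + ' '.join(IP_RE.findall(body))))
        if code == 'O18':
            findings.append((code, 'MIME filter hijack: ' + body))
        if code == 'O2' and '(no name)' in body:
            findings.append((code, 'unnamed Browser Helper Object: ' + body))
    return files, findings


if __name__ == '__main__':
    for code, note in triage(SAMPLE_LOG)[1]:
        print(code, note)
```

The legitimate KernelFaultCheck entry produces no finding, which is the point of keeping the heuristics narrow.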