03-31-2005, 09:37 PM   #5
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Hi and Welcome to TSF

You have more than 1 infection taking place. You got one on the first fix and we will attack the others. Understand this will take several steps. Please print these instructions out so you can follow along. Do not MISS or SKIP a step.

Make sure system restore is enabled and make a restore point. This is so that if you make a mistake you can restore the OS. Once you're fixed..we will address the restore folder.

Download Hoster http://members.aol.com/toadbee/hoster.zip
Download and install CleanUp http://cleanup.stevengould.org/

Download the attachment I posted here called fixsec.txt. Save it to your desktop. Now rename it to fixsec.reg. DO NOT run it yet.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but make sure).

F:\WINDOWS2\System32\Dbk.exe
F:\WINDOWS2\System32\Jun.exe
F:\WINDOWS2\System32\Pic.exe
F:\WINDOWS2\System32\Klg.exe
F:\WINDOWS2\System32\Cre.exe
F:\WINDOWS2\System32\Jvh.exe
F:\WINDOWS2\System32\Uoq.exe
F:\WINDOWS2\System32\Lvv.exe
F:\WINDOWS2\Dhf.exe
F:\WINDOWS2\Lts.exe
F:\WINDOWS2\Idt.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...12&gwCountry=BR
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKLM\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKLM\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKLM\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKLM\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKLM\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKLM\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKLM\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKLM\..\Run: [AMonitor] F:\Program Files\TPF4\amon.exe
O4 - HKLM\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKLM\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKLM\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKLM\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKLM\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKLM\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKLM\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKLM\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKLM\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKLM\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKLM\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKLM\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKCU\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKCU\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKCU\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKCU\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKCU\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKCU\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKCU\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKCU\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKCU\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKCU\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKCU\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKCU\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKCU\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKCU\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKCU\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKCU\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKCU\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKCU\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll (file missing)


Delete ALL those 3 letter files above and these files that I listed below..

F:\WINDOWS2\winpos.exe
F:\WINDOWS2\System32\vbsys2.dll
c:\WINDOWS\Aja.html
c:\WINDOWS\Cjr.exe
c:\WINDOWS\desktop.html
c:\WINDOWS\popup.html
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_46.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_48.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_50.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_52.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_54.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_56.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_57.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_58.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_60.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_62.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_64.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_66.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_68.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_70.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_72.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_73.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_74.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_75.xml
c:\WINDOWS\system32\Hcc.exe
c:\WINDOWS\PCHEALT <--folder

FDI.EXE <--locate and delete that one!!

Open the hoster file and run the program to restore your hosts file.

Navigate to the C:\Windows\Prefetch folder and delete all files in that folder

Run the cleanup utility and reboot/logoff when prompted.

Reboot back to normal mode. Now double click that fixsec.reg file we made and merge it into the registry. If it asks you..say YES to merge.

Once that's merged...reboot the PC.

Now..once you're back to normal windows..right click on the desktop..select properties...desktop..customize desktop...web..and uncheck anything listed. Now highlight and delete any entry that says security..or anything other than the default "My Current Homepage". Leave that entry be.

Run the cleanup utility again...reboot. Once back to normal windows post another hijackthis log. If those O4 entries are back...repeat the process as you missed a file for deletion. You MUST get them all..otherwise this thing reinstalls itself.
Attached Files
File Type: txt fixsec.txt (1.9 KB, 123 views)
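A defender-side triage helper, added here as an example; it is not part of MicroBell's post, the fixsec.reg attachment, or any TSF tool. It parses HijackThis O4 lines like the ones quoted above, flags the Run targets that follow this dropper's naming (a capitalised three-letter Xxx.exe sitting directly in the Windows folder or its System32), builds the file deletion list from them, and reports which entries persist under both HKLM and HKCU, which is the doubled persistence that makes the infection come back when one file is missed. The sample lines are copied from the log in the post; the naming rule and the function names are my assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: a few O4 lines copied from the HijackThis log quoted in
# the post above, plus one legitimate Run entry (amon.exe) and one non-O4 line
# for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [AMonitor] F:\Program Files\TPF4\amon.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll (file missing)
"""

RunEntry = namedtuple("RunEntry", "hive name path")

# An O4 line reads:  O4 - HKLM\..\Run: [value name] C:\path\to\file.exe
O4_RE = re.compile(r"^O4 - (HK[A-Z]{2})\\\.\.\\Run: \[([^\]]+)\] (.+?)\s*$")

# Assumed naming rule for this dropper: capitalised three-letter names such as
# Ehr.exe or Ssq.exe (kept case-sensitive because the log shows them that way).
THREE_LETTER_RE = re.compile(r"^[A-Z][a-z]{2}\.exe$")


def parse_o4(log_text):
    """Return the O4 (autostart Run key) entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def in_windows_dir(path):
    """True if the file sits directly in the Windows folder or its System32."""
    parts = path.split("\\")
    if len(parts) < 3 or not parts[1].upper().startswith("WINDOWS"):
        return False
    # <drive>\WINDOWS\file.exe  or  <drive>\WINDOWS\System32\file.exe
    return len(parts) == 3 or (len(parts) == 4 and parts[2].lower() == "system32")


def is_random_three_letter(path):
    """Flag a Run target that matches the dropper's naming: Xxx.exe in the Windows dir."""
    filename = path.rsplit("\\", 1)[-1]
    return in_windows_dir(path) and THREE_LETTER_RE.match(filename) is not None


def triage(log_text):
    """Summarise the O4 entries: which to fix, which files to delete, and which
    value names persist in both hives (the 'reinstalls itself' pattern)."""
    entries = parse_o4(log_text)
    suspicious = [e for e in entries if is_random_three_letter(e.path)]

    hives_by_key = {}
    for e in suspicious:
        hives_by_key.setdefault((e.name, e.path), set()).add(e.hive)
    doubled = sorted(
        name for (name, _), hives in hives_by_key.items() if {"HKLM", "HKCU"} <= hives
    )

    return {
        "suspicious": suspicious,
        "doubled": doubled,
        "delete_list": sorted({e.path for e in suspicious}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['suspicious'])} suspicious O4 entries to fix in HijackThis:")
    for e in report["suspicious"]:
        print(f"  O4 - {e.hive}\\..\\Run: [{e.name}] {e.path}")
    print("files to delete once the processes are killed:")
    for p in report["delete_list"]:
        print("  ", p)
    print("persisted in both HKLM and HKCU:", ", ".join(report["doubled"]))
```

Run it against a saved HijackThis log instead of SAMPLE_LOG to get the fix list and the deletion list in one pass; an entry that shows up in the "both hives" line is one to double-check after the reboot, since the post's warning is exactly that a single missed file re-creates all of them.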