04-21-2005, 07:55 AM   #3
jgvernonco

Greetings, and welcome to TSF!

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.



Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"


===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\documents and settings\sagar\local settings\temp\LMp.exe
C:\WINDOWS\System32\2qdsrch1.exe
C:\documents and settings\ishwin\local settings\temp\REVTdgxuC.exe
C:\documents and settings\ishwin\local settings\temp\x6bz5a.exe
C:\documents and settings\ishwin\local settings\temp\Mz8pHTEjf.exe
C:\documents and settings\ishwin\local settings\temp\PUkMVP0vv.exe
C:\WINDOWS\system32\2jdsrch2.exe
C:\WINDOWS\system32\d?xplore.exe
C:\Documents and Settings\SAGAR\Application Data\othb.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u taQkmd9.dll
regsvr32 /u rwer.dll

It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, and with HiJackThis in its current location we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\SAGAR\Application Data\Mozilla\Profiles\default\e79s20x5.slt\prefs.js)

O2 - BHO: (no name) - {4FAA4628-B113-02EA-8A52-64550DF12A1B} - C:\WINDOWS\System32\eynhu.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\SAGAR\Local Settings\Temp\taQkmd9.dll
O2 - BHO: (no name) - {E9203F32-D6FA-8E07-843E-814DF0AE73BB} - C:\WINDOWS\system32\rwer.dll

O4 - HKLM\..\Run: [an455f9z.exe] C:\WINDOWS\an455f9z.exe /dk
O4 - HKLM\..\Run: [LMp] C:\documents and settings\sagar\local settings\temp\LMp.exe
O4 - HKLM\..\Run: [5d1b953b8067] C:\WINDOWS\System32\2qdsrch1.exe
O4 - HKLM\..\Run: [Upsfc] C:\DOCUME~1\SHYAM\LOCALS~1\Temp\app1F.tmp
O4 - HKLM\..\Run: [LMp.exe] C:\documents and settings\sagar\local settings\temp\LMp.exe
O4 - HKLM\..\Run: [Mz8pHTEjf] C:\documents and settings\ishwin\local settings\temp\Mz8pHTEjf.exe
O4 - HKLM\..\Run: [REVTdgxuC] C:\documents and settings\ishwin\local settings\temp\REVTdgxuC.exe
O4 - HKLM\..\Run: [x6bz5a] C:\documents and settings\ishwin\local settings\temp\x6bz5a.exe
O4 - HKLM\..\Run: [PUkMVP0vv] C:\documents and settings\ishwin\local settings\temp\PUkMVP0vv.exe
O4 - HKLM\..\Run: [Mz8pHTEjf.exe] C:\documents and settings\ishwin\local settings\temp\Mz8pHTEjf.exe
O4 - HKLM\..\Run: [REVTdgxuC.exe] C:\documents and settings\ishwin\local settings\temp\REVTdgxuC.exe
O4 - HKLM\..\Run: [x6bz5a.exe] C:\documents and settings\ishwin\local settings\temp\x6bz5a.exe
O4 - HKLM\..\Run: [PUkMVP0vv.exe] C:\documents and settings\ishwin\local settings\temp\PUkMVP0vv.exe
O4 - HKLM\..\Run: [beb797a8c493] C:\WINDOWS\system32\2jdsrch2.exe
O4 - HKCU\..\Run: [Bbkte] C:\WINDOWS\system32\d?xplore.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\SAGAR\Application Data\othb.exe

O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} (UDConnect Class) - http://17.sharedsource.org/html/Nrs..._1.0.0.1ie.cab?
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...iker/wtinst.cab


Now, with all windows closed except HiJackThis, click "Fix checked".

===============


When you're done, rescan your system and make sure the following isn't present:

N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src

If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok and won't be deleted; it's the java wrapper marked in red that needs to be removed.

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\documents and settings\sagar\local settings\temp\LMp.exe
C:\WINDOWS\System32\2qdsrch1.exe
C:\documents and settings\ishwin\local settings\temp\REVTdgxuC.exe
C:\documents and settings\ishwin\local settings\temp\x6bz5a.exe
C:\documents and settings\ishwin\local settings\temp\Mz8pHTEjf.exe
C:\documents and settings\ishwin\local settings\temp\PUkMVP0vv.exe
C:\WINDOWS\system32\2jdsrch2.exe
C:\Documents and Settings\SAGAR\Application Data\othb.exe
C:\Documents and Settings\SAGAR\Local Settings\Temp\taQkmd9.dll
C:\WINDOWS\system32\rwer.dll
C:\WINDOWS\an455f9z.exe
C:\DOCUME~1\SHYAM\LOCALS~1\Temp\app1F.tmp

-

Note that some of these file(s) may or may not be present. If they are present and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.
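Added example, not part of jgvernonco's post and not HijackThis code: a small Python filter over the O2/O4 log lines quoted above that flags the traits the reply acts on (loaders running from a Temp folder, a BHO whose file is missing, a .tmp registered as an autorun, and a path character Windows does not allow). The sample input is copied from the post plus one constructed benign ctfmon.exe entry so there is something that passes.

```python
import re

# O2/O4 entries copied from the HijackThis log quoted in the post, plus one
# constructed benign ctfmon.exe entry so the filter has something to pass.
HJT_LINES = r"""
O2 - BHO: (no name) - {4FAA4628-B113-02EA-8A52-64550DF12A1B} - C:\WINDOWS\System32\eynhu.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\SAGAR\Local Settings\Temp\taQkmd9.dll
O4 - HKLM\..\Run: [LMp] C:\documents and settings\sagar\local settings\temp\LMp.exe
O4 - HKLM\..\Run: [Upsfc] C:\DOCUME~1\SHYAM\LOCALS~1\Temp\app1F.tmp
O4 - HKCU\..\Run: [Bbkte] C:\WINDOWS\system32\d?xplore.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2 (Browser Helper Object): name, CLSID, path, optional "(file missing)" note.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4 (Run key): hive, value name in [], then the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# Split the executable path off any trailing arguments (e.g. "...\x.exe /dk").
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|tmp))(?:\s|$)", re.IGNORECASE)

def reasons_for(path, missing=False):
    """Heuristics mirroring what the reply singles out for removal."""
    reasons = []
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        reasons.append("runs from a Temp folder")
    if missing:
        reasons.append("file missing")
    if "?" in path:  # '?' cannot occur in a real Windows path
        reasons.append("illegal path character")
    if path.lower().endswith(".tmp"):
        reasons.append(".tmp registered as an autorun")
    return reasons

def flag_entries(log_text):
    """Return [(kind, path, reasons)] for every O2/O4 line that trips a rule."""
    flagged = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            kind, path = "O2", m["path"]
            why = reasons_for(path, missing=bool(m["missing"]))
        elif m := O4_RE.match(line):
            e = EXE_RE.match(m["cmd"])
            kind, path = "O4", (e["path"] if e else m["cmd"])
            why = reasons_for(path)
        else:
            continue
        if why:
            flagged.append((kind, path, why))
    return flagged
```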