Tech Support Forum - View Single Post - I got some adware or something![RESOLVED]

**blackduck30** · 04-21-2005, 08:56 PM

In the future can you please post logs in seperate thread to stop any change of confusion
.......................................................
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download cwsserviceremove.zip.[*]Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.[*]Please do not do anything with it yet.

Download CWShredder and install it. Click on 'I Agree' button if you agree with it. We will use this later.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results.
We will use this later.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. We will use this later.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your the Desktop. Do not run it yet.

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Click on New.Net on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Reboot into Safe Mode (hit F8 key until menu shows up).

Go to Start->Run and type in services.msc and hit OK. Then look for Workstation NetLogon Service Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\d3gb.exe
C:\WINDOWS\system32\sdkdy.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {D9E4FCE9-DD60-AD26-B07D-BFB00720C50B} - C:\WINDOWS\system32\ipqb32.dll

O4 - HKLM\..\Run: [sdkdy.exe] C:\WINDOWS\system32\sdkdy.exe
O4 - HKLM\..\RunOnce: [d3gb.exe] C:\WINDOWS\system32\d3gb.exe

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysbh32.exe (file missing)

Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\d3gb.exe
C:\WINDOWS\system32\sdkdy.exe
C:\WINDOWS\system32\aeook.dll
C:\WINDOWS\system32\ipqb32.dll
C:\WINDOWS\sysbh32.exe

Run the cwsserviceremover

Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Run Spybot-S&D
Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Run cwsshredder

Run Cleanup

Run Adaware

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

04-21-2005, 08:56 PM	#6 (permalink)
blackduck30 TSF Enthusiast Join Date: Sep 2004 Location: Wollongong/Australia Posts: 4,230 OS: XP pro SP3/Vista Ultimate My System	first log In the future can you please post logs in seperate thread to stop any change of confusion ....................................................... Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download cwsserviceremove.zip.[]Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.[]Please do not do anything with it yet. Download CWShredder and install it. Click on 'I Agree' button if you agree with it. We will use this later. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. We will use this later. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. We will use this later. Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your the Desktop. Do not run it yet. Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Click on New.Net on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts. Reboot into Safe Mode (hit F8 key until menu shows up). Go to Start->Run and type in services.msc and hit OK. Then look for Workstation NetLogon Service Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\d3gb.exe C:\WINDOWS\system32\sdkdy.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\aeook.dll/sp.html#60392 R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {D9E4FCE9-DD60-AD26-B07D-BFB00720C50B} - C:\WINDOWS\system32\ipqb32.dll O4 - HKLM\..\Run: [sdkdy.exe] C:\WINDOWS\system32\sdkdy.exe O4 - HKLM\..\RunOnce: [d3gb.exe] C:\WINDOWS\system32\d3gb.exe O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysbh32.exe (file missing) Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\d3gb.exe C:\WINDOWS\system32\sdkdy.exe C:\WINDOWS\system32\aeook.dll C:\WINDOWS\system32\ipqb32.dll C:\WINDOWS\sysbh32.exe Run the cwsserviceremover Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here. Run Spybot-S&D Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation. Run cwsshredder Run Cleanup Run Adaware Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ Blackduck30 Time is like money and milk, It's always running out Any Donations Help Keep TSF Free For All Last edited by blackduck30; 04-21-2005 at 08:58 PM.