Hello again.
That's definitely progress. Let's see if we can get the rest.
Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it.
Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.
Reboot your system into Safe Mode: restart it and then repeatedly tap the F8 key until the menu appears, then select Safe Mode.
Open Hijack This. On the main screen, click Open the misc tools. Then click Delete an NT Service. In the box that pops up, paste in:
svcproc.exe
and click OK. Under "Other Stuff" in the bottom right-hand corner, click Back to return to the HJT scanning screen.
Now click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Owner\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - Global Startup: strings.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
Please close all other windows, including browsers, then click Fix checked.
Next, search for a file called strings.exe. Don't do anything with it yet -- just note its location.
Run Killbox (one of the programs you downloaded in the last fix). You'll need to paste the following list of files into Killbox one at a time. Check the Delete on Reboot box and the Unregistered DLL (if the latter is available -- it won't be every time). Click the red X, and it will ask to reboot now; click NO and proceed with the next file. Once you get to the last one, click YES so it will reboot. If you get a "Pending FileRename Operations Registry Data has been Removed by External Process!" message, then just restart manually. Here's the list of files to delete -- some of them may not exist:
C:\WINDOWS\system32\delfin0414.dll
C:\WINDOWS\system32\goldnew2b0414.dll
c:\windows\SvcProc.exe
strings.exe (that is, the one you just looked up)
Reboot your system into Safe Mode once more (again, this means repeatedly tapping F8 until the menu appears, then selecting Safe Mode). This is very important, as the following must be done in Safe Mode!
Now you need to run rkfiles.bat and rem.bat again. You should probably delete or move the logs you created with these tools last time around so there's no confusion between the old and new ones:
Double-click rkfiles.bat. It will scan for a while, so please be patient. Wait until the DOS window closes, then open the C:\log.txt it created and rename it log1.txt. This is important: both this tool and the next one use log.txt as the logfile name, so if you don't rename this one, it'll be overwritten when you run the next tool, and you don't want that!
Next, open the folder where you unzipped the remv3.zip files, and double-click the rem.bat file. Let it run. It will delete the files and remove the infection, and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.
Reboot back to normal mode.
In your next post, please include a fresh HijackThis log and the contents of both the log.txt and log1.txt (from the rkfiles and rem.bat scans).
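As an added illustration (not part of the post above or of HijackThis itself), the following Python triage script parses the O4 and O23 log-line formats shown in the post and applies a few defender heuristics that would have flagged exactly those entries: executables launched from a Temp directory, a startup item with no directory path, and a service with an unknown owner whose binary is missing. The sample log is constructed from the four entries quoted above plus one made-up benign entry; the heuristics are this example's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: the four entries from the post plus one made-up benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Owner\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - Global Startup: strings.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /quiet
""".strip().splitlines()

# Patterns for the three HijackThis line shapes that appear in the post.
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<folder>Global Startup|Startup): (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - '
                    r'(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')


def parse_line(line):
    """Return a dict describing a Run-key, startup-folder or service entry, or None."""
    if (m := RUN_RE.match(line)):
        return {'type': 'run', **m.groupdict()}
    if (m := STARTUP_RE.match(line)):
        return {'type': 'startup', **m.groupdict()}
    if (m := SVC_RE.match(line)):
        return {'type': 'service', **m.groupdict()}
    return None


def suspicious_reasons(entry):
    """Heuristics (assumed for this example) that flag the kinds of entries in the post."""
    reasons = []
    target = entry.get('cmd') or entry.get('path') or ''
    if re.search(r'\\Temp\\', target, re.IGNORECASE):
        reasons.append('launched from a Temp directory')
    if entry['type'] == 'startup' and '\\' not in target:
        reasons.append('startup item with no directory path')
    if entry['type'] == 'service' and entry['owner'] == 'Unknown owner':
        reasons.append('service with unknown owner')
    if entry.get('missing'):
        reasons.append('service binary missing on disk')
    return reasons


def triage(lines):
    """Return [(line, reasons)] for every parsed line that trips at least one heuristic."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := suspicious_reasons(entry)):
            flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line, '->', '; '.join(reasons))
```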