06-04-2005, 02:57 PM   #6
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Download and install CleanUp http://cleanup.stevengould.org/

Download DelDomains.inf
Right-click and select..... Save Target As

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then create a new restore point.

Now run the cleanup utility and reboot/logoff when prompted.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.


Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Network Security Service ( 11Fßä#·ºÄÖ`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{DF7B4507-13C3-06E8-197B-D732093994CA}
<--delete that folder

Close regedit

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\atlyd.exe
C:\WINDOWS\system32\ipba.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DF7B4507-13C3-06E8-197B-D732093994CA} - C:\WINDOWS\system32\appwo32.dll
O4 - HKLM\..\Run: [ipba.exe] C:\WINDOWS\system32\ipba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: http://www.redimps.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8516EA74-A176-478C-8C9A-C41D73DEDCA3}: NameServer = 194.74.65.68 194.72.9.38
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlyd.exe


Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\atlyd.exe
C:\WINDOWS\system32\ipba.exe
C:\WINDOWS\system32\appwo32.dll


Once you reboot..post another hijackthis log and silentrunners log along with the logs from the tools below....

Download Rkfiles.zip http://skads.org/special/rkfiles.zip
UNZIP the contents to a permanent folder on your desktop.

Download the following attachment remv3.zip http://forums.skads.org/index.php?showtopic=80
Make a folder on the root drive C:\ and unzip the files into it.

REBOOT TO SAFE MODE… These tools MUST be run in safe mode!!
Once in safe mode…

Double click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the dos window closes.
Open the C:\log.txt it created and rename it log1.txt.

Now Open the folder where you saved remv3.zip files and click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as its output file so make sure you save the entries from one tool before running the other as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.

So I need the following logs...

Hijackthis
Silentrunners
Rkfiles (log1.txt)
Remv3 (log.txt)
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
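The post above works through the indicators by hand (registry BHO key, Run value, the bogus service, the hijacked DNS servers, the Trusted Zone entry and the three dropped files). The script below is an added example, not MicroBell's code and not part of HijackThis, KillBox or the other tools he links. It is a read-only audit: it re-checks every indicator named in the post and reports what is still present, deleting nothing, so it can be run after the cleanup steps to confirm they took effect. It assumes the infection reuses the same names and paths listed in the post; the registry locations it reads are the standard Windows ones (the BHO and Run keys, the Tcpip Interfaces NameServer values, and the Internet Settings ZoneMap). The service's real short name is not in the post (only its garbled display name), so the service check matches on the "Network Security Service" display-name prefix and on the atlyd.exe image path.

```powershell
# Added audit script (not from the original post). Read-only: reports whether the
# indicators listed in the post are still present and deletes nothing.
# Indicator values (CLSID, file names, DNS servers, domain) come from the post.
$Clsid     = '{DF7B4507-13C3-06E8-197B-D732093994CA}'
$Files     = @("$env:SystemRoot\atlyd.exe",
               "$env:SystemRoot\system32\ipba.exe",
               "$env:SystemRoot\system32\appwo32.dll")
$BadDns    = @('194.74.65.68', '194.72.9.38')
$BadDomain = 'redimps.com'

function New-Finding($Kind, $Location, $Detail) {
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
}

function Get-PostIndicator {
    $found = @()

    # O2 - BHO registration, plus the DLL the CLSID resolves to via InprocServer32.
    $bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    if (Test-Path $bhoKey) {
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        $found += New-Finding 'BHO' $bhoKey $(if ($srv) { $srv.'(default)' } else { '(no InprocServer32)' })
    }

    # O4 - autostart value named ipba.exe under the HKLM Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['ipba.exe']) {
        $found += New-Finding 'Run' "$runKey\ipba.exe" $run.'ipba.exe'
    }

    # O23 - the bogus service; its short name is unknown, so match the display-name
    # prefix (the rest of the display name is garbage characters) or the image path.
    foreach ($svc in (Get-CimInstance Win32_Service -ErrorAction SilentlyContinue)) {
        if ($svc.DisplayName -like 'Network Security Service*' -or $svc.PathName -like '*\atlyd.exe*') {
            $found += New-Finding 'Service' $svc.Name "$($svc.State) / $($svc.StartMode) / $($svc.PathName)"
        }
    }

    # O17 - per-interface NameServer overrides pointing at the two hijack DNS servers.
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($if in (Get-ChildItem -Path $ifKey -ErrorAction SilentlyContinue)) {
        $ns = (Get-ItemProperty -Path $if.PSPath -ErrorAction SilentlyContinue).NameServer
        if ($ns) {
            $hits = @($ns -split '[ ,]+' | Where-Object { $BadDns -contains $_ })
            if ($hits.Count -gt 0) { $found += New-Finding 'NameServer' $if.PSChildName $ns }
        }
    }

    # O15 - Trusted Zone entry for the domain, in both hives and both ZoneMap tables
    # (Domains is used normally, EscDomains when Enhanced Security Configuration is on).
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($map in 'Domains', 'EscDomains') {
            $zk = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$map\$BadDomain"
            if (Test-Path $zk) { $found += New-Finding 'TrustedZone' $zk "$hive $map" }
        }
    }

    # Dropped files: the two executables and the BHO DLL.
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) {
            $found += New-Finding 'File' $f ("{0} bytes" -f (Get-Item -LiteralPath $f).Length)
        }
    }
    return $found
}

$result = @(Get-PostIndicator)
if ($result.Count -eq 0) {
    'No indicators from the post remain.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt before and after the removal steps: a clean run prints the single "No indicators" line, while any surviving item is listed with its kind and location so you know which manual step (regedit, services.msc, KillBox) to repeat. Because it only reads, it is also safe to run in Safe Mode at the same point the post has you checking the HijackThis entries.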