06-05-2005, 02:45 AM   #8
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


The Nav issue may or may not be related to this infection. Anyway...we still got some cleaning to do....

Download Hoster http://www.greyknight17.com/spy/Hoster.exe

Run the cleanup utility and reboot/logoff when prompted. Reboot back into safe mode.

Run HijackThis and fix the following entries...

O17 - HKLM\System\CCS\Services\Tcpip\..\{8516EA74-A176-478C-8C9A-C41D73DEDCA3}: NameServer = 194.74.65.68 194.72.9.38

Now run the hoster program and select "Restore Hosts File"

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\system32\addlo32.dll
C:\WINDOWS\system32\apiuf.dll
C:\WINDOWS\system32\atleh32.dll
C:\WINDOWS\system32\sysyy32.exe
C:\WINDOWS\addgk32.dll
C:\WINDOWS\apife32.exe
C:\WINDOWS\crol32.dll
C:\WINDOWS\mfcqx.dll
C:\WINDOWS\sdkpv.dll


Once rebooted post another hijackthis and Rkfiles logs..and the log from the following tool....

Please empty any Quarantine folder in your antivirus, empty your recycle bin and purge/delete all recovery items in the spybot program if you use it…BEFORE!!! running this tool.

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file. (This is a stand-alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane (Bottom Window)
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file. DO NOT post the log from the “View Log” button as that log does NOT contain the info we are after.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
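Added example, not part of MicroBell's post: a small Python parser that pulls the O17 (per-interface DNS) lines out of a HijackThis log and reports NameServer addresses that are not on a list of resolvers you expect, which is the check behind the O17 fix above. The sample log reuses the O17 line from the post; the other log lines and the expected resolver `192.168.1.1` are constructed for illustration.

```python
import ipaddress
import re

# HijackThis O17 line layout: "O17 - <registry key>: <value name> = <data>"
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<name>NameServer|Domain|SearchList) = (?P<data>.*)$"
)

# First O17 line is the one quoted in the post; the rest is constructed sample data.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8516EA74-A176-478C-8C9A-C41D73DEDCA3}: NameServer = 194.74.65.68 194.72.9.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Return (key, value name, [items]) for each O17 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # NameServer data may be space- or comma-separated.
            items = [i for i in re.split(r"[,\s]+", m.group("data").strip()) if i]
            entries.append((m.group("key"), m.group("name"), items))
    return entries


def unexpected_nameservers(log_text, expected):
    """List (key, address) for NameServer entries outside the expected resolvers."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for key, name, items in parse_o17(log_text):
        if name != "NameServer":
            continue
        for item in items:
            try:
                ip = ipaddress.ip_address(item)
            except ValueError:
                findings.append((key, item))  # not a valid IP: report as-is
                continue
            if ip not in allowed:
                findings.append((key, str(ip)))
    return findings


if __name__ == "__main__":
    for key, addr in unexpected_nameservers(SAMPLE_LOG, ["192.168.1.1"]):
        print(f"unexpected DNS server {addr} on {key}")
```

An address being reported only means it is not on your expected list; confirm against the resolvers your ISP or router actually hands out before fixing the entry.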