If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the “autoclean” option when prompted to do so.
Download and install CleanUp: http://cleanup.stevengould.org/
Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{B109FAA8-EEB1-49C6-81F2-71B8AEC12546}\SECURITY.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DECEF43B-1200-4816-B4A0-E6A07D740A68}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://aragorn.briars.net/tsweb/msrdp.cab
C:\WINDOWS\System32\Services <--delete that folder
C:\WINDOWS\System32\spoolsrv32.exe <--delete that file
C:\Windows\desktop.html <--delete that file if you have it.
Now locate and delete ANY of these files below.
Files dropped in the C:\windows\system32 folder:
C:\Documents and Settings\useraccount\Application Data\osse.exe <--delete that if you have it. If another file is there, post it here.
Run the CleanUp utility and reboot/logoff when prompted. Reboot back to normal mode and post another HijackThis log.
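
The O4 autostart entries listed in the post above can be triaged automatically before a human reviews the log. The following is an added example, not part of the original post and not HijackThis's own logic; the three heuristics and the `ExampleTray` line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# O4 lines copied from the post above; the last one is a constructed benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{B109FAA8-EEB1-49C6-81F2-71B8AEC12546}\SECURITY.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DECEF43B-1200-4816-B4A0-E6A07D740A68}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.+?)\] (.+)$")
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)
# Assumed heuristic: Windows system binary names and the only path they belong at.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32\svchost.exe"}

def parse_o4(log):
    """Yield (hive, key, name, path) for each O4 autostart line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def triage(log):
    """Return {path: [reasons]} for autostart entries that merit a closer look."""
    findings = defaultdict(list)
    hives_by_target = defaultdict(set)
    for hive, key, name, path in parse_o4(log):
        lower = path.lower()
        base = lower.rsplit("\\", 1)[-1]
        if GUID_DIR_RE.search(path):
            findings[path].append("runs from a GUID-named directory")
        if base in SYSTEM_BINARIES and lower != SYSTEM_BINARIES[base]:
            findings[path].append("system binary name outside its normal path")
        if key == "RunOnce":
            hives_by_target[path].add(hive)
    # A RunOnce value should vanish after one run; the same target in both hives stands out.
    for path, hives in hives_by_target.items():
        if len(hives) > 1:
            findings[path].append("same RunOnce target in HKLM and HKCU")
    return dict(findings)

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

A flagged entry is a prompt for manual review, not proof of infection; legitimate software can trip the same heuristics.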