Tech Support Forum - View Single Post

**Omerr** · 07-06-2005, 02:23 PM

Hello and welcome to TSF

I just want to give you a good word: your thread was absolutely excellent, you really gave us the information needed and scanned how we asked you to. Good job with that!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

Download CWShredder http://www.greyknight17.com/spy/CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Save that log, we will use it later.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Download Hoster and run it. Choose the 'Restore Original Hosts' button and press OK.

Download CleanUP! and install it. Do NOT run it yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\System32\intel32.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

PSGuard

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 82.146.33.177 lloydstsb.co.uk
O1 - Hosts: 82.146.33.177 online.lloydstsb.co.uk
O1 - Hosts: 82.146.33.177 www.lloydstsb.co.uk
O1 - Hosts: 82.146.33.177 www.lloydstsb.com
O1 - Hosts: 82.146.33.177 personal.barclays.co.uk
O1 - Hosts: 82.146.33.177 barclays.co.uk
O1 - Hosts: 82.146.33.177 ibank.barclays.co.uk
O1 - Hosts: 82.146.33.177 www.barclays.co.uk
O1 - Hosts: 82.146.33.177 www.nwolb.com
O1 - Hosts: 82.146.33.177 nwolb.com
O1 - Hosts: 82.146.33.177 hsbc.co.uk
O1 - Hosts: 82.146.33.177 www.hsbc.co.uk
O1 - Hosts: 82.146.33.177 abbey.com
O1 - Hosts: 82.146.33.177 www.abbey.com
O1 - Hosts: 82.146.33.177 www.abbey.co.uk
O1 - Hosts: 82.146.33.177 abbey.co.uk
O1 - Hosts: 82.146.33.177 cahoot.com
O1 - Hosts: 82.146.33.177 www.cahoot.com
O1 - Hosts: 82.146.33.177 www.cahoot.co.uk
O1 - Hosts: 82.146.33.177 cahoot.co.uk
O1 - Hosts: 82.146.33.177 www.co-operativebank.co.uk
O1 - Hosts: 82.146.33.177 co-operativebank.co.uk
O1 - Hosts: 82.146.33.177 www.co-operativebank.com
O1 - Hosts: 82.146.33.177 co-operativebank.com
O1 - Hosts: 82.146.33.177 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 82.146.33.177 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 82.146.33.177 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 82.146.33.177 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 82.146.33.177 www.smile.co.uk
O1 - Hosts: 82.146.33.177 smile.co.uk
O1 - Hosts: 82.146.33.177 www.cajamar.es
O1 - Hosts: 82.146.33.177 cajamar.es
O1 - Hosts: 82.146.33.177 www.cajamar.com
O1 - Hosts: 82.146.33.177 www.unicaja.es
O1 - Hosts: 82.146.33.177 unicaja.es
O1 - Hosts: 82.146.33.177 www.unicaja.com
O1 - Hosts: 82.146.33.177 unicaja.com
O1 - Hosts: 82.146.33.177 www.caixagalicia.es
O1 - Hosts: 82.146.33.177 caixagalicia.es
O1 - Hosts: 82.146.33.177 www.caixagalicia.com
O1 - Hosts: 82.146.33.177 caixagalicia.com
O1 - Hosts: 82.146.33.177 activa.caixagalicia.es
O1 - Hosts: 82.146.33.177 www.caixapenedes.es
O1 - Hosts: 82.146.33.177 caixapenedes.es
O1 - Hosts: 82.146.33.177 www.caixapenedes.com
O1 - Hosts: 82.146.33.177 caixapenedes.com
O1 - Hosts: 82.146.33.177 bancae.caixapenedes.com
O1 - Hosts: 82.146.33.177 www.caixasabadell.es
O1 - Hosts: 82.146.33.177 caixasabadell.es
O1 - Hosts: 82.146.33.177 www.caixasabadell.net
O1 - Hosts: 82.146.33.177 caixasabadell.net
O1 - Hosts: 82.146.33.177 www.cajamadrid.es
O1 - Hosts: 82.146.33.177 cajamadrid.es
O1 - Hosts: 82.146.33.177 www.cajamadrid.com
O1 - Hosts: 82.146.33.177 cajamadrid.com
O1 - Hosts: 82.146.33.177 oi.cajamadrid.es
O1 - Hosts: 82.146.33.177 www.ccm.es
O1 - Hosts: 82.146.33.177 ccm.es
O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky-labs.com
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O2 - BHO: (no name) - {F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} - C:\WINDOWS\System32\imal.dll
O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O18 - Filter: text/html - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll
O18 - Filter: text/plain - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Folder indicated in BLUE if it still exists:

C:\Program Files\PSGuard

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\imal.dll
F:\INSTALL4\INS3DT.EXE

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would liek to keep stored in these locations, Move them now!!!

Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

Please scan again with HijackThis to get a new log.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, along with SpSeHjfix’s log, so we can make sure your system is clean.

07-06-2005, 02:23 PM	#3 (permalink)
Omerr TSF Enthusiast Join Date: Feb 2005 Location: Israel Posts: 1,032 OS: XP Proffesional	Hello and welcome to TSF I just want to give you a good word: your thread was absolutely excellent, you really gave us the information needed and scanned how we asked you to. Good job with that! Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process. Download CWShredder http://www.greyknight17.com/spy/CWShredder.exe Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98. Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Save that log, we will use it later. If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage. Now run the CWShredder and hit the Fix button. Download Hoster and run it. Choose the 'Restore Original Hosts' button and press OK. Download CleanUP! and install it. Do NOT run it yet. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time). C:\WINDOWS\System32\intel32.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: PSGuard Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\gaming\LOCALS~1\Temp\se.dll/spage.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O1 - Hosts: 82.146.33.177 lloydstsb.co.uk O1 - Hosts: 82.146.33.177 online.lloydstsb.co.uk O1 - Hosts: 82.146.33.177 www.lloydstsb.co.uk O1 - Hosts: 82.146.33.177 www.lloydstsb.com O1 - Hosts: 82.146.33.177 personal.barclays.co.uk O1 - Hosts: 82.146.33.177 barclays.co.uk O1 - Hosts: 82.146.33.177 ibank.barclays.co.uk O1 - Hosts: 82.146.33.177 www.barclays.co.uk O1 - Hosts: 82.146.33.177 www.nwolb.com O1 - Hosts: 82.146.33.177 nwolb.com O1 - Hosts: 82.146.33.177 hsbc.co.uk O1 - Hosts: 82.146.33.177 www.hsbc.co.uk O1 - Hosts: 82.146.33.177 abbey.com O1 - Hosts: 82.146.33.177 www.abbey.com O1 - Hosts: 82.146.33.177 www.abbey.co.uk O1 - Hosts: 82.146.33.177 abbey.co.uk O1 - Hosts: 82.146.33.177 cahoot.com O1 - Hosts: 82.146.33.177 www.cahoot.com O1 - Hosts: 82.146.33.177 www.cahoot.co.uk O1 - Hosts: 82.146.33.177 cahoot.co.uk O1 - Hosts: 82.146.33.177 www.co-operativebank.co.uk O1 - Hosts: 82.146.33.177 co-operativebank.co.uk O1 - Hosts: 82.146.33.177 www.co-operativebank.com O1 - Hosts: 82.146.33.177 co-operativebank.com O1 - Hosts: 82.146.33.177 welcome2.co-operativebankonline.co.uk O1 - Hosts: 82.146.33.177 welcome6.co-operativebankonline.co.uk O1 - Hosts: 82.146.33.177 welcome8.co-operativebankonline.co.uk O1 - Hosts: 82.146.33.177 welcome10.co-operativebankonline.co.uk O1 - Hosts: 82.146.33.177 www.smile.co.uk O1 - Hosts: 82.146.33.177 smile.co.uk O1 - Hosts: 82.146.33.177 www.cajamar.es O1 - Hosts: 82.146.33.177 cajamar.es O1 - Hosts: 82.146.33.177 www.cajamar.com O1 - Hosts: 82.146.33.177 www.unicaja.es O1 - Hosts: 82.146.33.177 unicaja.es O1 - Hosts: 82.146.33.177 www.unicaja.com O1 - Hosts: 82.146.33.177 unicaja.com O1 - Hosts: 82.146.33.177 www.caixagalicia.es O1 - Hosts: 82.146.33.177 caixagalicia.es O1 - Hosts: 82.146.33.177 www.caixagalicia.com O1 - Hosts: 82.146.33.177 caixagalicia.com O1 - Hosts: 82.146.33.177 activa.caixagalicia.es O1 - Hosts: 82.146.33.177 www.caixapenedes.es O1 - Hosts: 82.146.33.177 caixapenedes.es O1 - Hosts: 82.146.33.177 www.caixapenedes.com O1 - Hosts: 82.146.33.177 caixapenedes.com O1 - Hosts: 82.146.33.177 bancae.caixapenedes.com O1 - Hosts: 82.146.33.177 www.caixasabadell.es O1 - Hosts: 82.146.33.177 caixasabadell.es O1 - Hosts: 82.146.33.177 www.caixasabadell.net O1 - Hosts: 82.146.33.177 caixasabadell.net O1 - Hosts: 82.146.33.177 www.cajamadrid.es O1 - Hosts: 82.146.33.177 cajamadrid.es O1 - Hosts: 82.146.33.177 www.cajamadrid.com O1 - Hosts: 82.146.33.177 cajamadrid.com O1 - Hosts: 82.146.33.177 oi.cajamadrid.es O1 - Hosts: 82.146.33.177 www.ccm.es O1 - Hosts: 82.146.33.177 ccm.es O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru O1 - Hosts: 17.145.117.11 www.kaspersky.ru O1 - Hosts: 17.145.117.11 kaspersky.ru O1 - Hosts: 17.145.117.11 kaspersky-labs.com O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com O2 - BHO: (no name) - {F4A7AAC1-A2EB-49B7-8043-7421F4F25C8A} - C:\WINDOWS\System32\imal.dll O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe O18 - Filter: text/html - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll O18 - Filter: text/plain - {98FB572A-D936-4FD8-AF60-C693779D20DC} - C:\WINDOWS\System32\imal.dll *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Folder indicated in BLUE if it still exists: C:\Program Files\PSGuard Delete the following Files indicated in RED if they still exist: C:\WINDOWS\System32\intel32.exe C:\WINDOWS\System32\imal.dll F:\INSTALL4\INS3DT.EXE Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: • Empty Recycle Bins • Delete Cookies • Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck* this option) • Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would liek to keep stored in these locations, Move them now!!! Reboot your system in Normal Mode. Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log. Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us. Please scan again with HijackThis to get a new log. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. Now give us a new HijackThis Analyzer log, along with SpSeHjfix’s log, so we can make sure your system is clean. __________________ I am here in order to help you.