07-07-2005, 09:55 AM   #4
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and perform everything in the right order!
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

Enable the viewing of Hidden files
* Open Windows Explorer
* Go to Tools > Folder Options > View tab.
* enable the option for "Show hidden files and folders"
* disable the option for "Hide file extensions for known types"
* disable the option for "Hide protected operating system files"
* click "Yes" to confirm & then click "OK"


  1. Close all open programs

    From the L2mfix folder on your desktop, double click L2mfix.bat
    • Select option #2 for Run Fix by typing "2" and then press enter
    • Press any key to reboot your computer.
    After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.

    Please Do NOT run any other files in the l2mfix folder until you are told to


  2. Download these additional files/programs :- (Do not run them unless instructed to do so)
    Unplug your computer from the Internet when you have finished downloading

    CleanUp! - Install

    KillBox v2.0.0.175 - Save to Desktop.

    Ewido Security Suite - Install & update its database, but do not run it yet.

    Nailfix - Unzip to the desktop

    FindIt's.zip - Unzip to a new folder on Desktop

    Process Explorer - Save to Desktop

    FindQoologic - Unzip to Desktop.



  3. Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
    • Media Access
    • Rich Editor
    • Windows AFA Internet Enhancement


  4. Run a scan with HiJackThis & locate an O4 entry that looks similar to this...
    O4 - HKLM\..\Run: [hacwte] c:\windows\system32\xppmshe.exe r
    The name might be different, but it resides in the system32 folder & has the letter "r" at the end. Close HiJackThis after you have identified this file. This is the file we need to use Process Explorer with.

    Run Process Explorer and find name & location of the file you've just identified in the list of Processes.
    Select the process and click Process > Suspend
    Leave Process Explorer running with the process suspended.


  5. Using KillBox

    Copy all the items below to the clipboard by highlighting them & pressing [CTRL]+[C] on your keyboard.
    • name & location of the file you've just identified
      c:\windows\system32\xppmshe.exe
      C:\Program Files\Media Access\MediaAccK.exe
      C:\Program Files\Media Access\MediaAccess.exe
      C:\WINDOWS\system32\PSof1.exe
      C:\WINDOWS\system32\richup.exe
      C:\WINDOWS\cfgmgr52.dll
      C:\WINDOWS\VCMnet11.exe
      C:\WINDOWS\system32\hhnjnk.exe reg
      C:\WINDOWS\system32\AUNPS2.DLL
      C:\WINDOWS\system32\mcwebdvd.dll
      C:\WINDOWS\system32\dcusic.dll
      C:\WINDOWS\svcproc.exe

    Start KillBox
    1. Go to the File menu, and choose Paste from Clipboard.
      Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
    2. Select/tick the following:
      • "Delete on Reboot"
      • "End Explorer Shell While Killing File"
      • "Unregister.dll Before Deleting" if it's not grayed out.
    3. Click the RED X button.
    4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

    * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, click here to download and run missingfilesetup.exe. Then try KillBox again.



  6. Reboot to SafeMode

    1. Shut Windows down, and then turn off the computer.
    2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
    3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
    4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.



  7. Remove a malware service.

    1. Click Start > Run - type services.msc.
    2. Locate the System Startup Service (SvcProc) service and double-click on it to open the Properties dialog.
    3. Click the Stop button.
    4. In the Startup type dropdown select Disabled.
    5. Click the Apply button and then the Ok button.
    6. Close the Services window
    7. Then start HiJackThis & go to Config > Misc.Tools... > Delete an NT service...
      In the popup box that appears, type in SvcProc & click the OK button.



  8. Locate and delete the following folder(s), if present:
    • C:\Program Files\Media Access\
    Locate and delete the following file(s), if present:
    • INSERT TEXT HERE
    Search for & delete ... using "Start>Search..." the following file(s), if present:
    • INSERT TEXT HERE


  9. Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


  10. Run Ewido:
    • Click Scanner
    • Click Complete System Scan to begin scanning.
    • Click OK when prompted to clean files
    • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
    • Once finished, click the Save report button
    • Save the report to your desktop
    Close Ewido


  11. Run a scan with HiJackThis & select (tick) the following & click [Fix checked] :

    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
    O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hhnjnk.exe reg_run
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [hacwte] c:\windows\system32\xppmshe.exe r
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0006.exe
    O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\mcwebdvd.dll (file missing)
    O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\dcusic.dll
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



  12. Run Cleanup!
    Set the program up as follows:
    1. Click Options...
    2. Move the arrow down to Custom CleanUp!
    3. Put a check next to the following:
      • Empty Recycle Bins
      • Delete Cookies
      • Delete Prefetch files
      • [X]Scan local drives for temporary files (Please uncheck this option)
      • Cleanup! All Users
    4. Click OK
    5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
    * CleanUp! will delete all the files in your temp folders without making a backup


  13. Reboot to NormalMode.

  14. Do an online scan at Panda
    Take note of the names and locations of any file it detects but fails to clean.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan


  15. Reboot again & run FindIt's.bat and wait for Notepad to open a text file. Please be patient, as it requires some time to finish running. Then post the results in your next reply.


  16. Run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file in your next post.


  17. Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.

In your next post, please include fresh copies of:
  • HiJackThis log
  • List of files that Panda failed to disinfect
  • Ewido's logs
  • FindIt's log
  • Find-Qoologic's log

Please provide details of any problems you encountered whilst performing the above steps.
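As an added example (not part of sUBs's post or of HijackThis itself), a small Python checker that parses HijackThis log lines and flags the entries matching the indicators the post lists: the KillBox file list from step 5, the randomly named system32 executable started with a lone "r" argument from step 4, and a service whose binary is missing from step 11. The sample log is constructed from the step 11 entries plus two benign lines (dumprep, SoundMan) added for contrast.

```python
import re
# Files the post tells the user to paste into KillBox (step 5 above), matched by file name.
REMOVAL_LIST = [
    r"c:\windows\system32\xppmshe.exe", r"C:\Program Files\Media Access\MediaAccK.exe",
    r"C:\Program Files\Media Access\MediaAccess.exe", r"C:\WINDOWS\system32\PSof1.exe",
    r"C:\WINDOWS\system32\richup.exe", r"C:\WINDOWS\cfgmgr52.dll", r"C:\WINDOWS\VCMnet11.exe",
    r"C:\WINDOWS\system32\hhnjnk.exe", r"C:\WINDOWS\system32\AUNPS2.DLL",
    r"C:\WINDOWS\system32\mcwebdvd.dll", r"C:\WINDOWS\system32\dcusic.dll", r"C:\WINDOWS\svcproc.exe",
]
# Compare on the file name only: HijackThis sometimes prints a bare name (RUNDLL32 AUNPS2.DLL).
REMOVAL_BASENAMES = {p.rsplit("\\", 1)[-1].lower() for p in REMOVAL_LIST}
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")  # "O4 - HKLM\..\Run: [name] command"
# Any .exe/.dll reference: a full drive path (may contain spaces) or a bare file name.
FILE_RE = re.compile(r"(?:[A-Za-z]:\\.+?|\w+)\.(?:exe|dll)", re.IGNORECASE)
# Step 4's description: a randomly named .exe in system32 launched with a lone "r" argument.
LONE_R_RE = re.compile(r"\\system32\\[a-z0-9]+\.exe r$", re.IGNORECASE)

# Constructed sample log: entries quoted in step 11 plus two benign lines (dumprep, SoundMan).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hacwte] c:\windows\system32\xppmshe.exe r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\dcusic.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

def parse_hjt(log_text):
    """Yield (section, body) for every 'Oxx - ...' line in a HijackThis log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def flag_entries(log_text):
    """Return [(section, body, reason)] for entries matching the post's indicators."""
    findings = []
    for section, body in parse_hjt(log_text):
        reasons = []
        hits = sorted({f.rsplit("\\", 1)[-1].lower() for f in FILE_RE.findall(body)} & REMOVAL_BASENAMES)
        if hits:
            reasons.append("on removal list: " + ", ".join(hits))
        if section == "O4" and LONE_R_RE.search(body):
            reasons.append("system32 .exe started with lone 'r' argument (step 4)")
        if section == "O23" and body.endswith("(file missing)"):
            reasons.append("service binary missing")
        if reasons:
            findings.append((section, body, "; ".join(reasons)))
    return findings
```

Running `flag_entries(SAMPLE_LOG)` reports the five malicious entries and leaves the dumprep and SoundMan lines alone.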