And We're Back!
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
Notes
Let's get Cracking!
Downloads
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Download CleanUp! and install it.
DO NOT RUN IT YET
Download KillBox.
DO NOT RUN IT YET
Download rkfiles and unzip the contents to a new folder on your desktop.
DO NOT RUN IT YET
Download remv3.zip (look for the attachment to download). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.
DO NOT RUN IT YET
View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Boot Into Safe Mode
Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).
Stop Potentially Running Processes
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):
C:\WINNT\System32\malhpu.exe
Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\malhpu.exe reg_run
O4 - HKLM\..\RunServicesOnce: [MDAC_20SP2] C:\DRV\AADELETE.EXE
Check all the entries with the prefix "O16".
Please remember to close all other windows, including browsers, then click Fix checked.
Run Downloaded Programs
1. Double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.
2. Now open the folder where you saved the remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.
**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.
File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINNT\cfgmgr52.dll
C:\WINNT\System32\PSof1.exe
C:\WINNT\cfgmgr52.dll
C:\WINNT\System32\malhpu.exe
C:\DRV\AADELETE.EXE
Run CleanUp! Set the program up as follows:
- Click "Options..."
- Move the arrow down to "Custom CleanUp!"
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Reboot your system in Normal Mode.
Further Scanning
Please run a Scan at any 2 of the Following sites:
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky
Make sure that you choose the "fix" or "clean" option when available.
Please post a fresh Hijack This log and the contents of both the log.txt and log1.txt in your next post, so that we can check if your system is clean.
__________________
Have I Helped you? Please Consider a Donation to TechSupportForums
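
Added example, not part of the original post or of any tool it mentions: a Python check that reads a fresh HijackThis log and lists entries that still reference the files, the BHO CLSID, or the O16 items flagged in the post above. The function names and the sample log lines are constructed for illustration.

```python
import re

# Files and BHO CLSID taken from the entries flagged in the post above.
FLAGGED_FILES = [
    r"C:\WINNT\cfgmgr52.dll",
    r"C:\WINNT\System32\PSof1.exe",
    r"C:\WINNT\System32\malhpu.exe",
    r"C:\DRV\AADELETE.EXE",
]
FLAGGED_BHO_CLSID = "{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}"

# HijackThis entries look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return (section, body) tuples for every HijackThis entry line."""
    matches = (ENTRY_RE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def remaining_findings(log_text):
    """List entries that still reference a flagged file, the flagged BHO, or any O16 item."""
    hits = []
    for section, body in parse_entries(log_text):
        lowered = body.lower()  # Windows paths and CLSIDs are case-insensitive
        if section == "O16":
            hits.append((section, body, "O16 entry (post asks to fix all of them)"))
        elif FLAGGED_BHO_CLSID.lower() in lowered:
            hits.append((section, body, "flagged BHO CLSID"))
        else:
            for path in FLAGGED_FILES:
                if path.lower() in lowered:
                    hits.append((section, body, "references " + path))
                    break
    return hits

# Constructed sample of a post-fix log in which one flagged entry survived.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\malhpu.exe reg_run
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (constructed) - http://example.invalid/x.cab
"""

if __name__ == "__main__":
    for section, body, reason in remaining_findings(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

An empty result means none of the flagged items appear as log entries; it does not inspect the "Running processes" list or the files on disk.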