Old 07-09-2005, 09:35 PM   #2 (permalink)
skate_punk_21
And We're Back!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Notes
It's understandable that this would frustrate you; it's regenerative...


Downloads
Download rkfiles and unzip the contents to a new folder on your desktop. DO NOT RUN IT YET

Download remv3.zip. Make a new folder on the root drive C:\ and unzip the remv3.zip files into it. DO NOT RUN IT YET

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET

Download Killbox DO NOT RUN IT YET



View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Stop NT Service

Part1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the "WinTools for IE service (WinToolsSvc)" service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
  • sc delete WinToolsSvc
  • Close the Command Prompt window

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\nsd16.dll
C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\richup.exe
C:\WINDOWS\System32\nmahll.exe
C:\WINDOWS\System32\glmstat.exe
C:\WINDOWS\System32\hypaddin.exe


Boot Into Safe Mode
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).



Stop Potentially Running Processes
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\Program Files\Cas\Client\casclient.exe



Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Cas
Free Popup Killer = foistware proven to install the Regsvc32 homepage hijacker
WinTools
Ebates


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {7766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsd16.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [r79S3nR] hypaddin.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nmahll.exe reg_run
O4 - HKCU\..\Run: [awq2Rhdng] glmstat.exe
O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6.../bridge-c18.cab
O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeChannel) - http://channel.bridge.com/bc/java/bc_bridge_i.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbuddy.com/talkingbuddyinstall.exe
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.



File/Folder Deletions
Delete the following files and folders if they still exist.

C:\Program Files\Free-Popup-Killer\
C:\Program Files\Cas\
C:\Program Files\Ebates_MoeMoneyMaker\
C:\Program Files\Common Files\WinTools\


Run Downloaded Programs
Double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved the remv3.zip files and double-click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.

**Note** Each tool uses "log.txt" as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.


Run CleanUp! Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.



Reboot your system in Normal Mode.


Further Scanning
Please run a scan at any 2 of the following sites:
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky

Make sure that you choose the "fix" or "clean" option when available


Please post a fresh Hijack This log, and post the contents of both the log.txt and log1.txt in your next post, so that we can check if your system is clean.
__________________
Have I Helped you? Please Consider a Donation to TechSupportForums

Last edited by skate_punk_21; 07-09-2005 at 09:46 PM.
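The fix list in the post above is a set of HijackThis entries, and the manual steps (stop/delete the service, unregister and delete the DLLs, remove Run values) are exactly what each entry type implies. As an added example, not code from the original post, from HijackThis or from any tool it names, the following Python parses the R0/R3/O2/O4/O9/O16/O23 line formats quoted above and turns each into a concrete cleanup action. The sample lines are copied from the post (wrapped lines re-joined); the registry locations are the standard ones those entry types are read from; the action names and the CLSID leniency (the post's R3 CLSID is a digit short) are this example's own choices.

```python
"""Turn HijackThis log entries into a structured cleanup plan.

Added example: not code from the original post, HijackThis or any tool it
names.  Parses the R0/R3/O2/O4/O9/O16/O23 line formats quoted in the post and
maps each entry to the registry key, file or service the manual steps touch.
"""
import re
from dataclasses import dataclass

# Standard registry homes of the entry types HijackThis abbreviates.
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"           # O4: HKxx\..\Run
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"
HOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"
EXT_KEY = r"Software\Microsoft\Internet Explorer\Extensions"      # O9, under HKCU or HKLM

# Lenient on purpose: the R3 CLSID in the post is missing a hex digit.
CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]+\})"
PATTERNS = {
    "R0": re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>\w+) =\s*(?P<data>.*)$"),
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$"),
    "O9": re.compile(r"^O9 - Extra button: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"),
    "O16": re.compile(r"^O16 - DPF: " + CLSID + r"(?: \((?P<name>.*?)\))? -\s*(?P<url>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>\w+)\) - (?P<owner>.*?) - (?P<path>.*)$"),
}


@dataclass(frozen=True)
class Action:
    kind: str    # reset_reg_value | delete_reg_value | delete_reg_key | unregister_dll | delete_file | delete_service
    target: str
    source: str  # HijackThis entry type that produced it


def _clean_path(p: str) -> str:
    """Drop HijackThis annotations such as '(file missing)' and the O9 '(HKCU)' tag."""
    return re.sub(r"(\s*\((?:file missing|no file|HKCU|HKLM)\))+$", "", p).strip()


def _exe_of(cmd: str) -> str:
    """Pick the file a Run value launches; rundll32 entries point at the DLL.
    A bare name (e.g. hypaddin.exe) is returned as-is: it is resolved via the
    search path, which is why the post lists those under System32."""
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    first = cmd.split()[0]
    if first.lower() == "rundll32.exe":
        return cmd.split(None, 1)[1].split(",")[0].strip()
    return first


def parse_line(line: str):
    """Return (entry type, named groups) for a recognised line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None


def plan(lines):
    """Map each parsed entry to the cleanup actions it implies."""
    actions = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, g = parsed
        if kind == "R0":   # HijackThis restores these to the default value
            actions.append(Action("reset_reg_value", f"{g['key']}\\{g['value']}", kind))
        elif kind == "R3":
            actions.append(Action("delete_reg_key", f"{HOOK_KEY}\\{g['clsid']}", kind))
        elif kind == "O2":
            actions.append(Action("delete_reg_key", f"{BHO_KEY}\\{g['clsid']}", kind))
            path = _clean_path(g["path"])
            if path:
                actions.append(Action("unregister_dll", path, kind))
                actions.append(Action("delete_file", path, kind))
        elif kind == "O4":
            actions.append(Action("delete_reg_value", f"{g['hive']}\\{RUN_BASE}\\{g['key']}\\{g['value']}", kind))
            actions.append(Action("delete_file", _exe_of(g["cmd"]), kind))
        elif kind == "O9":
            hive = "HKCU" if g["path"].rstrip().endswith("(HKCU)") else "HKLM"
            actions.append(Action("delete_reg_key", f"{hive}\\{EXT_KEY}\\{g['clsid']}", kind))
        elif kind == "O16":
            actions.append(Action("delete_reg_key", f"{DPF_KEY}\\{g['clsid']}", kind))
        elif kind == "O23":
            actions.append(Action("delete_service", g["name"], kind))
            path = _clean_path(g["path"])
            if path:
                actions.append(Action("delete_file", path, kind))
    return actions


# Sample input: entries copied from the post above (wrapped lines re-joined).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {7766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsd16.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [r79S3nR] hypaddin.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nmahll.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6.../bridge-c18.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for a in plan(SAMPLE_LOG):
        print(f"{a.source:4} {a.kind:17} {a.target}")
```

The output is a checklist, not an automatic fixer: each `delete_file` still has to be cross-checked against the list in the post (a bare `hypaddin.exe` under Run has no directory in the log), and `delete_service` corresponds to the `sc delete WinToolsSvc` step, which only succeeds after the service has been stopped.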