Hi and Welcome to TSF!
Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".
It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.
Please do not run Hijackthis from its current location. Create a permanent folder and move hijackthis.exe into it.
- From Windows Explorer, Click on drive C:
- Click on File>New>Folder
- Call it HJT, or any other name of your choice.
- Move all files to the newly created folder
~~~~~~~~~~~~~~
Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading
CleanUp! - Install
KillBox v2.0.0.175 - Save to Desktop.
Download & RUN FxIeplgn.exe
Download & RUN FxWebsch.exe
~~~~~~~~~~~~~~
Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
CashBack
NaviSearch
BullsEye Network
E2Give Browser Add On
Bargain Buddy
HuntBar
~~~~~~~~~~~~~~
Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\WINDOWS\RRRKAU.EXE
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTB.DLL
C:\Program Files\E2G\IeBHOs.dll
C:\WINDOWS\SYSTEM\MSBE.DLL
C:\WINDOWS\SYSTEM\NVMS.DLL
C:\WINDOWS\SYSTEM\MSCB.DLL
C:\WINDOWS\wupdt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
c:\windows\system\dlylygu.exe
C:\WINDOWS\SYSTEM\UPDTUP.exe
C:\Program Files\tarc\cire.exe
c:\windows\system\kkmvhhzr.exe
c:\windows\kkmvhhzr.exe
C:\Program Files\Cas\Client\casclient.exe
c:\Windows\Start Menu\Programs\Startup\nnnd.exe
C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
Start KillBox
- Go to the File menu, and choose [Paste from Clipboard].
Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
- Select/tick the following:
- "Delete on Reboot"
- "End Explorer Shell While Killing File"
- "Unregister .dll Before Deleting" if it's not grayed out.
- Click the RED X button.
- Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
~~~~~~~~~~~~~~
Reboot to SafeMode
- Shut Windows down, and then turn off the computer.
- Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
- As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
- Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
~~~~~~~~~~~~~~
Enable the viewing of Hidden files
- Double-click on the My Computer icon.
- Select the View menu and then click Folder Options.
- After the new window appears select the View tab.
- Scroll down until you see the Show all files radio button and select it.
- Press the Apply button and then the OK button and close the My Computer window.
- Now your computer is configured to show all hidden files.
Locate and delete the following folder(s), if present:
C:\Program Files\E2G\
C:\Program Files\BullsEye Network\
C:\Program Files\NaviSearch\
C:\Program Files\CashBack\
C:\Program Files\tarc\
C:\Program Files\Cas\
Search for & delete ... using "Start>Search..." the following file(s), if present:
nnnd.exe
kkmvhhzr.exe
~~~~~~~~~~~~~~
Run CleanUp! & configure the program as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup
~~~~~~~~~~~~~~
Reboot to Normal Mode
Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrrkau.exe reg_run
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe
O4 - HKCU\..\Run: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - HKCU\..\Run: [Rrsu] C:\Program Files\tarc\cire.exe
O4 - HKCU\..\Run: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunServices: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - HKCU\..\RunServices: [Rrsu] C:\Program Files\tarc\cire.exe
O4 - HKCU\..\RunServices: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\RunServices: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunOnce: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - Startup: nnnd.exe
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
~~~~~~~~~~~~~~
Do an online scan at Panda
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Then download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
- Save it to your desktop.
- Double-click the new icon on your desktop (tmas-web-scan.exe)
- It will say "Loading TrendMicro definitions".
- Once the definitions are loaded, the program will appear to close then re-open.
- Click "Start Scan"
- After it's done scanning, click "Scan Results"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
~~~~~~~~~~~~~~
Reboot Again & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.
In your next post, please include fresh copies of:
- HiJackThis log
- List of files that Panda failed to disinfect
- Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps.
__________________
Question - what have you done for the community today?
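The procedure above relies on two lists agreeing: the files queued in KillBox and the files named by the HijackThis entries marked for fixing. The following is an added example, not part of the original post or of either tool, that parses the file-bearing HijackThis sections and reports any referenced file the deletion list does not cover; the function names are hypothetical, and the sample deletion list is trimmed with one file left out on purpose so the check has something to report.

```python
import ntpath
import re

# Constructed sample: entries quoted from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrrkau.exe reg_run
O4 - HKCU\..\Run: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
"""
# Constructed: the post's KillBox list, trimmed, with CASMF.DLL left out on purpose.
KILLBOX_LIST = r"""
C:\WINDOWS\RRRKAU.EXE
C:\WINDOWS\CERES.DLL
C:\Program Files\Cas\Client\casclient.exe
c:\windows\kkmvhhzr.exe
"""
FILE_SECTIONS = {"O2", "O3", "O4", "O18"}  # sections whose entries name a local file

def parse_entry(line):
    """Return (section, file path or None) for one HijackThis line, else None."""
    m = re.match(r"(O\d+) - (.+)", line.strip())
    if not m or m.group(1) not in FILE_SECTIONS:
        return None
    code, body = m.groups()
    if code == "O4":   # "[name] command" or "Startup: file"
        target = re.split(r"\] |Startup: ", body, maxsplit=1)[-1]
    else:              # "... - {CLSID} - file"
        target = body.rsplit(" - ", 1)[-1]
    hit = re.match(r'"?(.+?\.(?:exe|dll|ocx))\b', target, re.I)
    return code, (hit.group(1) if hit else None)  # "(no file)" yields None

def uncovered(log_text, killbox_text):
    """List files named by log entries that the deletion list does not cover."""
    listed = {p.strip().lower() for p in killbox_text.splitlines() if p.strip()}
    names = {ntpath.basename(p) for p in listed}
    missing = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed or parsed[1] is None:
            continue
        path = parsed[1].lower()
        # Entries without a drive letter can only be matched by file name.
        found = path in listed if re.match(r"[a-z]:\\", path) else ntpath.basename(path) in names
        if not found:
            missing.append(parsed[1])
    return missing

if __name__ == "__main__":
    print(uncovered(SAMPLE_LOG, KILLBOX_LIST))
```

Run against the full lists from a real log, an empty result means every startup entry, BHO and filter being removed also has its file queued for deletion.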