Hi and Welcome to TSF!
Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".
There seems to be no anti-virus application installed on this machine. Anti-virus programs protect against infections. Without one, you're vulnerable to every virus, spyware program, trojan and piece of malware that is floating around out there. I urge you to install an anti-virus program as quickly as possible. Please choose one from these 3 free programs that are available for home use:
It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.
You are currently running an outdated version of HiJackThis. Please click on the link below to download the most current version:
Delete your current HiJackThis.exe file and double-click on the file you just downloaded and then click on the Unzip button to install the newer version. It will be installed to the C:\Program Files\HiJackThis\ directory by default. I would require your next HJT log to be from this newer version.
Please do not run Hijackthis from its current location. Create a permanent folder and move hijackthis.exe into it.
- From Windows Explorer, Click on drive C:
- Click on File>New>Folder
- Call it HJT, or any other name of your choice.
- Move all files to the newly created folder
~~~~~~~~~~~~~~
Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading
Place a shortcut to Panda ActiveScan on your desktop.
Download smitRem.zip and save the file to your desktop. Right click on the file and extract it to its own folder on the desktop.
Download & Install CleanUp!
Download Ewido Security Suite - Install & Update its database but do not run it yet.
If you have not already installed Ad-Aware SE 1.06, download and update Ad-Aware SE Setup. Don't run it yet!
~~~~~~~~~~~~~~
ZeroSpyware - These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
~~~~~~~~~~~~~~
Reboot to SafeMode
- Shut Windows down, and then turn off the computer.
- Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
- As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the [Windows Advanced Options] menu appears.
- Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
~~~~~~~~~~~~~~
Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74981C0-A043-44ED-9222-A406510EF3BF}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
~~~~~~~~~~~~~~
Enable the viewing of Hidden files
- Open Windows Explorer
- Go to Tools>Folder Options>View tab.
- Enable the option for "Show hidden files and folder"
- Disable the option for "Hide file extensions for known types"
- Disable the option for "Hide protected operating system files"
- Click "Yes" to confirm & then click "OK"
Locate and delete the following folder(s), if present:
C:\Program Files\FBM Software\
~~~~~~~~~~~~~~
Run CleanUp! & configure the program as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
  - Empty Recycle Bins
  - Delete Cookies
  - Delete Prefetch files
  - [X] Scan local drives for temporary files (Please uncheck this option)
  - Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup
~~~~~~~~~~~~~~
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
~~~~~~~~~~~~~~
Open Ad-aware and close ALL other windows.
- Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
- In the [General] window make sure the following are selected in green:
  - Under [Safety]:
    - Automatically save log-file
    - Automatically quarantine objects prior to removal
    - Safe Mode (always request confirmation)
  - Under [Definitions]:
    - Prompt to update outdated definitions - set the number of days = 7
- Click on the [Scanning] button on the left and select in green:
  - Under [Driver, Folders & Files]:
  - Under [Select drives & folders to scan]:
  - Under [Memory & Registry]: all green
    - Scan Active Processes
    - Scan Registry
    - Deep Scan Registry
    - Scan my IE favorites for banned URL’s
    - Scan my Hosts file
- Click on the [Advanced] button on the left and select in green:
  - Under [Shell Integration]:
    - Move deleted files to recycle bin
  - Under [Logfile Detail Level]: all green
    - include additional object information
    - DeSelect - include negligible objects information
    - include environment information
  - Under [Alternate Data Streams]:
    - Don't log streams smaller than 0 bytes
    - Don't log ADS with the following names: CA_INOCULATEIT
- Click the [Tweak] button and select in green:
  - Under [Scanning Engine]:
    - Unload recognized processes during scanning
    - Scan registry for all users instead of current user only
  - Under [Cleaning Engine]:
    - Let Windows remove files in use at next reboot
  - Under [Log Files]:
    - Include basic Ad-aware SE settings in logfile
    - Include additional Ad-aware SE settings in logfile
    - Please DeSelect: Include Module list in logfile
- Click on [Proceed] to save the settings.
- Click [Start]
- Choose [Perform Full System Scan]
- DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
- Click [Next] and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
- If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
- Right-click on the list and choose Select All
- Click the [Next] button to finish removing the items that were found
~~~~~~~~~~~~~~
Run Ewido:
- Click [Scanner]
- Click [Complete System Scan] to begin scanning.
- Click [OK] when prompted to clean files
- With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
- Once finished, click the Save report button
- Save the report to your desktop
Close Ewido
~~~~~~~~~~~~~~
Next go to Control Panel, click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, smitfiles.txt and the Ewido Log.
Let us know if any problems persist.
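The O17 entries fixed in the post above set the same two NameServer addresses on three network interfaces. As an added example (not part of the original post and not a HijackThis feature), this Python sketch pulls O17 NameServer entries out of a HijackThis log and reports resolvers that are neither on an expected list nor private addresses; the function names, the `expected` parameter, the private-address rule and the last sample line are assumptions made for illustration.

```python
import ipaddress
import re

# The three O17 lines are copied from the log in the post above;
# the last line is constructed (a typical home-router resolver).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE166989-A8A9-4DD6-A1B4-8E08E2AAEB3F}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74981C0-A043-44ED-9222-A406510EF3BF}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D74D6144-A420-4CC0-97EC-9F10E668DB9D}: NameServer = 69.50.188.180 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(
    r"^O17 - .+?\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return [(interface GUID, [resolver, ...]), ...] for O17 NameServer lines."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # The value appears both comma- and space-separated in the log above.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("guid").upper(), servers))
    return entries


def unexpected_resolvers(log_text, expected=frozenset()):
    """Map interface GUID -> resolvers that are not expected and not private."""
    findings = {}
    for guid, servers in parse_o17(log_text):
        flagged = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                flagged.append(s)  # unparseable value: report it for review
                continue
            if s not in expected and not ip.is_private:
                flagged.append(s)
        if flagged:
            findings[guid] = flagged
    return findings


if __name__ == "__main__":
    for guid, servers in unexpected_resolvers(SAMPLE_LOG).items():
        print(guid, servers)
```

Pass the resolvers your ISP or network actually assigns as `expected`; anything still reported is worth checking against the adapter's DNS settings before and after the fix.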