07-15-2005, 07:22 PM   #2
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Hello old hickory,

Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.sfx.exe and run it. Uncompress the file and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download AboutBuster 5 at www.malwarebytes.biz/AboutBuster5.zip and uncompress the files to a folder on your Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8A0DB32B-05DE-FEDD-EFA2-683C23669852} - C:\WINDOWS\system32\ipke32.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netwj.exe] C:\WINDOWS\system32\netwj.exe
O4 - HKLM\..\RunOnce: [netgt.exe] C:\WINDOWS\netgt.exe
O4 - HKLM\..\RunOnce: [ntuk.exe] C:\WINDOWS\ntuk.exe
O4 - HKLM\..\RunOnce: [mskf.exe] C:\WINDOWS\mskf.exe
O4 - HKLM\..\RunOnce: [sdklz.exe] C:\WINDOWS\system32\sdklz.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe
O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\crfq.exe
O4 - HKLM\..\RunOnce: [winxm.exe] C:\WINDOWS\system32\winxm.exe
O4 - HKLM\..\RunOnce: [ipqa.exe] C:\WINDOWS\system32\ipqa.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\system32\appwi32.exe
O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\system32\atlom32.exe
O4 - HKLM\..\RunOnce: [sdkhj.exe] C:\WINDOWS\sdkhj.exe
O4 - HKLM\..\RunOnce: [mfciv32.exe] C:\WINDOWS\mfciv32.exe
O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe
O4 - HKLM\..\RunOnce: [crbz.exe] C:\WINDOWS\crbz.exe
O4 - HKLM\..\RunOnce: [appsi.exe] C:\WINDOWS\appsi.exe
O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\system32\netzk.exe
O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\winun.exe
O4 - HKLM\..\RunOnce: [javahp32.exe] C:\WINDOWS\javahp32.exe
O4 - HKLM\..\RunOnce: [javaxk.exe] C:\WINDOWS\javaxk.exe
O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\system32\atlzc32.exe
O4 - HKLM\..\RunOnce: [ipbc32.exe] C:\WINDOWS\system32\ipbc32.exe
O4 - HKLM\..\RunOnce: [netyq.exe] C:\WINDOWS\netyq.exe
O4 - HKLM\..\RunOnce: [crrm32.exe] C:\WINDOWS\system32\crrm32.exe
O4 - HKLM\..\RunOnce: [sdkqd32.exe] C:\WINDOWS\system32\sdkqd32.exe
O4 - HKLM\..\RunOnce: [netmz.exe] C:\WINDOWS\system32\netmz.exe
O4 - HKLM\..\RunOnce: [crev.exe] C:\WINDOWS\crev.exe
O4 - HKLM\..\RunOnce: [netsb32.exe] C:\WINDOWS\netsb32.exe
O4 - HKLM\..\RunOnce: [addyv.exe] C:\WINDOWS\system32\addyv.exe
O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe
O4 - HKLM\..\RunOnce: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe
O4 - HKLM\..\RunOnce: [javaad.exe] C:\WINDOWS\system32\javaad.exe
O4 - HKLM\..\RunOnce: [mfczk.exe] C:\WINDOWS\system32\mfczk.exe
O4 - HKLM\..\RunOnce: [sysfe.exe] C:\WINDOWS\system32\sysfe.exe
O4 - HKLM\..\RunOnce: [crpj.exe] C:\WINDOWS\crpj.exe
O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\system32\sdkxv32.exe
O4 - HKLM\..\RunOnce: [sysyx.exe] C:\WINDOWS\system32\sysyx.exe
O4 - HKLM\..\RunOnce: [atlul.exe] C:\WINDOWS\atlul.exe
O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\mszf32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netgt.exe" /s (file missing)


Using Windows Explorer, delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\lcsnw.dll
C:\WINDOWS\system32\ipke32.dll
C:\WINDOWS\system32\netwj.exe
C:\WINDOWS\netgt.exe
C:\WINDOWS\ntuk.exe
C:\WINDOWS\mskf.exe
C:\WINDOWS\system32\sdklz.exe
C:\WINDOWS\system32\mfcor32.exe
C:\WINDOWS\crfq.exe
C:\WINDOWS\system32\winxm.exe
C:\WINDOWS\system32\ipqa.exe
C:\WINDOWS\system32\appwi32.exe
C:\WINDOWS\system32\atlom32.exe
C:\WINDOWS\sdkhj.exe
C:\WINDOWS\mfciv32.exe
C:\WINDOWS\atlgt32.exe
C:\WINDOWS\crbz.exe
C:\WINDOWS\appsi.exe
C:\WINDOWS\system32\netzk.exe
C:\WINDOWS\winun.exe
C:\WINDOWS\javahp32.exe
C:\WINDOWS\javaxk.exe
C:\WINDOWS\system32\atlzc32.exe
C:\WINDOWS\system32\ipbc32.exe
C:\WINDOWS\netyq.exe
C:\WINDOWS\system32\crrm32.exe
C:\WINDOWS\system32\sdkqd32.exe
C:\WINDOWS\system32\netmz.exe
C:\WINDOWS\crev.exe
C:\WINDOWS\netsb32.exe
C:\WINDOWS\system32\addyv.exe
C:\WINDOWS\crze32.exe
C:\WINDOWS\system32\winxk32.exe
C:\WINDOWS\system32\javaad.exe
C:\WINDOWS\system32\mfczk.exe
C:\WINDOWS\system32\sysfe.exe
C:\WINDOWS\crpj.exe
C:\WINDOWS\system32\sdkxv32.exe
C:\WINDOWS\system32\sysyx.exe
C:\WINDOWS\atlul.exe
C:\WINDOWS\mszf32.exe

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Reboot into Normal Mode.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net/en/download/updates/ Do NOT run the Ewido scan yet.

Reboot into Safe Mode.

Run Ewido:
-Click [Scanner]
-Click [Complete System Scan] to begin scanning.
-Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button

Save the report to your desktop

Close Ewido

Run another scan with HijackThis and post the log as well as the report from Ewido.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."