Hi and Welcome to TSF!
In the meanwhile, I suggest that you stop using Internet Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.
It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.
It is also important you don't miss a step and perform everything in the right order!!
= = = = = = = = = = =
Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.
CleanUp! - Install the program.
KillBox v2.0.0.175
About Buster - Unzip to a new folder on Desktop.
Update About Buster & exit the program once that is completed.
cwsserviceremove.zip - Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
CWShredder - Save it to Desktop.
- Open CWShredder and click [I AGREE]
- Click [Check For Update]
- Close CWShredder after updating
I have attached a file - regdel.txt - to this post. Download it & rename to "regdel.reg"
Double-click to run it & answer Yes when prompted to merge into the Registry.
Unplug your computer from the Internet when you have finished downloading.
= = = = = = = = = = =
Uninstall the following programs using Add/Remove Programs panel :
* Some entries may not be present
= = = = = = = = = = =
Click Start>Run - type services.msc.
Locate the Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.
Then start HiJackThis & go to Config>Misc.Tools...>Delete an NT service...
In the popup box that appears, type in 11Fßä #·ºÄÖ`I & click the OK button.
= = = = = = = = = = =
Run a HiJackThis scan. Select the following entries & click Fix checked :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fnllm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fnllm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7596F99E-D0E0-D10F-1786-8EB23DCDF3BD} - C:\WINNT\ieno32.dll (file missing)
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds5.dll (file missing)
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ce5mko3e] C:\WINNT\System32\ce5mko3e.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [appsp32.exe] C:\WINNT\appsp32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appuz.exe (file missing)
= = = = = = = = = = =
Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\ms32.tmp
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINNT\fnllm.dll
C:\WINNT\ieno32.dll
C:\WINNT\gds5.dll
C:\WINNT\System32\ce5mko3e.exe
C:\WINNT\appsp32.exe
C:\WINNT\system32\appuz.exe
Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versions of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting"
* if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = =
Reboot to SafeMode
Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
Remove the offending service:
- Double-click on cwsserviceremove.reg you downloaded earlier.
- When it asks you to merge the information to the registry click "Yes".
= = = = = = = = = = =
Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. enable the option for `Show hidden files and folder´
3. disable the option for `Hide file extensions for known types´
4. disable the option for `Hide protected operating system files´
5. click "Yes" to confirm & then click "OK"
= = =
Locate and delete the following folder(s), if present:
C:\Program Files\SurfAccuracy\
C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SHOP\
C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SITES ABOUT\
C:\PROGRAM FILES\180searchassistant\
C:\WINNT\SYSTEM32\SahImages
= = = = = = = = = = =
Run Cleanup! & configure the program up as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup
= = = = = = = = = = =
Run About Buster and click [Begin Removal]. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.
= = = = = = = = = = =
Reboot to Normal-Mode.
Do an online scan at Kaspersky
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
= = = = = = = = = = =
In your next post, please include fresh copies of:
1. HiJackThis log
2. List of files that online scans failed to disinfect
3. About Buster's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
Question - what have you done for the community today?
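
Added example, not part of the original post: a small Python parser showing how the file list pasted into KillBox follows from the HijackThis entries selected for fixing. The sample is a subset of the log lines quoted in the post; the `KNOWN_GOOD` allowlist and all function names are assumptions made for illustration.

```python
import re

# Subset of the "Fix checked" entries quoted in the post above.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fnllm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fnllm.dll/sp.html#12047
O2 - BHO: Class - {7596F99E-D0E0-D10F-1786-8EB23DCDF3BD} - C:\WINNT\ieno32.dll (file missing)
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ce5mko3e] C:\WINNT\System32\ce5mko3e.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [appsp32.exe] C:\WINNT\appsp32.exe
"""

# HijackThis section codes used in the sample.
SECTIONS = {"R1": "IE start/search page", "O2": "Browser Helper Object",
            "O4": "Run-key autostart"}
# Assumption: the stock IE binary stays on disk; only its Run entry is fixed.
KNOWN_GOOD = {r"c:\program files\internet explorer\iexplore.exe"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH = re.compile(r"[A-Za-z]:\\[^/\r\n]*?\.(?:exe|dll)", re.IGNORECASE)

def parse(log):
    """Split each HijackThis line into section code, file path and flags."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body, path = m["body"], PATH.search(m["body"])
        entries.append({
            "code": m["code"],
            "kind": SECTIONS.get(m["code"], "other"),
            "path": path.group(0) if path else None,
            "file_missing": body.endswith("(file missing)"),
            "res_hijack": "res://" in body.lower(),
        })
    return entries

def files_to_review(entries):
    """Unique on-disk files the entries point at, minus known-good binaries."""
    seen, out = set(), []
    for e in entries:
        key = (e["path"] or "").lower()
        if key and key not in KNOWN_GOOD and key not in seen:
            seen.add(key)
            out.append(e["path"])
    return out
```

Entries flagged `file_missing` still need their registry reference fixed even though there may be nothing left on disk to delete.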