Tech Support Forum - View Single Post

MicroBell · 08-18-2005, 01:00 AM

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
*Unzip it to your desktop.
* Ewido Security Suite
*Install ewido security suite
*Launch ewido, there should be a big E icon on your desktop, double-click it.
*The program will prompt you to update click the OK button
*The program will now go to the main screen
*You will need to update ewido to the latest definition files.
*On the left hand side of the main screen click update
*Click on Start
*The update will start and a progress bar will show the updates being installed.
*After the updates are installed exit Ewido.

*Cleanup
Download and install it

* KillBox
Download and unzip the Killbox.exe to your desktop.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Mouse Button Monitor (mousebm)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows

Repeat that process for these other services...

Microsoft New Game 2 (svehost32)
TCP System Driver (tcpsys)

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen.

2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows:
*Click on scanner
*Make sure the following boxes are checked before scanning:
*Binder
*Crypter
*Archives
*Click on Start Scan
*Let the program scan the machine
While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) click OK
*Once the scan has completed, there will be a button located on the bottom of the screen named Save report
*Click Save report
*Save the report to your desktop.

3.) Run Cleanup! by double-clicking the Cleanup! icon on your desktop.

4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing)

Close HiJackThis.

5.) Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. If your computer does not restart automatically, please restart it manually.

C:\WINNT\system32\mousebm.exe
C:\WINNT\svehost32.exe
C:\WINNT\system32\rsvterm.exe
C:\WINNT\system32\rdriv.sys

After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run this online virus scan:
Panda ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

08-18-2005, 01:00 AM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows XP-Pro SP2	Hi and Welcome to TSF Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running. Ad-Aware® SE Personal Edition Spybot Search & Destroy CWShredder Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT) Please follow all instructions as specified. Print these instructions to ensure all are followed. Please download the following programs, but do not run them yet: * rdrivRem.zip Unzip it to your desktop. Ewido Security Suite Install ewido security suite Launch ewido, there should be a big E icon on your desktop, double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start* The update will start and a progress bar will show the updates being installed. After the updates are installed exit Ewido. *Cleanup Download and install it * KillBox Download and unzip the Killbox.exe to your desktop. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter. Go to Start->Run and type Services.msc then hit Ok Scroll down and find the service called: Mouse Button Monitor (mousebm) When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows Repeat that process for these other services... Microsoft New Game 2 (svehost32) TCP System Driver (tcpsys) 1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. 2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows: Click on scanner* Make sure the following boxes are checked before scanning: Binder Crypter Archives Click on Start Scan* Let the program scan the machine While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) click OK Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report Save the report to your desktop. 3.) Run Cleanup! by double-clicking the Cleanup! icon on your desktop. 4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/ O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing) O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing) Close HiJackThis. 5.) Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. If your computer does not restart automatically, please restart it manually. C:\WINNT\system32\mousebm.exe C:\WINNT\svehost32.exe C:\WINNT\system32\rsvterm.exe C:\WINNT\system32\rdriv.sys After computer has restarted continue with the rest of the instructions: 6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out. Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc. 7.) Run this online virus scan: Panda ActiveScan Save the results from ActiveScan. I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder