Hello erik1927 and welcome to TSF,
This trojan is not showing in your log, however, based on your description, let's begin with these procedures:
Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
Please download the following programs, but do not run them yet:
rdrivRem.zip - http://www.geekstogo.com/forum/index...e=post&id=1778
* Unzip it to your desktop.
Ewido Security Suite - http://www.ewido.net/en/download/
* Install Ewido Security Suite.
* Launch Ewido. There should be a big E icon on your desktop. Double click on it.
* The program will prompt you to update. Click the OK button.
* The program will now go to the main screen.
* You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Click on Start.
* The update will start and a progress bar will show the updates being installed.
* After the updates are installed exit Ewido.
CleanUp! - http://www.greyknight17.com/spy/CleanUp.exe
* Install it.
Killbox by Option^Explicit - http://www.greyknight17.com/spy/KillBox.exe
* Save it to your desktop. We may need it later.
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.
1.) Please double click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.
2.) Double click the Ewido Security Suite icon to run the program.
* Click on scanner.
* Click Complete System Scan.
* Let the program scan the machine.
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report.
* Save the report to your desktop.
* Exit Ewido.
3.) CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.
Run CleanUp! and click on the Options button.
Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.
4.) After CleanUp! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED (after you checked the last entry below):
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js)
Note: N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src
The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.
Close HijackThis.
After the computer has restarted, continue with the rest of the instructions:
5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out. Also, make sure your anti-virus program is working properly - you can turn on and off auto-protect, etc.
6.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan - http://www.pandasoftware.com/activescan/
TrendMicro's Housecall (http://uk.trendmicro-europe.com/ente...all_launch.php) - check 'Auto Clean'
Save the results from Panda ActiveScan.
I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HijackThis log into this topic.