Hello Mexican Toffee,
Yes, the Panda scan is what helped identify the infection.
Download KillBox http://www.greyknight17.com/spy/KillBox.exe.
Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Open your Task Scheduler and delete the following jobs:
8E4C26C893A3F968
A4AAC43291857E82
AD6BDD9191845139
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:
C:\WINDOWS\SYSTEM32\osmim.dll
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\osmim.dll
C:\Archivos de programa\new_uninstall.exe
C:\Archivos de programa\toolbar_uninstall.exe
Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.
Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
C2Media
CSBB
MyWay
NavExcel
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.abyfslcbxrryyvmj.us/ceCG...2ywPUX7jEX.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uizaymxdrub.com/ceCG7dLj...B6l5_UEI0ok.htm
O4 - HKCU\..\Run: [five name] C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe
Now delete the following files/folders:
c:\archiv~1\infobr~1
c:\docume~1\admini~1\datosd~1\infobr~1
C:\WINDOWS\SYSTEM32\osmim.dll
C:\WINDOWS\smdat32m.sys
C:\ARCHIVOS DE PROGRAMA\C2Media
C:\ARCHIVOS DE PROGRAMA\CSBB
C:\ARCHIVOS DE PROGRAMA\MyWay
C:\ARCHIVOS DE PROGRAMA\NavExcel
C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE
C:\Archivos de programa\new_uninstall.exe
C:\Archivos de programa\toolbar_uninstall.exe
*note* Check each of your users' and ALL users' Program and Application Data folders for any strangely named folders, like the ones we are deleting (safe 16 team, Close fork meal army, Sixth Tons Trust), as this infection installs these in each account on the PC, including the users, ALL users, Admin, etc. accounts.
Run another scan with Panda, save the log and post it here.
Run FindLop again and post that along with another HijackThis log.
__________________
Member of ASAP since 2005
Member of UNITE since 2006
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."