Tech Support Forum - View Single Post

greyknight17 · 08-21-2005, 04:17 PM

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download APT http://www.diamondcs.com.au/index.php?page=apt and unzip the contents to a new folder on your desktop.

* Open the folder you just created and click on apt.exe and search in the window for unbctln.exe .
* Open your C:\Windows\system32 folder and search for unbctln.exe . Don't delete it yet, just leave the system32 folder open so you can see the bad file.
* In APT again, Select unbctln.exe and Click Kill3.
* Then immediately delete unbctln.exe from your system32 folder.

Close APT.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

P2P Networking
Ebates_MoeMoneyMaker

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vkzuyhpzctfwfvdvfkye.uk/...z8qIuLhtB5.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hpebgcxhzjpbexvu.com/zX/C9Mm...LU/cKNsLNc.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ohb - {98640C3B-0699-4D51-ADB4-A6FC48ACB966} - C:\WINDOWS\system32\nst10.dll
O2 - BHO: (no name) - {99FB134B-6F81-B7E2-1CC5-446C0BB5DF8B} - C:\DOCUME~1\GWARNE~1\APPLIC~1\DENTIN~1\Onestart.ex e
O2 - BHO: (no name) - {C238E6ED-F25F-B3BA-4AFC-5F8ACF604747} - C:\DOCUME~1\GWARNE~1\APPLIC~1\DENTIN~1\Onestart.ex e
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [owns cdrom 16 ante] C:\Documents and Settings\All Users\Application Data\nountrayownscdrom\Tonsrdr.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [eaqucc] c:\windows\system32\unbctln.exe r
O4 - HKLM\..\Run: [slow city regs 01] C:\Documents and Settings\All Users\Application Data\AIMCASHSLOWCITY\data okay.exe
O4 - HKCU\..\Run: [POKE HEART] C:\DOCUME~1\GWARNE~1\APPLIC~1\CDROMT~1\gramflaw.ex e
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://www.go-in-now.com/tl7000.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\nst10.dll\
C:\DOCUME~1\GWARNE~1\APPLIC~1\DENTIN~1\
C:\Documents and Settings\All Users\Application Data\nountrayownscdrom\
C:\WINDOWS\system32\P2P Networking\
c:\windows\system32\unbctln.exe - this filename may have changed it's name (see NOTE above on how to tell)
C:\Documents and Settings\All Users\Application Data\AIMCASHSLOWCITY\
C:\DOCUME~1\GWARNE~1\APPLIC~1\CDROMT~1\
C:\Program Files\Ebates_MoeMoneyMaker\
C:\WINDOWS\zeta.exe

Restart your computer and post the logs for HijackThis and Ewido.

08-21-2005, 04:17 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Welcome to TSF. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Please download Ewido Security Suite at http://www.ewido.net/en/download/. 1. Install Ewido Security Suite. 2. When installing, under 'Additional Options' uncheck: * Install background guard * Install scan via context menu 3. Launch Ewido, there should be an icon on your desktop, double click it. 4. The program will now open to the main screen. 5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment. 6. You will need to update Ewido to the latest definition files. * On the left hand side of the main screen click update. * Then click on Start Update. 7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'. 8. Exit Ewido. DO NOT scan yet. If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually. Download APT http://www.diamondcs.com.au/index.php?page=apt and unzip the contents to a new folder on your desktop. * Open the folder you just created and click on apt.exe and search in the window for unbctln.exe . * Open your C:\Windows\system32 folder and search for unbctln.exe . Don't delete it yet, just leave the system32 folder open so you can see the bad file. * In APT again, Select unbctln.exe and Click Kill3. * Then immediately delete unbctln.exe from your system32 folder. Close APT. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff. Now open Ewido and do a scan on your system. * Click on scanner * Click on Complete System Scan and the scan will begin. * NOTE: During some scans with Ewido it is finding cases of false positives. o You will need to step through the process of cleaning files one-by-one. o If Ewido detects a file you KNOW to be legitimate, select none as the action. o Do NOT select 'Perform action on all infections' o If you are unsure of any entry found, select none for now as the action. * Once the scan has completed, there will be a button located on the bottom of the screen named Save report * Click Save report. * Save the report .txt file to your desktop or a location where you can find it easily. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: P2P Networking Ebates_MoeMoneyMaker Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vkzuyhpzctfwfvdvfkye.uk/...z8qIuLhtB5.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hpebgcxhzjpbexvu.com/zX/C9Mm...LU/cKNsLNc.html R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: ohb - {98640C3B-0699-4D51-ADB4-A6FC48ACB966} - C:\WINDOWS\system32\nst10.dll O2 - BHO: (no name) - {99FB134B-6F81-B7E2-1CC5-446C0BB5DF8B} - C:\DOCUME~1\GWARNE~1\APPLIC~1\DENTIN~1\Onestart.ex e O2 - BHO: (no name) - {C238E6ED-F25F-B3BA-4AFC-5F8ACF604747} - C:\DOCUME~1\GWARNE~1\APPLIC~1\DENTIN~1\Onestart.ex e O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [owns cdrom 16 ante] C:\Documents and Settings\All Users\Application Data\nountrayownscdrom\Tonsrdr.exe O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [eaqucc] c:\windows\system32\unbctln.exe r O4 - HKLM\..\Run: [slow city regs 01] C:\Documents and Settings\All Users\Application Data\AIMCASHSLOWCITY\data okay.exe O4 - HKCU\..\Run: [POKE HEART] C:\DOCUME~1\GWARNE~1\APPLIC~1\CDROMT~1\gramflaw.ex e O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU) O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://www.go-in-now.com/tl7000.dll O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r. Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\nst10.dll\ C:\DOCUME~1\GWARNE~1\APPLIC~1\DENTIN~1\ C:\Documents and Settings\All Users\Application Data\nountrayownscdrom\ C:\WINDOWS\system32\P2P Networking\ c:\windows\system32\unbctln.exe - this filename may have changed it's name (see NOTE above on how to tell) C:\Documents and Settings\All Users\Application Data\AIMCASHSLOWCITY\ C:\DOCUME~1\GWARNE~1\APPLIC~1\CDROMT~1\ C:\Program Files\Ebates_MoeMoneyMaker\ C:\WINDOWS\zeta.exe Restart your computer and post the logs for HijackThis and Ewido. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools