Tech Support Forum - View Single Post

sUBs · 08-31-2005, 09:40 PM

How did you get re-infected so soon? You have to do the whole fix again

Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Reboot your computer in SafeMode :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Workstation NetLogon Servic
Double-click on it to open the Properties dialog.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B2D696D0-91BB-1E7F-44BB-A44FB1038DDF} - C:\WINDOWS\sdkjw.dll
O4 - HKLM\..\Run: [nthf.exe] C:\WINDOWS\nthf.exe
O4 - HKLM\..\Run: [syssy.exe] C:\WINDOWS\syssy.exe
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\javaln.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

Checkmark/tick - "Ignore Safe System Info Streams"
Click the "Scan" button
When it has finished scanning, checkmark/tick all that it found
Click the "remove selected" button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
- In the scan settings make that the following are selected:
  - Scan using the following Anti-Virus database:
    - Standard
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:

HiJackThis

Online scan

About Buster

Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

08-31-2005, 09:40 PM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,500 OS: N/A	How did you get re-infected so soon? You have to do the whole fix again Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards. Reboot your computer in SafeMode : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry. = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Workstation NetLogon Servic Double-click on it to open the Properties dialog. Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS Run a scan with HiJackThis & select/tick the following & click "Fix checked" : R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhaww.dll/sp.html#12047 (FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\**.dll/sp.htm) R3 - Default URLSearchHook is missing O2 - BHO: Class - {B2D696D0-91BB-1E7F-44BB-A44FB1038DDF} - C:\WINDOWS\sdkjw.dll O4 - HKLM\..\Run: [nthf.exe] C:\WINDOWS\nthf.exe O4 - HKLM\..\Run: [syssy.exe] C:\WINDOWS\syssy.exe O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file) O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\javaln.exe = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Start HijackThis & Go to Config> Misc Tools > Open ADS Spy Checkmark/tick - "Ignore Safe System Info Streams" Click the "Scan" button When it has finished scanning, checkmark/tick all that it found Click the "remove selected" button = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files** 4. Click OK 5. Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will not create any backups!! = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Run CWShredder & click on Fix. Run About Buster and click - Begin Removal. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply. = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" .Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = REBOOT TO NORMAL MODE Perform an online scan with Internet Explorer with Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Standard Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan:Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text** button: Save the file to your desktop. Copy and paste that information in your next post. * Turn off the real time scanner of any existing antivirus program while performing the online scan = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = In your next post, please include fresh logs from: HiJackThis Online scan About Buster Ewido Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?