11-26-2005, 03:40 AM   #3
Piperian
Registered User
 
Join Date: Jul 2005
Posts: 204
OS: WinXP Pro SP2


Thanks for waiting patiently.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.


Do you recognize this entry?
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe

If not, please visit this website - http://virusscan.jotti.org/
Submit this file for a comprehensive scan & then post the results back here:

C:\WINDOWS\cc.exe




Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation. I recommend uninstalling it. I’ll leave the decision to you.



Download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido



Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following:
  • Scan local drives for temporary files


Click OK, then press the CleanUp! button to start the program. When prompted to reboot, click No.


Download win32delfkil.exe.
  • Save it on your desktop.
  • Double click on win32delfkil.exe and install it. This creates a new folder on your desktop called win32delfkil.
  • Close all windows and open the win32delfkil folder and double click on fix.bat.
  • Once the tool has finished the computer will reboot automatically. If it does not reboot...please do so manually.

On the reboot, go into Safe Mode. (As soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.)




Go into Hijack This > Config > Misc. Tools > Open process manager. Select the following and click Kill process for each one if it still exists:

C:\WINDOWS\system32\sndcfg16.exe


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs, if present:

Web Rebates
Preview AdService
Internet Optimizer
ActiveAlert





Open Hijack This and click on Scan. Check the following entries. (Make sure you do not miss any.)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Warcraft III - Reign Of Chaos no cd crack] C:\Program Files\Warcraft III\Warcraft III - Reign Of Chaos no cd crack.exe
O4 - HKLM\..\Run: [Preview AdService] PrevAdServ.exe
O4 - HKLM\..\Run: [Internet Optimizer] "optimize.exe"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll


Please remember to close all other windows, including browsers then click Fix checked.



Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist:

C:\Windows\System32\sndcfg16.exe
C:\Program Files\Web_Rebates\
C:\Program Files\Warcraft III\Warcraft III - Reign Of Chaos no cd crack.exe
C:\Program Files\Preview AdService\
C:\Program Files\Internet Optimizer\
C:\WINDOWS\system32\st3.dll





Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido


Reboot into Normal Mode.



Please download Trend Micro Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer.

Repeat the same procedure above using the TrendMicro tool. In place of the TrendMicro icon will be a text file called "Antispyware.log." Please double-click that log and copy the entire contents and paste them here. Post the log from the second scan/clean, NOT the first, as this will contain what’s left in the system.



Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



Please post the following logs:
Jotti scan results
Windelf's log (located at C:\windelf.txt)
Ewido's log
Antispyware.log
Panda's report
a fresh HijackThis log
Piperian is offline
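
Added example, not part of the original post and not HijackThis code: a small Python parser for the O4 and O20 lines quoted in the post. It shows which registry locations launch each file and which entries give no directory. It assumes the standard HijackThis convention that `..` stands for `Software\Microsoft\Windows\CurrentVersion` and the usual Winlogon Notify key path. The function names are illustrative.

```python
import re
from collections import defaultdict

# HijackThis prints "..", which stands for this path under the hive (assumption noted above).
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
NOTIFY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# Quoted path, else unquoted path up to .exe/.dll (may hold spaces), else first token.
BINARY = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll))(?=\s|$)|(\S+)', re.I)

# Autostart lines copied from the post above.
LOG = r"""
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Warcraft III - Reign Of Chaos no cd crack] C:\Program Files\Warcraft III\Warcraft III - Reign Of Chaos no cd crack.exe
O4 - HKLM\..\Run: [Preview AdService] PrevAdServ.exe
O4 - HKLM\..\Run: [Internet Optimizer] "optimize.exe"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
""".strip().splitlines()

def entries(lines):
    """Yield (registry_key, entry_name, file_name, has_no_directory) per autostart line."""
    for line in lines:
        if m := O4.match(line):
            hive, key, name, cmd = m.groups()
            where = "\\".join((hive, RUN_BASE, key))
        elif m := O20.match(line):
            where, (name, cmd) = NOTIFY, m.groups()  # name is the Notify subkey
        else:
            continue  # R0/R3 and other sections are not autostarts
        path = next(g for g in BINARY.match(cmd).groups() if g)
        yield where, name, path.rsplit("\\", 1)[-1].lower(), "\\" not in path

def autostarts_by_binary(lines):
    """Map each file name to every registry location that launches it."""
    found = defaultdict(list)
    for where, _, exe, _ in entries(lines):
        found[exe].append(where)
    return dict(found)

def bare_names(lines):
    """File names registered without a directory, so the log does not show where they live."""
    return sorted({exe for _, _, exe, bare in entries(lines) if bare})
```

Run over the post's lines, `autostarts_by_binary(LOG)` lists `sndcfg16.exe` under both `Run` and `RunServices`, which is why both entries appear in the fix list.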