Tech Support Forum - View Single Post - Help

Ried · 11-30-2005, 08:22 AM

Hello Emmanuel2005 and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download the following programs and tools. Please do not run them until directed to do so.

Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

HSFix

About Buster - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder - Save it to Desktop.

Open CWShredder and click [I AGREE]
Click [Check For Update]
Close CWShredder after updating

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

---------------------------

Go to My Computer->[b]Tools[b]->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Spy Fighter --This is considered a rogue program

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Network Security Service
Double-click on it to open the Properties dialog.
- Under the General tab:
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in 11Fßä#·ºÄÖ`I **please note there is a space before the 11, make sure to include it. Click on the OK button

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe

Delete the following Files and Folders if they still exist.

C:\WINDOWS\system32\ljzuu.dll
C:\WINDOWS\sdksr.dll
C:\WINDOWS\d3sr32.dll
C:\WINDOWS\SYSTEM32\IPXK.EXE
C:\Program Files\SpyFighter
C:\WINDOWS\ntzu32.exe

---------------------------

Run CWShredder & click on [Fix].

Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Double-click on HSfix.reg & answer YES when prompted to merge into the registry.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

---------------------------

Reboot into Normal Mode.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
Click On 'Scan Now'
Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
If it finds any malware, it will offer you a report. Click on see report
Then click Save report
Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

So I need the following logs:

Ewido Results
Ab LogFile.txt
Panda ActiveScan
HijackThis

11-30-2005, 08:22 AM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,551 OS: WinXP and Vista	Hello Emmanuel2005 and welcome to TSF, Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Download the following programs and tools. Please do not run them until directed to do so. Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. HSFix About Buster - Unzip to a new folder. Update About Buster & exit the program once that is completed. CWShredder - Save it to Desktop. Open CWShredder and click [I AGREE] Click [Check For Update] Close CWShredder after updating Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet. Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later. --------------------------- Go to My Computer->[b]Tools[b]->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. --------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Spy Fighter --This is considered a rogue program Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Network Security Service Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in 11Fßä#·ºÄÖ`I please note there is a space before the 11, make sure to include it. Click on the OK button Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - Default URLSearchHook is missing O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe Delete the following Files and Folders if they still exist. C:\WINDOWS\system32\ljzuu.dll C:\WINDOWS\sdksr.dll C:\WINDOWS\d3sr32.dll C:\WINDOWS\SYSTEM32\IPXK.EXE C:\Program Files\SpyFighter C:\WINDOWS\ntzu32.exe --------------------------- Run CWShredder & click on [Fix]. Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. Double-click on HSfix.reg & answer YES when prompted to merge into the registry. Open Cleanup*! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! Run Ewido: Click [Scanner] Click [Complete System Scan] to begin scanning. Click [OK] when prompted to clean files With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean* and click [OK]. Once finished, click the [Save report] button Save the report to your desktop Close Ewido --------------------------- Reboot into Normal Mode. Please run an online scan at http://www.pandasoftware.com/products/activescan.htm Requires Internet Explorer. Make sure you click the "Free Online Virus Scan"* in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it Click On 'Scan Now' Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB Begin the scan by selecting My Computer * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. If it finds any malware, it will offer you a report. Click on see report Then click Save report Post the contents of the report in your next reply along with a new HijackThis log. * Turn off the real time scanner of any existing antivirus program while performing the online scan So I need the following logs: Ewido Results Ab LogFile.txt Panda ActiveScan HijackThis __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."