Tech Support Forum - View Single Post - Help

Ried · 12-01-2005, 08:02 AM

Hi Emmanuel,

For the most part, we're going to have to repeat the previous procedure. This fix needs to be done all at one time, with no pauses in between the steps outlined, so make sure you have enough time set aside.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175) Do not run it yet.

---------------------------

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Network Security Service
Double-click on it to open the Properties dialog.
- Under the General tab:
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in 11Fßä#·ºÄÖ`I **please note there is a space before the 11, make sure to include it. Click on the OK button

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------
Start KillBox.
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\system32\ipwm32.dll
C:\WINDOWS\elcad.dll
C:\WINDOWS\SYSTEM32\IPXK.EXE
C:\WINDOWS\NETGF.EXE
C:\WINDOWS\sdkpg32.exe
C:\WINDOWS\d3fl32.exe
C:\WINDOWS\ipur32.exe
C:\WINDOWS\javaia32.exe
C:\WINDOWS\javasi32.exe
C:\WINDOWS\javazo.exe
C:\WINDOWS\ntzu32.exe
C:\WINDOWS\system32\addyl.exe
C:\WINDOWS\system32\d3ak.exe
C:\WINDOWS\system32\d3xx32.exe
C:\WINDOWS\system32\ipas32.exe
C:\WINDOWS\system32\msdb32.exe
C:\WINDOWS\system32\netir32.exe
C:\WINDOWS\system32\netyp.exe
C:\WINDOWS\system32\ntdo32.exe
C:\WINDOWS\system32\ntlj32.exe
C:\WINDOWS\sdksr.dll

Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.

Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing)
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe

Click 'Fix Checked' and close HijackThis.

Delete the following files/folders:

C:\Documents and Settings\user\Favorites\SITES ABOUT
C:\Documents and Settings\user\Favorites\Only sex website.url

---------------------------

Run CWShredder & click on [Fix].

Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Double-click on HSfix.reg & answer YES when prompted to merge into the registry.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

---------------------------

Reboot into Normal Mode.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
Click On 'Scan Now'
Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
If it finds any malware, it will offer you a report. Click on see report
Then click Save report
Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

So I need the following logs:

Ewido Results
Ab LogFile.txt
Panda ActiveScan
HijackThis

12-01-2005, 08:02 AM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,555 OS: WinXP and Vista	Hi Emmanuel, For the most part, we're going to have to repeat the previous procedure. This fix needs to be done all at one time, with no pauses in between the steps outlined, so make sure you have enough time set aside. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175) Do not run it yet. --------------------------- Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Network Security Service Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in 11Fßä#·ºÄÖ`I please note there is a space before the 11, make sure to include it. Click on the OK button Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. --------------------------- Start KillBox*. Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: C:\WINDOWS\system32\ipwm32.dll C:\WINDOWS\elcad.dll C:\WINDOWS\SYSTEM32\IPXK.EXE C:\WINDOWS\NETGF.EXE C:\WINDOWS\sdkpg32.exe C:\WINDOWS\d3fl32.exe C:\WINDOWS\ipur32.exe C:\WINDOWS\javaia32.exe C:\WINDOWS\javasi32.exe C:\WINDOWS\javazo.exe C:\WINDOWS\ntzu32.exe C:\WINDOWS\system32\addyl.exe C:\WINDOWS\system32\d3ak.exe C:\WINDOWS\system32\d3xx32.exe C:\WINDOWS\system32\ipas32.exe C:\WINDOWS\system32\msdb32.exe C:\WINDOWS\system32\netir32.exe C:\WINDOWS\system32\netyp.exe C:\WINDOWS\system32\ntdo32.exe C:\WINDOWS\system32\ntlj32.exe C:\WINDOWS\sdksr.dll Go to the File menu, and choose Paste from Clipboard Click on the dropdown menu next to Full Path of File to Delete field. Verify that the filenames you pasted are found there Select/tick the following: Delete on Reboot * End Explorer Shell While Killing File * Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt. --------------------------- Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - Default URLSearchHook is missing O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing) O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing) O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe Click 'Fix Checked' and close HijackThis. Delete the following files/folders: C:\Documents and Settings\user\Favorites\SITES ABOUT C:\Documents and Settings\user\Favorites\Only sex website.url --------------------------- Run CWShredder & click on [Fix]. Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. Double-click on HSfix.reg & answer YES when prompted to merge into the registry. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! Run Ewido: Click [Scanner] Click [Complete System Scan] to begin scanning. Click [OK] when prompted to clean files With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean* and click [OK]. Once finished, click the [Save report] button Save the report to your desktop Close Ewido --------------------------- Reboot into Normal Mode. Please run an online scan at http://www.pandasoftware.com/products/activescan.htm Requires Internet Explorer. Make sure you click the "Free Online Virus Scan"* in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it Click On 'Scan Now' Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB Begin the scan by selecting My Computer * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. If it finds any malware, it will offer you a report. Click on see report Then click Save report Post the contents of the report in your next reply along with a new HijackThis log. * Turn off the real time scanner of any existing antivirus program while performing the online scan So I need the following logs: Ewido Results Ab LogFile.txt Panda ActiveScan HijackThis __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."