01-05-2006, 08:28 AM   #4
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 

Hi,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this.

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe . Do not run it yet.

S&D Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


---------------------------

Click START > RUN and type in regedit. Make sure just "My Computer" is showing in the left pane, click FILE > EXPORT, and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CLASSES_ROOT\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791}

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

---------------------------

Click on the Start button & select Run
Type in tasks & click Ok
In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks'

Delete the following Tasks:

A0A9CD9D91A67E41.job
A247B21990102599.job
A327A5AF90005FEB.job
A6B728339198A08B.job
A8938F6D91E803AD.job
A93CFA75916F7919.job
AB5B0A71912C808D.job
AC5C03A29357BD96.job
AD2A1D12918592DA.job
AF47999291980B32.job
AFFCA9F091875B0C.job


---------------------------


Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes. If there is anything in the Remove pane, please put it back into the Keep pane.
  4. Now highlight any instances of 'xfire_lsp_10650.dll'
  5. Then click on the arrow pointing to the right, >>.
  6. This will move the entry to the right pane labeled Remove
  7. Click the Finish button to complete the fix.

---------------------------

Still from Normal Mode:

Run a scan in HijackThis. 'Check' each of the following if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iomrhmimhgdt.com/KZe3t6V9...hTLRorRTF.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzfumpjujrsjsxzovzjnduy.c...HqvLAMdl8.html
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [01 Enc] C:\DOCUME~1\ZACHSH~1\APPLIC~1\MEMOEA~1\MediaKeepLoud.exe


Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Files and Folders if they still exist.

C:\WINDOWS\SYSTEM32\saie_gdf.dat
C:\PROGRAM FILES\dialers
C:\PROGRAM FILES\COMMON FILES\Totem Shared
C:\Documents and Settings\Administrator\Application Data\Memo Each Face
C:\Documents and Settings\Elizabeth Shepherd\Application Data\Stop meta
C:\Documents and Settings\Elizabeth Shepherd\Application Data\Memo Each Face
C:\Documents and Settings\Pam Shepherd\Application Data\Memo Each Face
C:\Documents and Settings\Zach Shepherd\Application Data\Memo Each Face
C:\Documents and Settings\Zach Shepherd\Application Data\Stop meta

---------------------------

Clear your Mozilla cookies:

Open Mozilla>Tools>Options>Privacy
Click on Cookies
Click the Clear button.
Click OK

Reboot your system and run an online scan at Kaspersky:

Perform an online scan using Internet Explorer with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files:
*Once the files have been downloaded click on NEXT
Now click on Scan Settings
*In the scan settings make sure that the following are selected:
*Scan using the following Anti-Virus database:
*Standard
*Scan Options:
*Scan Archives
*Scan Mail Bases
*Click OK
Now under select a target to scan:
*Select My Computer
The program will start and scan your system.
*The scan will take a while so be patient and let it run.
*Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button:
*Save the file to your desktop.
Copy and paste that information in your next post along with a new HijackThis log.

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and paste the list from the notebook here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 01-05-2006 at 08:35 AM.
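
A read-only check that the artifacts named in the post are gone after the cleanup, as an added example that is not part of Ried's post. It assumes PowerShell is available on the machine, reads the Winsock catalogue from its usual registry location, and generalises the post's per-user folder list to every profile under C:\Documents and Settings.

```powershell
# Added example (not from the post): read-only check, nothing is deleted.
# Names and paths are copied from the post; the Winsock catalogue key and
# the per-profile sweep are assumptions of this example.
$findings = @()

$typeLib = 'Registry::HKEY_CLASSES_ROOT\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791}'
if (Test-Path -LiteralPath $typeLib) { $findings += "Registry key: $typeLib" }

# Hidden scheduled tasks are .job files in %WINDIR%\Tasks
$jobs = 'A0A9CD9D91A67E41','A247B21990102599','A327A5AF90005FEB','A6B728339198A08B',
        'A8938F6D91E803AD','A93CFA75916F7919','AB5B0A71912C808D','AC5C03A29357BD96',
        'AD2A1D12918592DA','AF47999291980B32','AFFCA9F091875B0C'
foreach ($job in $jobs) {
    $file = Join-Path $env:WINDIR "Tasks\$job.job"
    if (Test-Path -LiteralPath $file) { $findings += "Scheduled task: $file" }
}

# Each Winsock catalogue entry stores its provider DLL path inside PackedCatalogItem
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
Get-ChildItem -LiteralPath $catalog -ErrorAction SilentlyContinue | ForEach-Object {
    $blob = (Get-ItemProperty -LiteralPath $_.PSPath).PackedCatalogItem
    if ($blob -and ([Text.Encoding]::ASCII.GetString($blob) -match 'xfire_lsp_10650\.dll')) {
        $findings += "Winsock LSP entry: $($_.PSChildName)"
    }
}

# The O4 entry in the post is a value under the current user's Run key
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run.'01 Enc') { $findings += "Run value '01 Enc': $($run.'01 Enc')" }

# System-wide paths from the post, plus the two folder names under every profile
$fixed = 'C:\WINDOWS\SYSTEM32\saie_gdf.dat', 'C:\PROGRAM FILES\dialers',
         'C:\PROGRAM FILES\COMMON FILES\Totem Shared'
$perUser = Get-ChildItem -LiteralPath 'C:\Documents and Settings' -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($dir in 'Memo Each Face', 'Stop meta') {
            Join-Path $_.FullName "Application Data\$dir"
        }
    }
foreach ($path in ($fixed + $perUser | Where-Object { $_ })) {
    if (Test-Path -LiteralPath $path) { $findings += "File or folder: $path" }
}

if ($findings) { $findings } else { 'No listed artifacts found.' }
```

Run it from the affected user's account, since the Run-key check reads HKCU for whoever is logged in.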