Thread: ads in web pages with popups and redirect
View Single Post
Old 01-06-2006, 02:38 PM   #4 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Quote:
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ROYDAL~1\LOCALS~1\Temp\HijackThis.exe
This is the reason why FixWareOut didnt open HijackThis automatically. You were running HijackThis out of a zipped archieve.

Please create a new directory - C:\Program Files\HijackThis
Extract HijackThis into there.
Once you have done that, it's IMPORTANT that you double click on hijackthis.exe to run the program.
Exit the program once you have done so.


* * * * * *


Save the following instructions in Notepad & ensure that Ewido is disabled. Keep it disabled till I tell you you're clean.


Go to Start > Run - type C:\fixwareout\FixIt.bat <Press Enter>
This will run the fixwareout tool again

Follow the on-screen prompts & reboot your computer when instructed to do so.

After you have restarted, wait for HijackThis to launch automatically.
With HiJackThis & place a check next to these items and select "Fix checked":

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\YourSiteBar\ysb.dll"
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

Close HijackThis, and click OK to proceed.


* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\WINDOWS\banmanpro.exe
    C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
    C:\WINDOWS\nem220.dll
    C:\WINDOWS\SYSTEM32\DH9013.exe
    C:\WINDOWS\uhncdsdp.exe
    C:\WINDOWS\WinDy.exe
    C:\WINDOWS\SYSTEM32\CSCSZ.EXE
    C:\WINDOWS\SYSTEM32\DMFZX.EXE
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • ISTsvc
    Power Scan
    SideFind
    SurfAccuracy
    YourSiteBar
    Internet Optimizer
Please note any other programs that you dont recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\ISTsvc\
    C:\Program Files\Power Scan
    C:\Program Files\SideFind\
    C:\Program Files\SurfAccuracy\
    C:\Program Files\YourSiteBar\
    C:\Program Files\Internet Optimizer\

Delete the contents of this folder,leaving the container folder empty

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *

This will clear the System Volume Information folder
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


Do another Kaspersky scan using the earlier settings & post the resultant log


In your next post, please include fresh logs from:
  • FixWareout's log
  • HiJackThis log
  • Online Scan
  • Ewido (Safe Mode)
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline