Thanks for being so patient.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
==========================================================
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
==========================================================
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't good at all. They collect information about you and your usage. We recommend uninstalling it.
==========================================================
Additional Downloads
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Windows Update to get the KB912919 patch.
--------------------
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop.
-------------------
Please download Cleanup! and install it. Do NOT run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.
-------------------
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
-------------------
Download this removal tool for Adware.IEPlugin and save it to your desktop.
------------------
Download and install Ewido Security Suite.
When installing, under "Additional Options":
- uncheck Install background guard
- uncheck Install scan via context menu
Double-click the icon on Desktop to launch Ewido.
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
When you have finished updating, EXIT Ewido.
If you are having problems with the updater, you can use this link to manually update Ewido.
------------------
Download and unzip BFUzip from
http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
Execute the script by clicking the Execute button.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
==========================================================
Download KillBox (it's important that you get version v2.0.0.175)
Launch KillBox.exe & select the following options:
delete on Reboot
Select all the filenames listed below & then right-click & select Copy
C:\WINDOWS\IA\command.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\sms_msn.exe
C:\temp\salm.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\snss\snss.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\z00098.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\APD123.exe
C:\WINDOWS\vezod.exe
C:\Program Files\Network\network.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\sf\sf.exe
C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
C:\WINDOWS\nwf.exe
C:\PROGRA~1\COMMON~1\orwf\orwfa.exe
C:\Program Files\System Files\System.exe
C:\PROGRA~1\COMMON~1\orwf\orwfl.exe
C:\windows\rlvknlg.exe
C:\WINDOWS\system32\l4dsds.exe
C:\WINDOWS\ghbosuyv.dll
C:\WINDOWS\System32\zkcqfqaq.dll
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\ghbosuyv.dll
C:\WINDOWS\System32\nsk29.dll
C:\WINDOWS\DH.dll
C:\WINDOWS\System32\WinNB57.dll
C:\WINDOWS\System32\wuauclt.dll
* Go to the File menu, and choose Paste from Clipboard
* Click the unregister .dll Before Deleting (if not greyed out)
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.
Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
==========================================================
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
==========================================================
Click Start->Run - type SERVICES.MSC & then click on the OK button
- Locate the service - cmdService. Double-click on it to open the Properties dialog.
- Change the Startup type to Disabled & then click on the OK button
- Then start HijackThis & go to Config>Misc.Tools...> Delete an NT service...
- In the popup box that appears, type in "cmdService" & then click on the OK button
Answer No when prompted to reboot
==========================================================
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
AutoUpdate
VBouncer
Media Access
WildTangent
BullsEye Network
MarketBrowser
==========================================================
Open HijackThis and click on Scan. Check the following entries
(make sure you do not miss any)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - C:\WINDOWS\System32\zkcqfqaq.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - C:\WINDOWS\System32\zkcqfqaq.dll
F2 - REG:system.ini: Shell=Explorer.exe smsse.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {2B8DFA48-CA00-3CE6-1565-ED0A5B7BBB5D} - C:\WINDOWS\ghbosuyv.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsk29.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - C:\WINDOWS\System32\zkcqfqaq.dll
O2 - BHO: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - C:\WINDOWS\System32\zkcqfqaq.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
O3 - Toolbar: Search - {EF7AC596-721D-2D17-0A4D-354348C9EA68} - C:\WINDOWS\ghbosuyv.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe " -boot
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
O4 - HKLM\..\Run: [vezod] C:\WINDOWS\vezod.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tgtubun] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [orwf] C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0003.exe
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins009.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
Please remember to close all other windows, including browsers then click Fix checked.
==========================================================
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\IA
C:\Program Files\snss
C:\Program Files\AutoUpdate
C:\Program Files\Network
C:\Program Files\apsi
C:\Program Files\sf
C:\PROGRA~1\COMMON~1\orwf
smsse.exe <<<=you will have to search for this one.
msxct.exe <<<=you will have to search for this one.
C:\Program Files\Media Access
C:\Program Files\WildTangent
C:\Program Files\BullsEye Network
wuamgrd.exe <<<=you will have to search for this one.
PowerReg Scheduler V3.exe <<<=you will have to search for this one.
PowerReg Scheduler.exe <<<=you will have to search for this one.
C:\Program Files\MarketBrowser
==========================================================
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.
==========================================================
Open Ad-aware and do a full scan. Remove all it finds.
==========================================================
Run Cleanup! using the following configuration:
- Click Options...
- Set the slider to Standard CleanUp!
- Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
- Click OK
- Press the CleanUp! button to start the program.
- Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
==========================================================
Run Ewido with its updated definitions: (...it's important that all windows must be closed)
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
- "Perform action on all infections"
- Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop
** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC
==========================================================
Reboot your system in Normal Mode.
==========================================================
Do a HijackThis scan & place a check next to these items if they still exist.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tgtubun] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [orwf] C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
Close HijackThis.
==========================================================
Perform an online scan with Internet Explorer with Kaspersky WebScanner
Next Click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.
==========================================================
In your next post I will need fresh logs from:
1) HijackThis
2) Ewido log
3) Kaspersky scan
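
Added example, not part of the original post: a way to check a fresh HijackThis log against the fix list above and see which entries still exist after the cleanup. The function names and the fresh log are constructed for illustration; the three fix-list lines are copied from the post.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[([^\]]+)\]")  # "HKCU\..\Run: [name] cmd"

def entry_key(line):
    """Identity of a HijackThis entry, or None if the line is not one.
    Keyed on CLSID or Run value name, not the whole line: the file part
    turns into "(no file)" when the file is deleted but the key remains."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID.search(body)
    if clsid:
        kind = body.split(":", 1)[0].lower()   # "bho", "extra button", ...
        return (section, kind, clsid.group(0).upper())
    run = RUN.match(body)
    if run:  # registry value names are case-insensitive
        return (section, run.group(1), run.group(2).lower())
    return (section, "", " ".join(body.lower().split()))

def still_present(fix_list, fresh_log):
    """Fix-list lines whose entry still appears in the fresh log."""
    fresh = {entry_key(l) for l in fresh_log.splitlines()} - {None}
    return [l.strip() for l in fix_list.splitlines()
            if entry_key(l) in fresh]   # None never matches: removed above

# Three entries copied from the fix list in the post.
FIX_LIST = r"""
O2 - BHO: (no name) - {2B8DFA48-CA00-3CE6-1565-ED0A5B7BBB5D} - C:\WINDOWS\ghbosuyv.dll
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKLM\..\Run: [vezod] C:\WINDOWS\vezod.exe
"""
# Constructed fresh log: the BHO key survives without its file, [nwf] is
# still there, [vezod] is gone, and one unrelated constructed entry exists.
FRESH_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {2B8DFA48-CA00-3CE6-1565-ED0A5B7BBB5D} - (no file)
O4 - HKCU\..\Run: [NWF] C:\WINDOWS\nwf.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, FRESH_LOG):
        print("still present:", line)
```

The BHO line is reported even though its DLL is gone, which is the case a plain text comparison of the two logs would miss.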