This is going to take you some time. Be sure to complete each and every step.
Please download & install the trial version of Kaspersky Personal Pro
Have it update its virus definitions & then exit the program.
Please download these additional files/programs. Do not run them unless instructed to do so.
smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
*Note* Alternate download sites for smitrem... http://www.downloads.subratam.org/smitRem.exe
http://www.bleepingcomputer.com/file...ar/smitRem.exe
DelDomains.inf
Right-click and select Save Target As - save it to your desktop.
To use: Right-click and select Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"
Download Ewido Security Suite
- Install Ewido Security Suite
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
Download and install CleanUp!
NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (if present)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
It may ask you to log-off/reboot at the end, if it does please do so.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Run Ewido with its updated definitions: (...it's important that all windows must be closed)
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
- "Perform action on all infections"
- Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop
** Ewido scan would require at least an hour.
Do a full system scan with Kaspersky & have it disinfect all that it finds.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\msnscps.dll
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum587.exe ymmud
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
Delete the following Files/Folders if they exist:
C:\WINDOWS\System32\msnscps.dll
c:\windows\eee2.exe
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\sysvx_.exe
C:\WINDOWS\inet20004
C:\WINDOWS\System\svwhost.exe
C:\WINDOWS\System32\bum587.exe
C:\WINDOWS\sachostx.exe
C:\WINDOWS\System32\intell321.exe
C:\Program Files\AlfaCleaner
C:\WINDOWS\SYSTEM32\msupdate32.dll
Next go to Control Panel, click Display>Desktop>Customize Desktop>Website>Uncheck and delete if present:
- "Security Info"
- "Warning Message"
- "Security Desktop"
- "Warning Homepage"
- "Desktop Uninstall"
Restart in normal mode if possible.
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
IMPORTANT!: You will need to use the direct link to SP1 below.
Before we can proceed any further, please visit Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.
Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP.... therefore if you cannot update Windows XP to SP1 we must stop the cleansing process here.
**Note** If you're having trouble locating the service pack SP1a here is a direct link to download it from..
http://download.microsoft.com/downlo...p1a_en_x86.exe
Run a new scan with HJT, in normal mode if possible now, save the log and post it.
Thank you for your cooperation.
Return with logs from:
Ewido
smitfiles.txt
Kaspersky online scan
HJT
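
A check for the follow-up HijackThis log requested above, added here as an example and not part of the original post: it reports any fix-list entry that still appears in a new log. `FIX_LIST` is a subset of the entries listed in the post, `NEW_LOG` is a constructed sample, and matching on section, registry hive or entry kind, and file path (case-insensitive) is an assumption of this example.

```python
import re

# Entries copied from the fix list in the post above (a subset, for brevity).
FIX_LIST = r"""
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\msnscps.dll
O4 - HKLM\..\Run: [TIAP] c:\windows\eee2.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
"""

# Constructed follow-up log: two listed entries survive, the rest is unrelated.
NEW_LOG = r"""
Running processes:
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [tiap] C:\WINDOWS\eee2.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\system32\msupdate32.dll
"""

ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")                       # "O4 - <rest>"
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)  # first file path

def parse(log_text):
    """Map (section, kind, lower-cased path) -> original line for each O-entry."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, rest = m.groups()
        path = PATH.search(rest)
        if path:
            # kind is the text before the first colon: "HKLM\..\Run", "BHO", ...
            kind = rest.split(":", 1)[0].casefold()
            entries[(section, kind, path.group(0).casefold())] = line.strip()
    return entries

def still_present(fix_list, new_log):
    """Lines of the new log that match a fix-list entry and so were not removed."""
    wanted, found = parse(fix_list), parse(new_log)
    return sorted(found[key] for key in wanted.keys() & found.keys())

if __name__ == "__main__":
    for line in still_present(FIX_LIST, NEW_LOG):
        print("STILL PRESENT:", line)
```
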