Hello again sbelgard, and thank you for your patience.
Did you add *.af.mil to your Trusted Zone?
Before You Begin...
Please print out this page or copy it to Notepad to help you carry out the following instructions. Make sure to work through the fixes in the exact order they are mentioned below, and if there's anything that you don't understand, please ask any questions you may have before proceeding with the fix. You should not have any browsers or windows open, other than the programs mentioned in the fix, when you are following the procedures below.
Disable SpySweeper
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper:
- Open SpySweeper
- Go to the Options -> Program Options
- Uncheck Load at Windows Startup
- Click Shields and uncheck all items there
- Uncheck Home Page Shield.
And then close SpySweeper.
View Hidden and System Files
Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show hidden files and folders. Uncheck Hide protected operating system files (recommended), and make sure to uncheck Hide file extensions for known file types. Click OK.
Download Tools
Please download Cleanup! or use this alternate link if the main link does not work and install it. You will use this later.
NOTE: Do not run this program if you have XP Professional 64 bit edition. If you are unsure as to whether or not you have a 64 bit version of XP, please download and run this tool: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe
I see you already have Ewido Anti-malware installed on your system. Please make sure it is updated to the latest definitions:
- Open Ewido
- On the left hand side of the main screen, click Update
- Then click on the Start Update button. The update will start and a progress bar will show the updates being installed.
- After it has finished, close Ewido. We will use it later.
If you have problems with the updater, you can use the Ewido manual updater instead of the automatic updater.
Download Host.zip to your desktop. We'll use it later.
CWShredder
Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on Fix (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
Restart to Safe Mode
Restart your computer, and repeatedly tap the F8 key (or the appropriate key for your system) until the menu appears. Select Safe Mode from that menu.
Uninstall Programs
Click Start -> Control Panel -> Add/Remove Programs and uninstall the following programs (if they exist):
MyWebSearch
Do not reboot if prompted by the uninstaller.
Fix HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm415BXUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/appli...ClientUtil.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll
Please remember to close all other windows (including browsers) then click Fix checked.
Delete Files
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.
C:\WINDOWS\SYSTEM32\winzzc32.dll
Let me know if you can't find or delete it.
CleanUp!
NOTE: Cleanup deletes EVERYTHING out of temporary folders and does not make backups. If you have any files in your temporary folders you want to keep, move them now!
Open Cleanup! by double-clicking the icon on your desktop (or from Start -> All Programs). Set the program up as follows:
- Click Options
- Move the slider button down to Custom CleanUp!
- Check the following:
  - Empty Recycle Bins
  - Delete Cookies
  - Delete Prefetch files
  - Cleanup! All Users
- Uncheck the following:
  - Scan local drives for temporary files
Click OK, then press the CleanUp! button to start the program.
Do not reboot when prompted.
Ewido
Close all open windows and please do not open any new windows during the course of this scan. Open Ewido.
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans, Ewido is finding cases of false positives. You will need to step through the process of cleaning files one-by-one.
- If Ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
- Close Ewido
NOTE: The Ewido scan will require at least an hour to run.
Restart to Normal Mode
Restart your system normally.
MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
- From your Desktop right-click hosts.zip and select Extract All from the menu.
- Click Next, click Next, select the option Show Extracted files, click Finish. This will open the newly created hosts folder on your desktop.
- Double-click on the included mvps.bat file. This will rename the existing hosts file to hosts.mvp, then it will copy the included updated hosts file to the correct location on your machine.
Scan with Panda ActiveScan
Perform an online scan with Internet Explorer with Panda ActiveScan (click on the Free To Use ActiveScan located on the top right hand corner).
- Click Check Now and a "pop up" window will appear. Please ensure that your pop up blocker doesn't block it!
- Enter your e-mail address, country, and state & click Scan Now. The download of the 8 MB Panda's ActiveX control will now take place.
Begin the scan by selecting My Computer.
- If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report
NOTE: You don't need to remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Please turn off the real time scanners of any antivirus programs on your system while performing the online scan.
Logfiles Required
- The Ewido logfile
- The Panda ActiveScan report
- A new HiJackThis log
And please advise as to how your system is running.
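
As an added example (not part of the original post, and not code from HijackThis or MVPS): a Python sketch that audits hosts-file text the way the steps above treat it, separating loopback sinkhole entries of the kind the MVPS file uses from entries that point a name at some other address, which HijackThis lists as O1. The sample content, the function names and the example.test hostnames are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts content (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.test   # sinkholed ad host
0.0.0.0         tracker.example.test
207.68.172.246  msn.com
207.68.172.246  msn.com
192.0.2.10      bank.example.test www.bank.example.test
not-an-ip       broken.example.test
"""

def audit_hosts(text):
    """Classify hosts entries as sinkhole, redirect or malformed."""
    report = {"sinkhole": [], "redirect": [], "malformed": [], "duplicates": 0}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) < 2:                  # address with no hostname
                raise ValueError("no hostname")
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name == "localhost":              # standard entry, not a finding
                continue
            key = (str(addr), name)
            if key in seen:                      # repeated line, count it once
                report["duplicates"] += 1
                continue
            seen.add(key)
            # 127.0.0.0/8, ::1 and 0.0.0.0 never leave the machine: blocking entry.
            local = addr.is_loopback or addr.is_unspecified
            report["sinkhole" if local else "redirect"].append((lineno, str(addr), name))
    return report

def as_o1_lines(report):
    """Render redirect entries in the O1 log format shown in the post."""
    return [f"O1 - Hosts: {ip} {name}" for _, ip, name in report["redirect"]]

if __name__ == "__main__":
    print("\n".join(as_o1_lines(audit_hosts(SAMPLE_HOSTS))))
```
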