Thread: Fatal Errors Using Virus Scanning (Norton Systemworks)
View Single Post
Old 04-21-2006, 02:17 AM   #3 (permalink)
MoralTerror
Analyst, Security Team
 
MoralTerror's Avatar
 
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp


Hi Paul

Please print this page or copy it to Notepad in order to assist you while carrying out the following instructions.

Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.

Please disable Ewido Security Suite's Guard by doing the following:
  • Open ewido by double-clicking the yellow 'e' icon in the system tray.
  • In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
  • When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

Launch Ewido & click Update from the left pane
Then click on Start Update.[/list]
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Please leave both of those programs disabled until your logs are clean.

Please use Symantec's guide to remove the Norton Quarantine files.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files


Click OK, Press the CleanUp! button to start the program and reboot when prompted.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files


With the first file it prompts to clean, select the option:

* "Perform action on all infections"
* Choose clean and click OK.


Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\RECYCLER\NPROTECT\01501711.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe
O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://217.69.157.142/player/kdreg.cab
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)



Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED if they still exist.

winccf32.dll find via start>search
wkssvc.exe find via start>search
C:\RECYCLER\NPROTECT\01501711.exe



Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJack This log.

Required Logs

Ewido report
Panda report
new HijackThis log
MoralTerror is offline