Tech Support Forum - View Single Post

Hustler24 · 06-09-2006, 12:24 AM

Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

DISABLE ANTISPYWARE PROTECTION

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

DISABLE AND DELETE SERVICES

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Network DDE Connections
Double-click on it to open the Properties dialog.
Under the General tab:
Stop the service by using the Stop button.
Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, copy/paste NETDDEC Click on the OK button

Repeat the above steps for the service Netbios Helper Service.

------------------

DOWNLOADS

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

------------------

Please download Dr.Web CureIT

Alternate Download Site http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html

-------------------

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop.

-------------------

SAFE MODE

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

------------------

KILL PROCESSES

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\system32\lssas.exe < NOTE THE SPELLING

-------------------

ADD/REMOVE PROGRAMS

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint
Viewpoint Manager
Viewpoint Bar

-----------------

FIXES WITH HIJACK THIS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{65AC7DBC-C91A-4491-AC50-E64E85AA3C38}: NameServer = 85.255.116.125,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA39CCB-5D01-44CE-9B8D-4F2CF4F6F68C}: NameServer = 85.255.116.125,85.255.112.109
O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe

Please remember to close all other windows, including browsers then click Fix checked.

FILE DELETIONS

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Viewpoint
C:\WINDOWS\system32\hgqhp.exe
C:\WINDOWS\SYSTEM32\sertgs.dll
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\lssas.exe < NOT THE LEGITIMATE lsass.exe

CLEANUP!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK
Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.

-------------------

DR WEB CURE IT!

Doubleclick the "drweb-cureit.exe" and click "OK" in the prompt window that will open.
Then click "start the express scan now". It will first make a quick scan of your system so let it clean what it finds and when it says "done" click on the Green Screwdriver-ActionsTab, Adware-Dialers-Riskware-Hacktools and use dropdown menu and select "Delete"
Click on the drive(s) you want to scan.
A red dot * will mark the selected drive(s) then hit the green arrow in lower right corner.
It will now scan your drive(s) so say YES to ALL.

Reboot your system in Normal Mode.

----------------------

FIX WAREOUT

Double-click the Fixwareout file that you downloaded earlier. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved as C:\fixwareoutreport.txt. Post it in your reply.

-----------------

ONLINE SCAN

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJackThis log, the log from DrWeb CureIt and C:\fixwareoutreport.txt.

06-09-2006, 12:24 AM	#3 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Hello and welcome to TSF Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. DISABLE ANTISPYWARE PROTECTION Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. DISABLE AND DELETE SERVICES Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Network DDE Connections Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, copy/paste NETDDEC Click on the OK button Repeat the above steps for the service Netbios Helper Service. ------------------ DOWNLOADS Download and install CleanUp! but do not run it yet. WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. ------------------ Please download Dr.Web CureIT Alternate Download Site http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html ------------------- Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe http://www.bleepingcomputer.com/file...Fixwareout.exe Save it to your desktop. ------------------- SAFE MODE Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. ------------------ KILL PROCESSES Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time). C:\WINDOWS\system32\lssas.exe < NOTE THE SPELLING ------------------- ADD/REMOVE PROGRAMS Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): Viewpoint Viewpoint Manager Viewpoint Bar ----------------- FIXES WITH HIJACK THIS Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O1 - Hosts: 64.91.255.87 www.dcsresearch.com O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{65AC7DBC-C91A-4491-AC50-E64E85AA3C38}: NameServer = 85.255.116.125,85.255.112.109 O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109 O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA39CCB-5D01-44CE-9B8D-4F2CF4F6F68C}: NameServer = 85.255.116.125,85.255.112.109 O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe *Please remember to close all other windows, including browsers then click Fix checked.* FILE DELETIONS Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\Viewpoint C:\WINDOWS\system32\hgqhp.exe C:\WINDOWS\SYSTEM32\sertgs.dll C:\WINDOWS\system32\altsvc.exe C:\WINDOWS\system32\service.exe C:\WINDOWS\system32\lssas.exe < NOT THE LEGITIMATE lsass.exe CLEANUP! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked. Click OK Press the CleanUp!* button to start the program. DO NOT reboot/logoff when prompted. ------------------- DR WEB CURE IT! Doubleclick the "drweb-cureit.exe" and click "OK" in the prompt window that will open. Then click "start the express scan now". It will first make a quick scan of your system so let it clean what it finds and when it says "done" click on the Green Screwdriver-ActionsTab, Adware-Dialers-Riskware-Hacktools and use dropdown menu and select "Delete" Click on the drive(s) you want to scan. A red dot * will mark the selected drive(s) then hit the green arrow in lower right corner. It will now scan your drive(s) so say YES to ALL. Reboot your system in Normal Mode. ---------------------- FIX WAREOUT Double-click the Fixwareout file that you downloaded earlier. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved as C:\fixwareoutreport.txt. Post it in your reply. ----------------- ONLINE SCAN Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan Paste the Panda Scan report here together with a new HiJackThis log, the log from DrWeb CureIt and C:\fixwareoutreport.txt. Last edited by Hustler24; 06-09-2006 at 12:29 AM.