Hello Nana123,
I'm happy to hear you fixed your mouse problem, but your computer still has some malware issues we'd like to resolve for you.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Please do these steps in order and do not skip any.
Downloads
Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
Please download Ewido Anti-Malware.
- Install Ewido anti-malware
- Launch Ewido, there should be an icon on your desktop, double-click it.
- The program will now open to the main screen. When you run Ewido for the first time, you may get a warning "Database could not be found!" -- just click OK.
- You will need to update Ewido to the latest definition files:
- On the left hand side of the main screen click update.
- Then click on Start Update.
- The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
- Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update Ewido:
Ewido manual updates
Please download Brute Force Uninstaller to your desktop.
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (i.e., C:\BFU).
Do not do anything with these yet!
Download and install CleanUp! but do not run it yet.
*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Download L2mfix from one of these two locations:
- http://www.downloads.subratam.org/l2mfix.exe
- http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Do not do anything with the extracted folder yet.
Disable AntiSpyware
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper:
- Go to the Options>Program Options
- Uncheck Load at Windows Startup
- Click Shields & uncheck all items there
- Uncheck Home page shield.
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
- Open Windows Defender.
- Click on Tools, General Settings.
- Scroll down and uncheck Turn on real-time protection (recommended).
- After you uncheck this, click on the Save button and close Windows Defender.
Reboot To Safe Mode
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key, so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.
HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist, make sure you do not miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.el.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...3/cpbrkpie.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\d80m0id1e80.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l0n40a5qed.dll (file missing)
Please remember to close all other windows, including browsers then click Fix checked.
Downloaded Tool Fixes
Please go to Start > My Computer and navigate to the folder you installed BFU in (i.e., C:\BFU).
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
- Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
- Click "Options..."
- Move the arrow down to "Custom CleanUp!"
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
- Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
- Click OK
- Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.
Open Ewido:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.
Open the l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread with your next reply.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Normal Mode
Reboot your system in Normal Mode.
Online Virus Scan
Perform an online scan with Internet Explorer with Panda ActiveScan. Click on the "Free To Use ActiveScan" located on the top right hand corner.
- Click Check Now and a "pop up" window will appear. (Please ensure that your pop up blocker doesn't block it)
- Enter your e-mail address, country, and state & click Scan Now. Your computer will download Panda's 8 megabyte ActiveX control at this point.
- Begin the scan by selecting My Computer. Note:
- Please turn off the real time scanner of any existing antivirus program while performing the online scan.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report.
- You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
With Your Next Post...
Please paste the following logs:
- Ewido report
- l2mfix report
- Panda Scan report
- a new HiJackThis log taken after Panda finishes.
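
Added example, not part of the original post: a small Python parser for the HijackThis entry format shown under "HijackThis Fixes", which groups entries by section code and reports which Winlogon Notify DLLs are marked "(file missing)". The function names are this example's own; the sample lines are copied from the post, plus one constructed non-entry line.

```python
import re
from collections import defaultdict

# Sample lines copied from the "HijackThis Fixes" list in the post above,
# plus one constructed non-entry line to show that other text is skipped.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.el.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R3 - Default URLSearchHook is missing
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...3/cpbrkpie.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\d80m0id1e80.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l0n40a5qed.dll (file missing)
This line is not a HijackThis entry
"""

# "<section code> - <detail>", e.g. "R0 - ..." or "O20 - ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# "Winlogon Notify: <name> - <dll path>[ (file missing)]"
NOTIFY_RE = re.compile(
    r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_entries(text):
    """Return (code, detail) for every line that has HijackThis entry form."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries

def group_by_code(entries):
    """Group entry details by section code (R0, R1, O16, O20, ...)."""
    groups = defaultdict(list)
    for code, detail in entries:
        groups[code].append(detail)
    return dict(groups)

def winlogon_notify(entries):
    """Return (name, dll_path, file_missing) for each O20 Winlogon Notify entry."""
    found = []
    for code, detail in entries:
        m = NOTIFY_RE.match(detail) if code == "O20" else None
        if m:
            found.append((m.group("name"), m.group("path"), m.group("missing") is not None))
    return found

if __name__ == "__main__":
    for name, path, missing in winlogon_notify(parse_entries(SAMPLE_LOG)):
        print(f"{name}: {path} (file missing: {missing})")
```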