Tech Support Forum - View Single Post

sUBs · 07-25-2006, 10:58 AM

Okay, one down. Several more to go. This is gonna be a huge fix

Please read this post completely before begining. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * *

Before fixing anything, Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\WINDOWS\system32\sys_dll.dll
C:\Program Files\RngInterstitial.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Please submit it to this webpage

Please include a link to this topic in the message.

* * * * * * WIN32DELFKIL * * * * * * * * * * * * * * * * * * * *

Download win32delfkil.exe.

Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop called win32delfkil.
Close all windows and open the win32delfkil folder and double click on fix.bat.
Once the tool has finished the computer will reboot automatically. If it does not reboot...please do so manually by turning the power off and then back on.
Post the contents of the logfile c:\windelf.txt when every task is complete

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

Download & install - CleanUp.exe (not recommended for WinXP64)

Donwload & save on Desktop, the file attached to this post - sUBs000.zip
Dont do anything with it yet. We'll use it later

Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download Ewido Anti-Malware

Install Ewido Anti-Malware
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update.

If you are having problems with the updater, you can use this link to manually update Ewido

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *

Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it

In case Purityscan or OINS is not listed, download and use this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Please note any other programs that you dont recognize in your next response

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {29DC52A8-BEA3-4CDE-8F20-FC3A50BBE49B} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g59559484.dll
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hwspade..._9 256677.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\system32\alg.dll
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * *

Locate the attachment you downloaded earlier - sUBs000.zip
Double click the file within & it shall produce a log for you

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Delete Cookies

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner & select the Scan tab
Click Complete System Scan to begin scanning.
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop.

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

* * * *

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

* * * *

Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.

* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *

Establish an internet connection & perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh copies of:

HiJackThis log

Fresh combofix log

c:\windelf.txt

Online scan

Log produced by sUBs.bat

rapport.txt

Ewido's log

Let us know if any problems persist.

07-25-2006, 10:58 AM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,326 OS: N/A	Okay, one down. Several more to go. This is gonna be a huge fix Please read this post completely before begining. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * Before fixing anything, Please download the Suspicious File Packer from here: http://www.safer-networking.org/files/sfp.zip Unzip it to the desktop and run it. Paste the following list of bad files into the Suspicious File Packer window: C:\WINDOWS\system32\sys_dll.dll C:\Program Files\RngInterstitial.dll Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please submit it to this webpage Please include a link to this topic in the message. * * * * * * WIN32DELFKIL * * * * * * * * * * * * * * * * * * * * Download win32delfkil.exe. Save it on your desktop. Double click on win32delfkil.exe and install it. This creates a new folder on your desktop called win32delfkil. Close all windows and open the win32delfkil folder and double click on fix.bat. Once the tool has finished the computer will reboot automatically. If it does not reboot...please do so manually by turning the power off and then back on. Post the contents of the logfile c:\windelf.txt when every task is complete * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * Download & install - CleanUp.exe (not recommended for WinXP64) Donwload & save on Desktop, the file attached to this post - sUBs000.zip Dont do anything with it yet. We'll use it later Please download SmitfraudFix Extract the content (a folder named SmitfraudFix) to your Desktop. Download Ewido Anti-Malware Install Ewido Anti-Malware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. If you are having problems with the updater, you can use this link to manually update Ewido Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet. 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. * * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * * Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs: Oin Yazzle by Oin Purityscan by Oin Snowballwars by Oin Cowabanga by OIN or anything similar with Oin in it In case Purityscan or OINS is not listed, download and use this uninstaller: http://www.outerinfo.com/OiUninstaller.exe Please note any other programs that you dont recognize in your next response * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {29DC52A8-BEA3-4CDE-8F20-FC3A50BBE49B} - C:\WINDOWS\system32\awtqq.dll O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g59559484.dll O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hwspade..._9 256677.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123 O20 - AppInit_DLLs: C:\WINDOWS\system32\alg.dll O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file) * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * Locate the attachment you downloaded earlier - sUBs000.zip Double click the file within & it shall produce a log for you * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Delete Cookies 4. Click OK 5. Press the CleanUp! button to start the program. 6. Do NOT reboot/logoff if prompted. * CleanUp! will not create any backups!! * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner & select the Scan tab Click Complete System Scan to begin scanning. If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. ** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. * * * * Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. * * * * Next go to Control Panel click Display>Desktop>Customize Desktop>Website Under the 'Web pages' box, Uncheck everything present. * * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * * Establish an internet connection & perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh copies of: HiJackThis log Fresh combofix log c:\windelf.txt Online scan Log produced by sUBs.bat rapport.txt Ewido's log Let us know if any problems persist. __________________ Question - what have you done for the community today? Last edited by sUBs; 07-26-2006 at 10:09 AM.