Hello and welcome to TSF.
I recommend you subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
You are running HijackThis from a temporary directory. It needs to be in a permanent folder. Please follow these instructions to redownload HijackThis and install it to a permanent folder:
- Click here to download HJTsetup.exe. Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
- Put a check by Create a desktop icon, then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch HijackThis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Downloads (make sure to save these in a permanent location):
- smitRem.exe: Run it and extract it to its own folder on the Desktop.
- Cleanup!: Install it. You will use this later.
*NOTE* Cleanup! deletes EVERYTHING out of temporary folders and does not make backups.
- Ewido Anti-Malware: Install Ewido Anti-Malware.
- Double-click the icon on the Desktop to launch Ewido.
You will need to update Ewido to the latest definition files.
- On the top of the main screen click Shield.
- Click the word active to change it to inactive.
- On the top of the main screen click Update.
- Then click on Start Update. The update will start and a progress bar will show the updates being installed.
- I also recommend changing the "Update interval" to something more reasonable, like 12 hours.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.
- combofix.exe: Save it to your Desktop.
Double-click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Select the first option, to run Windows in Safe Mode.
Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
PurityScan by OIN
Snowball Wars by OIN
Yazzle by OIN
Outerinfo
Cowabanga by OIN
or any programs by OIN
If none of these are listed, please let me know.
HijackThis!
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {C23F9E8B-053F-01B9-1876-2910962377C7} - C:\WINDOWS\System32\bgk.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\bfjjp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mapnawa. exe
O4 - HKLM\..\Run: [Winsock2 driver] IPCNFG.EXE
O4 - HKLM\..\Run: [Windows Jump Drive] JUMPDRIVE32.EXE
O4 - HKLM\..\Run: [wscfg32] C:\WINDOWS\ssloop.exe
O4 - HKLM\..\RunServices: [Windows System32] explorer.exe
O4 - HKLM\..\RunServices: [Microsoft Windows] win32.exe
O4 - HKLM\..\RunServices: [Windows Shell Interface] wInterface.exe
O4 - HKCU\..\Run: [Windows System32] explorer.exe
O4 - HKCU\..\Run: [fzzk] C:\PROGRA~1\COMMON~1\fzzk\fzzkm.exe
O4 - HKCU\..\Run: [gjdxq] C:\WINDOWS\System32\kvrfpr.exe reg_run
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [Semr] "C:\PROGRA~1\aDOBE\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Ufdhmeia] C:\Documents and Settings\Alfredo\Application Data\?racle\d?dplay.exe
O4 - HKCU\..\Run: [8a3ba9d3.exe] C:\Documents and Settings\Alfredo\Local Settings\Application Data\8a3ba9d3.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Alfredo\LOCALS~1\Temp\34.tmp3072.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [ÿ_zsk^aqsjusn^_yicerc50inkrwksz_] c:\windows\system32\_zskwrkni05creciy_^nsujsqa^.ex e
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\RunServices: [Windows System32] explorer.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: adslcomr.dll netiqosn.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\p8r4li9q18.dll (file missing)
O20 - Winlogon Notify: catswebv - C:\WINDOWS\System32\catswebv.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\lscmgr10.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\ksdgr1.dll (file missing)
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwkxif.exe (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
O21 - SSODL: WaQwpkjIlXB - {312816E6-9B82-BC4C-A3D4-94AC622A0E45} - C:\WINDOWS\System32\qtm.dll (file missing)
Please remember to close all other windows, including browsers, then click Fix checked.
File and Folder Deletions
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.
C:\WINDOWS\System32\2236_27.dll
C:\WINDOWS\System32\bgk.dll
C:\WINDOWS\System32\taskdir.exe
c:\windows\system32\_zskwrkni05creciy_^nsujsqa^.exe
C:\WINDOWS\ssloop.exe
win32.exe <<Find via Start>Search
wInterface.exe <<Find via Start>Search
JUMPDRIVE32.EXE <<Find via Start>Search
adslcomr.dll <<Find via Start>Search
netiqosn.dll <<Find via Start>Search
C:\PROGRAM Files\COMMON Files\fzzk
C:\Program Files\Common Files\svchostsys
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Purity Scan
C:\Program Files\BraveSentry
C:\Documents and Settings\Alfredo\Local Settings\Application Data\8a3ba9d3.exe
Tools
Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Next go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete if present:
- "Security Info"
- "Warning Message"
- "Security Desktop"
- "Warning Homepage"
- "Desktop Uninstall"
Also make sure the 'Lock desktop items' box is unticked. Click OK, then click Apply, then OK.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
- Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK.
Press the CleanUp! button to start the program. If prompted to reboot, click No.
Run Ewido with its updated definitions (it's important that all windows are closed):
- Click Scanner.
- Click on the Scan tab.
- Click Complete System Scan to begin scanning.
- When the scan is complete, click Recommended Action and change it to Quarantine.
- Then click Apply all actions.
Once finished, click the Save report button, then click Save Report As and save it to your desktop.
Reboot your system in Normal Mode.
Double-click combofix.exe and follow the prompts. When finished, it shall produce a log for you. That log will be located at C:\Combofix.txt and the previous log will be renamed to C:\combofixDateTime.txt. Please post the contents of both logs.
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
In your next post please include:
- Both Combofix logs
- Smitrem.txt
- Ewido Log
- A new Hijackthis! Log
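As an added example (not part of this post, and not code from HijackThis itself), a small Python reviewer for the HijackThis log layout quoted above: it parses O4/O15/O20-style lines and lists why an entry deserves a second look (target file missing, bare filename in a Run key, autostart from a temp or per-user data directory, Trusted Zone additions, DLLs loaded through AppInit_DLLs or Winlogon Notify). The sample log and the reason strings are constructed for illustration.

```python
import re
# Constructed sample in HijackThis log layout; ctfmon.exe is a normal entry for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Winsock2 driver] IPCNFG.EXE
O4 - HKCU\\..\\Run: [WinMedia] C:\\DOCUME~1\\Alfredo\\LOCALS~1\\Temp\\34.tmp3072.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: catswebv - C:\\WINDOWS\\System32\\catswebv.dll (file missing)
O20 - AppInit_DLLs: adslcomr.dll netiqosn.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O18 - Filter: text/html - (no CLSID) - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories a legitimate autostart rarely lives in (compared lowercase).
SUSPECT_DIRS = ("\\temp\\", "locals~1", "\\local settings\\application data\\")

def parse_entry(line):
    """Split one HJT line into (code, body); None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def review_entry(code, body):
    """Reasons an entry deserves a second look; an empty list means nothing notable."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("points at a file that no longer exists")
    if code == "O4":
        m = O4_RE.match(body)
        cmd = m.group("cmd") if m else body
        if m and m.group("key") == "RunServices":
            reasons.append("Win9x-era RunServices key, unusual on NT-based Windows")
        if "\\" not in cmd.split(" ")[0]:
            reasons.append("bare filename, resolved through the search path")
        if any(d in cmd.lower() for d in SUSPECT_DIRS):
            reasons.append("autostarts from a temp or per-user data directory")
    elif code == "O15":
        reasons.append("site added to the IE Trusted Zone")
    elif code == "O20":
        reasons.append("DLL loaded via AppInit_DLLs or Winlogon Notify")
    return reasons

def review_log(text):
    """Map 'CODE: body' -> reasons, for every entry with at least one reason."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed and review_entry(*parsed):
            findings[f"{parsed[0]}: {parsed[1]}"] = review_entry(*parsed)
    return findings
```

Running review_log over a full log gives a checklist of entries to verify by hand; it does not decide anything on its own, since a legitimate program can also autostart from an odd location.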