07-29-2006, 08:54 AM   #8
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Please don't fix anything on your own while we're working together. Also, don't disable anything through msconfig for now, as it will hinder my ability to see everything and help you.

Do you have an online stamp download program installed?

---------------------------------------------------------------------------------------------

Webroot SpySweeper

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Click Browser Add-Ons and uncheck all items.
  • Exit Spysweeper.

---------------------------------------------------------------------------------------------

I have attached a file to this post - callie.zip. Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run

---------------------------------------------------------------------------------------------


Delete the following if it exists:

C:\WINDOWS\system32\oocqrc.exe


If it resists deletion, boot to safe mode and delete it from there. Don't worry if you cannot find it.

---------------------------------------------------------------------------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------------------------------------------------

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notepad file into your post


---------------------------------------------------------------------------------------------

Run a new scan with HijackThis. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

clkoptimizer

Save the file/files and post the results in the forum.

Please return with results from:

DrWeb
Uninstall list
HijackThis
regsearch
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 09-19-2006 at 01:53 PM.
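
A way to check a follow-up HijackThis log against the fix list in the post above, as an added example that is not part of the original post: it parses O4 (autostart) lines and reports any fix-list entry the new log still shows. The function names and both sample logs are constructed for illustration, and treating an entry as still present when either the same Run slot or the same file path appears is a choice made for this example.

```python
import re

# The two O4 (autostart) line shapes HijackThis writes:
#   O4 - HKLM\..\Run: [value name] command line
#   O4 - Global Startup: shortcut.lnk = target
O4_REG = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
O4_DIR = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")

def image_path(cmd):
    """Best-effort executable path from a command line, lowercased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", cmd, re.I)
    return (m.group(1) if m else cmd.split(" ", 1)[0]).lower()

def parse_o4(text):
    """Return every O4 entry in a HijackThis log (or fix list) as a dict."""
    out = []
    for line in map(str.strip, text.splitlines()):
        m = O4_REG.match(line)
        if m:
            where, name, cmd = m.group(1) + "\\" + m.group(2), m.group(3), m.group(4)
        else:
            m = O4_DIR.match(line)
            if not m:
                continue  # not an O4 line
            where, name, cmd = m.groups()
        out.append({"where": where, "name": name,
                    "image": image_path(cmd), "line": line})
    return out

def remaining(fix_list, new_log):
    """Fix-list lines the follow-up log still shows (same slot or same file)."""
    current = parse_o4(new_log)
    return [want["line"] for want in parse_o4(fix_list)
            if any((want["where"], want["name"].lower())
                   == (have["where"], have["name"].lower())
                   or want["image"] == have["image"] for have in current)]

# The entry the post asks to fix.
FIX_LIST = r"""O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oocqrc.exe reg_run"""
# Constructed follow-up logs (not from the thread); paths are illustrative.
LOG_CLEAN = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Example.lnk = C:\Program Files\Example\example.exe
"""
LOG_STILL_PRESENT = LOG_CLEAN + FIX_LIST + "\n"

if __name__ == "__main__":
    print("still present:", remaining(FIX_LIST, LOG_STILL_PRESENT))
    print("after cleanup:", remaining(FIX_LIST, LOG_CLEAN))
```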