Jose,
I hope you passed all your finals.

Looks like more malware has decided to take up residence on your computer since we last spoke. There's a lot to do, so make sure you read over everything and feel free to ask me any questions if you have any.
We don't recommend using any sort of cracks or illegal software here. You may have installed a cracked version of CHEMIX School and I suggest that you remove it if that is the case. This probably led to your infection and could be the current source of re-infection.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.
Download Brute Force Uninstaller
Please download Brute Force Uninstaller to your desktop.
- Right click the BFU folder on your desktop, and choose Extract All. Click "Next".
- In the box to choose where to extract the files to, click "Browse".
- Click on the + sign next to "My Computer".
- Click on "Local Disk (C:)" (or whatever your primary drive is).
- Click "Make New Folder" and type in BFU. Click "Next".
- Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download the Alcra PLUS Remover.
Save it in the same folder you made earlier (i.e., C:\BFU).
Do not do anything with these yet!
Download FixISTBar
Please download the ISTBar removal tool from Symantec to your Desktop. Do not run it yet.
Download ComboFix
Download ComboFix from one of the following links:
- http://download.bleepingcomputer.com/sUBs/combofix.exe
- http://www.techsupportforum.com/sectools/combofix.exe
Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.
Download CWShredder
Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
Disable Services
Click Start>Run - type SERVICES.MSC and then click on the OK button.
- Locate the service - WKSSVC
- Stop the service by using the Stop button.
- Change the Startup Type to Disabled and click the OK button.
- Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service.
- In the popup box that appears, type in Windows Kernel System Service.
- Click the OK button and answer No if prompted to reboot.
Registry Fixes
Download the attached carganegativa18.zip file to your Desktop. Double click on the zip folder, then double click on the carganegativa18.reg file within. Click yes to allow it to merge into your registry. You can delete both the carganegativa18.zip and carganegativa18.reg now.
Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
Network Monitor
StripSaver2
TrustyHound-TB
WeatherBug
Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.
HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\srlgntfy.dll (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\dav10.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\wL2topl.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\ovbccp32.dll (file missing)
Please remember to close all other windows, including browsers, then click Fix checked. Close HijackThis.
Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
- Go to Start > Run and type: regsvr32 /u occache.dll and click OK.
- Delete:
C:\Documents and Settings\Jose D. Rincon\Desktop\12TH Grade\Mex Am Stu\Group Project - teotihuacan\kdap223h.exe
C:\Documents and Settings\Jose D. Rincon\Start Menu\Programs\UCmore - The Search Accelerator
C:\Program Files\AWS
C:\Program Files\StripSaver2
C:\Program Files\TheSearchAccelerator
C:\Program Files\TrustyHound-TB
C:\quarantine\binny.class.Vir
C:\quarantine\binny.class.Vir.0
C:\quarantine\binny.class.Vir.1
C:\WINDOWS\Downloaded Program Files\internazionale_ver3.INF
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\Sm9zZSBKIEFuZ3VpYW5v
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\dav10.dll
C:\WINDOWS\system32\ovbccp32.dll
C:\WINDOWS\system32\srlgntfy.dll
C:\WINDOWS\system32\wL2topl.dll
C:\WINDOWS\cplmcm.exe
C:\WINDOWS\kwv2.dat
- Go to Start > Run and type: regsvr32 occache.dll and click OK.
Clear Your Java Cache
Click on Start->Settings->Control Panel->Java Plug-in (If you do not see the icon, look to your left and click 'Switch to Classic View'). Click the Settings button under Internet Explorer near the bottom, and click on Delete Files and click OK and OK.
Clear Cookies
Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear.
Run FixISTBar
Run the ISTBar removal Tool.
Run Ewido
- Run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
- Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop).
- Close Ewido.
Run Brute Force Uninstaller
Please go to Start > My Computer and navigate to the folder you installed BFU in (i.e., C:\BFU).
- Start the Brute Force Uninstaller by doubleclicking BFU.exe
- Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
- Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
Reboot
Reboot your system to Normal Mode.
Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded, click on NEXT.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database: Standard
- Scan Options: Scan Archives and Scan Mail Bases
- Click OK
- Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
- Now under select a target to scan, select My Computer
- The program will start and scan your system.
- The scan will take a while so be patient and let it run all the way.
- Once the scan is complete it will display if your system has been infected.
- Click on the Save as Text button and save the file to your desktop.
- Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.
Re-run Combofix
Double click combofix.exe & follow the prompts. When the tool has finished, it will move the old log to C:\Combofix.previous.run.txt and produce a new log in C:\ComboFix.txt. Please include both logs in your next reply.
Generate An Uninstall List
- Open HijackThis.
- Click on the "Configure" button on the bottom right.
- Click on the tab "Misc Tools".
- Click on the Box that says "Open Uninstall Manager".
- Click on the button "Save list"
Please save a copy and paste the contents with your next reply.
With Your Next Post...
Please paste the following with your next reply (in this order please):
- The contents of C:\Combofix.previous.run.txt,
- Ewido scan report,
- Kaspersky Scan report,
- The contents of C:\Combofix.txt,
- Your Uninstall List,
- a new HiJackThis log taken right before posting.
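The HijackThis fixes above are picked by hand from the user's log. As an added example (not part of the post above, and not a HijackThis or ComboFix feature), the script below parses the same log format and flags the entry classes the helper singled out: R0/R1 lines whose URL host is the hijacker domain quoted in the post, O3 toolbars and O20 Winlogon Notify handlers whose DLL is already "(file missing)", O20 handlers that are not part of a stock Windows XP baseline, and O23 services with "Unknown owner". The sample log is constructed inline from the entries quoted above plus a benign start page and a legitimate XP Notify handler; the O23 line, its binary path, and the XP Notify baseline are assumptions for illustration, not facts taken from the user's machine.

```python
"""Triage a HijackThis 'Do a system scan only' log for the entry classes a
malware-removal helper typically asks the user to fix:
  R0/R1  Internet Explorer start/search pages pointing at a hijacker domain
  O3     toolbars whose DLL is already gone ("(file missing)")
  O20    Winlogon Notify handlers that are missing or not in the XP baseline
  O23    services with no identifiable owner
Standard library only; the log text is constructed inline so it runs offline."""
import re
from urllib.parse import urlparse

# Hijacker domain taken from the R0/R1 lines quoted in the post.
HIJACK_DOMAINS = ("findthewebsiteyouneed.com",)

# Winlogon Notify subkeys found on a stock Windows XP SP2 install.
# ASSUMPTION: this baseline is from memory and omits OEM/third-party packages
# (video drivers, AV products), so "not in baseline" means "review", not
# "malicious". Note how srlgntfy.dll in the post mimics the real sclgntfy.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

R_RE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*)$")
MISSING = "(file missing)"


def hijacked_host(url):
    """True if the URL's host is, or is a subdomain of, a known hijacker domain."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def triage(log_text):
    """Return a list of {entry, reason, line} dicts for suspicious log lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_RE.match(line)
        if m:
            kind, _hive, _key, _value, data = m.groups()
            if hijacked_host(data):
                findings.append({"entry": kind, "line": line,
                                 "reason": "IE start/search value points at a hijacker domain"})
            continue
        m = O3_RE.match(line)
        if m and m.group(3).endswith(MISSING):
            findings.append({"entry": "O3", "line": line,
                             "reason": "toolbar registration whose DLL is gone (orphaned)"})
            continue
        m = O20_RE.match(line)
        if m:
            subkey, path = m.groups()
            if path.endswith(MISSING):
                reason = "Winlogon Notify handler whose DLL is gone (orphaned persistence)"
            elif subkey.lower() not in XP_NOTIFY_BASELINE:
                reason = "Winlogon Notify handler not in the XP baseline; review"
            else:
                continue
            findings.append({"entry": "O20", "line": line, "reason": reason})
            continue
        m = O23_RE.match(line)
        if m and m.group(3) == "Unknown owner":
            findings.append({"entry": "O23", "line": line,
                             "reason": "service with no identifiable owner; check its binary"})
    return findings


# Constructed sample log: a benign R0, the post's own R/O3/O20 entries, one
# legitimate XP O20 handler, and an O23 line for the WKSSVC service named in
# the post (the owner and binary path on that line are assumed, not observed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\srlgntfy.dll (file missing)
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\ovbccp32.dll (file missing)
O23 - Service: Windows Kernel System Service (WKSSVC) - Unknown owner - C:\WINDOWS\cplmcm.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['entry']}] {f['reason']}\n    {f['line']}")
```

The point of the baseline check is that a "(file missing)" O20 entry is only half the story: an attacker who re-drops the DLL makes the same line look healthy again, so a Notify subkey named after a real service (BITS, Setup, Syncmgr) but absent from a clean install is worth reviewing whether or not its DLL exists.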