Good job...now for round 2. This is still very messy, and will take more time.
I have attached a file to this post: betty.zip. Download this file to your desktop. Double-click on the zip folder, then double-click on the .reg file within. Click Yes to allow it to merge into your registry.
---------------------------------------------------------------------------------------------
- Next, click Start > Control Panel > Add/Remove Programs
- In the list of installed software, look for PuritySCAN By OIN, OuterInfo, OIN, Snowballwars By OIN, Cowabanga By OIN or similar
- If you find it:
  - Click on it and click Remove.
  - Reboot and delete the folder C:\Program Files\PurityScan (if it's still there).
- If not:
  - Download and run the Oiuninstaller. There is a tutorial for the uninstaller available.
  - When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there).
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [{4D-DE-E6-6D-ZN}] C:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\QV6FYDER\WinAntiVirusPro2006Free Install[1].exe" -nag
---------------------------------------------------------------------------------------------
Delete the following if they exist:
c:\program files\AdTools Service
c:\program files\NewDotNet
C:\bintheredunthat
C:\found.000\file0000.chk
C:\Program Files\Common Files\{50D4DE6D-0B74-1033-0827-040802200001}
C:\services.exe
C:\Trelew.exe
C:\WINDOWS\cmdmgr.exe
C:\WINDOWS\cmdmgr3.exe
C:\WINDOWS\hostsmgr.exe
C:\WINDOWS\comsonie.exe
C:\picture012.exe
C:\cmdhost.exe
C:\setup64.exe
C:\runstd1.exe
C:\runstd0.exe
C:\runstd.exe
C:\runst.exe
C:\runset.exe
C:\runme.exe
C:\hotshot.exe
C:\rwar.exe
C:\WINDOWS\system32\rvn896b6.sys
C:\autoexec02.exe
C:\autoexec.exe
C:\execfile01.exe
C:\execfile00.exe
C:\corruptfile.exe
C:\WINDOWS\comexec.bat
C:\webnexmk.exe
C:\526_620.exe
C:\WINDOWS\uqneg.dll
Also, delete this folder:
C:\Program Files\Common Files\F?nts <<< may appear as Fonts. Only delete the folder with this creation date: 2006-06-28 19:23:56. Right-click on the folder and select Properties to be sure.
Please tell me the contents of this folder:
C:\Program Files\ornu <<< created 2006-06-28 19:23:34
If any resist deletion, boot to safe mode and delete from there.
---------------------------------------------------------------------------------------------
From normal mode:
Please submit the following file to Jotti File Scan:
C:\msnotify.com
At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".
When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.
Repeat for:
C:\msts.com
C:\install64.exe
C:\install62.exe
C:\install32.exe
---------------------------------------------------------------------------------------------
- Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan.
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, see whether you can click the next icon next to the files found:
- If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
---------------------------------------------------------------------------------------------
We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in its code.
Updating Java:
- Go to Start > Control Panel and double-click on the Software icon (Add or Remove Programs).
- Search the list for all previously installed versions of Java (Java 2 Runtime Environment, SE 1.4.2_03, J2SE Runtime Environment 5.0 Update 2, ...).
- Select it and click Remove.
- Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
- After the reboot, go back into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache. Leave ALL 3 checked:
  - Downloaded Applets
  - Downloaded Applications
  - Other Files
- Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------
Go here and do the BitDefender online virus scan.
- Click "I Agree" to agree to the EULA.
- Allow the ActiveX control to install when prompted.
- Leave the scanning options at default and press "Click here to scan" to begin the scan.
- Please refrain from using the computer until the scan is finished.
- When the scan is finished, click on "Click here to export the scan results".
- Save the report to your desktop, then come back here and post it in your next reply.
Download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.php#adaware for better scan results. Run the scan and fix everything that it finds.
Download and install Spybot S&D from http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.
Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.
Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix from http://majorgeeks.com/download4392.html and install it over the current Spybot installation.
---------------------------------------------------------------------------------------------
Run ComboFix once again.
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
Please return with results from:
- DrWeb
- ComboFix
- HJT
- Jotti scan
Is your Norton subscription up to date? Have you run a scan recently?
Let me know how your system is behaving at the end of all this.
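As an added example (not part of the post above or of HijackThis itself), here is a small Python triage script that parses HijackThis entries like the R1/R3/O4 lines quoted earlier and applies the same kind of reasoning a helper uses when picking lines to fix: an IE search setting pointing off the default hosts, a search hook with no file behind it, an autorun launched from a temp/cache folder, or a Run value named like a GUID that is not one. The sample log is constructed from the post's lines plus one made-up benign entry, and the allowlist of default search hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the post, plus one
# constructed benign Run entry (ExampleApp) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [{4D-DE-E6-6D-ZN}] C:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\QV6FYDER\WinAntiVirusPro2006Free Install[1].exe" -nag
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")   # "O4 - ..."
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
DEFAULT_SEARCH_HOSTS = ("microsoft.com", "msn.com")  # assumed legitimate IE search hosts
TEMP_MARKERS = ("\\temp\\", "content.ie5", "\\locals~1\\")  # cache/temp path fragments

def parse_line(line):
    """Split one HJT line into (section code, body); None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None

def suspicious_reasons(sec, body):
    """Heuristic findings for one entry; an empty list means nothing looked odd."""
    reasons, low = [], body.lower()
    if sec == "R1" and "=" in body:          # IE start/search page settings
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if host and not host.endswith(DEFAULT_SEARCH_HOSTS):
            reasons.append(f"IE search setting redirected to {host}")
    if sec == "R3" and "(no file)" in low:   # search hook CLSID with no binary behind it
        reasons.append("URLSearchHook CLSID with no backing file")
    if sec == "O4":                          # autorun entries
        if any(mk in low for mk in TEMP_MARKERS):
            reasons.append("autorun launched from a temp/cache directory")
        name = re.match(r"[^\[]*\[([^\]]*)\]", body)  # the [value name] part
        if name and name.group(1).startswith("{") and not GUID_RE.match(name.group(1)):
            reasons.append("Run value named like a GUID but malformed")
    return reasons

def triage(log_text):
    """Return {entry body: reasons} for every flagged entry in an HJT log."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        reasons = suspicious_reasons(*parsed) if parsed else []
        if reasons:
            findings[parsed[1]] = reasons
    return findings
```

Running `triage(SAMPLE_LOG)` flags the four lines the post asks to fix and leaves the constructed ExampleApp entry alone.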