Tech Support Forum - View Single Post

Ried · 07-31-2006, 11:31 AM

Hello scalelar,

Our apologies for the delay. We are a bit short-handed due to summer vacations.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

**********************************************************************************************************

Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

----------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

----------------------

Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop. Do not run it yet.

----------------------

Click Start > Control Panel > Add/Remove Programs

In the list of installed software, look for:
PuritySCAN By OIN
OuterInfo OIN
Snowballwars
Cowabunga or similar
If you find it:
Click on it and click Remove.
Reboot and delete the folder C:\Program Files\PurityScan and also delete the folders of any of the programs you found in the Add/Remove panel. These would be located in C:\Program Files.
if not:
Download and run the Oiuninstaller
There is a tutorial for the uninstaller available
When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there)

--------------------------------------------------

Click Start->Run - type services.msc & then click on the OK button
*Locate the service - zrPRxDGgC
*Double-click on it to open the Properties dialog.
*Under the General tab:
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the zrPRxDGgC Click OK and allow reboot. Go directly to Safe Mode.

-----------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

BHO Plugin

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll
O4 - HKLM\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKLM\..\Run: [c886e747.exe] C:\WINNT\system32\c886e747.exe
O4 - HKLM\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe
O4 - HKCU\..\Run: [Nxbc] C:\WINNT\??crosoft.NET\m?dtc.exe
O4 - HKCU\..\Run: [Wlrs] "C:\WINNT\ECURIT~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [c886e747.exe] C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\LWS\LOCALS~1\Temp\4F.tmp3072.exe
O4 - HKCU\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKCU\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: zrPRxDGgC - {98CCC060-3266-6ACA-09B6-8EC095FC6302} - C:\WINNT\system32\opp.dll (file missing)

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Delete the following Files and Folder if they still exist.

C:\WINNT\system32\rdtypk.dll
C:\WINNT\system32\c886e747.exe
C:\WINNT\system32\testtestt.exe
C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe
C:\Program Files\BHO Plugin

------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
Click on see report. Then click Save report

----------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Please include the following in your next reply:

Ewido results
Panda results
SmitfraudFix log
New HijackThis log

07-31-2006, 11:31 AM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,596 OS: WinXP and Vista	Hello scalelar, Our apologies for the delay. We are a bit short-handed due to summer vacations. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ******************************************************************************************************** Download ewido anti-spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run ewido and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close ewido anti-spyware, Do Not run a scan just yet, we will shortly. ---------------------- Download and install CleanUp! but do not run it yet. (Not Recommended for XP64). ---------------------- Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop. Do not run it yet. ---------------------- Click Start > Control Panel > Add/Remove Programs In the list of installed software, look for: PuritySCAN By OIN OuterInfo OIN Snowballwars Cowabunga or similar If you find it: Click on it and click Remove. Reboot and delete the folder C:\Program Files\PurityScan and also delete the folders of any of the programs you found in the Add/Remove panel. These would be located in C:\Program Files. if not: Download and run the Oiuninstaller There is a tutorial for the uninstaller available When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there) -------------------------------------------------- Click Start->Run - type services.msc** & then click on the OK button Locate the service - zrPRxDGgC* Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop* button. Change the Startup type to Disabled* & then click on the OK button Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in the zrPRxDGgC* Click OK and allow reboot. Go directly to Safe Mode. ----------------------------------- Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. 5) Login on your usual account. Make sure to close any open browsers. ----------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: BHO Plugin ----------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) R3 - URLSearchHook: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll O2 - BHO: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll O4 - HKLM\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKLM\..\Run: [c886e747.exe] C:\WINNT\system32\c886e747.exe O4 - HKLM\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe O4 - HKCU\..\Run: [Nxbc] C:\WINNT\??crosoft.NET\m?dtc.exe O4 - HKCU\..\Run: [Wlrs] "C:\WINNT\ECURIT~1\alg.exe" -vt yazr O4 - HKCU\..\Run: [c886e747.exe] C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\LWS\LOCALS~1\Temp\4F.tmp3072.exe O4 - HKCU\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKCU\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) O21 - SSODL: zrPRxDGgC - {98CCC060-3266-6ACA-09B6-8EC095FC6302} - C:\WINNT\system32\opp.dll (file missing) Click 'Fix Checked' and close HijackThis. ----------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. ----------------------------------- Delete the following Files and Folder if they still exist. C:\WINNT\system32\rdtypk.dll C:\WINNT\system32\c886e747.exe C:\WINNT\system32\testtestt.exe C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe C:\Program Files\BHO Plugin ------------------------------------------------ WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files"* and uncheck the box for "Scan drives for file matching" if it's checked. Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. ------------------------------------------------ IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess: Lauch ewido-anti-spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". ewido will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner. ----------------------------------- Reboot into Normal Mode. ----------------------------------- Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report ---------------------- Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter" and a text file will appear which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! Please include the following in your next reply: Ewido results Panda results SmitfraudFix log New HijackThis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."