Tech Support Forum - View Single Post

tetonbob · 08-03-2006, 01:29 PM

Good job...let's continue.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix.

Run Ewido

From the main ewido screen, click on update, then click the Start
update button.
After the update finishes (the status bar at the bottom will display "Update
successful")
select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Exit Ewido. DO NOT scan yet.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools>Options.
Scroll down and uncheck "Use real-time protection (recommended)".
After you uncheck this, click on the Save button and close Windows Defender.

---------------------------------------------------------------------------------------------

I have attached a file to this post - cwheat.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [wkkfuy] C:\WINDOWS\system32\xsgnub.exe reg_run
O4 - HKCU\..\Run: [thrhv] C:\WINDOWS\system32\xsgnub.exe reg_run
O4 - HKCU\..\Run: [Aapb] "\\SERVER\Users\CWheat\MYDOCU~1\APPATC~1\rundll32. exe" -vt yazr

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\paroc.exe
C:\WINDOWS\pss\paroc.exe
Z:\CWheat\My Documents\APPATC~1 <<<This is on a network drive, it appears. It may appear as Appatch, was created 2006-08-01 12:52 Check properties of folder to be sure.
C:\\WINDOWS\system32\xsgnub.exe
C:\WINDOWS\system32\CROSOF~1.NET<<<May appear as Microsoft.Net, was created on 2006-08-01 12:53 Check properties of folder to be sure.

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

Ewido
Panda
HJT

08-03-2006, 01:29 PM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Good job...let's continue. Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- I see you have Ewido already. Please update it's definitions, and run a scan where I have placed it in this fix. Run Ewido From the main ewido screen, click on update, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Exit Ewido. DO NOT scan yet. Download and install CleanUp! NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe --------------------------------------------------------------------------------------------- Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools>Options. Scroll down and uncheck "Use real-time protection (recommended)". After you uncheck this, click on the Save button and close Windows Defender. --------------------------------------------------------------------------------------------- I have attached a file to this post - cwheat.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\Run: [wkkfuy] C:\WINDOWS\system32\xsgnub.exe reg_run O4 - HKCU\..\Run: [thrhv] C:\WINDOWS\system32\xsgnub.exe reg_run O4 - HKCU\..\Run: [Aapb] "\\SERVER\Users\CWheat\MYDOCU~1\APPATC~1\rundll32. exe" -vt yazr --------------------------------------------------------------------------------------------- Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following if they exist: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\paroc.exe C:\WINDOWS\pss\paroc.exe Z:\CWheat\My Documents\APPATC~1 <<<This is on a network drive, it appears. It may appear as Appatch, was created 2006-08-01 12:52 Check properties of folder to be sure. C:\\WINDOWS\system32\xsgnub.exe C:\WINDOWS\system32\CROSOF~1.NET<<<May appear as Microsoft.Net, was created on 2006-08-01 12:53 Check properties of folder to be sure. --------------------------------------------------------------------------------------------- Run Cleanup! using the following configuration: Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------------------------------------------------------------------------- Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please return with results from: Ewido Panda HJT __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 09-19-2006 at 01:53 PM.