Hello and welcome back to TSF
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
Downloads and others
Please download Cleanup! and install it. You will use this later.
Note: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe
*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.
Download this file -
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
ComboFix
- Now, run the tool you just downloaded from Start > Run and Copy/Paste the following in the open field:
"%userprofile%\desktop\combofix.exe" /v pmnlm
- Follow the prompts
- When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Fixes with HijackThis
Open HijackThis and click on 'Do a System Scan Only'. Check the following entry (if it still exists, make sure you do not miss any):
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
Please remember to close all other windows, including browsers, then click Fix checked.
Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
Unregister
The file UWA6P_0001_N822M1605NetInstaller.exe in Downloaded Program Files folder may not be visible to you. So please follow the instructions here to make it visible.
Go to Start > Run and Copy and Paste: regsvr32 /u occache.dll and click 'OK'.
Delete the following:
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe
Go to Start > Run and Copy and Paste: regsvr32 occache.dll and click 'OK'.
Files Deletion
Delete the following Folder indicated in BLUE if it still exists.
C:\Documents and Settings\Shawn\Application Data\WinAntiVirus Pro 2006
CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (if present)
- Cleanup! All Users
- Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and reboot when prompted.
I would like you to perform one last online scan to ensure you've gotten all the nasties.
Online Scan
Click here to use the F-Secure Online Scanner.
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
- Then click the F-Secure Online Scanner Next Generation Beta link.
- Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
- Click the Full System Scan button.
- It will start to download scanner components and databases. This can take a while.
- The main scan will start.
- Once the scan has finished scanning, click the Automatic cleaning (recommended) button
- It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
- The cleaning can take a while, so please be patient.
- Then click the Show report button and copy and paste what's present under results in your next reply.
Logs
Please post the following logs in your next reply...
- A New HijackThis Log
- ComboFix’s Log
- F-Secure’s Online Scan Log
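
An added example, not part of the original post and not a HijackThis feature: a small Python check that can be run over the follow-up HijackThis log to see whether the O2 entry fixed above is still present and whether any other BHO line points at a missing file. The function names are hypothetical, and every sample line except the O2 line quoted in the post is constructed for illustration.

```python
import re

# One HijackThis O2 (Browser Helper Object) line has the shape:
#   O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?\s*$"
)

def parse_bhos(log_text):
    """Return one dict per O2 line: name, clsid (upper-cased), path, missing."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append({
                "name": m["name"],
                "clsid": m["clsid"].upper(),
                "path": m["path"],
                "missing": m["missing"] is not None,
            })
    return entries

def review(log_text, fixed_clsids):
    """Split O2 entries into ones that survived the fix and other orphans."""
    fixed = {c.upper() for c in fixed_clsids}
    bhos = parse_bhos(log_text)
    return {
        "still_present": [e for e in bhos if e["clsid"] in fixed],
        "orphaned": [e for e in bhos if e["missing"] and e["clsid"] not in fixed],
    }

# CLSID of the entry the post asks to fix.
FIXED = ["{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"]

# Constructed follow-up log: the first O2 line is the one quoted in the post,
# the remaining lines are made up for this example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Example\gone.dll (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

if __name__ == "__main__":
    for kind, entries in review(SAMPLE_LOG, FIXED).items():
        for e in entries:
            print(kind, e["clsid"], e["path"])
```

An entry listed under still_present means the fix did not take and the HijackThis step needs repeating; entries under orphaned are leftover registrations whose DLL is already gone.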