Thread: help!! HKsRv dll pop up plus more :(
View Single Post
Old 08-06-2006, 09:23 AM   #5 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

combofix was not run from the desktop, and it may have altered it's effectiveness.

Quote:
* IMPORTANT !!! Place it on your Desktop.
Quote:
Start Time= 06-08-06 9:20:54.28
Running from: C:\DOCUME~1\Paul\LOCALS~1\Temp\
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.



---------------------------------------------------------------------------------------------

Please submit the following file to Jotti File Scan

C:\WINDOWS\system32\pisia32.dll

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

---------------------------------------------------------------------------------------------

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop aspi113210
sc delete aspi113210
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll infoitss.dll lzexkbdu.dll
O21 - SSODL: CallBack Ware - {8e29f930-135a-4568-3338-24cbc8cbbfc1} - C:\WINDOWS\system32\pisia32.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi22588.exe


---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following:

C:\WINDOWS\comdlg66.dll
C:\WINDOWS\system32\2240_28.dll
C:\WINDOWS\system32\aspi22588.exe
C:\WINDOWS\system32\mswmmqce.dll
C:\WINDOWS\system32\rsmpmcis.dll
C:\WINDOWS\system32\shmecmse.dll
C:\WINDOWS\system32\ciaddavc.dll
C:\WINDOWS\system32\tapidpus.exe
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\testtestt.exe
C:\WINDOWS\system32\clcbt.exe
C:\WINDOWS\ms059333253362006.exe

Find these via Start>Search:

infoitss.dll
lzexkbdu.dll

---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

Ewido
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline