Thread: Malware Galore
09-22-2006, 08:56 PM   #4
fredmh
Analyst, Security Team; TSF Supporter
 
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this
webpage will not be available while you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Please make every effort to reply to my posts in a timely manner. Malware breeds malware, and the longer an infection remains on a system, the more
likely additional infections will result.
Absence of symptoms does not mean that everything is clear, so let's do this to the end!


----------------------------------------

DOWNLOADS



CWSHREDDER

If you still have CWS on your system, please run it again; otherwise:


Download CWShredder and run it. Click Check for Update. Click the 'I Agree' button if you agree.
Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file,
choose No and post that filename here. Let it finish the scan and then hit Next and Exit.



ComboFix


1. Download this file - You MUST save it to your desktop

http://download.bleepingcomputer.com/sUBs/combofix.exe

or

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these anti-spyware programs, as they may interfere with this fix. You may re-enable them after we clean your computer.

Microsoft AntiSpyware
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS



Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Begin2Search

----------------------------------------

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)
(You must kill them one at a time)


C:\Program Files\Common Files\{DCAC8667-04AC-1033-0107-040920020001}\Update.exe

----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsg3E.dll
O2 - BHO: (no name) - {9CFBE683-5F4E-08C1-6AEE-27800A3D0493} - C:\WINDOWS\System32\fvl.dll
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinlpex.exe GEN001
O4 - HKLM\..\Run: [newname] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [{C8-86-66-67-ZN}] c:\windows\system32\okdsregs.exe GEN001
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - HKCU\..\Run: [Lzuxfpzj] C:\WINDOWS\SYSTEM32\?racle\rundll32.exe



Please remember to close all other windows, including browsers, then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\nsg3E.dll
C:\WINDOWS\System32\fvl.dll
C:\WINDOWS\System32\qwinlpex.exe
c:\windows\system32\okdsregs.exe

C:\WINDOWS\thiselt.exe

kybrdff_16.exe >>>> Find via Start >> Search
dfndrff_16.exe >>>> Find via Start >> Search

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS


Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * Panda's 8 MB ActiveX control will then be downloaded *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



ComboFix - 2nd Run


1. Double click combofix.exe & follow the prompts.

2. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

FOLLOW-UP

Please return and post these items:

ComboFix - txt-1
ComboFix - txt-2
Panda scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode
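The post's "Fixes and deletions" section is built by hand from the HijackThis entries: each O2/O4 line names a file that is later killed in the process manager and then deleted. The script below, added here by the editor and not code from fredmh's post, from HijackThis or from ComboFix, does that derivation mechanically over the entries quoted in the post (embedded as a constructed sample so it runs offline) and flags the traits a responder would look at first: a file dropped straight in the drive root, a system binary name (chkdsk.exe, rundll32.exe) outside its normal folder, a directory whose name HJT rendered as "?racle", and a BHO with no display name. Those heuristics are the editor's own, not anything HijackThis reports.

```python
"""Pull file paths and red flags out of HijackThis (HJT) log lines.

Editor's example, not code from the original post, HijackThis or ComboFix.
The heuristics in suspicion_reasons() are the editor's own, not HJT rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HJT entries quoted in the post (raw string keeps backslashes as logged).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsg3E.dll
O2 - BHO: (no name) - {9CFBE683-5F4E-08C1-6AEE-27800A3D0493} - C:\WINDOWS\System32\fvl.dll
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinlpex.exe GEN001
O4 - HKLM\..\Run: [newname] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [{C8-86-66-67-ZN}] c:\windows\system32\okdsregs.exe GEN001
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - HKCU\..\Run: [Lzuxfpzj] C:\WINDOWS\SYSTEM32\?racle\rundll32.exe
"""


@dataclass
class HjtEntry:
    section: str                 # "O4", "O2", "F2", "R1", ...
    raw: str                     # the line as logged
    name: Optional[str] = None   # Run value name, BHO display name or ini key
    hive: Optional[str] = None   # HKLM / HKCU for O4 entries
    path: Optional[str] = None   # file the entry points at, if any


_LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
_O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_F2_RE = re.compile(r"^REG:system\.ini: (?P<name>\w+)=(?P<cmd>.*)$")
# Program part of a command line: a quoted path, or an unquoted one up to the first executable
# extension followed by space/comma/end (so "C:\Program Files\x.exe arg" is kept whole).
_PROGRAM_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|dll|com|scr|bat|cmd|pif)))(?:[\s,]|$)',
    re.IGNORECASE)


def program_of(cmd: str) -> str:
    """Return the program path from a Run-key style command line, dropping its arguments."""
    cmd = cmd.strip()
    m = _PROGRAM_RE.match(cmd)
    if m:
        return m.group("quoted") or m.group("bare")
    return cmd.split()[0] if cmd.split() else cmd


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; sections other than O4/O2/F2 are kept but carry no path."""
    line = line.rstrip()
    m = _LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = HjtEntry(section=section, raw=line)
    if section == "O4" and (m4 := _O4_RE.match(body)):
        entry.hive, entry.name = m4.group("hive"), m4.group("name")
        entry.path = program_of(m4.group("cmd"))
    elif section == "O2" and (m2 := _O2_RE.match(body)):
        entry.name, entry.path = m2.group("name"), m2.group("path").strip()
    elif section == "F2" and (mf := _F2_RE.match(body)):
        entry.name, entry.path = mf.group("name"), program_of(mf.group("cmd"))
    return entry


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(ln) for ln in text.splitlines()) if e]


# Binaries that normally live in the Windows system folders; the same name elsewhere
# (SKS~1\chkdsk.exe, ?racle\rundll32.exe) is a classic disguise.
SYSTEM_BINARIES = {"rundll32.exe", "chkdsk.exe", "userinit.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32"}


def suspicion_reasons(entry: HjtEntry) -> List[str]:
    """Editor's heuristics for why an entry deserves a second look (not an HJT feature)."""
    reasons: List[str] = []
    if entry.section == "O2" and entry.name == "(no name)":
        reasons.append("BHO registered without a display name")
    if entry.path is None:
        return reasons
    folder, sep, fname = entry.path.rpartition("\\")
    if not sep:
        reasons.append("bare file name, resolved via the search path instead of a fixed location")
        return reasons
    if re.fullmatch(r"[A-Za-z]:\\*", folder):
        reasons.append("file dropped directly in the drive root")
    if "?" in folder:
        reasons.append("directory name has a character HJT could not print (hard to browse or delete)")
    if fname.lower() in SYSTEM_BINARIES and folder.lower().rstrip("\\") not in SYSTEM_DIRS:
        reasons.append(f"system binary name {fname} outside its normal folder")
    return reasons


def file_targets(entries: List[HjtEntry]) -> List[str]:
    """Unique absolute paths the entries point at, in log order: raw material for a delete list."""
    seen, out = set(), []
    for e in entries:
        if e.path and "\\" in e.path and e.path.lower() not in seen:
            seen.add(e.path.lower())
            out.append(e.path)
    return out


if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_HJT_LOG)
    for e in entries:
        print(f"{e.section} {(e.name or ''):18} {e.path or '-'}")
        for r in suspicion_reasons(e):
            print(f"     ! {r}")
    print("\nFiles to locate after fixing the entries:", *file_targets(entries), sep="\n  ")
```

The output is a starting point, not a verdict: the duplicate `C:\\dfndrff_16.exe` collapses to one target, `userinit.exe` is reported as a bare name rather than a file to delete, and the `?racle` folder is flagged precisely because Explorer and the Search dialog will struggle with it, which is why tools such as ComboFix are brought in for that class of leftover.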