Tech Support Forum - View Single Post

Hustler24 · 09-27-2006, 11:28 AM

We've got rid of the major infection, but there's loads more. Take your time in completing the next steps andif you have any problems, please let me know.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

---------------

DOWNLOADS

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

---------------------

Download and run the Norton uninstall tool to remove the version of Norton that you do not need anymore.

-----------------

You are running Zero Knowledge Freedom which is a security suite. This means that you no longer need McAfee VirusScan.

Please visit this site for details of how to uninstall it.

------------------

Download Ewido Anti-Malware

Install Ewido Anti-Malware
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

-------------------

SAFE MODE

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

--------------------

ADD/REMOVE PROGRAMS

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

BHOPlugin

-----------------------

FIXES WITH HIJACK THIS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsr10.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll (file missing)
O2 - BHO: (no name) - {D3C2D060-60D4-3D26-F5A9-631333DF389F} - C:\WINDOWS\system32\zyqm.dll (file missing)
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe
O4 - HKLM\..\Run: [win32074671543723] C:\WINDOWS\win32074671543723.exe
O4 - HKLM\..\Run: [ms047234671543] C:\WINDOWS\ms047234671543.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c
O4 - HKLM\..\Run: [win32086715437234] C:\WINDOWS\win32086715437234.exe
O4 - HKLM\..\Run: [{35-59-9C-CB-ZN}] C:\windows\system32\ordsregs.exe ELT001
O4 - HKLM\..\Run: [sys015437234671] C:\WINDOWS\sys015437234671.exe
O4 - HKLM\..\Run: [ms063467154372] C:\WINDOWS\ms063467154372.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [oqum] C:\PROGRA~1\COMMON~1\oqum\oqumm.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://10.208.1.1/CAT/CNICAT.cab
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

------------------------

FILE DELETIONS

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\nsr10.dll
C:\Program Files\BHO Plugin
C:\WINDOWS\system32\zyqm.dll
C:\WINDOWS\sachostx.exe
C:\WINDOWS\ms052346715437.exe
C:\WINDOWS\win32074671543723.exe
C:\WINDOWS\ms047234671543.exe
c:\windows\system32\stonedrv.exe
w002935c.dll < Find via Start > Search > All Files and Folders
C:\WINDOWS\win32086715437234.exe
C:\windows\system32\ordsregs.exe
C:\WINDOWS\sys015437234671.exe
C:\WINDOWS\ms063467154372.exe
C:\PROGRAM FILES\COMMON FILES\oqum
C:\WINDOWS\system32\dwdsregt.exe
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\srvtcogesu.exe
C:\WINDOWS\srvczpqlfm.exe
C:\WINDOWS\srvotfewuo.exe
C:\WINDOWS\system32\svch05t.dll < Not the legitimate svchost.exe
C:\WINDOWS\system32\ulhakjl.dll
C:\WINDOWS\system32\nlkkmve.dll
C:\WINDOWS\1205.exe
C:\WINDOWS\srvjfwxbdl.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\TIELT001.exe
C:\WINDOWS\DXCecho.exe
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\MirarSetup_876057.exe
C:\WINDOWS\system32\pcucb187.sys
C:\WINDOWS\system32\2000.exe
C:\WINDOWS\system32\index.exe
C:\WINDOWS\system32\500.exe
C:\WINDOWS\system32\100.exe
C:\WINDOWS\system32\pusk.exe
C:\WINDOWS\uni_7eh.exe
C:\WINDOWS\system32\unload.exe
C:\WINDOWS\system32\svch10.dll

------------------------

CLEANUP!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK
Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.

-------------------------

EWIDO

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

--------------------------

ONLINE SCAN

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJackThis log, Ewido's log and a new Combofix log.

09-27-2006, 11:28 AM	#18 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	We've got rid of the major infection, but there's loads more. Take your time in completing the next steps andif you have any problems, please let me know. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. --------------- DOWNLOADS Download and install CleanUp! but do not run it yet. WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. --------------------- Download and run the Norton uninstall tool to remove the version of Norton that you do not need anymore. ----------------- You are running Zero Knowledge Freedom which is a security suite. This means that you no longer need McAfee VirusScan. Please visit this site for details of how to uninstall it. ------------------ Download Ewido Anti-Malware Install Ewido Anti-Malware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly. ------------------- SAFE MODE Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. -------------------- ADD/REMOVE PROGRAMS Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): BHOPlugin ----------------------- FIXES WITH HIJACK THIS Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/ O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsr10.dll O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll (file missing) O2 - BHO: (no name) - {D3C2D060-60D4-3D26-F5A9-631333DF389F} - C:\WINDOWS\system32\zyqm.dll (file missing) O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe O4 - HKLM\..\Run: [win32074671543723] C:\WINDOWS\win32074671543723.exe O4 - HKLM\..\Run: [ms047234671543] C:\WINDOWS\ms047234671543.exe O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c O4 - HKLM\..\Run: [win32086715437234] C:\WINDOWS\win32086715437234.exe O4 - HKLM\..\Run: [{35-59-9C-CB-ZN}] C:\windows\system32\ordsregs.exe ELT001 O4 - HKLM\..\Run: [sys015437234671] C:\WINDOWS\sys015437234671.exe O4 - HKLM\..\Run: [ms063467154372] C:\WINDOWS\ms063467154372.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [oqum] C:\PROGRA~1\COMMON~1\oqum\oqumm.exe O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://10.208.1.1/CAT/CNICAT.cab O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing) *Please remember to close all other windows, including browsers then click Fix checked.* ------------------------ FILE DELETIONS Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\system32\nsr10.dll C:\Program Files\BHO Plugin C:\WINDOWS\system32\zyqm.dll C:\WINDOWS\sachostx.exe C:\WINDOWS\ms052346715437.exe C:\WINDOWS\win32074671543723.exe C:\WINDOWS\ms047234671543.exe c:\windows\system32\stonedrv.exe w002935c.dll < Find via Start > Search > All Files and Folders C:\WINDOWS\win32086715437234.exe C:\windows\system32\ordsregs.exe C:\WINDOWS\sys015437234671.exe C:\WINDOWS\ms063467154372.exe C:\PROGRAM FILES\COMMON FILES\oqum C:\WINDOWS\system32\dwdsregt.exe C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll C:\WINDOWS\srvtcogesu.exe C:\WINDOWS\srvczpqlfm.exe C:\WINDOWS\srvotfewuo.exe C:\WINDOWS\system32\svch05t.dll < Not the legitimate svchost.exe C:\WINDOWS\system32\ulhakjl.dll C:\WINDOWS\system32\nlkkmve.dll C:\WINDOWS\1205.exe C:\WINDOWS\srvjfwxbdl.exe C:\WINDOWS\system32\winpfg32.sys C:\WINDOWS\TIELT001.exe C:\WINDOWS\DXCecho.exe C:\WINDOWS\popupwithcast.exe C:\WINDOWS\MirarSetup_876057.exe C:\WINDOWS\system32\pcucb187.sys C:\WINDOWS\system32\2000.exe C:\WINDOWS\system32\index.exe C:\WINDOWS\system32\500.exe C:\WINDOWS\system32\100.exe C:\WINDOWS\system32\pusk.exe C:\WINDOWS\uni_7eh.exe C:\WINDOWS\system32\unload.exe C:\WINDOWS\system32\svch10.dll ------------------------ CLEANUP! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked. Click OK Press the CleanUp!* button to start the program. DO NOT reboot/logoff when prompted. ------------------------- EWIDO Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. -------------------------- ONLINE SCAN Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan Paste the Panda Scan report here together with a new HiJackThis log, Ewido's log and a new Combofix log. __________________