Thread: Spyware Issues
10-07-2006, 09:37 AM   #6
Glaswegian

Hi again Vinny

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


Disable AVG Anti Spyware's Guard
Please disable AVG Anti Spyware's Guard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • Exit AVG


Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (depending on your system this may be F5 or another key).
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.



HijackThis Entries
Open HijackThis and click on Scan. Check the following entries if they still exist (make sure you do not miss any):

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsa10AB.dll
O2 - BHO: Banner Rotator - {E954DB82-1533-4714-92F2-59C98D5C18CC} - C:\WINDOWS\system32\brrotate.dll
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"


Please remember to close all other windows, including browsers, then click Fix checked.



File Deletions
Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\nsa10AB.dll
C:\WINDOWS\system32\brrotate.dll
C:\WINDOWS\system32\ehlzi.dll
C:\WINDOWS\system32\ehlzic.exe
C:\WINDOWS\system32\qrkyfc.exe
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll
C:\WINDOWS\em.ocx
C:\WINDOWS\system32\six.exe
C:\WINDOWS\system32\joc0e388.sys
C:\WINDOWS\system32\nsu22.dll
C:\WINDOWS\uni_7eh.exe



Reboot
Reboot your system in Normal Mode.



Please run combofix again.



Run another online scan with Panda.



Logs required
combofix.txt
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



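An added example, not part of Glaswegian's post: one way to check a fresh HijackThis log for the three entries listed under "HijackThis Entries" after the fix and reboot. The function names are hypothetical, the regexes cover only the O2 and O4 line shapes shown in the post, and the sample log is constructed.

```python
import re

# The three entries the post asks the user to tick (copied from the post).
FLAGGED = [
    r"O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsa10AB.dll",
    r"O2 - BHO: Banner Rotator - {E954DB82-1533-4714-92F2-59C98D5C18CC} - C:\WINDOWS\system32\brrotate.dll",
    r'O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"',
]

# Constructed sample of a post-fix log (not the user's real log).
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {E954DB82-1533-4714-92F2-59C98D5C18CC} - c:\windows\system32\brrotate.dll
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")


def entry_key(line):
    """Reduce a log line to an identity that ignores cosmetic differences."""
    line = line.strip()
    m = O2.match(line)
    if m:
        # A BHO is identified by its CLSID; the display name and the
        # casing of the path can differ between scans.
        return ("O2", m["clsid"].upper())
    m = O4.match(line)
    if m:
        # A Run entry is identified by hive, key and value name.
        return ("O4", m["hive"].upper(), m["key"].lower(), m["value"].lower())
    return None  # header line or a section this example does not parse


def still_present(flagged, log_text):
    """Return the flagged entries that still appear in log_text."""
    seen = {entry_key(l) for l in log_text.splitlines()} - {None}
    return [f for f in flagged if entry_key(f) in seen]


if __name__ == "__main__":
    for entry in still_present(FLAGGED, SAMPLE_LOG):
        print("STILL PRESENT:", entry)
```

Matching on the CLSID rather than the whole line catches a BHO whose name now shows as "(no name)" or whose path is reported in different case.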