Hello quaa, and welcome to TSF. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.
Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.
Firewall Required
You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:
Please pick one and install it.
Unpatched Operating System
IMPORTANT! Before we can proceed any further, please visit Microsoft's Windows Update Page and install ALL Critical Updates for your system except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum, install Service Pack 1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.
Download CleanUp!
Download and install CleanUp! but do not run it yet.
WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!
WARNING: Do not run CleanUp! under Windows XP x64 Edition. If you're not sure whether you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.
Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware.
- Load AVG Anti-Spyware and then click the Shield tab at the top
- Click on the word active to change it to inactive.
- Click the Update tab at the top:
- Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
- Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
- Click the Scanner tab at the top and then the Settings sub-tab:
- Under How to act?, click Recommended actions and select Quarantine.
- Under Reports, select Automatically generate report after every scan.
- Close AVG Anti-Spyware. Do not run a scan with it yet.
Download Brute Force Uninstaller
Please download Brute Force Uninstaller to your desktop.
- Right click bfu.zip on your desktop, and choose Extract All. Click "Next".
- In the box to choose where to extract the files to, click "Browse".
- Click on the + sign next to "My Computer".
- Click on "Local Disk (C:)" (or whatever your primary drive is).
- Click "Make New Folder" and type in BFU. Click "Next".
- Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download the Alcra PLUS Remover. Save it in the same folder you made earlier (i.e., C:\BFU).
Download ComboFix
Download ComboFix from one of the following links:
- http://www.techsupportforum.com/sectools/combofix.exe
- http://download.bleepingcomputer.com/sUBs/combofix.exe
Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.
Disable Service
You need to disable two services. Click Start>Run - type SERVICES.MSC and then click on the OK button.
- Locate the service - MS Software Shadow Download Provider
- Stop the service by using the Stop button.
- Change the Startup Type to Disabled and click the OK button.
- Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service.
- In the popup box that appears, type in dnlsvc.
- Click the OK button and answer No if prompted to reboot.
1. Locate the service - Win32Sr
2. Double-click on it to open the Properties dialog.
3. Under the General tab, write down the name of "Service name". We will need it momentarily.
4. Stop the service by using the Stop button.
5. Change the Startup Type to Disabled and click the OK button.
6. Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service.
7. In the popup box that appears, copy/paste the value you obtained in step 3.
8. Click the OK button and answer No if prompted to reboot.
Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
License_Manager
PSDream
webHancer
Please let me know if any of these were unable to uninstall.
Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.
HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IE HTTP Checker - {7A22BB1D-4B19-45CF-9A10-20534D997ED2} - C:\WINDOWS\system32\iehttpcheck.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsw4F.dll
O4 - HKLM\..\Run: [loaddr] C:\qeoa.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms0664089-11304] C:\WINDOWS\ms0664089-11304.exe
O4 - HKLM\..\Run: [sys011130464089-] C:\WINDOWS\sys011130464089-.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [win3208089-1130464] C:\WINDOWS\win3208089-1130464.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [orfm] C:\PROGRA~1\COMMON~1\orfm\orfmm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe
Please remember to close all other windows, including browsers, then click Fix checked. Close HijackThis.
Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Documents and Settings\Owner\Local Settings\Temp\dnlsvc.exe
C:\Program Files\Common Files\orfm
C:\Program Files\License_Manager
C:\Program Files\PSDream
C:\Program Files\webHancer
C:\WINDOWS\system32\crunner
C:\WINDOWS\system32\iehttpcheck.dll
C:\WINDOWS\system32\nsw4F.dll
C:\WINDOWS\Duce6.exe
C:\WINDOWS\ms0664089-11304.exe
C:\WINDOWS\sys011130464089-.exe
C:\WINDOWS\win3208089-1130464.exe
C:\WINDOWS\win32ssr.exe
C:\qeoa.exe
Run Brute Force Uninstaller
Please go to Start > My Computer and navigate to the folder you installed BFU in (i.e., C:\BFU).
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
- Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
Run CleanUp!
Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
- Click "Options..."
- Move the arrow down to "Custom CleanUp!"
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
- Click on "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked. Click OK.
- Press the CleanUp! button to start the program.
Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.
Run AVG Anti-Spyware
- Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
- AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
- Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop).
- Close AVG Anti-Spyware.
Reboot
Reboot your system to Normal Mode.
Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded, click on NEXT.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database: extended
- Scan Options: Scan Archives and Scan Mail Bases
- Click OK
- Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
- Now under select a target to scan, select My Computer
- The program will start and scan your system.
- The scan will take a while so be patient and let it run all the way.
- Once the scan is complete it will display if your system has been infected.
- Click on the Save as Text button and save the file to your desktop.
- Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.
With Your Next Post...
Please paste the following with your next reply (in this order please):
- The contents of C:\ComboFix.txt,
- AVG Anti-Spyware scan report,
- Kaspersky scan report,
- a new HiJackThis log taken after Kaspersky finishes.
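As an added example (not part of this post, and not HijackThis's own code), a small Python parser that turns the O2/O4/O23 lines from the fix list above into a checklist of registry locations and file paths to confirm are gone after the reboot. The sample lines are copied from this thread; the expansion of HijackThis's "HKLM\.." shorthand to the full CurrentVersion key is the one assumption built in.

```python
import re

# Constructed sample input: HijackThis entries copied from the fix list in this thread.
SAMPLE_LOG = r"""
O2 - BHO: IE HTTP Checker - {7A22BB1D-4B19-45CF-9A10-20534D997ED2} - C:\WINDOWS\system32\iehttpcheck.dll
O4 - HKLM\..\Run: [loaddr] C:\qeoa.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?)(?: \((\w+)\))? - (.+?) - (.+?)( \(file missing\))?$")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
CV = "\\Software\\Microsoft\\Windows\\CurrentVersion\\"  # assumed expansion of HijackThis's "HKLM\.." shorthand


def image_path(command: str) -> str:
    """Executable named by a Run value: the quoted token if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)].strip()
    return command.split()[0]


def parse_entry(line: str):
    """Map one O2/O4/O23 line to the registry location and file it points at; other sections return None."""
    line = line.strip()
    if m := RUN_RE.match(line):
        hive, key, name, cmd = m.groups()
        return {"kind": "run", "location": hive + CV + key + "\\" + name, "path": image_path(cmd)}
    if m := SVC_RE.match(line):
        display, short, _owner, path, missing = m.groups()
        return {"kind": "service", "location": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + (short or display), "path": path, "file_missing": missing is not None}
    if m := BHO_RE.match(line):
        name, clsid, path = m.groups()
        return {"kind": "bho", "name": name, "location": "HKLM" + CV + "Explorer\\Browser Helper Objects\\" + clsid, "path": path}
    return None


def build_checklist(log: str) -> list:
    """Structured entries for every parseable line of a HijackThis log."""
    return [e for e in map(parse_entry, log.splitlines()) if e]


def paths_to_verify(log: str) -> list:
    """Distinct absolute paths to check on disk after the fix; bare names and files already reported missing are skipped."""
    out = []
    for e in build_checklist(log):
        if ":" in e["path"] and not e.get("file_missing") and e["path"] not in out:
            out.append(e["path"])
    return out
```

Paste a fresh HijackThis scan into `SAMPLE_LOG` and compare `paths_to_verify` against what is still on disk to see at a glance which fixes did not take.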