11-30-2006, 11:23 PM   #7
dorts
Analyst, Security Team
 
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,599
OS: Windows XP SP2


Hello and welcome to TSF


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. Please stay with me until your system has been declared clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


As long as HijackThis is in a permanent folder, it is fine.


Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.

Downloads and others

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop. DO NOT run it yet.


Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1


Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.


ComboFix

1. Download this file using either of these links

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop







2. Go to Start => Run => paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /v ggw gebcd cluuwfri dmglaqd winuns32
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Safe Mode
  • Restart your computer.
  • Before the Windows logo appears, tap F8 repeatedly. In some systems, this may be the F5 key.
  • A menu should appear, select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take longer than usual, so just wait.
  • After it loads, log in on your usual account.

Fixes with HijackThis

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)


R3 - URLSearchHook: (no name) - {88441D4E-A9AD-E73B-DCA8-D028E575319E} - F:\WINDOWS\system32\ggw.dll (file missing)
O2 - BHO: (no name) - {24CDD4B4-EA0B-46AC-A34D-EC294EC45334} - F:\WINDOWS\system32\gebcd.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - F:\WINDOWS\system32\cluuwfri.dll
O2 - BHO: (no name) - {3B9E242C-6F5E-7DCF-4F5D-013C44912EED} - F:\WINDOWS\system32\dmglaqd.dll
O2 - BHO: (no name) - {88441D4E-A9AD-E73B-DCA8-D028E575319E} - F:\WINDOWS\system32\ggw.dll (file missing)
O20 - Winlogon Notify: gebcd - F:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


SmitfraudFix - Option #2

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk F: (F:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Uncheck and Delete

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.


AVG Anti-Spyware

Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).



You may now reboot back to normal mode





SmitfraudFix - Option #3

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



ComboFix

1. Run combofix again by just clicking on combofix.exe on your desktop.

2. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Logs

Please post the following logs in this order in your next reply...
  • F:\combofix2.txt
  • F:\rapport.txt
  • AVG Anti-Spyware's Log
  • Panda’s Online Scan Log
  • F:\combofix.txt
  • A New HijackThis Log
__________________




If you think TSF have helped you, please kindly donate to TSF and help keep this site free to all.
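Added example, not part of dorts's post: a short Python parser for the HijackThis lines listed under "Fixes with HijackThis". It groups the entries by DLL, so it is visible which module is registered at more than one load point, and checks that every module name passed to combofix.exe in the Run command has a matching log entry. The function names are this example's own.

```python
import re
from collections import defaultdict
from ntpath import basename, splitext  # Windows path rules on any OS

# HijackThis lines copied from the post above.
LOG = r"""
R3 - URLSearchHook: (no name) - {88441D4E-A9AD-E73B-DCA8-D028E575319E} - F:\WINDOWS\system32\ggw.dll (file missing)
O2 - BHO: (no name) - {24CDD4B4-EA0B-46AC-A34D-EC294EC45334} - F:\WINDOWS\system32\gebcd.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - F:\WINDOWS\system32\cluuwfri.dll
O2 - BHO: (no name) - {3B9E242C-6F5E-7DCF-4F5D-013C44912EED} - F:\WINDOWS\system32\dmglaqd.dll
O2 - BHO: (no name) - {88441D4E-A9AD-E73B-DCA8-D028E575319E} - F:\WINDOWS\system32\ggw.dll (file missing)
O20 - Winlogon Notify: gebcd - F:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
"""

# Module names from the combofix.exe command line in the post.
COMBOFIX_ARGS = "ggw gebcd cluuwfri dmglaqd winuns32".split()

# section - kind: name - [{CLSID} - ]path.dll[ (file missing)]
LINE_RE = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - )?"
    r"(?P<path>.+?\.dll)(?P<missing> \(file missing\))?$"
)

def parse_log(text):
    """Return one dict per recognised HijackThis line."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown line format: skip rather than guess
        e = m.groupdict()
        e["missing"] = e["missing"] is not None
        e["module"] = splitext(basename(e["path"]))[0].lower()
        entries.append(e)
    return entries

def hooks_by_module(entries):
    """Map DLL base name -> sorted HijackThis sections that load it."""
    hooks = defaultdict(set)
    for e in entries:
        hooks[e["module"]].add(e["section"])
    return {mod: sorted(secs) for mod, secs in hooks.items()}

def uncovered(entries, names):
    """Names on the command line that have no entry in the log."""
    seen = {e["module"] for e in entries}
    return [n for n in names if n.lower() not in seen]

if __name__ == "__main__":
    print(hooks_by_module(parse_log(LOG)), uncovered(parse_log(LOG), COMBOFIX_ARGS))
```

A module listed under both O2 (Browser Helper Object) and O20 (Winlogon Notify), as gebcd is here, has two independent load points, which is why the post asks that no checked entry be missed.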