02-25-2007, 02:40 AM   #5
Sempurna
Analyst, Security Team
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

Looks like we would have to manually fix this as the automatic fixer didn’t work.

OK, here’s what we do next.

Do you have Netpumper or Bitgrabber or BitRoll installed? If so, uninstall them via Start -> Control Panel -> Software -> Add or Remove Programs. This is because they are bundled with the malware you are dealing with (Swizzor aka Lop).

Also, please check to see if the following are present in Add or Remove Programs and uninstall them if found:

CiD Manager
CiD Help
Download Plugin for Internet Explorer
Messenger Plus!
Messenger Plus! 2
Messenger Plus! 3
Zone Media
DAEMON Tools WhenU SearchBar
Desktop Toolbar [WhenUSearch]
WhenU CrunchGames Bar
WhenU Save
WhenU SaveNow
WhenUSave
WhenUSearch
WhenUSearch Desktop Toolbar
WhenUSearch Toolbar
WhenUShop


If, during uninstall, you are asked for uninstall verification, please enter the numbers that appear in the window.

Then reboot. <-- Important!


NEXT:

After reboot, please download Deljob.exe and save it on your desktop.

Double-click Deljob.exe.

A log named logit.txt should open afterwards. This log will be present on your desktop.

Please post the contents of the Deljob.exe log in your next reply together with a new HijackThis log.


NEXT:

Reconfigure Windows XP to show hidden files
  • Click Start -> My Computer.
  • Select the Tools menu and click Folder Options. Select the View tab.
  • Under the Hidden files and folders heading check "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Uncheck the "Hide file extensions for known file types" option.
  • Click Yes to confirm. Click OK.

CAUTION : You will see many folders and files which you may not recognize. Most of these folders and files are LEGITIMATE. Please do NOT delete anything you deem suspicious unless you are specifically instructed to do so. To do otherwise may irreparably damage your system.


NEXT:

Then please run HijackThis and click "Scan." Place checks next to the following entries:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THUNK CURB SAFE ITCH] C:\Documents and Settings\All Users\Datos de programa\2 bone thunk curb\help frag.exe
O4 - HKCU\..\Run: [RULE DUMB] C:\DOCUME~1\Carolaa\DATOSD~1\DRAWJU~1\bindclock.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Archivos de programa\Save\Save.exe"
O18 - Filter: text/html - (no CLSID) - (no file)



Close ALL browsers (including this one) and other windows except for HijackThis, and click "Fix checked".


NEXT:

Please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.


NEXT:

Using Windows Explorer, please navigate to and delete the following FOLDERS (if they exist):

C:\Archivos de programa\Save
C:\Documents and Settings\All Users\Datos de programa\2 bone thunk curb
C:\Documents and Settings\Carolaa\Datos de programa\DRAWJU~1 <-- the filename begins with DRAWJU…


Please let me know if you encountered any problems finding or deleting the folders.


NEXT:

Please reboot normally into Windows.

Please post the contents of the Deljob.exe log in your next reply together with a new HijackThis log.
Last edited by Sempurna; 02-25-2007 at 02:43 AM.