Hi ThePaper88,
You’re most welcome, ThePaper88.
OK, here’s what we do next.
Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:
SpyAway
NEXT:
Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):
Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".
Then please exit HijackThis.
NEXT:
Please run OTMoveIt and quarantine the following files/folders (please also remember to copy the Results report and paste it in your next reply for me to see):
NEXT:
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):
Code:
REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.
In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.
NEXT:
BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.
Please download Dr.Web CureIt and save it to your desktop:
Next, please reboot your computer into Safe Mode by doing the following:
- Reboot your computer.
- After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
- Instead of Windows loading as normal, a menu should appear.
- Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.
Now scan with Dr.Web CureIt:
- Double-click the drweb-cureit.exe file. It will then suggest to run an "Express Scan" -- this you should allow.
- After this (Dr.Web writes "Done" at the bottom left), you click "Options" menu -> "Change settings".
- Choose the "Scan" tab, uncheck the mark at "Heuristic analysis".
- Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
- Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
- Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, you click "Yes to All", and it will after this automatically fix what is found.
- After the scan, go to the "View" menu -> "Report list".
- Then go to the "File" menu -> "Save report list".
- Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
- Close Dr.Web CureIt.
- REBOOT your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
NEXT:
Please REBOOT your computer normally into Windows and post these logs in your next reply:
- The results report from OTMoveIt.
- The log from the Dr.Web CureIt scan.
- A new ComboFix log.
- A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).
Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
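
Added example (not part of the original post): a small Python reader that lists what a .reg file will do before it is merged, showing that the `"DisableTaskMgr"=-` line in fix.reg deletes that policy value rather than setting it. The function name `summarize_reg` and the `ExampleVendor` sample are assumptions made for illustration.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

# The fix.reg text from the post above.
FIX_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"""

# Constructed sample covering the other two operations a .reg file can carry.
SAMPLE_REG = r"""REGEDIT4
; constructed sample, not from the post
[HKEY_CURRENT_USER\Software\ExampleVendor]
"Flag"=dword:00000001
@="hello"
[-HKEY_CURRENT_USER\Software\ExampleVendor\Old]
"""

def summarize_reg(text):
    """Return (action, key, value_name, data) tuples for a .reg file."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / version 5.00 header")
    ops, key = [], None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            if key.startswith("-"):          # [-KEY] removes the whole key
                ops.append(("delete_key", key[1:], None, None))
                key = None
            continue
        m = VALUE_RE.match(ln)
        if m is None or key is None:
            raise ValueError(f"unparseable line: {ln!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data == "-":                      # "name"=- removes one value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops

if __name__ == "__main__":
    for op in summarize_reg(FIX_REG) + summarize_reg(SAMPLE_REG):
        print(op)
```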