04-26-2007, 10:09 AM   #7
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,773
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

Hold off on the online scan for now....these instructions supersede any previous....

We'll take another route. Some other nasties have reared their head. Might be best to keep the machine disconnected from the network and internet, and transport tools from a clean machine.

Right click on this link http://www.mvps.org/winhelp2002/DelDomains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Download this file:

http://downloads.malwareremoval.com/Nel/FixP.zip

Extract and double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

---------------------------------------------------------------------------------------------


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------


Delete the following if they exist:

C:\WINDOWS\System32\clcl6.exe

---------------------------------------------------------------------------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum in your next reply.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:
  2. Double click on ComboFix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Also post a new HJT log.

So, I need logs from:

SDFix
ComboFix
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 04-26-2007 at 10:11 AM.
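The HijackThis step above asks the poster to fix one O4 entry. An O4 line is HijackThis's shorthand for an autostart value under a Run key: `O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe` means the value named `clcl6` in `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, whose data launches `C:\WINDOWS\System32\clcl6.exe`. The following script is an added example, not part of the original post and not code from HijackThis, SDFix or ComboFix: it parses O4 lines from a HijackThis-style log into the registry location and the executable they point at, flags the entry named in the post, and produces the same two-part checklist the post gives (registry value to fix, file to delete). The sample log lines, the `Example` RunOnce entry and the all-zero CLSID are constructed for the demonstration; the parser also handles quoted paths with arguments, which the post's single line does not need.

```python
from __future__ import annotations

import re

# Constructed HijackThis-style log excerpt (not a real scan result). The first
# line mirrors the entry quoted in the post; the others are illustrative.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunOnce: [Example] "C:\Program Files\Example\setup.exe" /silent
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

# O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\"
    r"(?P<key>Run|RunOnce|RunServices|RunServicesOnce):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# HijackThis abbreviates the full autostart key path with "\..\".
AUTOSTART_BASE = r"Software\Microsoft\Windows\CurrentVersion"


def split_command(cmd: str) -> tuple[str, str]:
    """Split a Run-value command line into (executable path, arguments).

    A path containing spaces is normally wrapped in double quotes; otherwise
    the executable is the first whitespace-delimited token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4_lines(log_text: str) -> list[dict]:
    """Return one record per O4 line; non-O4 lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "registry_key": f"{m.group('hive')}\\{AUTOSTART_BASE}\\{m.group('key')}",
            "value_name": m.group("name"),
            "exe_path": exe,
            "arguments": args,
        })
    return entries


def flag_entries(entries: list[dict], value_names: set[str]) -> list[dict]:
    """Select the entries whose value name appears in the given set.

    Matching is case-insensitive because registry value names are.
    """
    wanted = {n.lower() for n in value_names}
    return [e for e in entries if e["value_name"].lower() in wanted]


def removal_checklist(entry: dict) -> dict:
    """Describe what fixing one O4 entry involves: the registry value that
    HijackThis removes on 'Fix Checked', and the file left on disk that
    still has to be deleted separately (the post's two steps)."""
    return {
        "registry_value": f"{entry['registry_key']}\\{entry['value_name']}",
        "file_to_delete": entry["exe_path"],
    }


if __name__ == "__main__":
    found = parse_o4_lines(SAMPLE_LOG)
    for e in found:
        print(f"{e['registry_key']} -> [{e['value_name']}] {e['exe_path']} {e['arguments']}".rstrip())
    # The entry the post tells the user to fix:
    for e in flag_entries(found, {"clcl6"}):
        print("checklist:", removal_checklist(e))
```

Run it as-is to see the three parsed autostart entries and the checklist for `clcl6`; to apply it to a real log, replace `SAMPLE_LOG` with the log text and the set passed to `flag_entries` with the value names named in the reply you are following.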