Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91733 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Just A Test


  • Please log in to reply
No replies to this topic

#1 DumbTerminal

DumbTerminal

    Silver Member

  • Authentic Member
  • PipPipPip
  • 258 posts

Posted 18 January 2005 - 10:55 AM

Mods.
If you must, you can lock this if you deem necessary, but please do not delete. I need someone to see this, and I'm having extremely strange errors getting this to show up properly elsewhere.
Thanks

PBHewitt

These steps must be done, and must be done in this order for the fix to work.
Please read through them first and make sure you understand.
If you have any questions,even if you think it is dumb, do not hesitate to ask.
These instructions aren't as overwhelming as they may look.
If you miss a step or do something wrong, we will just have to start over,no big deal, so relax and take your time! :)

Step 1

Turn off [L=System Restore]http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam[/L]

Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode
For this fix to work, we HAVE to be in [L=Safe Mode]http://www.bleepingcomputer.com/forums/index.php?showtutorial=61

STEP 2

* Right-click on My Computer
* Choose Manage
* Double-click on Services and Applications
* Click on Services
* In the righthand column find " Remote Procedure Call (RPC) Helper ", and double-click on it
(in Safe Mode this may already be stopped)
* Choose Stop
* Set the Startup Type to Disabled
* Click Ok
* Close the Computer Management window
There are 2 other RPC services. Leave those alone
Only stop and disable Remote Procedure Call (RPC) Helper

STEP 3

Run HJT
Place a check next to these entries, if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\axmys.dll/sp.html#14044

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINXP\System32\Userinit.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {FE88300A-81B1-4D60-1B11-46041255D042} - C:\WINXP\system32\apitt32.dll

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

O4 - HKLM\..\Run: [Narrator] C:\WINXP\System32\iuiqqy.exe

O4 - HKLM\..\Run: [syssb.exe] C:\WINXP\system32\syssb.exe

O4 - HKLM\..\Run: [1C9.tmp] C:\DOCUME~1\PAUL~1.NET\LOCALS~1\Temp\1C9.tmp.exe 0 10001

O4 - HKLM\..\Run: [ntechin] C:\WINXP\system32\n20050308.exe

O4 - HKLM\..\Run: [Dvx] C:\WINXP\System32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [kalvsys] C:\winxp\system32\kalvcup32.exe

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.static.topconverting.com

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.125.149 (HKLM)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...8ab2292e6aa4d79

O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://206.161.207.9...dexe/hhctrl.ocx

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topcon...vex/loader2.ocx

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab

O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINXP\javaze32.exe (file missing)


Close ALL windows, including this one, and click on "Fix Checked"


STEP 4

Close HiJackThis and run About:Buster. Follow the directions and have the program search the system for offending files and remove them.

****If you run About:Buster and receive an error about a missing MSCOMCTL.OCX file, click on the following link to download a program to restore the file.
[l=LINK HERE]http://www.javacoolsoftware.net/downloads/missingfilesetup.exe[/L]

STEP 5

Now we must delete the offending files

Go to C:\WINXP and delete these files:
ippu32.exe
javaze32.exe

Go to C:\WINXP\system32 and delete the following files:
apitt32.dll
axmys.dll
iuiqqy.exe
kalvcup32.exe
n20050308.exe
syssb.exe

Delete this folder
wsxsvc

Go to C:\Program Files and delete this folder
VBouncer

Reboot, run your spyware scanners again, and post another HJT log please

Edited by DumbTerminal, 18 January 2005 - 10:58 AM.

We Thank-you for Donating To Show Your Appreciation

    Advertisements

Register to Remove

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users