72 replies to this topic

[Siggyx]

Download hijackthis to its own folder C:/HJT for example. Extrat the zip file to that folder. Then close all browseer windows, open hijackthis and click on scan. Once the scan has completed click on Save Log, this will produce a text file log. Highlight all of the information from in that text box then right click and copy. Come back to this post you made and click on "add reply" at the bottom right and a new window will open. Paste the hijackthis log into the new window hit add reply in that new window.

HJT download >>> http://www.softpedia.../10-17-69.shtml

[Siggyx]

You have a lot of nasty infections. Lets see if we can get some of it cleaned off. This will take a number of steps.

You may need to conenct in safe mode with network options to download these.

Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
  
• Double-click Look2Me-Destroyer.exe to run it.
  
• Put a check next to Run this program as a task .
  
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  
• When Look2Me-Destroyer re-opens, click the Scan for L2M button , your desktop icons will disappear, this is normal.
  
• Once it's done scanning, click the Remove L2M button .
  
• You will receive a Done Scanning message, click OK .
  
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK .
  
• Your computer will then shutdown.
  
• Turn your computer back on.
  
• Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339'. please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32. Directory
http://www.ascentive...ib/MSWINSCK.OCX

[Siggyx]

Did it produce a log?

[Siggyx]

Are you able to download progreams? If so let me know and we will do this the long way.

[Siggyx]

Good, ok hang on. I need to write up the next part of the fix and it is a long one.

[Siggyx]

The Fix:

Step#1:Getting Ready


Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection with FireFox. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.



Step#2:Show All Hidden Files Very Important

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip

(or copy all of the instructions for the specific OS from http://www.xtra.co.n...1916458,00.html to the post)



Step#3:Download CWShredder Do Not Use Yet

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet



Step#4:Download About Buster Do Not Use Yet

1. Please download About:Buster from here: http://www.malwareby...AboutBuster.zip

2. Once it is downloaded extract it to c:\aboutbuster.





Step#5:Download Registrar Lite Do Not Use Yet

Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry as it is very easy to render a Computer unbootable by deleting the wrong key



Step#6:Download Ewido Security Suite Only For Windows 2000 and XP Do Not Use Yet

• Download and install Ewido security suite
• Right Click on the “E” icon in your taskbar and open Ewido Security Suite then click “update” to get the most recent definitions for it to use.
• When it prompts you to update, click the OK button.
• download the updates and when they are finished installing, close the window
• Please Do Not Use It Yet

Step#6:Download A Registry File to Remove Registry Entries Do Not Use Yet

• Please download the following zip file to your desktop:
  HSfix
• Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
• Do Not Use It Yet

Please disconnect from the Internet




Step#7:Disable The Bad Service ** Very Important!!**

• Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
  
• Click on start > control panel > administrative programs or could be administrative tools > services. Look for a service called Workstation NetLogon Service . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step#8:Stop The Running Processes


Press control-alt-delete to get into the task manager and end the following processes if they exist:

sdkvc32.exe
ntqr32.exe
msqn32.exe
ipxq32.exe


Step#9:Use HijackThis to Delete About Blank Bad Files

I now need you to delete the following files:

C:\WINDOWS\system32\zkqso.dll
C:\WINDOWS\system32\sdkvc32.exe
C:\WINDOWS\system32\ntqr32.exe
C:\WINDOWS\system32\msqn32.exe
C:\winstall.exe
C:\WINDOWS\system32\ipxq32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.



Step#10:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zkqso.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [sdkvc32.exe] C:\WINDOWS\system32\sdkvc32.exe
O4 - HKLM\..\Run: [ntqr32.exe] C:\WINDOWS\system32\ntqr32.exe
O4 - HKLM\..\Run: [msqn32.exe] C:\WINDOWS\system32\msqn32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://little-flower...hm::/loader.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O20 - Winlogon Notify: docent0 - C:\WINDOWS\SYSTEM32\docent0.dll
O20 - Winlogon Notify: mdfpro - C:\WINDOWS\SYSTEM32\mdfpro.dll

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipxq32.exe


O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)



click "fix checked"


Step#11: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File> Export and and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)


Step#12: Use the HSfix.reg file

• Navigate to the HSfix folder on your Desktop
• Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
• if you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it

Step#13:Fixing With CWShredder

• CLOSE ALL WINDOWS except CWShredder
  
• Run the program by clicking 'fix' and letting it fix all CWS remnants.

Step#14:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.

• Navigate to the c:\aboutbuster directory
• double-click on aboutbuster.exe
• When the tool opens press the OK button, then Start button, then the OK button
• then finally the Yes button. It will start scanning your computer for files.
• If it asks if you would like to do a second pass, allow it to do so.
• Post the log file in your next reply

Step#15:Scan With Ewido Security Suite

• Launch Ewido again
  
• Click on Scanner>Complete System Scan.
  
• Let the program scan your PC.
  
• When the scan asks to clean files click OK.
  
• When scan is completed, click Save report. to your desktop.
  
• Post the report in your next reply.

Reboot your computer back to normal mode and

Reconnect To The Internet

NEXT

Please download VundoFix.exe from here:

http://www.atribune..../click.php?id=4

and save it to your desktop


Double-click VundoFix.exe to run it.

Checkmark the box "Run Vundo as task"

You will receive a message saying vundofix will close and re-open in a minute or less. Click OK

When VundoFix re-opens, click the Scan for Vundo button

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.



Step#16:Scan and Post a New HJT log with other logs

• Scan again with HijackThis.
  
• Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.
  
• There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

Good Luck!

[Siggyx]

The disabling of Notepad is part of the infection. Please scan with Ewido again, in safe mode, fix whats it finds and then post a new hijackthis log please.