Need help with removing HSA spyware


  • This topic is locked
4 replies to this topic

#1 nicefellow31

  • Members
  • 11 posts

Posted 29 September 2005 - 09:48 PM

Having problems removing HSA from my computer. I'm using XP home edition and used the most current hijack to get this log. I need some help interpreting it. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:51 PM, on 9/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\szserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\MICRO~10\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ipql32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\msjd32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\New Kristina\Desktop\Hi-jack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.verizon.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {4CCDA434-C422-8540-9760-CA3DCBB61E7B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {6570AC72-A038-A983-C7D7-83C78EDB1EC0} - C:\WINDOWS\system32\ipkb.dll
O2 - BHO: Class - {8F47AA16-0AB9-B41C-2067-C8F9B1E95AD1} - C:\WINDOWS\system32\appsa32.dll
O2 - BHO: Class - {A6702ADD-F9FC-F792-1265-9B33BE0904C6} - C:\WINDOWS\sdkgx32.dll
O2 - BHO: (no name) - {A8955C5E-7D09-18F5-1D0E-99FB9B61BC16} - (no file)
O2 - BHO: (no name) - {B28A5E86-2BEB-22A6-344A-308239C13BA8} - C:\WINDOWS\system32\appsa32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C375BE40-9B27-CB78-4A8E-D6E6F202BFA9} - C:\WINDOWS\system32\appsa32.dll
O2 - BHO: Class - {C3B52B2A-75CE-35EA-B7CE-0FE89E685E1F} - C:\WINDOWS\system32\ipvf32.dll (file missing)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICRO~10\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [68x=] C:\WINDOWS\68x=.exe
O4 - HKLM\..\Run: [immin] C:\WINDOWS\mm15201518.a.Stub.exe
O4 - HKLM\..\Run: [ipxo32.exe] C:\WINDOWS\ipxo32.exe
O4 - HKLM\..\Run: [HSW.] C:\WINDOWS\68x=.exe
O4 - HKLM\..\Run: [ippu.exe] C:\WINDOWS\ippu.exe
O4 - HKLM\..\Run: [sdkxw32.exe] C:\WINDOWS\sdkxw32.exe
O4 - HKLM\..\Run: [msiw.exe] C:\WINDOWS\msiw.exe
O4 - HKLM\..\Run: [winch.exe] C:\WINDOWS\winch.exe
O4 - HKLM\..\Run: [ipql32.exe] C:\WINDOWS\ipql32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Allow popups from this web page - C:\PROGRAM FILES\SUNBELT SOFTWARE\IHATEPOPUPS\allowsite.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Stop popups from this web page - C:\PROGRAM FILES\SUNBELT SOFTWARE\IHATEPOPUPS\denysite.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {C877CC60-22E0-11D4-8903-905651C10000} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: iHatePopups - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\PROGRAM FILES\SUNBELT SOFTWARE\IHATEPOPUPS\IHATEPOPUPS.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\PROGRAM FILES\SUNBELT SOFTWARE\IHATEPOPUPS\IHATEPOPUPS.exe (file missing) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\msjd32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: icservice - ONTRACK Data International, Inc. - C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\szserver.exe
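The log above was triaged by eye in the replies that follow. As an added illustration (not code from this thread, from HijackThis or from any of the tools it names), the Python script below applies the same tells mechanically to a constructed subset of the lines quoted in the log, with a few known-good entries (the Verizon start page, the Yahoo! BHO, the Symantec service) left in as controls. The function names and the thresholds are assumptions made for this example; the entry formats are the R1/O2/O4/O16/O23 formats visible in the log.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the entries quoted in the post above plus control lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.verizon.net
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {4CCDA434-C422-8540-9760-CA3DCBB61E7B} - (no file)
O2 - BHO: Class - {6570AC72-A038-A983-C7D7-83C78EDB1EC0} - C:\WINDOWS\system32\ipkb.dll
O2 - BHO: Class - {A6702ADD-F9FC-F792-1265-9B33BE0904C6} - C:\WINDOWS\sdkgx32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [68x=] C:\WINDOWS\68x=.exe
O4 - HKLM\..\Run: [HSW.] C:\WINDOWS\68x=.exe
O4 - HKLM\..\Run: [ipql32.exe] C:\WINDOWS\ipql32.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\msjd32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# A binary sitting directly in the Windows directory (not in System32 or Program Files).
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
# Letters, digits, underscore, space, dot and hyphen: what a product's Run value or
# service short name normally looks like.
SAFE_NAME_RE = re.compile(r"^[\w .\-]+$")
GENERIC_BHO_NAMES = {"(no name)", "class"}


def url_host_is_ip(url):
    """True when the URL's host is a bare IP address rather than a hostname."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    if not m:
        return False
    try:
        ip_address(m.group(1))
        return True
    except ValueError:
        return False


def command_exe(cmd):
    """Extract the executable path from a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text):
    """Return (line, reason) pairs; a line may be reported for more than one reason."""
    findings = []
    run_lines_by_exe = {}  # lower-cased exe path -> Run lines pointing at it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and "SearchURL" in body:
            url = body.split("=", 1)[1].strip()
            if url_host_is_ip(url):
                findings.append((line, "search URL points at a bare IP address"))
        elif kind == "O2" and body.startswith("BHO: "):
            name, _, rest = body[5:].partition(" - ")
            _clsid, _, path = rest.partition(" - ")
            if name.strip().lower() in GENERIC_BHO_NAMES:
                findings.append((line, "BHO with empty or generic name"))
            if WINDIR_ROOT_RE.match(path.strip()):
                findings.append((line, "BHO DLL dropped directly in the Windows directory"))
        elif kind == "O4":
            rm = RUN_RE.match(body)
            if not rm:
                continue
            value, exe = rm.group("value"), command_exe(rm.group("cmd"))
            if WINDIR_ROOT_RE.match(exe):
                findings.append((line, "autorun executable sits directly in the Windows directory"))
            if not SAFE_NAME_RE.match(value):
                findings.append((line, "Run value name contains unusual characters"))
            run_lines_by_exe.setdefault(exe.lower(), []).append(line)
        elif kind == "O16" and body.endswith(" -"):
            findings.append((line, "ActiveX download entry with no source URL"))
        elif kind == "O23" and body.startswith("Service: "):
            rest, _, path = body[9:].rpartition(" - ")
            display, _, owner = rest.rpartition(" - ")
            short = re.search(r"\(([^()]*)\)\s*$", display)
            if owner.strip() == "Unknown owner" and WINDIR_ROOT_RE.match(path.strip()):
                findings.append((line, "service with unknown owner running from the Windows directory"))
            if short and not SAFE_NAME_RE.match(short.group(1)):
                findings.append((line, "service short name looks garbled"))
    # The same binary registered under several Run values is a persistence tell
    # (in the log above, 68x=.exe appears as both [68x=] and [HSW.]).
    for lines in run_lines_by_exe.values():
        if len(lines) > 1:
            for line in lines:
                findings.append((line, f"same executable registered under {len(lines)} Run values"))
    return findings


def flagged_lines(log_text):
    """The set of distinct log lines that triage() reported for any reason."""
    return {line for line, _ in triage(log_text)}


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Each rule is a heuristic, not a verdict: a legitimate program can install a DLL with an empty BHO name or an oddly named service, which is why the controls are kept in the sample and why a human reviewer still decides what goes on the fix list.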


#2 suebaby41
    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 04 October 2005 - 11:17 AM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41
    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 04 October 2005 - 01:51 PM

HiJackThis can be run from the desktop but when anything is fixed, a folder called backups will be created on the desktop. To avoid having many unwanted items on your desktop, put HiJackThis in its own folder.

If you have it set up in a folder on the desktop, the backups will also be created in the same folder.

C:\Documents and Settings\(username)\Desktop\HJT\hijackthis.exe
C:\Documents and Settings\(username)\Desktop\HJT\backups\

You may want to print out this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

Click on the Start button, then click on Control Panel. When the control panel opens, double click on the Administrative Tools icon. When the Administrative Tools window opens, double click on the Services button.

The Services window will contain a listing of all the services that are installed on your machine. We need to find one of the following:

* Network Security Service
* Workstation NetLogon Service
* Remote Procedure Call (RPC) Helper

When you see a service of this name, and there should be only one, double click on that service name. You should now be in that service's properties page. Now please follow these steps:
  • Change the Startup Type drop down box to Disabled.
  • Then press the Stop button.
  • Then write down on a piece of paper the text found in the Path to executable field. This text is the filename for the service and we will need it later. You can ignore the /s at the end of the file name.
  • When you are done, press the OK button to exit the service's properties. Then exit the services window.
Now that we know the file being used as the service, we proceed to the next step.

Step 2

Please download CW-Shredder. Save CWShredder.exe in C:\CWS. The first thing you should do is check for updates to CWShredder. You can do this by clicking on the button labeled "Check for update". If updates are found, click on the Download and open the update bar. We will use it later in safe mode.
NOTE: If CWShredder does not run, a variant of CWS could be preventing you from running the shredder. Download the CoolWebSearch.Smartkiller Mini Removal Tool and save that to a directory called C:\CWS. Run the downloaded program, called miniremoval_coolwebsearch_smartkiller.exe, to remove the variant of CoolWebSearch that is stopping you from running your removal tool.

Step 3

Please download AboutBuster, and unzip it to your desktop.
  • Double click on aboutbuster.exe
  • Click "Update".
  • Click "Check For Update"
  • Click "Download Update", and wait for it to be installed.
  • Unzip the file to its own folder (C:\AB).
  • We will use it later in safe mode.
Step 4

Please download HSFix. Unzip it to a folder on your desktop. Name the folder HSfix.reg. We will use it later in safe mode.

Step 5

Please download the Pocket Killbox. Unzip the contents of Pocket Killbox to your desktop. We will use it later.

If needed, see the Tutorial on Using Pocket Killbox. It will guide you through the installation process and the removal process.

Step 6

To avoid the risk of any of the files or folders not being found due to their having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
http://www.xtra.co.nz/help/0,,4155 1916458,00.html
Or items 8 & 9 from this link :
http://www.russelltexas.com/malware/faqhijackthis.htm

Step 7

Disconnect from the internet!!!

Reboot to safe mode. If you don't know how to boot in safe mode, there is a tutorial HERE

Step 8

Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes and 'end task' them.
OR
Use the process viewer in HiJackThis: open the Misc Tools section, then open Process Manager, find the following programs and kill their processes (do not worry if they are not there):

msjd32.exe
68x=.exe
mm15201518.a.Stub.exe
ipxo32.exe
ippu.exe
sdkxw32.exe
msiw.exe
winch.exe
ipql32.exe


Let's address the HiJackThis fixes.

Please run HiJackThis and click "Scan." Place checks next to the following entries (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4CCDA434-C422-8540-9760-CA3DCBB61E7B} - (no file)
O2 - BHO: Class - {6570AC72-A038-A983-C7D7-83C78EDB1EC0} - C:\WINDOWS\system32\ipkb.dll
O2 - BHO: Class - {8F47AA16-0AB9-B41C-2067-C8F9B1E95AD1} - C:\WINDOWS\system32\appsa32.dll
O2 - BHO: Class - {A6702ADD-F9FC-F792-1265-9B33BE0904C6} - C:\WINDOWS\sdkgx32.dll
O2 - BHO: (no name) - {A8955C5E-7D09-18F5-1D0E-99FB9B61BC16} - (no file)
O2 - BHO: (no name) - {B28A5E86-2BEB-22A6-344A-308239C13BA8} - C:\WINDOWS\system32\appsa32.dll
O2 - BHO: Class - {C375BE40-9B27-CB78-4A8E-D6E6F202BFA9} - C:\WINDOWS\system32\appsa32.dll
O2 - BHO: Class - {C3B52B2A-75CE-35EA-B7CE-0FE89E685E1F} - C:\WINDOWS\system32\ipvf32.dll (file missing)
O4 - HKLM\..\Run: [68x=] C:\WINDOWS\68x=.exe
O4 - HKLM\..\Run: [immin] C:\WINDOWS\mm15201518.a.Stub.exe
O4 - HKLM\..\Run: [ipxo32.exe] C:\WINDOWS\ipxo32.exe
O4 - HKLM\..\Run: [HSW.] C:\WINDOWS\68x=.exe
O4 - HKLM\..\Run: [ippu.exe] C:\WINDOWS\ippu.exe
O4 - HKLM\..\Run: [sdkxw32.exe] C:\WINDOWS\sdkxw32.exe
O4 - HKLM\..\Run: [msiw.exe] C:\WINDOWS\msiw.exe
O4 - HKLM\..\Run: [winch.exe] C:\WINDOWS\winch.exe
O4 - HKLM\..\Run: [ipql32.exe] C:\WINDOWS\ipql32.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Workstation NetLogon Service ( 11F #`I) - Unknown owner - C:\WINDOWS\msjd32.exe


Close all browsers and other windows except for HiJackThis, and click "Fix Checked" to have HiJackThis fix the entries you checked.

Let's delete this O23 service.
  • Start HiJackThis
  • Click "Config" button
  • Click "Misc Tools" button
  • Click Delete an NT Service button
  • Copy and Paste the bold text below in the "Delete an NT Service" window

    O23 - Service: Workstation NetLogon Service (11F #`I) - Unknown owner - C:\WINDOWS\msjd32.exe
  • Click "OK"
  • Close HiJackThis
Step 9

Run CWShredder.
  • Close all programs and windows.
  • Navigate using windows explorer or My Computer to the C:\CWS folder and double click on the file CWShredder.exe.
  • Click on the Fix icon and let it scan your computer.
  • CWShredder will then start scanning your hard drive for the various CoolWebSearch variants and remove them if they are found. If one is found it will tell you, otherwise it will state that it is "not present". When it is done you will be presented with a button labeled "Next".
  • When you are finished examining the results, press the Next button to see a summary of the fixing process.
Step 10

Run About:Buster.
  • Click "Start".
    (Wait for the initial ADS scan to complete.)
  • Click "Yes", to shutdown any IE session currently open.
    (Wait for the about:blank scan to complete.)
  • Click "Ok", to scan once more.
  • Click "Yes", to shutdown any IE sessions currently open.
  • Click "Yes", to begin the second pass.
  • Click "Save log", and post this log back along with your new log.
  • Click "Exit".
Step 11

Reboot to safe mode.

Step 12

Double-click HSfix.reg to merge the info to the registry.

Step 13

Run Pocket Killbox.
  • Disconnect from internet and shut down all running programs
  • Double click on KillBox.exe.
  • Click on Tools > Delete Temp Files and click ok.
  • Use Pocket Killbox to end process on all instances of explorer.exe and rundll32.exe
    Your desktop will disappear but that's normal. It will come back after Reboot part of this fix
  • As you Paste each entry into Killbox, place a check by any of these Selections available
    "Delete on Reboot"
    "Unregister .dll before Deleting"
    "End Explorer Shell while Killing File"
  • Paste this file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\system32\ipkb.dll

  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:

    C:\WINDOWS\system32\appsa32.dll
    C:\WINDOWS\sdkgx32.dll
    C:\WINDOWS\system32\ipvf32.dll (file missing)
    C:\WINDOWS\mm15201518.a.Stub.exe
    C:\WINDOWS\ipxo32.exe
    C:\WINDOWS\68x=.exe
    C:\WINDOWS\ippu.exe
    C:\WINDOWS\sdkxw32.exe
    C:\WINDOWS\msiw.exe
    C:\WINDOWS\winch.exe
    C:\WINDOWS\ipql32.exe
    C:\WINDOWS\msjd32.exe


  • Click the "Delete File" button which looks like a stop sign.
  • Killbox will tell you that all listed files will be deleted on next reboot, click YES
  • When it asks if you would like to Reboot now, click YES Reboot to safe mode.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Please note that we may need to repeat this process a few times before we kill all the files.

The KillBox creates a folder called "!submit" in C:\ , after you are done, you can delete the folder.

Step 14

Clean out temporary files:
  • Start | Run | type cleanmgr | OK
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked
  • Click OK to remove them.
  • Click Yes to confirm the deletion.
Step 15

Reboot into normal mode.

Step 16

Please download and install Ewido Security Suite v3.5
If Ewido finds something that you KNOW is legitimate (watch for alerts that have the word "Heuristic" in them; these may actually be false positives), select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch Ewido by double clicking the "e" icon on your desktop.
  • The program will now go to the main screen.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on "Start Update".
    • The update will begin and a progress bar will show the updates being installed. If you are having problems with the updater, use Update Ewido
    • After the update finishes, the status bar at the bottom will display "Update successful"
  • After the updates are installed do the following:
    • Click on Scanner and select "Settings"
    • Under the bottom section "What to Scan?" select "Scan every file"
    • Select "OK" and you will return to scanning options
    • Click on "Complete System Scan" [This can take a while to complete so please be patient]
    • While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then CHECK or UNCHECK "Perform action on all infections" and click "OK". Note: You will have to watch the scan all the way through and delete items manually
  • After the scan has completed, Ewido will create a report.
  • There will be a button located on the bottom of the screen named "Save report". Click "Save report" [to your desktop] and post it in your next response.
  • Exit Ewido Security Suite when done.
If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and uncheck "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
Ewido offers a FREE 14 day full working trial. After the 14 day trial the only option that will be disabled is the "real time" scanning which we did not install anyway and the automatic updating. You will have to do the updating manually by clicking on the Update button and then Start Update.

Step 17

Run this free online virus scan.

TrendMicro

Make sure you check "AutoClean"

When you have completed the scans, if you get a report of files that can't be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 18

Please post a new HiJackThis log and the log from Ewido.
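The reply above asks for a fresh HijackThis log once the steps are done, and warns that the process may have to be repeated before all the files are gone. As an added example (not the helper's code, not HijackThis's, and not any tool named in the thread), the Python below turns that request into a mechanical post-cleanup check: it reports which fix-list entries are still in the new log verbatim, and, separately, which Killbox file names are still referenced anywhere in it, so a binary that was re-registered under a different Run value name is not missed. The fix list and Killbox paths are a subset of those quoted in the reply; the "after" log and its `[winupd]` value name are constructed for this example, and the function names are assumptions.

```python
"""Post-cleanup verification of a HijackThis log (added example, not from the thread)."""
import re
from pathlib import PureWindowsPath

# Constructed from the reply above: four of the entries to be fixed and their files.
FIX_LIST = [
    r"O2 - BHO: Class - {6570AC72-A038-A983-C7D7-83C78EDB1EC0} - C:\WINDOWS\system32\ipkb.dll",
    r"O4 - HKLM\..\Run: [68x=] C:\WINDOWS\68x=.exe",
    r"O4 - HKLM\..\Run: [ipql32.exe] C:\WINDOWS\ipql32.exe",
    r"O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\msjd32.exe",
]
KILL_PATHS = [
    r"C:\WINDOWS\system32\ipkb.dll",
    r"C:\WINDOWS\68x=.exe",
    r"C:\WINDOWS\ipql32.exe",
    r"C:\WINDOWS\msjd32.exe",
]

# Constructed "after" log (hypothetical): the BHO line survived unchanged, 68x=.exe and the
# service are gone, and ipql32.exe has come back under a new Run value name, [winupd].
AFTER_LOG = r"""
O2 - BHO: Class - {6570AC72-A038-A983-C7D7-83C78EDB1EC0} - C:\WINDOWS\system32\ipkb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\ipql32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def normalize(line):
    """Collapse whitespace and case so copy/paste differences do not hide a match."""
    return " ".join(line.split()).casefold()


def remaining_fix_entries(fix_list, after_log):
    """Fix-list entries that are still present, verbatim, in the new log."""
    present = {normalize(l) for l in after_log.splitlines() if l.strip()}
    return [entry for entry in fix_list if normalize(entry) in present]


def referenced_kill_files(kill_paths, after_log):
    """(log line, kill path) pairs where a Killbox file name is referenced as a path
    component anywhere in the new log, regardless of the registry value or CLSID in front of it."""
    hits = []
    for raw in after_log.splitlines():
        line = raw.strip()
        for path in kill_paths:
            name = PureWindowsPath(path).name
            # Require a preceding backslash so only path components match, not prose.
            if re.search(r"\\" + re.escape(name) + r"(?![\w.])", line, re.IGNORECASE):
                hits.append((line, path))
    return hits


def cleanup_report(fix_list, kill_paths, after_log):
    """Combined report; both lists empty means the new log shows nothing from the fix round."""
    return {
        "entries_still_present": remaining_fix_entries(fix_list, after_log),
        "kill_files_still_referenced": referenced_kill_files(kill_paths, after_log),
    }


if __name__ == "__main__":
    report = cleanup_report(FIX_LIST, KILL_PATHS, AFTER_LOG)
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

The second list is the one worth watching: a verbatim comparison alone would report the `[ipql32.exe]` Run entry as fixed, while the file-name match shows the same binary back under `[winupd]`, which is exactly the case in which the reply says the Killbox round has to be repeated.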

#4 nicefellow31
  • Topic Starter

  • Members
  • 11 posts

Posted 04 October 2005 - 03:19 PM

I appreciate your response. I will post again when I am complete.

#5 suebaby41
    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 05 October 2005 - 12:19 PM

Please post in the same thread as a reply. I am closing this thread and will work with you in the new thread. :thumbsup: