RKinner
April 4th, 2006 19:00
I recommend that you do the following so you will have an electronic copy of the
instructions since you will need to have Internet Explorer closed during most of
the fix. We will probably have to make several passes at it since you have a real collection of malware.
Select the instructions: Put your mouse at the top left corner of my post then
hold down the left button and drag it down to the bottom of the post.
Copy the instructions to your clipboard: Ctrl + c (or Edit, Copy).
Start notepad: Start, Run, notepad, OK
The cursor will be in notepad now so just Ctrl + v (or Edit, Paste) to paste the
instructions into the notepad.
Save the file: File, Save As, (navigate to your desktop), fix, OK
You should now have a file called fix on your desktop which you can open by
double clicking.
Download the Hoster from:
http://www.funkytoad.com/
Unpack to your desktop and run it. If you have green print at the top then just
press Restore Original Hosts then OK.
If you have red print then press Make Hosts Writeable first.
After you Restore Original Hosts then press Make Hosts Read Only.
Get DelDomain.inf from:
http://www.mvps.org/winhelp2002/DelDomains.inf and then right click on it and
Install. Nothing obvious will happen.
Get smitrem from http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Save it to your desktop then run it. It will extract a folder called smitrem
with a bunch of files in it. (The default is to extract it to your desktop.
If you have logging in with your usual login when in safe mode you may need to
run smitrem again and change the path to C:\ and you can then start the
runthis.bat
program from any login by Start, Run, c:\smitrem\runthis.bat, OK. But do not
run it yet.)
Get the latest version of ccleaner from:
http://www.ccleaner.com.
(the actual download is at: http://www.filehippo.com/download_ccleaner/
click on Download Latest Version)
Install it. Don't let it clean anything yet.
Download the killbox:
http://www.bleepingcomputer.com/files/killbox.php
Unzip it to your desktop but don't run it.
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login or you won't find
the programs you put on the desktop
and some of the entries we want to remove will not appear in HijackThis.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dkkqr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ngrucmi.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms036204995] C:\WINDOWS\ms036204995.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [w02fb65b.dll] RUNDLL32.EXE w02fb65b.dll,I2 000047fa002fb65b
O4 - HKLM\..\Run: [w0026ae5.dll] RUNDLL32.EXE w0026ae5.dll,I2 000047fa00026ae5
O4 - HKLM\..\Run: [ms050499562] C:\WINDOWS\ms050499562.exe
O4 - HKLM\..\Run: [w06e75d5.dll] RUNDLL32.EXE w06e75d5.dll,I2 000047fa006e75d5
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [w002c5a7.dll] RUNDLL32.EXE w002c5a7.dll,I2 000047fa0002c5a7
O4 - HKLM\..\Run: [w008ef89.dll] RUNDLL32.EXE w008ef89.dll,I2 000047fa0008ef89
O4 - HKLM\..\Run: [w002404b.dll] RUNDLL32.EXE w002404b.dll,I2 000047fa0002404b
O4 - HKLM\..\Run: [w002bdd7.dll] RUNDLL32.EXE w002bdd7.dll,I2 000047fa0002bdd7
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [w0032164.dll] RUNDLL32.EXE w0032164.dll,I2 000047fa00032164
O4 - HKLM\..\Run: [w0021543.dll] RUNDLL32.EXE w0021543.dll,I2 000047fa00021543
O4 - HKLM\..\Run: [w0021c96.dll] RUNDLL32.EXE w0021c96.dll,I2 000047fa00021c96
O4 - HKLM\..\Run: [w00215c0.dll] RUNDLL32.EXE w00215c0.dll,I2 000047fa000215c0
O4 - HKLM\..\Run: [w002524c.dll] RUNDLL32.EXE w002524c.dll,I2 000047fa0002524c
O4 - HKLM\..\Run: [w0024442.dll] RUNDLL32.EXE w0024442.dll,I2 000047fa00024442
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [w0021802.dll] RUNDLL32.EXE w0021802.dll,I2 000047fa00021802
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinsrag.exe CORN001
O4 - HKLM\..\Run: [w2aaf353.dll] RUNDLL32.EXE w2aaf353.dll,I2 000047fa02aaf353
O4 - HKLM\..\Run: [w001e5e6.dll] RUNDLL32.EXE w001e5e6.dll,I2 000047fa0001e5e6
O4 - HKLM\..\Run: [w001f671.dll] RUNDLL32.EXE w001f671.dll,I2 000047fa0001f671
O4 - HKLM\..\Run: [w01c0835.dll] RUNDLL32.EXE w01c0835.dll,I2 000047fa001c0835
O4 - HKLM\..\Run: [w001eb64.dll] RUNDLL32.EXE w001eb64.dll,I2 000047fa0001eb64
O4 - HKLM\..\Run: [w001e5a8.dll] RUNDLL32.EXE w001e5a8.dll,I2 000047fa0001e5a8
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\rwinsrag.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\l26o0cj3efo.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHlsZXIgU3ViZXI\command.exe (file missing)
Run ccleaner.exe.
Select Options then Advanced and uncheck the box in front of:
Only Delete file in Windows Temp folders older than 48 hours.
Now select Cleaner
Under Cleaner Settings, Windows
uncheck everything on the first page
except:
under Internet Explorer
- Temporary Internet Files
under System
- Empty Recycle Bin
- Temporary Files
Under Cleaner Settings, Applications uncheck everything
except:
Under Internet
- Sun Java
Run Cleaner.
This should clean out all of the temp files including those of your java program
(where recently we are finding a lot of garbage. You really should be running
the latest version of java and uninstall all old versions). The reason I have
you uncheck most of the options is that I have had problems with it deleting
too much so I want to limit it to things where I think malware might be hiding.
Run killbox. Open Options and check Remove Directories
Where it says Full Path of File to Delete you need to type or copy (Highlight
and Ctrl + c)
and Paste (move to the killbox and place the cursor in the box and Ctrl + V):
C:\Program Files\Toolbar888
Then check the Delete on Reboot box and the End Explorer Shell while killing file box
then the red button.
It will say: File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it NO. (If it can't find it that's OK just go on to the next one)
The desktop will vanish. This is normal.
Repeat for:
C:\Program Files\webHancer
C:\WINDOWS\system32\dkkqr.exe
C:\WINDOWS\system32\ngrucmi.exe
C:\WINDOWS\VHlsZXIgU3ViZXI
Let it reboot after the last one. If you get a message about an external
process then Killbox is not going to work. Let me know and we will try something else.
Reboot into regular mode
Go to
http://www.newdotnet.net/removal.html
and remove new dot net following the procedures there.
"Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7
Close all windows before continuing.
Double-click "Look2Me-Destroyer.exe" to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX"
Run another HijackThis log and post it as a reply. Let's
see how we did.
Ron
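The HijackThis entries Ron asks the poster to fix share a few recognisable traits: an extra program appended to the system.ini Shell= or UserInit= line, Run entries that load a DLL through rundll32 by bare name, executables with no path, a text/html MIME filter, a Winlogon Notify DLL that is not part of Windows, and services or toolbars whose file is missing. The script below is an added example (not part of the post or of HijackThis) that runs those heuristics over a constructed sample built from lines quoted in the log above. The KNOWN_NOTIFY_DLLS allowlist and the reason strings are my assumptions, not anything HijackThis itself reports.

```python
import re

# Constructed sample: ten entries copied from the HijackThis log in the post above.
# The R1 line and the BellSouth loader line are kept to show that not every entry is flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dkkqr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ngrucmi.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [w02fb65b.dll] RUNDLL32.EXE w02fb65b.dll,I2 000047fa002fb65b
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\l26o0cj3efo.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHlsZXIgU3ViZXI\command.exe (file missing)
"""

# Assumption: the Winlogon Notify DLLs that ship with Windows XP; anything else gets reviewed.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sens.dll"}

# rundll32 invocation: capture the DLL argument (ends at the comma before the export name).
_RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+([^,\s]+)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, with surrounding quotes removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def flag_entry(line: str):
    """Return a short reason when the entry matches a persistence or hijack heuristic, else None."""
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: Shell="):
        # The shell line should name Explorer.exe and nothing else.
        shells = [s.strip().lower() for s in line.split("Shell=", 1)[1].split(",") if s.strip()]
        if shells != ["explorer.exe"]:
            return "system.ini Shell= lists more than Explorer.exe"
    elif line.startswith("F2 - REG:system.ini: UserInit="):
        # UserInit should be a single userinit.exe; a trailing ",something.exe" is a hijack.
        inits = [s.strip() for s in line.split("UserInit=", 1)[1].split(",") if s.strip()]
        if len(inits) != 1 or _basename(inits[0]).lower() != "userinit.exe":
            return "system.ini UserInit= lists more than userinit.exe"
    elif line.startswith("O4 - ") and "] " in line:
        command = line.split("] ", 1)[1].strip()
        m = _RUNDLL.match(command)
        if m:
            if "\\" not in m.group(1):
                return "rundll32 loads a DLL by bare name (no path)"
        elif command and "\\" not in command.split()[0].strip('"'):
            return "Run entry names an executable with no path"
    elif line.startswith("O18 - Filter: text/html"):
        # A text/html MIME filter lets a DLL rewrite every page the browser renders.
        return "text/html MIME filter installed"
    elif line.startswith("O20 - Winlogon Notify:"):
        dll = _basename(line.rsplit(" - ", 1)[-1]).lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            return "Winlogon Notify DLL outside the known Windows set"
    elif line.startswith("O23 - Service:") and ("Unknown owner" in line or "(file missing)" in line):
        return "service with unknown owner or missing binary"
    # Generic rule for any section: an entry whose target no longer exists is an orphan worth removing.
    if "(no file)" in line or "(file missing)" in line:
        return "entry points at a file that no longer exists"
    return None


def analyze(log_text: str):
    """Run flag_entry over every non-empty log line; return (reason, line) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        reason = flag_entry(raw)
        if reason:
            findings.append((reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for reason, entry in analyze(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

The generic "(no file)" rule is checked last so that a specific reason (such as the O23 service rule) wins when both apply. Lines with no rule, like the R1 search page entry, pass through silently; a full-path Run entry such as the BellSouth loader is not flagged by the path heuristic, which is why the post still relies on a human reading the whole log.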