1.1K Posts

June 21st, 2005 21:00

Hi Jason05216...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over. I will post back as soon as possible.

If you have any questions post them back in this thread. Do not start another.

Just a quick look shows me that you are infected with an About Blank. I will try to post a "FIX" later tonight.

Thanks,

Message Edited by dobhar on 06-22-2005 10:40 AM

1.1K Posts

June 22nd, 2005 17:00

Hi jason05216...
 
You are infected with About:Blank...
 
Before we get going I need to mention 2 things...
1. The entry below indicates that you may be controlling startup entries with Msconfig. Not that there's anything wrong with that, but you may unknowingly be hiding some malicious activity, so I need to make sure all "Startup" entries are selected
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
 
2. You are also running 2 Antivirus programs... Norton and Trend Micro PC-cillin 2000... Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.  If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.  Recommend one be uninstalled but it is your choice.
____________________________________________________
 
Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
____________________________________________________
 
Step 1.
==========
- Create a folder called Antispyware on your C: Drive
- Download the following tools but do not run programs until asked
1. Download cwsserviceremove.zip from http://ralphcaddell.com/Uploads/cwsserviceremove.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it cwsservice
2. Download About:Buster from http://downloads.malwareremoval.com/AboutBuster5.zip . Extract\Unzip it into its own folder in C:\Antispyware. Call it aboutbuster5. Once extracted you will need to update it. A tutorial can be found at http://www.bleepingcomputer.com/files/aboutbuster.php
3. Download CWShredder from http://cwshredder.net/bin/CWShredder.exe . Save it to its own folder in C:\Antispyware. Call it cws
4. Download Silent Runners from http://www.silentrunners.org/Silent%20Runners.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it silentrunners
5. Download RKFiles from http://skads.org/special/rkfiles.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it rkfiles
6. Please download and install the program Registrar Lite from http://www.resplendence.com/download/reglite.exe
 
Step 2.
==========
We need to stop a service...
- Click "Start" button then select "Run"
- Type "services.msc" (without quotes) then hit OK
- Scroll down and find the service called
 
Workstation NetLogon Service
 
- Right-click on the service and choose "Properties"
- On the "General" tab under "Service Status" click the "Stop" button to stop the service
- Beside "Startup Type" in the dropdown menu select "Disabled"
- Click Apply then OK. Exit the Services utility
(Note: If the service isn't listed proceed with the rest of these instructions)
 
Step 3.
==========
Disconnect from the internet <<<= Very Important
Reboot computer into "Safe Mode" using the F8 method...
- Restart the computer
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
- Press the Enter key
 
Step 4.
==========
We need to make sure all hidden files are showing...
- Open "My Computer"
- Click on "Tools" and from the drop down menu select "Folder Options"
- Select the "View" tab
- Under the "Hidden files and folders" heading SELECT "Show hidden files and folders"
- UNCHECK the "Hide file extensions for known types" option
- UNCHECK the "Hide protected operating system files (recommended)" option
- Click "Yes" to confirm
- Click "OK"
 
Step 5.
==========
We need to stop some Windows Processes
- Start HiJackThis...
1. Click "Config..." button
2. Click "Misc Tools" button
3. Click "Open process manager" button
4. While holding down the CTRL key, locate (if present) and click on (highlight) each of the following...
C:\WINDOWS\system32\msnu.exe
5. Double-check to make sure that only those item(s) above are highlighted, then click "Kill process" button
6. Click " Refresh". Check to make sure they are not listed
7. Repeat this step if any remain.
- Close HijackThis
 
Step 6.
==========
- Browse to C:\Antispyware\cwsservice folder
- Double click on the cwsserviceremove.reg file to start it
- Grant it permission to add the registry items
 
Step 7.
==========
- Browse to C:\Antispyware\cws folder
- Double-click on CWShredder.exe file to start it
- Click the "Fix ->" button
- You will be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows. Click "OK" to continue
- Let it run completely to delete anything it finds
- After its scan, click "Next", then "Exit"
 
Step 8.
==========

Delete the following file(s) and folder(s) in BOLD only. (Don't be concerned if they do not exist, but advise what files could not be found or deleted)
C:\WINDOWS\system32\crby.dll  <<<= Delete This File
C:\WINDOWS\system32\sdopl.dll  <<<= Delete This File
C:\WINDOWS\ntzj32.exe  <<<= Delete This File
C:\WINDOWS\system32\winpy32.exe  <<<= Delete This File
C:\WINDOWS\system32\msnu.exe  <<<= Delete This File
C:\WINDOWS\ipqu.exe  <<<= Delete This File
 
Step 9.
==========
- Close all Windows and programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {59AC6BEF-5B61-2B7A-2C62-D55A9708772D} - C:\WINDOWS\system32\crby.dll
O4 - HKLM\..\Run: [ntzj32.exe] C:\WINDOWS\ntzj32.exe
O4 - HKLM\..\Run: [winpy32.exe] C:\WINDOWS\system32\winpy32.exe
O4 - HKLM\..\RunOnce: [msnu.exe] C:\WINDOWS\system32\msnu.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipqu.exe (file missing)
 
- Click the "Fix checked" button...
 
Step 10.
==========
We now need to cleanup all the Temp files and such
- Click the "Start" button, then select "Run"
- Enter cleanmgr in the "Run" menu to start XP's "Disk Cleanup" tool
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are selected then click OK
- When done close "Disk Cleanup"
 
- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <<<= Not the Prefetch folder itself
 
Step 11.
==========
- Browse to C:\Antispyware\aboutbuster5 folder
- Double-click AboutBuster.exe to start it
- Click "Begin Removal" button
- Please wait while AboutBuster scans your computer for malicious files
- When it has finished, click "OK" at the "Scan was COMPLETED SUCCESSFULLY at..." window
- Click "Exit" at next window and click "OK" again when it tells you a log has been saved.
- Post log back in your next post.
 
Step 12.
==========
- Browse to C:\Antispyware\silentrunners folder
- Double-click the SilentRunners.vbs file to start it (Note: It will start scanning your computer and could take a little time. Be patient.)
- If your antivirus complains, tell it to allow this script
- Copy and paste the contents of the Silent Runners log in your next reply
 
Step 13.
==========
- Browse to C:\Antispyware\rkfiles folder
- Double-click the RKFiles.bat file to start it (Note: It will start scanning your computer and could take a little time. Be patient.)
- Copy and paste the contents of the RKFiles log in your next reply
 
Step 14.
==========
- Reboot computer into "Normal Mode"
- Connect up to the Internet

Step 15.
==========
- Double click on the Registrar Lite icon on your desktop (Note: If not there start it from the "Start Menu.")
- After the program opens copy and paste the below line, into the address field of Registrar Lite.
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
 
- Now press "Enter". You will now be presented with new information in the bottom Left and Right sections
- On the right-hand section right-click on 11Fßä#·ºÄÖ`I and delete it. (Note: If not found continue on with the rest of the fixes)
- Close program
- Reboot computer
 
Step 17.
==========
- Click on "Start" button then select "Run".
- Enter\type "msconfig" in the "Run" window
- Click the "Startup" tab and make sure all startup entries are checked\selected
- Reboot computer
 
Step 18.
==========
- Post back a new fresh "HijackThis" log
- Post back the "About:Buster5" log
- Post back "Silent Runners" log
- Post back "RKFiles" log
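As an added example (not from the thread, and not part of HijackThis or any of the tools listed above), a small Python triage script that parses the HijackThis entry types used in the fix above (R0/R1/R3, O2, O4, O23), flags the About:Blank signatures the post calls out, and collects the binaries those entries name into the kind of file list Step 8 asks the user to check. The sample log is constructed from the entries quoted in this post; the heuristics (a res:// URL pointing into a local DLL, a garbled service short name, MSConfig /auto in the Run key) are my assumptions, not rules shipped with HijackThis.

```python
import re
# Constructed sample: HijackThis lines quoted in the post above, unchanged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sdopl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {59AC6BEF-5B61-2B7A-2C62-D55A9708772D} - C:\WINDOWS\system32\crby.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntzj32.exe] C:\WINDOWS\ntzj32.exe
O4 - HKLM\..\RunOnce: [msnu.exe] C:\WINDOWS\system32\msnu.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipqu.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""
# One pattern per HijackThis line type that appears in the thread.
R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) \((.*?)\) - (.+?) - (.+)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)  # About:Blank signature
BINARY = re.compile(r"^(.+?\.(?:exe|dll))", re.IGNORECASE)   # path without arguments

def triage(log_text):
    """Return (findings, files): (line, reason) pairs plus the deduplicated binaries
    they name, for checking on disk in Safe Mode. Heuristics: a hit means look, not delete."""
    findings, files = [], {}
    def flag(line, reason, path=None):
        findings.append((line, reason))
        if path:
            files[path] = True
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_LINE.match(line):
            if hit := RES_DLL.match(m.group(3)):
                flag(line, "IE search/start page redirected into a local DLL via res:// (About:Blank hijack)", hit.group(1))
            elif m.group(3).lower() == "about:blank":
                flag(line, "IE start page reset to about:blank")
        elif line.startswith("R3 - ") and line.endswith("is missing"):
            flag(line, "default URLSearchHook removed")
        elif m := O2_LINE.match(line):
            if m.group(1) in ("", "Class", "(no name)"):
                flag(line, "BHO with no descriptive name", m.group(3))
        elif m := O4_LINE.match(line):
            m4 = BINARY.match(m.group(4))
            exe = m4.group(1).strip('"') if m4 else m.group(4)
            if exe.lower().endswith("\\msconfig.exe") and "/auto" in m.group(4):
                flag(line, "MSConfig /auto at logon: selective startup in use, some entries may be hidden")
            elif exe.lower().startswith("c:\\windows\\"):
                flag(line, "startup entry runs a binary straight from the Windows directory; verify it", exe)
        elif m := O23_LINE.match(line):
            short, owner, cmd = m.group(2).strip(), m.group(3), m.group(4)
            bad = [r for ok, r in ((short.isascii() and short.isalnum(), "garbled service short name"),
                                   (owner != "Unknown owner", "no vendor recorded"),
                                   ("(file missing)" not in cmd, "service binary missing")) if not ok]
            if bad:
                flag(line, "; ".join(bad), BINARY.match(cmd).group(1))
    return findings, list(files)
```

Run `triage(SAMPLE_LOG)` to get the flagged lines with reasons and the five binaries to look for on disk; the Norton service line is parsed but not flagged.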

23 Posts

June 22nd, 2005 18:00

Thanks, I'll get to work on this after I get off work. I looked through the steps, everything seems straightforward enough. I do have a couple of questions

1.  I ran cwshredder before and it would cause my machine to reboot. Is this normal?

2. Before I start I should reboot with all startup items rather than the selective startup I'm using?

I'll post any other questions as they arise. Thanks again.

Jason

1.1K Posts

June 22nd, 2005 21:00

Hi Jason...

1. No, CWShredder 2.15 should not cause your PC to reboot. Remove\delete the one you have now and download a new version per my instructions. Let's see what a freshly downloaded copy does.

2. Not at this time...or I will have to amend my fixes. I don't mind doing that for you but I will need a brand new HJT log with all the "Startup" items turned on. I will then analyze your log and re-post a new round of fixes as HijackThis entries might have changed. So if you're game, forget the fixes I just posted, give me a new HijackThis log ASAP after rebooting with Startup items enabled. I will go through the log, amend my fixes, and post back later tonight but I need your new log right away as it's 05:10 PM central here right now.

If not then run the fixes with selective then at the end, per the last Step, enable all startup items, reboot, and give me a new log. It's your choice...just let me know how you want to handle it.
______________________________________

Note, I forgot to add a step...You need to disable Microsoft Antispyware and Counterspy while you're running the fixes as they could interfere with the fixes. Re-enable them when you're done the round of fixes.

Thanks,

Kent

1.1K Posts

June 22nd, 2005 21:00

KO...

I should be back on around 9:30 \ 10:00 PM tonight for a couple hours. Just going home from work. If you can get me a new log tonight I'll see if I can post the next round (if there is) of fixes. It may take 2 or 3 kicks at the can to get you all clean but we'll get it done.

Cya later,

Kent

23 Posts

June 22nd, 2005 21:00

Kent,

I'll go ahead with the fixes as you have them. I don't want to make this any more difficult than necessary. I'm also central time, so I'll work on this tonight and post the logs. I'm just now getting a chance to start and I'll probably have some kid duty tonight that will slow my progress.

Jason

1.1K Posts

June 23rd, 2005 11:00

Hi Jason...

1. No problem, continuing with steps was correct

2. Correct

3. No problem

4. All I want you to do is cleanout the Temp folders, Temporary Internet Folders, Recycle Bin...etc. If Clean Sweep does that then Yes that is OK

5. You need to allow the SR (Silent Runners) script to work. If you notice in Step 12, Line 3 I say "If your antivirus complains, tell it to allow this script". So please run SR again (in safe mode) and allow it to run. We need to run SR as it checks for Hidden nasties. There is no uninstall for SR...it's just a script that runs a scan, so no uninstall. When you are all clean you can just delete the Silent Runners folder I got you to create.

Go back into "Safe Mode" run SR and continue on with the rest of the steps.

Keep up the good work... :)

Message Edited by dobhar on 06-23-2005 07:49 AM

23 Posts

June 23rd, 2005 11:00

I wasn't trying to remove silent runners, I was trying to remove Symantec. I was patient, I let the thing go for about 30 min. then looked at the task manager. Seeing no activity I assumed that Symantec had completely stopped the script because the pop up message didn't give an option to let the script run you could only acknowledge it by clicking OK. I'll run home and start SR and let it run this morning.

23 Posts

June 23rd, 2005 11:00

Morning,

Ran into several issues with the fix last night.

1. Step 5 The file C:\WINDOWS\system32\msnu.exe wasn't present. I went on to step 6.

2. Step 8. C:\WINDOWS\system32\sdopl.dll wasn't present. C:\WINDOWS\ntzj32.exe wasn't present. Two files, ntzj32.exe.tcf and ntjz32.exe.dll.tcf, were there and I deleted them. C:\WINDOWS\system32\winpy32.exe wasn't present. C:\WINDOWS\system32\msnu.exe and C:\WINDOWS\ipqu.exe weren't present. I deleted what was there and went on to the next step.

3. Step 9. None of the R1 items were there.

4. Disk cleanup hung at the beginning where it calculates disk space. I emptied the folders with Norton clean sweep. I don't know if that will work as well.

5. Step 12. When silent runners started the following message popped up - Symantec Script Blocking has prevented a script action that could be harmful to you. I went into Norton Antivirus and turned off script blocking but the message kept coming up. I also rebooted into safe mode and still the same thing. I was going to uninstall the software but I can't find an uninstall for it. Any ideas? It appears that silent runners is stopped. If you open the task manager after the message pops up the file shows as being open but there is no activity in the processes. It never shows anything but system idle.

I was able to run rkfiles. This is where I stopped. I ran a program removal tool in clean sweep and it shows the antivirus stuff as being removable. I didn't do this yet. Wanted to get your thoughts. I booted into normal mode to see if I could get the script blocking fixed. I figure I will go through the steps again in safe mode.

1.1K Posts

June 23rd, 2005 12:00

AAAHHHH!

Sorry, Jason...my bad. I misunderstood you. The written word can be a pain sometimes.

I think that you can just disable script blocking in NAV so disable that first then run SR...Note that MS Antispyware may pop up also.

Thanks,

Kent

23 Posts

June 23rd, 2005 12:00

I started SR and got the same message. If I went into HJT and removed the following would that shut off the antivirus? I just left the machine after clicking the messages from script blocking to see if it will run. I'll check it in about 1 hour. But, there didn't appear to be any activity on the task manager under open processes so I don't know if it will work. Just to let you know, I rebooted into safe mode and went through all the steps.
 
Jason
 
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 
 

23 Posts

June 23rd, 2005 12:00

Or would it be better to turn the service off using services.msc?

1.1K Posts

June 23rd, 2005 14:00

I would just disable using the "services.msc" then when you are clean you can uninstall NAV.

Kent

23 Posts

June 23rd, 2005 14:00

I tried disabling in the services manager, both script blocking and symantec, still got the message. I started the script answered the messages then let it go for 1 hour got no result? I looked at the Symantec site and saw instructions for manually removing the antivirus, should I do that? Sorry to keep pestering you about this, just can't seem to get past this step. I looked at the SR didn't see any answers there.

Jason

1.1K Posts

June 23rd, 2005 16:00

Let's forget Silent Runners for now and continue on with rest...

Thanks,

Kent