PPRuNe Forums - View Single Post - Constant C drive activity
Old 27th August 2004 | 18:47
E-Liam
Hi Tone,

The first thing you need to do is to place Hijack This in its own folder (e.g. C:\HJT\….) so it can generate backup files to the same folder; needed should an entry be accidentally deleted.

You’ve been hijacked by CoolWebSearch. Please go here and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Then please run a new HJT scan, and check to fix the following entries, being sure to double-check that you haven't missed any. (After running Shredder, you will probably find that some entries have already been fixed.) Next, close all browser windows and click the Fix checked button…

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINDOWS\SYSKEY.DLL

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINDOWS\SYSTEM\BACKUP.DLL

O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\SYSTEM\JFI.DLL

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\win.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)


Next, please double click on the My Computer icon on the desktop. Go to View | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...

C:\WINDOWS\SYSTEM\MSHELPER.DLL

C:\WINDOWS\SYSKEY.DLL

C:\WINDOWS\SYSTEM\BACKUP.DLL

C:\WINDOWS\SYSTEM\JFI.DLL

C:\WINDOWS\win.exe

Then please boot back into normal mode and download AdAware 6 181 from here.

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files


Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.


and uncheck..

Automatically try to unregister objects prior to deletion.


Then click Proceed, to save your settings.

Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.


Next, reboot again and download Spybot - Search & Destroy 1.3 from here, if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here, and run the online virus scan; choosing the Autoclean option just before clicking the Scan button.

Then go here and click in the little box that has browse beside it, and paste this line into it..

C:\WINDOWS\ICONRA.EXE

..then press submit.
That sends a copy of the file to their virus checker to see if it's infected. Please paste the results here.

Then please post a new log for a final once over.

Cheers

Liam
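The post above works through a HijackThis log by hand: R1 entries whose data points at the hijacker's search domains, BHOs and toolbars (O2/O3) registered "(no name)" or backed by files the helper tells the user to delete, a Run key (O4) launching a loose executable from C:\WINDOWS, and components (O9/O21) whose file is already missing. The following script is an added example, written for this page rather than taken from the thread or from HijackThis itself, that parses lines in that log format and applies those same triage rules automatically. The domain and file lists come from the post; the parser, the `Entry` record, the rule names and the one benign `ExampleAV` line in the sample are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Hijack domains and removal list quoted in the post above.
HIJACK_DOMAINS = {"awebfind.biz", "easy-search.biz"}
BAD_FILES = {
    r"C:\WINDOWS\SYSTEM\MSHELPER.DLL",
    r"C:\WINDOWS\SYSKEY.DLL",
    r"C:\WINDOWS\SYSTEM\BACKUP.DLL",
    r"C:\WINDOWS\SYSTEM\JFI.DLL",
    r"C:\WINDOWS\WIN.EXE",
}

# Constructed sample log: the entries from the post plus one benign,
# made-up Run entry (ExampleAV) so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINDOWS\SYSTEM\BACKUP.DLL
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\SYSTEM\JFI.DLL
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\win.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\guard.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    """One parsed HijackThis log line (hypothetical structure for this example)."""
    section: str                     # R1, O2, O3, O4, O9, O21, ...
    raw: str
    url: Optional[str] = None        # R entries: the URL the IE setting points at
    path: Optional[str] = None       # O entries: file backing the component / command
    clsid: Optional[str] = None      # COM class id, where the line carries one
    unnamed: bool = False            # registered as "(no name)"
    reasons: list = field(default_factory=list)


def parse_line(line: str) -> Entry:
    line = line.strip()
    section, _, rest = line.partition(" - ")
    e = Entry(section=section, raw=line)
    if section.startswith("R"):
        # R1 - <hive\key>,<value name> = <data>; data is the search/start URL
        _, _, data = rest.partition(" = ")
        e.url = data.strip() or None
    elif section == "O4":
        # O4 - HKLM\..\Run: [value name] <command line>
        m = re.search(r"\]\s*(.+)$", rest)
        e.path = m.group(1).strip() if m else None
    else:
        # O2/O3/O9/O21 - <kind>: <name> - {CLSID} - <file or "(no file)">
        m = CLSID_RE.search(rest)
        if m:
            e.clsid = m.group(0)
            e.path = rest[m.end():].lstrip(" -").strip() or None
        e.unnamed = "(no name)" in rest
    return e


def assess(e: Entry) -> Entry:
    """Apply the post's triage rules; flagged entries get one reason per rule hit."""
    if e.url:
        host = (urlsplit(e.url).hostname or "").lower()
        if host in HIJACK_DOMAINS:
            e.reasons.append(f"IE search/start setting points at hijack domain {host}")
    if e.path == "(no file)":
        e.reasons.append("registered component's file is missing")
    elif e.path and e.path.upper() in BAD_FILES:
        e.reasons.append("file is on the removal list")
    if e.unnamed and e.section == "O2":
        e.reasons.append("BHO registered without a name")
    return e


def triage(log_text: str) -> list:
    """Return only the entries that hit at least one rule, in log order."""
    entries = [assess(parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.raw)
        for r in e.reasons:
            print("   ->", r)
```

Run it and the eight hijack-related lines are listed with the rule each one tripped, while the constructed ExampleAV Run entry is left alone; for a real log, the R-entry rule is the one that generalises (any search or start page outside the domains you expect), whereas the file list is specific to this infection and would be replaced by a current list or a hash lookup.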