RetouchPRO



Hardware Computers, displays, tablets, scanners, cameras, printers, etc.
#61
11-18-2005, 03:30 PM
chrishoggy
Senior Member
Join Date: Dec 2004
Location: Yorkshire
Posts: 576
Blog Entries: 1
No need to win Neb over. We've PM'd quite a few times, as well as chatted on another forum.

Quote:
Twit

Personal insults will not get a rise from me, I'm afraid. Water off a duck's back 'n' all that.
#62
11-20-2005, 08:17 AM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Thanks Everyone.

Update.

I went to my friend's. In the meantime he had paid Norton for an update and run it.
He had also installed Microsoft AntiSpy.

I started his PC in safe mode (System Restore Disabled) and ran Trend SysClean, Stinger and Adaware.
I cleared the things Adaware suggested but found No virus.

I restarted his PC in normal mode and ran WinsockFix and Hijack This. I repaired all the items marked in red at Hijack.De and uninstalled a toolbar he had installed.

A few of the nasties returned after restarting his PC, so I'm not sure whether he is virus-free or not (I think he is probably not).

I have attached his HijackThis log.

Gary, I wondered if you could find time to take a quick look. The nasties regarding ydurw.dll were the ones that I deleted but returned after restarting the PC.
There are no comments on ydurw.dll at HijackThis, and a Google search finds nothing.


Ken
Attached file: hijackthis.zip (2.6 KB, 6 views)
#63
11-20-2005, 10:28 AM
chrishoggy
Senior Member
Join Date: Dec 2004
Location: Yorkshire
Posts: 576
Blog Entries: 1
Hi Ken,
That zip folder is showing as empty.
Can you double-check it at your end?
#64
11-20-2005, 10:40 AM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Chris.

I just downloaded it and it works OK for me.

RetouchPro will not allow LOG files to be attached, so I attached it again as a .TXT file.

It is not zipped. Just rename it to a .LOG file.

Thanks.


Ken

Last edited by Cameraken; 12-01-2005 at 03:42 PM.
#65
11-21-2005, 02:26 AM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Ken,

Got your HJT log. Will take a bit of time to check it out, get back to you later.

Not a good idea to use HijackThis.de; they just run it through an automatic process, which often gives a lot of false positives. I've seen quite a few cases where they've recommended removing essential Windows processes.

From just a quick glance though, there's still a lot of junk on there.

Gary

Get back to you on this.
#66
11-21-2005, 03:09 AM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Ken, the HJT log shows a classic case of one of the Coolwebsearch variants, known as About Blank 02/04

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

Download CWShredder from here , install it, check for updates but again, don't use it yet.

Download and install Ewido Security Suite Trial from here . Run and update the program but do not scan with it yet.

Make sure that you can see hidden files.
1. Click Start.
2. Click My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Click Yes to confirm.
7. Uncheck the Hide file extensions for known file types.
8. Click OK.

We need to stop a service...
- Click Start button then select Run
- Type services.msc then hit OK
- Scroll down and find the service called:

Remote Procedure Call (RPC) Helper Note the "Helper", as there is a legitimate Remote Procedure Call (RPC).

- Right-click on Service and choose Properties.
- On the General tab under Service Status click the Stop button to stop the service.
- Beside Startup Type, in the dropdown menu select Disabled.
- Click Apply then OK. Exit the Services utility
(Note: If the service isn't listed go ahead with the rest of the instructions)

Quote:
Please print out these instructions, or save to a text file that you can view, as you are going to be offline for part of the cure, and will not have access to them.
Please disconnect from the Internet and unplug your modem for the duration of this fix

Shutdown your computer, and Boot Up into Safe Mode, by hitting the F8 key repeatedly as you power up.

This will bring up a menu; select Safe Mode and press Enter. Log on as a user with administrator privileges. Continue for the rest of the fix in SAFE MODE.

Double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Halt these processes (if found) by pressing Ctrl+Alt+Del; this will bring up Windows Task Manager. Click on the Processes tab, scroll down to find the process, then click on the End Process button. Repeat till all processes are halted.
winms.exe
ntkw32.exe


Perform a scan using HJT, and check the following items (if found).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\WINDOWS\addbo.dll
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\apiir32.dll (file missing)
O4 - HKLM\..\Run: [winms.exe] C:\WINDOWS\system32\winms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntkw32.exe


Close all windows except for the HJT window, and click the Fix Checked button.

Exit out of HijackThis.

Find and delete the following, if found.

These Files


C:\WINDOWS\system32\winms.exe
C:\WINDOWS\ntkw32.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\ydurw.dll


Next we need to delete your Temporary Files.

Use Start > Run and type in %temp% . Delete the entire contents of that temp folder (use Edit > Select All, press Delete, click Yes).

Then, empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use Control Panel > Internet Options > General tab and click the Delete Files button. When prompted, place a check in: Delete all offline content, then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to these folders, use Edit > Select All, press Delete, click Yes): Note: Do not Delete the Folder itself

* C:\Documents and Settings\Your Profile\Local Settings\Temp\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temp\

* Empty your "Recycle Bin".


Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty.

Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a Scan Completed window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.

Close all open Windows before starting scan. Do not use your Computer at all while Ewido is performing its scan.

Now reboot, and run HijackThis again and post a fresh log along with the AboutBuster log and the Ewido log.

Important: It is important that you disable Microsoft AntiSpyware before starting the fix, as it will attempt to stop the removals you are making.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Last edited by Gary Richardson; 11-22-2005 at 01:33 AM. Reason: Forgot to add advice to disable MSAS
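A small triage script for the kind of HJT log entries Gary lists above, as an added example (not from the original post, and not part of HijackThis or any other tool named in the thread): it parses HJT lines by section tag and flags the indicators the post calls out (IE search/start pages served from a local DLL via res://, about:blank, a missing URLSearchHook, a BHO whose DLL is gone, a service with an unknown owner, and the file names in the delete list). The sample log is constructed from the entries quoted in the thread, with the garbled service short name left out, plus one benign ctfmon line to show the checks do not fire on ordinary entries.

```python
"""Triage a HijackThis (HJT) log for the About:Blank / CoolWebSearch indicators
listed in the thread.  Added example; not from the original post or HijackThis."""
import re
from dataclasses import dataclass
from typing import Optional

# File names quoted in the thread's HJT excerpt and its delete list.
KNOWN_BAD_FILES = ("ydurw.dll", "addbo.dll", "apiir32.dll", "winms.exe",
                   "ntkw32.exe", "related.htm")

@dataclass
class Finding:
    section: str  # HJT section tag, e.g. R1, O2, O23
    reason: str   # why the entry is suspicious
    line: str     # the original log line

LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")  # "<section> - <detail>"

def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    low = detail.lower()
    if section in ("R0", "R1") and re.search(r"res://\S+\.dll/", low):
        return Finding(section, "IE search/start page served from a local DLL via res://", line)
    if section in ("R0", "R1") and low.endswith("= about:blank"):
        return Finding(section, "IE page set to about:blank (hijack marker)", line)
    if section == "R3" and "missing" in low:
        return Finding(section, "default URLSearchHook has been removed", line)
    if section == "O2" and "(file missing)" in low:
        return Finding(section, "BHO registered but its DLL is gone", line)
    if section == "O23" and "unknown owner" in low:
        return Finding(section, "service with no known owner", line)
    for name in KNOWN_BAD_FILES:  # any section: path names a file from the thread
        if name in low:
            return Finding(section, f"references known hijacker file {name}", line)
    return None

def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and keep the hits, in order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]

# Constructed sample: entries quoted in the thread plus a benign ctfmon line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\WINDOWS\addbo.dll
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\apiir32.dll (file missing)
O4 - HKLM\..\Run: [winms.exe] C:\WINDOWS\system32\winms.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\ntkw32.exe
"""
```

Running `triage_log(SAMPLE_LOG)` returns seven findings, one per hostile entry, and nothing for the ctfmon line.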
#67
11-22-2005, 03:56 PM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Gary.

Thanks very much for taking the time to help.

I have downloaded the programs and printed out the instructions ready to take to my friend's PC.

I am just doing a dummy run on my PC to make sure I am clear on the method.

Remote Procedure Call (RPC) Helper

I don't have this on my PC.
I have:
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator

So I would skip this step on my PC – Right?

I knew there was something still wrong with his PC even though Trend Sysclean and Stinger both came back clear – It’s most concerning when a virus checker does not find this.

I have always relied on the info from HJT for my PC, but it sounds like this can be wrong as well.

Thanks again for your very clear instructions

I will post the logs next week

Ken
#68
11-22-2005, 04:32 PM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Ken,

You'll only have Remote Procedure Call (RPC) Helper on your computer if it's infected.

The other two are legitimate services, and should be there.

Automatic tools are excellent at getting rid of well-defined infections; it's just a matter of getting the right tool for the right infection. Some work better on some infections than others, and vice versa.

Trouble is these beasties have a nasty habit of evolving, so it's always a case of playing catch up.

Good luck with your friend's computer, and keep me posted as to what happens.

Gary
#69
11-22-2005, 05:20 PM
Legacy~Art
Senior Member
Join Date: Jan 2005
Location: Lancashire
Posts: 927
Did you actually help Neb, or scare her away with all this male testosterone?
#70
11-22-2005, 05:33 PM
Legacy~Art
Senior Member
Join Date: Jan 2005
Location: Lancashire
Posts: 927
Just like to add I was listening to some of the tips you added before Ron got a little high on his knowledge, and I am now scanning my PC!

So thank you!!!
#71
11-22-2005, 08:20 PM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Elle.

Sorry. It's probably my fault. I had a question that I thought was related, so I posted it in Neb's thread.

Maybe I should have started a new thread.

Sorry Neb.


Gary,
I have just been banned from malwareremoval.com 'cos I didn't put the code in capitals. What do I do now?

Ken
#72
11-23-2005, 02:28 AM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Don't really know, Ken. It's a while since I joined, so I don't really remember what I did to subscribe; I guess from your post that you had to enter a security code.

Send me a PM with details of what you tried to enter, and I'll PM one of the administrators at MRU, and ask how to get round this problem.

Alternatively, try subscribing with a different name and a hotmail address.

I know that many use disposable e-mail addresses, and it doesn't seem to prevent them from joining.

Hi Elle,

Firstly, my apologies to Neb for hijacking her thread. But Ken's friend has a real and present threat to his computer, and it's important that he deal with it as soon as possible, as this particular infection has a habit of inviting more friends to the party once it's got a foothold.

More than happy to move to a new post, if this is causing problems to anyone.

And Elle, it's important that you keep your defences updated, and that you scan regularly. I find once a week is quite adequate, and can usually be fitted in quite easily while you have a cuppa. It's a whole lot easier to keep it off, than it is to remove it once it gets a foothold.

Keep safe,

Gary

Last edited by Gary Richardson; 11-23-2005 at 02:45 AM.
#73
11-29-2005, 05:00 AM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Update.

Gary, I have now been back to my friend's PC. I ran the fixes as you suggested. When I had finished, Norton popped up asking:

Sysin.exe is attempting to connect to a DNS server
Msjz32.exe is attempting to connect to a DNS server

I blocked them both.

I still don't think he is clean, as the About Blank page is still a search page.

I have attached all three logs.


Ken

Last edited by Cameraken; 12-01-2005 at 03:44 PM. Reason: Logs Deleted
#74
11-29-2005, 10:14 AM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Ken,

At first glance, a great deal of the major infection seems to have been removed.

Will take me a while to go through your logs, will get back to you on this, but things look better.

Gary

PS. Just need to ask you: did you disconnect from the Internet for the duration of the fix? It's essential that you totally disconnect from the Internet (remove the telephone lead), and close Internet Explorer and Outlook Express, or the fix will fail.

Will get back to you with an update on what to do next.

Last edited by Gary Richardson; 11-29-2005 at 10:56 AM.
#75
11-29-2005, 02:12 PM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Gary.

His Internet comes via a LAN card. I disconnected the cable.

I think I did everything correctly, except I forgot to update Ewido.

Thanks for your help.

Ken
#76
11-30-2005, 02:11 AM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Ken,

OK, looks like we've pretty much got a total re-infection here. The probable reason is the time delay between posting the HJT log and instigating the fix.

As I said earlier, this baby likes to update and morph itself, so the version I gave the fix for wasn't totally the version that was on the computer when the fix was applied.

There was obviously a "guard" file on there that we didn't remove, and that's what's re-installing the infection.

As long as your friend's computer is connected to the Internet, we're going to have this problem. He must disconnect from it, and keep disconnected until we get this removed.

The HJT log I've now got is not really of any use, as his machine has been connected since our removal attempts, and will almost certainly have morphed again.

I need him to disconnect his connection, then provide a new HJT log. If he's not connected it will not be able to update, and we should be able to get rid of it.

It would be helpful if you could post the next log at http://spywarewarrior.com/index.php

I am a helper there, online name Gary R, so if you post the log in the HJT forum, then PM me to let me know (include a link to the log), I'll be able to see to it.

There are a few reasons for this. One, the forum is set up to deal with large posts, and you can post the logs without having to post them as attachments; and two, the most important, I can refer it to some of the more experienced helpers, in case it continues to be difficult, or in case it's a new variety. Lastly, RetouchPro is a retouching forum, and I feel kind of guilty using up Doug's bandwidth on a non-retouching topic.

Good luck, and look forward to seeing your post at SWW.

Gary


PS. Sorry I'm a bit late coming back, got called out to see to my mother-in-law's plumbing last night. She got a burst pipe with the cold weather, and I had to replace it, and fit the lagging that they should have had in the first place.
#77
12-01-2005, 01:19 PM
Cameraken
Senior Member
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,122
Gary.

I have told my friend that I cannot help him unless I bring his PC home. That way I'll be able to keep his PC disconnected and still use mine to post the log files.
If he agrees, I will PM you and post them at SpyWarrior.

I will delete the logs I have posted as they are of no use.

Thanks Again for all your help.

Ken
#78
12-01-2005, 03:34 PM
Gary Richardson
Moderator
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Ken,

You're welcome. Look forward to your post at SWW.

Gary