RetouchPRO



Hardware: Computers, displays, tablets, scanners, cameras, printers, etc.

Virus, Posting for Help and Direction

#61 - chrishoggy - 11-18-2005, 03:30 PM
No need to win Neb over. We've PM'd quite a few times, as well as chatted on another forum.

Quote:
Twit

Personal insults will not get a rise from me, I'm afraid. Water off a duck's back 'n' all that.
#62 - Cameraken - 11-20-2005, 08:17 AM
Thanks Everyone.

Update.

I went to my friend's. In the meantime he had paid Norton for an update and run it.
He had also installed Microsoft AntiSpy.

I started his PC in safe mode (System Restore Disabled) and ran Trend SysClean, Stinger and Adaware.
I cleared the things Adaware suggested but found No virus.

I restarted his PC in normal mode and ran WinsockFix and Hijack This. I repaired all the items marked in red at Hijack.De and uninstalled a toolbar he had installed.

A few of the nasties returned after restarting his PC, so I'm not sure whether he is virus free or not. (I think he is probably not.)

I have attached his HijackThis log.

Gary, I wondered if you could find time to take a quick look. The nasties regarding ydurw.dll were the ones that I deleted but returned after restarting the PC.
There are no comments on ydurw.dll at HijackThis and a Google search finds nothing.


Ken
Attached Files
File Type: zip hijackthis.zip (2.6 KB, 6 views)
#63 - chrishoggy - 11-20-2005, 10:28 AM
Hi Ken,
That zip folder is showing as empty.
Can you double check it at your end?

#64 - Cameraken - 11-20-2005, 10:40 AM
Chris.

I just downloaded it and it works OK for me.

RetouchPro will not allow LOG files to be attached, so I attached it again as a .TXT file.

It is not zipped. Just rename it to a .LOG file.

Thanks.


Ken

Last edited by Cameraken; 12-01-2005 at 03:42 PM.
#65 - Gary Richardson - 11-21-2005, 02:26 AM
Hi Ken,

Got your HJT log. Will take a bit of time to check it out, get back to you later.

Not a good idea to use HijackThis.de; they just run it through an automatic process, which often gives a lot of false positives. I've seen quite a few cases where they've recommended removing essential Windows processes.

From just a quick glance though, there's still a lot of junk on there.

Gary

Get back to you on this.
#66 - Gary Richardson - 11-21-2005, 03:09 AM
Hi Ken, the HJT log shows a classic case of one of the CoolWebSearch variants, known as About:Blank 02/04.

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.

Make sure that you can see hidden files.
1. Click Start.
2. Click My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Click Yes to confirm.
7. Uncheck the Hide file extensions for known file types.
8. Click OK.

We need to stop a service...
- Click Start button then select Run
- Type services.msc then hit OK
- Scroll down and find the service called:

Remote Procedure Call (RPC) Helper

Note the "Helper", as there is a legitimate Remote Procedure Call (RPC).

- Right-click on the service and choose Properties.
- On the General tab under Service Status click the Stop button to stop the service.
- Beside Startup Type in the dropdown menu select Disabled.
- Click Apply then OK. Exit the Services utility.
(Note: If the service isn't listed, go ahead with the rest of the instructions.)

Quote:
Please print out these instructions, or save to a text file that you can view, as you are going to be offline for part of the cure, and will not have access to them.
Please disconnect from the Internet and unplug your modem for the duration of this fix

Shutdown your computer, and Boot Up into Safe Mode, by hitting the F8 key repeatedly as you power up.

This will bring up a menu; select Safe Mode and press Enter. Log on as a user with administrator privileges. Continue for the rest of the fix in SAFE MODE.

Double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Halt these processes (if found) by pressing Ctrl+Alt+Del, which will bring up Windows Task Manager. Click on the Processes tab, scroll down to find the process, then click on the End Process button. Repeat till all processes are halted.
winms.exe
ntkw32.exe


Perform a scan using HJT, and check the following items (if found).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\WINDOWS\addbo.dll
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\apiir32.dll (file missing)
O4 - HKLM\..\Run: [winms.exe] C:\WINDOWS\system32\winms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\ntkw32.exe


Close all windows except for the HJT window, and click the Fix Checked button.

Exit out of HijackThis.

Find and delete the following files, if found:

C:\WINDOWS\system32\winms.exe
C:\WINDOWS\ntkw32.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\ydurw.dll


Next we need to delete your Temporary Files.

Use Start > Run and type in %temp% . Delete the entire contents of that temp folder (use Edit > Select All, press Delete, click Yes).

Then, empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use Control Panel > Internet Options > General tab and click the Delete Files button. When prompted place a check in: Delete all offline content, then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to these folders, use Edit > Select All, press Delete, click Yes). Note: Do not delete the folder itself.

* C:\Documents and Settings\Your Profile\Local Settings\Temp\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temp\

* Empty your "Recycle Bin".


Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty.

Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a Scan Completed window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.

Close all open Windows before starting scan. Do not use your Computer at all while Ewido is performing its scan.

Now reboot, and run HijackThis again and post a fresh log along with the AboutBuster log and the Ewido log.

Important: It is important that you disable Microsoft AntiSpyware before starting the fix, as it will attempt to stop the removals you are making.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Last edited by Gary Richardson; 11-22-2005 at 01:33 AM. Reason: Forgot to add advice to disable MSAS
#67 - Cameraken - 11-22-2005, 03:56 PM
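As an added illustration of the triage Gary does by hand above (this is example code written for this page, not part of the thread and not the logic of HijackThis, CWShredder or AboutBuster), the script below parses the HJT lines quoted in post #66, applies simple rules for the indicators he points to (IE search and start-page settings served from a res:// DLL resource, a forced about:blank start page, BHOs whose file is missing or sits directly in C:\WINDOWS, an O23 service with an unknown owner) and lists every file path those entries reference. The rules, the "high"/"review" severities and the function names are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log for the CoolWebSearch 'About:Blank' pattern.

The rules are heuristics written for this example; they mirror the indicators
discussed in the thread above and are not HijackThis' own analysis.
"""
import re
from dataclasses import dataclass

# Sample input: the HJT lines quoted in post #66 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\WINDOWS\addbo.dll
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\apiir32.dll (file missing)
O4 - HKLM\..\Run: [winms.exe] C:\WINDOWS\system32\winms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\ntkw32.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")          # "R1 - ...", "O23 - ..."
RES_DLL = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/\s]+\.dll)", re.IGNORECASE)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"()/]+")                    # C:\...\file.ext


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "R1" or "O23"
    severity: str  # "high" (matches a described indicator) or "review" (needs a look)
    reason: str
    line: str


def parse_entry(line):
    """Split one HJT line into (section, body); None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def triage(log_text):
    """Apply the heuristic rules to every entry and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if not parsed:
            continue
        sec, body = parsed
        line = raw.strip()
        if sec in ("R0", "R1"):
            m = RES_DLL.search(body)
            if m:  # search/start page served out of a DLL's resources: the About:Blank hallmark
                findings.append(Finding(sec, "high", f"IE setting served from DLL resource {m.group('dll')}", line))
            elif body.lower().endswith("= about:blank"):
                findings.append(Finding(sec, "high", "default page forced to about:blank", line))
        elif sec == "R3" and "missing" in body.lower():
            findings.append(Finding(sec, "review", "default URLSearchHook removed", line))
        elif sec == "O2":
            if "(file missing)" in body:
                findings.append(Finding(sec, "high", "BHO registered for a DLL that no longer exists", line))
            elif re.search(r"\\WINDOWS\\[^\\]+\.dll$", body, re.IGNORECASE):
                findings.append(Finding(sec, "high", "BHO loaded from a DLL dropped directly in C:\\WINDOWS", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "high", "service with no identifiable owner", line))
        elif sec in ("O4", "O9"):  # autoruns and IE extensions always deserve a manual look
            findings.append(Finding(sec, "review", "autorun / IE extension entry; verify the referenced file", line))
    return findings


def referenced_files(findings, severity=None):
    """Distinct file paths named by the findings (optionally only one severity)."""
    paths = set()
    for f in findings:
        if severity and f.severity != severity:
            continue
        paths.update(WIN_PATH.findall(f.line))
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("Files to examine:", *referenced_files(found), sep="\n  ")
```

Run on the sample log it flags eleven entries as "high" and four for review, and the file list it produces contains the four paths Gary tells Ken to delete (winms.exe, ntkw32.exe, related.htm, ydurw.dll) plus the two BHO DLLs, which is the kind of cross-check that makes a hand-written cleanup list less error-prone. The output is a list of candidates to examine, not an instruction to delete: the O9 "Related" entries are flagged only for review, because a rule this coarse cannot tell a legitimate IE extension from a planted one on its own.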
Gary.

Thanks very much for taking the time to help.

I have downloaded the programs and printed out the instructions ready to take to my friend's PC.

I am just doing a dummy run on my PC to make sure I am clear on the method.

Remote Procedure Call (RPC) Helper

I don't have this on my PC.
I have:
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator

So I would skip this step on my PC, right?

I knew there was something still wrong with his PC even though Trend Sysclean and Stinger both came back clear. It's most concerning when a virus checker does not find this.

I have always relied on the info from HJT for my PC, but it sounds like this can be wrong as well.

Thanks again for your very clear instructions.

I will post the logs next week.

Ken
#68 - Gary Richardson - 11-22-2005, 04:32 PM
Hi Ken,

You'll only have Remote Procedure Call (RPC) Helper on your computer if it's infected.

The other two are legitimate services, and should be there.

Automatic tools are excellent at getting rid of well-defined infections; it's just a matter of getting the right tool for the right infection. Some work better on some infections than others, and vice versa.

Trouble is these beasties have a nasty habit of evolving, so it's always a case of playing catch up.

Good luck with your friend's computer, and keep me posted as to what happens.

Gary
#69 - Legacy~Art - 11-22-2005, 05:20 PM
Did you actually help Neb, or scare her away with all this male testosterone?
#70 - Legacy~Art - 11-22-2005, 05:33 PM
Just like to add I'm listening to some of the tips you added before Ron got a little high on his knowledge, and I am now scanning my PC!

So thank you!!!