ripped from
http://www.bleepingcomputer.com/forums/index.php?s=0ee671a760956dc86016078ccd728010&showtopic=6827&st=0&#entry44796:
You may want to print out these directions as the Internet
will not be available. Please continue with the next step
if you run into a problem with the current one. Just be
sure to let us know what the problem was when you reply.
This is very important! Internet Explorer should remain
closed during the cleanup. If you open Internet Explorer
the fix will fail. (Steps 1 - 8)
Please make sure that you can view all hidden files:
A. On the Tools menu in Windows Explorer, click Folder
Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files
and folders.
D. Uncheck Hide extensions for known filetypes and Hide
protected operating system files.
How to see hidden files in Windows
Please download About:Buster from here: About:Buster
Download. Once it is downloaded, extract it to
c:\aboutbuster. We will use that program later in this
process. Don't use it yet.
Download Ad-aware SE: here
Install it. When you get the last screen, with
the "Finish" button and 3 options, uncheck those three
items.
Open AdAware and click the "Check for updates now" link.
Close AdAware. Don't use it yet.
Download the cws-hsa.reg file to your desktop. We will use
it later.
Step 1:
Go to Start -> Run and type Services.msc, then press the
OK button. Look for a service called Network Security
Service (NSS). Double click on that service and press the
Stop button, and then set the Startup type to Disabled.
Press OK, and close all the windows.
Step 2:
Press control-alt-delete to get into the task manager and
end the following processes if they exist:
ntbj.exe
This is very important! Internet Explorer should remain
closed during the cleanup. If you open Internet Explorer
the fix will fail. (Steps 1 - 8)
Step 3:
Run HijackThis!, press "Scan" and tick the boxes next to
all these, close all other windows and browsers, then
press "Fix Checked" button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wltbf.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wltbf.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wltbf.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wltbf.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wltbf.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wltbf.dll/sp.html#10001
O2 - BHO: (no name) - {5CE5B985-51B1-3958-E5DB-92DD9091CFBB} - C:\WINDOWS\javavq.dll
O4 - HKLM\..\Run: [ntbj.exe] C:\WINDOWS\system32\ntbj.exe
O15 - Trusted Zone: http://jupiter.apc.com
O15 - Trusted Zone: http://order1.apc.com
O15 - Trusted Zone: http://trojan.apc.com
O15 - Trusted Zone: http://jupiter.apcc.com
O15 - Trusted Zone: http://order1.apcc.com
O15 - Trusted Zone: http://trojan.apcc.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: http://jupiter.apc.com (HKLM)
O15 - Trusted Zone: http://order1.apc.com (HKLM)
O15 - Trusted Zone: http://trojan.apc.com (HKLM)
O15 - Trusted Zone: http://jupiter.apcc.com (HKLM)
O15 - Trusted Zone: http://order1.apcc.com (HKLM)
O15 - Trusted Zone: http://order2.apcc.com (HKLM)
O15 - Trusted Zone: http://trojan.apcc.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
These are restrictions. Leave them unchecked if these were
set by you using software like Spybot Search & Destroy,
SpywareBlaster or another similar protection program, or
if these were set by your system administrator.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Step 4:
Reboot your computer into Safe Mode.
I now need you to delete the following files:
C:\WINDOWS\wltbf.dll <-- this file
C:\WINDOWS\javavq.dll <-- this file
C:\WINDOWS\system32\ntbj.exe <-- this file
If you get an error when deleting a file, right click on
the file and check to see if the read only attribute is
checked. If it is, uncheck it and try again.
Step 5:
Double-click on the cws-hsa.reg file you saved earlier on
your desktop, and when it prompts to merge say Yes, and
this will clear some registry entries left behind by the
process.
Step 6:
This is the step where we will use About:Buster that you
had downloaded previously.
Navigate to the c:\aboutbuster directory and double-click
on aboutbuster.exe. When the tool is open press the OK
button, then the Start button, then the OK button, and
then finally the Yes button. It will start scanning your
computer for files. If it asks if you would like to do a
second pass, allow it to do so.
When it has completed, move on to step 7.
Step 7:
Run AdAware, press the Start button, uncheck Scan for
negligible risk entries, select Perform full system scan
and press Next. Let AdAware remove anything it finds.
Step 8:
Clean out temporary and Temporary Internet Files. Go to
Start -> Run and type in the box: cleanmgr. Let it scan
your system for files to remove. Make sure these 3 are
checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
Step 9:
Reboot your computer back to normal mode so that we can
restore files that were deleted by this infection:
This infection deletes the windows file, shell.dll.
If you are using XP, 2000, or NT please download shell.dll
from here: shell-dll.zip. Once the file is downloaded,
uncompress the zip file and copy shell.dll to the
following locations (%windir% being the windows or winnt
directory):
%windir%\system32
%windir%\system
Download the Hoster from here. Press Restore Original
Hosts and press OK. Exit Program. This will restore the
original deleted Hosts file.
If you have Spybot S&D installed you will also need to
replace one file. Go here: SDHelper.zip and download
SDHelper.dll. Copy the file to the folder containing your
Spybot S&D program (normally C:\Program Files\Spybot -
Search & Destroy). Then click Start -> Run -> type
regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
and press the OK button.
Step 10:
Please check Internet Explorer settings:
Open Internet Explorer -> Tools -> Internet Options... ->
click the Security tab -> click the Internet icon -> press
the Custom Level... button.
Under ActiveX controls and plug-ins tick:
- Download signed ActiveX controls - Prompt
- Download unsigned ActiveX controls - Disable
- Initialize and script ActiveX controls not marked as
safe - Disable
- Run ActiveX controls and plug-ins - Enable
- Script ActiveX controls marked safe for scripting - Prompt
Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.
Reboot and post a new HJT log.
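The HijackThis entries listed in Step 3 are the indicators a helper looks for when reading a log. The script below is an added example, not part of the original post and not a BleepingComputer or HijackThis tool: it parses HijackThis-style log lines and flags the ones that match the indicators the post lists (the res:// search page served by wltbf.dll, the javavq.dll BHO, the ntbj.exe Run entry, and the apc.com / apcc.com / awmdabest.com Trusted Zone hosts and the 206.161.125.149 IP range). The sample log lines are constructed for this example; the line format assumed is the plain "CODE - body" layout shown in the post.

```python
import re

# Indicators of compromise, all taken from the entries listed in the post:
# the three dropped files, the res:// search page they serve, and the
# Trusted Zone hosts and IP range the infection adds to Internet Explorer.
CWS_FILES = {"wltbf.dll", "javavq.dll", "ntbj.exe"}
CWS_RES_URL = "res://c:\\windows\\wltbf.dll/sp.html#10001"
CWS_TRUSTED_HOSTS = {
    "jupiter.apc.com", "order1.apc.com", "trojan.apc.com",
    "jupiter.apcc.com", "order1.apcc.com", "order2.apcc.com",
    "trojan.apcc.com", "*.awmdabest.com",
}
CWS_TRUSTED_IPS = {"206.161.125.149"}

# A HijackThis entry starts with a section code such as R0, R1, O2, O4 or O15.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Match a dropped file name as a whole token (not as part of another name).
FILE_PATTERN = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(f) for f in sorted(CWS_FILES)) + r")(?![\w.])",
    re.IGNORECASE,
)


def parse_hjt_line(line):
    """Split one log line into (section code, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def trusted_zone_target(body):
    """Extract the host/IP from an O15 body, dropping the scheme and '(HKLM)'."""
    _, _, value = body.partition(":")
    value = value.replace("(HKLM)", "").strip()
    value = re.sub(r"^https?://", "", value, flags=re.IGNORECASE)
    return value.rstrip("/").lower()


def classify(line):
    """Return a reason string if the entry matches a CWS indicator, else None."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return None
    code, body = parsed
    if code in ("R0", "R1") and CWS_RES_URL in body.lower():
        return "IE search/start page redirected to " + CWS_RES_URL
    if code in ("O2", "O4"):
        m = FILE_PATTERN.search(body)
        if m:
            return "loads CWS component " + m.group(1).lower()
    if code == "O15":
        target = trusted_zone_target(body)
        if target in CWS_TRUSTED_HOSTS or target in CWS_TRUSTED_IPS:
            return "CWS-added Trusted Zone entry " + target
    return None


def scan_log(lines):
    """Return [(entry, reason)] for every log line that matches an indicator."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample log: entries of the kinds the post tells the user to fix,
# plus two benign entries (a normal start page and a normal Trusted Zone site)
# that must not be flagged.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wltbf.dll/sp.html#10001",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
    r"O2 - BHO: (no name) - {5CE5B985-51B1-3958-E5DB-92DD9091CFBB} - C:\WINDOWS\javavq.dll",
    r"O4 - HKLM\..\Run: [ntbj.exe] C:\WINDOWS\system32\ntbj.exe",
    r"O15 - Trusted Zone: http://trojan.apcc.com (HKLM)",
    r"O15 - Trusted Zone: http://www.example.com",
    r"O15 - Trusted IP range: 206.161.125.149",
]

if __name__ == "__main__":
    for entry, reason in scan_log(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The O6 restriction entries are deliberately not matched: as the post says, those can be legitimate settings made by protection software or an administrator, so they need a human decision rather than an automatic flag.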