Please do not open Internet Explorer during any portion of this process.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Step 1:
Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop and then set the service to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.
Step 2:
Press control-alt-delete to get into the task manager and end the follow processes if they exist:
The name of the file from the service above
C:\WINDOWS\addfc.exe
lshuf.dll
addds.dll
Step 3:
I now need you to delete the following files:
The name of the file from the service above
C:\WINDOWS\addfc.exe
lshuf.dll
addds.dll
Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
Step 4:
Then run hijackthis and fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lshuf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lshuf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lshuf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lshuf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lshuf.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lshuf.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FEDEFD60-10D5-72B0-53AE-90868EAC08A6} - C:\WINDOWS\system32\addds.dll
O4 - HKLM\..\Run: [qu] c:\documents and settings\dpierce\local settings\temp\qu.exe
O4 - HKLM\..\Run: [K2K83] c:\documents and settings\dpierce\local settings\temp\K2K83.exe
O4 - HKLM\..\Run: [addfc.exe] C:\WINDOWS\addfc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
Step 5:
In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 but may be called something differently on your computer.
Go to Start>Run and type regedit.
Press enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If __NS_Service_3 exists , right click on it and choose delete from the menu.
Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.
Step 6:
Restore files deleted by this malware.
- Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
- If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
- If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
Now reboot and post a new log.