Welcome to Geeks to Go - Register now for FREE

The Aurora PopUp [RESOLVED]

#46
death_hand (Member, Topic Starter, 56 posts)
Another one:

File: qkcrxvibs.exe
Path: C:\WINDOWS
Infection: Spyware.BetterInternet

#47
death_hand (Member, Topic Starter, 56 posts)
Here is the log from RKFiles:

C:\Program Files\AntiVirus\RKFiles\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\protector_update.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\svcproc.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

#48
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
These files should be deleted:

C:\WINDOWS\protector_update.exe
C:\WINDOWS\svcproc.exe

Use the Killbox if necessary.

Then do me a favor and get this hosts file:
http://www.mvps.org/...p2002/hosts.htm

Am I correct in assuming that Ewido was able to get rid of the other two?

Regards,

#49
death_hand (Member, Topic Starter, 56 posts)
Right, I've removed the two files using Killbox and have got the new hosts file and put that in the right folder.

As for Ewido, it brings up the warning window and I tell it to clean what it has found, but the same warning pops up at a later point in time, so it seems as if the file is deleted for a while and then re-downloaded - and Ewido picks it up again.

#50
death_hand (Member, Topic Starter, 56 posts)
Just had this from Symantec AV

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.Admincash.B
File: C:\WINDOWS\explorer.exe
Location: C:\WINDOWS
Computer: GEO
User: George
Action taken: Clean failed : Quarantine failed : Access denied
Date found: 28 April 2005 14:01:35

#51
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)

so it seems as if the file is deleted for a while and then re-downloaded - and Ewido picks it up again.

My theory exactly. So let's hope the hosts file blocks any traffic with their sites.

Regards,

#52
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)

Threat: Trojan.Admincash.B
File:  C:\WINDOWS\explorer.exe

That makes sense:
http://www.symantec....dmincash.b.html

Follow the removal instructions there.

Regards,

#53
death_hand (Member, Topic Starter, 56 posts)
I'm in the process of running the steps from the link. I get the warning from my AV every time I do something like open a folder or click on a link. I couldn't understand why, but now I understand that explorer.exe is used to carry out these actions and when it does, Symantec notices that the file is infected.

#54
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
That's correct. The Windows file responsible for opening folders etc. is explorer.exe.
Since that file was replaced by the trojan, it gets activated every time.

This ought to stop once you have replaced it.

You can use IE (or any other browser) to move through your folders by the way. Just type the path to the file in the browser window.

Regards,

#55
death_hand (Member, Topic Starter, 56 posts)

This ought to stop once you have replaced it.


I'm still getting the warning from my AV software telling me it has found explorer.exe even after I had replaced it.

I'm not so sure that the explorer.exe was replaced using the steps from the Symantec website and I don't want to delete it if it hasn't been replaced.

I followed the steps it said to, I typed sfc /scannow into the command prompt and it asked me to put in my XP disc. I did that and it began checking the files against the ones on the XP disc.

But, when the status bar reached the end of the scale, it finished and just went without any prompts saying if anything had been replaced and/or was corrupt.

Also, when I did a full scan with Symantec, it didn't delete the infected explorer.exe file; it said 'action taken: None'.

Sorry if I'm being stupid - I just don't want to kill my PC :tazz:

Edited by death_hand, 28 April 2005 - 09:13 AM.


#56
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
You're not being stupid. Give me a minute to work something out.

Regards,

Pieter

#57
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
You will have to copy the files over to the relevant locations in the command-prompt.

Best print this out.

See if you have this file: C:\i386\explorer.exe and compare its properties with the infected one. If you can tell they are different, use this one to copy to the C:\ directory; if not, copy C:\Program Files\Internet Explorer\iexplore.exe to C:\WINDOWS\
Rename the file you are going to use to Explorer.new

Now open Task Manager by hitting Ctrl-Alt-Del
Open the command prompt, f.e. by Start > Run > cmd
Divide the two over your screen so you can work in both.
In Task Manager select all the explorer.exe processes and terminate them one by one.

At the first prompt type cd\
At the C:\> prompt type...
ren C:\WINDOWS\explorer.exe explorer.old press Enter.

Now at the C:\> prompt type....
ren C:\windows\explorer.new explorer.exe press Enter.

Now in Taskmanager on the Applications tab click "New Task"
and type C:\WINDOWS\explorer.exe

Now delete:
C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe

Now run sfc /scannow again

Let me know,

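One way to do the "compare its properties" step from the post above in code, added here as an example (it is not from the thread, RKFiles or Symantec): it hashes the installed explorer.exe against a copy believed clean, such as C:\i386\explorer.exe, lists the PE section names, and looks for the packer markers RKFiles reported in its log (UPX!, PEC2). The build_fake_pe helper and every byte string below are constructed for offline testing; against a real system you would read the two files with open(path, "rb") instead.

```python
import hashlib
import struct

# Marker strings RKFiles prints next to a path ("UPX!", "PEC2"): packer
# signatures present in the file, a hint for review rather than proof of malice.
PACKER_MARKERS = {b"UPX!": "UPX!", b"PEC2": "PEC2"}


def packer_markers(data: bytes) -> list:
    """Return the packer markers found anywhere in the file bytes."""
    return [name for magic, name in PACKER_MARKERS.items() if magic in data]


def pe_section_names(data: bytes) -> list:
    """Read the section names from a PE section table; [] if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt          # first 40-byte section header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(num_sections)]


def compare_candidates(installed: bytes, reference: bytes) -> dict:
    """Compare the live explorer.exe bytes with a copy believed clean (e.g. C:\\i386)."""
    return {
        "identical": hashlib.sha256(installed).digest() == hashlib.sha256(reference).digest(),
        "size_delta": len(installed) - len(reference),
        "installed_markers": packer_markers(installed),
        "reference_markers": packer_markers(reference),
        "installed_sections": pe_section_names(installed),
    }


def build_fake_pe(section_names, tail=b"") -> bytes:
    """Constructed test input: a PE-shaped byte string, not a runnable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table + tail


if __name__ == "__main__":
    clean = build_fake_pe([".text", ".rsrc"], b"constructed clean body")
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!" + b"\0" * 12)
    print(compare_candidates(packed, clean))
```

A hash mismatch alone does not prove the installed copy is infected, since service packs and hotfixes also change explorer.exe; the sfc /scannow step in the post is what confirms the version. A UPX section name is likewise only a prompt to look closer, as the RKFiles log itself warns.
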
#58
death_hand (Member, Topic Starter, 56 posts)
Hi Pieter,

Thanks for the fast reply. Is it possible for you to do some more detailed instructions for the above steps. Everyone else on here probably understands them perfectly and I sort of get what I need to do, I just don't want to get it wrong.

Instead of modifying the IEXPLORE.exe file, could I copy the Explorer.exe file from my housemate's PC? He has XP Home SP2, the same as me.

Thanks,

Geo :tazz:

#59
Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
Hi Geo,

Sure, any explorer.exe you are sure to be clean can be used.

Running sfc /scannow after removing the infected one will alert you anyway if it is the wrong version.

Regards,

#60
death_hand (Member, Topic Starter, 56 posts)
OK that makes life a bit easier then.

A few questions: where is the explorer.exe file located?
And where do I put the uninfected one?
Also, how will I go about deleting the infected one, a simple file delete??
How can Windows run if I terminate explorer.exe and delete the infected version before it is replaced with the new one??

Sorry again for my poor computer knowledge