Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help with viruses please..

Started by moegossard , Aug 18 2005 01:15 PM

  • Please log in to reply

#1
moegossard
Posted 18 August 2005 - 01:15 PM

moegossard

    New Member

  • Member
  • Pip
  • 1 posts
In the town where i was born, there lived a man who sailed to sea.

Edited by moegossard, 11 October 2006 - 06:59 PM.

  • 0

Advertisements

#2
bricat
Posted 18 August 2005 - 05:53 PM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:



Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download the trial version of Ewido Security Suite from here.
Setup the program following the instructions here and update the program with the latest definitions.
Then close it without running a scan. We'll use it in Safe Mode.

Download Nailfix from here.
Unzip it to the desktop but please do NOT run it yet.

Download and install Cleanup! from here to your desktop.

Download dsrfix.zip from here and unzip it to your desktop (you should have a dsrfix folder on the desktop if you've done this correctly).

Download APT and unzip the contents to a new folder on your desktop.

Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.


Step 2

We'll take care of the Epolvy Trojan as it reinstalls Nail.exe on reboot if not removed first.

It's easy to spot in your log. It's the random '04' HKLM entry with an 'r' after the .exe process. In your previous log it was:

O4 - HKLM\..\Run:nqkcmed] C:\windows\system32\nexywo.exe r

Take a scan with HijackThis (don't fix anything) and note down the exact filepath of this file. C:\Windows\System32\nexywo.exe r


Now open the APT folder you've just created and click on apt.exe and search in the window for C:\Windows\System32\random.exe

Open your C:\Windows\system32 folder and search for C:\Windows\System32\nexywo.exe

Don't delete it yet, just leave the system32 folder open so you can see the bad file.

In APT again, Select C:\Windows\System32\nexywo.exe and Click Kill3

Then immediately delete C:\Windows\System32\nexywo.exe from your system32 folder.

Close APT.


Step 3

Reboot into Safe Mode and double-click on nailfix.exe.

Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".

Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


Step 3

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Save the report .txt file to your desktop or a location where you can find it easily.
Then close Ewido Security Suite.


Step 4

Run HijackThis again and place a check before the following entries (if still present):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {BB664BD8-9C92-4F27-9680-485F7E42B090} - C:\WINDOWS\madopew.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LVZGJQ] C:\WINDOWS\LVZGJQ.exe
O4 - HKLM\..\Run: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\Run: [nqkcmed] c:\windows\system32\nexywo.exe r
O4 - HKLM\..\RunServices: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email2.uncg.edu/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe


Close ALL OPEN WINDOWS except for HijackThis and click Fix Checked.


Step 5

Now open the dsrfix folder on your desktop.

Double-Click on dsrfix.bat

A window will pop up briefly then close, this is normal.


Step 6

Now using Windows Explorer find and delete the following files/folders:

C:\WINDOWS\dsr.dll <-- File
C:\WINDOWS\dinst.exe<-- File
C:\WINDOWS\farmmext.exe<-- File
C:\WINDOWS\satmat.exe<-- File
C:\WINDOWS\LVZGJQ.exe<-- File
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools <-- Folder


Step 7

Now run CleanUp!.

*IMPORTANT NOTE*

CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Click the Options button.
Make sure only the following are checked:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users
Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.


Step 8

Restart your computer in normal mode and post a fresh HijackThis log and Ewido log.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP