Edited by moegossard, 11 October 2006 - 06:59 PM.
Help with viruses please..
Started by moegossard, Aug 18 2005 01:15 PM
#1
Posted 18 August 2005 - 01:15 PM
#2
Posted 18 August 2005 - 05:53 PM
Welcome to the Geeks To Go forum.
Step 1
Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.
Download the trial version of Ewido Security Suite from here.
Setup the program following the instructions here and update the program with the latest definitions.
Then close it without running a scan. We'll use it in Safe Mode.
Download Nailfix from here.
Unzip it to the desktop but please do NOT run it yet.
Download and install Cleanup! from here to your desktop.
Download dsrfix.zip from here and unzip it to your desktop (you should have a dsrfix folder on the desktop if you've done this correctly).
Download APT and unzip the contents to a new folder on your desktop.
Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.
Step 2
We'll take care of the Epolvy Trojan as it reinstalls Nail.exe on reboot if not removed first.
It's easy to spot in your log. It's the random 'O4' HKLM entry with an 'r' after the .exe process. In your previous log it was:
O4 - HKLM\..\Run: [nqkcmed] C:\windows\system32\nexywo.exe r
Take a scan with HijackThis (don't fix anything) and note down the exact filepath of this file. C:\Windows\System32\nexywo.exe r
Now open the APT folder you've just created and click on apt.exe and search in the window for C:\Windows\System32\random.exe
Open your C:\Windows\system32 folder and search for C:\Windows\System32\nexywo.exe
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select C:\Windows\System32\nexywo.exe and Click Kill3
Then immediately delete C:\Windows\System32\nexywo.exe from your system32 folder.
Close APT.
Step 3
Reboot into Safe Mode and double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Step 3
Now open ewido and do a scan of your system.
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Save the report .txt file to your desktop or a location where you can find it easily.
Step 4
Run HijackThis again and place a check before the following entries (if still present):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {BB664BD8-9C92-4F27-9680-485F7E42B090} - C:\WINDOWS\madopew.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LVZGJQ] C:\WINDOWS\LVZGJQ.exe
O4 - HKLM\..\Run: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\Run: [nqkcmed] c:\windows\system32\nexywo.exe r
O4 - HKLM\..\RunServices: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email2.uncg.edu/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
Close ALL OPEN WINDOWS except for HijackThis and click Fix Checked.
Step 5
Now open the dsrfix folder on your desktop.
Double-Click on dsrfix.bat
A window will pop up briefly and then close; this is normal.
Step 6
Now using Windows Explorer find and delete the following files/folders:
C:\WINDOWS\dsr.dll <-- File
C:\WINDOWS\dinst.exe <-- File
C:\WINDOWS\farmmext.exe <-- File
C:\WINDOWS\satmat.exe <-- File
C:\WINDOWS\LVZGJQ.exe <-- File
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools <-- Folder
Step 7
Now run CleanUp!.
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.
Click the Options button.
Make sure only the following are checked:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (XP only)
- Scan local drives for temporary files
- Cleanup! All Users
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.
Step 8
Restart your computer in normal mode and post a fresh HijackThis log and Ewido log.
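One way to mechanise the log reading the post describes, as an added example that is not the helper's or Geeks To Go's code: a small Python triage script run over constructed HijackThis-style lines, flagging the patterns called out above (the trailing 'r' autorun argument from Step 2, the extra program on the Shell= line, orphaned BHO entries, and the search-hijacker hosts named in the R0/R1 entries). The function and constant names are assumptions of this example.

```python
import re

# Constructed sample in the shape of the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {BB664BD8-9C92-4F27-9680-485F7E42B090} - C:\WINDOWS\madopew.dll (file missing)
O4 - HKLM\..\Run: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\Run: [nqkcmed] c:\windows\system32\nexywo.exe r
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email2.uncg.edu/iNotes6.cab
"""

# Search-hijacker hosts named in the post's R0/R1 entries.
HIJACK_HOSTS = ("websearch.drsnsrch.com", "searchv.com")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text):
    """Return (line, reason) pairs for entries that match the patterns the post describes."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            # The loader described in Step 2: a random name, an .exe path, then a lone 'r' argument.
            if re.search(r"\.exe\s+r$", cmd, re.IGNORECASE):
                findings.append((line, "autorun with trailing 'r' argument (Epolvy-style loader)"))
            # A bare filename is resolved through PATH; look-alike names such as msconfig32.exe use this.
            elif "\\" not in cmd:
                findings.append((line, "autorun without a full path"))
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Only Explorer.exe belongs here; anything appended is started along with the shell.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append((line, "extra program hooked into the Shell= line"))
            continue
        if line.startswith(("O2 ", "O3 ", "O9 ")) and ("(file missing)" in line or "(no file)" in line):
            findings.append((line, "orphaned BHO/toolbar/button registration"))
            continue
        if line.startswith(("R0 ", "R1 ")) and any(h in line.lower() for h in HIJACK_HOSTS):
            findings.append((line, "IE search setting points at a known hijacker host"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the seven constructed lines; the WeatherBug autorun and the iNotes6 ActiveX control pass through untouched.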