Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Help with viruses please..

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
In the town where i was born, there lived a man who sailed to sea.

Edited by moegossard, 11 October 2006 - 06:59 PM.

  • 0




    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:

Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download the trial version of Ewido Security Suite from here.
Setup the program following the instructions here and update the program with the latest definitions.
Then close it without running a scan. We'll use it in Safe Mode.

Download Nailfix from here.
Unzip it to the desktop but please do NOT run it yet.

Download and install Cleanup! from here to your desktop.

Download dsrfix.zip from here and unzip it to your desktop (you should have a dsrfix folder on the desktop if you've done this correctly).

Download APT and unzip the contents to a new folder on your desktop.

Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.

Step 2

We'll take care of the Epolvy Trojan as it reinstalls Nail.exe on reboot if not removed first.

It's easy to spot in your log. It's the random '04' HKLM entry with an 'r' after the .exe process. In your previous log it was:

O4 - HKLM\..\Run:nqkcmed] C:\windows\system32\nexywo.exe r

Take a scan with HijackThis (don't fix anything) and note down the exact filepath of this file. C:\Windows\System32\nexywo.exe r

Now open the APT folder you've just created and click on apt.exe and search in the window for C:\Windows\System32\random.exe

Open your C:\Windows\system32 folder and search for C:\Windows\System32\nexywo.exe

Don't delete it yet, just leave the system32 folder open so you can see the bad file.

In APT again, Select C:\Windows\System32\nexywo.exe and Click Kill3

Then immediately delete C:\Windows\System32\nexywo.exe from your system32 folder.

Close APT.

Step 3

Reboot into Safe Mode and double-click on nailfix.exe.

Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".

Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step 3

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Save the report .txt file to your desktop or a location where you can find it easily.
Then close Ewido Security Suite.

Step 4

Run HijackThis again and place a check before the following entries (if still present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {BB664BD8-9C92-4F27-9680-485F7E42B090} - C:\WINDOWS\madopew.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\Run: [nqkcmed] c:\windows\system32\nexywo.exe r
O4 - HKLM\..\RunServices: [Configuration Loader] msconfig32.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email2.uncg.edu/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

Close ALL OPEN WINDOWS except for HijackThis and click Fix Checked.

Step 5

Now open the dsrfix folder on your desktop.

Double-Click on dsrfix.bat

A window will pop up briefly then close, this is normal.

Step 6

Now using Windows Explorer find and delete the following files/folders:

C:\WINDOWS\dsr.dll <-- File
C:\WINDOWS\dinst.exe<-- File
C:\WINDOWS\farmmext.exe<-- File
C:\WINDOWS\satmat.exe<-- File
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools <-- Folder

Step 7

Now run CleanUp!.


CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Click the Options button.
Make sure only the following are checked:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users
Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.

Step 8

Restart your computer in normal mode and post a fresh HijackThis log and Ewido log.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP