Win32:Kreper-I How the hell do I get rid of it

[drgooding]

Peoples, Win32:Kreper-I is annoying me. Some git sent it to me as a link, and dumb me clicked on it. OPS. Anyhow, It keeps regenerating its self in either the C:\Windows directory or C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ as an .exe file with a bogus name thats never the same. It also automatically connects me onto the net whenever I turn on the computer.
I need some sort of help to get rid of this. PLEASE HELP.


Don

[galooma]

Hi and welcome DRgooding,
first thing you can do is empty out all your temp files , this is the place where its sitting after all.
then scan again and see if its still around

[galooma]

A board search reveals several others having dealt with it using HJT analysis
you can d/l it here http://www.allsecpros.com/hjt.html
There`s also a tutorial available at that site which might be of use. good luck

[drgooding]

OK. I d/l hijackthis but i didn't use it yet, but i think i got rid of it now. i found two programs that were created on the day i got the virus, and deleted them, after checking to see what they do of course.

C:\WINDOWS\winini.exe - opens IE and starts the default dial-up connection.

C:\WINDOWS\test.exe - this seems to be the program that generates the virus.

I deleted them yesterday afternoon and rebooted the computer a couple of times and haven't gotten any more virus alerts.

A tone of text files were also created at the same time stamp as the two programs. Some of them contain system info gathered by the virus. All where found in C:\WINDOWS

tsoc.txt
tabletoc.txt
ocmsn.txt
ntdtcsetup.txt
netfaxocm.txt
msnqinst.txt
msgsocm.txt
MedCtrOC.txt
imsins.txt
iis6.txt
FaxSetup.txt
comsetup.txt

I left these as they were till I figure out which can be deleted.

Don

[DavidR]

Hijackthis is definately the tool of choice and to download it and not use it seems a waste of effort. If Krepper is such a pain to get rid of, it would pay to ensure that there are no registry entries to run something again.

[Eddy]

If you click on the link in my signature and visit the HijackThis Section, you will be able to find all the information on how to use it and how to look at the log file.

[drgooding]

Thanks guys, I downloaded HJT  last nite but I did not run it, I'll try doing that when I get home.

[drgooding]

I ran HJT and did an online log analysis and there was one entry still there, so I fixed it.

O4 - HKLM\..\Run: [FX] C:\WINDOWS\winini.exe

everything esle was acounted for.

Thaks for your help guys, and I hope this info can save alot of people some trouble.

Don

[DavidR]

I think it should help others, a valuable lesson in using the right tools, requesting help, rather than struggle through manually editing the registry.

Happy that you are now clear of the malware.