Author Topic: Hi =] Trojan gen =/  (Read 28651 times)


jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #45 on: August 28, 2008, 10:21:43 PM »
me?
thanks
 8)
just following everything i'm told lol

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #46 on: September 01, 2008, 02:51:27 AM »
Hi jc81,

First and foremost undo system restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Adclicker removal instructions

You have to be the Administrator (full privileges). The way it works, it loads into RAM and then uses your O/S as its slave to replicate and try to do its damage. One of the first things we do is temporarily kill its slave off.
-------------

1) Quit all open apps. Kill off everything except avast, your firewall, and anti-spyware programs, drivers.
2) Open the Task Manager (CTRL-ALT-DEL)
3) Find "Explorer.exe" and RIGHT-CLICK on it. Choose "end-process tree" to kill Explorer entirely.
4) Start DrWebCureIT from a mem stick. Scan your entire disk to get rid of all those infecting DLLs (You can have over 15,000).
5) Now that the slave is killed, let's go identify the "master" still in RAM. Under the Task Manager, Launch "sysinfo32".
6) Go to "Software Environment->Loaded Modules". Choose Advanced View. Once it's preflighted everything and displayed a list, sort it by date, so you can see what was most recently installed. Look at the Manufacturer column and look for "Melkosoft". You might see more than one evil entry.
7) Under SysInfo32, go to "Software Environment->Startup Programs". THIS is the one that causes it to launch when Explorer.exe runs. It could look like:

"c:\winnt\system32\????????????.exe"

Under the Task Manager, now that you know its name, go to File->Start Task and launch regedit. Search for the name. Mine was found in the registry here:

Computer->HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->Run->Control handler
Delete registry values:

Browse to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the values 'SVCHOST', 'TcpDetect' and 'win32app'

8) DELETE the specific entry for "???????????.exe" (whatever yours was named).
9) Back in the Task Manager, go to File->Start Task, and launch Explorer.exe to bring your O/S back up. avast should not holler because when Explorer.exe starts, it no longer launches the virus.
10) Go into where the replicating DLLs are:

c:\winnt\system32\

and add ".vir" to the end of the DLLs that anti-virus couldn't clean out because they were "in use" and couldn't be deleted (you identified these in Step #6).
11) Reboot
12) Go back into

c:\winnt\system32\

and delete all files you added the ".vir" suffix to.

13) Lastly, run your anti-spyware program and have it search your entire disk. This will remove malicious cookies that this thing also seems to plant.
14) Reboot.

polonus


Okay, so I'm doing this tomorrow. I'm so afraid I'm going to mess it up and kill my computer somehow.

But I have a question about number 4. Start DrWebCureIT from a mem stick.
I have no idea what that means or how to do it. A memory stick?? What is that? lol
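
The read-only checks behind steps 6 to 8 of the instructions quoted above, as an added PowerShell example that is not part of any post in this thread. The Run key path, the three value names and the "Melkosoft" manufacturer string come from the post; the helper `Get-CommandImagePath` and the output columns are assumptions made for illustration, and the script only lists, it deletes and renames nothing.

```powershell
# Added example (not from the thread): read-only audit, nothing is deleted or renamed.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$flagged = 'SVCHOST', 'TcpDetect', 'win32app'   # value names listed in the post
$vendor  = 'Melkosoft'                          # manufacturer string from step 6

# Hypothetical helper: pull the executable out of a Run command line.
function Get-CommandImagePath([string]$CommandLine) {
    # Quoted path first, otherwise the first whitespace-delimited token
    # (unquoted paths that contain spaces are ambiguous and get cut short).
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# Steps 7-8: every autostart value under the Run key, with the post's names marked.
$key = Get-Item -Path $runKey
$autostarts = foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)
    $image   = Get-CommandImagePath $command
    $exists  = [bool]($image -and (Test-Path -LiteralPath $image -PathType Leaf))
    $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
    New-Object PSObject -Property @{
        Name        = $name
        Command     = $command
        Image       = $image
        NamedInPost = ($flagged -contains $name)   # -contains is case-insensitive
        FileExists  = $exists
        Signature   = $sig
    }
}
$autostarts | Sort-Object NamedInPost -Descending |
    Format-Table Name, NamedInPost, FileExists, Signature, Image -AutoSize

# Step 6: modules loaded in running processes whose version info names the vendor,
# newest file first (the post sorts the module list by date).
Get-Process | Select-Object -ExpandProperty Modules -ErrorAction SilentlyContinue |
    Where-Object { $_.FileVersionInfo.CompanyName -like "*$vendor*" } |
    Sort-Object FileName -Unique |
    Select-Object FileName,
        @{n = 'Company';   e = { $_.FileVersionInfo.CompanyName }},
        @{n = 'LastWrite'; e = { (Get-Item -LiteralPath $_.FileName).LastWriteTime }} |
    Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt; processes whose module list cannot be read are skipped silently, so an empty second table does not by itself mean nothing is loaded.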

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #47 on: September 01, 2008, 03:47:05 AM »
Polonus is referring to one of those USB memory dongle things

Polonus  do you want her to Download Dr Web on a different computer
I think she needs to know how to get Dr Web on whatever a memstick is

jc
Polonus is in the Netherlands he may be in neverland by now
hang tight and ask all these questions ahead of time

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #48 on: September 01, 2008, 04:00:30 PM »
Polonus is referring to one of those USB memory dongle things

Polonus  do you want her to Download Dr Web on a different computer
I think she needs to know how to get Dr Web on whatever a memstick is

jc
Polonus is in the Netherlands he may be in neverland by now
hang tight and ask all these questions ahead of time

This is the only computer I haveeee.
I'm really freaked out about doing this stuff btw lol.
I think I'll destroy it somehow and...goodbye computer.

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #49 on: September 02, 2008, 05:58:35 AM »
give polonus a pm with your concerns and have him give you explicit directions
he is really good at that  this is sort of a bump

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #50 on: September 04, 2008, 12:10:41 AM »
give polonus a pm with your concerns and have him give you explicit directions
he is really good at that  this is sort of a bump

Thank you wyrmrider, I have.
 :)

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #51 on: September 04, 2008, 01:03:57 AM »
A Squared also has a memstickable anti Trojan tool

http://www.emsisoft.com/en/software/download/
scroll down
a-squared Emergency USB Stick files
start download

should be handy to have around

did pol get back to you?
He PM'ed me about another post earlier today

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Hi =] Trojan gen =/
« Reply #52 on: September 04, 2008, 01:17:18 AM »
Hi wyrmrider,

Yes he PM-ed with the instruction on how to achieve a USB stick. Also known as pendrive or removable flash drive and how to download DrWebCureIt onto there with save launch.exe onto the drive number that the computer has given to the new removable drive, that is the USB stick when attached to the USB plughole (most modern XP machines have at least two of these). You can buy a memory stick or USB stick or pen drive or removable flash drive for a couple of bucks really (from 1 GB to 8 or more GB), and it is nice to have security scanners and tools on there to keep computers clean as well as other data to carry around, I hope I explained this right enough for people that are not actually geeks,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #53 on: September 04, 2008, 01:33:05 AM »
Pol
Have you had your glasses checked lately?

YoKenny

  • Guest
Re: Hi =] Trojan gen =/
« Reply #54 on: September 05, 2008, 10:00:51 AM »
My favorite USB stick:
http://winpatrol.stores.yahoo.net/winpatrol-usb-flash-wristband.html

I put CCleaner on it as well.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Hi =] Trojan gen =/
« Reply #55 on: September 05, 2008, 06:09:33 PM »
My favourite usb stick, smallest 8GB usb ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: Hi =] Trojan gen =/
« Reply #56 on: September 06, 2008, 04:30:34 AM »

wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #57 on: September 11, 2008, 07:42:05 PM »
JC

you ok?


wyrmrider

  • Guest
Re: Hi =] Trojan gen =/
« Reply #58 on: September 12, 2008, 07:59:55 PM »
jc
here is another tool that might help
http://forums.spybot.info/showthread.php?t=34034

jc81

  • Guest
Re: Hi =] Trojan gen =/
« Reply #59 on: September 17, 2008, 10:45:37 PM »
JC

you ok?



Yeah, thanks...

I still haven't done what polonus said...just kind of putting it off hoping the computer fixes itself. LOL You're welcome to come over and do it for me  ;) hahaha

Thanks for the link, I'll check it out.

jc