07-12-2005, 10:24 AM   #4
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A


Please do not skip any of the steps I laid out. They must be carried out in the exact order.

Please download these additional files/programs (do not run them unless instructed to do so):
Unplug your computer from the Internet when you have finished downloading.

Ewido Security Suite - Install it and update its database, but do not run it yet.

ETRemover_v130.zip - Unzip to a new folder on Desktop.
  • From that folder, click on ETRemover_v130.exe
  • Click About >> check for updates
  • After it has updated itself, close that program. We'll run it later.


~~~~~~~~~~~~~~

Copy all the items below to the clipboard by highlighting them and pressing [CTRL]+[C] on your keyboard.
C:\WINNT\system32\gxnorbp.dll
C:\WINNT\system32\PSof1.exe
C:\WINNT\system32\uci.exe
C:\WINNT\system32\wmvahl.exe
C:\WINNT\system32\elitegym32.exe
C:\WINNT\system32\elitezhk32.exe

Start KillBox
  1. Go to the File menu, and choose [Paste from Clipboard].
    Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister .dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

* If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, click here to download and run missingfilesetup.exe. Then try KillBox again.


~~~~~~~~~~~~~~

Reboot to Safe Mode
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.


~~~~~~~~~~~~~~

Run ETRemover_v130.exe, then click the "Kill Elite Toolbar" button and wait until it finishes its work.

* Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!


~~~~~~~~~~~~~~

Run CleanUp! and configure the program as follows:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X] Scan local drives for temporary files (please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup.


~~~~~~~~~~~~~~

Run Ewido:
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
  • With the first file it prompts to clean, select the option "Perform action on all infections", choose Clean, and click OK.
  • Once finished, click the Save report button
  • Save the report to your desktop
Close Ewido.


~~~~~~~~~~~~~~

Reboot to Normal Mode.

Do an online scan at Panda.

Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.


~~~~~~~~~~~~~~

Run a scan with HiJackThis, select (tick) the following, and click [Fix checked]:

O4 - HKLM\..\Run: [KavSvc]


~~~~~~~~~~~~~~

Download FindQoologic - Unzip to Desktop.
Run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here.

Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.
In your next post, please include fresh copies of:
  • HiJackThis log
  • List of files that Panda failed to disinfect
  • Ewido's logs
  • Qoologic's log

Please provide details of any problems you encountered whilst performing the above steps.
__________________

Question - what have you done for the community today?
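A check a responder can run before the KillBox step and again after the Safe Mode reboot, added here as an example; it is not part of sUBs's post or of KillBox, HiJackThis or any other tool named above. It takes the six file paths and the HKLM Run value name (KavSvc, from the O4 line) from the instructions, records whether each still exists together with its size, timestamp and SHA-256 hash, and reads the PendingFileRenameOperations value, which is assumed here to be the mechanism behind delete-on-reboot tools in general (not confirmed for KillBox specifically). It assumes a modern PowerShell (Get-FileHash needs version 4 or later) run as Administrator; the C:\WINNT paths are kept exactly as the post gives them and will simply report as absent on a machine with a different Windows directory.

```powershell
# Added example, not from the original post: inventory the files and the
# autorun entry named in the instructions, so what was present (and its hash)
# is on record before removal and can be re-checked afterwards.

# File paths copied from the post.
$SuspectFiles = @(
    'C:\WINNT\system32\gxnorbp.dll',
    'C:\WINNT\system32\PSof1.exe',
    'C:\WINNT\system32\uci.exe',
    'C:\WINNT\system32\wmvahl.exe',
    'C:\WINNT\system32\elitegym32.exe',
    'C:\WINNT\system32\elitezhk32.exe'
)

# HiJackThis "O4 - HKLM\..\Run" maps to this key; the value name is from the post.
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'KavSvc'

function Get-SuspectFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p -Force
            [pscustomobject]@{
                Path      = $p
                Present   = $true
                SizeBytes = $item.Length
                LastWrite = $item.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        } else {
            [pscustomobject]@{ Path = $p; Present = $false; SizeBytes = $null; LastWrite = $null; SHA256 = $null }
        }
    }
}

function Get-RunEntry {
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) {
        [pscustomobject]@{ Key = $Key; Name = $Name; Present = $true;  Command = $props.$Name }
    } else {
        [pscustomobject]@{ Key = $Key; Name = $Name; Present = $false; Command = $null }
    }
}

function Get-PendingDeletes {
    # Assumption: delete-on-reboot tools queue work in this REG_MULTI_SZ value.
    # It holds pairs of strings: a source path (prefixed "\??\") followed by a
    # destination; an empty destination means "delete at next boot".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $val) { return @() }
    $out = @()
    for ($i = 0; $i -lt $val.Count; $i += 2) {
        $src = $val[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $val.Count) { $val[$i + 1] } else { '' }
        $out += [pscustomobject]@{ Source = $src; Destination = $dst; IsDelete = [string]::IsNullOrEmpty($dst) }
    }
    return $out
}

$report = Get-SuspectFileReport -Paths $SuspectFiles
$report | Format-Table -AutoSize
Get-RunEntry -Key $RunKey -Name $RunValue | Format-List
Get-PendingDeletes | Format-Table -AutoSize

# Keep a copy of the file report next to the other logs the post asks for.
$report | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\suspect-files.csv') -NoTypeInformation
```

Run it once before starting KillBox to capture hashes of whatever is actually on disk, once more after clicking the RED X (the pending-delete listing should then show the same paths queued), and a final time after the Safe Mode reboot, when every path should report Present = False and the Run value should be gone after the HiJackThis fix. Hashes are kept literally rather than matched against anything, because the post names files only by path.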