07-13-2005, 11:58 PM   #4
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,326
OS: N/A


You have done well. Log looks so much cleaner.

cmappclient.exe - Since jotti gave it a clean bill of health, I think we'll leave it alone.

Let's clear up the remainder of the malware.



~~~~~~~~~~~~~~~
  1. Go to Start>Run - type regedit
  2. Go to File>Export & save the Registry somewhere as a backup.
  3. After you have done that, navigate to this key -
    HKEY_CURRENT_USER\Software\aurora
  4. Right click & delete the key
  5. Close the Registry Editor when you've finished
If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

WARNING - Only keys listed in red need to be deleted.


~~~~~~~~~~~~~~

Using HijackThis, select & fix this entry
O4 - HKLM\..\Run: [wnfkvb] c:\windows\system32\qyceyi.exe r
~~~~~~~~~~~~~~

Copy all the items below to the clipboard by highlighting them & pressing [CTRL]+[C] on your keyboard.
c:\windows\system32\qyceyi.exe
C:\WINDOWS\GVPPPC~1.EXE
C:\WINDOWS\VISFXUN.EXE
Start KillBox.
  1. Go to the File menu, and choose Paste from Clipboard.
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    * Delete on Reboot
    * End Explorer Shell While Killing File
    * "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click [Yes] at the 'Delete on Reboot' prompt.
  5. Click [Yes] at the Pending Operations prompt.

~~~~~~~~~~~~~~

Reboot & post a new HJT log
__________________

Question - what have you done for the community today?
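An added example, not part of sUBs's post or the original thread: the same three cleanup steps (back up and delete the registry key, remove the O4 Run value HijackThis reported, and delete the listed files at the next reboot) scripted for an elevated PowerShell 5.1+ session. It uses only the key, value and file names that appear in the post above; the backup folder and timestamp are assumptions, and it reproduces KillBox's "Delete on Reboot" through the Session Manager PendingFileRenameOperations value (the same mechanism MoveFileEx uses with MOVEFILE_DELAY_UNTIL_REBOOT) rather than the "End Explorer Shell" option.

```powershell
# Added example (not from the original thread): the post's cleanup steps as a
# PowerShell script. Assumptions: run as Administrator on PowerShell 5.1+, the
# registry value and file paths are exactly those the post lists, and $Backup
# is a writable folder chosen here for illustration.
$ErrorActionPreference = 'Stop'
$Backup = Join-Path $env:USERPROFILE 'Desktop\reg-backup'
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Back up before deleting anything (equivalent of regedit's File > Export).
$AuroraKey = 'HKCU:\Software\aurora'
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $AuroraKey) {
    reg.exe export 'HKCU\Software\aurora' "$Backup\HKCU-aurora-$Stamp.reg" /y | Out-Null
}
reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' "$Backup\HKLM-Run-$Stamp.reg" /y | Out-Null

# 2. Delete only HKEY_CURRENT_USER\Software\aurora (the post warns against
#    removing anything else). -Recurse takes its subkeys with it.
if (Test-Path $AuroraKey) {
    Remove-Item -Path $AuroraKey -Recurse -Force
    "deleted $AuroraKey"
}

# 3. Remove the autorun entry HijackThis listed as
#    O4 - HKLM\..\Run: [wnfkvb] c:\windows\system32\qyceyi.exe r
#    "HKLM\..\Run" is HijackThis shorthand for the full Run key used below.
$Run = Get-ItemProperty -Path $RunKey
if ($Run.PSObject.Properties.Name -contains 'wnfkvb') {
    "removing Run value wnfkvb -> $($Run.wnfkvb)"
    Remove-ItemProperty -Path $RunKey -Name 'wnfkvb'
}

# 4. Queue the files for deletion at next boot, which is what KillBox's
#    "Delete on Reboot" does. PendingFileRenameOperations is a REG_MULTI_SZ
#    read in pairs by Session Manager at startup: source path in \??\ form,
#    followed by an empty target, means "delete this file".
$Targets = @(
    'C:\WINDOWS\system32\qyceyi.exe',
    'C:\WINDOWS\GVPPPC~1.EXE',
    'C:\WINDOWS\VISFXUN.EXE'
)
$SessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
# Keep any operations Windows itself has already queued (e.g. from installers).
$Pending = @((Get-ItemProperty -Path $SessMgr).PendingFileRenameOperations |
             Where-Object { $_ -ne $null })
foreach ($t in $Targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        "not present, skipping: $t"
        continue
    }
    # Expand 8.3 short names such as GVPPPC~1.EXE to the real file name.
    $full = (Get-Item -LiteralPath $t -Force).FullName
    $Pending += "\??\$full"
    $Pending += ''
    "queued for delete on reboot: $full"
}
New-ItemProperty -Path $SessMgr -Name 'PendingFileRenameOperations' `
    -PropertyType MultiString -Value $Pending -Force | Out-Null

# Reboot afterwards, then confirm the files are gone before posting a new log:
#   $Targets | ForEach-Object { "$_ exists: $(Test-Path -LiteralPath $_)" }
```

Running this takes the place of steps 1-5 of the regedit instructions, the HijackThis fix, and the KillBox paste-and-delete sequence; the `.reg` exports in the backup folder are what you would double-click to undo the registry changes if a key turns out to be needed. The files are not touched until the reboot, so run the check in the final comment only after restarting.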