Tech Support Forum - View Single Post - Some Sort of Trojan (I am computer savvy)

Vikesrock8411 · 10-17-2005, 02:11 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Tools
Click Start->Run->Then Type "regedit"
Click File->Export and save a copy of your registry somewhere just in case
Then navigate to and delete the entries listed in Red:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nf syytsy

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

1. Checkmark/tick - Ignore Safe System Info Streams
2. Click Scan
3. When it has finished scanning, checkmark/tick all that it found
4. Click Remove Selected

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

C:\WINDOWS\untokuoitu.exe
C:\Documents and Settings\Caroline\Application Data\Sskdmns.dll
C:\Documents and Settings\Caroline\Application Data\Sskknwrd.dll
C:\Documents and Settings\Caroline\Application Data\Sskuknwrd.dll
C:\WINDOWS\system32\efqmm.dll
C:\WINDOWS\uhvokou.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Please go to Jotti Viruscan and upload the following files (one at a time):
C:\WINDOWS\SYSTEM32\identprv.dll
C:\WINDOWS\SYSTEM32\ride5.0.exe
C:\WINDOWS\SYSTEM32\wceprv.dll
C:\WINDOWS\ppc4Y

Please include the result of these scans in your next post

Please Run WinPFind again using the same directions as above.

In your next post please include:

A new Hijackthis! Log
WinPFind Log
Jotti results

10-17-2005, 02:11 PM	#12 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Viewing Hidden Files Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Downloads KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) Tools Click Start->Run->Then Type "regedit" Click File->Export and save a copy of your registry somewhere just in case Then navigate to and delete the entries listed in Red: *HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\nf syytsy If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Start HijackThis & Go to Config> Misc Tools > Open ADS Spy 1. Checkmark/tick - Ignore Safe System Info Streams 2. Click Scan 3. When it has finished scanning, checkmark/tick all that it found 4. Click Remove Selected Launch KillBox.exe & select the following options*: delete on Reboot Select all the filenames below & then right-click & select Copy C:\WINDOWS\untokuoitu.exe C:\Documents and Settings\Caroline\Application Data\Sskdmns.dll C:\Documents and Settings\Caroline\Application Data\Sskknwrd.dll C:\Documents and Settings\Caroline\Application Data\Sskuknwrd.dll C:\WINDOWS\system32\efqmm.dll C:\WINDOWS\uhvokou.exe Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click Yes at the 'Pending Operations prompt'. Please go to Jotti Viruscan and upload the following files (one at a time): C:\WINDOWS\SYSTEM32\identprv.dll C:\WINDOWS\SYSTEM32\ride5.0.exe C:\WINDOWS\SYSTEM32\wceprv.dll C:\WINDOWS\ppc4Y Please include the result of these scans in your next post Please Run WinPFind again using the same directions as above. In your next post please include: A new Hijackthis! Log WinPFind Log Jotti results