Thread: Win32.Trojan.RX
Old 04-26-2007, 08:32 PM   #9 (permalink)
Sempurna
Analyst, Security Team
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Win32.Trojan.RX

Hi ThePaper88,

You’ve done a great job so far. Well done, and keep up the good work!

Yes, AntiVir and some other AVs will flag some of the tools we use as malware. That is because the tools use the same coding as malware to fight them. Something like fighting fire with fire, you could say.

OK, let’s pick up the leftovers.

Please run OTMoveIt and move these files:

C:\WINDOWS\system32\wml.exe
C:\WINDOWS\wml.exe
NEXT:

Please run ComboFix one more time to make sure that the pe386 rootkit on your system is gone.

Then please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll"

Save this as fix.reg, change "Save as type" to "All Files", and place it on your desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you are still unsure how to create a REG file, please take a look HERE (with screenshots).


NEXT:

See if you can now run Panda ActiveScan and the Kaspersky Online Scanner. Let me know how things go.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from OTMoveIt.
  2. The log from the ComboFix scan.
  3. The log from the Panda scan (if possible).
  4. The log from the Kaspersky scan (if possible).
  5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
Last edited by Sempurna; 04-26-2007 at 08:33 PM.
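As an added illustration following Sempurna's post (not part of the thread or of any tool it names): a small Python model of what merging fix.reg does to the Browser Helper Objects key. It applies the REGEDIT4 fragment to a constructed registry snapshot; the rogue CLSID, its DLL path and its subkey are placeholders I made up, and the parser covers only the three constructs the fix uses (delete key, create key, string values).

```python
import re

# The fix.reg from the post, embedded as sample input (blank lines omitted).
FIX_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll"
"""
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
ROGUE = "{00000000-0000-0000-0000-000000000BAD}"  # constructed placeholder CLSID, not a real one
# Constructed "before" snapshot {key_path: {value_name: data}}: the three legitimate
# BHOs plus the placeholder rogue entry, which also owns a subkey under the BHO key.
BEFORE = {
    BHO_KEY: {
        "{02478D38-C3F9-4EFB-9B51-7695ECA05670}": r"C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
        "{53707962-6F74-2D53-2644-206D7942484F}": r"C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
        "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}": r"C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll",
        ROGUE: r"C:\WINDOWS\system32\placeholder_bho.dll",  # constructed path
    },
    BHO_KEY + "\\" + ROGUE: {"NoExplorer": "1"},
}
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')  # "name"="data"

def unescape(s):  # .reg syntax escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)

def apply_reg(reg_text, registry):
    """Apply a REGEDIT4 fragment (delete key, create key, string values) to a
    snapshot and return the new snapshot; the input dict is left untouched."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    reg = {k: dict(v) for k, v in registry.items()}
    current = None
    for line in filter(None, (l.strip() for l in lines[1:])):
        if line.startswith("[-") and line.endswith("]"):    # [-Key]: delete key and all subkeys
            target = line[2:-1]
            for k in [k for k in reg if k == target or k.startswith(target + "\\")]:
                del reg[k]
            current = None
        elif line.startswith("[") and line.endswith("]"):   # [Key]: create if absent, else reuse
            current = line[1:-1]
            reg.setdefault(current, {})
        else:                                               # value line under the current key
            m = VALUE_LINE.fullmatch(line)
            if m is None or current is None:
                raise ValueError("unsupported line: " + line)
            reg[current][unescape(m.group(1))] = unescape(m.group(2))
    return reg
```

The delete-then-recreate order is what makes the fix work: every BHO registration, including the placeholder rogue one and its subkey, is dropped, and only the three listed entries are written back.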