I'm RickJames
Posted - 2011.02.02 22:13:00 -
[1]
Edited by: I'm RickJames on 02/02/2011 22:15:38
I have been having a series of problems with trojans and other malware, and the older version of Kaspersky is having trouble with them (2009, but with new licenses), so I am manually removing them.
In my Application Data folder in Windows, I see a folder and two files created at the same time this morning (only today I had problems):
delme.exe
WtoSTzUZhXDMML (directory)
QmtBfswILOGetm (sub-directory)
4.17.46.9198 (sub-directory)
Throughout this process I have seen a lot of randomly named files being added to my startup, and I suspect this is one of them.
Also modified, but modified yesterday, was a file s3rv3r.exe.
Get rid of this stuff? I plan to quarantine them but do not want to mess up the OS's stability any more than it is now.
Grimpak
Gallente Noir. Noir. Mercenary Group
Posted - 2011.02.02 22:21:00 -
[2]
Remove Kaspersky and download Avast? It's free.
---
Quote: The more I know about humans, the more I love animals.
Ain't that right.
Barakkus
Posted - 2011.02.02 23:38:00 -
[3]
Edited by: Barakkus on 02/02/2011 23:40:09
Turn off System Restore: right click My Computer, then click Properties, then System Restore, and turn it off from there (they are getting archived into the System Restore files).
Then reboot. Start in safe mode. Run the registry editor and go to HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run. Delete anything listed in there that you don't know what it is (google stuff if you don't know). Then do the same in:
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\RunOnce
Go through your Startup menu and delete anything from there. Check autoexec.bat on C:\ for anything weird. Go through each user's temp directories located in C:\Documents and Settings\<username>\Local Settings\Temp and delete everything you can from there. If there are any executables that you cannot delete, kill the process from the Task Manager and try again. You also want to hit your temporary internet cache in C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files. There is a hidden subdirectory you will have to actually type the name to get into, C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5; clear that out as well. Check C:\Windows\Temp as well.
This is all for XP; some of the paths are different for Windows 7 and Vista for the user profile directories.
Reboot and start in safe mode again, go hunting one more time, then reboot and install Spybot Search & Destroy. Run that and hopefully it will clean up the remaining stuff that may not have been taken care of by the above steps.
You should make sure you're deleting stuff you know shouldn't be there. Don't worry about deleting stuff from the temp file directories; you should be OK with that.
You also want to make a sweep of your browser(s) and disable any plugins that you don't know what they are.
-- [SERVICE] Corp Standings For POS anchoring
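An added example, not from anyone in the thread, that does the review step above read-only: it lists every entry in the four Run/RunOnce keys and both Startup folders with the binary's resolved path, whether the file still exists and its Authenticode status, so unknown entries can be looked up before anything is deleted. It assumes Windows PowerShell; the key paths are the standard ones, which include a Windows component (HKLM:\Software\Microsoft\Windows\CurrentVersion\Run).

```powershell
# Added example, not from the thread: read-only autorun inventory for triage.
# Standard key paths (note the "Windows" component in the full path).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every key; these are not autorun values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath([string]$command) {
    # A Run value is a command line: take the quoted image path, or else the first token.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command.Trim() -split '\s+')[0]
}

function Get-AutorunReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user and all-users Startup folders (the "Startup menu" in the post).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $entries += [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
    foreach ($e in $entries) {
        $image  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $e.Command))
        $exists = Test-Path -LiteralPath $image
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Source      = $e.Source
            Name        = $e.Name
            Image       = $image
            Signature   = $sig
            # Worth a closer look: unsigned or missing binary, or one living under a profile/temp path
            ReviewFirst = ($sig -ne 'Valid') -or ($image -match '\\(Temp|Application Data|AppData)\\')
        }
    }
}

# Review the flagged rows first; nothing here modifies the system.
Get-AutorunReport | Sort-Object ReviewFirst -Descending | Format-Table -AutoSize
```

Entries whose image path is bare (for example a filename with no directory) resolve relative to the current directory and show as FileMissing; check those by hand.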
ivar R'dhak
Posted - 2011.02.03 00:31:00 -
[4]
Get Trend Micro's HiJackThis. It'll help you greatly in your problem analysis.
______________
Mal: "Appears we got here just in a nick of time. What does that make us?" Zoe: "Big damn heroes, sir." Mal: "Ain't we just."
Benny Hill
Caldari General Thrusters
Posted - 2011.02.03 00:42:00 -
[5]
Thank you for the suggestions.
I just bought the new version of the software from Kaspersky, as their tech support said their 2009 version had difficulties. I have been using it, but with new licenses. It detects it, it just has trouble cleaning it and everything else that was added with this attack. I'll see what this does.
I hadn't thought about trojans archiving themselves in System Restore files. So I will check that out now.
Cys Root
Gallente Onefix RD
Posted - 2011.02.03 01:16:00 -
[6]
Edited by: Cys Root on 03/02/2011 01:18:10
lol @ s3rv3r.exe
I know it sucks to hear, mate, but at this point I'd just back up your stuff, format your poor PC and start fresh.
EDIT: fun fact: googling s3rv3r.exe leads to this very thread.
Barakkus
Posted - 2011.02.03 01:45:00 -
[7]
Originally by: Benny Hill
> Thank you for the suggestions.
> I just bought the new version of the software from Kaspersky, as their tech support said their 2009 version had difficulties. I have been using it, but with new licenses. It detects it, it just has trouble cleaning it and everything else that was added with this attack. I'll see what this does.
> I hadn't thought about trojans archiving themselves in System Restore files. So I will check that out now.
If you still can't delete files, make sure you try in safe mode. If that still doesn't work, boot from your CD and go into recovery mode with a command prompt; don't have it repair your installation. Browse over to the files you need to get rid of from there and delete them. If all else fails, take your drive out and slave it in another machine and delete the files, just make sure you don't run any of the executables on the new machine :P
HijackThis will help if you know what you're doing as well.
-- [SERVICE] Corp Standings For POS anchoring
SirSpectre
Gallente Harbingers Of Destruction
Posted - 2011.02.03 15:24:00 -
[8]
Edited by: SirSpectre on 03/02/2011 15:24:05
Originally by: ivar R'dhak
> Get Trend Micro's HiJackThis. It'll help you greatly in your problem analysis.
This. HijackThis is awesome.
www.hijackthis.de
I'm RickJames
Posted - 2011.02.03 18:46:00 -
[9]
Thanks for the suggestions. I checked through everything, got the new application version of Kaspersky, and have everything cleaned out now.