Re: IE5 Exploit Trojan
From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 07/09/04
Date: Fri, 9 Jul 2004 21:59:25 +0800
You're more than welcome Lori. For additional assistance with the final
cleanup, feel free to move to www.auhma.org (forums) for dedicated
assistance.
--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org

"Lori" <anonymous@discussions.microsoft.com> wrote in message news:219c401c45c71$c8edbd20$a601280a@phx.gbl...
> Sandy,
> Did what your email suggested. Happy...no, thrilled to say we're back online. I was able to install the newest upgrade for our etrust ez antivirus from ca and it found the exploit trojan FINALLY and deleted it. We are still coming up with registry entries with Spybot, even though we keep telling it to fix the problem. It says it does, but when scanned again, lists the same RSO Exploit and PurityScan, I believe the category is. I was afraid to use the HijackThis because it said it lists everything and the user should know what to keep and what to delete, and I wasn't sure.
> But at least we're back online and eliminating some of this stuff. Thanks again for your intelligent suggestions and helpful reply.
>
>> -----Original Message-----
>> Sandy,
>> Thank you so much for the time you put into this reply. I am printing out these instructions and will go to these sites and do what you wrote. However, since we no longer have Internet access on that machine, I hope it's do-able to download this software on my machine and use them in the other computer's CD drive.
>> I will keep you posted. Thank you again for your response. I pray it will work.
>> Lori
>>
>>> -----Original Message-----
>>> "Lori" <anonymous@discussions.microsoft.com> wrote in message news:21d7801c45bca$735afa00$a101280a@phx.gbl...
>>>> George, by the way, I did a search and looked for the two files this article of Microsoft's mentioned, the Kk32.dll and the surf.dat, and couldn't find either one. Does that tell me something?
>>>
>>> I think it was erroneous to blame your problems on the Ject incident, especially considering the pop-ups you mentioned. Ject didn't do that. You've got other malware on your system somewhere.
>>>
>>> There are many people who have helped this FAQ improve over time - MVPs and newsgroup users. I thank all of you who have made the newsgroups, anti-malware websites and dedicated mailing lists into such a wonderful resource.
>>>
>>> Read the advice at my prevention link (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of your computer being infected.
>>>
>>> IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from the URL below - some malware can kill your internet connection when it is removed, and this software should get things going for you again:
>>> http://www.cexx.org/lspfix.htm
>>>
>>> Also get a copy of WINSOCKFIX available at:
>>> http://www.spychecker.com/program/winsockxpfix.html
>>>
>>> The software you should download and have ready to use is:
>>>
>>> AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All previous versions are NO LONGER SUPPORTED and will not be updated...]
>>> Spybot Search and Destroy - http://spybot.eon.net.au
>>> HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
>>> CWShredder - http://www.merijn.org/files/CWShredder.exe
>>>
>>> IMPORTANT: After obtaining the required software above, make sure you check for updates and run the programmes in safe mode.
>>>
>>> Malware removal (beginner's guide):
>>>
>>> First, go to Control Panel, add/remove programs. Check for malware entries and use the uninstall programs, then reboot.
>>>
>>> Go to start/run and type MSCONFIG. Go to the startup tab. Disable everything that you do not recognise as legitimate (do not disable any power profile options).
>>>
>>> Now go to the Services tab. Turn on the option to 'hide all Microsoft Services'. Disable everything that remains. If you don't have this option, don't worry about it.
>>>
>>> Reboot your computer and hold down the F8 key until the boot menu options appear. Choose Safe Mode as your startup choice. You will find information about what safe mode is, and what it does, at this link [http://inetexplorer.mvps.org/data/safe_mode.htm]
>>>
>>> Start CWSHREDDER, update it and fix anything it finds. Reboot back into safe mode.
>>>
>>> Start AdAware. Use the 'check for updates now' option. After you have updated, click 'start'.
>>>
>>> Note that when run using default settings, AdAware does not cope with new 'intelligent' malware. Make the following changes to the default settings.
>>>
>>> Use the option 'select drives/folders to scan'. Set AdAware to scan your entire hard drive.
>>>
>>> Make sure 'activate in depth scan' is enabled.
>>>
>>> Select 'use custom scanning options' and then click on the 'customize' button. Turn on the following scan options - scan within archives, scan active processes, scan registry, deep registry scan, scan [my] IE favorites for banned URLs, and scan [my] hosts file.
>>>
>>> Use the 'tweak' button. Turn on the following options:
>>>
>>> Cleaning engine: 'automatically try to unregister objects prior to deletion', 'let windows remove files in use at next reboot', 'delete quarantined objects after restoring'.
>>> Scanning engine: 'unload recognized processes during scan'.
>>>
>>> After you have finished with AdAware run Spybot to pick up any leftovers. Fix anything marked in red. Again, don't forget to check for updates first.
>>>
>>> Also do the following:
>>>
>>> Empty your IE cache and your other temporary file folders, eg: c:\temp, c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the path to your temp folder will change depending on your name) - sometimes programmes can be hidden in there - watch out for mysterious *.exe files or *.dll files in those folders.
>>>
>>> Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. Check for unrecognised objects there.
>>>
>>> Go to IE Tools, Internet Options, Accessibility. Make sure there is no style sheet chosen (under User Style Sheet - format documents using my style sheet). If the option is turned on, turn it OFF.
>>>
>>> If the problem comes back, start all over again but with the following changes (this section requires advanced computer skills - inexperienced users will require assistance):
>>>
>>> Examine win.ini using MSCONFIG to see what is loading. You may find something there. Go to MSCONFIG and go to the General tab. Turn off process win.ini file, load system services and load startup items. Restart Windows and run AdAware etc once more.
>>>
>>> Use services.msc to see what is running. Some malware is now registering itself as a Service. The problem is working out what is legitimate and what is not.
>>>
>>> I strongly recommend that unless you have strong experience working in this area that until such time as I am able to track down a comprehensive list of legitimate services (or put one together myself), that you post details of the services revealed by services.msc to a microsoft.public newsgroup for professional guidance. If you turn off the wrong service you could cause serious problems, and at the very worst, leave the computer unbootable.
>>>
>>> An experienced computer technician can use a programme such as AutoStart Viewer for in-depth diagnosis:
>>> http://www.diamondcs.com.au/index.php?page=asviewer
>>>
>>> Another excellent programme for the experienced user is APM (Advanced Process Manipulation), available at:
>>> http://www.diamondcs.com.au/index.php?page=apm
>>>
>>> Once the computer is clean, and if it applies to the operating system, create a new restore point. The old ones may, of course, be infected with the malware and therefore cannot be used. Run disk cleanup to remove old restore points (if your operating system has this option you will find it on the 'more options' tab of the disk cleanup utility). If the option to remove old restore points is not available, stop and restart the restore service which will flush out old restore points and prevent accidental reloading of malware.
>>>
>>> MS have released a limited KB article regarding what they call 'deceptive software'.
>>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
>>>
>>> Here is advice specific to:
>>>
>>> home page hijackings
>>> http://inetexplorer.mvps.org/answers.htm#home_page
>>>
>>> pop-up ads
>>> http://inetexplorer.mvps.org/data/popup.htm
>>>
>>> search engine hijackings
>>> http://inetexplorer.mvps.org/answers4.htm#search_engine
>>>
>>>
>>> --
>>> _______________________________________
>>> Sandi - Microsoft MVP since 1999 (IE/OE)
>>> http://inetexplorer.mvps.org
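Lori's worry in the thread is that HijackThis "lists everything" and leaves the keep/delete decision to the user. As an added example that is not part of this thread or of any tool Sandi lists, the Python below runs a first triage pass over a constructed HijackThis-style log, flagging the items her guide singles out: changed IE start/search pages, unnamed browser helper objects, autostart entries running from a temp folder, and Winsock LSP entries (the ones she says to have LSPFix ready for). The "Rn - ..." / "On - ..." line shape is assumed from HijackThis's usual layout; every name, CLSID and path in the sample is a placeholder.

```python
import re

# Constructed HijackThis-style log (sample data, not from the thread). The
# "Rn - ..." / "On - ..." line shape is assumed from HijackThis's usual layout;
# the names, CLSID and paths are placeholders chosen for the example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.invalid/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example_bho.dll
O4 - HKLM\..\Run: [Windows Update] C:\DOCUME~1\LORI\LOCALS~1\Temp\example_autorun.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_lsp.dll
"""

# Folder fragments that, lower-cased, mark an executable living in a temp area.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{0,2}) - (?P<body>.*)$")


def triage_line(line):
    """Classify one log line; returns (code, severity, reason) or None if unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    lower = body.lower()
    if code in ("R0", "R1"):
        # Start/search page values: compare with what the user actually chose.
        return (code, "review", "IE page setting = " + body.split("=", 1)[-1].strip())
    if code == "O2" and "(no name)" in lower:
        return (code, "high", "unnamed browser helper object: " + body)
    if code == "O4" and any(t in lower for t in TEMP_MARKERS):
        # Matches the guide's warning about *.exe / *.dll files hidden in temp folders.
        return (code, "high", "autostart runs from a temp folder: " + body)
    if code == "O10":
        # Removing an LSP entry can break networking; the guide says keep LSPFix ready.
        return (code, "high", "Winsock LSP entry (have LSPFix/WinsockFix ready): " + body)
    return None


def triage_log(text):
    """Run triage_line over a whole log, keeping only flagged entries."""
    return [r for r in (triage_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for code, severity, reason in triage_log(SAMPLE_LOG):
        print(f"{severity:6} {code:3} {reason}")
```

Entries it does not flag (such as the SoundMan line) still need a human look, but the flagged set is where the guide says to start.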