Poster: ShadowPuterDude (Kevin), Advanced Member, Northern NY; Co-founder and Webmaster, Malwareteks.com; interests: Killing Malware
Joined Tuesday, May 23, 2006; last visit Monday, October 26, 2009 3:53:30 AM; 2,252 posts
Thread Closed
Reason: Resolved
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
a-squared Team - www.emsisoft.com
|
Why are you still running Norman? PEV.exe is not a trojan; that is a False Positive.
|
Norman says it deleted the files. Restore Points can't be individually deleted; you must turn off System Restore to remove Restore Points.
Post a fresh a-squared log.
|
Doing a System Restore from an earlier Restore Point may reinfect the system. If you choose to do so, post fresh logs. I will check to see if any malware was restored.
|
Thread Closed
Reason: Lack of Response
PM either ShadowPuterDude or Lynx to have this thread reopened.
|
Download the file from this link, http://www.istanto.net/wp-content/uploads/2009/03/repair.inf, then right-click it and select Install.
|
1. Disconnect your computer from the network.
2. Turn off System Restore while cleaning.
3. Copy the contents of the below quote box to Notepad; Save As repair.inf to your Desktop; make sure File Type: is set to All Files (*.*).
Code:
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Restore the default open command for each executable file type ("" is a literal quote inside an INF string)
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the logon shell and the Safe Mode alternate shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; Disable the administrative shares and AutoRun on all drive types. 0x00010001 = REG_DWORD;
; the 0x000000ff flags value that circulates with this file is not a valid type and sets FLG_ADDREG_KEYONLY, so the value would never be written
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareServer,0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x00010001,255

[del]
; Remove the policies the malware sets to block Registry Editor and Task Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr

Close Notepad.
Locate repair.inf on your Desktop. Right-click on it and choose 'Install'.
4. Scan with Norman Malware Cleaner. Please note: because this virus infects files with the extensions .exe, .com and .scr, you have to rename Norman_Malware_Cleaner.exe with a new extension, for example Norman_Malware_Cleaner.cmd.
Make sure you download a fresh copy of the cleaner from Norman's official website, and don't run it before you change the extension, or the cleaner will get infected before it can eliminate Sality.
5. Repair Safe Mode: Download safemoderepair.zip and merge only the registry patch for your Operating System.
7. Copy the contents of the below quote box to Notepad; Save As repair1.inf to your Desktop; make sure File Type: is set to All Files (*.*).
Code:
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Same file type, shell, share and AutoRun repairs as in step 3
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareServer,0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
; Re-enable the Security Center notifications and clear the override flags
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center, UacDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center, UpdatesDisableNotify,0x00010001,0

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
; No value name here: this deletes the whole Security Center\Svc key
HKLM, SOFTWARE\Microsoft\Security Center\Svc

Close Notepad.
Locate repair1.inf on your Desktop. Right-click on it and choose 'Install'.
8. Reboot your computer and scan again with Norman Malware Cleaner.
Reboot.
Post fresh logs for: Norman Malware Cleaner, a-squared Free/Anti-Malware.
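Before right-clicking Install on an INF like the ones in the post above, it pays to read each AddReg line the way setupapi will: the fourth field is a flags word whose high word plus bit 0 select the value type, and whose low bits change what is written. The following is an added example (my own code, not from the thread or from any Emsisoft or Norman tool): it parses the AddReg and DelReg sections, applies the INF rule that "" inside a quoted string is a literal quote, decodes the flags with the constants from setupapi.h, and warns about entries that will not do what the author meant. SAMPLE_INF is a constructed excerpt in the same syntax as the posted repair.inf, including the 0x000000ff flags form that has circulated with that file; the function and variable names are my own.

```python
"""Lint an INF [AddReg]/[DelReg] file before right-click installing it. Added example,
not code from the thread; flag constants are from setupapi.h, quoting rules are INF's."""

FLG_ADDREG_TYPE_MASK = 0xFFFF0001            # high word plus bit 0 select the value type
REG_TYPES = {0x0: "REG_SZ", 0x1: "REG_BINARY", 0x10000: "REG_MULTI_SZ",
             0x10001: "REG_DWORD", 0x20000: "REG_EXPAND_SZ", 0x20001: "REG_NONE"}
MODIFIERS = {0x02: "NOCLOBBER", 0x04: "DELVAL", 0x08: "APPEND", 0x10: "KEYONLY",
             0x20: "OVERWRITEONLY", 0x1000: "64BITKEY", 0x2000: "KEYONLY_COMMON", 0x4000: "32BITKEY"}

# Constructed excerpt in the syntax of the repair.inf posted above (not the full file),
# including the 0x000000ff flags form that has circulated with it.
SAMPLE_INF = r'''
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM, SOFTWARE\Microsoft\Security Center\Svc
'''

def split_fields(line):
    """Split an entry on commas outside "..." strings; quotes dropped, "" -> literal quote."""
    fields, cur, inq, i = [], '', False, 0
    while i < len(line):
        c, nxt = line[i], line[i + 1:i + 2]
        if c == '"' and inq and nxt == '"':      # doubled quote inside a string
            cur, i = cur + '"', i + 1
        elif c == '"':
            inq = not inq
        elif c == ',' and not inq:
            fields, cur = fields + [cur.strip()], ''
        else:
            cur += c
        i += 1
    return fields + [cur.strip()]

def parse_sections(text):
    """{section name (lower-case): [entry lines]}; blanks and ;-comments dropped."""
    sections, cur = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith('['):
            cur = line.strip('[]').strip().lower()
            sections.setdefault(cur, [])
        elif cur is not None and not line.startswith(';'):
            sections[cur].append(line)
    return sections

def decode_flags(field):
    """AddReg flags field -> (registry type, modifier flag names); an empty field means REG_SZ."""
    flags = int(field, 0) if field else 0
    mods = [name for bit, name in MODIFIERS.items() if flags & bit]
    return REG_TYPES.get(flags & FLG_ADDREG_TYPE_MASK, "UNKNOWN"), mods

def referenced_lines(sections, directive):
    """Entry lines of every section listed by AddReg=/DelReg= under [DefaultInstall]."""
    lines = []
    for d in sections.get('defaultinstall', []):
        key, _, names = d.partition('=')
        if key.strip().lower() == directive:
            lines += [l for n in names.split(',') for l in sections.get(n.strip().lower(), [])]
    return lines

def addreg_entries(sections):
    """One dict per AddReg line: root, subkey, name ('' = default value), type, mods, value."""
    out = []
    for f in map(split_fields, referenced_lines(sections, 'addreg')):
        root, subkey, name, flagf = (f + [''] * 4)[:4]
        reg_type, mods = decode_flags(flagf)
        out.append(dict(root=root, subkey=subkey, name=name, type=reg_type, mods=mods, value=','.join(f[4:])))
    return out

def delreg_entries(sections):
    """[(root, subkey, value name)]; an empty value name deletes the whole key."""
    return [tuple((split_fields(l) + [''] * 3)[:3]) for l in referenced_lines(sections, 'delreg')]

def lint(entries):
    """Warnings for AddReg lines that will not do what the author meant."""
    warns = []
    for e in entries:
        where = f"{e['root']}\\{e['subkey']}\\{e['name'] or '(Default)'}"
        if 'KEYONLY' in e['mods'] or 'KEYONLY_COMMON' in e['mods']:
            warns.append(f"{where}: KEYONLY flag set, value {e['value']!r} is never written")
        if 'shell\\open\\command' in e['subkey'].lower() and '%1' in e['value'] and '"%1"' not in e['value']:
            warns.append(f"{where}: %1 is unquoted in {e['value']!r}, breaks on paths with spaces")
    return warns

if __name__ == '__main__':
    sections = parse_sections(SAMPLE_INF)
    adds = addreg_entries(sections)
    for e in adds:
        print("ADD", e['type'], e['root'] + '\\' + e['subkey'], e['name'] or '(Default)', repr(e['value']))
    print(*[f"DEL {r}\\{s} {n or '(whole key)'}" for r, s, n in delreg_entries(sections)], *lint(adds), sep='\n')
```

Running it on the sample shows two things worth knowing before installing such a file. With flags 0x000000ff the NoDriveTypeAutoRun line decodes as REG_BINARY with FLG_ADDREG_KEYONLY set, which creates the key and never writes the value; 0x00010001,255 is the REG_DWORD form that does. And the regfile line written as "regedit.exe "%1"" parses to regedit.exe %1 under the documented INF quoting rule, so the unambiguous form is "regedit.exe ""%1""". The linter only parses text and never touches the registry, so it can be run on any machine, including one that is not the infected system.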
|
OK. Run the Norman Malware Cleaner again, and post the resulting log.
|
This thread will not show in the new forum; the databases are not compatible with each other.
This may be a False Positive:
Code:
C:\WINDOWS\system32\OLEPRO32.DLL
Submit the file to http://www.virustotal.com/ for analysis.
Post the link to the VirusTotal scan results.
|
Download the file rmslt.exe.
Then run the tool to remove infected files. The tool will automatically scan all available disks and will try to heal the infected files. If an active virus is found in memory, the tool will ask the user to reboot the computer. Healing will be performed during the operating system boot-up sequence, so an active virus cannot interfere with the healing process.
-----------------------------------------------------------
Download ComboFix from one of these locations:
Link 1 Link 2 Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
Double-click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you (C:\ComboFix.txt).
-----------------------------------------------------------
Post fresh logs for:
- ComboFix (C:\ComboFix.txt)
- a-squared Free
- ISeeYouXP
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!