Hello cptz,
System.ini is clean, the keylogger usually adds a line in the load section. Maybe you didn't get the full install or Ewido did already delete some files the first time. Something I would like you to check :
Using windows explorer, navigate to c:\windows and look for a folder that starts with inet and some numbers - example : C:\WINDOWS\inet20001 - Delete the folder if found.
______________________________
Keep all browsers closed. Click on
Start then
Control Panel
Double click on the
Java plug-in icon (there may be more than one). The Java Control Panel appears.
- Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
- Click the Delete Files. The Delete Temporary Files dialog box appears.
Put a checkmark next to the three options on this window to clear the cache.
- Downloaded Applets
- Downloaded Applications
- Other Files
- Click Ok on the Delete Temporary Files window.
- Click Ok on Temporary Files Settings window.
If there are other Java plug-in icons... perform the same action on all of them. That should clean out the infected files.
______________________________
Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{D49E9D35-254C-4C6A-9D17-95018D228FF5}"=-
"{D49E9D35-254C-4C6A-9D17-95018D228FF5}"-
"{2D51D869-C36B-42BD-AE68-0A81BC771FA5}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx76E.tmp"=-
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx76F.tmp"=-
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx780.tmp"=-
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx7A2.tmp"=-
"C:\\WINDOWS\\system32\\sachostw.exe"=-
"C:\\WINDOWS\\system32\\sachostc.exe"=-
"C:\\WINDOWS\\system32\\sachosts.exe"=-
Save it to your desktop as
Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg
Locate
Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click
YES. Wait for the
merged successfully prompt.
______________________________
A small cleanup ...
If you already have the latest Ad-Aware SE 1.06 version, skip to
Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from
here and install it. Uncheck all the options before leaving the Install Wizard.
Run Ad-Aware and Click on the
World Icon. Click the
Connect button on the webupdate screen. If an update is available download it and install it. Click the
Finish button to go back to the main screen.
Click on the
Gear Icon (second from the left at the top of the window) to access the Configuration Window.
Click on the
General Button on the left and select in
green- Under Safety
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)
- Under Definitions
- Prompt to udate outdated definitions - set to 7 days
Click on the
Scanning Button of the left and select in
green- Under Driver, Folders & Files
- Under Select drives & folders to scan
- Under Memory & Registry
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
Click on the
Advanced Button on the left and select in
green- Under Shell Integration
- Move deleted files to Recycle Bin
- Under Logfile Detail Level
- Include addtional object information
- DESELECT - Include negligible objects information (make it show a red X)
- Include environment information
- Under Alternate Data Streams
- Don't log streams smaller than 0 bytes
- Don't log ADS with the following names: CA_INOCULATEIT
Click the
Tweak Button and select in
green- Under the Scanning Engine (Click on the + sign to expand)
- DESELECT Unload recognized processes & modules during scan (make it show a red X)
- Scan registry for all users instead of current user only
- Under the Cleaning Engine (Click on the + sign to expand)
- Always try to unload modules before deletion
- During Removal, unload Explorer and IE if necessary
- Let Windows remove files in use at next reboot
- Under the Log Files (Click on the + sign to expand)
- Include basic Ad-aware SE settings in logfile
- Include additional Ad-aware SE settings in logfile
- Include reference summarry in log file
- Include alternate data stream details in log file
Click on
Proceed to save the settings and close the program.
______________________________
If Spybot - S&D 1.4 is already installed on your system, skip to
Update Spybot - S&D before using it. Otherwise download Spybot - S&D from the following link:
Spybot - Search and DestroyWhen you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, pressing the Next button until you get to the
Select Additional Tasks screen.
Under
Permanent protection, make sure to
uncheck the following items for now:
- Use Internet Explorer Protection
- Use system settings Protection (TeaTimer)
Press the Next button and then the Install button to start the installation process. When the installation process is complete, make sure that
Run Teatimer is
unchecked.
Launch Spybot - S&DIf you told Spybot to launch when it was done installing, the program should now be open. Otherwise find the icon on your desktop and double-click on it. When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the
Next button. Click on the button labeled
Start using this program to begin using Spybot - Search & Destroy.
Update Spybot - S&D before using itClick on the
Search for Updates button. If there are available updates, they will be listed. Click on the
Download Updates button and Spybot - S&D will download the updates and install them.
______________________________
Run Ad-Aware and Click on the
Scan Now Button
- Choose Perform Full System Scan
- DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click
Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to
Scan Complete.
Click the
Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the
Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects,
right click on one of them, click the
Select All entry in the pop-up menu to mark all entries. Click
Next and then
OK in the dialog box to confirm the removal.
Reboot to complete the removal of what Ad-Aware SE found.
______________________________
Run Spybot - S&D
Click the button
Check for Problems
When Spybot is complete, it will be showing
RED entries,
BLACK entries and
GREEN entries in the window.
Make sure that there is a check mark beside all of the
RED entries
ONLY.
Choose
Fix Selected Problems and allow Spybot to fix the
RED entries.
If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply
Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.
At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.
______________________________
Let me know how the computer behaves please. The virtualguy2.exe is probably just like the virtualgirl thingie. I fully understand that you don't want to find out more about it. Asking him about the program may make him feel embarrassed too.
Kim
