Antivirus Xp 2008



#1 berend

Posted 10 August 2008 - 06:08 PM

Hello,

I registered today because I followed your "How to remove Antivirus XP 2008 (Uninstall Instructions)", but I believe I was still infected after that. I noticed something that I did not find described anywhere and that may be of help to others:

When I was first infected with that thing I noticed a new file %WINDIR%\system32\el32.dll that was in use while the virus did its thing. I removed it in the recovery console (started from XP CD), but it reappeared shortly after that.

The Malwarebytes software that you recommend removed most symptoms but left el32.dll in place. Also, it claimed that the DLL was "not infected". However, it was still newly created and still in use, which made me suspicious. I got rid of it as follows:
- Downloaded PrcView 5.2.15 (Google for the newest version of PrcView).
- In PrcView, go to menu View | Module Usage and find el32.dll in the list. Right-click the DLL and select "Filter Process List".
- Now only one instance of svchost.exe is shown in the main window of PrcView (note that svchost.exe is a generic process host; it is not necessarily bad). Right-click that instance and select Kill (it would have been smart to first check how it was run, which PrcView can also do, but I did not think of that - sorry).
- After that I ran ComboFix, which deleted some files:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\#SharedObjects\Q92H8EFP\interclick.com
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\#SharedObjects\Q92H8EFP\interclick.com\ud.sol
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\userini.exe

It also found a new file c:\windows\el.ini, with these contents:

[proxy]
host1=a.meza69.com
host2=s.tras63.com
host3=pool.westpop.com
file1=vcgi/epart/update.cgi
file2=vcgi/epart/update.cgi
file3=vcgi/epart/update.pl
id=17339062

I removed that manually, just to be sure. I will also reinstall Symantec Antivirus, which appears to be broken (each time I access a file in Explorer, it tries to reinstall Symantec AV).

Edited by berend, 10 August 2008 - 06:09 PM.
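The step the post above regrets skipping, checking how the svchost.exe instance that had el32.dll loaded was started before killing it, can be scripted. The following is an added example, not code from the original post or from PrcView; it assumes PowerShell 3 or later with the CIM cmdlets, administrative rights, and uses the el32.dll name from the post as its default parameter.

```powershell
# Added example (not from the original post): list every process that has a given DLL
# loaded, together with how it was started, so the host can be inspected before it is
# killed. For svchost.exe it also reports the hosted services and their ServiceDll,
# because a svchost instance is only as trustworthy as the services it is hosting.
function Find-LoadedModule {
    param([string]$ModuleName = 'el32.dll')   # name taken from the post above

    foreach ($proc in Get-Process) {
        # Module enumeration throws on protected or bitness-mismatched processes; skip those.
        try { $mods = $proc.Modules } catch { continue }
        $match = $mods | Where-Object { $_.ModuleName -ieq $ModuleName }
        if (-not $match) { continue }

        # Win32_Process carries the full command line the process was started with.
        $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
        $svcs = @()
        if ($proc.Name -ieq 'svchost') {
            $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
                ForEach-Object {
                    # Service DLLs hosted by svchost are registered under Parameters\ServiceDll.
                    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
                    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
                    if (-not $dll) { $dll = '<no ServiceDll>' }
                    "{0} -> {1}" -f $_.Name, $dll
                }
        }

        [pscustomobject]@{
            Process     = $proc.Name
            PID         = $proc.Id
            CommandLine = $cim.CommandLine
            ModulePath  = ($match | Select-Object -First 1).FileName
            Services    = ($svcs -join '; ')
        }
    }
}

# Usage: review the output (command line, module path, hosted services) before acting.
Find-LoadedModule -ModuleName 'el32.dll' | Format-List
```

A ServiceDll that points outside %WINDIR%\system32, or a service name you do not recognise, is the kind of detail worth recording (and submitting to the cleanup log) before the process is terminated.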

