Hey guys, this is my first post. I came across this site when I was struggling with Vundo.
To get rid of these I use a combination of three free virus scanners and a little elbow grease. I didn't have to register any of them, but I think I will now.
1. Prevx 3.0 (Needs registration for removal) http://www.prevx.com/
2. Spyware Doctor (Needs registration for removal) http://www.pctools.com/spyware-doctor/
3. AVG Internet Security (free 30 day trial) http://free.avg.com/us-en/homepage
My system started running very slow. I think I got this Trojan from a bad copy of Ad-Aware.
I noticed through scanning I had a file named IPSEMEM.dll attaching itself to my running applications and background services.
I was able to use Notepad to open this file, delete all of its contents, and re-save it under the same name.
(The file was located in c:\Documents and settings\administrator\local settings\temp\IPsemem.dll)
I couldn't see this file in the dir, but the scanner said it was there, so I tried to just open it manually with Notepad and it worked.
Prior to me deleting this file I was unable to start in safe mode; after I modified it I could get in. I used safe mode with command prompt.
I also searched for this file in the registry and found it pairing itself with another DLL called Nozigita.dll.
The scanners also pick that one up.
Make sure to delete all references to IPSEMEM.Dll in the registry also, because it attaches itself to the win logon and runs at the password screen.
Now start safe mode and run Prevx. Do this by using CMD: change your dir to c:\programfiles\prevx\ and then run prevx.exe.
The scanner will pop up. Do a scan and record all of the Trojan names along with the path name where they are located.
I loaded all of these files into EDIT and manually deleted their contents. I did this by going to the DIR the Trojans were located in and typing (For Example) EDIT NOZIGITA.DLL.
Some of them are write protected and won't let you delete them, but we just want to wreak as much havoc on this little SOB as we can.
Remember not to change the file name, or the Trojan will probably just make another copy. Just kill its contents.
Here are some of the names you should look for in your system32 dir and in your registry.
Nozigita <---Seems to be the main
Zunifata <---Possible other main
There were also some temporary files in my c:\documents and settings\Administrator\local settings\temp with names something like 0.06738347824.tmp. Delete those too; they showed up on the scan after I was poking around in the folder.
I did a search of my registry and deleted all strings that had those names in them. Also, don't forget to delete IPSEMEM from the reg also.
All in all, this took me four days of trial and error to come up with this information. Anywho, it worked and now I'm back to normal. This thing is tricky and it's gonna throw you for a few loops. After you get most of the Trojan's files corrupted you will be able to delete them manually, using the Notepad trick on the ones that usually attach themselves to the running processes.
I just hope this information can be of some use to some of you out there.
Edited by Kroltz, 02 February 2010 - 10:09 PM.
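
An added example, not part of the original post: a read-only check that lists every key and value in a registry export (`.reg` text) mentioning the DLL names from the post, so each reference can be reviewed before anything is deleted. The sample export is constructed, and the `ExampleVendor` key in it is a placeholder.

```python
import re

# DLL base names taken from the post; matching is case-insensitive.
NAMES = ("ipsemem", "nozigita", "zunifata")

# Constructed sample in .reg export format (not from a real system).
# Real exports are UTF-16; open them with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nozigita]
"DllName"="C:\\WINDOWS\\system32\\nozigita.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Placeholder]
"Path"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\IPsemem.dll"
'''

KEY_RE = re.compile(r'^\[-?(.+)\]$')                     # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=data or @=data

def find_references(reg_text, names=NAMES):
    """Return (key, value_name, data) for every key path or value that
    mentions one of the names. value_name and data are None when the key
    path itself matches. Continuation lines of hex data are ignored."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if any(n in key.lower() for n in names):
                hits.append((key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            vname, data = m.group(1), m.group(2)
            if any(n in (vname + data).lower() for n in names):
                hits.append((key, vname.strip('"'), data))
    return hits

if __name__ == "__main__":
    for key, vname, data in find_references(SAMPLE_REG):
        print(key, "->", vname if vname else "(key name matches)", data or "")
```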