George Hester
Yesterday while surfing I noticed my modem clicking. I don't use the modem for Internet connection; I only use it for FAX service. Anyway, I knew something was wrong. In the Task Manager (Windows 2000) this file was running:
dale.exe
This file has no Version tab in Properties and thus is suspect. It is 27KB, about the size of the NETSKY virus and variants. It has an accompanying DLL called 2.01.00.dll. The name is not important here. It is a self-registering DLL, so you can remove its information from the registry using this command in a command prompt in the folder where it resides (%SYSTEMROOT%\system32\services):
regsvr32 /u 2.01.00.dll <ENTER> | OK <OK>
That should be the very first step. Once that is done you can end the process of dale.exe in the Task Manager. But there is still a long way to go before you've cleaned out this CoolWebSearch hijack.
Next get Merlin's CWShredder. That will fix Windows Media Player 9, whose executable is replaced by this worm. Also the other files in the above services folder (which you should not have there) are:
crontab.ini
keywords.ini
sl.ini
titles.ini
wmplayer.exe (the worm)
You will also find the above executable called in the Registry in these keys:
HKCR\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(remove the call to the executable on right)
Also it infests win.ini. CWShredder will find that and take care of it.
Still not done.
At this point you have to make sure that your dllcache is replenished with bona fide files. This is a smart worm and the developers have gone to great lengths to make sure you overlook something. To replenish the dllcache, insert your Windows 2000 (in my case) CD-ROM, go to the command prompt and type:
sfc /purgecache /scannow
The last switch is only necessary in Windows 2000 Professional.
Now you have a new dllcache and you should be able to fire up the other Spyware catchers you have:
Adaware 6
BHODemon
HijackThis
Rebooting during this process when significant changes are made should get everything back to normal. Oh, I forgot. You also have to reinstall Windows Media Player 9. If you are in XP I'm not sure what to do here...
And one last caveat. If you are using Windows 2000 SP3, then sfc will break your system. You need to get qfecheck.exe and determine with that which hotfixes you need to reapply. Watch out for HTML Help breaking, and you might need to reinstall Windows Messaging if you use it.
HTH someone.
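Offline triage of the autostart locations the post walks through (the two Run keys and win.ini), as an added example that is not part of the original post or of CWShredder, HijackThis or any other tool it names. It assumes the Run keys were exported from regedit in .reg text form (where backslashes appear doubled and embedded quotes as \") and that win.ini starts programs from its run= and load= lines under [windows]. The .reg export and the win.ini below are constructed samples; the machine-wide key is written as HKEY_LOCAL_MACHINE, and the dropped-files folder is matched by its \system32\services tail rather than a fixed drive letter.

```python
"""Offline triage of the autostart locations named in the post.

Constructed inputs stand in for a regedit export of the two Run keys and a
copy of win.ini pulled from the infected box. Nothing here touches the live
registry, so it can be run from a clean machine against the exported text.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: what regedit writes when the Run keys are exported.
# Exported .reg text doubles backslashes and escapes embedded quotes as \".
SAMPLE_RUN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"dale"="C:\\WINNT\\system32\\services\\dale.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"wmplayer"="\"C:\\WINNT\\system32\\services\\wmplayer.exe\" /silent"
'''

# Constructed sample of win.ini; run= and load= under [windows] are the two
# legacy lines Windows still honours for starting programs at logon.
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINNT\system32\services\wmplayer.exe
[Desktop]
Wallpaper=
'''

# The folder the post says the dropped files live in, matched by its tail so
# the drive letter and the %SYSTEMROOT% directory name do not matter.
SUSPECT_DIR_TAIL = r"\system32\services"
# Names with no legitimate home anywhere. wmplayer.exe is deliberately not
# listed: the real player lives under Program Files, so it is only suspect
# when it sits in the services folder.
SUSPECT_NAMES = {"dale.exe", "2.01.00.dll"}

_REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: a doubled backslash becomes one, \" becomes a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_strings(reg_text):
    """Yield (key_path, value_name, value) for every REG_SZ line in a .reg export."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_LINE.match(line) if key else None
        if m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def image_path(command):
    """Pull the executable out of a Run value: a quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_suspect(path_str):
    """True if the executable sits in the dropped-files folder or carries a dropped name."""
    p = PureWindowsPath(path_str)
    in_services_dir = str(p.parent).lower().endswith(SUSPECT_DIR_TAIL)
    return in_services_dir or p.name.lower() in SUSPECT_NAMES


def win_ini_autoruns(ini_text):
    """Return [(key, command)] for non-empty run= and load= lines in [windows]."""
    section, found = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k.lower() in ("run", "load") and v:
                found.append((k.lower(), v))
    return found


def triage(reg_text, ini_text):
    """Return [(location, executable)] for every autostart entry pointing at the hijack."""
    findings = []
    for key, name, value in parse_reg_strings(reg_text):
        exe = image_path(value)
        if is_suspect(exe):
            findings.append((key + "\\" + name, exe))
    for k, command in win_ini_autoruns(ini_text):
        exe = image_path(command)
        if is_suspect(exe):
            findings.append(("win.ini [windows] " + k + "=", exe))
    return findings


if __name__ == "__main__":
    for location, exe in triage(SAMPLE_RUN_REG, SAMPLE_WIN_INI):
        print(location, "->", exe)
```

Run against the samples it reports three entries to remove: the dale value under HKCU Run, the wmplayer value under HKLM Run, and the run= line in win.ini. Each reported location is one the post says to clean by hand or via CWShredder; the script only lists them, it does not edit anything, so the order the post gives (unregister the DLL, end the process, then remove the entries) is still yours to follow.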