the coolweb search file causing IE to revert to the about:blank page

Guest

i have located the coolwebsearch file that keeps causing my IE to revert to the about:blank page
windows\system32\eoe.dll

i found it using addware and updating my latest version

I cannot delete this pest. How can i delete it. It says make sure disk is not full or write protected

Can anyone help
 
If you mean Ad-aware, it should have been able to delete it for you. Do a
Google search for the file and you will find numerous removal tools.
 
Use CWShredder http://www.majorgeeks.com/download4086.html

: i have located the coolwebsearch file that keeps causing my IE to revert to the about:blank page
: windows\system32\eoe.dll.
:
: i found it using addware and updating my latest version
:
: I cannot delete this pest. How can i delete it. It says make sure disk is not full or write protected.
:
: Can anyone help
:
 
Download Hijack This http://www.majorgeeks.com/downloads31.htm

Please post your Hijack This logs in this "Expert Forum"

http://www.wilderssecurity.com/forumdisplay.php?f=2


----- ht wrote: ----

i have located the coolwebsearch file that keeps causing my IE to revert to the about:blank page
windows\system32\eoe.dll

i found it using addware and updating my latest version

I cannot delete this pest. How can i delete it. It says make sure disk is not full or write protected

Can anyone help
 
Are you ready? It isn't pretty or easy.

MVP Mike Burgess writes:

<quote>
Ok, here goes ... this is my "How To:" (Hint: print out the below)

[Tools and files needed]

Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step 1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisible installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.

[Step 2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step 3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows


Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.


IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder.
Click File (up top) select: Move

Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.

At this point see if you can rename the "<filename>.dll"
Do this several times, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes))
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found. Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, substitute the "secondary dll"
From: "text/html" as seen in the "output.txt"


[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard
drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer: Renaming the "Windows" key modified some security settings.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Right-click the "Windows" key, select: Permissions

[Example]
Before renaming the "Windows" key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"

~~
[Example]

After Renaming the key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators"
~~

You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.

Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control".
</quote>
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect
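
A read-only way to check the two things the quoted how-to touches, the "AppInit_DLLs" value and whether "Everyone" appears in the key's permissions, as an added PowerShell example that is not part of the original thread or of Mike Burgess's how-to. The helper name `Get-AppInitAudit`, the Wow6432Node path (the 32-bit view on 64-bit Windows) and the assumption that bare DLL names live in System32 are not from the thread.

```powershell
# Added example: read-only audit; nothing in the registry is changed.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # Assumption: 32-bit view on 64-bit Windows, not mentioned in the thread.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitAudit {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$KeyPath)

    # 1. DLLs listed in AppInit_DLLs (space- or comma-separated list).
    $raw = [string](Get-ItemProperty -Path $KeyPath -ErrorAction Stop).AppInit_DLLs
    foreach ($dll in ($raw -split '[,\s]+' | Where-Object { $_ })) {
        # Bare names are assumed to be in System32, where the how-to finds the file.
        $full = if (Split-Path -Path $dll -IsAbsolute) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        # A listed DLL that cannot be seen on disk fits the "hidden" file
        # the how-to describes, so report visibility rather than skip it.
        $seen = Test-Path -LiteralPath $full
        [pscustomobject]@{
            Key     = $KeyPath
            Finding = 'AppInit_DLLs entry'
            Detail  = $full
            Note    = if ($seen) { 'file visible on disk' } else { 'file NOT visible on disk' }
        }
    }

    # 2. Access rules granted to Everyone (well-known SID S-1-1-0).
    #    Asking for SIDs avoids depending on the localized group name.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $KeyPath).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq 'S-1-1-0') {
            [pscustomobject]@{
                Key     = $KeyPath
                Finding = 'Everyone in key permissions'
                Detail  = "$($rule.AccessControlType) $($rule.RegistryRights)"
                Note    = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
            }
        }
    }
}

# Audit each key that exists on this machine and show the findings.
$keys | Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-AppInitAudit -KeyPath $_ } |
    Format-Table -AutoSize -Wrap
```

No output means the value is empty and "Everyone" is not in the key's permissions.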
 