Trojan/Browsela/Looksky

[Guest]

I have a Trojan download in C:\windows\system32\browsela.dll, and can't
delete it.

Same applies to w32.looksky.A@mm in local settings somewhere.

How can I get rid of these things if my antivirusdoesn't?

 

[Guest]

Try booting in safe mode/command prompt. The file shouldn't be open then.

 

[David H. Lipman]

From: "benjammin" <[email protected]>

| I have a Trojan download in C:\windows\system32\browsela.dll, and can't
| delete it.
|
| Same applies to w32.looksky.A@mm in local settings somewhere.
|
| How can I get rid of these things if my antivirusdoesn't?

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

 

[Malke]

I have a Trojan download in C:\windows\system32\browsela.dll, and
can't delete it.

Same applies to w32.looksky.A@mm in local settings somewhere.

How can I get rid of these things if my antivirusdoesn't?

Since you didn't mention what av you are using, run either Sysclean or
Dave Lipman's Multi-AV:

http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean
http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download

Continue with general malware removal -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke

 

[Guest]

I tried using your method - in command prompt, i typed sfc.exe, then tried
scannow, but it said 'error code is 0x000006ba (The RPC server is
unavailable) and same sort of thing with other scans - what does this mean?

 

[Guest]

Command prompt is different from Safe Mode with command prompt

The sollution:
http://free.hit.bg/fightmalware/homepage_en.htm


Panda_man

 

[Guest]

These are helpful, but no spyware removal things will remove this, I need
something different - what does Dave Lipman's thing actually do? Preferably,
I'd just like to run the sfc/scannow, so does anyone know why it might not
work?

 

[Leythos]

what does Dave Lipman's thing actually do?

David's product works wonders using the manual scan engines from several
different vendors, and it has several fixes he's created to resolve
problems caused by malware that are not fixed by virus removal.

You really need to follow this directions exactly, and if you do, it
will leave you with a clean machine.

 

[cquirke (MVP Windows shell/user)]

(e-mail address removed) says...

David's product works wonders using the manual scan engines from several
different vendors, and it has several fixes he's created to resolve
problems caused by malware that are not fixed by virus removal.

You really need to follow this directions exactly, and if you do, it
will leave you with a clean machine.

I've downloaded it and read the HTML, but haven't used it yet - I'm
interested in seeing if it can be adapted to more formal use.

As it is, AFAIK it starts by downloading stuff (updates etc.) from
within normal (infected) Windows, then is to be used from Safe Mode,
etc. As Safe Mode doesn't suppress all explicit integrations and will
be likely to run intrafile code infectors, I'd really prefer to work
"from orbit", e.g. from Bart CDR boot.

At the least, I'd like to get updates etc. and prepare the scanners
from a clean PC, and then run them from Safe Mode on the infected PC,
preferably from read-only storage such as locked USB stick or CDRW.

Also, remember to re-apply any HOSTS-mediated static protection, such
as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
Dave's procedure appears to leave the existing HOSTS deactivated.

I'm working on a scanning wizard for Bart PE CDR boot that will run a
sequence of 5 av scanners with a minimum of stop/go interaction, so I
was interested in how Dave's worked.

------------ ----- ---- --- -- - - - -

The most accurate diagnostic instrument
in medicine is the Retrospectoscope

 

[David H. Lipman]

From: "benjammin" <[email protected]>

| These are helpful, but no spyware removal things will remove this, I need
| something different - what does Dave Lipman's thing actually do? Preferably,
| I'd just like to run the sfc/scannow, so does anyone know why it might not
| work?
|

SFC is the System File Checker and is NOT a program for dealing with malware. It is a tool
for dealing with OS corruption where a specific EXE or DLL file was accidentdetally replaced
with an older version file. For example, you install WinXP SP2 and you installed a new
printer but did not slipstream the installation files and a SP1 DLL replaced a SP2 DLL file.

The SFC can replace the faulty DLL with a SP2 DLL from a cache.

The tool that I suggested spaecifically seeks out Trojans, Viruses and other forms of
malware and removes them.

I suggest you use my tool and start with the McAfee module.

 

[David H. Lipman]

From: "cquirke (MVP Windows shell/user)" <[email protected]>


|
| I've downloaded it and read the HTML, but haven't used it yet - I'm
| interested in seeing if it can be adapted to more formal use.
|
| As it is, AFAIK it starts by downloading stuff (updates etc.) from
| within normal (infected) Windows, then is to be used from Safe Mode,
| etc. As Safe Mode doesn't suppress all explicit integrations and will
| be likely to run intrafile code infectors, I'd really prefer to work
| "from orbit", e.g. from Bart CDR boot.
|
| At the least, I'd like to get updates etc. and prepare the scanners
| from a clean PC, and then run them from Safe Mode on the infected PC,
| preferably from read-only storage such as locked USB stick or CDRW.
|
| Also, remember to re-apply any HOSTS-mediated static protection, such
| as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
| Dave's procedure appears to leave the existing HOSTS deactivated.
|
| I'm working on a scanning wizard for Bart PE CDR boot that will run a
| sequence of 5 av scanners with a minimum of stop/go interaction, so I
| was interested in how Dave's worked.
|| The most accurate diagnostic instrument
| in medicine is the Retrospectoscope
Any time you'd like to discuss my tool(s), you have my email address.

While you mention booting from a Bart PE, the included PDF file does provide instructions
for creating a DOS Boot Disk or DOS Boot Disk with NTFS4DOS for outside the OS scanning.

 

[Guest]

I'm currently running them all in normal mode, and I'll do them in safe
later. Thanks for the help - I'll tell you if they do the job.

 

[David H. Lipman]

From: "benjammin" <[email protected]>

| I'm currently running them all in normal mode, and I'll do them in safe
| later. Thanks for the help - I'll tell you if they do the job.
|


I'll be looking for your reply back.

 

[Leythos]

I've downloaded it and read the HTML, but haven't used it yet - I'm
interested in seeing if it can be adapted to more formal use.

As it is, AFAIK it starts by downloading stuff (updates etc.) from
within normal (infected) Windows, then is to be used from Safe Mode,
etc. As Safe Mode doesn't suppress all explicit integrations and will
be likely to run intrafile code infectors, I'd really prefer to work
"from orbit", e.g. from Bart CDR boot.

At the least, I'd like to get updates etc. and prepare the scanners
from a clean PC, and then run them from Safe Mode on the infected PC,
preferably from read-only storage such as locked USB stick or CDRW.

I did - I loaded it on a clean PC, then did the updates, stopped the
scans if they started, then burned the entire folder to a CD, copied the
folder to the infected C drive, made sure that the folder was not read-
only, ran it without any network connection, clean, easy, works great.

Also, remember to re-apply any HOSTS-mediated static protection, such
as Spyware Blaster or certain off-the-peg antimalware HOSTS files, as
Dave's procedure appears to leave the existing HOSTS deactivated.

I'm working on a scanning wizard for Bart PE CDR boot that will run a
sequence of 5 av scanners with a minimum of stop/go interaction, so I
was interested in how Dave's worked.

The only reason it needs to be on a drive is to expand the definitions
and create the log files - at least it appears that way.

 

[David H. Lipman]

From: "Leythos" <[email protected]>

|
| I did - I loaded it on a clean PC, then did the updates, stopped the
| scans if they started, then burned the entire folder to a CD, copied the
| folder to the infected C drive, made sure that the folder was not read-
| only, ran it without any network connection, clean, easy, works great.
||
| The only reason it needs to be on a drive is to expand the definitions
| and create the log files - at least it appears that way.
|

It is hard-coded to use; C:\AV-CLS as the base directory ONLY.

 

[Leythos]

| The only reason it needs to be on a drive is to expand the definitions
| and create the log files - at least it appears that way.
|

It is hard-coded to use; C:\AV-CLS as the base directory ONLY.

Sorry, forgot about that one.

 

[Guest]

I've tried them all in normal mode - no luck. At least one of them found the
exact file but couldn't open it. I'll try them in safe mode - might that
make a difference? I have also tried to manually delete the file myself, but
I can't because it is always 'in use'.

 

[David H. Lipman]

From: "benjammin" <[email protected]>

| I've tried them all in normal mode - no luck. At least one of them found the
| exact file but couldn't open it. I'll try them in safe mode - might that
| make a difference? I have also tried to manually delete the file myself, but
| I can't because it is always 'in use'.
|

You said..."At least one of them found the exact file but couldn't open it."

Please Copy and Paste the contents of the log of the AV module log file that did find this.

 

[Guest]

I have a similar problem:
I work a lot from my home PC for a university and has sophos loaded in it.
The regular daily scan on Monday revealed that I have a Troj/spyaks-B
infected in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
went in via command prompt and deleted the infected file but the home page
still set to a security centre page. Yesterday I followed the sophos
instruction and downloaded a SAV32CLI fix onto a CD-R and try to run it on
command prompt via F8 re-start. I am running Window XP 2002 home service
pack 2, and it will not let me get onto safe mode with command prompt at
restart, so I cannot run the fix on my PC.

 

[David H. Lipman]

From: "Bill Suen" <[email protected]>

| I have a similar problem:
| I work a lot from my home PC for a university and has sophos loaded in it.
| The regular daily scan on Monday revealed that I have a Troj/spyaks-B
| infected in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
| went in via command prompt and deleted the infected file but the home page
| still set to a security centre page. Yesterday I followed the sophos
| instruction and downloaded a SAV32CLI fix onto a CD-R and try to run it on
| command prompt via F8 re-start. I am running Window XP 2002 home service
| pack 2, and it will not let me get onto safe mode with command prompt at
| restart, so I cannot run the fix on my PC.



Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *