There is no "automated" anti-spyware removal tool for this type of
infection. There are 2 DLLs involved, the "BHO" DLL which you see in
your log and the main culprit which is totally hidden. Removing the
"BHO" DLL has no effect as it (main culprit) will simply generate a
new BHO DLL.
Ok, here goes ... this is my "How To:" (Hint: print out the below)
[Tools and files needed]
Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.
Download: CWShredder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.
Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.
Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.
Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.
Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.
[Step 1]
Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:
Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisible installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.
[Step 2]
Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)
[Step 3]
Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows
Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.
IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.
[Step 4]
Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)
Open Winfile
Navigate to System32 folder. N.B. File may have HIDDEN attribute.
Click File (up top) select: Move
Copy and paste this into the 'From' box:
C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box:
C:\Junk\<filename>.dll
Note: where "<filename>" = culprit dll from "output.txt"
Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
file.
At this point see if you can rename the "<filename>.dll"
Do this several times, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)
[Step 5]
Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt
[Step 6]
Open Regedit (Start | Run (type) "regedit" (no quotes)
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next
Note: where "<filename>" = culprit dll from "output.txt"
Remove all instances found. Press "F3" to continue searching
until you see the "Completed" message.
Next repeat the above steps, substitute the "secondary dll"
From: "text/html" as seen in the "output.txt"
[Step 7]
Run CWShredder and reboot.
[Step 8]
Run Ad-Aware
Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html
Launch the program, and click on the Gear at the top of the start
screen.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your
installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you
proceed.
After the above post a fresh log ...
--
Disclaimer: Renaming the "Windows" key modified some security
settings.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Right-click the "Windows" key, select: Permissions
[Example]
Before renaming the "Windows" key:
"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
*"Administrators"
*"Power Users"
*"Users"
"Write":
*"Administrators"
--
[Example]
After renaming the key:
"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write":
*"Administrators"
--
You need to check that, and if 'Everyone' was added (as seen above),
you need to reset your original settings as follows:
Note: do this after removing the infection.
Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.
Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control".
--
Ross
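Editor's added example (not part of Ross's post or of any of the tools he lists): a read-only PowerShell audit that reports the three things the how-to above has you inspect by hand, namely the AppInit_DLLs value under the "Windows" key (Step 2), whether an "Everyone" Allow entry is present on that key's permissions (the disclaimer section), and the registered Browser Helper Objects. It assumes Windows PowerShell 5.1 or later run from an elevated prompt. The "Windows" key path is the one named in the post; the Browser Helper Objects key and the CLSID\InprocServer32 lookup are the standard Windows registration locations, which the post does not name. The script changes nothing; cleanup is still the manual procedure in the post.

```powershell
# Added audit script, not from the original post. Read-only: reports, never modifies.
# Assumes an elevated Windows PowerShell 5.1+ session.

# Key named in the post (Step 2 / disclaimer section).
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
# Standard BHO registration key (assumption: not named in the post).
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-AppInitDlls {
    # Clean state is an empty value; any entry is a DLL loaded into every
    # process that links user32.dll, which is how the hidden installer persists.
    $props = Get-ItemProperty -Path $appInitKey -ErrorAction Stop
    $raw   = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # The value is a list separated by spaces or commas.
    return @($raw -split '[ ,]+' | Where-Object { $_ })
}

function Resolve-AppInitPath {
    # Bare filenames in AppInit_DLLs are looked up via the normal DLL search,
    # so treat a non-rooted entry as living in System32 (matches the post).
    param([string]$Entry)
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    return (Join-Path -Path "$env:SystemRoot\System32" -ChildPath $Entry)
}

function Test-EveryoneAccess {
    # Renaming the key (Step 3) can leave an "Everyone" Allow ACE behind.
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $hits = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow'
    }
    return [bool]$hits
}

function Get-BrowserHelperObjects {
    # Each BHO is a subkey named by CLSID; its DLL is the (default) value of
    # HKLM\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32.
    if (-not (Test-Path -Path $bhoKey)) { return @() }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path -Path $server) {
                      (Get-ItemProperty -Path $server).'(default)'
                  } else { $null }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    }
}

# ---- Report ----
$dlls = @(Get-AppInitDlls)
if ($dlls.Count -eq 0) {
    Write-Output 'AppInit_DLLs is empty (expected on a clean machine).'
} else {
    Write-Output 'AppInit_DLLs is populated; note each entry (Step 2 of the how-to):'
    foreach ($d in $dlls) {
        $full = Resolve-AppInitPath -Entry $d
        Write-Output ('  {0}  (file present: {1})' -f $full, (Test-Path -Path $full))
    }
}

if (Test-EveryoneAccess -Path $appInitKey) {
    Write-Output 'WARNING: "Everyone" has an Allow entry on the Windows key; reset permissions as in the disclaimer section.'
} else {
    Write-Output 'No "Everyone" entry on the Windows key.'
}

Write-Output 'Registered Browser Helper Objects (compare against the BHO line in your log):'
Get-BrowserHelperObjects | Format-Table -AutoSize
```

Run it before and after the cleanup: a populated AppInit_DLLs entry whose file reports "present: False" after Step 4 is the expected state once the DLL has been moved to C:\Junk, and the "Everyone" warning tells you whether the permission reset at the end of the post is needed.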
imoorthy said:
I have a Dell Inspiron 8200, laptop, 256 MB/30GB as my computer,
and of course runs WIN XP PRO. I have the following problems.
Extremely slow startup - 5-6 minutes and a slightly faster
shutdown. 2-3 minutes.
Slow response - click on the IE on quickstart it will take 2
minutes for about blank IE to come up.
I have tried to use the earlier solutions but with the following
results. I tried to download cwshredder and other such utilities
but I get the message you are not allowed to access the (download)
page.
I also see that my dialup internet connection gets disconnected frequently.
I used the Dell modem helper and it says my modem is in use when I
am not connected to the net (error code 67 - com port conflict)
I have Norton AVS and ZL pro firewall.
Please advise on next course of action.
thanks in advance to the various wizards out there.
RIM