Trojans & Worm


Cristian

Can anyone give me instructions on how to clean my computer.

I have three Trojans:

Glieder
Fantibag
Mitglieder

and this worm

Mytob-CM

I'm by no means a professional software tester or computer
guru, no computer wiz, so please respond in layman's terms.

Thank you

Cristian
 
Most of these are items that can be handled with an antivirus program.
Please make sure that Automatic Updates are turned on as well (right-click
My Computer -> Properties -> Automatic Updates). Set options to
automatically download and install so you get all the updates you need.
--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Hi Cristian

Download Hoster 1.6 to your desktop :

http://andymanchesta.com/Downloads2/hoster.zip


Download CCleaner :

http://download.ccleaner.com/download119bin.asp


Download The Beagle remover to your desktop :

http://securityresponse.symantec.com/avcenter/FxBeagle.exe


Download the Mytob remover to your desktop :

http://securityresponse.symantec.com/avcenter/FixMytob.exe


Download Trend's Damage clean up tool

http://www.trendmicro.com/ftp/products/tsc/tsc.zip

Save to desktop



Go to My Computer -> Tools/View -> Folder Options -> View tab
and make sure that 'Show hidden files and folders'
(or 'Show all files') is enabled & uncheck 'Hide
extensions for known types'. Also make sure
that 'Display the contents of system folders' is checked.

You can reset these when you are clean by pressing
restore defaults.


Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane,
click on the 'More advanced options' at the bottom. Make
sure that Search system folders, Search hidden files and
folders, and Search subfolders are checked.


Disable System Restore:

Go to Start > right-click My Computer > choose Properties,
then go to System Restore and check the box 'Turn off
System Restore', then press Apply. Again, you can set a new
restore point when you are clean by following the above
but unchecking 'Turn off System Restore'.


Safe Mode:

To boot into safe mode (reboot & keep tapping F8 until
you see the option page, then choose Safe Mode)



Once you have all the downloads, go into safe mode. First
run Trend's Damage Cleanup tool, with System Restore
turned off. The results will show in a folder called
reports once it has finished its scan. If it finds viruses
that cannot be deleted, save the report so you have the
filenames that still exist.




Glieder




This is a variant of the Beagle worm. Use this fix tool
from Symantec (download it to your desktop, reboot into
safe mode and run the remover).


Run the beagle remover

Delete this file if it still exists after running the
remover.

C:\Windows\System32\winshost.exe



Click Start > Run.

Type regedit

Click OK.

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"winshost.exe" = "%System%\winshost.exe"


Exit the Registry Editor.





Fantibag





Files connected are:

C:\WINDOWS\system32\firewall_anti.exe
C:\WINDOWS\system32\firewall_anti.exe.dll

In safe mode search for these files and delete if
found. If they are in use, press Control, Alt & Delete
(Task Manager), go to Processes and stop the process for
any you need to remove.


Click Start > Run.
Type regedit
Click OK.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"firewall_anti" = "%Windir%\firewall_anti.exe"


Exit the Registry Editor.






Mitglieder


File connected :


C:\Windows\System32\System.exe

Delete in safe mode:



Click Start, and then click Run. Type

regedit

Then click OK.


Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"ssgrate.exe"="%System%\system.exe"


Navigate to this key:


HKEY_CURRENT_USER\Software\DateTime


In the right pane, delete the values:

"pid" = <Process ID>
"uid" = <Random value>
"port" = <Listening Proxy Port>


Exit the Registry Editor.





Mytob-CM



Download this fixtool and run it in safe mode.

http://securityresponse.symantec.com/avcenter/FixMytob.exe


File connected:

C:\Windows\System32\nec.exe


Delete in safe mode, stopping the process if needed (Control, Alt &
Delete).


Click Start > Run.
Type regedit
Click OK.


Navigate to the subkey:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"WINDOWS SYSTEM" = "nec.exe"

Navigate to the subkey:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the right pane, delete the value:

"WINDOWS SYSTEM" = "nec.exe"


Exit Regedit


It also modifies your Hosts file to prevent you getting
access to security related sites.

Download Hoster 1.6 to your desktop :

http://andymanchesta.com/Downloads2/hoster.zip

Extract and run, choose 'Restore Original Hosts', then
exit Hoster.


Run CCleaner on all 3 settings (Windows, Applications and
Issues) and remove anything found.


Reboot into normal mode and run an online virus scan at at
least two of these sites, with System Restore still turned
off.


Online scanners:


Trend Micro

http://housecall.antivirus.com/

E Trust

http://www3.ca.com/virusinfo/virusscan.aspx

Panda

http://www.pandasoftware.com/activescan/

Bitdefender

http://www.bitdefender.com/scan/Msie/index.php

Trojan Scanner

http://www.windowsecurity.com/trojanscan/trojanscan.asp


And remove anything found. If you're clean again, you can
re-enable System Restore and set the folder view options to
default. If not, let me know what the virus scanners are
still detecting.

All the best


Andy Manc
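The indicators Andy lists, gathered into one read-only audit that reports what it finds instead of deleting it. This is an added example, not part of the thread or any vendor's fix tool; it assumes PowerShell is available and runs as Administrator, and takes the file names, registry values and vendor names only from the posts above.

```powershell
# Added read-only audit (not from the thread): reports whether the autostart
# entries, files and hosts-file changes named in the posts above are present.
# Assumes PowerShell is installed and the console runs as Administrator.
$sys = Join-Path $env:SystemRoot 'System32'

# Dropped files the thread associates with each sample.
$files = @("$sys\winshost.exe",          # Glieder
           "$sys\firewall_anti.exe",     # Fantibag
           "$sys\firewall_anti.exe.dll", # Fantibag (double extension hidden by default)
           "$sys\System.exe",            # Mitglieder
           "$sys\nec.exe")               # Mytob-CM
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Write-Output "FILE     $f" }
}

# Autostart keys the thread walks through; flag any value whose name or data
# mentions one of the names given there.
$pattern = 'winshost\.exe|firewall_anti|ssgrate\.exe|system\.exe|nec\.exe|WINDOWS SYSTEM'
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices')
foreach ($k in $keys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }   # RunServices does not exist on newer Windows
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata members
        if ("$($p.Name) $($p.Value)" -match $pattern) {
            Write-Output "AUTORUN  $k : '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# Mitglieder's proxy settings live under this key (pid / uid / port values).
$dt = 'HKCU:\Software\DateTime'
if (Test-Path $dt) {
    $v = Get-ItemProperty -Path $dt
    Write-Output "REGKEY   $dt exists (pid=$($v.pid) uid=$($v.uid) port=$($v.port))"
}

# Mytob-CM rewrites the hosts file to block security sites; list any
# non-comment line naming a vendor from the scanners listed in the thread.
$hosts = Join-Path $sys 'drivers\etc\hosts'
$vendors = 'symantec|trendmicro|ca\.com|pandasoftware|bitdefender|windowsecurity|microsoft'
Get-Content -Path $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match $vendors } |
    ForEach-Object { Write-Output "HOSTS    $_" }
```

An empty report before and after following the removal steps is the quickest way to confirm the entries are gone; anything still listed is what to report back with.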
 
Andy (I can not read your response, the screen is blank).

Andy,Plun and Steve:

Gracias for your indications.

Good job, keep it up.

Cristian
 
No Problem Cristian

You're not missing much, it's just basic removal instructions
for the malware you have, but you may not be able to read
this message either, so there's no point in me saying what the first
reply contains ;) Good luck cleaning up anyway.

All the best


Andy Manc
 
Andy, FYI

Funny thing, your last message is readable, but the first
one was blank.

Cristian
 
Hi Andy

FYI, your last message is impossible to read.

No need to reply.

Sometimes yours is readable, sometimes not.

Anyway, thanks for your input.

Take care. When I am able to read your posts, I learn a lot.

Cristian
 
Yeah no problem Cristian,


Thanks for letting me know there's a problem. Hopefully all
my posts are not like that, but if some are getting
through then it's still worthwhile.

All the best


Andy
 