delme.exe in Application Data a trojan?
 
This thread is older than 90 days and has been locked due to inactivity.


 

I'm RickJames
Posted - 2011.02.02 22:13:00 - [1]
 

Edited by: I'm RickJames on 02/02/2011 22:15:38
I have been having a series of problems with trojans and other malware and the older version of Kaspersky is having trouble with them (2009 but new licenses) and I am manually removing them.

In my Application Data folder in Windows, I see a folder and two files created at the same time this morning (only today I had problems):

delme.exe
WtoSTzUZhXDMML directory
QmtBfswILOGetm sub-directory
4.17.46.9198 sub-directory

Throughout this process I have seen a lot of randomly named files being added to my startup, and I suspect this is one of them.

And, also modified, but modified yesterday was a file s3rv3r.exe.

Get rid of this stuff? I plan to quarantine them but do not want to mess up the OS's stability any more than it is now.

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.02.02 22:21:00 - [2]
 

remove Kaspersky and download Avast? it's free.

Barakkus
Posted - 2011.02.02 23:38:00 - [3]
 

Edited by: Barakkus on 02/02/2011 23:40:09
Turn off System Restore: right-click My Computer, click Properties, then System Restore, and turn it off from there (they are getting archived into the System Restore files).

Then reboot. Start in safe mode. Run the registry editor and go to HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run. Delete anything listed in there that you don't recognise (google it if you don't know). Then do the same in:
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\RunOnce

Go through your startup menu and delete anything from there. Check autoexec.bat on c:\ for anything weird. Go through each user's temp directories located in c:\documents and settings\<username>\Local Settings\Temp and delete everything you can from there. If there are any executables that you cannot delete, kill the process from the task manager and try again. You also want to hit your temporary internet cache in c:\documents and settings\<username>\Local Settings\temporary internet files. There is a hidden subdirectory you will have to actually type the name to get into, c:\documents and settings\<username>\Local Settings\temporary internet files\content.ie5, and clear that out as well. Check c:\windows\temp as well.

This is all for XP; some of the paths are different for Windows 7 and Vista for the user profile directories.

Reboot and start in safe mode again, go hunting one more time, then reboot and install Spybot Search & Destroy. Run that and hopefully it will clean up the remaining stuff that may not have been taken care of by the above steps.

You should make sure you're deleting stuff you know shouldn't be there. Don't worry about deleting stuff from the temp files directories, you should be ok with that.

You also want to make a sweep of your browser(s) and disable any plugins that you don't know what they are.
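
The "delete anything in the Run keys that you don't recognise" step above is the one people get wrong, so here is an added example (not from this thread or from any poster) of doing the first pass by script rather than by eye. It assumes you dumped the keys with `reg export` (the full key path has a `Windows` component: `Software\Microsoft\Windows\CurrentVersion\Run`, and likewise for `RunOnce` and the `HKEY_LOCAL_MACHINE` copies) and parses that .reg text. The sample dump is constructed to resemble the names in the original post; the heuristics (runs from a user-writable profile directory, random-looking names, digits swapped in for letters like `s3rv3r`) only tell you which entries to look up, not what to delete.

```python
"""Triage autorun entries from a Windows `reg export` dump (added example).

Assumes the Run/RunOnce keys were exported with, e.g.,
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
and follows the .reg escaping rules (backslashes doubled, quotes as \").
"""
import re

# Constructed sample resembling what the thread describes; not a real export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WtoSTzUZhXDMML"="\"C:\\Documents and Settings\\rick\\Application Data\\delme.exe\""
"s3rv3r"="C:\\Documents and Settings\\rick\\Application Data\\WtoSTzUZhXDMML\\s3rv3r.exe"
"Kaspersky"="\"C:\\Program Files\\Kaspersky Lab\\avp.exe\""
"""

# Profile locations a legitimate program rarely launches from at logon.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\",
                 "\\temporary internet files\\", "\\windows\\temp\\")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
LEET = re.compile(r"[a-z][0-9]+[a-z]", re.I)   # digits inside a word, e.g. s3rv3r


def unescape(s):
    """Undo .reg escaping (doubled backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, command) for each string value under a [key] line."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def image_path(command):
    """Pull the executable out of a Run value (quoted or not, with or without arguments)."""
    m = re.match(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|pif))\b', command, re.I)
    return m.group(1) if m else command.strip('"').split()[0]


def looks_random(token):
    """Heuristic for generated names: long and nearly vowel-free, or case that flips a lot."""
    if len(token) < 8:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in token) / len(token)
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(token, token[1:]))
    return vowel_ratio < 0.2 or case_flips >= 5


def triage(entries):
    """Attach a list of reasons to each entry; an empty list means nothing stood out."""
    findings = []
    for key, name, command in entries:
        path = image_path(command)
        parts = path.split("\\")
        reasons = []
        if any(marker in path.lower() + "\\" for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable profile directory")
        # Check the value name and every directory component, word by word.
        words = re.findall(r"[A-Za-z]+", name + " " + " ".join(parts))
        if any(looks_random(w) for w in words):
            reasons.append("random-looking name or directory")
        if LEET.search(name) or LEET.search(parts[-1]):
            reasons.append("digits substituted for letters in the name")
        findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


def suspicious(text):
    """Entries worth looking up by hand, mapped to the reasons they were flagged."""
    return {f["name"]: f["reasons"] for f in triage(parse_reg_export(text)) if f["reasons"]}


if __name__ == "__main__":
    for name, reasons in suspicious(SAMPLE_REG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against each exported key in turn (HKLM and HKCU, Run and RunOnce). Entries it does not flag still deserve a glance, and a flagged entry is a prompt to search the name and check the file's signature and creation time before removing it, as the steps above say.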

ivar R'dhak
Minmatar
Posted - 2011.02.03 00:31:00 - [4]
 

Get Trend Micro's HiJack This.
It'll help you greatly in your problem analysis.

Benny Hill
Caldari
General Thrusters
Posted - 2011.02.03 00:42:00 - [5]
 

Edited by: Benny Hill on 03/02/2011 03:59:12

Cys Root
Gallente
Aliastra
Posted - 2011.02.03 01:16:00 - [6]
 

Edited by: Cys Root on 03/02/2011 01:18:10
lol @ s3rv3r.exe

I know it sucks to hear mate but at this point I'd just format your poor PC, backup your stuff and start fresh.

EDIT: funfact: googling s3rv3r.exe leads to this very thread. Shocked

Barakkus
Posted - 2011.02.03 01:45:00 - [7]
 

Originally by: Benny Hill
Thank you for suggestions.

I just bought the new version of software from Kaspersky, as their tech support said their 2009 had difficulties. I have been using it but with new licenses. It detects it, just has trouble cleaning it and everything else that was added with this attack. I'll see what this does.

I hadn't thought about trojans archiving themselves in system restore files. So I will check that out now.


If you still can't delete files make sure you try in safe mode. If that still doesn't work, boot from your CD and go into recovery mode with a command prompt, don't have it repair your installation. Browse over to the files you need to get rid of from there and delete them. If all else fails, take your drive out and slave it in another machine and delete the files, just make sure you don't run any of the executables on the new machine :P

Hijack this will help if you know what you're doing as well.

SirSpectre
Gallente
Harbingers Of Destruction
Posted - 2011.02.03 15:24:00 - [8]
 

Edited by: SirSpectre on 03/02/2011 15:24:05
Originally by: ivar R'dhak
Get Trend Micro's HiJack This.
It'll help you greatly in your problem analysis.


This. Hijack this is awesome.

www.hijackthis.de

I'm RickJames
Posted - 2011.02.03 18:46:00 - [9]
 

Thanks for suggestions. I checked through everything, got a new application version of Kaspersky, and have everything cleaned out now.


 
