DougHeil
First and foremost you need to clear out the user temp directories located at "\Documents and Settings\%USERNAME%\Local Settings\Temp" and also "\Documents and Settings\%USERNAME%\Local Settings\Application Data\Temp". Be certain that no hidden files or folders remain in these locations. You may need to boot into safe mode with command prompt and recursively delete the hidden files and folders manually. Use the "attrib" command with the string "attrib -r -s -h *.*" to remove hidden, system, and read-only attributes from the files in those directories. Feel free to delete everything in these temp directories.
My best advice is to load Process Explorer, add the table header for "Command Line," sort by command line, and find all instances of executables or instances of rundll loading a library that is located in ~\Local Settings\Temp or ~\Local Settings\Application Data.
Particularly these files should be deleted if found in your user directory: winlogon.exe*, winamp.exe*, AVE.exe, AVE99.exe, AVP.exe, taskmgr.exe*, smss.exe*, svchost.exe*, iexplorar.exe (note the "a"), ose00000.exe. I noted several of the filenames with "*" not as a wildcard but to make sure you only delete these files if they're found in your temp directories, and/or if you cannot verify their Microsoft signature in the executable. A good rule of thumb is don't delete these files if they happen to reside in the \Windows\ directory.
Beyond that, make sure you can still view hidden files and folders as the FakeRean trojans like to modify the Registry values for explorer to prevent you from finding the files. Also, run a registry scan for the value "ave.exe," particularly checking \HKEY_CLASSES_ROOT\exefile\shell\open\command to verify that AVE.exe has not hijacked executable association. The proper line should read "%1" %*. Feel safe in eliminating all instances of AVE.exe located within your registry. If located in any exefile association, replace the AVE start command (which starts the fake "XP Security Center" trojan) with "%1" %* for default values.
If you find that you can no longer launch the registry editor, even by executing regedit.exe directly from the command prompt, or you are prompted with "Registry editing has been disabled," then you can re-enable the function by launching "gpedit.msc" from either the Start>Run... menu or by using "start.exe" from the command prompt. Once loaded, go to Computer Configuration->Administrative Templates->System->Prevent Registry Editing (or some such). You may find no value has been set; this is fine. First, enable prevention and press Apply, then disable prevention and press Apply. Disabling prevention without first enabling it doesn't actually work due to an unresolved bug. Perform the same step at User Configuration->Administrative Templates->System->Prevent Registry Editing.
Run a good registry cleaner, install an antivirus suite like Avast, and also, make sure to clear out the \Windows\Prefetch directory. (Remember to delete any hidden files or folders there as well).
Other than that if you have any problems just let me know...
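A small triage helper for the checks DougHeil describes above; this is an added example, not code from the thread. It works on text you have already collected (Process Explorer's "Command Line" column and the default value of HKCR\exefile\shell\open\command), so it runs anywhere and never touches the registry itself; the sample command lines are constructed.

```python
import re

# Names DougHeil lists; the starred ones are real Windows binaries, so they
# are only suspect when they run from outside \Windows\.
SUSPECT_NAMES = {
    "winlogon.exe", "winamp.exe", "ave.exe", "ave99.exe", "avp.exe",
    "taskmgr.exe", "smss.exe", "svchost.exe", "iexplorar.exe", "ose00000.exe",
}
TEMP_DIRS = (r"\local settings\temp", r"\local settings\application data")
EXPECTED_EXEFILE_CMD = '"%1" %*'   # correct default of HKCR\exefile\shell\open\command

def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def image_path(cmdline):
    """Path actually being run: the first token, or the DLL handed to rundll32."""
    toks = _tokens(cmdline)
    if not toks:
        return ""
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe in ("rundll32.exe", "rundll32") and len(toks) > 1:
        return toks[1].split(",", 1)[0]          # "x.dll,EntryPoint" -> x.dll
    return toks[0]

def is_suspicious(cmdline):
    """True if run from a user temp dir, or a listed name outside the Windows dir."""
    path = image_path(cmdline).lower()
    name = path.rsplit("\\", 1)[-1]
    in_temp = any(d in path for d in TEMP_DIRS)
    in_windows = "\\windows\\" in path or path.startswith("%systemroot%")
    return in_temp or (name in SUSPECT_NAMES and not in_windows)

def exefile_hijacked(default_value):
    """True unless the exefile open command is exactly "%1" %*."""
    return default_value.strip() != EXPECTED_EXEFILE_CMD

# Constructed sample of Process Explorer "Command Line" entries (not real data).
SAMPLE_CMDLINES = [
    r'C:\WINDOWS\system32\svchost.exe -k netsvcs',
    r'"C:\Documents and Settings\bob\Local Settings\Temp\ave.exe"',
    r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\bob\Local Settings\Application Data\x.dll",Run',
    r'"C:\Documents and Settings\bob\smss.exe"',
    r'"C:\Program Files\Internet Explorer\iexplore.exe"',
]

def triage(cmdlines=SAMPLE_CMDLINES):
    """Return only the entries worth killing and deleting per the post."""
    return [c for c in cmdlines if is_suspicious(c)]
```

Feed it your own exported command lines instead of the sample list; a hit means "verify the signature before you delete", not "delete on sight".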
This is excellent. Thanks. I already did a lot of what you just wrote, but you added extra stuff I'll get right on. My Symantec Anti-virus software did some of that by itself, but other stuff it did not take care of.
What a nasty, nasty ad. How the hell do ads like this get past a good ad distributor? Amazing.