Help again!!!!

Comments

  • christie_m
    christie_m Posts: 109 Forumite
    Part of the Furniture Combo Breaker
    Tell you what, I'd be scared "cuddling" up to some of the techies at my work in the way your smilie shows TOG!!!

    ;)
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    It reminds me of two cats and a bag of cat nip..

    Ok, luvvies, let's wait for itsbeef to update us, he's probably down the pub, or at the ATM checking his bank balance..

    I knew this would turn into a 5 pager..
    Ever get the feeling you are wasting your time? :rolleyes:
  • djohn2002uk
    djohn2002uk Posts: 2,323 Forumite
    In all these posts I may have missed an odd statement but I can't go through them all again. And this/these question/s are in no way picking fault in your help.
    After the first few posts it appeared to me that things may have been getting worse and after his scan with Avast he said the problem came back. This led me to think, why have they not asked if he has a firewall running and why hasn't someone asked him to turn off system restore before using Avast.
    One other observation, which happens quite a bit in all forums of this type is, when a non-technical poster asks a question, is it not better that one person takes over the guidance so that the person with the problem doesn't become overwhelmed by instruction coming from all directions (get this, D/L that, run this, check this site) and I cringed for him as he asked for further info on carrying out one instruction by which time there were two more on screen.
    I will repeat that this isn't meant to take anything away from the efforts you chaps put in late last night to try and get him up and running again but simply to learn myself from the first two questions and maybe aid any future help from my third observation. Plus I may be feathering my own nest a little here as I have a question to go on here shortly.
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    You have to bear in mind, that the site was running like a dog last night, so reading every post took 5-7 minutes, writing every post, took 5-7 minutes, in that time the other contributors had added other posts that were relevant and overlapping.., and reading them took 5-7 minutes. It was painful..

    The gist was the same, we needed a virus scan of some sort to find out what we were dealing with. It took a few hours to get there..

    The system restore point is only an issue if/when he does a system restore. We need to stop the active trojan first.
    Ever get the feeling you are wasting your time? :rolleyes:
  • djohn2002uk
    djohn2002uk Posts: 2,323 Forumite
    albertross wrote:

    The system restore point is only an issue if/when he does a system restore. We need to stop the active trojan first.

    But I thought that some of these nasties were returning after removal because they had installed something in system restore and that was the reason for turning it off to remove all the restore points before removal of the worm/trojan/spyware or whatever.
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    Fair point..

    I don't think we have managed to clarify how/when/with what they are being picked up yet. Have asked what the path/filenames are, but beefy wasn't able to answer that at the time.

    I assumed (possibly wrongly) that they were still resident in memory, or he was constantly being re-infected, either across the internet (due to insufficient XP patching), or insufficient cleaning, but it could just be system restore files as you say..

    As I said, it was a long and painfully slow night - always easy to miss things.

    EDIT.. just reviewed the posts, and found this:

    the scans have identified the following as being present and can't seem to delete it?

    C:\WINDOWS\DVPD.DLL\[UPX]

    So it is still resident..
    Ever get the feeling you are wasting your time? :rolleyes:
  • djohn2002uk
    djohn2002uk Posts: 2,323 Forumite
    Appreciate what you're saying. I only read it all this afternoon, easy for me to pick my way through it at leisure but also no firewall was mentioned. I think he seemed to be running totally open to anything that was flying around.
  • djohn - Like Albertross has said you've got a fair point about the postings...suppose us techies are too willing to help. ;)

    The way we were playing it was the "two heads are better than one...", which helped cover off the key points which could be missed at 11.30pm-12.45am. Ultimately the key aim was to get the machine cleaned in a way that Itsbeef could continue working today.

    Ultimately we've failed so far...but it'll get sorted.
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    We were also trying to get him SP2'd/patched, which should sort out the firewall (unless the trojan kills it). He was also asking a while ago about getting a firewalled wireless router, but not sure if he "followed through" and bought it.
    Ever get the feeling you are wasting your time? :rolleyes:
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    BEEF,

    I am going to assume that you have got the infection mentioned in TOG's post earlier.

    These are some manual instructions that may or may not eradicate it: (totally untested!)
    Go into control panel/system/system restore, turn off system restore by removing the tick
    click ok, and ok to deleting restore points.

    Download this, and decompress it to your desktop

    http://www.sysinternals.com/Utilities/autoruns.html

    Run it, if you see any reference to the files listed below, remove the tick out of the box next to them..

    Shutdown and restart in safe mode (F8 at boot), and delete these files (if they exist)

    c:\WINdows\dvpd.dll
    c:\WINdows\netdx.dat
    c:\WINdows\system32\winldra.exe
    c:\WINdows\Temp\fe43e701.htm
    c:\windows\System32\drivers\etc\hosts
    delete everything under c:\windows\temp
    c:\windows\prntk.log (you may wish to read this file in notepad before deleting it)

    Empty your recycle bin
    Run ccleaner if you have it

    if you fancy having a go with regedit (start run regedit)

    SKIP THIS STEP IF YOU DON'T FEEL CONFIDENT WITH REGEDIT
    MAKE A MISTAKE, AND YOU COULD KILL YOUR PC COMPLETELY
    Delete this key:

    HKCU\S-1-5-21-448539723-1383384898-725345543-500\Software\SARS\SocksPort

    be very careful not to delete anything else!
    Then do an avast virus scan.
    Then start up, and run windowsupdate again,
    then run the protection scan you did earlier.

    Report back with what happened, everything you found or didn't find, what the scans found at what stage.
    Ever get the feeling you are wasting your time? :rolleyes:
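A read-only triage version of the checklist in the post above, added here as an example (not the poster's own instructions): it reports the listed files with hashes, any Run-key entries referencing them, the SARS registry key, and the active hosts entries, deleting nothing so the output can be posted back before any removal. File paths and the key name are taken from the post; the handling of the HKCU/HKU hive for the key, and the Run-key listing as a stand-in for Autoruns, are this example's assumptions.

```powershell
# Added example (not from the thread): read-only triage for the indicators
# named in the post above. Nothing is deleted; it reports what is present so
# the findings can be posted back before any manual removal.
# Assumes an elevated prompt and PowerShell 4+ (for Get-FileHash).

# File indicators, paths as written in the post.
$files = @(
    "$env:SystemRoot\dvpd.dll",
    "$env:SystemRoot\netdx.dat",
    "$env:SystemRoot\system32\winldra.exe",
    "$env:SystemRoot\Temp\fe43e701.htm",
    "$env:SystemRoot\prntk.log"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        "PRESENT  $f  size=$($item.Length)  modified=$($item.LastWriteTime)  sha256=$hash"
    } else {
        "absent   $f"
    }
}

# Stand-in for the Autoruns step: Run-key entries that reference the files.
foreach ($runKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { "$($_.Value)" -match 'dvpd|netdx|winldra' } |
        ForEach-Object { "RUNKEY   $runKey\$($_.Name) = $($_.Value)" }
}

# The post writes the key as HKCU\<SID>\Software\SARS\SocksPort. HKCU is the
# current user's branch of HKEY_USERS, so look under HKCU and under every
# loaded profile in HKU:\<SID> (assumption: the key lives in a user hive).
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$sarsKeys = @('HKCU:\Software\SARS') + (Get-ChildItem HKU: -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\SARS" })
foreach ($k in $sarsKeys) {
    if (Test-Path -LiteralPath $k) {
        "PRESENT  $k"
        Get-ItemProperty -LiteralPath $k | Format-List *
    }
}

# Hosts file: the post lists it for deletion; show its active entries instead,
# since a clean file has only comments or a loopback line.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
"--- active hosts entries ---"
Get-Content -LiteralPath $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
```

Any line reported as PRESENT, any RUNKEY hit, or a hosts entry pointing update or anti-virus hostnames somewhere other than their real addresses is what the poster asked to have reported back before the delete steps are run.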