I haven't seen this for ages; these instructions are a bit outdated but should still work.
You may want to print or save these instructions locally before starting.
Please download, install, and update the free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.
Please download the Nailfix utility. DO NOT run it yet.
Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
- Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
- Select an option when the Windows Advanced Options menu appears, and then press ENTER.
- When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next, run Ewido again.
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if Ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following items:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vnybin] C:\WINDOWS\system32\xsiuqlv.exe r
O4 - HKLM\..\Run: [ahxjxx] C:\WINDOWS\system32\onrslmu.exe r
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Close all open windows except for HijackThis and click Fix Checked.
Now, run CCleaner.
- Uncheck "Cookies" under "Internet Explorer".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
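
Added example, not part of the original post: a small Python triage script that parses HijackThis log lines and flags the patterns visible in the entries listed above (a Shell= value that starts something besides Explorer.exe, and O23 services with an unknown owner or a missing file). The function name, the O4 heuristic and the last sample line are assumptions made for illustration.

```python
import re

# The first five lines are the HijackThis entries listed in the post;
# the last line is a constructed benign entry for contrast.
SAMPLE_LOG = r'''F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vnybin] C:\WINDOWS\system32\xsiuqlv.exe r
O4 - HKLM\..\Run: [ahxjxx] C:\WINDOWS\system32\onrslmu.exe r
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
'''

# A HijackThis entry is "<section code> - <details>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')

def triage(log_text):
    """Return (code, reasons, line) for each entry matching a pattern from the post."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group('code'), m.group('body')
        reasons = []
        if code == 'F2' and 'Shell=' in body:
            # The default value is Explorer.exe alone; any extra program also starts at logon.
            tokens = body.split('Shell=', 1)[1].split()
            if [t.lower() for t in tokens] != ['explorer.exe']:
                reasons.append('shell value is not Explorer.exe alone')
        elif code == 'O4':
            # Assumed heuristic: autostart binaries under the Windows directory get a manual check.
            if re.search(r'\] C:\\WINDOWS\\', body, re.IGNORECASE):
                reasons.append('autostart from Windows directory')
        elif code == 'O23':
            if 'Unknown owner' in body:
                reasons.append('unknown owner')
            if body.endswith('(file missing)'):
                reasons.append('file missing')
        if reasons:
            findings.append((code, reasons, line))
    return findings

if __name__ == '__main__':
    for code, reasons, line in triage(SAMPLE_LOG):
        print(f"{code}: {', '.join(reasons)}\n    {line}")
```

The output is a list of entries to review by hand, not a verdict: legitimate software also autostarts from the Windows directory.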