[inactive]Need help removing Trojans Win32:Small-EK [Trj]

2»

Comments

  • TroganTrogan London, UK
    edited July 2006
    Hi The_Dude! Make sure, that when you copy everything in the quote box, that you also copy Files to delete:. That is a vital part of the script.

    Please try again! :)
  • fujimi
    edited December 2006
    hi i also have to same problem with ip popping up.
    using NOD ESET antivirus.
    I only get the warning with Firefox and not with IE
    Using Zonealarm firewall also behind router so Im not sure how this got on.Its really annoying Plz help..TIA



    the log is


    Fixwareout
    Last edited 12/06/2006
    Post this report in the forums please
    ...
    Prerun check
    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="csney.exe"

    ...
    ...
    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\4
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\6
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\8
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\9
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\10
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\11
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\12
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\13
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\14
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\16
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\17
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\18
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\19
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\20
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    ...

    Random Runs removed from HKLM
    ...
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...
    * csr.exe C:\WINDOWS\System32\CSNEY.EXE

    »»»»»
    Search five digit cs, dm kd and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSNEY.EXE 51,213 2006-09-10

    Other suspects.
    C:\WINDOWS\System32\{79EB60D3-41AC-4306-B68A-DEBF7EDD82AE}.exe

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
    ...
    Postrun check
    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""

    ...

    Fujimi, this is an old thread..please start your own thread..thread closed-jmoney
This discussion has been closed.