Midnight Star
5 Rhenium

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

MenaceOfMen,

First, let's get rid of the viruses in your system restore and temp folder(s), just in case we need to use it for any reason:

  1. Run "Disk Cleanup" and allow it to remove everything it finds.
  2. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
     



Download, unzip to your desktop CWShredder and run it, then:

 
1.  Click "Check For Update"
 
   (If an update isn't available, skip to step #4.)
 
2.  Click "Click here to Download the update".
3.  When the new version has been downloaded, click "Save".
4.  Click "Fix ->"
 


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  BTGrab.dll
regsvr32  /u  systb.dll
 
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.



Run HiJackThis and click "Scan", then check (tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
 
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
 
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
 
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
 

Now, with all windows closed except HiJackThis, click "Fix checked".
 


Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
 
files...
 
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\wupdt.exe
 


Post back a new log.
 
-
 
Mike.
 
Edits: Added an additional cleanup item; pre-hijackthis.

Message Edited by Midnight Star on 01-31-2005 12:37 PM

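Once the new log comes back, it can be checked against the domains and file names from the entries listed in the post above. The script below is an added example, not part of the original post or of HijackThis itself; the function names are hypothetical and the sample log is constructed.

```python
import re

# Domains and file names taken from the entries listed in the post above.
BAD_DOMAINS = ("popupsearches.com", "drsnsrch.com")
BAD_FILES = ("btgrab.dll", "systb.dll", "farmmext.exe", "wupdt.exe")
# A HijackThis entry looks like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Constructed sample of a follow-up log (not a real scan result).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
"""

def parse_log(text):
    """Yield (section, body) for each entry line; headers and blanks are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def classify(section, body):
    """Return why an entry matches the post's list, or None if it does not."""
    low = body.lower().rstrip()
    if section in ("R0", "R1") and any(d in low for d in BAD_DOMAINS):
        return "search hijack"
    # Compare only the file name, so a copy in another folder still matches.
    name = re.split(r"[\\/]", low)[-1]
    if section in ("O2", "O4") and name in BAD_FILES:
        return "listed file"
    if section in ("O2", "O3") and low.endswith("(no file)"):
        return "orphaned entry"
    return None

def remaining(text):
    """Entries in a fresh log that still match what the post said to fix."""
    found = ((s, b, classify(s, b)) for s, b in parse_log(text))
    return [hit for hit in found if hit[2]]

if __name__ == "__main__":
    for section, body, reason in remaining(SAMPLE_LOG):
        print(f"{reason:15} {section} - {body}")
```

An empty result from `remaining()` means none of the listed domains, files or orphaned BHO/toolbar entries survived the fix; it does not judge entries the post did not name.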