
shanenin
Moderator
Content Count: 3752
Everything posted by shanenin
-
Thanks for clearing that up. Being a Linux guy (I use command parameters daily), I should have realized that.
-
What Project Are You Working On
shanenin replied to rhema7's topic in Windows 10, 8, 7, Vista, and XP
I also have been trying to infect my spare machine. I too want to learn how to remove these things. I have installed about 30 exes found on shady sites, but have not caught anything too bad. If you find some nasty, hard-to-remove stuff, please email me a link to get infected.
-
I fixed my bug, so now no dormant (unregistered) file is left behind. I also wrote the script to read the registry directly, so you do not need to use an HJT log file. This code seems much cleaner. I left lots of comments to show what is happening.

    import os
    from win32api import *
    from win32con import *

    # this line opens the registry key so changes can be accessed
    key = RegCreateKey(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

    # this loop reads all values in the registry key, it parses out the O4 file that is malware
    trojanval = None
    for i in range(100):
        try:
            info = RegEnumValue(key, i)      # returns (value name, value data, value type)
        except Exception:                    # raised once there are no more values to read
            break
        name, data, valtype = info
        if data.lower().endswith(".exe r") and "system32" in data.lower():
            trojanval = name                 # name of the O4 entry to delete from the key
            trojanpath = data[:-2]           # path of the file, with the trailing " r" stripped
            break
-
Funny, I just realized something dumb I did with my code. I had the path set incorrectly to the file in system32, so in essence it is not getting deleted. But.... since I suspended the process, and deleted the O4 entry from the registry, the file is no longer getting started. So every time I did a test, I have left behind one dormant copy of the infected file in system32. Without the registry starting this file as a process it is not doing any harm. Nonetheless, I don't like the idea of just leaving the file sitting there.
-
Yes, Python can create a registry key or value. Why does it have to create a registry value, doesn't it just have to delete the value that the trojan created? I don't think I am following you totally.
-
I have no idea how to do it with batch. The cool thing about Python is it allows direct interaction with the Win32 API. I don't think batch can do that. The huge negative to Python is it needs to be installed on the system. That is where batch is a great method to use (everyone can run it). I wonder if the new Windows PowerShell can access this Win32 API?
-
I was thinking. A better way of doing this would be just to read the values in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run directly. There is no reason to have to indirectly get this info from the HJT log.
-
Thanks Matt. I may have coded this Python version, but I used your idea of suspending it then deleting it. That was a good idea on your part :-)
-
If you set an admin password, isn't it pretty hard to get in? They would have to do some serious hacking.
-
DISCLAIMER: BE CAREFUL. WHILE I HAVE TESTED THIS SCRIPT AND IT SEEMS TO WORK WELL, IT MAY HAVE BUGS I AM UNAWARE OF. THIS SCRIPT WILL DELETE ANY FILE THAT IS LISTED IN THE O4s THAT ENDS WITH ".exe r" AND IS ALSO IN THE SYSTEM32 FOLDER. ANY LEGITIMATE (IMPORTANT) FILE THAT MEETS THESE REQUIREMENTS WILL GET REMOVED. IT MIGHT NOT BE SMART TO RUN THIS.

I love to script simple stuff with Python. I was able to automate the removal of the epolvy trojan. This is not very practical, because you do need to have both Python and process.exe installed on your system. Python can be made into an executable (no
-
I am just lost trying to follow this guide. I want to delete a value for a registry key. The syntax for the method is win32api.RegDeleteValue(key, value). value is a string, which is the name of the value. That part is easy. I don't understand the key argument. Below is what I am referencing: http://aspn.activestate.com/ASPN/docs/Acti...Value_meth.html Any suggestions would be appreciated, thanks.

edit added later// This seems to be working:

    import win32api
    import win32con

    # open the Run key; the handle it returns is the "key" argument
    key = win32api.RegCreateKey(
        win32con.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    )
    value = "zdkyzf"   # the value name, i.e. the part in [brackets] in the O4 line
    win32api.RegDeleteValue(key, value)
-
In the following line, what does the "r" mean?

    O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r
-
What Project Are You Working On
shanenin replied to rhema7's topic in Windows 10, 8, 7, Vista, and XP
I also would like to learn. I have Photoshop Elements 2.0. I wonder if most of the stuff is similar.
-
Using your idea, I think I was able to remove the trojan. I did these steps:

1. I ran this command using the Windows XP command line:

    process -s random_filename.exe

2. I deleted the entry from the registry manually, located here:

    hklm\software\microsoft\windows\currentversion\run

I then used my Python script to kill the file on reboot. You can use any method that works for you.

    import win32api
    import win32con

    # full path to the file in system32; the rename target is None so it is deleted at reboot
    win32api.MoveFileEx(r"C:\WINDOWS\system32\random_filename.exe", None,
                        win32con.MOVEFILE_DELAY_UNTIL_REBOOT)
-
Ya, please :-) This must be something different: http://www.bleepingcomputer.com/startups/p...s.exe-7200.html This looks like what I need: http://www.beyondlogic.org/solutions/proce...processutil.htm
-
When I try and run that command using cmd.exe (XP command line), it says the command "process" is not available. Are you sure that will work in a batch file?
-
That sounds easy enough.
-
I also like a project to learn. Cool :-) By the way, what method do you use to suspend a process?
-
As of now, is the preferred way to remove this trojan Ad-Aware with the VX2 plugin? Are you trying to make a simple tool that does not have the need to install Ad-Aware and the plugin?
-
I pretty much just used Add/Remove Programs to delete a bunch of stuff. Just curious, if epolvy always changes its name, how can you tell if you have it? Would you watch for changed O4s at reboot?

Scan saved at 12:43:39 AM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WIN
-
I reinstalled the trojan then just did a before and after of my HJT log. I noticed this new entry:

    O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r

This must be from the trojan. Would you say any O4 that is in the system32 directory would be suspicious?
-
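An added example, not code from anyone in the thread: a small Python 3 script that does the before/after comparison of HijackThis O4 lines described in the post above and then applies the rule stated in the disclaimer post further up the page (an executable sitting in system32 that is launched with a trailing " r"). It reads nothing from the Windows registry, so it runs anywhere. The O4 lines in it are constructed samples modelled on the entry quoted in the thread; the ordinary-looking names in them (Java updater, Spy Sweeper, ctfmon.exe) are only there so the output shows that a legitimate system32 entry without the " r" argument is not flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample O4 sections (not real logs). The "after" log adds one entry shaped
# like the one quoted in the thread: random six-letter name, file in system32, lone "r".
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
AFTER_LOG = BEFORE_LOG + r"O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r" + "\n"

# One HijackThis O4 line of the HKxx\..\Run form used in the thread. RunOnce and
# Startup-folder O4 variants are deliberately not handled here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Split the command into executable and arguments: a quoted path wins, otherwise the
# path runs up to the first executable extension, which copes with unquoted
# "C:\Program Files\..." paths that contain spaces.
CMD_RE = re.compile(
    r'^(?P<path>"[^"]+"|.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class O4Entry:
    hive: str
    key: str
    name: str   # the value name shown in [brackets]
    path: str   # executable path, surrounding quotes removed
    args: str   # everything after the executable, stripped ("" if none)


def parse_o4(text: str) -> List[O4Entry]:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        c = CMD_RE.match(cmd)
        if c:
            path, args = c.group("path").strip('"'), (c.group("args") or "").strip()
        else:
            path, args = cmd, ""
        entries.append(O4Entry(m.group("hive"), m.group("key"), m.group("name"), path, args))
    return entries


def matches_epolvy_pattern(e: O4Entry) -> bool:
    """The thread's rule: an executable directly in system32, launched with a lone
    'r' argument. Being in system32 alone is not enough (see ctfmon.exe)."""
    folder = e.path.rsplit("\\", 1)[0].lower() if "\\" in e.path else ""
    return folder.endswith("\\system32") and e.args.lower() == "r"


def new_entries(before: str, after: str) -> List[O4Entry]:
    """Entries present in the after-log that were not in the before-log."""
    seen = set(parse_o4(before))
    return [e for e in parse_o4(after) if e not in seen]


def triage(before: str, after: str) -> List[Tuple[O4Entry, bool]]:
    """Each new entry paired with whether it matches the rule."""
    return [(e, matches_epolvy_pattern(e)) for e in new_entries(before, after)]


if __name__ == "__main__":
    for entry, flagged in triage(BEFORE_LOG, AFTER_LOG):
        tag = "SUSPECT" if flagged else "new    "
        print(f"{tag} {entry.hive} [{entry.name}] {entry.path} {entry.args}".rstrip())
```

The comparison is keyed on the whole entry (hive, key, name, path, arguments), so a renamed copy of the same file shows up as new even if the value name is reused. The rule itself is only the narrow heuristic the thread arrived at; anything it flags still has to be checked by hand before the value is deleted or the file queued for removal.
-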
When I try and clean a client's computer I usually run Spy Sweeper first. It normally is not able to remove a lot of stuff. For testing on my home machine it has done well. It only has not been able to remove Starware, plus a few things it did not even detect.
-
Does the "delete file at reboot" feature that HJT can perform do the same as KillBox does? I wonder if they all are just using the simple MoveFileEx call to perform this?
-
Spy Sweeper needed to get rid of that one (the one you sent) at reboot. It seems to be a pretty good program.
-
I disabled all of Spy Sweeper's shields which prevent infections. I did let Spy Sweeper run, but this is what I have left over. This is kind of a "before" HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:21 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SO