kimobrien

asked on

Virus - malware and grayware file removal

I have a virus.  My virus scan cleaned most of my computer, but there are eight files that could not be cleaned, quarantined or removed.  I want to remove them manually.  I need a technician to walk me through that process.  I have a list of the files.  They are:

C:\WINDOWS\system32\cfgdei.dll
C:\WINDOWS\system32\cfgijt.dll
C:\WINDOWS\system32\diagdei.dll
C:\WINDOWS\system32\statdei.dll
C:\WINDOWS\system32\statijt.dll
C:\WINDOWS\system32\diagijt.dll
C:\WINDOWS\system32\brwmgr32.dll
C:\WINDOWS\system32\brwstat.dll
C:\WINDOWS\system32\confbrw.dll
C:\WINDOWS\system32\alrsbatt.dll
C:\WINDOWS\system32\e1.dll
C:\WINDOWS\system32\strmwin8.dll
C:\WINDOWS\system32\zlcocard.dll
C:\WINDOWS\system32\zlcocard.exe
C:\WINDOWS\alerter.exe
 
ASKER CERTIFIED SOLUTION
sirbounty

This solution is only available to members.

You can use a product like Killbox if they still won't delete.
http://www.scanwith.com/download/Pocket_KillBox.htm
It would've been great if you had let us look at your HijackThis log.
If these files are part of an infection, they will come back.
If they are not part of an infection, then both of sirbounty's advice will work.

Killbox can kill all the files in one go if you prefer it.
Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\cfgdei.dll
C:\WINDOWS\system32\cfgijt.dll
C:\WINDOWS\system32\diagdei.dll
C:\WINDOWS\system32\statdei.dll
C:\WINDOWS\system32\statijt.dll
C:\WINDOWS\system32\diagijt.dll
C:\WINDOWS\system32\brwmgr32.dll
C:\WINDOWS\system32\brwstat.dll
C:\WINDOWS\system32\confbrw.dll
C:\WINDOWS\system32\alrsbatt.dll
C:\WINDOWS\system32\e1.dll
C:\WINDOWS\system32\strmwin8.dll
C:\WINDOWS\system32\zlcocard.dll
C:\WINDOWS\system32\zlcocard.exe
C:\WINDOWS\alerter.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.

You may need to unregister the DLLs to remove them.

Click Start->Run->CMD <Enter>
to get to a command prompt...

Now for each file listed above, type

regsvr32 /u C:\WINDOWS\system32\cfgdei.dll
regsvr32 /u C:\WINDOWS\system32\cfgijt.dll
regsvr32 /u C:\WINDOWS\system32\diagdei.dll
regsvr32 /u C:\WINDOWS\system32\statdei.dll
regsvr32 /u C:\WINDOWS\system32\statijt.dll
regsvr32 /u C:\WINDOWS\system32\diagijt.dll
regsvr32 /u C:\WINDOWS\system32\brwmgr32.dll
regsvr32 /u C:\WINDOWS\system32\brwstat.dll
regsvr32 /u C:\WINDOWS\system32\confbrw.dll
regsvr32 /u C:\WINDOWS\system32\alrsbatt.dll
regsvr32 /u C:\WINDOWS\system32\e1.dll
regsvr32 /u C:\WINDOWS\system32\strmwin8.dll
regsvr32 /u C:\WINDOWS\system32\zlcocard.dll

I'm never keen on unregistering bad dlls because it can be a booby trap and can explode, :)

Never heard that one before...?

I've registered and unregistered valid dlls all the time,
But I was taught not to unregister a malware dll because it can have bad consequences (if the virus writer includes code in that dll to do something).

This is what I've learned from a malware expert and a long time programmer (Bobbi Flekman):
Unregistering a dll through the commandline (regsvr32 /u dll-file) calls the function UnRegisterServer() in the dll file, which is simply code. In normal programming, the programmer would remove all the modifications (s)he would have made to the Registry. But you can do anything there, as long as it can be programmed. So, just imagine things... The malware programmer could create an Internet connection and download more malware to your system. Or he could format your hard disc. Or.... Etc. As you can read, unregistering a dll the "official" way can get you into bigger trouble.

According to him also,
Windows is based on something called the Component Object Model.
This way you can get a word processor to treat texts as different languages to be checked, or use a program in several other programs (just think about Windows Media Player or Adobe Acrobat in Internet Explorer). To let the system know that the file is there, and can do that, you have to register the dll in the Registry. You do that through RegSvr32. A normal program (like the aforementioned Adobe Acrobat) will just make modifications to the Registry, and next time you start Internet Explorer and click on a .pdf file it will be opened within Internet Explorer. To get rid of it you'd call RegSvr32 again, and Adobe will clean out the modifications it made to the Registry.
This shows you that for normal programs it is okay to call RegSvr32.
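
The point made above is that regsvr32 /u runs code inside the DLL. As an added example (not part of the original thread), the Python below reads a DLL's export table from its bytes alone to show which regsvr32 entry points it exposes (the export that /u invokes is named DllUnregisterServer), without loading or registering the file. The function names and the constructed sample image are assumptions of this example.

```python
import struct

REGSVR32_ENTRY_POINTS = {"DllRegisterServer", "DllUnregisterServer", "DllInstall"}

def export_names(data):
    """List a PE image's exported names from its bytes alone; nothing is loaded or run."""
    u16 = lambda off: struct.unpack_from("<H", data, off)[0]
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    if data[:2] != b"MZ" or data[u32(0x3C):u32(0x3C) + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    pe = u32(0x3C)
    opt = pe + 24  # optional header follows the signature and 20-byte COFF header
    export_rva = u32(opt + (96 if u16(opt) == 0x10B else 112))  # data directory 0 (PE32 / PE32+)
    if export_rva == 0:
        return []
    first = opt + u16(pe + 20)  # section table follows the optional header
    sections = [struct.unpack_from("<IIII", data, first + 40 * i + 8)
                for i in range(u16(pe + 6))]  # (VirtualSize, VirtualAddress, RawSize, RawPointer)
    def offset(rva):  # translate an RVA to a file offset using the section table
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("RVA 0x%x is outside every section" % rva)
    exp = offset(export_rva)
    count = min(u32(exp + 24), 0x10000)  # NumberOfNames (name ordinals are 16-bit)
    table = offset(u32(exp + 32)) if count else 0  # AddressOfNames
    names = []
    for i in range(count):
        start = offset(u32(table + 4 * i))
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names

def regsvr32_entry_points(data):
    """Entry points regsvr32 could call in this DLL, found without executing it."""
    return sorted(REGSVR32_ENTRY_POINTS.intersection(export_names(data)))

def build_sample_dll(names):
    """Constructed test input: a minimal PE32 image whose only section is an export table."""
    base, ptrs, strings = 0x1000, b"", b""
    for n in names:
        ptrs += struct.pack("<I", base + 40 + 4 * len(names) + len(strings))
        strings += n.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names), 0, base + 40, 0)
    body += ptrs + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 104, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", base, len(body))
    sec = b".edata\0\0" + struct.pack("<IIII", len(body), base, len(body), 232) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + sec + body
```

For a real file, pass its bytes, e.g. `regsvr32_entry_points(open(path, "rb").read())`. An empty result does not make the DLL safe to load, because regsvr32 loads the file first and its DllMain runs at that point.
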
Makes sense I suppose.  Thanx for the feedback. :^)
No problem, :)
I will leave the following recommendation for this question in the Cleanup topic area:
   Split: sirbounty {http:#18147849} & rpggamergirl {http:#18150447}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
@rpggamergirl: you should post that comment to the weekly EE-newsletter, really good advice!

Tolomir
>> you should post that comment to the weekly EE-newsletter, really good advice!<<
Hi Tolomir,
Thanks, I never thought of posting it at the EE newsletter; thanks for the idea.
But if you'd like to do it, please go ahead, :)

~rpg
Nope your merits...

I already had a hard time writing something useful for my misc security zone on new-ee.

Tolomir