CDROM-Guide forums

CDROM-Guide forums > Main Forums > Open to All Computer Related Topics > Computer Networking & Security
#7  Jul 13, 2002, 10:02 PM  stuisthebestintheworld (Junior Member)

Haha, no man, I'm 99% positive. Believe me, if it was part of Windows I would have destroyed my comp by now. I've deleted it a dozen times in MS-DOS; it just keeps coming back from somewhere and I have no clue where. Doesn't anyone have any ideas on where this is copying itself from or how to remove it? Come on people, someone take a guess.

stu.
#8  Jul 13, 2002, 10:06 PM  uk_trader (Veteran)

For now just look for any registry keys associated with that file and delete them. Also, if you're running Win ME or XP, disable System Restore. I may be able to help you more when sober lol.
#9  Jul 13, 2002, 10:12 PM  stuisthebestintheworld (Junior Member)

Haha, yeah, I already used RegCleaner on the registry, and I went into regedit and searched for "kernal" and deleted everything that came up. I've virus scanned my whole C drive; it's still duplicating itself. This thing is so annoying. Come on, someone must have some ideas.

stu.
#10  Jul 13, 2002, 10:22 PM  uk_trader (Veteran)

I'm still sure it's legit, but maybe I'll think differently tomorrow. Bad trans used to cause illegal errors in kernel32.exe. It probably won't show up in Find Files and Folders because it's a system file. So OK, you've run a full virus scan with the latest update, yeah? Get a trojan scanner, then scan.
#11  Jul 13, 2002, 10:26 PM  zack371 (Veteran)

I had a customer with this not too long ago. It is memory-resident...

You MUST turn off your computer for a minute or so and leave it off before trying to clean it...

Hang on, I had a link somewhere...

Here it is:

Backdoor.Doly: ***********.symantec.com/avcenter/venc/data/backdoor.doly.html

Here are the removal instructions from the above. By the way, this info is not my own; it is from Symantec. They do an incredible service with their site and the info it contains!!

Anyway, here you go:

Quote:
To remove this virus, please follow the instructions in each section.

NOTE: The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

Start the computer in MS-DOS mode
The first part of the removal procedure must be performed in MS-DOS mode. Please follow these steps:

Windows 95
1. If the computer is on, then close all programs and, if possible, shut down Windows.
2. Turn off the computer, and wait thirty seconds. You must turn off the power to clear memory. Do not simply press the reset button.
3. Restart the computer, and watch the screen. When you see "Starting Windows 95," press F8.
4. Select "Safe mode Command Prompt Only" from the startup menu, and then press Enter.
Windows 98
1. If the computer is on, then close all programs and, if possible, shut down Windows.
2. Turn off the computer and wait thirty seconds. You must turn off the power to clear memory. Do not simply press the reset button.
3. Restart the computer, and immediately press and hold down the Ctrl key until the Windows 98 startup menu appears.
4. Select "Safe mode Command Prompt Only" from the startup menu, and then press Enter.

Remove infected files in MS-DOS mode
At the DOS prompt, which should appear similar to C:\> , type the following commands in the sequence shown. Press Enter after each one.

NOTE: These instructions assume that the path to your Windows folder is C:\Windows. If you installed Windows to a different folder, for example, C:\Win95, then please modify the commands that refer to the Windows folder accordingly.

cd \
attrib -r -s -h sys.lon
del sys.lon
cd \windows
attrib -r -s -h win32ole.exe
del win32ole.exe
attrib -r -s -h wings32.reg
del wings32.reg
attrib -r -s -h asp4dos.com
del asp4dos.com
cd \windows\system
attrib -r -s -h wings32.drv
del wings32.drv
attrib -r -s -h kernal32.exe
del kernal32.exe
attrib -r -s -h qtjava.zip
del qtjava.zip
cd \windows\cookies
attrib -r -s -h iecookie.exe
del iecookie.exe
cd \windows\startm~1\programs\startup
attrib -r -s -h mdn.exe
del mdn.exe
cd \progra~1
attrib -r -s -h mdm.exe
del mdm.exe
cd \
edit autoexec.bat (This will open the Autoexec.bat file in the DOS editor.)

Delete the following lines from the Autoexec.bat file:
lh c:\windows\asp4dos.com
Set qtjava=c:\windows\system\qtjava.zip
Set class path
Del Win.reg
cls
@echo off copy c:\sys.lon c:\startm~1\programs\startup\mdn.exe

When you have finished deleting these lines, press Alt+F to access the File menu, and press S to save the file. Next, press Alt+F to access the File menu, and press X to exit the DOS editor.

The files are now deleted from the computer. Please restart the computer, and allow Windows to load. When Windows finishes loading, you must restore the files that were deleted by the virus.

Restore files
Please see the instructions for your version of Windows.
Windows 98
If you are running Windows 98, you must restore the MSconfig.exe and Regedit.exe files. Please follow these steps:
1. Insert the Windows 98 CD into the CD-ROM drive. If the installation splash screen appears, click Exit.
2. Click Start, and click Run.
3. Type sfc and then click OK.
4. Click "Extract One File from Installation Disk."
5. In the Files to extract box, type Msconfig.exe and then click Start.
6. In the "Restore From" box, browse to the x:\Win98 folder, where x is the letter of your CD-ROM drive.
7. In the "Save File In" box, type C:\Windows\System and click OK, and then click OK again.
8. Repeat steps 3 through 7, substituting the Regedit.exe file in step 5.
Windows 95
If you are running Windows 95, you must restore the Regedit.exe file. Please follow these steps:
1. Insert the Windows 98 CD into the CD-ROM drive. If the installation splash screen appears, then click Exit.
2. Click Start, and click Run.
3. Type command and then click OK. A DOS window opens.
4. Type the following commands, pressing Enter after each one:

cd \windows
extract /a x:\win95\win95_02.cab regedit.exe /l c:\windows (where x is the letter of your CD-ROM drive)

5. You should see the message "Extraction Complete."
6. Type exit and then press Enter to return to Windows.

Remove the Registry entries
You must remove registry entries that were added by the virus. Please follow these steps:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the specified keys. Please see the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Click the Edit menu, and click Find.
4. In the Find What box, type mdm.exe and then click Find Next.
5. When an entry is found that refers to mdm.exe, select it, press Delete, and then click Yes to confirm.
6. Press F3 to search again for the same file. Delete all found entries until you are finished searching the registry. There should be three entries.
7. Exit the Registry Editor.
8. Repeat steps 1 through 7, but replace the text in step 4 with asp4dos.com
9. Repeat steps 1 through 7, but replace the text in step 4 with mstesk

Backdoor.Doly has been removed from your system. Perform a full system scan using Norton AntiVirus.

Hope this helps,

-Zack-

Last edited by zack371; Jul 13, 2002 at 10:33 PM.
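The Symantec steps quoted above boil down to a checklist: a fixed set of file paths to delete and a fixed set of autoexec.bat lines to strip. As an added example (not from the thread and not Symantec's code), here is a Python sweep that applies that checklist read-only against a copy of the drive mounted or extracted under a root directory, which is the modern equivalent of doing the checks from a DOS prompt with the box powered down so the memory-resident copy cannot rewrite anything. The root directory, the case-insensitive path lookup and the constructed sample drive are assumptions of the example; the file names and autoexec.bat lines are exactly the ones the procedure lists.

```python
import os
import tempfile

# Files the Symantec procedure deletes, relative to the drive root. The
# "startm~1" / "progra~1" entries are the 8.3 short names the procedure
# uses; the long-name spellings are checked as well.
DOLY_FILES = [
    "sys.lon",
    "windows/win32ole.exe",
    "windows/wings32.reg",
    "windows/asp4dos.com",
    "windows/system/wings32.drv",
    "windows/system/kernal32.exe",
    "windows/system/qtjava.zip",
    "windows/cookies/iecookie.exe",
    "windows/start menu/programs/startup/mdn.exe",
    "windows/startm~1/programs/startup/mdn.exe",
    "program files/mdm.exe",
    "progra~1/mdm.exe",
]

# autoexec.bat lines the procedure removes, normalised to lower case and
# single spaces so the comparison is case- and whitespace-insensitive.
DOLY_AUTOEXEC_LINES = {
    "lh c:\\windows\\asp4dos.com",
    "set qtjava=c:\\windows\\system\\qtjava.zip",
    "set class path",
    "del win.reg",
    "cls",
    "@echo off copy c:\\sys.lon c:\\startm~1\\programs\\startup\\mdn.exe",
}

def _find_case_insensitive(root, rel_path):
    """Resolve rel_path under root ignoring case: FAT is case-insensitive,
    a Linux mount of the image is not. Returns the real path or None."""
    cur = root
    for part in rel_path.split("/"):
        try:
            entries = os.listdir(cur)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur

def find_doly_files(root):
    """IOC files present under root. Existence is tested directly, so the
    hidden/system attributes that keep them out of Find Files do not matter."""
    found = []
    for rel in DOLY_FILES:
        p = _find_case_insensitive(root, rel)
        if p is not None and os.path.isfile(p):
            found.append(p)
    return found

def find_doly_autoexec_lines(root):
    """(line_number, line) pairs in autoexec.bat matching the entries the
    procedure says to delete."""
    path = _find_case_insensitive(root, "autoexec.bat")
    if path is None:
        return []
    hits = []
    with open(path, "r", errors="replace") as f:
        for n, line in enumerate(f, 1):
            norm = " ".join(line.strip().lower().split())
            if norm in DOLY_AUTOEXEC_LINES:
                hits.append((n, line.rstrip("\r\n")))
    return hits

def sweep(root):
    """Combined report: IOC files plus offending autoexec.bat lines."""
    return {"files": find_doly_files(root),
            "autoexec": find_doly_autoexec_lines(root)}

def build_sample_drive():
    """Constructed sample (not a real infected drive): a temp dir laid out
    like C:\\ with two of the IOC files and a tainted AUTOEXEC.BAT."""
    root = tempfile.mkdtemp(prefix="doly_")
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    os.makedirs(os.path.join(root, "WINDOWS", "COOKIES"))
    open(os.path.join(root, "WINDOWS", "SYSTEM", "KERNAL32.EXE"), "wb").close()
    open(os.path.join(root, "SYS.LON"), "wb").close()
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w", newline="") as f:
        f.write("@ECHO OFF\r\n"
                "LH C:\\WINDOWS\\ASP4DOS.COM\r\n"
                "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
                "SET QTJAVA=C:\\WINDOWS\\SYSTEM\\QTJAVA.ZIP\r\n")
    return root

if __name__ == "__main__":
    report = sweep(build_sample_drive())
    for p in report["files"]:
        print("IOC file present:", p)
    for n, line in report["autoexec"]:
        print("autoexec.bat line %d: %s" % (n, line))
```

On a real case you would point sweep() at the mount point instead of build_sample_drive(), confirm the hits, and only then delete the files and edit autoexec.bat; the sweep itself never writes, so it can be rerun after cleaning to verify that nothing has come back.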
#12  Jul 13, 2002, 10:32 PM  uk_trader (Veteran)

Also, if you use a firewall, check all traffic on port 21 (TCP) in your logs.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright 1996-2009 CDROM-Guide.com. All rights reserved