View Full Version : Advice needed re polymorphic worm



Prodigal
12-05-2006, 14:06
Hi, was wondering if anyone could help please, I have an "exinjs" polymorphic worm on my PC & although I can block it from using my net access I can't find anything to get rid of it without fear of wrecking Windows.

Can anyone please advise if there is a virus scanner that can rip this thing's still beating heart from my PC without killing my system?

Tried Pest Patrol, PC-Cillin, McAfee, AdAware, Zone Alarm Pro.

caravel
12-05-2006, 16:19
Hi, was wondering if anyone could help please, I have an "exinjs" polymorphic worm on my PC & although I can block it from using my net access I can't find anything to get rid of it without fear of wrecking Windows.

Can anyone please advise if there is a virus scanner that can rip this thing's still beating heart from my PC without killing my system?

Tried Pest Patrol, PC-Cillin, McAfee, AdAware, Zone Alarm Pro.

I'm pretty sure CCleaner gets rid of exinjs. Download it from here, install it and run a full scan and fix all problems: http://www.ccleaner.com/download/

If that doesn't work then I'm sure we can clean it up using HijackThis and some other methods.

Regardless of whether it works or not you'll still need to download HijackThis from here so that I can check that the malware has been completely removed (ignore the commercial ads on the site):

http://www.majorgeeks.com/download3155.html

Extract HijackThis.exe to C:\Hijackthisxyz\

Rename HijackThis.exe to Hijackthis1991.exe

Run HijackThis and do a full scan and save a log. Post up the full log here, don't do anything yet. Please IGNORE any advice from other posters as to what to delete or remove. You can seriously mess up your system by deleting the wrong thing from HijackThis. HijackThis is not an anti-spyware scanner. Not everything in your log is spyware, some things are critical, so you need to be careful and not delete anything until it's been positively identified.

Do this after you have tried to fix the problem with CCleaner.

Good luck with that.

Manco

Edit: If CCleaner doesn't work for you, remove PC-cillin, McAfee and Pest Patrol and install the programs on this page: https://forums.totalwar.org/vb/showpost.php?p=1302352&postcount=21

Run full scans with those programs, after updating them, and fix all problems. If that fails try the manual method:

Run HijackThis and search the log for these two entries:


O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O23 - Service: Windows Log - Unknown to owner - C:\WINDOWS\system32\nvsvcd.exe

Start -> Run -> "services.msc" and click OK.

Look in the services for "Windows Log", right click -> Properties, set Startup type to Disabled, and Stop it.

Open HijackThis and click Misc Tools -> Delete an NT service.

Delete: "Windows Log" and OK, DO NOT RESTART.

Reboot into safe mode (hit F8 repeatedly just before WinXP starts to boot), browse to "C:\WINDOWS\system\" and delete "smss.exe".

Browse to "C:\WINDOWS\system32\" and delete "nvsvcd.exe".

Scan with HijackThis again and fix the above quoted problems.

Close HijackThis and run CCleaner again. This will remove temp files left behind by the malware.

Restart normally. Run HijackThis again and post up the log file here.
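
An added example, not part of caravel's post: a small Python check that pulls the O4 (Run key) and O23 (service) lines out of a saved HijackThis log and marks the two entries named above, plus any core Windows process name that runs from a folder other than system32 (the genuine smss.exe lives in C:\WINDOWS\system32). The sample log is constructed, and the function names, the process list and the two harmless contrast entries are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed sample in HijackThis log format. Lines 2 and 4 are the entries
# quoted in the post; the other two are made up for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\exupd.exe
O23 - Service: Windows Log - Unknown to owner - C:\WINDOWS\system32\nvsvcd.exe
"""

O4_RE = re.compile(r"^O4 - \S+\\\.\.\\\S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")

POSTED_NAMES = {("O4", ".nvsvc"), ("O23", "windows log")}  # from the post
# Core Windows processes whose genuine copies live in system32 (assumed list).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM32 = r"c:\windows\system32"


def exe_path(cmd):
    """Return the executable path from a command line, dropping arguments."""
    m = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def review(log_text):
    """Return [(tag, name, path, reasons)] for O4/O23 lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        for tag, rx in (("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line.strip())
            if not m:
                continue
            path = exe_path(m.group("cmd"))
            folder, exe = ntpath.split(path.lower())
            reasons = []
            if (tag, m.group("name").lower()) in POSTED_NAMES:
                reasons.append("entry named in the post")
            if exe in CORE_PROCESSES and folder != SYSTEM32:
                reasons.append("core process name outside system32")
            if reasons:
                findings.append((tag, m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

The script only reads the log and reports; it deletes nothing, so it fits the "post the log first" step rather than replacing it.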

Xiahou
12-05-2006, 21:03
Try SwatIT (http://www.swatit.org). As I've said, I had luck with it before, but haven't used it in quite a while.