Doly

This trojan is bloody hard to remove; it is probably one of the hardest I've come across so far. Doly is characterised by its IRC notify ability and its graphics. Earlier editions were a bit buggy, but the latest ones are very powerful, and it is very, very dangerous to become infected with this trojan.

Removal (please note: I recommend formatting your PC if you become infected with this one, but if you want to try your hand at manual removal, here are the instructions).
Removal directions for Doly 1.1 - 1.5x

Doly installs the trojan in 3 separate places, adds 2 registry lines, adds a line in win.ini, and also adds to your Startup Items. As said above, this one is hard to remove if you don't know what you're doing. Fortunately version 1.1 is set so the filenames of the trojan are tesk.exe and mstesk.exe, and they install in the same places for the most part. Version 1.35 installs as Mdm.exe.

Step one: click Start, go to Find, and choose Files or Folders. In the box type *tesk*.* and click Find Now. You should see three items listed in the find box, which should look similar to the following default paths:

C:\WINDOWS\SYSTEM\tesk.sys
C:\WINDOWS\Start Menu\Programs\Startup\mstesk.exe
c:\Program Files\MStesk.exe
c:\Program Files\Mdm.exe

You will want to write down the paths as the find dialog shows them, so you can look for them next.

Step two: go to Start, then Shut Down. Change the setting to "Restart the computer in MS-DOS mode" and click OK. After Windows shuts down, you should be at a C:\WINDOWS> prompt. Now we need to delete the programs you found above. Assuming the directories are the same as the defaults listed above, type the following lines:

cd \windows\system
del tesk.exe
cd \progra~1
del mstesk.exe
cd \windows\startm~1\programs\startup
del mstesk.exe
cd \progra~1
del mdm.exe
exit

Remember that in DOS mode, any folder or file name longer than 8 letters is shown using only the first 6 letters with ~1 on the end: "Start Menu" becomes "Startm~1", etc. After typing exit, your system should start back into Windows, and you will see errors saying it cannot start tesk.exe. Click OK and ignore these warnings; we will fix them below.

Step 3: we need to edit the win.ini file first, which can be done by going to Start, Find, Files or Folders, and typing win.ini in the box. You should see a file at C:\WINDOWS\WIN.INI. Double-click on this file and it will open in a text editor. At the top, under the section [windows], you will see a line such as:

load=c:\windows\system\tesk.exe

(This will begin with load= or run= and point to the filename containing 'tesk'.) Delete this one line, save the file, and exit the editor.

Step 4 (the last one, you're almost there): go to Start, then Run. In the box type regedit and click OK. This will start the Regedit program. Go to the Edit menu and choose Find. Type tesk in the box and click Find Next. There should only be two lines in total, which will look as follows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Ms tesk = "C:\Program Files\MStesk.exe"

and

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
Ms tesk = "C:\Program Files\MStesk.exe"

Right-click on the item itself (Ms tesk) and click Delete. Also look for the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ss

This key contains all the preferences and settings for the server, as well as what it has stored. You can right-click on the 'ss' group and delete the whole thing. Now close regedit and it will save.

The last step is to open (not run or double-click) c:\autoexec.bat in a text editor. There will be two lines to remove, as follows:

@echo off
copy c:\sys.lon c:\windows\StartMenu\Startup Items\
del c:\win.reg

Then delete the file c:\sys.lon.
Removal directions for Doly 1.6

Doly 1.6 is one of the worst yet when trying to remove it, and you will most definitely know you're infected. This version disables your ability to restart, shut down, or boot into MS-DOS mode. The only way to restart is to use Ctrl-Alt-Delete, or to power down. This makes it next to impossible to get into DOS mode correctly. However, following these steps in order has removed the trojan with no damage to the system in our testing lab.

Go to Start, Settings, and Control Panel. Open your 'Add/Remove Programs' control panel. In the list, you should see 'Memory Manager 3.0' listed. This is actually the trojan Doly. If you click on that item and tell it to uninstall, it removes almost all of the related files, so you won't need to later. However, this does not remove the trojan EXEs themselves.

Next, you will need a boot floppy, either a DOS disk or your Win 95/98 rescue floppy. Put your boot floppy in your A: drive, and either hit your reset switch or hit Ctrl-Alt-Delete twice quickly. (Do not have Windows try to reboot or shut down. Normally this is NOT a preferred way to restart; however, in this case it is less damaging than leaving your system infected.)

After you've booted into DOS, switch to your C: drive by typing C: and hitting Enter. First, you'll want to type edit autoexec.bat and hit Enter. This will let you edit the autoexec script from DOS. There should be two lines similar to the ones below:

@echo off
copy c:\sys.lon c:\windows\startm~1\programs\startup\mdm.exe
del c:\win.reg

Delete these two lines, and save the file. (You can save by hitting Alt, then F, then S, but don't hold down Alt or any other key.) You can exit edit by tapping Alt, then F, then X. If your mouse driver is installed for DOS mode, you may be able to use the mouse to work edit.

Next we delete the executables. Make sure you're in the C:\ directory (if not, type cd \). Then type the following to delete the trojan files:

del sys.lon
del windows\startm~1\programs\startup\mdm.exe
del progra~1\mdm.exe

Eject your boot floppy and reboot your computer. (This time it's OK to just hit the reset switch.) While rebooting, ScanDisk should come up and tell you Windows was not shut down properly and that it needs to check your drives. Let it, and tell it to fix any problems it finds. (You usually don't need an undo disk, though it recommends one.) After ScanDisk runs, you should be back in Windows. Finally, using Windows Explorer, open C:\Program Files\ and delete the folder 'Memory Manager 3.0'.
Removal directions for Doly 1.7

First, you'll want to edit your autoexec.bat (type edit autoexec.bat). There should be two lines similar to the ones below:

@echo off
copy c:\sys.lon c:\windows\startm~1\programs\startup\mdm.exe
del c:\win.reg

Delete these two lines, and save the file.

Then you need to edit the registry. Go to Start, then Run. In the box, type regedit and click OK. On the left-hand side, you will see a tree of folders. By clicking the + sign, you can open a folder. You will want to open the folders in this order:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run

You should see a line on the right reading:

c:\windows\system\mdm.exe

Right-click on this line and choose Delete. Then back up on the left-hand side and follow the path:

HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\

You may see a line reading:

Path = "C:\windows\system\kernal32.exe"

(Note the spelling of kernel with an A.) Right-click on this line and choose Delete. Close regedit and follow the steps below.

Next we delete the executables. Doly stores itself in many places. Only ONE of the files below will be running, and thus not deletable in Windows. You should try to remove all of them in Windows first, skipping the one that is running and won't let you, but continuing on to the ones listed after it. The one that remains can then be deleted in DOS mode below. The following list is where you can find the executables:

c:\sys.lon
c:\iecookie.exe
c:\windows\start menu\programs\startup\mdm.exe
c:\program files\mdm.exe
c:\windows\system\mdm.exe
c:\windows\system\kernal32.exe (note the spelling of kernel with an A)

Remember or note the one that you could not delete. Click Start, then Shut Down, and select restarting in MS-DOS mode. From here, you can type del followed by the full path from above (using the DOS short name for any folder longer than 8 letters). This will delete the file. For example, if it was c:\program files\mdm.exe that you could not delete, you would type:

del c:\progra~1\mdm.exe

Type exit to return to Windows. Now you should be uninfected!

Removal directions for Doly 1.7 SE (Special Edition)

1.7 SE is pretty much the same as 1.7, with only a few features changed relating to loading. Unfortunately, one change is a line added to the registry which keeps Windows from allowing Regedit to open. Hopefully, after uninfecting yourself, you will be able to restore your registry from a backup made before the infection. As for removing the trojan itself, it's usually best done from DOS. Click Start, go to Shut Down, and choose restarting in MS-DOS mode. First, delete the executables of the trojan:

C:
cd \
del \windows\system\kernal32.exe (note: kernal with an A)
del \progra~1\mdm.exe
del \windows\startm~1\programs\startup\mdm.exe
del iecookie.exe
del sys.lon

Then use MS-DOS edit to fix autoexec.bat by typing:

edit autoexec.bat

and following the DOS directions in the 1.7 instructions. When you type exit and return to Windows, you will be uninfected; however, because of the changes made to the registry, you will not be able to use regedit. And I have no idea how to fix that problem...
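The persistence points described across all of these removal directions (the load=/run= line in win.ini, the copy/del lines in autoexec.bat, the Run-key values and the 'ss' settings key) can be checked mechanically before you start deleting things by hand. The script below is an added example, not part of the original page or any tool it mentions: it parses constructed copies of win.ini and autoexec.bat and a constructed list of registry values, and reports every entry that matches the file names the page lists (tesk, mdm.exe, sys.lon, kernal32.exe, iecookie.exe). The sample inputs are constructed for this demonstration and the function names are my own.

```python
"""Offline checker for the Doly persistence indicators listed on this page.

Added example, not code from the original page. The indicator names come
from the removal directions above; all sample inputs below are constructed.
"""
import re

# File name fragments the page lists as Doly executables (versions 1.1 - 1.7 SE).
DOLY_NAMES = ("tesk", "mdm.exe", "sys.lon", "kernal32.exe", "iecookie.exe")

# Registry value name and settings key the page says Doly adds.
DOLY_REG_VALUES = ("ms tesk",)
DOLY_REG_KEYS = (r"software\microsoft\windows\currentversion\ss",)


def mentions_doly(text):
    """True if any Doly file name from the page appears in text (case-insensitive)."""
    low = text.lower()
    return any(name in low for name in DOLY_NAMES)


def check_win_ini(win_ini_text):
    """Return load=/run= lines in the [windows] section that point at a Doly file.

    Only the [windows] section is inspected, matching step 3 of the 1.1 - 1.5x directions."""
    hits = []
    section = None
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        m = re.match(r"\[(.+)\]$", stripped)
        if m:
            section = m.group(1).lower()
            continue
        if section != "windows":
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip().lower() in ("load", "run") and mentions_doly(value):
            hits.append(stripped)
    return hits


def check_autoexec(autoexec_text):
    """Return autoexec.bat lines that copy sys.lon somewhere or delete win.reg."""
    hits = []
    for line in autoexec_text.splitlines():
        low = line.strip().lower()
        if low.startswith("copy") and "sys.lon" in low:
            hits.append(line.strip())
        elif low.startswith("del") and low.endswith("win.reg"):
            hits.append(line.strip())
    return hits


def check_registry(values):
    """values: list of (key_path, value_name, data) tuples, e.g. from a .reg export.

    Flags the 'Ms tesk' Run value, any value whose data names a Doly file,
    and the ...\\CurrentVersion\\ss key the page says to delete outright."""
    hits = []
    for key_path, value_name, data in values:
        kp = key_path.lower()
        if any(kp.endswith(k) for k in DOLY_REG_KEYS):
            hits.append((key_path, value_name, data))
        elif value_name.lower() in DOLY_REG_VALUES or mentions_doly(data):
            hits.append((key_path, value_name, data))
    return hits


# Constructed samples (not captured from a real machine); the benign lines
# are there to show that ordinary entries are not reported.
SAMPLE_WIN_INI = """[windows]
load=c:\\windows\\system\\tesk.exe
run=
[Desktop]
Wallpaper=(None)
"""

SAMPLE_AUTOEXEC = """@echo off
copy c:\\sys.lon c:\\windows\\startm~1\\programs\\startup\\mdm.exe
del c:\\win.reg
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
"""

SAMPLE_REG_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Ms tesk", r"C:\Program Files\MStesk.exe"),
    (r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run",
     "(Default)", r"c:\windows\system\mdm.exe"),
    (r"HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps",
     "Path", r"C:\windows\system\kernal32.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ss", "", ""),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),  # benign
]


def scan_all(win_ini=SAMPLE_WIN_INI, autoexec=SAMPLE_AUTOEXEC, reg_values=SAMPLE_REG_VALUES):
    """Run all three checks and return the findings per source."""
    return {
        "win.ini": check_win_ini(win_ini),
        "autoexec.bat": check_autoexec(autoexec),
        "registry": check_registry(reg_values),
    }


if __name__ == "__main__":
    for source, found in scan_all().items():
        print(f"{source}: {len(found)} indicator(s)")
        for item in found:
            print("   ", item)
```

Run against the constructed samples it reports one win.ini line, the two autoexec.bat lines, and four registry entries, and leaves the benign ScanRegistry value alone. To use it on a real machine you would feed check_win_ini and check_autoexec the actual file contents and build the registry list from a regedit export of the Run keys, then remove the reported entries exactly as the directions above describe.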