What is DMSetup?
DMSETUP.EXE is a file that an infected person's mIRC client sends out to other people automatically, without the infected person knowing. The script it installs also obeys a command sent in a private message that forces the infected client to quit IRC.
What makes this file so dangerous is that when it is run, it copies itself to several directories on the hard drive, modifies autoexec.bat (so that it is started again at every boot), and creates a configg.sys file.
Some versions also create thousands of folders on your hard drive.
DMSetup also comes under many names: the copy you were sent may well have been renamed.
Diagnosing DMSetup in your System
There are two types of DMSetup we are aware of. The checks below use mIRC's $findfile identifier: with 0 as the last argument it returns the NUMBER of matching files found anywhere under the given path, so any answer other than 0 means the file is on your C: drive. (Typing //echo -a in place of //say shows the answer only to you.)
DMSetup 1
When using your IRC client, type the following in any window (not the status window):
//say $findfile(c:\,configg.sys,0)
//say $findfile(c:\,mircrem.ini,0)
//say $findfile(c:\,dmsetup.exe,0)
DMSetup 2-4
When using your IRC client, type the following in any window (not the status window):
//say $findfile(c:\,ni.cfg,0)
DMSETUP 1
Most of this can be done from within mIRC, on a quiet channel or in a message window (NOT IN STATUS).
Type the following commands VERY CAREFULLY; mistakes can cause you problems. Type them all in SEQUENCE.
NOTE: the filename may be DMSETUP.EXE, but it may have been renamed. It will be the filename that you have been automatically sending. To find out what file you are sending, find a friend and:
- get off all the channels you are on (IMPORTANT)
- tell your friend: DON'T ACCEPT THE FILE, JUST NOTE THE NAME OF THE FILE
- type /remote on (the script only sends the file while remote scripts are on)
- get them to join a channel with no one on it, like /join #test
- join the channel after they have, with /join #test
- ask them: did I send you a file, and what was the name of it?
- NOTE THIS NAME EXACTLY
If the file you are sending to people is different from dmsetup.exe, substitute that filename for DMSETUP.EXE in the commands below.
Substitute the drive and folder where mIRC is located for c:\mirc where needed.
1. Type /remote off
THIS STOPS ALL EXECUTING OF THE SCRIPTS, including the one that sends the file.
2. Unload the script file:
type /unload -rs mircrem.ini in any mIRC window
3. Next you need to edit your autoexec.bat. First make a backup of it:
type /copy c:\autoexec.bat c:\autoexec.vir
Next edit the AUTOEXEC.BAT file:
type /run c:\windows\notepad "c:\autoexec.bat"
This should bring up autoexec.bat in Notepad. If this doesn't work, on the Windows taskbar click START, then RUN, and in the box type notepad "c:\autoexec.bat"
In Notepad find and remove the line(s) containing dmsetup; this is the line that restarts the worm at every boot. Remove only those lines and leave the rest of the file alone.
NOTE: THIS IS ALMOST ALWAYS THE LAST LINE IN THE FILE.
Close Notepad, saving and overwriting the old file.
To check that the edit was saved, open the file again:
type /run c:\windows\notepad "c:\autoexec.bat" in any mIRC window
4. Delete the following file:
type /remove c:\configg.sys     (this deletes c:\configg.sys)
5. Search for ALL copies of dmsetup.exe on your system and display how many there are.
SUBSTITUTE YOUR FILENAME FOR DMSETUP IF IT IS DIFFERENT FROM THIS.
type //say $findfile(c:\,dmsetup.exe,0)
Remember the NUMBER you get here.
If you get 0, check that you have the CORRECT FILENAME (see the note above on finding the name of the file you are sending).
6. On the Windows taskbar with the mouse go to START, then FIND, then FILES OR FOLDERS. Search for file(s) named DMSETUP.EXE (if different, change this to the name), set "Look in" to "My Computer", then hit the Find button.
Compare the number of files you find with step 5's answer. It should be the same or larger, BUT NOT SMALLER and NOT 0 (Find looks at every drive, while step 5 only searched C:).
NEXT DELETE ALL OF THE FILES THAT YOU HAVE FOUND: right-click each one and choose Delete.
NOTE: DO NOT RUN THEM! (VERY IMPORTANT) Double-clicking a file in the Find window runs it.
7. type //say $findfile(c:\,dmsetup.exe,0)
THIS MUST GIVE YOU 0, ELSE YOU HAVEN'T DONE THE PREVIOUS INSTRUCTIONS PROPERLY.
REDO THE ABOVE STEPS IF YOU GET ANYTHING OTHER THAN 0 HERE.
IF YOU CAN'T DELETE ONE OR MORE OF THE FILES (usually because that copy is still running), FINISH THE FIX, REBOOT, AND THEN DO STEPS 5 AND 6 AGAIN.
8. Locate where your mIRC is installed:
type //say $mircdir
You should get something similar to this in the window:
c:\mirc
If what you get is different from c:\mirc, substitute it in the lines below.
9. Delete the following files from the following directories (should mIRC be located elsewhere, substitute that path for c:\mirc).
NOTE: NOT ALL OF THESE MAY BE FOUND, BUT MAKE SURE YOU CHECK THAT THE NAMES YOU TYPE ARE CORRECT.
type /remove c:\mirc\mircrem.ini        (this deletes c:\mirc\mircrem.ini)
type /remove c:\mirc\backup0412.ini     (this deletes c:\mirc\backup0412.ini)
type /remove c:\mirc\backup04.ini       (this deletes c:\mirc\backup04.ini)
type /unload -rs c:\mirc\mirc.ini       (this unloads mirc.ini from mIRC)
type /remove c:\mirc\mirc.ini           (this deletes c:\mirc\mirc.ini)
10. Close mIRC (IMPORTANT), then shut down Windows, reboot, and come back to IRC.
NOTE: you may need to reconfigure or reinstall mIRC in order to use it again, because mirc.ini, which held your settings, has just been deleted.
11. Now you probably need to reconfigure mIRC again.
First of all type /NICK THE_NICK_YOU_WANT
Next go to FILE, then SETUP, then in the IRC SERVERS tab fix up the information in there, i.e. put in your NAME (fake if you want), EMAIL (put in the correct one here), etc.
Next hit the IDENTD tab and put in the PREFIX OF YOUR EMAIL, i.e. if your EMAIL is FRED@lame.com.au then put FRED in the USERID, UNIX in the SYSTEM and 113 in the PORT, and tick the "ENABLE IDENTD SERVER" box.
Hit OK and then, in any window in mIRC, type /SERVER
12. When you get back on to the server, type /whois THE_NICK_YOU_HAVE_NOW and look to see if the info you have entered is correct, and not something the worm put there like s@blah.blah.blah or a number like 3@blah.blah
13. There's no 13, that's unlucky :P
14. Type //titlebar I JUST LEARNT MY LESSON!
15. Type /remote on
16. Type /sreq ask
(this makes mIRC ask you before accepting any DCC send, instead of accepting files automatically)
17. GO BACK TO THE DMSETUP 1 CHECK SECTION (under "Diagnosing DMSetup in your System") AND CHECK AGAIN.
IF STEP 7 FAILED TO DELETE ALL THE FILES, DO STEPS 6 AND 7 AGAIN.
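The diagnosis checks above and steps 3 to 7 of this procedure amount to a short program: count the indicator files under C:\ the way $findfile(c:\,name,0) does, back up autoexec.bat, strip the line that restarts the worm, delete the copies and recount. The Python below is an added example written for this page, not part of the original guide and not mIRC code; it runs that same logic over a constructed directory tree in a temporary folder. The file names, the sample autoexec.bat contents and the layout are all made up here, and none of the sample files is the worm, so it can be tried safely on any system.

```python
"""Added example (not from the original guide): DMSetup 1 indicator search and
autoexec.bat cleanup, run against a constructed sample tree in a temp folder."""
import os
import shutil
import tempfile
from pathlib import Path

# File names the guide gives: the first three for DMSetup 1, ni.cfg for variants 2-4.
INDICATORS = ("configg.sys", "mircrem.ini", "dmsetup.exe", "ni.cfg")


def find_files(root, name):
    """Case-insensitive recursive search, like mIRC's $findfile(root,name,N).
    Returns the full paths; len() of the result is what $findfile(...,0) reports."""
    name = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def diagnose(root, names=INDICATORS):
    """Count every indicator under root; any non-zero count means 'infected'."""
    return {n: len(find_files(root, n)) for n in names}


def clean_autoexec(text, worm_name="dmsetup"):
    """Drop every line that mentions the worm (case-insensitive) and keep all
    other lines byte-for-byte.  Returns (new_text, removed_lines)."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        (removed if worm_name.lower() in line.lower() else kept).append(line)
    return "".join(kept), removed


def clean_autoexec_file(path, worm_name="dmsetup", backup_suffix=".vir"):
    """Step 3 of the guide: /copy autoexec.bat autoexec.vir, then edit in place.
    newline='' keeps the DOS CR/LF line endings exactly as found."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(backup_suffix))
    with open(path, "r", newline="") as fh:
        new_text, removed = clean_autoexec(fh.read(), worm_name)
    with open(path, "w", newline="") as fh:
        fh.write(new_text)
    return removed


def demo():
    """Build a constructed 'infected' layout, diagnose it, clean it, re-check.
    Returns (counts_before, removed_lines, counts_after, backup_exists, autoexec_text)."""
    root = Path(tempfile.mkdtemp(prefix="dmsetup_demo_"))
    try:
        # Constructed sample files (harmless text), placed where the guide says
        # the worm drops copies: the root of the drive, the mIRC folder, Windows.
        for rel in ("configg.sys", "mirc/mircrem.ini", "DMSETUP.EXE", "windows/dmsetup.exe"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample, not the worm\r\n")
        autoexec = root / "autoexec.bat"
        # Constructed autoexec.bat; the worm's line is the last one, as the guide notes.
        autoexec.write_bytes(b"@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\DOS\r\nC:\\DMSETUP.EXE\r\n")

        before = diagnose(root)                      # steps 5 / diagnosis section
        removed = clean_autoexec_file(autoexec)      # step 3
        for n in INDICATORS:                         # steps 4 and 6
            for hit in find_files(root, n):
                os.remove(hit)
        after = diagnose(root)                       # step 7: every count must be 0
        with open(autoexec, "r", newline="") as fh:
            text = fh.read()
        return before, removed, after, (root / "autoexec.vir").exists(), text
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running demo() reports two copies of dmsetup.exe (the search is case-insensitive, as the guide's Find dialog is), one line removed from autoexec.bat, and all counts at zero afterwards; on a real machine you would point find_files and diagnose at the drive root instead of the temporary folder.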
DMSETUP 2-4
Most of this can be done from within mIRC, on a quiet channel or in a message window (NOT IN STATUS).
Type the following commands VERY CAREFULLY; mistakes can cause you problems. Do ALL the steps, and in SEQUENCE.
*** NOTE: the filename may be DMSETUP2.EXE, or it will have been renamed. It will be the filename that you have been automatically sending to people. If it is different, substitute that filename for WHATEVER in the commands below (step 2 shows where to read the name from autoexec.bat).
Substitute the drive and folder where mIRC is located for c:\mirc where needed.
1. Type /remote off
2. Next you need to edit your autoexec.bat in Notepad or another editor. First make a backup of it:
type /copy c:\autoexec.bat c:\autoexec.vir
Next edit the AUTOEXEC.BAT file:
type /run c:\windows\notepad c:\autoexec.bat
If that doesn't work, go to START, then RUN, and put on the line: NOTEPAD C:\AUTOEXEC.BAT
In Notepad find the line containing WHATEVER -inauto and remove that line completely. REMEMBER THE NAME BEFORE THE -inauto: THIS IS THE NAME YOU WILL SUBSTITUTE FOR "WHATEVER" IN THE REST OF THE FOLLOWING STEPS.
REMOVE THAT LINE ONLY.
NOTE: IF IT IS VARIANT 4 of DMSetup, there may be some more lines in there starting with copy and containing "WHATEVER.EXE". Remove those lines too if you have them.
Then close Notepad and SAVE the file, OVERWRITING the old one.
3. Type /unload -rs WHATEVER.INI
(SEE STEP 2 and change WHATEVER to the name that was in AUTOEXEC.BAT)
4. Type /remove WHATEVER.ini (NOTE: USE THE CORRECT FILENAME, see step 2 above)
5. Go to START / FIND / FILES OR FOLDERS in Windows. In "NAMED:" put in WHATEVER.EXE (the name from autoexec.bat in step 2). In "LOOK IN:" change that to "MY COMPUTER" and then hit Find.
You should find around 6 or 7 files; you need to delete ALL OF THEM!
TO DELETE, RIGHT-CLICK ON THE FILE AND SELECT "DELETE". DO NOT DOUBLE-CLICK THEM; THAT RUNS THEM.
When you have finished deleting all of them, go to step 6.
YOU MAY HAVE ONE FILE THAT YOU CAN'T DELETE (usually the copy that is still running). IF THIS IS THE CASE, REMOVE IT LATER, AFTER REBOOTING IN STEP 11.
6. type //say $findfile(c:\,WHATEVER.EXE,0)   (note: use the correct filename)
If the result is 0 then go to step 7, else repeat step 5. MAKE SURE YOU HAVE THE NAME CORRECT FOR WHATEVER (see step 2).
Note: if you had problems and couldn't delete one of them, you will get 1 here. That's OK, just remember to remove it after you reboot later. You can also try deleting it from mIRC:
Type //remove $findfile(c:\,WHATEVER.EXE,1)
($findfile with 1 as the last argument gives the full path of the first match, so this deletes the first remaining copy.)
7. type /remove c:\ni.cfg
8. type /remove mirc.ini
(a name without a path refers to the mIRC directory, $mircdir)
9. Type the following commands (note: some of the files may not be found).
NOTE THE SPELLING, AS SOME OF THESE ARE STRANGE NAMES (GET IT RIGHT)
Type /remove bakupwrks.ini
Type /remove C:\Windows\logox.sys
Type /remove C:\Windows\FreePorn.exe
Type /remove C:\WINDOOM.EXE
Type /remove C:\taged.lmr*
10. Remove the following directories (it probably won't say anything in status):
Type /rmdir C:\CODEDBYTHECREATOR
Type /rmdir c:\youarenotsupposedtobelookingatthis
11. Close mIRC (IMPORTANT), then shut down and reboot your computer.
12. Come back to mIRC and type //say $exists(c:\ni.cfg)
13. There is no 13, it's unlucky :P
14. If this returns $false then you should be cleared.
Type /remote on
Type /sreq ask
(this makes mIRC ask you before accepting any DCC send, instead of accepting files automatically)
15. If you have two folders left over in the mIRC download dir called Ødm2yif and suckØit (where Ø stands for character 255, which is why the names cannot be typed or deleted in the normal way), build the names out of $chr(255) and let deltree remove them:
Type //run command /c deltree c:\mirc\download\ $+ [ $chr(255) $+ dm2yif ]
Type //run command /c deltree c:\mirc\download\ $+ [ suck $+ $chr(255) $+ it ]
That should delete them. Then remove the files with character 255 in their names from the root of C: the same way:
Type /remove c:\ $+ [ $chr(255) ] $+ u $+ [ $chr(255) $+ *.* ]
If you can't delete these directories using any 'normal' method, you MUST BOOT into DOS and type CHKDSK /F to fix the directories.
NOTE: VARIANT 4 CREATES A WHOLE HEAP OF JUNK DIRECTORIES LIKE _u_25___ etc., LIKE THE ABOVE, WHICH MULTIPLY EVERY TIME YOU REBOOT.
AT THIS STAGE I HAVE NO FIX FOR ALL OF THESE DIRECTORIES except chkdsk /f.
If that doesn't work, the only way I can suggest is backing up your computer's files and REFORMATTING (SORRY).
16. If the title bar says "your mirc is buggy", you can change this by typing
//titlebar The Crew from #virushelp are Legends THEY TAUGHT ME NOT TO RUN ANY FILES I GET ON HERE!!!
17. Now you probably need to reconfigure mIRC again. First of all type /NICK THE_NICK_YOU_USE
Next go to FILE, then SETUP, then in the IRC SERVERS tab fix up the information in there, i.e. put in your NAME (fake if you want), EMAIL (put in the correct one here), etc.
Next hit the IDENTD tab and put in the PREFIX OF YOUR EMAIL, i.e. if your EMAIL is FRED@lame.com.au then put FRED in the USERID, UNIX in the SYSTEM and 113 in the PORT, and tick the "ENABLE IDENTD SERVER" box.
Hit OK, and then in any window in mIRC type /SERVER
18. When you get back on, type /whois THE_NICK_YOU_HAVE_NOW and look to see if the info you have entered is correct and not typehere@blah.blah.blah :)
NOTE: you should go to C:\MIRC\DOWNLOADS and delete ALL files with .exe extensions; they are possibly viruses too. Delete them, don't run them to "check".
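Step 2 above (recover the worm's name from the -inauto line and strip its lines from autoexec.bat) and step 15 (delete folders whose names contain character 255 by spelling them out with $chr(255) in mIRC) are the two steps most often got wrong by mistyping. The Python below is an added example written for this page, not code from the original guide or from mIRC: it parses a constructed autoexec.bat that uses the guide's placeholder name WHATEVER, returns exactly the lines the guide says to remove, and renders untypeable folder names as the same [ ... $+ $chr(255) $+ ... ] expressions the guide types. Treating the variant-4 _u_25___ folders as "any name starting with _u_" is an assumption, since the guide gives only that one example.

```python
"""Added example (not from the original guide): find the '-inauto' program in
autoexec.bat (DMSetup 2-4, step 2), list the lines to strip, and build the
$chr(255) expressions used in step 15 for folder names you cannot type."""

INAUTO = "-inauto"


def worm_name_from_autoexec(text):
    """Find the line 'WHATEVER -inauto' (any path, any case) and return
    (name-without-extension, that line), or None if no such line exists."""
    for line in text.splitlines():
        tokens = line.split()
        lowered = [t.lower() for t in tokens]
        if INAUTO in lowered and lowered.index(INAUTO) > 0:
            path = tokens[lowered.index(INAUTO) - 1]
            base = path.replace("/", "\\").rsplit("\\", 1)[-1]   # drop C:\WINDOWS\
            stem = base.rsplit(".", 1)[0] if "." in base else base
            return stem, line
    return None


def strip_worm_lines(text, stem):
    """Remove the '-inauto' line and (variant 4) every 'copy ... STEM.EXE' line.
    All other lines are kept unchanged.  Returns (new_text, removed_lines)."""
    kept, removed = [], []
    target = f"{stem.lower()}.exe"
    for line in text.splitlines(keepends=True):
        low = line.lower()
        is_inauto = INAUTO in low.split()
        is_copy = low.lstrip().startswith("copy") and target in low
        (removed if is_inauto or is_copy else kept).append(line)
    return "".join(kept), removed


def mirc_name_expr(name):
    """Render a file or folder name the way the guide does: characters you
    cannot type (anything outside printable ASCII, plus space and the [ ]
    characters mIRC treats specially) become $chr(N), joined with $+ inside
    evaluation brackets.  A plain name comes back unchanged."""
    parts, buf = [], ""
    for ch in name:
        if 0x21 <= ord(ch) <= 0x7E and ch not in "[]":
            buf += ch
        else:
            if buf:
                parts.append(buf)
                buf = ""
            parts.append(f"$chr({ord(ch)})")
    if buf:
        parts.append(buf)
    if len(parts) == 1 and not parts[0].startswith("$chr("):
        return parts[0]
    return "[ " + " $+ ".join(parts) + " ]"


def deltree_command(download_dir, name):
    """The '//run command /c deltree ...' line from step 15 for any folder name."""
    return f"//run command /c deltree {download_dir}\\ $+ {mirc_name_expr(name)}"


def odd_names(names):
    """Names the guide says the worm leaves behind: anything containing
    character 255, or (assumption: the guide only shows '_u_25___') any name
    starting with '_u_'.  Pass os.listdir() of the download folder in real use."""
    return [n for n in names if "\xff" in n or n.startswith("_u_")]


# Constructed sample autoexec.bat; WHATEVER is the guide's placeholder name.
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\n"
    "PATH C:\\WINDOWS;C:\\DOS\r\n"
    "C:\\WINDOWS\\WHATEVER.EXE -inauto\r\n"
    "copy C:\\WINDOWS\\WHATEVER.EXE C:\\WHATEVER.EXE\r\n"
    "SET BLASTER=A220 I5 D1\r\n"
)
# Constructed listing of c:\mirc\download; \xff is character 255.
SAMPLE_DOWNLOAD_DIR = ["readme.txt", "\xffdm2yif", "suck\xffit", "_u_25___"]


def demo():
    stem, line = worm_name_from_autoexec(SAMPLE_AUTOEXEC)
    cleaned, removed = strip_worm_lines(SAMPLE_AUTOEXEC, stem)
    cmds = [deltree_command("c:\\mirc\\download", n) for n in odd_names(SAMPLE_DOWNLOAD_DIR)]
    return stem, line, cleaned, removed, cmds


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On the constructed input the name recovered is WHATEVER, two lines are removed (the -inauto line and the variant-4 copy line), and the two deltree commands produced for Ødm2yif and suckØit are character-for-character the ones in step 15, so the same function can be used for any other name the worm leaves that cannot be typed.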