
Vundo Help Please


I have read this forum for weeks on end and I've tried everything. I tried FixVundo; it says nothing found. I tried deleting the posxxx files; it won't let me. Please help me fix this issue. If someone can provide me with a step-by-step, please.

Comments

  • I don't know how to use HijackThis or whatever, but I have seen that I need to do that and I have seen it on other sites. Please help.

  • I hope this helps. This is my HJT log (I think I figured that much out):


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 12:38:47 PM, on 2/22/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE


    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE


    C:\Program Files\AIM\AIM Pro\aimpro.exe


    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE


    C:\Documents and Settings\cohene-asante\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Documents and Settings\cohene-asante\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


    O2 - BHO: (no name) - {0444CABA-0E52-444B-AE4A-858965884DDC} - (no file)


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll


    O2 - BHO: {84aac315-c48b-b43b-cc34-042b52285d1c} - {c1d58225-b240-43cc-b34b-b84c513caa48} - (no file)


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SPL.INTERNAL


    O17 - HKLM\Software\..\Telephony: DomainName = SPL.INTERNAL


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SPL.INTERNAL


    O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    O20 - Winlogon Notify: urqnmmk - urqnmmk.dll (file missing)


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 4982 bytes

  • Hi,


    Step 1.


    Remove old Java versions due to a serious security vulnerability (especially for Vundo family malware): download the latest version of the JRE from here: http://java.sun.com/javase/downloads/index.jsp


    Click the download button to the right of Java Runtime Environment (JRE) 6 Update 4.


    Then select platform: Windows - check the licence agreement - click Continue - download the Windows offline installation.


    But don't install it yet.


    Go to Control Panel - Add/Remove Programs and uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE).


    Repeat the uninstall one by one until all the Java versions are removed. Reboot once all Java components are removed.


    Install the Java you have downloaded.


    Step 2.


    Download ComboFix.exe to your desktop using this link:


    bleepingcomputer


    Close any open browsers.


    Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix is finished, turn on/enable your antivirus again.


    Double-click on ComboFix.exe to run the programme and then follow the prompts.


    When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post. ComboFix may need to reboot to finish its work. Let it.


    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



    Step 3.


    Post a fresh HijackThis log into your reply.

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 03:51, on 2008-02-22


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\Documents and Settings\cohene-asante\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Documents and Settings\cohene-asante\Desktop\FixVundo.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


    O2 - BHO: (no name) - {0444CABA-0E52-444B-AE4A-858965884DDC} - (no file)


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll


    O2 - BHO: {84aac315-c48b-b43b-cc34-042b52285d1c} - {c1d58225-b240-43cc-b34b-b84c513caa48} - (no file)


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Documents and Settings\cohene-asante\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SPL.INTERNAL


    O17 - HKLM\Software\..\Telephony: DomainName = SPL.INTERNAL


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SPL.INTERNAL


    O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 4602 bytes

  • Now my clock and date are acting up, showing military time or a 0 before the time if I try to change it, and the date is right but backwards??

  • farbar
    edited February 2008

    O.K. And where is the ComboFix log?

  • ComboFix 08-02-23 - cohene-asante 2008-02-22 4:09:14.1 - NTFSx86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.89 [GMT -5:00]


    Running from: C:\Documents and Settings\cohene-asante\Desktop\ComboFix.exe


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Documents and Settings\LocalService\Application Data\NetMon


    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt


    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt


    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe


    C:\Program Files\inetget2


    C:\Program Files\StorageProtector


    C:\Program Files\StorageProtector\SysRep.exe


    C:\Program Files\StorageProtector\SysRep.exe.xml


    C:\Program Files\StorageProtector\unins000.dat


    C:\Program Files\StorageProtector\unins000.exe


    C:\WINDOWS\IA


    C:\WINDOWS\IA\KE.vbs


    C:\WINDOWS\system32\bburomfx.dll


    C:\WINDOWS\system32\fkixatmm.dll


    C:\WINDOWS\system32\gsvgewwg.dllbox


    C:\WINDOWS\system32\knnmp.ini


    C:\WINDOWS\system32\knnmp.ini2


    C:\WINDOWS\system32\mmtaxikf.ini


    C:\WINDOWS\system32\msnav32.ax


    C:\WINDOWS\system32\tqwpcomx.ini


    C:\WINDOWS\system32\vqpcikcw.ini


    C:\WINDOWS\system32\xfmorubb.ini


    C:\WINDOWS\system32\xjstvuyt.ini


    C:\WINDOWS\system32\xnqntldp.ini


    C:\WINDOWS\uninstall_nmon.vbs


    .


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    -------\LEGACY_CMDSERVICE


    -------\LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))


    .


    2008-02-22 15:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl


    2008-02-22 15:23 . 2008-02-22 15:23 <DIR> d-------- C:\Program Files\Common Files\Java


    2008-02-22 12:36 . 2008-02-22 12:36 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-22 03:45 . 2008-02-22 03:45 22 --a------ C:\WINDOWS\system32\gsvgewwg.zip


    2008-02-06 09:41 . 2008-02-06 09:49 <DIR> d-------- C:\Documents and Settings\cohene-asante\Application Data\wsInspector


    2008-02-06 09:37 . 2008-02-06 09:39 <DIR> d-------- C:\Program Files\Startup Inspector for Windows


    2008-01-31 08:28 . 2008-01-31 08:28 <DIR> d-------- C:\Program Files\Lavasoft


    2008-01-31 08:28 . 2008-01-31 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


    2008-01-31 08:24 . 2008-01-31 08:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


    2008-01-29 23:40 . 2008-01-29 23:40 163,904 --------- C:\WINDOWS\system32\gsvgewwg.dll


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-22 20:25 --------- d-----w C:\Program Files\Java


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\cohene-asante\Application Data\Yahoo!


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!


    2008-01-30 15:09 --------- d-----w C:\Program Files\Yahoo!


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]


    2008-01-29 23:40 163904 --------- C:\WINDOWS\system32\gsvgewwg.dll


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    "FlashPlayerUpdate"="C:\Documents and Settings\cohene-asante\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe" [2007-02-20 15:15 190696]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]


    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]


    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 08:48 147514]


    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gsvgewwg]


    gsvgewwg.dll 2008-01-29 23:40 163904 C:\WINDOWS\system32\gsvgewwg.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109043195-537022207-5522801-2906\Scripts\Logon\0\0]


    "******"=D:\Public\inventory.bat


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019


    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


    "C:\\Program Files\\BitLord\\BitLord.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "5900:TCP"= 5900:TCP:VNC


    "5800:TCP"= 5800:TCP:VNC1


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-22 16:17:35


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-22 16:19:27 - machine was rebooted [cohene-asante]


    ComboFix-quarantined-files.txt 2008-02-22 21:19:16


    .


    2008-02-13 08:04:44 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 16:27, on 2008-02-22


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Documents and Settings\cohene-asante\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe


    C:\WINDOWS\system32\NOTEPAD.EXE


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SPL.INTERNAL


    O17 - HKLM\Software\..\Telephony: DomainName = SPL.INTERNAL


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SPL.INTERNAL


    O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 4190 bytes

  • farbar
    edited February 2008

    Step 1.


    Please copy and archive (rar, 7-zip, etc.) the file in bold, password-protected using the word infected as the password. If you don't know how, you may read more on that here: Virus Submission.


    C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    Note that the file may be hidden. In that case you should unhide it. To do that, please set your system to show all files.


    Click Start, open My Computer, select the Tools menu and click Folder Options.


    Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.


    Uncheck: Hide file extensions for known file types


    Uncheck: Hide protected operating system files (recommended) option.


    Click Yes to confirm.


    Step 2.


    Go to Add/Remove Programs and uninstall all P2P applications (BitLord, etc.). You may install them later on when we are finished (hopefully the next post).


    Step 3.


    Open Notepad (Start menu - All Programs - Accessories - Notepad).


    Copy and paste the text in the code box below into it.


    * Select Save in: Desktop


    * Fill in File name: CFScript.txt


    * Save as type: All file types (*.*)


    * Click Save.


    Open Notepad and copy/paste into it:


    file::
    C:\WINDOWS\SYSTEM32\gsvgewwg.dll
    C:\WINDOWS\system32\gsvgewwg.zip
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gsvgewwg]


    Drag CFScript.txt into ComboFix.exe. You can see the image showing this here:


    http://www.fromsej.saknet.dk/billeder/cfscript.gif


    ComboFix will now run a scan on your system.


    It may reboot your system when it finishes. This is normal.


    Please post the ComboFix log and a fresh HJT log into your reply.


    By the way: you were talking about Pos*.tmp in your next post. I see nothing on the ComboFix log. Do you still have them? Please give me some feedback.
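A defender-side way to read the logs posted in this thread, as an added example (my code, not a tool from the thread, and not HijackThis's or ComboFix's own parser): it splits HijackThis "Oxx" lines into fields, flags orphaned entries and unnamed BHOs, cross-references O2 BHOs against O20 Winlogon Notify handlers (the gsvgewwg.dll pattern in the logs above, which is why the file is in use from logon and cannot just be deleted), and renders the hits in the CFScript layout the post above uses. The sample log lines are copied from this thread; the section-tag regex, the heuristics and the helper names are my assumptions.

```python
"""Triage a HijackThis log for the Vundo-style persistence seen in this thread.

Added example, not a tool from the thread: parsing and heuristics are mine; the
CFScript layout (file:: / registry:: / [-key]) is the one the post above uses.
"""
import re

# Constructed sample: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll
O20 - Winlogon Notify: urqnmmk - urqnmmk.dll (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

# Assumed line shape: "<section tag> - <field> - <field> - ..." (O2, O4, O20, O23, R0, ...).
ENTRY_RE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def parse_hjt(text):
    """Split each HijackThis line into its section tag and ' - '-separated fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            fields = [f.strip() for f in m.group("body").split(" - ")]
            entries.append({"section": m.group("section"), "fields": fields, "raw": line.strip()})
    return entries


def has_file(entry):
    """False for the '(no file)' / '(file missing)' orphans HijackThis reports."""
    last = entry["fields"][-1]
    return last != "(no file)" and "(file missing)" not in last


def basename(path):
    """Case-folded file name; drops a trailing annotation such as '(file missing)'."""
    return path.rsplit("\\", 1)[-1].split(" ")[0].lower()


def dual_persistence(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify handler (O20).

    The BHO runs inside Internet Explorer, the Notify handler inside winlogon.exe,
    so the DLL is loaded from logon onward: the gsvgewwg.dll situation in this thread.
    """
    bho = {basename(e["fields"][-1]): e for e in entries if e["section"] == "O2" and has_file(e)}
    notify = {basename(e["fields"][-1]): e for e in entries if e["section"] == "O20" and has_file(e)}
    return {name: (bho[name], notify[name]) for name in bho.keys() & notify.keys()}


def triage(entries):
    """Return (raw line, reason) pairs for the entries worth a second look."""
    findings = []
    for e in entries:
        if not has_file(e):
            findings.append((e["raw"], "orphaned entry: backing file is gone; stale, but clean it up"))
        elif e["section"] == "O2" and e["fields"][0] == "BHO: (no name)":
            findings.append((e["raw"], "unnamed BHO backed by a real DLL: typical of Vundo-style adware"))
    for name, (bho_entry, _) in dual_persistence(entries).items():
        findings.append((bho_entry["raw"], f"{name} is both a BHO and a Winlogon Notify handler: dual persistence"))
    return findings


def build_cfscript(entries):
    """Render the dual-persistence hits in the CFScript layout used in the post above.

    '[-key]' deletes the key; the '\\~\\Browser Helper Objects' abbreviation is the one
    ComboFix prints in the 'Reg Loading Points' section of the logs in this thread.
    """
    files, keys = {}, []
    for _, (bho_entry, notify_entry) in dual_persistence(entries).items():
        for e in (bho_entry, notify_entry):
            path = e["fields"][-1]
            files.setdefault(path.lower(), path)  # same DLL in different case: list it once
        clsid = next((f for f in bho_entry["fields"] if CLSID_RE.match(f)), None)
        if clsid:
            keys.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")
        notify_name = notify_entry["fields"][0].split(": ", 1)[1]
        keys.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                    f"\\winlogon\\notify\\{notify_name}]")
    return "\n".join(["file::", *files.values(), "registry::", *keys])


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for raw, reason in triage(parsed):
        print(f"{reason}\n    {raw}")
    print(build_cfscript(parsed))
```

The cross-reference is the useful part: an unnamed BHO alone is only a hint, but the same DLL name appearing under both O2 and O20 is the dual-persistence layout the logs above show, and it is also the reason a plain delete fails while winlogon.exe holds the file open, which is what the scripted ComboFix run in the post addresses.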

  • Yes, there are still a ton of pos*.tmp files under the C:\ directory! I also could not find BitLord or Yahoo IM in my Add/Remove Programs under the Control Panel, as I never found the Java either. So I went under the Start menu and uninstalled BitLord but wasn't able to find the uninstaller for Yahoo. Hope that helps!??

  • WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\WINDOWS\system32\gsvgewwg.dllbox


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))


    .


    2008-02-25 08:59 . 2008-02-25 09:00 153,969 --a------ C:\WINDOWS\system32\gsvgewwg.zip


    2008-02-22 15:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl


    2008-02-22 15:23 . 2008-02-22 15:23 <DIR> d-------- C:\Program Files\Common Files\Java


    2008-02-22 15:01 . 2008-02-22 15:01 1,917 --a------ C:\WINDOWS\imsins.BAK


    2008-02-22 12:36 . 2008-02-22 12:36 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-06 09:41 . 2008-02-06 09:49 <DIR> d-------- C:\Documents and Settings\chi-chi\Application Data\wsInspector


    2008-02-06 09:37 . 2008-02-06 09:39 <DIR> d-------- C:\Program Files\Startup Inspector for Windows


    2008-01-31 08:28 . 2008-01-31 08:28 <DIR> d-------- C:\Program Files\Lavasoft


    2008-01-31 08:28 . 2008-01-31 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


    2008-01-31 08:24 . 2008-01-31 08:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


    2008-01-29 23:40 . 2008-01-29 23:40 163,904 --------- C:\WINDOWS\system32\gsvgewwg.dll


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-25 14:06 --------- d-----w C:\Program Files\BitLord


    2008-02-22 20:25 --------- d-----w C:\Program Files\Java


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\cohene-asante\Application Data\Yahoo!


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!


    2008-01-30 15:09 --------- d-----w C:\Program Files\Yahoo!


    2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys


    2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe


    2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll


    2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe


    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll


    2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]


    2008-01-29 23:40 163904 --------- C:\WINDOWS\system32\gsvgewwg.dll


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]


    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]


    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 08:48 147514]


    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gsvgewwg]


    gsvgewwg.dll 2008-01-29 23:40 163904 C:\WINDOWS\system32\gsvgewwg.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109043195-537022207-5522801-2906\Scripts\Logon\0\0]


    "******"=D:\Public\inventory.bat


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019


    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


    "C:\\Program Files\\BitLord\\BitLord.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "5900:TCP"= 5900:TCP:VNC


    "5800:TCP"= 5800:TCP:VNC1


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-25 09:21:06


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    Completion time: 2008-02-25 9:22:16


    ComboFix-quarantined-files.txt 2008-02-25 14:22:07


    .


    2008-02-13 08:04:44 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 09:36, on 2008-02-25


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\Documents and Settings\chi-chi\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\system32\verclsid.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\WINDOWS\system32\NOTEPAD.EXE


    C:\WINDOWS\system32\taskmgr.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SP.INTERNAL


    O17 - HKLM\Software\..\Telephony: DomainName = SP.INTERNAL


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SP.INTERNAL


    O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 4257 bytes

  • Yes, there are still a ton of pos*.tmp files under the C:\ directory! I also could not find BitLord or Yahoo IM in my Add/Remove Programs under the Control Panel, and I never found the Java either. So I went under the Start menu and uninstalled BitLord, but wasn't able to find the uninstaller for Yahoo. Hope that helps!??


    Of course that helps; the more feedback you give me, the more I know what is happening there and the better I can help.

    Please read my whole post and follow the steps in the order they are written. If you face a problem, please report back before going to the next step.

    So please do step 1 before we go further.

  • Well, how do I delete the old Java, as it isn't in the Remove Programs list nor on the Start menu? I have already installed the new Java! But I will start all over again and try again, I guess.

  • Uninstall Java.

    Remove its folder from Program Files.

    Don't install it yet; we will do it in the coming two posts.

    I meant step 1 of the previous post:

    The virus researchers may want to take a look at some files and, if needed, add them to BD for future detection.

    Please copy the files in bold.

    Archive them password-protected (using .rar, 7-Zip, etc.).

    The password you use should be "infected".

    Upload them as an attachment.

    If they are more than 2 MB you should make more than one archive file/folder.

    If you don't know how, read this topic: Virus Submission.

    To attach the archive to your reply: when you press Reply, under the reply window press Browse..., show the path to the file on your computer, then press the green UPLOAD button.

  • farbar
    edited February 2008

    chi-chi,

    I removed your PM because you have given me a link (probably to the uploaded infected file?) without any explanation, and I didn't want to risk clicking on it. The instructions to upload a file are given in my previous post. The attachments are going to be downloaded by virus researchers and the moderators of the site, to avoid infecting others. Members can't download attachments.

  • Yeah, don't open it, it is the "infected" file. I sent it to the email address listed, but it also said to PM it to moderators, which I knew none of, and I thought you were one, sorry. The next post contains the HJT and CF logs. Thanks, let me know what else you need.

  • ComboFix 08-02-23 - chi-chi 2008-02-25 17:43:56.3 - NTFSx86


    Running from: C:\Documents and Settings\chi-chi\Desktop\ComboFix.exe


    Command switches used :: C:\Documents and Settings\chi-chi\Desktop\CFScript.txt


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\WINDOWS\system32\gsvgewwg.dllbox


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))


    .


    2008-02-25 17:33 . 2008-02-25 17:33 153,969 --a------ C:\WINDOWS\system32\gsvgewwg.zip


    2008-02-25 17:29 . 2003-02-20 18:42 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl


    2008-02-22 15:01 . 2008-02-22 15:01 1,917 --a------ C:\WINDOWS\imsins.BAK


    2008-02-22 12:36 . 2008-02-22 12:36 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-06 09:41 . 2008-02-06 09:49 <DIR> d-------- C:\Documents and Settings\chi-chi\Application Data\wsInspector


    2008-02-06 09:37 . 2008-02-06 09:39 <DIR> d-------- C:\Program Files\Startup Inspector for Windows


    2008-01-31 08:28 . 2008-01-31 08:28 <DIR> d-------- C:\Program Files\Lavasoft


    2008-01-31 08:28 . 2008-01-31 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


    2008-01-31 08:24 . 2008-01-31 08:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


    2008-01-29 23:40 . 2008-01-29 23:40 163,904 --------- C:\WINDOWS\system32\gsvgewwg.dll


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\chi-chi\Application Data\Yahoo!


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!


    2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys


    2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe


    2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll


    2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe


    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll


    2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]


    2008-01-29 23:40 163904 --------- C:\WINDOWS\system32\gsvgewwg.dll


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]


    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]


    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 08:48 147514]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gsvgewwg]


    gsvgewwg.dll 2008-01-29 23:40 163904 C:\WINDOWS\system32\gsvgewwg.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109043195-537022207-5522801-2906\Scripts\Logon\0\0]


    "******"=D:\Public\inventory.bat


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019


    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


    "C:\\Program Files\\BitLord\\BitLord.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "5900:TCP"= 5900:TCP:VNC


    "5800:TCP"= 5800:TCP:VNC1


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-25 17:49:18


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    Completion time: 2008-02-25 17:50:38


    ComboFix-quarantined-files.txt 2008-02-25 22:50:28


    .


    2008-02-13 08:04:44 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 08:43, on 2008-02-26


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\system32\NOTEPAD.EXE


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\Documents and Settings\chi-chi\Desktop\Unused Desktop Shortcuts\Mozilla Firefox\firefox.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = S.INTERNAL


    O17 - HKLM\Software\..\Telephony: DomainName = S.INTERNAL


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = S.INTERNAL


    O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 3933 bytes

  • farbar
    edited February 2008

    Step 1.

    We will take care of the infected file later on. We have done this before, but when I uploaded the text it was changed, and I did not notice it at that time. That is why it did not work.

    Open Notepad (Start menu - All Programs - Accessories - Notepad). Make sure Word Wrap is not selected.

    Copy and paste the text in bold into it.


    file::


    C:\p*.tmp


    C:\Documents and Settings\chi-chi\My Documents\p*.tmp


    C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    C:\WINDOWS\system32\gsvgewwg.zip


    folder::


    C:\Program Files\BitLord


    C:\Program Files\Java


    C:\Program Files\Common Files\Java


    registry::


    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]


    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gsvgewwg]



    * Select Save in: Desktop

    * Fill in File name: CFScript.txt

    * Save as type: All Files (*.*)

    * Click Save

    Drag CFScript.txt onto ComboFix.exe.


    ComboFix will now run a scan on your system.


    It may reboot your system when it finishes. This is normal.


    Please post the combofix log and a fresh HJT log into your reply. And tell me if the pos*.tmp files are removed.
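The triage farbar is doing on the HJT log, as an added Python example (not part of this thread, HijackThis or ComboFix): it parses the O-lines, flags the pattern that identified the infection here (a "(no name)" O2 BHO whose DLL is also the O20 Winlogon Notify package), and diffs two logs so a fresh log can be checked for the entries the CFScript was meant to remove. The two log excerpts are constructed from lines posted earlier in this thread.

```python
"""Triage HijackThis (HJT) logs: flag Vundo-style persistence and diff two scans.

Added example for this thread; it is not part of HijackThis or ComboFix.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpts of the HJT logs posted above, before and after the CFScript run.
HJT_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gsvgewwg.dll
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O20 - Winlogon Notify: gsvgewwg - C:\WINDOWS\SYSTEM32\gsvgewwg.dll
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""
HJT_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path on the line, up to a dll/exe/cpl/sys extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|cpl|sys)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O20", ...
    detail: str   # everything after "Onn - "
    path: str     # lower-cased file path, or "" when the line names none
    clsid: str    # CLSID in braces, or ""


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O-lines of an HJT log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        p = PATH_RE.search(detail)
        c = CLSID_RE.search(detail)
        entries.append(Entry(section, detail,
                             p.group(0).lower() if p else "",
                             c.group(0).upper() if c else ""))
    return entries


def find_suspicious(entries: list[Entry]) -> list[str]:
    """Two rules behind the diagnosis in this thread:
    1. an O2 BHO with no name is unusual for legitimate software;
    2. one DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20)
       is the layout Vundo used; winlogon.exe loads the notify DLL at logon, so the
       file is in use and cannot simply be deleted by hand.
    """
    findings = []
    sections_by_path = defaultdict(set)
    for e in entries:
        if e.section == "O2" and "(no name)" in e.detail:
            findings.append(f"O2 BHO without a name: {e.clsid} -> {e.path}")
        if e.path:
            sections_by_path[e.path].add(e.section)
    for path, sections in sections_by_path.items():
        if {"O2", "O20"} <= sections:
            findings.append(f"DLL is both BHO and Winlogon Notify: {path}")
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Return (removed, added) entry lines between two scans, ignoring case and spacing."""
    def keyed(entries):
        return {" ".join(e.detail.split()).lower(): e for e in entries}
    b, a = keyed(parse_hjt(before)), keyed(parse_hjt(after))
    removed = [f"{b[k].section} - {b[k].detail}" for k in sorted(b.keys() - a.keys())]
    added = [f"{a[k].section} - {a[k].detail}" for k in sorted(a.keys() - b.keys())]
    return removed, added


def cleanup_verified(before: str, after: str) -> bool:
    """True when the first log had findings and the second has none left."""
    return bool(find_suspicious(parse_hjt(before))) and not find_suspicious(parse_hjt(after))


if __name__ == "__main__":
    for finding in find_suspicious(parse_hjt(HJT_BEFORE)):
        print("FLAG:", finding)
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("removed after fix:", *removed, sep="\n  ")
    print("added after fix:", added)
    print("cleanup verified:", cleanup_verified(HJT_BEFORE, HJT_AFTER))
```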

  • The posxx.tmp files are gone!! :) Here is the log:


    ComboFix 08-02-23 - chi-chi 2008-02-26 9:50:25.4 - NTFSx86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.56 [GMT -5:00]


    Running from: C:\Documents and Settings\chi-chi\Desktop\ComboFix.exe


    Command switches used :: C:\Documents and Settings\chi-chi\Desktop\CFScript.txt


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    FILE ::


    C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    C:\WINDOWS\system32\gsvgewwg.zip


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\WINDOWS\SYSTEM32\gsvgewwg.dll


    C:\WINDOWS\system32\gsvgewwg.dllbox


    C:\WINDOWS\system32\gsvgewwg.zip


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))


    .


    2008-02-25 17:29 . 2003-02-20 18:42 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl


    2008-02-22 15:01 . 2008-02-22 15:01 1,917 --a------ C:\WINDOWS\imsins.BAK


    2008-02-22 12:36 . 2008-02-22 12:36 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-06 09:41 . 2008-02-06 09:49 <DIR> d-------- C:\Documents and Settings\chi-chi\Application Data\wsInspector


    2008-02-06 09:37 . 2008-02-06 09:39 <DIR> d-------- C:\Program Files\Startup Inspector for Windows


    2008-01-31 08:28 . 2008-01-31 08:28 <DIR> d-------- C:\Program Files\Lavasoft


    2008-01-31 08:28 . 2008-01-31 08:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


    2008-01-31 08:24 . 2008-01-31 08:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\chi-chi\Application Data\Yahoo!


    2008-01-30 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]


    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]


    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 08:48 147514]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109043195-537022207-5522801-2906\Scripts\Logon\0\0]


    "******"=D:\Public\inventory.bat


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019


    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


    "C:\\Program Files\\BitLord\\BitLord.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "5900:TCP"= 5900:TCP:VNC


    "5800:TCP"= 5800:TCP:VNC1


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-26 10:00:30


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-26 10:02:20 - machine was rebooted


    ComboFix-quarantined-files.txt 2008-02-26 15:02:15


    ComboFix2.txt 2008-02-25 22:50:38


    .


    2008-02-13 08:04:44 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:02, on 2008-02-26


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\WINDOWS\explorer.exe


    C:\WINDOWS\system32\notepad.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = S.INTERNAL


    O17 - HKLM\Software\..\Telephony: DomainName = S.INTERNAL


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = S.INTERNAL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 3406 bytes

  • The icon for the C: drive is still showing the red "X", and I still have the "Help and Support Center" and "Windows Update" icons on my desktop. However, the image for the icon is now not showing and the generic default picture is there, although the name and placeholder for the icons remain, FYI. Hope any of this helps?

  • First of all, congratulations! Your log is clean. There is no active infection on your system.

    You didn't mention pos*.tmp in your post; I suppose they are taken care of.

    Now we are going to take care of the repair and cleaning. Please do the following steps in the order they are written.


    * Uninstall ComboFix. To do that go to: Start >> Run..., type: Combofix /u and click OK.

    If you face any problem with uninstalling, manually remove ComboFix and C:\Qoobox.


    * Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)

    • Double-click ATF-Cleaner.exe to run the program.

    Under Main "Select Files to Delete" choose: Select All.

    Click the Empty Selected button.

    If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All.

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser:
    • Click Opera at the top and choose: Select All.

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    * Open Notepad, make sure Word Wrap under the Format menu is not selected, and copy and paste the text in bold into it:

    regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons"

    start notepad look.txt

    Save this as look.bat, choose to save as "All files", and place it on your desktop.

    Double-click look.bat.

    Notepad will open with some text in it. Copy and paste the contents into your next reply.

  • Windows Registry Editor Version 5.00


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]


    @="%SystemRoot%\\system32\\shell32.dll,131"

  • farbar
    edited February 2008

    * Open Notepad, make sure Word Wrap under the Format menu is not selected.

    Copy and paste the text in bold into it.

    REGEDIT 4

    [-KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]

    Save the file to the desktop as driveicons.reg and make sure the "Save as type" field says "All files". Locate driveicons.reg on the Desktop, double-click on it and confirm.

    * Remove the icons on the desktop using the "Desktop Cleanup Wizard". To do that, right-click on your desktop with all the windows closed, select "Arrange Icons By" - Run Desktop Cleanup Wizard - Next - what you want to clean should be checked - Finish.

    chi-chi: After doing that tell me about:

    1. p*.tmp (the third time I am requesting feedback on this)

    2. The red X on drive C.

    3. The icons.

    4. Did you do the steps I suggested (uninstall ComboFix and apply ATF Cleaner)? Please give me feedback, I am not with you to see what you are doing.

  • chi-chi
    edited February 2008

    I apologize for not giving the feedback.

    1. The p*.tmp files are gone from volume C:.

    2. The red X on drive C: still remains??

    3. The icons are now gone after running the desktop icon wizard you just had me do.

    4. I have followed all your steps and they seem to have worked, as there are no longer the error pop-ups and my PC is a lot quicker.

    5. Just a reminder as to how I will change my clock and time back to normal, since ComboFix adjusted its formatting. Thanks in advance.

  • No problem and thank you for the feedback.


    We do this once more with a little difference:


    1. Please remove driveicons.reg from your desktop.


    Open Notepad and make sure Word Wrap under the Format menu is not selected.


    Copy and paste the text in bold into it.


    REGEDIT4


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]


    Save the file to the desktop as removex.reg and make sure the "Save as type" field says "All files". Locate removex.reg on the Desktop and double-click on it and confirm.


    Reboot and see if the red x is gone.


    2. ComboFix should have fixed the clock after finishing the scan. But you can go to Control Panel - Date and Time icon - and reset your clock.
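    Added example, not from the thread: a small Python linter for REGEDIT4 deletion scripts like the one above. It checks the header and the hive name of each section and lists what the script would actually delete; the embedded sample is constructed from the thread's script with the original "KEY_LOCAL_MACHINE" hive typo kept in place so the check fires.

```python
import re

# Constructed sample: the thread's DriveIcons deletion script, with the
# hive typo on the first section left in so the linter has something to flag.
SAMPLE_REG = r"""REGEDIT4

[-KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]
"""

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALID_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# A section line is "[path]" to create/modify a key or "[-path]" to delete it.
SECTION_RE = re.compile(r"^\[(-?)([^\]]+)\]$")


def lint_reg(text):
    """Return (problems, deletions).

    problems  - human-readable findings (bad header, unknown hive name)
    deletions - key paths that a valid "[-...]" section would remove
    """
    lines = text.splitlines()
    problems, deletions = [], []
    header = lines[0].strip() if lines else ""
    if header not in VALID_HEADERS:
        # "REGEDIT 4" (with a space) is the header typo from the first attempt.
        problems.append("bad header: %r" % header)
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if not m:
            continue  # value lines ("name"=...) are not checked here
        is_delete, path = m.group(1) == "-", m.group(2)
        hive = path.split("\\", 1)[0]
        if hive not in VALID_HIVES:
            problems.append("line %d: unknown hive %r, regedit skips this section" % (n, hive))
        elif is_delete:
            deletions.append(path)
    return problems, deletions


if __name__ == "__main__":
    found, removed = lint_reg(SAMPLE_REG)
    print("\n".join(found) or "no problems")
    print("would delete:", removed)
```

    Run against the sample it reports the mistyped hive and shows that only the two subkeys under DriveIcons\c would actually be removed.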

  • OK, I really appreciate all your help, farbar, as the red x is gone and everything seems to be back to normal minus the clock. It's showing the time right, but as soon as 1pm hits it will be in military time, and the date shows as 2008-02-27, which is the correct date, but the formatting is off. This is not a big deal, but just a heads up on it, and if you know how to fix it that would be helpful. I went to the time settings and, since the time and date are right, I need to figure out how to change the formatting rather, and there was no setting for it.


    I might need help with my home PC as it's also slow, very slow lqtm. Thanks again!

  • farbar
    edited February 2008

    Let's finish the job and then we find the solution for the date format.


    Step 1.


    Apply ATF cleaner.


    Step 2.


    Empty your System Volume Information to get rid of re-creation of the infection by Windows System Restore. To do that: go to Start - Control Panel - System - System Restore - check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot and uncheck "Turn off System Restore on all drives" to create a clean restore point.


    Step 3.


    Optional but highly recommended: let your computer be scanned by:


    BitDefender Online Scanner


    Malwarebytes' Anti-Malware


    Download from MajorGeeks.com


    Let them remove everything they find.


  • When you are finished with previous post you can change the date format:


    Click Start - Control Panel - Regional and Language Options - Customize - under Date and time you can change the order of the date and time.

  • OK, the online scanner got hung up and is frozen, but it got toward the end and no infections were found, so it's just sitting on freeze right now; maybe it will load? The malware is running now and I changed the time! Thanks a million.

  • You are most welcome. If there is anything you need assistance with let me know.

  • g4ardo

    SAY MAN, I GOT JUST THE ANSWER YOU WAS LOOKING FOR. VUNDO HAPPENED TO GET ME AND WAS ###### ME OFF WITH THE POP-UPS AND THE REAPPEARING OF INFECTED FILES. I SEARCHED EVERY KEY WORD IN GOOGLE AND TRIED EVERY PROGRAM I STUMBLED UPON. BUT JUST LIKE YOU, THEY AIN'T WORK!!!!!! I ASKED GOD TO LEAD ME TO A SITE THAT WOULD FIX MY PROBLEM AND THIS IS WHAT HE LED ME TO: http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure


    I KNOW IT'S NOT A LINK, BUT JUST COPY AND PASTE IT INTO THE WEB ADDRESS THINGY. SCROLL DOWN AND DOWNLOAD THE


    F-SECURE BLACKLIGHT BETA. DON'T THINK THIS IS JUST ANOTHER PROGRAM THAT'S NOT GOING TO WORK. TRUST ME, IT WILL. IT'S GOING TO LOOK LIKE A CMD PROMPT. MAKE SURE NO OTHER PROGRAM IS RUNNING WHEN YOU USE THIS!!!!! AND DON'T CLICK IT WITH YOUR MOUSE!!!!!! IT'S GOING TO SAY SOMETHING LIKE 1/50 ETC.. ARE YOU SURE. SAY YES. THEN IT'LL BE ABOUT 5 MINUTES AND YOUR DESKTOP WILL GO BLANK. DON'T WORRY, THAT'S A GOOD THING. AFTER A LIL WHILE LONGER IT'S GOING TO CLEANSE EVERYTHING AND IT WILL RESTART YOUR COMPUTER. YOUR COMPUTER SHOULD RESTART BACK UP AND BLACKLIGHT BETA IS GOING TO AUTOMATICALLY LAUNCH. LET IT DO ITS THING AND ABOUT 7 MINUTES LATER VUNDO IS GOING TO BE GOOOOOOOOOONE!!!!!!! THIS IS GUARANTEED TO WORK. IF YOU HAVE ANY PROBLEMS, LET ME KNOW.