elly00

remove AdWare

19 posts in this topic

Hi,

I have a PC where KIS detects an adware that I cannot remove.

OS: Windows XP, KIS 6.0.2.621

On the attached report you can see:

rilevato (means detected): adware not-a-virus:AdWare.Win32.LinkOptimizer.h File: C:\WINDOWS\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX

rilevato: malware Exploit.Win32.IMG-ANI.k URL: http://imxndm7rj.com/92b8d7b02bfcd6231869/fciaa/wliogxy.ani

Note that I cannot find this qpbby1.dll file even if I choose "go to file".

Then on this PC sometimes explorer.exe crashes and something tries to start strange connections (see images).

Can you tell me the exact steps to clean everything?

Thanks

Elena

Attachments: report.txt, dialer.zip

hello

try booting into safe mode and proceed with deleting the file from there.

it could also be good to do a scan with

an anti-rootkit tool like blacklight: http://www.f-secure.com/blacklight/

and superantispyware: http://www.superantispyware.com/

(quoted from post 403025)

Hi,

thanks...

Do you think I can see the file in safe mode? Starting Windows "normally", the file is not visible..

of course it's not visible, there's a rootkit involved. you might be able to see it in safe mode. if you can't, then perform the blacklight scan in normal mode

(quoted from post 403029)

OK!!!

I'll do that and let you know the result....

I still don't know why, if I have KIS installed, this kind of adware can get onto the system?

Thanks


Rootkits aren't a specific component of version 6 (but it still covers some); version 7 has more specifics for this.

As for the ANI exploit, it is a Microsoft exploit, not a KIS exploit. Is your system up to date?

ANI info - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765

But for now concentrate on what Lucian is asking. If you find this file, maybe the date it was created will lead to what you were doing on the internet, or at least reflect on where.....


Hi,

yes sure, I'll do what he said and post the result..

and... yes, the system is correctly updated...

Thanx


Elly... next time please post about virus-related issues in the virus-related issues section; you have been here long enough to know this by now.


yes sorry ;( just a second after having sent the message I remembered that the post was in the wrong place..... sorry sorry ..... I'll never do that again....


Hi,

I've restarted in safe mode but didn't find the file:

C:\WINDOWS\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX

Running Spybot, nothing is found...

What can I do now?

Thanx


Looks like it's embedded in an archive.

 

 



Difficult to know... ;(

Any ideas?


Do you have a removal tool?

Thanks

Elena


No....... elly, have you run a full scan with both Kaspersky and SUPERAntiSpyware with System Restore disabled? Also try this LinkOptimizer tool.


Hi all,

some news about the PC situation...

1) running http://killbox.net/downloads/KillBox.exe the error is:

PendingFileRenameOperations Registry data has been removed by external process!

2) SUPERAntiSpyware and F-Secure don't start

3) running the LinkOptimizer tool, it restarted the PC but then it gives "access denied"; after that I can run SUPERAntiSpyware..

Now I'm doing a full scan... I don't know if it could remove the rootkit

I'll inform you about the result

I have a service named "WinVhm" started as .\TGyPWUmr that I cannot stop or set to start manually.. now it is on automatic startup

Thanks

Elly


Hi,

running SUPERAntiSpyware and F-Secure.. at the end KIS has removed the C:\WINDOWS\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX

file...

Only the service "WinVhm" started as .\TGyPWUmr is still present on the PC...

(not started) but set to "automatic".

Do you think I can leave it or what?

Thanx

can you post a screenshot of that?

(quoted from post 405115)

Hi,

I don't have the option to send attachments anymore?!!? I don't know why...

But in the image you can see that this service is used for "save in cache DNS names"

Thanx

yes attaching files isn't available here, you can try to host it on http://imageshack.us and post the link here.

also you can use the console command sc delete WinVhm to delete that service

(quoted from post 405152)

Hi,

I'll try to delete the service from the console....

See the images here:

http://img260.imageshack.us/img260/7664/serviceva3.th.png

http://img260.imageshack.us/img260/4809/service2os7.th.png

Thanks for your help!


Hi,

this is a never-ending story..

Today I've deleted the service but on the desktop I had the dialer warning again..

Opening KIS I see that it has detected and removed the same rootkit (as it did yesterday)..

25/07/2007 8.31.20 File C:\WINDOWS\QPBBY1.DLL//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX: detected adware not-a-virus:AdWare.Win32.LinkOptimizer.h. Utente: WORKGROUP\MAURA$, computer: localhost.

Maybe there is something that regenerates the infection?

Now I'm doing a new scan with SUPERAntiSpyware.. I still don't know the result

let's see if this can help: post a combofix log.

download combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

double click it, follow the steps on the screen. After the scan is complete post the combofix.txt file (should be in c:\)

do not click inside the combofix window while it's scanning

(quoted from post 405404)

Hi, here is the log:

"m a " - 2007-07-26 19.11.43 - ComboFix 07-07-23.6 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))

 

 

2007-07-26 19:10 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-25 08:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATIAP~1\SUPERAntiSpyware.com

2007-07-25 08:02 699 --a------ C:\armada.bat

2007-07-25 07:59 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\DATIAP~1\TEMP

2007-07-25 07:54 <DIR> d-------- C:\Programmi\SUPERAntiSpyware

2007-07-25 07:54 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard

2007-07-25 07:54 <DIR> d-------- C:\DOCUME~1\MAURAA~1\DATIAP~1\SUPERAntiSpyware.com

2007-07-24 13:06 <DIR> d-------- C:\!KillBox

2007-07-14 11:50 108,544 --a------ C:\WINDOWS\system32\services.exe

2007-07-10 07:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATIAP~1\Spybot - Search & Destroy

2007-07-07 13:34 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys

2007-07-07 13:34 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys

2007-07-07 13:33 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll

2007-07-07 13:33 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll

2007-07-07 13:33 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

2007-07-07 13:33 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2007-07-07 13:33 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2007-07-07 13:33 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll

2007-07-07 13:33 <DIR> d-------- C:\Programmi\File comuni\Ahead

2007-07-07 13:28 <DIR> d-------- C:\Programmi\CCleaner

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-26 17:11:36 23,507,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2007-07-26 17:10:49 251,936 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2007-07-26 17:07:00 -------- d-----w C:\DOCUME~1\MAURAA~1\DATIAP~1\Skype

2007-07-26 16:04:57 -------- d-----w C:\Programmi\eMule

2007-07-25 19:51:56 311,924 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-07-25 19:51:56 24,140 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2007-07-25 17:04:23 -------- d-----w C:\Programmi\IMSI

2007-07-22 15:38:52 -------- d-----w C:\DOCUME~1\MAURAA~1\DATIAP~1\Vso

2007-07-22 15:37:26 -------- d-----w C:\DOCUME~1\MAURAA~1\DATIAP~1\VSO_HWE

2007-07-21 15:39:38 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-07-18 11:19:46 -------- d-----w C:\DOCUME~1\MAURAA~1\DATIAP~1\DataLayer

2007-07-18 07:27:15 -------- d-----w C:\Programmi\Dl_cats

2007-07-13 12:02:49 -------- d-----w C:\DOCUME~1\MAURAA~1\DATIAP~1\Nokia Multimedia Player

2007-07-08 18:03:35 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd1005.sys

2007-07-07 11:33:47 -------- d-----w C:\Programmi\Ahead

2007-07-07 11:29:03 -------- d-----w C:\Programmi\Yahoo!

2007-07-05 11:16:26 -------- d-----w C:\Programmi\Google

2007-07-05 11:16:08 -------- d--h--w C:\Programmi\InstallShield Installation Information

2007-07-05 11:09:57 -------- d-----w C:\Programmi\Elaborate Bytes

2007-07-01 17:54:38 -------- d-----w C:\Programmi\MSN Messenger

2007-06-13 18:08:04 82,258 ----a-w C:\WINDOWS\system32\drivers\klin.dat

2007-06-13 18:08:04 82,258 ----a-w C:\WINDOWS\system32\drivers\klick.dat

2007-06-13 18:01:16 -------- d-----w C:\Programmi\Kaspersky Lab

2007-06-13 17:50:13 -------- d-----w C:\Programmi\File comuni\Kaspersky Lab

2007-06-12 11:23:14 47,360 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys

2007-06-12 11:23:10 -------- d-----w C:\Programmi\VSO

2007-06-12 11:22:42 87,608 ----a-w C:\DOCUME~1\MAURAA~1\DATIAP~1\inst.exe

2007-06-12 11:22:42 47,360 ----a-w C:\DOCUME~1\MAURAA~1\DATIAP~1\pcouffin.sys

2007-06-12 11:16:57 -------- d-----w C:\Programmi\dvdSanta

2007-06-10 12:18:02 -------- d-----w C:\Programmi\DivX

2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll

2007-05-16 15:12:56 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2006-07-30 15:55:59 23,992 ----a-w C:\DOCUME~1\MAURAA~1\DATIAP~1\GDIPFONTCACHEV1.DAT

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8631209B-2637-CA07-C725-E3197F857874}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 C:\WINDOWS\stsystra.exe]

"P17Helper"="P17.dll" [2004-06-10 18:51 C:\WINDOWS\system32\P17.dll]

"dlccmon.exe"="C:\Programmi\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 21:03]

"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-04-28 11:33]

"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2006-06-21 19:14]

"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2005-12-20 20:54]

"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0\bin\jusched.exe" [2006-08-05 21:42]

"OM_Monitor"="C:\Programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 19:19]

"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 14:27]

"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2007-02-07 08:57]

"remgk"="C:\DOCUME~1\MAURAA~1\IMPOST~1\Temp\45064859.exe" [2006-07-05 12:56]

"AVP"="C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2007-04-28 14:37]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00]

"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2006-06-12 17:33]

"OM_Monitor"="C:\Programmi\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]

"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

"SUPERAntiSpyware"="C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"PcSync"=C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

 

C:\Documents and Settings\All Users.WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\

Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE [2006-01-15 19:53:23]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmi\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,\"c:\windows\system32\nokia-driver.exe\","

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programmi\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

 

R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys

R1 SASDIFSV;SASDIFSV;\??\C:\Programmi\SUPERAntiSpyware\SASDIFSV.SYS

R1 SASKUTIL;SASKUTIL;\??\C:\Programmi\SUPERAntiSpyware\SASKUTIL.sys

R2 MaVctrl;MaVctrl;C:\WINDOWS\system32\DRIVERS\MaVc2K.sys

R3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys

R3 hidusb;Driver di classe HID Microsoft;C:\WINDOWS\system32\DRIVERS\hidusb.sys

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys

R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys

R3 pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\pcouffin.sys

R3 SASENUM;SASENUM;\??\C:\Programmi\SUPERAntiSpyware\SASENUM.SYS

R3 usbccgp;Driver principale generico USB Microsoft;C:\WINDOWS\system32\DRIVERS\usbccgp.sys

R3 usbehci;Driver Miniport controller enhanced host USB 2.0 Microsoft;C:\WINDOWS\system32\DRIVERS\usbehci.sys

R3 usbhub;Driver hub USB standard Microsoft;C:\WINDOWS\system32\DRIVERS\usbhub.sys

R3 usbprint;Classe stampanti USB Microsoft;C:\WINDOWS\system32\DRIVERS\usbprint.sys

R3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

R3 usbuhci;Driver Miniport Controller Universal Host USB Microsoft;C:\WINDOWS\system32\DRIVERS\usbuhci.sys

R3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys

R3 WLAN FVNETusb®;WLAN FVNETusb® Service for ATMEL USB FastVNET (AR);C:\WINDOWS\system32\DRIVERS\vnetusbr.sys

S0 cercsr6;cercsr6;C:\WINDOWS\system32\drivers\cercsr6.sys

S0 OCDE;ZTekWare Original CD Emulator Service;C:\WINDOWS\system32\Drivers\OCDE.sys

S3 bvrp_pci;bvrp_pci;\??\C:\WINDOWS\system32\drivers\bvrp_pci.sys

S3 D-Link FVNETusb (AR)®;D-Link FVNETusb (AR)® Service for D-Link DWL-120 Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\vnetusbr.sys

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\C:\DOCUME~1\MAURAA~1\IMPOST~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys

S3 MA8630C;MA8630C;C:\WINDOWS\system32\DRIVERS\MA8630C.sys

S3 MA8630M;MA8630M;C:\WINDOWS\system32\DRIVERS\MA8630M.sys

S3 MA8630U;MA8630U;C:\WINDOWS\system32\DRIVERS\MA8630U.sys

S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys

S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys

S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys

S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys

S3 pohci13F;pohci13F;\??\C:\DOCUME~1\MAURAA~1\IMPOST~1\Temp\pohci13F.sys

S3 SNTNLUSB;Rainbow USB SuperPro;C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS

S3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC;C:\WINDOWS\system32\drivers\sthda.sys

S3 TSP;TSP;\??\C:\WINDOWS\system32\drivers\klif.sys

S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\Drivers\wpdusb.sys

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

AutoRun\command- J:\Setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3e04c2-3299-11db-8a24-00909652e259}]

AutoRun\command- J:\Setup.exe

 

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-26 19:14:45

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

 

scan completed successfully

hidden files: 1

 

**************************************************************************

 

Completion time: 2007-07-26 19.15.45

 

--- E O F ---

 

try performing a scan with gmer: http://www.majorgeeks.com/GMER_d5198.html and remove the detected hidden files

delete the following files:

C:\armada.bat

C:\DOCUME~1\MAURAA~1\IMPOST~1\Temp\45064859.exe (empty the whole temp folder)

open regedit, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and in the right side change the Userinit value to: "c:\windows\system32\userinit.exe," (without the ")

(quoted from post 405880)

Hi,

I performed the scan but it doesn't ask me to delete anything...

If you want I can send you the log.. as PVM

Note that I've had to stop many services in order to download the utility.. while trying to download, Explorer suddenly crashed..

THANX
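As an added defender-side example (not code from the thread or from ComboFix), the following Python parses a ComboFix "Reg Loading Points" section and flags the two persistence tricks the helper pointed at in the log above: a Run entry launching an executable from a Temp folder, and a Userinit value with a second program appended after userinit.exe. The sample log is constructed from lines of the posted log, and the regexes assume ComboFix's "Name"="Value" [date] layout.

```python
import re

# Constructed sample in the style of the ComboFix "Reg Loading Points" section above.
# The two suspicious lines and the benign ones are copied from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-04-28 11:33]
"remgk"="C:\DOCUME~1\MAURAA~1\IMPOST~1\Temp\45064859.exe" [2006-07-05 12:56]
"AVP"="C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2007-04-28 14:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,\"c:\windows\system32\nokia-driver.exe\","
"""

# A "Name"="Value" line under a key; ComboFix escapes inner quotes as \" and may
# append a [date time] stamp, so the value is taken greedily up to its last quote.
# Unquoted values (e.g. the PcSync line in the log) are deliberately not matched.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>".*")(?:\s+\[.*\])?\s*$')
TEMP_RE = re.compile(r'\\Temp\\', re.IGNORECASE)


def parse_entries(log):
    """Yield (key, name, value) for every value line, with \" unescaped."""
    key = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            value = m.group("value")[1:-1].replace('\\"', '"')
            yield key, m.group("name"), value


def userinit_programs(value):
    """Split a Userinit value on commas outside quotes; return the program paths."""
    parts = re.findall(r'"[^"]*"|[^,]+', value)
    return [p.strip('" ') for p in parts if p.strip('", ')]


def find_suspicious(log):
    """Return (reason, key, name, detail) for the two persistence tricks in the thread."""
    findings = []
    for key, name, value in parse_entries(log):
        if name.lower() == "userinit" and key.lower().endswith("\\winlogon"):
            # Only userinit.exe belongs here; anything after the comma runs at every logon.
            extra = [p for p in userinit_programs(value)
                     if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("extra Userinit program", key, name, extra))
        elif key.lower().endswith("\\run") and TEMP_RE.search(value):
            # Autostart entries should not point into a user's Temp folder.
            findings.append(("autorun from a Temp folder", key, name, value))
    return findings


if __name__ == "__main__":
    for reason, key, name, detail in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: [{key}] {name} -> {detail}")
```

Run it against a real combofix.txt by passing the file contents to find_suspicious; entries it flags still need to be checked by hand, since a legitimate vendor tool can also live in a Run key.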

 

 

 

 

 

 

 
