Can't check any email or use google - Infected w Virtumonde, Winsoftware, Wildtangent

Status
Not open for further replies.
B

blogaibernukas

New member
That's my log. I'm not very computer savvy, please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:18 AM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy2.esade.es:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.esade.com;*esade.es;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\geBuVPFV.dll (file missing)
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll
O2 - BHO: (no name) - {476BAA09-EEBD-4ABF-8982-BAD2882A71A8} - C:\WINDOWS\system32\wvUllklj.dll (file missing)
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\bgphfbrv.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: {b43edec7-8198-c8fa-7a14-cd3d2cbf8cb6} - {6bc8fbc2-d3dc-41a7-af8c-89187cede34b} - C:\WINDOWS\system32\nvqhof.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar7.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar7.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Disk Knight] C:\WINDOWS\Knight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [604bfdf7] rundll32.exe "C:\WINDOWS\system32\rhvklffi.dll",b
O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: geBuVPFV - geBuVPFV.dll (file missing)
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13148 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
 
Can't run combofix

Hi pskelley, Thank you sooooooooooooo much for helping me, I can't thank you enough!!!

So, here's what happened. I cannot read the website on how to use combofix because Virtumonde or whatever is stopping me from accessing the page. I have tried in several different ways both through Firefox and iExplorer and no luck. If that's the case, can you paste information here on how to use it?

Well, I've downloaded it from the link and put it on my desktop. I tried running it but then it gives me the dark blue windows boot screen saying:

"A problem has been detected and Windows has been shut down to prevent blablabla if it's the first time you see this restart your computer and contact blablabla" and then:

INVALID_KERNEL_HANDLE

***Technical information
*STOP: 0x00000093 (0x000007A8, 0x00000000, 0x00000000, 0x00000000)
"

I have done it twice and get the same response both times. If any other information is needed from the dark blue windows screen please let me know and I'll copy it.

I then re-checked if TeaTimer was disabled in SpyBot and the box was properly unchecked. However the "Resident" icon box inside tools IS CHECKED is that supposed to remain this way?

Then I tried to look for a txt file inside the combofix folder. Did not find a log but found this:

ComboFix 08-08-14.05 - Denise Kenney 2008-08-16 11:03:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.641 [GMT 2:00]
Running from: C:\Documents and Settings\Denise Kenney\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

And then I ran HTJ to post the new log here (below).

Please let me know if there's anything different I can do.

Thank you so much again

L


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:29 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 3072 bytes
 
Thanks for the HJT log, it gives me an idea of what combofix did, but I need that log. To explain, combofix has a database that is constantly changing as malware changes. sUBs keys to several common malware issues, but there is no way he can get everything in the database, it would be hugh. I know some stuff was removed, but the log also shows all files installed during the infection period. Hopefully my trained eye can spot bad files not in the database. Here is what the log will look a lot like.
http://forums.spybot.info/showthread.php?t=32556
Look after the HJT log in post#3. I know it ran or would not have received the notification about Recovery Console. Look on the C:\ drive, should be at C:\combofix.txt.
So, here's what happened. I cannot read the website on how to use combofix...etc.
Click to expand...
Not to worry, you got the tool run, we will get to that information later. can you believe how these criminals actually infect you, then block you from the help you need. My suggestion is a firing squad. The computer is your property and these folks would just as likely kick down your front door to gain access to what they want...$$$
INVALID_KERNEL_HANDLE
Click to expand...
http://www.google.com/search?hl=en&q=INVALID_KERNEL_HANDLE&btnG=Google+Search
Keep recording any error messages (windows talking to us) and post the information, but we will likely deal with error messages as we kick this junk off your computer. If they do not stop at that point, we will need the exact messages to research the cause.

TeaTimer <<< not showing in the new HJT log so you disabled it correctly.

It all boils down to the fact that I need that log that combofix provided us with. If it is not on the C:\ then run combofix again. If you do not have combofix on the Desktop (cats head) the download it again from this link.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then follow the directions:
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply (like point and shoot)

Thanks...Phil
 
Don't think it's working :( (combofix)

Hi Phil,

Thank you for your response again. I think it's not working with Combofix, I mean, I think something is stopping it from doing its job. Maybe there's something I need to do to Windows so it will let it run? Or maybe pause a process or something? I'll describe below exactly what happened and then post all the logs I've found.

So I run Combofix. It says "Preparing to run" and then it beeps and I get a window to confirm that I really want to run it. Then it goes to a small blue screen saying
Attempting to create a system restore (then it apparently accomplishes this)
then
- Scanning for infected files, this might take ten minutes but really infected
- systems will take longer (or something like that)
- Combofix has changed your clock settings, do not change it back....
But then it takes ONLY A FEW SECONDS and goes to the boot dark blue screen, shuts down and says the exact same message I've posted before every time. (I've done it three times) And the clock never changes either.

I cannot access the link you posted, just for the record, so I don't know what it says about the INVALID_KERNEL_HANDLE. I DO get to see the other post though inside the spybot forum, so I know now how it looks like. But wasn't the log supposed to come very obvious, like the HJT?

Then, after the dark blue screen I then have to restart the computer and when it comes back it says:
- The system has recovered from a serious error ....
And then you have the option to send or not the report to windows. SO that's why I think there might be some windows security configuration that is stopping me from running combofix? Any ideas?

Anyways, I went to C: and there was no combofix.txt. Ther is a aaw7boot.log and a Installer.log and a LogiSetup.log and there is a combofix folder. Inside the folder there is a combofix.txt but it says just the following:

COMBOFIX.TXT

ComboFix 08-08-14.05 - Denise Kenney 2008-08-16 22:39:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT 2:00]
Running from: C:\Documents and Settings\Denise Kenney\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

That's all :( and then there is a Pend.txt that says

PEND.TXT:

.:\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\config\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\csrss.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\drivers\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\hal.dll\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\lsass.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\ntdll.dll\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\services.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\smss.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\svchost.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\userinit.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\wbem\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\winlogon.exe\\\(0!\|0\\0\)
C:\\boot.ini\\\(0!\|0\\0\)
C:\\ntdetect.com\\\(0!\|0\\0\)
C:\\ntldr\\\(0!\|0\\0\)
C:\\WINDOWS\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\explorer.exe\\\(0!\|0\\0\)

I went and ran the HTJ just in case so here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:42 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 3072 bytes


Hope we can find a solution :(

Thanx a bunch!

L
 
Can I just delete the exe file?

Or should I try ctrl+alt+delete and try to find it inside the processes? How do you recommend I stop it?
 
Do you know why that item is on your computer?

C:\Program Files\GbPlugin\GbpSv.exe
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
http://www.gastecnologia.com.br/site/pt/ <<< what it is

It is some kind of security program, I have never seen it before. That is what they do, block stuff, shame it did not block Vundo. The only way I can think to remove all of that is to uninstall it in Add Remove programs and I still don't know if that is the reason combofix does not install properly.

Let's see if we can use another method.

Remove combofix, to be sure it is gone, do this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


1) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\eqcysodq.dll <<< delete that file...it is Vundo and must be deleted.

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks
 
Found the answer to what might be gbpsv

I tried deleting and uninstalling and no luck. It just doesn't show on Add/Remove... I also tried to stop the process in Task Manager but it didn't work either. Then since I cannot search with google (bc of my virus) I was trying for answers in the forum and found this
http://forums.spybot.info/showthread.php?t=22881&highlight=gbpsv

It might be from a bank in Brazil but it's controversial (the last person to post thinks there might be a virus version)

Anyway, I'm going to try your new solution now, just wanted to clarify that. will be back soon

L
 
I can show you how to remove it, I just want to be sure it is not something important. If this is your computer and you don't know what it is, I guess not. If you want it gone, let me know.

I will also mention I received a notification from sUBs forum at SWI and another heper asked about an issue where a member only received the header similiar to the way you did, so the glitch may be with combofix. I am tracking that waiting for a response from the creator. In the meantime, let's try to clean the malware from your computer.

Thanks...Phil
 
TeaTimer.bat

Hi Phill,

I'm still stuck in Teatimerbat. I open the link you gave me and come across some text (pasted at the end). How exactly do I use it/save it to my desktop and run it? (sorry about my lack of knowledge)

About reming gbpsv I don't think it would be a problem. It's my sister's computer and she's just a regular internet user.

I'll do the other stuff you mentioned while waiting for the response on the bat

Thank you for your help
 
New logs

When trying the first steps (with HJT fix) I was not able to delete eqcysodq.dll I've tried the "fix" button several times and then tried deleting it from the folder!!! Just says "Access is denied"

Do I have to find the other four files you mentioned too (to delete them)? I don't see a path to which folder contains them and the search won't find them either. (I'm talking about the four other ones HJT fixed-below)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -

Just FYI I've uninstalled the AVG anti virus since it was stopping the upgrade for Malwarebytes.

Then everything apparently worked :) At first Malwarebytes said it couldn't delete eqcysodq and asked to restart the computer. When it restarted windows prompted a box that said "eqcysodq.dll cannot be found"

MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.24
Database version: 1059
Windows 5.1.2600 Service Pack 2

2:38:19 AM 8/17/2008
mbam-log-8-17-2008 (02-38-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89329
Time elapsed: 34 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm6378ce6b (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\kBin15 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise Kenney\Application Data\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise Kenney\Application Data\DriveCleaner Freeware\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Denise Kenney\Local Settings\Temp\Temporary Internet Files\Content.IE5\8KVK2Q80\Codec[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080816-032506-292.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gddpinds.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rhvklffi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvqhof.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise Kenney\Application Data\DriveCleaner Freeware\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eqcysodq.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6378ce6b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6378ce6b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.




HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:12 AM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 2494 bytes
 
Navigating beautifully! Next step?

I tried navigating this morning (I'm in London) and it's working! I'm starting to feel hopeful and am very thankful for your help!!!!

I ran SpyBot and still shows WinAntivirusPro2007 and WildTangent though, what should I do next?
 
Thanks for returning the log, we seem to be making progress, we will try to work through the issues I see that are left.

1) C:\Program Files\GbPlugin\GbpSv.exe
Could you check with your sister and make sure it is okay to remove that program.

2) I see no antivirus and we need to get one onboard. I see you said this.
Just FYI I've uninstalled the AVG anti virus since it was stopping the upgrade for Malwarebytes.
Click to expand...
Please reinstall the antivirus protection, look at this tutorial before you do to see if you can use it.
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

3) The item you had trouble deleting was deleted on reboot by MBAM
C:\WINDOWS\system32\eqcysodq.dll (Trojan.Agent) -> Delete on reboot.

4) Issues with Spybot not being able to remove what it finds are often caused by an outdated program. Would you look at this information and make sure you are up to date and fully immunized. Then reboot and run Spybot S&D and run it again removing what it finds.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
Let me know if this takes care of the problem.

5) I am sure this is malware:
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing

Let's remove that like this:
Disable the Service
Click Start > Run and type services.msc
Scroll down to Microsoft DDE+ server and right click on it. Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Then navigate to this file C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe <<< and delete it.

Once you have the information from sister, AVG 8 installed and that bad service stopped and the file deleted, then post a new HJT log. Along with that log I would like to see here uninstall list. Get that like this.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
That stuff will go away once Service Pack #3 is installed.

I understand we are five hours in time difference. I am Clearwater, Fl EST

Thanks
 
Latest logs

Hi Phil,

I'm very glad to hear we're making progress and now I'm enjoying my vacation for the first time without that big problem in my mind, all thanks to your help!!!!!!

I think it's important to note that I think I"m not running as an administrator. My sister forgot the pswd for the administrator and actually never even logged on as this. Not sure if this is of relevance. It always logs in automatically so I just realized this when running spybot in safe mode this time.

Please find below the results for your instructions.

1 - When I was running HJT I saw that's for the bank I used to access from this computer. I no longer access it and we can delete the program now. I asked my sister and she agreed

2 - Done sucessfully! Installed AVG without the Link Scanner feature

3 - Very glad to hear that! Thanx for telling me

4 - I just installed Spybot due to this problem so I was pretty sure I had the latest version but in any case I checked the version and did an update plus immunize. Then tried to fix and those two still remained. It asked me to run again after restart but no luck. Then I tried running in safe mode and still no luck. So they're still showing there.

5 - The STOP under Service Startup was greyed out so I didn't do anything. THen the folder was empty so I just deleted the folder

HTJ

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:29 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 2832 bytes



UNINSTALL LIST

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AOLIcon
Apple Mobile Device Support
Apple Software Update
Avanquest update
AVG Free 8.0
Broadcom Management Programs
BUM
Conexant HDA D110 MDC V.92 Modem
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support 3.1
DellConnect
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
EphPod
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Logitech QuickCam
Logitech® Camera Driver
Malwarebytes' Anti-Malware
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Project MUI (English) 2007 (Beta)
Microsoft Office Project Professional 2007 (Beta)
Microsoft Office Project Professional 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
Mixer
mLogView
mMHouse
Modem Helper
Motorola Phone Tools
Mozilla Firefox (3.0.1)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
OfotoNow
QuickSet
QuickTime
Real Alternative 1.51
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Search Assist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Skype 2.5
Sonic Activation Module
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Tiny soft
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WordPerfect Office 12
 
Let's see what we can do, looks like you missed this:
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
No biggie, that stuff will all go away when you install SP#3 which your computer is probably asking to do now. Best to wait until we finish if possible. If other criticals come up you can bypass SP#3 by choosing "custom install" and installing all but SP#3.

Uninstall list: Hackers are using out of date programs to exploit and infect, so it is more imporant than ever to keep all programs up to date. This program is freeware and will do that for you if you wish:
https://psi.secunia.com/ <<< for your information, the programs runs in the system tray for instant notification. I prefer to turn it off in System Configuration Utility (MSConfig) and run it manually from All Programs monthly or so to check for updates, your call if you wish to use it.

Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
See this information, this is dangerous, once you have the newest version, uninstall those.
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Viewpoint Media Player <<< suggest you uninstall, see this:
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

I suggest you look at the other programs and uninstall anything no longer needed.

1) Make sure you can view all files and folder:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Start > Control Panel > Add Remove programs > Uninstall GbPlugin if there.

3) Disable the Service
Click Start > Run and type services.msc
Scroll down to Gbp Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Program Files\GbPlugin\ <<< delete that folder and it's contents.

Restart, update and run a System Scan with AVG 8, remove anything it finds (moves it to the Virus Vault where it could be restored if needed) then report back with any issues we need to address.

Thanks...Phil
 
Results

Hi Phil,

So, I tried getting rid of Gbp Service by following your directions but when I try deleting it from the Program Files folder it says it's not possible. I then tried doing it again from the beginning and noticed that when I go to properties and try to disable it from Start up type it won't let me do it. It just goes back to "Automatic" when I click Apply.

Installed the Secunia and updated the suggested programs. However it says

NOTE:
Show only Easy-to-Patch programs is enabled. 18 programs not shown. [?]
If you are technically skilled, we strongly recommend that you disable this feature!

I thought I would post what programs appear when I disable this just in case. They are:

Insecure Programs

This page displays programs that the Secunia PSI has detected on your computer for which there are known security updates available. We recommend, that you update or uninstall all programs listed here. Click any entry on this page to view further details.

Insecure Programs [?] Version Detected [?] Security State [?] Direct [?]

Adobe Flash Player 9.x (General Plug-in) 9.0.16.0 Insecure
Intel PROSet/Wireless Software 10.x 10.1.0.17 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
iTunes 7.x 7.3.2.6 Insecure
Macromedia Flash Player 6.x 6.0.80.0 Insecure
Macromedia Flash Player 6.x 6.0.79.0 Insecure
Microsoft Data Access Components (MDAC) 2.x 2.81.1117.0 Insecure
Microsoft Excel 2003 11.0.5612.0 Insecure
Microsoft Office PowerPoint 2003 Viewer 11.0.5530.0 Insecure
Microsoft Outlook 2003 11.0.5510.0 Insecure
Microsoft Powerpoint 2003 11.0.5529.0 Insecure
Microsoft Word 2003 11.0.5604.0 Insecure

Also, would you teach me how turn the instant notification off? I think I don't know how to do it like you said. What is (MSConfig) and how can I access it?

AVG scan returned no threats, just a couple of warnings that I've fixed.

Thank you for your valuable help!

L
 
1) Gbp Service: Where are you located anyway? UK I think you said, why would you use banking software from Brazil?
I think I mentioned I have never seen this before.
http://www.gastecnologia.com.br/site/pt/ contact them for information about removing their junk.
http://www.gastecnologia.com.br/site/pt/Contact.aspx

2) Secunia PSI <<< I am sorry, I just do not have the time to conduct a tutorial on using this program. If you take the time to look at it, follow the directions, It is far from being difficult.

3) System Configuration Utility (MSConfig)
http://www.netsquirrel.com/msconfig/msconfig_xp.html

Thanks
 
Trying to remove G-Buster

Hi Phil,

You are right, sorry, I'll look for the instructions on Secunia myself.

I am Brazillian but am in London right now. I live abroad so I access my bank from this computer. I used to live with my sister so I used to access it from her computer. I no longer access it from here.

I wrote their makers (Gas Tecnologia) and ask them how to remove it. Meanwhile I have been looking in websites in Portuguese for some advice and am trying a couple of things. Should we try combofix again? Is there anything else I can do while we wait for a response on that?

Please let me know.

L
 
Status
Not open for further replies.
Back
Top