Spyware attack messed my desktop "Help"

By Candy_girl
Oct 24, 2006
Topic Status:
Not open for further replies.
  1. Candy_girl


    Ok, I ran the tool, but that grom-something wasn't found in my system. It said this at the end of the scan:

    "Scan finished normally
    For a detailed log, please refer to \gromozon_removal.log"

    Shall I run the ccleaner instead?
  2. howard_hopkinso


    Ok, here are the manual removal instructions.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for each of the following (if there).

    bravesentry.exe
    vxgamet[X2].exe
    vxh8jkdq[X2].exe

    win32.exe
    xpupdate.exe
    alg.exe

    kerneles8.exe
    maxd64.exe
    taskdir.exe

    voi[X1].exe
    vxgame[X2].exe
    dxvwabxj.exe


    Close task manager.

    Click Start/Run, type regedit into the Run box and press the Enter key. Maximise the window, then navigate to and delete the following registry keys in the right-hand pane.

    HKEY_CURRENT_USER\software\bravesentry

    HKEY_CURRENT_USER\software\bravesentry\scan

    HKEY_CURRENT_USER\software\bravesentry\systemsecurity

    HKEY_CURRENT_USER\software\bravesentry\updates

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runbravesentry

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bravesentry
    BraveSentry

    Close regedit.

    Click start/run and type regsvr32 /u bravesentry0.dll and press the enter key. Do this for all the following files.

    bravesentry1.dll
    bravesentry2.dll
    bravesentry3.dll

    comdlg64.dll
    msupdate32.dll
    tio[X1].dll

    winbixnkq32.dll
    zlbw.dll

    Next, locate and delete the following files if found.

    bravesentry.exe
    vxgamet[X2].exe
    vxh8jkdq[X2].exe

    win32.exe
    xpupdate.exe
    bravesentry0.dll

    bravesentry1.dll
    bravesentry2.dll
    bravesentry3.dll

    comdlg64.dll
    msupdate32.dll
    tio[X1].dll

    winbixnkq32.dll
    zlbw.dll

    kerneles8.exe
    maxd64.exe


    taskdir.exe
    voi[X1].exe
    vxgame[X2].exe

    desktop.html
    Explorer 2238
    dxvwabxj.exe

    BraveSentry
    BraveSentry.lnk

    Run Ccleaner after you're finished and post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
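    The manual removal steps above amount to a list of indicators (process names, registry keys, DLLs and files). The following PowerShell script is an added example, not code from the thread or from TechSpot: it audits a machine for those same indicators in read-only fashion, so it can be run before the clean-up to see what is present and afterwards to confirm that nothing came back. It assumes that the "[X1]"/"[X2]" placeholders in the post stand for variable characters (treated here as wildcards), that the "runbravesentry" key in the post refers to a BraveSentry value under ...\CurrentVersion\Run, and that the files live under the Windows directory or the user's profile.

```powershell
# Added example (not from the thread): read-only audit for the BraveSentry
# indicators listed in the post above. It reports and deletes nothing.
# Assumptions: "[X1]"/"[X2]" are wildcards; the Run key holds a BraveSentry
# value; files sit under %SystemRoot% or the user profile.

$badProcesses = @('bravesentry', 'vxgamet*', 'vxh8jkdq*', 'win32', 'xpupdate',
                  'kerneles8', 'maxd64', 'taskdir', 'voi*', 'vxgame*', 'dxvwabxj')

$badKeys = @(
    'HKCU:\Software\BraveSentry',   # parent of the scan/systemsecurity/updates subkeys
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\BraveSentry'
)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$badFiles = @('bravesentry.exe', 'vxgamet*.exe', 'vxh8jkdq*.exe', 'win32.exe',
              'xpupdate.exe', 'bravesentry0.dll', 'bravesentry1.dll', 'bravesentry2.dll',
              'bravesentry3.dll', 'comdlg64.dll', 'msupdate32.dll', 'tio*.dll',
              'winbixnkq32.dll', 'zlbw.dll', 'kerneles8.exe', 'maxd64.exe', 'taskdir.exe',
              'voi*.exe', 'vxgame*.exe', 'dxvwabxj.exe', 'desktop.html', 'BraveSentry.lnk')

$searchRoots = @($env:SystemRoot, $env:USERPROFILE)

function Find-BraveSentryIndicators {
    $hits = @()

    # 1. Running processes whose image name matches a listed name (no .exe suffix).
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        foreach ($pattern in $badProcesses) {
            if ($p.ProcessName -like $pattern) {
                $hits += [pscustomobject]@{ Kind = 'Process'; Item = $p.ProcessName; Detail = "PID $($p.Id)" }
            }
        }
    }

    # 2. Registry keys that the infection creates.
    foreach ($k in $badKeys) {
        if (Test-Path $k) {
            $hits += [pscustomobject]@{ Kind = 'RegKey'; Item = $k; Detail = '' }
        }
    }

    # 3. Autostart values under Run that mention BraveSentry by name or by command line.
    if (Test-Path $runKey) {
        $values = (Get-ItemProperty -Path $runKey).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' -and
                                 ($_.Name -like '*bravesentry*' -or "$($_.Value)" -like '*bravesentry*') }
        foreach ($v in $values) {
            $hits += [pscustomobject]@{ Kind = 'RunValue'; Item = $v.Name; Detail = $v.Value }
        }
    }

    # 4. Files on disk under the search roots, hidden files included.
    foreach ($root in $searchRoots) {
        foreach ($pattern in $badFiles) {
            $matches = Get-ChildItem -Path $root -Filter $pattern -Recurse -Force -ErrorAction SilentlyContinue
            foreach ($f in $matches) {
                $hits += [pscustomobject]@{ Kind = 'File'; Item = $f.FullName; Detail = "$($f.Length) bytes" }
            }
        }
    }
    return $hits
}

$found = Find-BraveSentryIndicators
if ($found) { $found | Format-Table -AutoSize } else { 'No BraveSentry indicators found.' }
```

    Because it only reads, the script is safe to run repeatedly; a hit in the Process or RunValue section after the manual removal means the persistence mechanism survived and the clean-up needs repeating from safe mode.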
  3. Candy_girl


    Ok, I did all of that, but when I typed "regsvr32 /u bravesentry0.dll" it said "the specified module couldn't be found".

    Then I ran CCleaner. I don't quite get it; especially when I click on "Issues" and run a scan, all I get are unused/deleted extensions and programs. Shall I fix the suspicious stuff?

    And when I ran the "Cleaner" and scanned some items, this is what I got (example):

    http://www.sendspace.com/file/fa4x1l

    (I had to upload it elsewhere cuz of the attach size limit)

    Finally my new hijackthis log file.
  4. howard_hopkinso


    It doesn't matter that some files cannot be found during the manual removal process. In fact, this is to be expected. Did you complete the removal instructions? If not, you should do so, and don't worry if you can't find some of the items listed.

    You need to run Ccleaner as per the instructions, that means let Ccleaner delete everything it finds, both the clean up and the issues.

    Your HJT log is clean.

    How's your system running?

    Regards Howard :)

  5. Candy_girl


    Yes, I did everything you asked me to. I even ran the system in safe mode to make sure nothing's hiding somewhere!

    As for the ccleaner, it kinda worries me a bit, cuz when I check the "Windows" tab, "Advanced", something like "Window size/location cache", it warns me that I might lose some data if I check it! And now you're telling me to check everything and delete whatever it finds. Are you sure I won't damage anything if I take such action?

    My system is running well actually, except that when I check the task manager, there are some weird processes running, like:

    "Alg.exe , winlogon.exe , system"

    Are these dangerous? I know alg.exe is but what about the others?

    Also my desktop (icons in particular) is still looking weird (attachment)! That's all that bothers me right now, but I'm guessing it has something to do with that spyware attack disabling the desktop options I mentioned before, the object policy thing! Is there any way I can get it back and control my desktop options again?
  6. tomrca


    I have the same processes running. And by the look of the desktop items, it looks as if they are locked. To unlock, right click on a clear space on your desktop, select 'Arrange Icons By', then untick 'Lock Web Items on Desktop'.
  7. Candy_girl


    Really? So they're not dangerous?

    I did that but still nothing; the graphics are a bit weird! (See attachment.) See how the name "Shaun Lowe" is too pixelated!

    The desktop is fine when I restart, up until the icons start to appear; then everything becomes weird like that! It seems like the desktop can't accept the wallpaper, because before the icons are loaded upon restart the desktop shows the background color, then loads the wallpaper, and that's when the desktop, well, again becomes weird!

    I hope that makes sense.
  8. howard_hopkinso


    Alg.exe and Winlogon.exe are legit files provided they are running from the correct location.

    I'd like you to post fresh AVG Antispyware and HJT logs.

    This is so I can confirm or otherwise that Bravesentry is gone. This is a real nasty infection that's based on a rootkit.

    I've only just come across this infection in the last couple of days, so it's pretty new, hence the difficulty in removing it.

    Regards Howard :)

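    The test Howard applies above, a process named like a Windows binary is only legitimate if it runs from the correct location, can be automated. The script below is an added example, not code from the thread: for alg.exe and winlogon.exe (plus svchost.exe and explorer.exe, two other commonly imitated names) it compares each running instance's image path with the expected path under %SystemRoot% and reads the file's Authenticode signature. It is read-only. It assumes PowerShell 3.0 or later (for Get-CimInstance) and, to read the paths of protected system processes, an elevated prompt; the kernel "System" process has no image file and is not covered.

```powershell
# Added example (not from the thread): checks that processes carrying Windows
# system binary names run from the expected location and are validly signed.
# Assumes PowerShell 3.0+ and an elevated prompt for system processes.

$expected = @{
    'alg'      = Join-Path $env:SystemRoot 'System32\alg.exe'
    'winlogon' = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    'svchost'  = Join-Path $env:SystemRoot 'System32\svchost.exe'
    'explorer' = Join-Path $env:SystemRoot 'explorer.exe'
}

function Test-SystemProcessLocation {
    foreach ($name in $expected.Keys) {
        foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            $path = $p.Path
            if (-not $path) {
                # Get-Process cannot read the image path of protected processes
                # without elevation; fall back to the CIM process record.
                $path = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ExecutablePath
            }

            $verdict = if (-not $path) { 'UNKNOWN (path not readable)' }
                       elseif ($path -ieq $expected[$name]) { 'OK' }
                       else { 'SUSPICIOUS (unexpected location)' }

            # Signature status as a string; catalog-signed system files may report
            # NotSigned on older Windows versions, so the path check stays primary.
            $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                       "$((Get-AuthenticodeSignature -FilePath $path).Status)"
                   } else { 'n/a' }
            if ($sig -ne 'Valid' -and $sig -ne 'n/a') { $verdict += " / signature $sig" }

            [pscustomobject]@{ Name = $name; PID = $p.Id; Path = $path; Signature = $sig; Verdict = $verdict }
        }
    }
}

Test-SystemProcessLocation | Format-Table -AutoSize
```

    A process with a legitimate name running from a temp or user-profile directory, or from a look-alike path such as a "system32" folder outside %SystemRoot%, is the case this check is meant to surface; a clean result only says the names match their expected binaries, not that nothing else is running.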
  9. Candy_girl


    Oh god, a new infection, huh? Should I be worried?

    Ok, I ran a new antivirus scan today and this is the result (attachment). I'm not sure what this is exactly!

    Also, here are my HJT and Antispyware logs (attachment).

    Lastly, as I mentioned before, I haven't yet run ccleaner, which means I haven't removed any issues or anything, cuz I'm worried about the warnings I got (the previous reply).

    I guess that's it!
  10. howard_hopkinso


    I can see no more Bravesentry entries.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


    Have HJT fix this inactive entry.

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    Close HJT.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for the following (if there).

    kernels8.exe

    Close task manager.

    Run the Ccleaner programme exactly as per these instructions.

    Download the Ccleaner programme from HERE.

    Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times. Click on issues, then the scan for issues button. Click the fix selected issues button, followed by the fix all selected issues button. Do this several times, until no more issues are found.


    Locate and delete this bold file/folder (if there).

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G5U7WXAN\2236[1].htm

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\kernels8.exe

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.


    Post a fresh HJT log and a fresh AVG Antispyware log. Let me know if you're still having problems.

    Regards Howard :)

  11. Candy_girl


    Ok, I did everything according to instructions, but still my stupid desktop is the same.

    I give up!

    But anyways, here are my results. However, both the antivirus scan and spyware scans didn't show anything; the kernel.exe thing was found, but it didn't say that it's a virus!

    See (attachments)
  12. howard_hopkinso


    Your HJT log is clean.

    Try this and see if it helps.

    Right click your desktop and select Properties. Click on the Desktop tab and click the Customize Desktop button. Click the Web tab and uncheck any webpages and the "Lock desktop items" box. Click OK/Apply/OK. Now right click your desktop again and select Properties. Click the Desktop tab and see if you can change your desktop picture.

    Let me know the results.

    Regards Howard :)

  13. Use Mozilla Firefox, not M$IE; it doesn't tend to have so many problems with software installing whatever it likes on your machine.

    That wasn't the security center but the program that the ad installed. The icon probably looked similar. It is now a common tactic for spyware to mimic anti spyware programs. Examples being the cursed Winfixer. These types of programs claim to detect several viruses and usually want you to pay to remove them, or a similar scam.

    The spyware may have tried to exploit the active desktop, or changed/disabled it in some way. The active desktop is that particular bit of crapware that lets you display a web page on your desktop.

    It's common for trojans and spyware programs to disable the task manager to prevent you from terminating their processes. Well done to M$ for even allowing this to happen.
  14. Candy_girl


    Ok, I did that but nothing happened! The icons still look funny!

    It seems like there's a transparent layer of infection that covers my active/normal desktop, you know! Cuz when I press ctrl/alt/delete, the background or the color I chose from the option you gave me appears, so now I have like 2 background colors/wallpapers running! Make sense?
  15. howard_hopkinso


    Ok, try doing a Windows repair as per this thread HERE. It might be that the infections you've had have damaged some of your OS files.

    Please let me know the results.

    Regards Howard :)

  16. Candy_girl


    I'm afraid I can't do this procedure cuz I no longer have the Windows CD. I'm currently using XP Professional and the only CD I have is the Home Edition! So I don't think I can use it, right?

    Can I live with that messed-up desktop, or could it infect or damage other running processes?

    Anyways, thank you very much, Mr. Howard, for everything. I don't know how I would've survived this without you! You taught me so much this past week and I greatly appreciate it! So thank you soooo much.

    Take care.
  17. tomrca


    My view is: you have had problem after problem, and as soon as one is fixed, another reveals itself. It's probably best to save what you can onto disc and format! Until you can upgrade to XP Pro, I am sure it's far better and less stressful to work with Home Edition. Don't you?
  18. howard_hopkinso


    You're right, you can't run a Windows repair of XP Pro with a Windows Home CD.

    I must say, I agree with tomrca. Maybe you should bite the bullet and, after backing up your important data, reformat and reinstall from scratch.

    I'm sorry I wasn't able to solve your problem.

    Regards Howard :(

  19. Candy_girl


    I figured formatting was the only way!

    I'll try to though!

    What are you talking about? You saved my computer, and my life for that matter! I seriously would've died from panic if it wasn't for you. So I thank you sincerely, Mr. Howard.

    Take care.
  20. howard_hopkinso


    Thank you very much for your kind words.

    I get very disappointed if I can't fix a problem and end up having to advise someone to reformat.

    Hopefully, once you're done formatting etc., you won't have any more virus/spyware problems. However, if you do, please post in this thread.

    Good luck.

    Regards Howard :)

  21. Candy_girl


    You're very welcome! That's the least I could do!

    Don't feel bad; even if we didn't solve the problem, you still taught me loads of stuff I never knew before. I feel smart because of you; now that's something, right?!

    I will don't worry!

    Thank you very much.

    Take care.
  22. tomrca


    You're right there, he's good at what he does, and a nice bloke to boot!!
  23. Candy_girl


    Hello remember me?

    This time, I don't have a serious problem or anything, but I was just scanning with HijackThis and I saw some weird object in the log file.

    The one that says Bonjour something; I don't believe it's a valid program or something, right?

    And as for my weird desktop problem, well, it's still there! I'm sorry I couldn't format, cause, well, it will cost me too much.
  24. howard_hopkinso


    Have HJT fix the following.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    Other than the above, your HJT log is clean. However, you're running an outdated version of HJT; see HERE for the latest version and post a fresh HJT log as per the instructions.

    Regards Howard :)

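    Both of Howard's "O2 - BHO: (no name) - {CLSID} - (no file)" findings, here and in his earlier reply, are Browser Helper Object registrations whose DLL no longer exists on disk. The script below is an added example, not code from the thread or from HijackThis: it enumerates the BHO registrations Internet Explorer loads, resolves each CLSID to its InProcServer32 DLL and reports which entries are orphaned. It is read-only and changes nothing; the 32-bit Wow6432Node root is included so it also works on 64-bit Windows.

```powershell
# Added example (not from the thread): lists registered Browser Helper Objects
# and flags entries whose DLL is missing, i.e. what HJT shows as "(no file)".
# Read-only: nothing is removed.

$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoStatus {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid    = $key.PSChildName          # e.g. {A5366673-E8CA-11D3-9CD9-0090271D075B}
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null
            $dll  = $null

            if (Test-Path $clsidKey) {
                $name   = (Get-ItemProperty -Path $clsidKey).'(default)'
                $server = "$clsidKey\InProcServer32"
                if (Test-Path $server) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    if ($dll) {
                        # Strip quotes and expand %SystemRoot%-style variables before checking.
                        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                    }
                }
            }

            $status = if (-not (Test-Path $clsidKey))    { 'orphan: no CLSID registration' }
                      elseif (-not $dll)                  { 'orphan: no InProcServer32' }
                      elseif (Test-Path -LiteralPath $dll) { 'present' }
                      else                                { 'orphan: no file' }

            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Status = $status }
        }
    }
}

Get-BhoStatus | Format-Table -AutoSize
```

    An orphaned entry is harmless on its own, since there is no code left to load, which is why Howard calls it inactive; the reason to clear it is that a leftover CLSID can be reclaimed by a later installer and makes future logs harder to read. An entry marked "present" with an unfamiliar name or a DLL outside Program Files is the one worth looking at.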
  25. momok


    EDIT: whoops howard got to you first. I'll let him deal with this.