Spyware attack messed my desktop "Help"

Discussion in 'Virus and Malware Removal' started by Candy_girl, Oct 24, 2006.

  1. Candy_girl Newcomer, in training Posts: 54

    Ah dammit! In order to remove the infections I have to purchase the program!

    Shall I run CCleaner instead?

    Oh, btw, I didn't remove the items found by the earlier AVG Antispyware scan. Shall I now?
  2. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Bugger, in that case you need to follow the manual removal instructions.

    This is a relatively new infection and I`m currently researching to find an easier fix.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Try this tool HERE. Follow the instructions exactly.

    Regards Howard :)

  4. Candy_girl Newcomer, in training Posts: 54

    The manual way? OK! Where do I find those extensions/DLLs and such? In the registry? And once that's done, do I begin running that tool thing?
  5. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Try running the tool in my post above, if that doesn`t help, I`ll give you manual removal instructions.

    Regards Howard :)

  6. Candy_girl Newcomer, in training Posts: 54

    OK, I ran the tool, but that grom-something wasn't found on my system; it said this at the end of the scan:

    "Scan finished normally
    For a detailed log, please refer to \gromozon_removal.log"

    Shall I run CCleaner instead?
  7. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Ok, here are the manual removal instructions.

    Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

    Click on the Processes tab and end the process for each of the following (if there):

    bravesentry.exe
    vxgamet[X2].exe
    vxh8jkdq[X2].exe

    win32.exe
    xpupdate.exe
    alg.exe

    kerneles8.exe
    maxd64.exe
    taskdir.exe

    voi[X1].exe
    vxgame[X2].exe
    dxvwabxj.exe


    Close Task Manager.

    Click Start/Run, type regedit into the Run box and press the Enter key. Maximise the window, then navigate to and delete the following registry keys in the right-hand pane:

    HKEY_CURRENT_USER\software\bravesentry

    HKEY_CURRENT_USER\software\bravesentry\scan

    HKEY_CURRENT_USER\software\bravesentry\systemsecurity

    HKEY_CURRENT_USER\software\bravesentry\updates

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\bravesentry

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bravesentry
    BraveSentry

    Close regedit.

    Click Start/Run, type regsvr32 /u bravesentry0.dll and press the Enter key. Do this for all the following files as well:

    bravesentry1.dll
    bravesentry2.dll
    bravesentry3.dll

    comdlg64.dll
    msupdate32.dll
    tio[X1].dll

    winbixnkq32.dll
    zlbw.dll

    Next, locate and delete the following files, if found:

    bravesentry.exe
    vxgamet[X2].exe
    vxh8jkdq[X2].exe

    win32.exe
    xpupdate.exe
    bravesentry0.dll

    bravesentry1.dll
    bravesentry2.dll
    bravesentry3.dll

    comdlg64.dll
    msupdate32.dll
    tio[X1].dll

    winbixnkq32.dll
    zlbw.dll

    kerneles8.exe
    maxd64.exe


    taskdir.exe
    voi[X1].exe
    vxgame[X2].exe

    desktop.html
    Explorer 2238
    dxvwabxj.exe

    BraveSentry
    BraveSentry.lnk

    Run Ccleaner after you`re finished and post a fresh HJT log.

    Regards Howard :)

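The manual checklist above (end processes, delete registry keys, unregister DLLs, delete files) as one script. This is an added example, not code from the thread or from any of the tools Howard links; it assumes an elevated PowerShell 5.1+ session, treats the [X1]/[X2] placeholders in his list as wildcards, and searches a set of assumed directories for the dropped files. With `$WhatIfPreference = $true` every destructive cmdlet only reports what it would do.

```powershell
# Added example, not from the thread: Howard's manual removal checklist as a
# PowerShell script for an elevated PowerShell 5.1+ session.
# With $WhatIfPreference = $true every destructive cmdlet only reports what it
# would do; set it to $false once that report shows nothing you want to keep.
$WhatIfPreference = $true

# Names from the post. [X1]/[X2] stand for random characters, so they become
# '?' wildcards. alg.exe is deliberately left out: the genuine alg.exe is a
# Windows service and is only suspect when it runs from outside System32.
$ProcessPatterns = 'bravesentry', 'vxgamet??', 'vxh8jkdq??', 'win32', 'xpupdate',
                   'kerneles8', 'maxd64', 'taskdir', 'voi?', 'vxgame??', 'dxvwabxj'
$DllPatterns  = 'bravesentry?.dll', 'comdlg64.dll', 'msupdate32.dll', 'tio?.dll',
                'winbixnkq32.dll', 'zlbw.dll'
$FilePatterns = $DllPatterns + @('bravesentry.exe', 'vxgamet??.exe', 'vxh8jkdq??.exe',
                'win32.exe', 'xpupdate.exe', 'kerneles8.exe', 'maxd64.exe', 'taskdir.exe',
                'voi?.exe', 'vxgame??.exe', 'dxvwabxj.exe', 'desktop.html',
                'BraveSentry', 'BraveSentry.lnk')
$RegKeys = 'HKCU:\Software\BraveSentry',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\BraveSentry'
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # value name: BraveSentry
# Assumed search locations (where droppers of this era usually put their files).
$SearchDirs = $env:SystemRoot, "$env:SystemRoot\System32", "$env:USERPROFILE\Desktop", $env:TEMP

# 1. End the listed processes, logging each image path before it is killed.
foreach ($pat in $ProcessPatterns) {
    Get-Process -Name $pat -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host ("process {0} (PID {1}) image: {2}" -f $_.Name, $_.Id, $_.Path)
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Delete the registry keys, then the per-user Run entry (a value, not a subkey).
foreach ($key in $RegKeys) {
    if (Test-Path -Path $key) { Remove-Item -Path $key -Recurse -Force }
}
$run = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $null -ne $run.GetValue('BraveSentry')) {
    Remove-ItemProperty -Path $RunKey -Name 'BraveSentry'
}

# 3. Find the dropped files, unregister the COM DLLs, then delete what was found.
#    regsvr32 saying "module could not be found" only means the file is not on
#    this machine, which is expected; the script simply skips files it cannot find.
$found = foreach ($dir in $SearchDirs) {
    foreach ($pat in $FilePatterns) {
        Get-ChildItem -Path $dir -Filter $pat -Force -ErrorAction SilentlyContinue
    }
}
foreach ($f in ($found | Sort-Object -Property FullName -Unique)) {
    if ($f.Extension -eq '.dll') {
        if ($WhatIfPreference) { Write-Host "What if: regsvr32 /u /s $($f.FullName)" }
        else { & regsvr32.exe /u /s $f.FullName }
    }
    Remove-Item -LiteralPath $f.FullName -Recurse -Force
}
```

Run it first with the dry run, check that every reported image path and file really belongs to the infection, then run it for real and follow up with the fresh HJT log Howard asks for. Because this family is described later in the thread as rootkit-based, a file the script cannot see from a normal session may still exist; repeating the search from Safe Mode, or from an offline boot, is the cross-check.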
  8. Candy_girl Newcomer, in training Posts: 54

    OK, I did all of that, but when I typed "regsvr32 /u bravesentry0.dll" it said "the specified module couldn't be found".

    Then I ran CCleaner. I don't quite get it; especially when I click on "Issues" and run a scan, all I get are unused/deleted extensions and programs. Shall I fix the suspicious stuff?

    And when I ran the "Cleaner" and scanned some items, this is what I got (example):

    http://www.sendspace.com/file/fa4x1l

    (I had to upload it elsewhere because of the attachment size limit.)

    Finally my new hijackthis log file.
  9. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    It doesn`t matter that some files cannot be found during the manual removal process. In fact this is to be expected. Did you complete the removal instructions? If not, you should do so and don`t worry if you can`t find some of the items listed.

    You need to run Ccleaner as per the instructions; that means let Ccleaner delete everything it finds, both the cleanup and the issues.

    Your HJT log is clean.

    How`s your system running?

    Regards Howard :)

  10. Candy_girl Newcomer, in training Posts: 54

    Yes, I did everything you asked me to; I even ran the system in Safe Mode to make sure nothing's hiding somewhere!

    As for CCleaner, it kind of worries me a bit, because when I check, under the "Windows" tab, "Advanced", something like "Window Size/Location Cache", it warns me that I might lose some data if I check it! And now you're telling me to check everything and delete whatever it finds. Are you sure I won't damage anything if I take such action?

    My system is running well actually, except that when I check the Task Manager, there are some weird processes running, like:

    "Alg.exe , winlogon.exe , system"

    Are these dangerous? I know alg.exe is, but what about the others?

    Also my desktop (icons in particular) is still looking weird (attachment)! That's all that bothers me right now, but I'm guessing it has something to do with that spyware attack disabling the desktop options I mentioned before, the object policy thing! Is there any way I can get it back and control my desktop options again?
  11. tomrca Newcomer, in training Posts: 1,051

    I have the same processes running. And by the look of the desktop items, it looks as if they are locked. To unlock, right-click on a clear space on your desktop, select 'Arrange Icons By', then untick 'Lock Web Items on Desktop'.
  12. Candy_girl Newcomer, in training Posts: 54

    Really? so they're not dangerous?

    I did that, but still nothing; the graphics are a bit weird! (See attachment.) See how the name "Shaun Lowe" is too pixelated!

    The desktop is fine when I restart, up until the icons start to appear; then everything becomes weird like that! It seems like the desktop can't accept the wallpaper, because before the icons are loaded upon restart the desktop shows the background colour, then loads the wallpaper, and that's when the desktop, well, again becomes weird!

    I hope that makes sense.
  13. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Alg.exe and Winlogon.exe are legit files provided they are running from the correct location.

    I`d like you to post fresh AVG Antispyware and HJT logs.

    This is so I can confirm or otherwise that Bravesentry is gone. This is a real nasty infection that`s based on a rootkit.

    I`ve only just come across this infection in the last couple of days, so it`s pretty new, hence the difficulty in removing it.

    Regards Howard :)

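Howard's point that alg.exe and winlogon.exe are legitimate "provided they are running from the correct location" is a check that can be automated. This is an added example, not from the thread: it compares each process with a known-good name against the expected System32 image path and its Authenticode signature. It assumes an administrator PowerShell 5.1+ session and that the expected paths in the `$Expected` table are the standard ones for the machine; extend the table for other names.

```powershell
# Added example, not from the thread: verify that processes with "known good"
# names really run from the expected image path and carry a valid Microsoft
# signature. Run as administrator on PowerShell 5.1+.
$Expected = @{
    'alg'      = "$env:SystemRoot\System32\alg.exe"        # Application Layer Gateway service
    'winlogon' = "$env:SystemRoot\System32\winlogon.exe"
    'svchost'  = "$env:SystemRoot\System32\svchost.exe"
    'explorer' = "$env:SystemRoot\explorer.exe"
}

function Get-ImagePath([System.Diagnostics.Process]$p) {
    # .Path reads the main module and is empty for protected processes; fall
    # back to WMI's Win32_Process, which reports ExecutablePath for most of them.
    if ($p.Path) { return $p.Path }
    (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)").ExecutablePath
}

function Test-ProcessImage {
    param([string]$Name, [string]$ExpectedPath)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $path = Get-ImagePath $p
        if (-not $path) {
            # Kernel-backed entries such as "System" (PID 4) expose no image path;
            # that alone is not a finding.
            [pscustomobject]@{ Name = $p.Name; PID = $p.Id; Path = '<none>'; Verdict = 'no path (kernel/protected)' }
            continue
        }
        $pathOk = [string]::Equals($path, $ExpectedPath, [StringComparison]::OrdinalIgnoreCase)
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $sigOk  = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        $verdict = if (-not $pathOk)  { "SUSPECT: image at $path, expected $ExpectedPath" }
                   elseif (-not $sigOk) { "CHECK: signature status $($sig.Status)" }
                   else { 'ok' }
        [pscustomobject]@{ Name = $p.Name; PID = $p.Id; Path = $path; Verdict = $verdict }
    }
}

$report = foreach ($n in $Expected.Keys) { Test-ProcessImage -Name $n -ExpectedPath $Expected[$n] }
$report | Format-Table -AutoSize
```

A second "alg.exe" running from C:\Windows or from a user profile folder shows up as SUSPECT on the path test, which is the decisive indicator; the signature test is supporting evidence only, since on older Windows versions many System32 binaries are catalog-signed and Get-AuthenticodeSignature may report them as NotSigned even when they are genuine.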
  14. Candy_girl Newcomer, in training Posts: 54

    Oh god a new infection huh? should I be worried?

    OK, I ran a new antivirus scan today and this is the result (attachment). I'm not sure what this is exactly!

    Also here are my HJT and Antispyware logs (attachment)

    Lastly, as I mentioned before, I haven't yet run CCleaner, which means I haven't removed any issues or anything, because I'm worried about the warnings I got (the previous reply).

    I guess that's it!
  15. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    I can see no more Bravesentry entries.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into Safe Mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


    Have HJT fix this inactive entry.

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    Close HJT.

    Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

    Click on the Processes tab and end the process for the following (if there):

    kernels8.exe

    Close Task Manager.

    Run the Ccleaner programme exactly as per these instructions.

    Download the Ccleaner programme from HERE.

    Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times. Click on issues, then the scan for issues button. Click the fix selected issues button, followed by the fix all selected issues button. Do this several times, until no more issues are found.


    Locate and delete this file (if there):

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G5U7WXAN\2236[1].htm

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\kernels8.exe

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.


    Post a fresh HJT log and a fresh AVG Antispyware log. Let me know if you`re still having problems.

    Regards Howard :)

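What killbox's "delete file on reboot" actually does is ask Windows to remove the file during the next boot, before any process can lock or respawn it. The following is an added example, not killbox's code or anything from the thread: it uses the Win32 call that such tools rely on (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), then reads back the Session Manager value where the request is queued. It assumes an elevated PowerShell 5.1+ session (the value lives under HKLM), and the file path is the one from the post.

```powershell
# Added example, not from the thread: killbox-style "delete on reboot" with
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). Run elevated.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    # A null destination plus this flag asks the Session Manager to delete the
    # file early in the next boot, before anything can lock it or restart it.
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: " + (New-Object ComponentModel.Win32Exception $err).Message
    }
}

function Get-PendingFileRenames {
    # The queue is a multi-string of pairs: "\??\C:\path\file", then "" meaning delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

# Path from the post; change it to the file you actually want removed.
Register-DeleteOnReboot -Path "$env:SystemRoot\System32\kernels8.exe"
Get-PendingFileRenames
```

After the reboot, `Test-Path "$env:SystemRoot\System32\kernels8.exe"` should return False. If the file is back, something that survives the reboot (a service, driver or Run entry) is re-creating it, and deleting the file again without finding that component will not help.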
  16. Candy_girl Newcomer, in training Posts: 54

    OK, I did everything according to instructions, but still my stupid desktop is the same.

    I give up!

    But anyway, here are my results; however, neither the antivirus scan nor the spyware scan showed anything. The kernel.exe thing was found, but it didn't say that it's a virus!

    See (attachments)
  17. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Your HJT log is clean.

    Try this and see if it helps.

    Right-click your desktop and select Properties. Click on the Desktop tab and click the Customize Desktop button. Click the Web tab and uncheck any web pages and the Lock Desktop box. Click OK/Apply/OK. Now right-click your desktop again and select Properties. Click the Desktop tab and see if you can change your desktop picture.

    Let me know the results.

    Regards Howard :)

  18. Use Mozilla Firefox, not M$IE; it doesn't tend to have so many problems with software installing whatever it likes on your machine.

    That wasn't the security center but the program that the ad installed. The icon probably looked similar. It is now a common tactic for spyware to mimic anti spyware programs. Examples being the cursed Winfixer. These types of programs claim to detect several viruses and usually want you to pay to remove them, or a similar scam.

    The spyware may have tried to exploit the active desktop, or changed/disabled it in some way. The active desktop is that particular bit of crapware that lets you display a web page on your desktop.

    It's common for trojans and spyware programs to disable the Task Manager to prevent you from terminating their processes. Well done to M$ for even allowing this to happen.
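The two mechanisms described in the last posts, Active Desktop being changed or locked and Task Manager being disabled, are both driven by registry values, so they can be enumerated rather than hunted through dialogs. This is an added example, not from the thread: it lists the documented Explorer, ActiveDesktop and System policy values (a non-zero value means the restriction is on) and the Active Desktop wallpaper and component sources, which is where an HTML "layer" over the desktop lives. It assumes PowerShell 5.1+ run in the affected user's own session; the value names are the standard policy names, not ones taken from this infection.

```powershell
# Added example, not from the thread: enumerate desktop/Task Manager policy
# restrictions and Active Desktop HTML components. Run in the affected user's
# session (HKCU is that user's hive); HKLM is checked too for machine policy.
$PolicyChecks = @(
    @{ Sub = 'Policies\System'
       Names = 'DisableTaskMgr', 'DisableRegistryTools', 'Wallpaper' }
    @{ Sub = 'Policies\Explorer'
       Names = 'NoActiveDesktop', 'NoActiveDesktopChanges', 'NoSetActiveDesktop', 'NoDesktop', 'NoSaveSettings' }
    @{ Sub = 'Policies\ActiveDesktop'
       Names = 'NoChangingWallPaper', 'NoComponents', 'NoAddingComponents', 'NoEditingComponents',
               'NoDeletingComponents', 'NoHTMLWallPaper' }
)

function Get-DesktopRestrictions {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($c in $PolicyChecks) {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$($c.Sub)"
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($n in $c.Names) {
                $v = $props.$n
                # Report anything set and non-zero (Wallpaper is a string, hence the string compare).
                if ($null -ne $v -and "$v" -ne '0' -and "$v" -ne '') {
                    [pscustomobject]@{ Key = $key; Name = $n; Value = $v }
                }
            }
        }
    }
}

function Get-ActiveDesktopComponents {
    # Active Desktop keeps its HTML wallpaper and web items here. A local .htm or
    # .html source you did not add is the "transparent layer" over the desktop.
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop'
    $general = Get-ItemProperty -Path "$base\General" -ErrorAction SilentlyContinue
    if ($general) { [pscustomobject]@{ Item = 'General\Wallpaper'; Source = $general.Wallpaper } }
    Get-ChildItem -Path "$base\Components" -ErrorAction SilentlyContinue | ForEach-Object {
        $src = (Get-ItemProperty -Path $_.PSPath).Source
        if ($src) { [pscustomobject]@{ Item = "Components\$($_.PSChildName)"; Source = $src } }
    }
}

Get-DesktopRestrictions     | Format-Table -AutoSize
Get-ActiveDesktopComponents | Format-Table -AutoSize
```

A restriction that shows up can be cleared with `Remove-ItemProperty -Path <Key> -Name <Name>` followed by logging off and on; a component whose Source points at a stray local HTML file (the desktop.html and 2236[1].htm entries in Howard's lists are exactly this kind of item) is removed by deleting that component subkey and the file, after which the wallpaper can be set again from the Desktop tab.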
  19. Candy_girl Newcomer, in training Posts: 54

    OK, I did that, but nothing happened! The icons still look funny!

    It seems like there's a transparent layer of infection that covers my active/normal desktop, you know! Because when I press Ctrl/Alt/Delete, the background or the colour I chose from the option you gave me appears, so now I have like 2 background colours/wallpapers running! Make sense?
  20. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    OK, try doing a Windows repair as per this thread HERE. It might be that the infections you`ve had have damaged some of your OS files.

    Please let me know the results.

    Regards Howard :)
