VB.ckt

[pechribo]

My Antivirus shows me the VB.CKT worm!

The startpage of my IE was changed and i can not enter another one!
When my Yahoo-Mess is open the persons in my adressbook become messages ....

My taskmanager was deactivated ......

What can I do?

 

[howard_hopkinso]

Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of pechribo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[pechribo]

Combofix

Where can i find this tool ..... i mean ComboFix?

 

[howard_hopkinso]

All programmes/tools etc, are clearly linked to in the instructions.

Regards Howard

This thread is for the use of pechribo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[pechribo]

I have done what you wrote me ..... no changes! Everything like yesterday!

 

[howard_hopkinso]

Run Panda Antirootkit and have it fix all those entries it found. They are all dangerous.

You haven`t attached an AVG Antispyware log, please do so in your next reply.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\ntos.exe,
C:\WINDOWS\system\svchost32.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system\svchost32.exe
C:\WINDOWS\system32\conf.dat
C:\wndxkef.exe
C:\WINDOWS\system\cmd.exe
C:\WINDOWS\ShowBmp.exe
C:\WINDOWS\system32\uaD6OIO8.dll
C:\WINDOWS\system32\cSdjS18l.dll
C:\WINDOWS\system32\i4Ow80f0.dll
C:\WINDOWS\system32\r0kw74WI.dll
C:\WINDOWS\system32\pNmN6HAd.dll
C:\WINDOWS\system32\BnuyTyUP.dll
C:\WINDOWS\system32\3GKLMQi2.dll
C:\WINDOWS\system32\0PnGQ35r.dll
C:\WINDOWS\system32\bhc65CXL.dll
C:\WINDOWS\system32\B1JbnEw4.dll
C:\WINDOWS\system32\cLFwCpxJ.dll
C:\WINDOWS\system32\midimapd.dll

Folder::
C:\VundoFix Backups
C:\qoobox

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1285AE1E-4ED2-435B-B54A-0D730470251D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669CFA6D-450B-4d88-A9D7-D2371E845370}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messenger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Don`t forget to attach an AVG Antispyware log.

Regards Howard

This thread is for the use of pechribo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[pechribo]

I run Panda Antirootkit again and i fixed all the entries it found!
Now i can not start my system!!

 

[howard_hopkinso]

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Try doing a system restore.

Let me know the outcome.

Regards Howard

This thread is for the use of pechribo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.