Ok, here they are:
The combofix was done in safe mode, and the hjt after the computer was back in normal mode.
Great! Almost done - For some reason the fix scripts are only partially taking.
Let's do this by hand:
-- Completely Uninstall Kaspersky (via Add/Remove Programs, if possible) and then DELETE this folder if it remains: C:\Program Files\Kaspersky Lab
-- Download the attached Zip. Please extract Fixit.reg to the desktop and DoubleClick on it and allow it to merge into the registry. Let me know if there are any problems with that.
-- Boot to Safe Mode with the Viewing of Hidden Files Enabled and see if you can locate C:\WINDOWS\system32\wowfx.dll
RightClick on it and Rename it to wowfx.BAD
Then, please upload it here for analysis and let me know what you find ---> http://virusscan.jotti.org/
If the above goes well, reinstall or re-enable your Resident Anti-virus program. Also, I would suggest installing Zone Alarm Firewall from my linky below as well.
Best luck
PP
Sorry, I haven't been home for a couple of days.
Anyway, I removed Kaspersky, and the online filescanner portion, but when I tried to merge fixit with the registry editor, I got an error saying "Cannot import C:\Documents and Settings\User\Desktop\Fixit.reg: The specified file is not a registry script.
You can only import binary registry files from within the registry editor."
Assuming that this stage was required, I therefore haven't done anything about wowfx.dll.
No worries!
Let's try that again - I need to get one of our admins to allow the uploading of .reg extensions so I don't need to zip them. Always causes headaches.
Anyhoo, please download the attached FIXME.txt to the Desktop.
--- You will need to change the extension to FIXME.reg and allow that change.
Then, DoubleClick on FIXME.reg and allow it to merge into the registry.
Also, please finish the rest of the previous steps concerning wowfx.dll.
And, how about a fresh ComboFix log as well, please.
Cheers
PP
I still get the same error when trying to allow it to merge.
Also, even on safe mode with hidden files enabled, I can't find wowfx.dll
There's a wowfax.dll, though...
And the combofix log is attached:
Well . . .crap! I have attached a tiny batch file to have a look at the registry policy.
-- Please download the attached Looky.bat and DoubleClick it to run it.
A log will pop up in Notepad - please post the contents for me.
wowfax.dll is legit. Often malware will have similarly named .exes.
I think most of the actual malware files have been cleaned along the way and we are just dealing with remnants. But, just to be certain, I have attached a fresh CFScript.txt.
-- Please DL the latest version of ComboFix.exe and delete any older versions and then drag and drop this new CFScript over ComboFix.exe to run it.
--Also, since you have StartupCPL onboard, I am going to remove most of those MSConfig keys.
Please post the new Combofix log along with the log from my batch file.
As I mentioned, we are probably dealing with remnants and they ought not to cause any problems. But, I'd like to try to be as thorough as possible.
PP
Last edited by PhilliePhan; 02-01-2008 at 05:23 PM. Reason: Removed used attachments
Here they are, I think combofix appears to have found wowfx somehow.