Gedza Virus?


Recommended Posts

I found this virus on my computer thru an AVG scan, I did print screen to get an image of exactly what it said. How can I remove this? I'm not familiar too much yet with XP so I'm not comfortable messing with the files just yet ;) Thanks :)virus.jpg

Link to post
Share on other sites

Ok, first thing we should do is disable system restore. To do that follow this:

Right click My Computer

Choose Properties

Go to the System Restore tab

Check Turn off System Restore

Apply/Ok

Next, reboot. After you reboot run an AVG scan, see if it finds anything and if it does let me know. Then after you reboot and run the AVG scan post a HijackThis log. Follow the directions here:

http://www.besttechie.net/forums/index.php?showtopic=1455

Note: After we clean out the virus we will re-enable system restore. B)

B

Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 11:12:30 AM, on 18/10/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\carpserv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Xerox\NWWia\XrxFTPLt.exe

C:\WINDOWS\system32\Drivers\XWMSAPI.EXE

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe

O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\system32\Drivers\XWMSAPI.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylomgames.com/activex/zylomgamesplayer.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Link to post
Share on other sites

Ok, please boot to safe mode, and run AVG from there, have it clean what it can.

http://www.computerhope.com/issues/chsafe.htm

Follow the Windows XP directions.

Then reboot into normal mode, and run this scan.

http://www.pandasoftware.com/activescan/

Click "Scan your PC" then "Check Now" in the popup window, fill out the info and scan. Make sure to include your Panda log in your next reply.

Good luck! :thumbsup:

B

Link to post
Share on other sites

I'm having a problem with pandascan. I can scan the computer and it says 17 viruses, but the box that pops up with the scan in it is cut off on the right side and I can't enlarge it???? so I can't see what to do or how to save the scan -- any ideas? I tried running it again and the popup box is still cut off the one side :(

Link to post
Share on other sites

I'm a little confused.....when I was having the screen problems with panda, it was showing 17 viruses, but when I was able to view the whole screen and scanned there were no viruses, completely clean. Then I did trend micro one too, also clean. So now what?

Link to post
Share on other sites

Ok, lets just clean out your temp internet files.

In IE

Tools

Internet Options

Delete Files

Apply/Ok

Also, your hjt log looks ok. What you can do is go to the location that those virus files are located and see if they're still there. If so, try to delete the files from normal mode regualarly if you can't boot to safe mode and delete them. After that you should be ok. Then you can re-enable system restore if you would like to. The same way you disabled it just uncheck it to turn it back on and apply/ok. B)

You can fix this with HJT:

O4 - Startup: PowerReg Scheduler V3.exe

Good luck! :thumbsup:

B

Link to post
Share on other sites

Alright, thank you. I've done what you suggested and I am running AVG again. Those files *were* still there so I've deleted them :) hopefully AVG will come up clean. Thank you so much for taking the time to help me today :)

Link to post
Share on other sites
  • 1 month later...
Guest
This topic is now closed to further replies.