I have a machine I'm trying to rid of a nasty

I have a machine I'm trying to rid of a nasty and so far not having any luck. There is something called 'gebyw.exe' and gebyw.dll in my System32 folder. Machine takes forever to boot - and has killed eTrust AV from starting, along with Windows Defender, a time-sync program, and a program for the the HP combo printer/fax/copy machine.

I have done a re-install of windows and reupdated all the updates. I have run Vundo fix programs as what I found on the net led me to believe that the file was related to that, but the scanners/fix programs says its not on my system.

I tried to run CureIT and got an instant reboot of the system. I had just downloaded the program, so I'm pretty sure its not relevant to the initial issues with crashes, but does anyone have any hints ?

I'll be going to work around 2PM, and will have access to the machine to work on it some more.

Thanks

PS: I have ran KAV online scanner and it says it found 2 files infected, but didn't offer to clean them ?

 

Have you tried booting the computer from a boot disk and then running CureIt?

 

Or a reboot to safe mode

 

Hi!

Try to use UnDLL => http://secit.sk/content/view/28/1/

 

Go to the techsupportforum.com help forum and start where it says "Having problems with spyware and pop-ups? First Steps"

Run through and follow the steps and do the DSS scan for em,then get into the HijackThis section and hope someone sees your logs and can help,sounds alot like the vundo fileinfector thats making rounds and thats why I suggest this forum first.

The author of vundofix also has a forum at atribune.org

 

Unlucky freind,you have more than likely been infected with the latest strain of Vundo(mass file infector) which can be royal PITA to nuke.

The trojan in <WinDir> will have been patching/renaming executable's that load at system startup inorder to reinfect apon reboot.This is probaly why those softwares that load at startup are borking and the trojan keeps reappearing in system32 folder.

You will need expert help at a HiJackThis/malware removal forum inorder to sort this one out.
http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

All the best!

 

Hi C

Can Vundofix take down this particular evo as when i had the infection loaded earliar i did'nt test any onefix solutions

Do you know what is the canned fix,if any yet?

Ade

 

Thanks for the suggestions guys. I got CureIT to run, in fact still running, and so far has found a couple of things, but not at all sure that will fix the issues.

Thanks for the heads-up that I'm in for a long battle - sigh

EDIT: CureIT found a trojan dropper - trojan.muldrip.9785 and a hacker tool: tool.prockill - both were deleted, and startup error I was seeing is now gone. Currently running a scan with NOD32.

I removed eTrust from the system - (no confidence at this point)

 

I had a recent Vundo infection, and none of the single-fix tools came close. Vundofix didn't even see it. A combination of Trojan Remover and SuperAntiSpyware eventually sorted it, but only after a day or two (when they'd presumably updated.)

 

Well, I thought I was making progress when NOD32 found a couple of items, and put those in quarantine.

Then downloaded superantispyware and it found 42 more items, and several items of Vundo, and Vundo smart-a ? (left list at work)
All those items were supposedly removed, or quarantined and I thought all was getting well.

Rebooted the system and both NOD32 and SAS and Windows Defender were once again rendered unable to start up... Sigh - will continue more later in a couple of days when I go back to work.

I did neglect to try running SAS and NOD32 in Safe-Mode - will try that next I guess..

Thanks all for the ideas.

 

That will make no difference on this occaision.....unless your defenders(AV/AT/ASW) can affect a cleanup on all the infection(Principal .exe+.dll) and all the patched software load exe's in one logon session then the infection will respawn at the next reboot

As advised earliar visit an expert help forum to get assistance with this one because even savvy tech guys are finding this one a nightmare to manually disinfect

http://www.dslreports.com/forum/r19702820-Virtumonde-would-someone-please-shoot-these-guys
http://forums.superantispyware.com/viewtopic.php?t=1076

All the best!

 

Best hopes at the moment lay at techsupportforum,thats where subs calls home and so far, CF + RenV switch he built are the only tool working.

 

Thanks MJ,so onestopfix is out there for assistance by the malware removal experts

FYI I allowed myself my first full blown infection from the new strain last Sunday,up until now i was allowing system32 trojan to drop and deploy but blocked any patching activities via HIBS

So i finally bit the bullet and took one for teh hometeam....curious y'know!

Surprisingly it was quite easy to manually remove as it only affected all my 04's in a HJT log.Inspection of relevent programme folders revealed tainted load exe(larger file) and renamed original with " " gap in the file name(smaller exe)present.So with use of IceSword(file delete) on the system32 Vundo(DLL+exe) and the nobbled exe's ,followed by renaming of the original executables in one session said goodnight to this badboy and restored software integrity on reboot