
Found Hacktool Rootkit.d after Panda Scan


#16 Sumita (Member, Topic Starter, 39 posts)
:whistling: Hi

I have run haxfix and logs below.....have a good weekend

Thanks
Sumita

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

Finished!

Edited by Sumita, 23 February 2007 - 04:03 PM.


#17 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Do the same keys that you have found using Icesword - Legacy_AVPU32 and AVPU64 - appear when using regedit?

#18 Sumita (Member, Topic Starter, 39 posts)
:whistling: Hi

To be honest I don't know....I ran Regsearch again with the strings and got an error message 'integer overflow', whatever that means. I have attached a screen print below

Thanks
Sumita

Attached Files



#19 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Forget Regsearch, it's having a few problems - it should be tweaked to perfection in a day or two though.
Go to Start > Run, enter regedit and click OK.
Navigate in the same way as you did using Icesword and see if the two keys exist, just as they appeared when you took the first screenshot.
If you can't see them, something is hiding them. If you can, then it may be that you need to change a Permission in order to delete them.

#20 Sumita (Member, Topic Starter, 39 posts)
:whistling: Hi

Went into the registry and AVPU 32 and 64 are both there. I have deleted things from the registry before, last time I switched off system restore, went into safe mode and did it like that. Would that be the right thing to do (that was what I did for new.net or some virus or other, looked up how to do it on the net).

Thanks
Sumita

#21 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
That's good - nothing's hiding them. We'll leave System Restore on as we want to keep its safety net active. The only danger that it poses is if you use a Restore Point to reset your PC which includes these keys.
If there is a problem once you have edited the registry, an infected Restore Point is better than none at all!

To begin, create a new Restore Point - always do this before any visit into the registry. You will probably have one handy, but another won't matter.
Then navigate to the keys again, right click each and from the menu that appears, select Permissions...
Under "Group or user names:" select your username.
Under "Permissions for your username", see if there is a checkmark in the "Allow" box to the right of "Full Control".
If there isn't a checkmark there, click the box and then OK.
Then right click each key and select Delete.

Close regedit and then reopen it and check to see that the keys have gone - if so, you're done. Let me know how you get on.
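The same procedure Noviciate describes in #21 (restore point first, confirm the keys are visible, grant Full Control, delete, re-check) can be scripted from an elevated PowerShell session. This is an added example, not code from the thread or from any tool mentioned in it. The thread only names the keys as Legacy_AVPU32 and Legacy_AVPU64; the full path under Enum\Root is an assumption, and the Windows Defender-era cmdlets used here did not exist on the XP machine in the thread.

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) PowerShell.
# ASSUMPTION: LEGACY_* keys live under Enum\Root; only the key names come from the thread.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPU32',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPU64'
)

# Step 1 (post #21): always take a restore point before editing the registry.
Checkpoint-Computer -Description 'Before removing LEGACY_AVPU keys' -RestorePointType MODIFY_SETTINGS

foreach ($key in $keys) {
    # Step 2 (post #19): is the key visible through the normal registry API, i.e. what regedit sees?
    # If a rootkit were hiding it, this would report it missing while Icesword still showed it.
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "$key : not visible via the registry API"
        continue
    }
    Write-Output "$key : present"

    # Step 3: show the current ACL. The "Permissions..." dialog in regedit is editing this object.
    $acl = Get-Acl -LiteralPath $key
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize

    # Step 4: tick "Allow / Full Control" for the current user, then delete the key.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl

    Remove-Item -LiteralPath $key -Recurse -Force

    # Step 5: the equivalent of closing and reopening regedit to confirm the key is gone.
    if (Test-Path -LiteralPath $key) {
        Write-Warning "$key still exists; look for a Deny entry or take ownership first"
    } else {
        Write-Output "$key : deleted"
    }
}
```

Two practical caveats: `Test-Path` also returns false when the current account simply lacks read access to the key, so a "not visible" result on its own does not prove something is hiding it; and if `Set-Acl` fails with access denied, the key's owner must be changed first (in regedit this is the Owner tab behind the Advanced button), which the script above does not attempt.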

#22 Sumita (Member, Topic Starter, 39 posts)
:whistling: Hi

I have (very nervously) deleted Legacy_AVPU32 and 64 and I'm guessing that as nothing terrible has happened to my PC it must be okay. I'm going to reboot now just to make sure. Hope everything is okay now?

Many thanks
Sumita

#23 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
If I don't hear from you shortly, I guess you'll be running System Restore while cursing me unto the deepest pit of H ell - which could be better, admittedly. (space included to get around the forum "naughty word" software)
Let me know how you get on.

#24 Sumita (Member, Topic Starter, 39 posts)
:whistling: Hi there

No, haven't cursed you to the deepest bowels of H ell! As you can see I'm still up and running so guess it worked. Thanks so much for helping me out I really, really appreciate it. Just such a relief to use the internet without having to worry. I'm going to run another Panda Scan though, just to be 100% sure...

Sumita x

#25 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
As long as the Panda scan comes back clean, you're almost done. You are running an old version of Sun Java which needs updating:
  • Go here and click on the Download button to the right of Java Runtime Environment (JRE) 6.0.
  • Accept the license agreement by clicking the appropriate radio button and then continue.
  • Under Windows Platform - Java™ SE Runtime Environment 6, click the Windows Offline Installation, Multi-language link.
  • Go to Add/Remove Programs and remove any entries that refer to Java 2 Runtime Environment and then reboot your PC.
  • Navigate to and delete the following folder, if it exists: C:\Program Files\Java.
  • Finally double click the installation file that you downloaded earlier.
Then I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Update your anti-virus program,
Disable System Restore,
Boot into Safe Mode,
Scan your computer for viruses.
When you get the all clear, reboot into Normal Mode.
Re-enable System Restore,
Create a Restore Point.
This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

Obviously if all isn't well, don't do the above and we'll come up with another plan.
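The two housekeeping tasks in #25, finding leftover Java Runtime entries in Add/Remove Programs and the disable-scan-re-enable-snapshot cycle for System Restore, look like this when scripted from an elevated PowerShell session. This is an added example, not code from the thread. The Uninstall registry paths are the standard Windows ones; the scan command is shown with Windows Defender's `MpCmdRun.exe` purely as a stand-in for whatever antivirus the reader runs, and `Disable-ComputerRestore` / `Enable-ComputerRestore` are assumed to be available (Windows client editions only).

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) PowerShell.

# Part 1 (post #25, Java steps): list Add/Remove Programs entries for Java Runtime Environments,
# so old Java 2 Runtime Environment installs can be removed before the new JRE goes on.
function Get-InstalledJavaRuntime {
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # absent on 32-bit Windows
    )
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } |
            Where-Object { $_.DisplayName -like '*Java*Runtime Environment*' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

# Part 2 (post #25, System Restore steps): disabling System Restore discards every existing
# restore point, so the scan cannot be undone by rolling back to an infected snapshot;
# afterwards a fresh, clean point is taken.
function Invoke-CleanRestorePointCycle {
    param(
        [Parameter(Mandatory)] [scriptblock] $Scan,   # the antivirus scan to run in between
        [string] $Drive = 'C:\'
    )
    Write-Output "Restore points before: $((Get-ComputerRestorePoint | Measure-Object).Count)"

    Disable-ComputerRestore -Drive $Drive            # step: Disable System Restore
    & $Scan                                          # step: Scan your computer for viruses
    Enable-ComputerRestore  -Drive $Drive            # step: Re-enable System Restore
    Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

    Write-Output "Restore points after:  $((Get-ComputerRestorePoint | Measure-Object).Count)"
}

# Usage
Get-InstalledJavaRuntime | Format-Table -AutoSize

# Stand-in scan command (ASSUMPTION: Windows Defender is present); substitute your own scanner's CLI.
Invoke-CleanRestorePointCycle -Scan {
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
}
```

The script does not reboot into Safe Mode for you; Noviciate's sequence puts the scan in Safe Mode, so on a machine where that matters the two halves of the cycle would be run before and after that reboot rather than in one sitting.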

#26 Sumita (Member, Topic Starter, 39 posts)
:whistling: Hi there

I've installed java 6 and will now wait till Sunday and hope that all is okay....will let you know

Thanks so much
Sumita x

#27 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
I'll be in the vicinity. :whistling:

#28 Sumita (Member, Topic Starter, 39 posts)
:blink: Hi there

I have run anti-virus and it didn't find anything (except haxfix in the registry, but I guessed that was okay) and I have created a restore point. Thankfully, everything seems to be working fine. Thank you so, so much for helping me get this fixed....

Sumita :whistling: xxx

#29 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
You can uninstall Haxfix via Add/Remove Programs if you wish.

Edited by Noviciate, 04 March 2007 - 02:39 PM.


#30 Sumita (Member, Topic Starter, 39 posts)
Hi there

Thank you I will...and thanks again for everything

Sumita x :whistling: