OK, I've been cleaning this up all week at work. First you need to reinstall the Microsoft patch MS04-011.
DO NOT REBOOT after applying the patch. I will tell you when to reboot. Several times the following apps may prompt you to reboot, but just wait till the end.
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
Please download ewido security suite.
It is a trial version of the program.
- Install ewido security suite
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will prompt you to update; click the OK button
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
- Click on scanner
- Make sure the following boxes are checked before scanning:
- Click on Start Scan
- Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
- Click Save report
- Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved, using Add Reply.
CleanUp! is a quick and easy way to delete temporary files from your system. Simply deleting these temp files may clear some infections, and will make running the following scans faster.
Install and run. Click on the button labeled CleanUp!.
When it finishes it will prompt you to restart Windows. There will be one or two files it cannot delete while Windows is running; however, they will be deleted the next time Windows starts up. Download CleanUp!
Now go to your desktop, right-click on My Computer and go to Properties. Click on the System Restore tab. Check the box for "Turn off System Restore on all drives". After a reboot you may come back to this and deselect it.
Now we need to check for a registry entry. Please go to Start > Run and type in REGEDIT. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and look for "cryptography service"; if found, delete it. Also look to see if scvhost is listed there. If found, delete it.
Now do a thorough search on the hard drive for bleh.exe and bingoo.exe and delete them. Make sure you empty the Recycle Bin.
OK, now you are ready to reboot. For more info on malware please check here
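If you have several machines to check, the registry and file search above can be done from one report-only PowerShell script. This is an added example, not part of the original post or any of the tools it names; the value names and file names are the ones the post lists, and the script only reports, so you still delete by hand as described.

```powershell
# Added example: report-only check for the indicators named in this post.
# It lists every value in the HKLM Run key, flags the two names the post
# mentions, and searches all fixed drives for the two executables.
# Nothing is deleted; review the output and clean up manually as above.

$runKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$suspectValues = @('cryptography service', 'scvhost')   # names from the post
$suspectFiles  = @('bleh.exe', 'bingoo.exe')            # files from the post

Write-Host "== Run key: $runKey =="
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object
        if ($p.Name -like 'PS*') { continue }
        $flag = ''
        foreach ($s in $suspectValues) {
            # Match on the value name or on the command it launches. Note that the
            # genuine svchost.exe is never started from this key, so any Run entry
            # that looks like it (scvhost, svchost, ...) deserves a close look.
            if ($p.Name -like "*$s*" -or "$($p.Value)" -like "*$s*") {
                $flag = '   <-- SUSPECT (named in post)'
            }
        }
        '{0,-30} {1}{2}' -f $p.Name, $p.Value, $flag
    }
} else {
    Write-Host 'Run key not readable or empty.'
}

Write-Host "`n== File search on fixed drives =="
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Free -ne $null }
foreach ($d in $drives) {
    # -Force includes hidden/system files; errors on protected folders are ignored
    Get-ChildItem -Path $d.Root -Recurse -Force -Include $suspectFiles `
        -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt, since the Run key under HKLM and most of the drive need administrator rights to read fully.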
So we can gather a bit more info, go ahead and post your HiJackThis log and the ewido log here. dk10111, I would really prefer if you were the only one to post the logs here. I may have to split/move this topic.
And for the curious, this is a new virus that is being identified by Symantec as a variant of the W32.Gaobot family. All the PCs at work that got infected had previously had the Mytob virus (specifically bingoo.exe) and somehow the MS04-011 patch was uninstalled, damaged, not there, or compromised. There was the possibility of a backdoor virus being installed, but Symantec was able to clean that one up easily.