#1 - Ruzzock (Registered User) - 01-15-2008, 07:19 PM
Virtumonde?? Advice much appreciated

My son's PC is an elderly Dell running Windows XP. It has McAfee installed, but it has been running increasingly slowly, and as of yesterday McAfee began running so slowly that it couldn't complete the scan, and started producing virus reports.

I thought the problem was in morfinu572.exe, which I found and deleted using advice posted on these forums.

Today I ran Ad-Aware, A-Squared, and Spybot - all of which found more malware. Spybot identified Virtumonde but said it had fixed it.

I didn't believe this as McAfee was still grinding away, and I noticed that it kept coming back on the scan to windows\system32\kjkkj.ini - which I googled and which seems to be associated with Virtumonde. McAfee reported a series of infected files but didn't ask me to clean/delete them - and because it couldn't finish the scan because it was running so slowly I couldn't find out anything more about them.

I have downloaded and run Vundofix.exe - but once this has run for about 15 minutes it then stops with a blank screen, and just sits there. I've tried running it both in normal and in safe mode, but the same thing happens and Windows Task Manager produces a Not Responding report.

Below is the most recent report from HiJack This.

I would very much appreciate any advice - I've learnt a huge amount in the last 24 hours from reading the posts, but I'm still a noob so if I'm doing something stupid, don't hesitate to say.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:45, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Cyb2k .exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Cyb2k .exe
C:\Documents and Settings\Benet P\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/advanced_search?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k .exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7154 bytes

#2 - Ned Slider (Moderator) - 01-15-2008, 07:32 PM
Re: Virtumonde?? Advice much appreciated

Do you still have this file on your system:

C:\WINDOWS\system32\jkkjk.exe

If so, please upload it to www.virustotal.com and scan it, pasting the results here. Then please delete the file (and any similarly named files such as jkkjk.dll, jkkjk.ini etc).

In your hijackthis log, please also "fix" the entry for:

F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe

Then try running Vundofix again as per these instructions:

Quote:
Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
After that, please also run ComboFix as per these instructions:

Quote:
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
#3 - Ruzzock (Registered User) - 01-15-2008, 07:48 PM
Re: Virtumonde?? Advice much appreciated

Ned - thank you so much for this amazingly quick reply. It's getting late-ish here, so rather than trying to do all this with a muddled head, I'll aim to do it when I get back from work tomorrow.
#4 - Ned Slider (Moderator) - 01-15-2008, 07:52 PM
Re: Virtumonde?? Advice much appreciated

You're welcome - let us know how you get on
#5 - Ned Slider (Moderator) - 01-15-2008, 09:08 PM
Re: Virtumonde?? Advice much appreciated

Oh, one more thing: before running HiJackThis.exe again, can you please copy the executable to the desktop and rename it to anything else (such as foo.exe) before running it. Some Vundo variants are known to detect and hide from HiJackThis, and most likely do this by detecting that it's running from its name; moving and renaming it before running may show otherwise hidden log entries.
#6 - Ruzzock (Registered User) - 01-16-2008, 03:15 PM
Re: Virtumonde?? Advice much appreciated

Afraid this wasn't wholly straightforward!

[1] Virus Total: no sign of Windows/System32/jkkjk.exe - but did find jkkjk.dll and uploaded this.

The report was as follows:

File jkkjk.dll received on 01.16.2008 18:24:10 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.11 2008.01.16 -
AntiVir 7.6.0.48 2008.01.16 -
Authentium 4.93.8 2008.01.16 -
Avast 4.7.1098.0 2008.01.16 Win32:TratBHO
AVG 7.5.0.516 2008.01.16 -
BitDefender 7.2 2008.01.16 Trojan.Vundo.DVD
CAT-QuickHeal 9.00 2008.01.16 -
ClamAV 0.91.2 2008.01.16 -
DrWeb 4.44.0.09170 2008.01.16 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5462 2008.01.16 -
Ewido 4.0 2008.01.16 -
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.15 W32/Virtumonde.G.gen!Eldorado
F-Secure 6.70.13260.0 2008.01.16 Vundo.AL
Ikarus T3.1.1.20 2008.01.16 -
Kaspersky 7.0.0.125 2008.01.16 -
McAfee 5209 2008.01.16 -
Microsoft 1.3109 2008.01.16 Trojan:Win32/Vundo.gen!A
NOD32v2 2798 2008.01.16 -
Norman 5.80.02 2008.01.16 Vundo.AL
Panda 9.0.0.4 2008.01.15 Spyware/Virtumonde
Prevx1 V2 2008.01.16 Trojan.Vundo
Rising 20.27.22.00 2008.01.16 -
Sophos 4.24.0 2008.01.16 W32/VirtInf-B
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.16 Trojan.Vundo
TheHacker 6.2.9.188 2008.01.16 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.16 Adware.Vundo.V.Gen
Webwasher-Gateway 6.6.2 2008.01.16 Win32.Malware.gen (suspicious)
Additional information
File size: 334336 bytes
MD5: a7c1d2b408f2db542d1eea52575a1695
SHA1: 37abab3c2cb49b3cd54169f656f5dba15fb1c4bd
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramte...D55800EC60B539


[2] HiJack This: you advised the fix for jkkjk.exe - this is done.

[3] Then run VundoFix - this was still the same problem as before. It seemed to run successfully, running through various files - then the small Vundo screen would show nothing, and neither the Scan for Vundo nor the Remove Vundo button was available. The cursor showed an egg timer. The whole system started running very slowly. Windows Task Mgr said VF was "not responding". The only way to get out was to re-boot the whole system. [Probably stupid query: could it be McAfee grinding away in the background that is in some way interfering? I'm obviously reluctant to turn it off - but I note that when VF runs it looks as if the same files are running through McAfee as it tries to scan the system?] So VundoFix didn't appear to work.

[4] Combofix: ran this but I wonder if I may have screwed it up - as soon as it started running - and at various points in the process a plethora of warnings from Spybot started appearing saying that something was trying to change Registry entries - particularly "Browser Helper Objects". I wasn't sure if this was spybot responding to combofix - or the virus responding to combofix. Initially I told it not to allow changes - until one window said something about combofix - and thereafter I told Spybot to allow the changes. A similar thing happened on re-boot.

I will put the Combofix log and the HiJack This log in a second post. I have looked at Windows/System32 and note that Jkkjk.dll is still in there and undeletable - but still no sign of jkkjk.exe.

Apologies if I am doing something dumb that has messed up (i) Vundofix or (ii) Combofix - let me know and I'll try to run them again. And please advise - should I isolate the PC from the internet and turn off McAfee (or even uninstall it for now) to see if that enables VundoFix to run?
#7 - Ruzzock (Registered User) - 01-16-2008, 03:19 PM
Re: Virtumonde?? Advice much appreciated

The file for Combofix is too long for one post - I have therefore split it - I hope this doesn't make it impossible to read ....

Combofix:
ComboFix 08-01-16.4 - Benet P 2008-01-16 18:14:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT 0:00]
Running from: C:\Documents and Settings\Benet P\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\Cyb2k .exe
C:\WINDOWS\Cyb2k .exe
C:\WINDOWS\system32\efcaabc.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\SYSTEM32\kjkkj.ini
C:\WINDOWS\SYSTEM32\kjkkj.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\wvusqrp.dll

C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> TeaTimer.exe
.
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
#8 - Ruzzock (Registered User) - 01-16-2008, 03:19 PM
Re: Virtumonde?? Advice much appreciated

Here is the second part of the Combofix log:

2008-01-16 18:24 . 2008-01-16 18:24 3,140,096 --a------ C:\WINDOWS\Cyb2k .exe
2008-01-16 18:24 . 2008-01-16 18:24 3,140,096 --a------ C:\WINDOWS\Cyb2k .exe
2008-01-16 18:24 . 2008-01-16 18:24 337,920 --a------ C:\WINDOWS\SYSTEM32\jkkjk.exe
2008-01-16 18:24 . 2008-01-16 18:24 334,336 --------- C:\WINDOWS\SYSTEM32\jkkjk.dll
2008-01-16 18:24 . 2008-01-16 18:27 391 --ahs---- C:\WINDOWS\SYSTEM32\kjkkj.ini
2008-01-16 17:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 21:52 . 2008-01-15 21:52 <DIR> d-------- C:\VundoFix Backups
2008-01-15 21:50 . 2008-01-15 21:50 28 --a------ C:\WINDOWS\liccyval.dat
2008-01-15 20:40 . 2008-01-15 20:40 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-15 20:40 . 2008-01-15 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 20:39 . 2008-01-15 20:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-15 19:29 . 2008-01-15 20:34 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-14 23:51 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2008-01-14 23:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-01-14 22:37 . 2004-12-07 00:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-01-14 22:37 . 2004-12-07 00:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-14 22:37 . 2004-12-07 00:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-14 22:37 . 2004-12-07 00:47 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-14 21:26 . 2008-01-14 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 18:04 . 2008-01-13 18:04 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-13 17:56 . 2008-01-14 20:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
2008-01-13 17:56 . 2008-01-13 17:56 <DIR> d-------- C:\Temp\Ryuan1
2008-01-13 17:56 . 2008-01-13 17:56 <DIR> d-------- C:\Temp
2008-01-04 00:56 . 2008-01-10 18:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-04 00:56 . 2008-01-04 00:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-03 18:13 . 2008-01-03 18:13 287 --a------ C:\WINDOWS\game.ini
2007-12-27 16:46 . 2007-12-27 16:46 10,240 --a------ C:\Sasso Corvo.wps
2007-12-27 16:20 . 2007-12-27 16:20 210,164 --a------ C:\airfrance.pdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 19:58 --------- d-----w C:\Program Files\Dell Support
2008-01-14 23:56 --------- d-----w C:\Program Files\Google
2008-01-13 18:33 --------- d-----w C:\Documents and Settings\Benet P\Application Data\U3
2008-01-13 18:04 3,480,064 ----a-w C:\WINDOWS\Cyb2k.exe
2008-01-03 18:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-27 16:25 --------- d-----w C:\Documents and Settings\Benet P\Application Data\AdobeUM
2007-12-19 13:23 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-19 13:19 107,832 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2007-12-15 23:39 66,872 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2007-12-15 22:50 --------- d-----w C:\Program Files\EA GAMES
2007-12-02 11:09 --------- d-----w C:\Program Files\PowerPacket
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2006-10-06 22:22 1 -c--a-w C:\Documents and Settings\Benet P\SI.bin
2006-05-11 16:39 35,160 ----a-w C:\Documents and Settings\Benet P\Application Data\GDIPFONTCACHEV1.DAT
2003-06-20 03:05 49,776 ----a-w C:\WINDOWS\INF\usbhub20.sys
2003-06-20 03:05 24,752 ----a-w C:\WINDOWS\INF\hidclass.sys
2003-06-20 03:05 20,688 ----a-w C:\WINDOWS\INF\usbd.sys
2003-06-20 03:05 19,728 ----a-w C:\WINDOWS\INF\usbehci.sys
2003-06-20 03:05 138,288 ----a-w C:\WINDOWS\INF\usbport.sys
.
----a-w 3,140,096 2008-01-16 18:24:53 C:\WINDOWS\Cyb2k .exe
----a-w 3,140,096 2008-01-16 18:24:45 C:\WINDOWS\Cyb2k .exe
----a-w 15,360 2008-01-13 18:04:49 C:\WINDOWS\SYSTEM32\ctfmon .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AA3DD5B-A2C9-4A06-9493-D4F7BC8D7DD2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4576C73-52BD-4401-B966-5A128C4433D4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFC38657-0FD2-4C9B-935D-4FB1D569CE88}]
2008-01-16 18:24 334336 --------- C:\WINDOWS\system32\jkkjk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-16 18:24 1802240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"DiTask.exe"="C:\Program Files\Eicon\Diva\DiTask.exe" [ ]
"Divamon.exe"="C:\Program Files\Eicon\Diva\Divamon.exe" [ ]
"Eicon TechnologyLAN_DAEMON"="C:\Program Files\Eicon\Diva\watch.exe" [ ]
"CGServer"="C:\Program Files\Eicon\Diva\cgserver.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"C2K"="C:\WINDOWS\Cyb2k .exe" [2008-01-16 18:24 3140096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2004-12-07 00:45:27]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-06 17:22:54]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-26]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2006-01-16 16:55:15]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-26]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkkjk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys [2002-12-04 13:49]
R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2001-04-30 04:51]
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" [2001-04-30 04:51]
R2 DiCapi;Eicon CAPI 2.0 Driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi202k.sys [2001-06-12 13:27]
R2 DiPort;Eicon Port Driver;C:\WINDOWS\system32\DRIVERS\DISDN\diport40.sys [2002-10-16 14:32]
R3 DiWan;Eicon Driver for all Diva Client cards;C:\WINDOWS\system32\DRIVERS\DISDN\Diwan.sys [2002-10-03 15:35]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys [2004-10-15 10:41]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2004-10-14 18:24]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 oflpydin;oflpydin;C:\DOCUME~1\BENETP~1\LOCALS~1\Temp\oflpydin.sys []
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCMPR5.SYS []
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCNDIS5.SYS [2004-04-26 10:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e52c8c7-4b80-11d9-8a2b-806d6172696f}]
\Shell\AutoRun\command - D:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 18:26:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 18:29:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 18:29:40
.
2008-01-09 21:53:15 --- E O F ---
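The ComboFix and HijackThis output in this thread shows the persistence points the helpers are chasing: a win.ini load= entry, an unnamed Browser Helper Object in system32, an extra LSA Authentication Package, a .dll/.ini pair with mirrored names (jkkjk / kjkkj), and executables with a space before the extension that sit beside the real Cyb2k.exe and TeaTimer.exe. As an added example (not code from the thread or from any tool it uses), this Python triage script flags those patterns in HijackThis/ComboFix-style lines; the sample log is constructed to mirror the entries above, and the rule names and thresholds are assumptions of mine.

```python
import re

# Constructed sample in HijackThis / ComboFix style, built from the kinds of
# entries seen in this thread (it is not a copy of the thread's own logs).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FFC38657-0FD2-4C9B-935D-4FB1D569CE88} - C:\WINDOWS\system32\jkkjk.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k .exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\SYSTEM32\kjkkj.ini
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk
"""

# "Cyb2k .exe" style: a space right before the extension, so the file sits
# next to the legitimate Cyb2k.exe / TeaTimer.exe / ctfmon.exe in listings.
SPACE_BEFORE_EXT = re.compile(r"[^\\\s]+ \.(?:exe|dll|sys)\b", re.IGNORECASE)

# Bare file names ending in .dll or .ini, used for the mirrored-name check.
NAMED_FILE = re.compile(r"([A-Za-z0-9_]+)\.(dll|ini)\b", re.IGNORECASE)


def triage(log_text):
    """Return (rule, detail) findings for the Vundo-style indicators seen in
    this thread. Findings are hints for a human to review, not verdicts."""
    findings = []
    dll_stems, ini_stems = {}, {}

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # win.ini "load=" is a legacy autostart; a non-empty value is rare
        # on a clean XP box and is exactly the F3 line fixed in this thread.
        if line.startswith("F3 - REG:win.ini: load=") and line.split("load=", 1)[1].strip():
            findings.append(("win_ini_load", line))

        # A Browser Helper Object registered with no name at all.
        if line.startswith("O2 - BHO:") and "(no name)" in line:
            findings.append(("unnamed_bho", line))

        # Look-alike process/file names with a space before the extension.
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space_before_ext", line))

        # LSA Authentication Packages normally lists only msv1_0; anything
        # else is loaded into lsass.exe at boot and needs a close look.
        if line.startswith("Authentication Packages") and "REG_MULTI_SZ" in line:
            packages = line.split("REG_MULTI_SZ", 1)[1].split()
            if any(p.lower() != "msv1_0" for p in packages):
                findings.append(("lsa_auth_package", line))

        # Collect .dll / .ini stems for the mirrored-name check below.
        for match in NAMED_FILE.finditer(line):
            stem, ext = match.group(1).lower(), match.group(2).lower()
            (dll_stems if ext == "dll" else ini_stems).setdefault(stem, line)

    # Pairing seen in this thread: jkkjk.dll alongside kjkkj.ini, i.e. the
    # .ini stem is the .dll stem spelled backwards.
    for stem in dll_stems:
        mirrored = stem[::-1]
        if mirrored in ini_stems:
            findings.append(("reversed_name_pair", f"{stem}.dll pairs with {mirrored}.ini"))

    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:20} {detail}")
```

Every hit is a prompt to check the file (for instance on VirusTotal, as suggested earlier in the thread), since a legitimate driver package can also add an LSA package or use an unusual name.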
#9 - Ruzzock (Registered User) - 01-16-2008, 03:21 PM
Re: Virtumonde?? Advice much appreciated

And here - final post 4 of 4 [!] is the HiJack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:09:03, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\Cyb2k .exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Cyb2k .exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Documents and Settings\Benet P\Desktop\Foo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/advanced_search?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FFC38657-0FD2-4C9B-935D-4FB1D569CE88} - C:\WINDOWS\system32\jkkjk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k .exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7304 bytes


p.s. Did as you advised and renamed the programme.

Last edited by Ruzzock : 01-16-2008 at 03:25 PM.
 §   #10  
Old 01-16-2008, 03:26 PM
Ned Slider
Moderator
Moderator
 
Profile
Joined: Jul 2001
Location: UK
Age: 42
My System
Status: ( Offline )
Posts: 20,207
Re: Virtumonde?? Advice much appreciated

Thanks Ruzzock. Give me a moment to look over the logs...
 §   #11  
Old 01-16-2008, 03:44 PM
Ned Slider
Moderator
Moderator
 
Profile
Joined: Jul 2001
Location: UK
Age: 42
My System
Status: ( Offline )
Posts: 20,207
Re: Virtumonde?? Advice much appreciated

OK, I'm going to call in some assistance on this one as I'm not 100% sure what we're dealing with, so please bear with me.

In the meantime, maybe we could try running ComboFix again from safe mode. To boot the PC to safe mode, press the F8 key when the system is booting (after bios screen but before Windows starts to load), and select Safe Mode from the list. This will prevent anything but the bare minimum from loading and may help with running ComboFix and/or VundoFix.

Yes, I don't think it's a bad idea to temporarily disable or remove McAfee and SpyBot as these aren't helping or detecting it anyway (especially if you're able to disconnect from the net so the machine doesn't get further infected), and yes if you have another PC to work with then it is certainly advisable to disconnect the infected box from the net until we have it cleaned.

These entries still need fixing in HiJackThis but at this point I suspect they are simply reinstalling themselves each time you try and fix them:

Quote:
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: (no name) - {FFC38657-0FD2-4C9B-935D-4FB1D569CE88} - C:\WINDOWS\system32\jkkjk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
I am also a little concerned about C:\WINDOWS\Cyb2k .exe mainly because it has a space in its file name. Could you please upload and scan that file at virustotal as well. It may belong to a legitimate program called CyberSitter - is this something you have installed?

If you could tackle the above, I'll get us some more expert assistance.

Last edited by Ned Slider : 01-16-2008 at 03:53 PM.
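The entries Ned picks out above share a few traits worth checking for mechanically: a win.ini load= line pointing into system32, a nameless BHO whose DLL base name reversed is the .ini McAfee kept stopping on (jkkjk.dll vs kjkkj.ini, a known Vundo habit), a toolbar CLSID with no backing file, and a Run entry whose file name carries whitespace before the extension so it sits beside a legitimate file of almost the same name. The following is an added example written for this page, not part of the thread and not a HijackThis feature. The sample log is a handful of lines taken from the log posted above plus the F3 line quoted by the moderator; KNOWN_FILES is a constructed stand-in for a listing of system32, and the heuristics and their wording are my own.

```python
"""Triage a HijackThis log for Vundo/Virtumonde-style entries.

Added example for this page. Heuristics:
  F3  win.ini load= pointing into system32
  O2  nameless BHO whose reversed base name exists as an .ini
  O3  toolbar CLSID with "(no file)"
  O4  Run entry with whitespace before the .exe/.dll extension
"""
import re

# Constructed sample: lines taken from the HijackThis log on this page
# plus the F3 line the moderator quoted.
SAMPLE_LOG = """\
F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\jkkjk.exe
O2 - BHO: (no name) - {FFC38657-0FD2-4C9B-935D-4FB1D569CE88} - C:\\WINDOWS\\system32\\jkkjk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [C2K] C:\\WINDOWS\\Cyb2k .exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: McShield - Unknown owner - C:\\Program Files\\Common Files\\Network Associates\\McShield\\Mcshield.exe
"""

# Constructed stand-in for a directory listing of system32; on a real box
# this would come from os.listdir(). The .ini is the one McAfee kept
# returning to in the thread.
KNOWN_FILES = {"kjkkj.ini"}

# First unquoted drive-letter path ending in .exe or .dll on the line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)


def base_name(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def triage_line(line, known_files=KNOWN_FILES):
    """Return the list of reasons a log line looks suspicious (empty if none)."""
    reasons = []
    section = line.split(" - ", 1)[0].strip()          # F3, O2, O3, O4, ...
    m = PATH_RE.search(line)
    path = m.group(1) if m else None
    name = base_name(path) if path else None
    lowered = {f.lower() for f in known_files}

    if section == "F3" and "load=" in line and path and "\\system32\\" in path.lower():
        reasons.append("win.ini load= points into system32")
    if section == "O2" and "(no name)" in line and name:
        stem = name.rsplit(".", 1)[0]
        if (stem[::-1] + ".ini").lower() in lowered:
            reasons.append("nameless BHO whose reversed name exists as .ini (Vundo pattern)")
    if section == "O3" and "(no file)" in line:
        reasons.append("toolbar CLSID with no backing file")
    if section == "O4" and name and re.search(r"\s+\.(exe|dll)$", name, re.IGNORECASE):
        reasons.append("whitespace before extension (lookalike of a legitimate file)")
    return reasons


def triage(log_text, known_files=KNOWN_FILES):
    """Map each suspicious log line to the reasons it was flagged."""
    hits = {}
    for line in log_text.splitlines():
        reasons = triage_line(line, known_files)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it flags the F3, O2, O3 and C2K lines and leaves the Java, ctfmon and McShield entries alone. The whitespace check is the one to keep in mind when reading any autorun listing: a name like `Cyb2k .exe` is rendered almost identically to `Cyb2k.exe`, and a web page or forum post collapses the difference entirely.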
 §   #12  
Old 01-16-2008, 03:48 PM
Ruzzock
Registered User
 
Profile
Joined: Jan 2008
Status: ( Offline )
Posts: 22
Re: Virtumonde?? Advice much appreciated

will do - it'll probably take an hour before I'm back as the PC is now reeeaaally slow for everything.

Thanks again for looking at this..
 §   #13  
Old 01-16-2008, 03:59 PM
Ned Slider
Moderator
Moderator
 
Profile
Joined: Jul 2001
Location: UK
Age: 42
My System
Status: ( Offline )
Posts: 20,207
Re: Virtumonde?? Advice much appreciated

No problem - I'll check back later this evening
 §   #14  
Old 01-16-2008, 04:06 PM
Ruzzock
Registered User
 
Profile
Joined: Jan 2008
Status: ( Offline )
Posts: 22
Re: Virtumonde?? Advice much appreciated

Cyb2.exe - yes I do have Cybersitter installed but I have disabled it while trying to get this sorted out in case it interfered.

Looking in Windows there are three copies of Cyb2.exe. One which looks like Cyb2 [space(s)].exe has a familiar Cybersitter Eye logo next to it. Then below that there is what looks like the same file Cyb2 [space(s)].exe with just a default windows style log icon next to it. Then there is a final Cyb2.exe (no spaces) with the same default windows style log icon next to it.

Rather than putting all three through Virus Total, I have assumed that cyb2.exe (no spaces) is kosher - but I have done Virus Total for the other two (with spaces). VirusTotal is still grinding through the process but already it identifies one of these as W32/Virtumonde on a whole series of checks. Advice? Try to delete? Or do this through HiJack This fix?
 §   #15  
Old 01-16-2008, 04:08 PM
dvk01uk
Registered User
 
Profile
Joined: Jan 2008
Status: ( Offline )
Posts: 7
Re: Virtumonde?? Advice much appreciated

Open Notepad and copy and paste the text in the code box below into it:



Code:
RenV::
----a-w 3,140,096 2008-01-16 18:24:53 C:\WINDOWS\Cyb2k .exe
----a-w 3,140,096 2008-01-16 18:24:45 C:\WINDOWS\Cyb2k .exe
----a-w 15,360 2008-01-13 18:04:49 C:\WINDOWS\SYSTEM32\ctfmon .exe

Driver::
oflpydin

File::
C:\WINDOWS\SYSTEM32\jkkjk.exe
C:\WINDOWS\SYSTEM32\jkkjk.dll
C:\WINDOWS\SYSTEM32\kjkkj.ini
C:\WINDOWS\liccyval.dat

Folder::
C:\WINDOWS\SYSTEM32\edcA01
C:\Temp\Ryuan1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AA3DD5B-A2C9-4A06-9493-D4F7BC8D7DD2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4576C73-52BD-4401-B966-5A128C4433D4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFC38657-0FD2-4C9B-935D-4FB1D569CE88}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save the notepad file to your desktop and call it CFScript.txt


Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

You will still have problems and it is very possible you will need to reinstall a lot of programs to get this working properly again.
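The last stanza of the CFScript above is the one most worth understanding. The LSA "Authentication Packages" value is a REG_MULTI_SZ (the `hex(7):` prefix in .reg and CFScript syntax), and the Vundo family appends its DLL to it so that lsass.exe loads the DLL at boot, which is one reason the entries keep reinstalling themselves. The script writes the Windows default back, which decodes to the single string `msv1_0`. The code below is an added example written for this page, not part of the thread and not ComboFix's own code: it parses the Registry:: section of the script and decodes the multi-string value, and also shows a constructed example of what a tampered value would decode to (the thread does not show the infected value; the extra entry `jkkjk` there is my illustration, chosen to match the DLL named in the thread).

```python
"""Parse a ComboFix CFScript Registry:: section and decode hex(7) values.

Added example for this page (not ComboFix code). The section names
RenV::, Driver::, File::, Folder:: and Registry:: are the ones used in
the script above; only Registry:: is interpreted here.
"""
import re

# The Registry:: stanza from the thread, one entry per line (the
# "\~\" is ComboFix's own shorthand for the Internet Explorer key path).
CFSCRIPT = """\
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{FFC38657-0FD2-4C9B-935D-4FB1D569CE88}]
[HKEY_CURRENT_USER\\software\\microsoft\\windows nt\\currentversion\\windows]
"load"=-
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed illustration of a tampered value: the default package
# followed by an extra DLL name. Not taken from the thread.
TAMPERED = "hex(7):6d,73,76,31,5f,30,00,6a,6b,6b,6a,6b,00,00"

LSA_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa"
VALUE_RE = re.compile(r'"([^"]+)"=(.*)$')


def decode_multi_sz(value):
    """Turn 'hex(7):xx,xx,...' into the list of strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by an extra
    NUL; .reg/CFScript syntax spells the raw bytes out as hex pairs.
    """
    prefix = "hex(7):"
    if not value.startswith(prefix):
        raise ValueError("not a REG_MULTI_SZ literal: %r" % value)
    raw = bytes(int(h, 16) for h in value[len(prefix):].split(",") if h)
    # Drop the terminating NULs, then split on the separators.
    return [s.decode("latin-1") for s in raw.rstrip(b"\x00").split(b"\x00") if s]


def parse_registry_section(script):
    """Return {key: {value_name: data}} for the Registry:: section.

    data is None for a delete-value directive ("name"=-). A key whose
    name begins with '-' is a delete-key directive; it is recorded with
    an empty dict so the caller can see it was requested.
    """
    result = {}
    current = None
    in_section = False
    for line in script.splitlines():
        line = line.strip()
        if line.endswith("::"):               # start of a stanza
            in_section = line == "Registry::"
            continue
        if not in_section or not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            result[current][name] = None if data == "-" else data
    return result


def lsa_packages(script):
    """Decode the Authentication Packages value the script will write."""
    reg = parse_registry_section(script)
    return decode_multi_sz(reg[LSA_KEY]["Authentication Packages"])


def extra_packages(value, baseline=("msv1_0",)):
    """Entries beyond the Windows default msv1_0; anything here wants a look."""
    return [p for p in decode_multi_sz(value) if p.lower() not in baseline]


if __name__ == "__main__":
    print("script restores:", lsa_packages(CFSCRIPT))
    print("tampered value loads:", decode_multi_sz(TAMPERED))
    print("unexpected packages:", extra_packages(TAMPERED))
```

The same decoding applies to any exported REG_MULTI_SZ, so `extra_packages` can be pointed at a value pulled from a live registry export to confirm that only `msv1_0` remains after the fix. Note that a DLL listed here is loaded by lsass.exe itself, which is why deleting the file alone tends to leave the system in a worse state than removing the registry reference first.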
Powered by vBulletin
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© PC Perspective 2000 - Present