

trojan horse small.fht


  • This topic is locked
46 replies to this topic

#31 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 22 June 2015 - 05:34 AM

It started today: at startup my computer froze and was beeping continuously until the startup wizard came, and finally, after it finished, I think it did a system restore, because I see the old icon on my desktop.

 

I hope I am making sense. I mean I will try to find a way to put boot.ini in Notepad.




 


#32 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 22 June 2015 - 05:54 AM

Log Name:      Application
Source:        VSS
Date:          6/22/2015 5:58:50 AM
Event ID:      12348
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      sam-PC
Description:
Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{045d77f5-5669-11e0-b883-88ae1da27aad}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly.  Check security on the volume, and try the operation again.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="VSS" />
    <EventID Qualifiers="0">12348</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T09:58:50.000000000Z" />
    <EventRecordID>219223</EventRecordID>
    <Channel>Application</Channel>
    <Computer>sam-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\\?\Volume{045d77f5-5669-11e0-b883-88ae1da27aad}\</Data>
    <Data>

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider</Data>
    <Binary>2D20436F64653A2053505250524F564330303030323333312D2043616C6C3A2053505250524F564330303030323237332D205049443A202030303030333730302D205449443A202030303030323631362D20434D443A2020433A5C57696E646F77735C53797374656D33325C737663686F73742E657865202D6B2073777072762D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820</Binary>
  </EventData>
</Event>



Log Name:      Application
Source:        CVHSVC
Date:          6/22/2015 5:57:53 AM
Event ID:      100
Task Category: Client Virtualization Handler
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      sam-PC
Description:
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="CVHSVC" />
    <EventID Qualifiers="16384">100</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T09:57:53.000000000Z" />
    <EventRecordID>219222</EventRecordID>
    <Channel>Application</Channel>
    <Computer>sam-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.</Data>
  </EventData>
</Event>



Log Name:      Application
Source:        CVHSVC
Date:          6/22/2015 5:57:53 AM
Event ID:      100
Task Category: Client Virtualization Handler
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      sam-PC
Description:
Information only. CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="CVHSVC" />
    <EventID Qualifiers="16384">100</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T09:57:53.000000000Z" />
    <EventRecordID>219221</EventRecordID>
    <Channel>Application</Channel>
    <Computer>sam-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        CVHSVC
Date:          6/22/2015 5:57:53 AM
Event ID:      100
Task Category: Client Virtualization Handler
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      sam-PC
Description:
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="CVHSVC" />
    <EventID Qualifiers="16384">100</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T09:57:53.000000000Z" />
    <EventRecordID>219220</EventRecordID>
    <Channel>Application</Channel>
    <Computer>sam-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.</Data>
  </EventData>
</Event>  
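The VSS record above (Event ID 12348, "VSS was denied access to the root of volume") is the one entry in this paste worth a second look, since a volume root that denies administrators breaks shadow copies and therefore System Restore. The following is an added example, not code from the thread or from any of the tools it mentions: it parses a record in the Event XML form posted above, decodes the hex-encoded <Binary> field, and flags the VSS access-denied warning. The sample record is the posted VSS event with its second, multi-line <Data> element shortened to one line; the assumption that the <Binary> payload is plain ASCII "- Key: value" text holds for the value posted here and is not claimed for other providers.

```python
"""Parse a Windows Event XML record, decode its <Binary> field, and flag
VSS event 12348 (access to the volume root denied). Added example; the
sample record is the VSS warning posted in this thread."""
import xml.etree.ElementTree as ET

# Default namespace declared on <Event> in the posted records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows event Level values (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose).
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Sample input: the VSS record from the thread (second <Data> shortened to one line).
VSS_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="VSS" />
    <EventID Qualifiers="0">12348</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T09:58:50.000000000Z" />
    <EventRecordID>219223</EventRecordID>
    <Channel>Application</Channel>
    <Computer>sam-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\\?\Volume{045d77f5-5669-11e0-b883-88ae1da27aad}\</Data>
    <Data>Operation: Removing auto-release shadow copies</Data>
    <Binary>2D20436F64653A2053505250524F564330303030323333312D2043616C6C3A2053505250524F564330303030323237332D205049443A202030303030333730302D205449443A202030303030323631362D20434D443A2020433A5C57696E646F77735C53797374656D33325C737663686F73742E657865202D6B2073777072762D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820</Binary>
  </EventData>
</Event>"""


def decode_binary(hex_text):
    """<Binary> is hex; for this VSS record it decodes to ASCII text.
    Undecodable bytes are replaced rather than raising (assumption: we only
    want a readable rendering, not a byte-exact one)."""
    raw = bytes.fromhex("".join(hex_text.split()))
    return raw.decode("ascii", errors="replace").rstrip("\x00 ")


def binary_fields(text):
    """Split '- Code: X- Call: Y- PID:  123...' into a {key: value} dict.
    Segments start with '- '; the first ': ' separates key from value, so
    a value such as 'Name: NT AUTHORITY\\SYSTEM, SID:S-1-5-18' stays whole."""
    fields = {}
    for segment in text.split("- "):
        if ": " in segment:
            key, value = segment.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_event(xml_text):
    """Return the fields of one Event XML record as a plain dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    binary_hex = root.findtext("e:EventData/e:Binary", default="", namespaces=NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "data": [d.text or "" for d in root.findall("e:EventData/e:Data", NS)],
        "binary": binary_fields(decode_binary(binary_hex)) if binary_hex else {},
    }


def is_vss_root_access_denied(event):
    """VSS event 12348: the service was denied access to a volume root.
    Shadow copies (and so System Restore) cannot work while this persists."""
    return event["provider"] == "VSS" and event["event_id"] == 12348


def summarize(event):
    """One-line rendering suitable for a triage note."""
    level = LEVEL_NAMES.get(event["level"], str(event["level"]))
    line = "%s %s %s/%d %s: %s" % (event["time"], event["computer"], event["provider"],
                                   event["event_id"], level, event["data"][0] if event["data"] else "")
    if is_vss_root_access_denied(event):
        line += "  [VSS denied access to volume root; check the volume's security]"
    cmd = event["binary"].get("CMD")
    if cmd:
        line += "  (reported by %s)" % cmd
    return line


if __name__ == "__main__":
    print(summarize(parse_event(VSS_EVENT_XML)))
```

Running the block prints the record as a single triage line; the decoded <Binary> field shows the warning was raised by the swprv service host running as NT AUTHORITY\SYSTEM, which is what you would expect for a VSS provider and is why the fix belongs on the volume's permissions rather than on the service.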



#33 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 22 June 2015 - 06:07 AM

After opening Notepad and selecting Open from the File menu, it says file not found.

Every time I press the space key my cursor keeps going backward; I guess the malware is back.



#34 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 22 June 2015 - 07:51 AM

After a lot of difficulty I managed to download the program using Chrome and run it in safe mode. I got the option to save the scan report but not the fix report; it just gave me the option to reboot.

 

I wished we had selected the task host option too, number #11 I think, as I had a problem with it earlier: every time I would shut down it would show me this program running.

 

I am using Firefox for our communication as I feel Chrome is hacked even though I had it reset.

 

Now the cursor going back automatically while typing is gone, hence I could type freely. Also the Windows menu at start to select Windows as the operating system is gone for now; it had surfaced after 4 days of the last resolve.

 

Please guide me on the boot.ini option as I cannot execute it as you had stated; it tells me file not found.

 

Please find the report below.

 

Tweaking.com - Windows Repair v3.2.2 - Pre-Scan
Computer: SAM-PC (Windows 7 Home Premium 6.1.7601 Service Pack 1) (64-bit)
Started at (6/22/2015 8:05:36 AM)
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Scanning Windows Packages Files.
Started at (6/22/2015 8:05:36 AM)

No problems were found with the Packages Files.

Files Checked & Verified: 8,713

Done (6/22/2015 8:09:27 AM)
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Scanning Reparse Points.
Started at (6/22/2015 8:09:27 AM)

No problems were found with the Reparse Points.

Files & Folders Searched: 237,670
Reparse Points Found: 47

Done (6/22/2015 8:17:00 AM)
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Checking Environment Variables.
Started at (6/22/2015 8:17:00 AM)

No problems were found with the Environment Variables.

Done (6/22/2015 8:17:00 AM)
--------------------------------------------------------------------------------

Done (6/22/2015 8:17:00 AM)
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Done (6/22/2015 8:17:00 AM)
Scan Complete - No Problems Found!



#35 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 PM

Posted 22 June 2015 - 08:17 AM

the boot menu is again giving me windows 7 to select from menu


I did not realize that there is no boot.ini file in Windows 7.

Read this.
http://windows.microsoft.com/en-ca/windows/what-happened-boot-ini-file#1TC=windows-7

The instructions on the page are not quite the same as on my Windows 7.

In item 3:
There is no Advanced tab; under Startup and Recovery, click Settings.

The default operating system should be Windows 7.

If you have something else, click the down arrow, select Windows 7 and click the OK button.
===

I am using Firefox for our communication as I feel Chrome is hacked even though I had it reset.


It's nice to have another browser.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
===

I wished we had selected the task host option too, number #11 I think, as I had a problem with it earlier: every time I would shut down it would show me this program running.


This item 09 - Repair HOSTS File will reset your HOSTS file.
This is not a program.

If you wish to reset your hosts file, follow the instructions on this page.
https://support.microsoft.com/en-us/kb/972034
Select the Windows 7 option and click the Fix it button.

===

Any remaining issues?

#36 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 22 June 2015 - 09:49 AM

Hello Nasdaq

 

Thanks for all; the laptop is running fine for now.

 

I am not getting the menu to select Windows 7 from the boot menu.

 

I don't understand why I was getting it today and not the last 4 days since you fixed my laptop, but I had this problem earlier; it had started on 11/June/2015.

 

This problem of selecting Windows 7 from the startup menu has come occasionally over the last 2 weeks.

 

I hope it is gone, as are all the malware, viruses and spyware.

 

I have already taken the step mentioned by you for Google on 20/June/2015. Right now it is running fine, but I still have low confidence in Chrome even though I use it for my personal use, as I love Chrome.

 

Microsoft Fix it does not work for some funny reason on the laptop, and since taskhost was step #9 and since we had executed it, I don't want to do anything new.

 

Thanks for all the help



#37 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 22 June 2015 - 12:19 PM

Hi Nasdaq

 

Again I got the boot menu and selected Windows 7 at startup. I never used to get this before; could this be because of the Windows X upgrade that I have selected?

 

Also I have a program in my system, Nymgo, which I cannot uninstall as I don't have system admin rights. I used to use it for international calls to India a few years ago, not anymore; it is VoIP. Can you suggest me a solution for this?

 

And finally, why are zoek.exe and reimagerepaire.com quarantined by Bitdefender?



#38 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 PM

Posted 22 June 2015 - 01:25 PM

Again I got the boot menu and selected Windows 7 at startup. I never used to get this before; could this be because of the Windows X upgrade that I have selected?


You are probably correct.

I do not subscribe to installing Windows 10 immediately.
I always wait a few months to make sure all the bugs have been fixed.
If you have registered to get it, you might consider restoring your system to a date prior to the date you registered.
Your call.

P.S.
Windows 10 will be available as an optional update in the future.

WINDOWS 10 UPDATE.
http://www.zdnet.com/article/get-windows-10-microsofts-hidden-roadmap-for-the-biggest-software-upgrade-in-history/

===

Also I have a program in my system, Nymgo, which I cannot uninstall as I don't have system admin rights. I used to use it for international calls to India a few years ago, not anymore; it is VoIP. Can you suggest me a solution for this?

Try this uninstaller. It's very good.
http://www.bleepingcomputer.com/download/revo-uninstaller/

---

And finally, why are zoek.exe and reimagerepaire.com quarantined by Bitdefender?

If all is well I would forget about it.

Bitdefender must place these in a quarantine folder.
Check the options.

Edited by nasdaq, 22 June 2015 - 01:25 PM.


#39 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 23 June 2015 - 03:04 AM

Hello Nasdaq

 

I agree with you that going for Windows X is a bad idea, especially so early.

 

Right now I cannot restore to the date I had selected, as it will bring all my problems and malware back too, so I will just have to live with it.

 

My cursor problem got solved by updating my driver for the Synaptics pointing device from Gateway updates.

 

Yes, Bitdefender had quarantined both of those programs.

 

Revo Uninstaller did find Nymgo in my system, but it shows up in the control task option.

 

My laptop is running fine now; thanks for all the help.

 

What exactly was the problem in the system? Can you give me more tips on it?



#40 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 PM

Posted 23 June 2015 - 08:14 AM

Let me check further on Nymgo.

Please run the Farbar Recovery Scan Tool. Enter nymgo in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Let's look also in the Registry.

Please run the Farbar Recovery Scan Tool. Enter nymgo in the Search Box.
Click the Search Registry button and post the content of the Search.txt
file in your next reply.

==

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#41 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 23 June 2015 - 12:32 PM

Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by sam at 2015-06-23 13:25:24
Running from C:\Users\sam\Desktop
Boot Mode: Normal

================== Search Files: "nymgo" =============

====== End of Search ======



#42 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 23 June 2015 - 12:35 PM

Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by sam at 2015-06-23 13:34:21
Running from C:\Users\sam\Desktop
Boot Mode: Normal

================== Search Registry: "nymgo/b]" ===========


====== End of Search ======



#43 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 PM

Posted 23 June 2015 - 01:00 PM

Nymgo is not causing any problems; let it go.

#44 samymaarten

samymaarten
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 24 June 2015 - 12:11 PM

Okay Nasdaq

 

Thanks for all the help

 

Have a Nice Day



#45 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 PM

Posted 25 June 2015 - 06:33 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===



