VNC removal from my PC?

Please download, run and attach these logs from the Read and Run First sticky:

GetRunKeys
ShowNew
HJT

 

READ & RUN ME FIRST. Malware Removal Guide

 

You may run the other scans ...but as you probably are not having malware issues ...just attach the three scans that I requested.

 

I need you to attach the logs from the
ShowNew scan
GetRunKeys scan
HiJackThis scan

HOW TO: Attach Items To Your Post

 

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach a new GetRunKeys log.

 

Next:

Click Start> Run> type in CMD tap enter. Type the following into command prompt:

sc stop winvnc

Hit 'enter' and type the following:

sc delete winvnc

At the command prompt: type exit.

Please run Notepad and paste the following text into a new file:

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".


Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Reboot and see if the WinVNC is gone....!

 

Open notepad and copy and paste the following text in the quote box into the window:

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Did you do the regedit?

 

Please rename HJT.exe to analyse.exe ....it is important to do this.

Open notepad and copy and paste the following text in the quote box into the window:

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.


Now:
Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking fix. exit HJT.

Attach a new log.

How is the VNC problem?

 

What I need you to do at this point is to run all of the procedures in the Read and Run First sticky!!

And then attach all of the logs!!
Counterspy
BitDefender
Panda
ShowNew
GetRunKeys
HJT ---> again, renamed!

You did not rename HJT:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
It chould be:
C:\Program Files\Trend Micro\HijackThis\Analyse.exe

Open notepad and copy and paste the following text in the quote box into the window:

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

 

READ & RUN ME FIRST. Malware Removal Guide

 

No problem ....attach the logs when ready ....it is becoming obvious that you have some other issues other than just the VNC one.

 

I suspect that this is the cause of most of your problems:

You need to get a illegitimate copy of XP.......

Now

1. Download this file - Combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run this Virtumonde aka Trojan Vundo Removal

* Double-click VundoFix.exe to run it.
* When VundoFix opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log in the thread you are working in.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions above, starting from "Click the
Scan for Vundo button" when VundoFix appears at reboot.

Now attach the below logs and tell me how the above steps went.

1. Combofix log
2. VundoFix log
3. new GetRunKey log
4. new ShowNew log
5. new HJT

Once you are stable ...you will need to do a repair install with a legal copy of the OS.

 

The activescan log found the virus/worm in the zip file and removed it.

You should uninstall all of your old Java:
J2SE Runtime Environment 5.0 Update 10"
J2SE Runtime Environment 5.0 Update 6"
J2SE Runtime Environment 5.0 Update 9

You still have this service:
O23 - Service: Systart (Winsys32) - Unknown owner - C:\WINDOWS\winstc.exe (file missing)

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
* On the page that opens, scroll down to Systart
* then right click the entry, select Properties and press Stop Service.
* When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
* Click OK until you get back to Windows.

* Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
* At the lower right, click on the Config button
* Then click the Misc tools button
* Select Delete an NT Service
* Copy/paste Winsys32 into the box that opens, and press OK
* If you receive any error messages just ignore them and continue.

Reboot.

I'm not seeing any other problems.

What issues are you still having and do they occur on each user account?

 

Start / run / services.msc ....look for the VNC service ...tell me if you find it ...also do a search for it.

No other scans are needed as I don't think malware is an issue ....though you may want to consider doing a repair install.

 

Did you do the registry fix in post #11?

Start / run / type "regedit" then scroll down to the key that is showing in the pop up ...delete it.

Wordy xp repair install:
http://www.informationweek.com/windows/showArticle.jhtml?articleID=189400897

 

You need to run counterspy and have it remove/quarantine all that it finds!! You should read it!! You have problems that should have been corrected before we began this.

Please do so and then attach a new counterspy log.

Also run the Bitdefender scan and the Panda scan!!
Attach those logs also!

 

How long have you had Counterspy installed? It is only a 15 day trial and may no longer be effective.

Download and run AVGAnti-spyware.

For Panda:
To start the online scan go here: Panda ActiveScan

1. When the page appears, click the Scan your PC button.
2. In the next window, click the Check Now button
3. You now need to enter some information before you can run a scan
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
4. Click the Scan Now button
5. If you get a prompt about an Active-X component, allow the component to be installed.
6. Now a download to your PC will begin. This is a required component for the scan. It contains detection information. (Note: It may take a while to download based on your connection speed.)
7. When the download has completed, click on Local Disks to start the scan
8. When the scan is finished close the popup window and then click See Report
9. Click Yes to the prompt, then click Save Report
10. The default report name is Activescan.txt. Just save it where you can find it so you can attach to your message when you begin a thread with a request for help.

For BitDefender:
Once Bitdefender completes the scan:

Click-on Click here to view the report

When the window comes up with the report. Click File, Save As.... and then change the Save as type to Text File (*.txt)

Change the file name to something short like bdscan1.txt

Then save it to your Desktop or anywhere else you can find it to upload here as an attachment.

Post the bdscan1.txt file as an ATTACHMENT.

 

You need to uninstall EMule! Then do a search for Emule and delete all associated files.
You also need to remove all of your IE toolbars!
Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach a new log from:
Avenger
HJT ---> RENAME THE .EXE to ANALYSE!

 

Are you running all of this from an Administrator account?

And you're still not getting it.

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe ...should be:
C:\Program Files\Trend Micro\HijackThis\Analyse.exe
you need to right click the HijackThis.exe and choose rename.

Attach new logs for:
ShowNew
GetRunkeys
HJT

 

I want to be sure that the fixes and logs are coming from an account that has full privileges, nothing ominous.

No, this is all volunteer.

Open the C:\ Program Files \ Trend Micro \ HijackThis folder and you will see the hijackthis.exe that is what you need to right click and choose rename. Not the log file.

Did you remove :
C:\Program Files\AskTBar?

 

Yes...run the scans and attach the logs ..I hope you didn't rename the folder ...it was the .exe file inside the folder that needed to be renamed.