someone else with Gff6.exe xD

hey guys

I read the other thread about Gff6.exe by vaidyaas, i could not reply so i had to make a new thread.

okay, this nasty virus hit my pc three days ago, only now I have kinda fixed it. but i think im still having a problem. here's how to keep it "dormant"

Its a cloaked malware that can modify, create and delete files, it kinda takes over your browser, you will see next to your url a red circle symbol. you cant do system restore, so disable it, it help it regenerate so better off than on in this case, i also could not enter in Safe mode...nasty nasty one this is, but iv got solutions to solve some of the problems, apparently it only appeared in june for the first time.

Thats how genericWin 32 pops up, it actually corrupted a file. to fix genericWin32 is actually a few commands in command prompt. win32 is an overall microsoft problem with networking, so it is not only caused by the maleware, just when one of the files gets corrupted

go to start then run
type cmd in the box
in command prompt type netsh, press enter
then type winsock,press enter
then type reset, press enter
Restart your pc. it should look like this:

c:\documents and setting\user name>netsh
netsh>winsock
netsh winsock>reset

you have successfully reset the winsock catalog

hope this helps
only problem is you might have to get a programme to check you LSP's are not damaged... try lspfix Its free, but PLEASE read the readme's. mine were fine so it should be alright

 

sorry to double post, but im using the infected Pc.
so my internet has a lifespan lol
you may need to run safe mode to get rid of gff6.exe

to do this go run, msconfig. Then go to the BOOT.INI tab and check the safeboot box in the bottom left, then apply. restart your PC, it will reboot in Safemode, but you will have to uncheck it when you want to reboot normally.

when you are in Safe mode, go to run then type regedit. In regedit just go ctrl+F or the edit tab then find type gff6.exe

It will be under hkey users then search assistant somewhere, but the find will take you strait to it. I deleted the folder with it in, then when it came back i was fed up so i deleted the whole AMcd folder underneath search assistant
and it has prevented the file from appearing in my registry at least... im still checking lol but after 2 reboots, so far so good

sorry guys one more thread and i will be done

 

The Last part im not too sure

Go to folder options and make hidden files viewable, also make operating system files viewable, you will get a warning message, but you need to because the actual exe file is hidden under an operating system log, just dont delete anything else.
then go under search and type gff6.exe scan through all files and folders and hidden ones, and the exe file will be in your temporary docs.

since my system restore is disabled i was too scared to run it, ecspecially with that gruesome warning message, but i believe it is actually installed on your PC, and you need to uninstall it, since i dont have a windows Cd i cant risk running it... or formatting.

has anyone got extra advice on this deadly threat? virus scans and maleware cleaners cant pick it up, they only pick up the file it creates or tries to modify.

thanks guys

By the way i got it through downloading dvd writing programmes, beware of anydvd and clonedvd2 downloads and cracks...

 

ok, I think I solved the problem. my pc is working properly and better

been on the net the whole day without any interuptions...so far
Iv enabled system restore, have not checked if it works yet, only want to reboot tomorrow.

I disabled my webclient, this seemed to solve alot of problems
The discription windows gives for a Webclient:

Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

Thats kinda exactly what the virus does, so i figured i will try and disable it. After i disabled it, gff6.exe stopped popping up. Depending on what you use your Webclient for, you might not need it at all, Generally it helps with risk protection and internet performance if you disable it. you can see what programmes are used by web client.

To disable webclient type the following in run

services.msc
Scroll down until you reach webclient
right click properties
By Startup type, click on the down arrow and select disable
click apply

you can view what files are used by webclient by selecting the Dependencies tab at the far right.

afterwards Gff6.exe was nowere to be found but i had a whole lot of other problems popping up now including generic host Win32 again. I run SP3 on WinXP and im not supposed to be getting this error, so it is probably files still getting corrupted

Another way to solve this problem other than winsock is to go into your registry

Run
Regedit
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
If you struggle ctrl+F and type ole
look at the right for EnableDCOM
and make sure data is on N

also find HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Browser > Parameters
look on the right for IsDomainMaster
and make sure the data is False
Reboot Your PC

After I rebooted I looked for an update for my windows
and found one at:
http://support.microsoft.com/kb/958644

It was tricky to navigate to the update i wanted, so here some guidelines:

click on the link underneath "skip the details'
in the top right box underneath Search Microsoft.com for:
type: 958644 click go
on the right underneath related downloads click on the second one labled:
"Security Update for Windows XP (KB958644)"
of course, this only works on windows XP

after I restarted I ran ccleaner, did a virus scan(im using AVG 9)
Enabled my system restore and made a restore point after awhile of freedom. I have been good for basically the whole day. I have not rebooted to see how long i can be on the net, and its been a good few hours...

gff6.exe is under my registry again, but its not duplicating or trying to modify my files, so i will leave it there for now, prehaps my system restore still wont work because of this.

it appears under the followingin the registry:

HKEY_USERS>S-1-5-21-796845957-1177238915-725345543-1003>software>microsoft>search Assistant>ACMru>5603

To correct a typo in th previous post, it was The ACMru folder i deleted, not AMcd.

Well my PC works, and im pleased to see it Works like I just formatted it!
its never been faster with its current ram.

Thanks guys for CCleaner, a programme i recommand for anyone, i feel it had a part to play in making my pc run smoother.:-D

I will post a summary tomorrow if the mods dont mind, and hope gff6.exe stays away till then.

 

Gff6.exe RESOLVED AND REMOVED!!!

Im pleased to announce that i successfully removed Gff6.exe. My PC ran the whole night, also completed a biggish download, watched some media on the net, and not one single problem.

Also pleased to state that system restore is running properly and works again

here is a quick summary, step by step method on how to remove Gff6.exe without virus scans and malware programs

1. Disable System Restore
#start>all programs>accessories>system tools>system restore

2. Make all hidden files viewable, all operating system files viewable,and show all known extensions

3. Reboot into safe mode(if you cant through restarting and pressing F8 refer back to post #2 in this thread)

4. Disable your Webclient(recommended if NOT being used by your system)
# run>services.msc>scroll down to webclient> right click properties>Select disable in startup type. you can refer to Post #4 for more elaborate details.
To see what services are used by webclient, click the Dependencies tab.


5. Search regedit for gff6.exe
#run>regedit>CTRL+ F> type gff6.exe
Delete all files in the folder:
HKEY_USERS>S-1-5-21-796845957-1177238915-725345543-1003>software>microsoft>search Assistant>ACMru>5603

6. Search system32 folders for gff6.exe

7. Search C:\Documents and Settings\user name\Local Settings\Temp
#manually delete all gff6.exe files, dont clean history in internet options
Search the history folder too.(they are hidden folders)

8.Reboot normally, for a saftey precaution do a virus scan, without connecting to the net yet other problems may have occured. !CRITICAL! dont be connected to the net at ALL.

9. Repeat step 5; 6 and 7 dont connect yet

10. look for a file in Local Settings\Temp labled:
#navcancl res://ieframe.dll/navcancl.htm, If it is there delete it.

11. Connect to the internet and update your security with the following link:
http://support.microsoft.com/kb/958644

Then follow these instructions:

Click on the link underneath "skip the details'
In the top right box underneath Search Microsoft.com for:
Type: 958644 click go
On the right underneath related downloads click on the second one labled:
"Security Update for Windows XP (KB958644)"
Note this is only for xp users.
Save the file if your using a diffrent PC and transfer it to yours by any means
the file is small and takes quick(600kb) so try navigate at your fastest if using the infected PC.

12. If genericWin32 is appearing(without gff6.exe like with mine) refer to post #1 and #4 in this thread. of course on a diffrent pc this wont happen.

13.Install the update and reboot(Im using SP3 and not sure if this works on 2)

14. Repeat step 5, and search for any gff6.exe in your folders. delete them

15. After awhile if your connected to the net without hassle enable your system restore. make a restore point.

At this point I stopped having trouble. If issues still proceeds after these steps, it is probably another problem on your computer. i suggest you run ccleaner with your virus scan in step 8, but then repeat the steps thereof.

This morning when my internet was still running, I made another restore point
then rebooted, then I did system restore and it worked!:major

I really hope this helps others if they come across the same problem, also step 12 helps with all problems revolving around WIN32 generic host problem
and step 4 makes your internet safer and perform better if you are not using the webclient.

 

hi kestrel

nope, you are the first mod to respond, i resolved the issue and posted a step by step summary, changed the tiltle to gff6.exe RESOLVED and REMOVED!!! i think it needs approval first before it appears

i see you dont approve, thats why i want expert advice for other users.
luckily I know what im doing and unfortunatly you have to go through these procedures to remove gff6.exe. reread the post by vaidyaas, your methods did not work and he had to format

 

Saftey precautions

Thanks to TIMW once again for making this thread enabled

PLEASE READ BEFORE PROCCEDING with the step by step summary

Attempting to follow these steps without reading may cause damage or be harmful to your operating System. only proceed with these steps if you have done the following:

#1. Have run through the forum read and run me.
#2. Have been helped already by an MAJORGEEKS.com moderator or administrator and is your last resort
#3. Have backed up your system
#4. ONLY if you are running a Windows XP operating system with service pack 3