
Desktop infected? themed32.dll missing

Open notepad and copy/paste the text in the codebox below into it:

@echo off
rem Requires a command-line zip tool (for example Info-ZIP zip.exe) on the
rem PATH or next to this batch file; zip is not built into Windows.
rem Each path is quoted because "Documents and Settings" contains spaces;
rem an unquoted path would be split by FOR into several separate tokens.
for %%g in (
"C:\Qoobox\Quarantine\C\Documents and Settings\David\FTWSK32.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\FTOSUB.EXE.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\FTOINST.EXE.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\FTWWRP32.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\IMAGING.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\INFOLINK.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\IMPLODE.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\PG30.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\PGCNTL32.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\TextEditor.dll.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\FTWSKC32.DLL.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\David\FTWTLBR.DLL.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\desktop\colrpikr.xls.vir"
) do zip Files_for_submission "%%~g"
rem Delete this batch file once the archive has been written.
del "%~f0"

Save this as grab.bat

Choose to "Save type as - All Files"

Save it on your desktop.

It should show the batch-file icon [bat_icon.gif].

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> http://www.bleepingcomputer.com/submit-mal....php?channel=70

OK, I think I did that correctly, but the website returned "Improper usage". Do I need to create an account/log in in order to upload files?

Second try got "Your file was successfully submitted. Please let the user helping you know that you have submitted the file. "

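The collect-and-submit step above, as an added example that is not part of the thread (and not BleepingComputer's or ComboFix's code): a Python script that zips the quarantined .vir files, records a SHA-256 for each so the helper can look them up before running anything, reports any requested path that is not present, and checks that the archive actually contains the expected entries before it is uploaded. The cmd_for_tokens helper shows why paths under "Documents and Settings" need quoting in a batch FOR loop: unquoted, cmd splits each of them into three tokens, so the zip tool never sees the real file name. The Qoobox quarantine layout and the stand-in files built in demo() are constructed for this example; nothing is read from a real machine, and all function names are the example's own.

```python
"""Added example (not from the thread): collect ComboFix quarantine samples,
record their SHA-256, zip them, and check the archive before uploading.

Assumptions: the .vir files sit under a Qoobox\\Quarantine tree as in the
thread; the files created in demo() are constructed stand-ins so this runs
offline on any OS. Function and variable names are the example's own.
"""
import hashlib
import os
import tempfile
import zipfile

# cmd.exe's plain FOR splits an unquoted set on these characters.
CMD_FOR_DELIMS = " \t,;="


def cmd_for_tokens(for_set):
    """Mimic how `for %%g in (...)` tokenizes its set: split on the default
    delimiters, but keep a double-quoted string together as one token."""
    tokens, cur, quoted = [], "", False
    for ch in for_set:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch in CMD_FOR_DELIMS and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def sha256_of(path):
    """Stream the file so large quarantined binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(paths, archive_path):
    """Zip every path that exists into archive_path.

    Returns (added, missing). `added` holds (path, sha256, arcname) tuples;
    the arcname keeps the original file name but gets a hash prefix so two
    quarantined files with the same name cannot collide inside the zip.
    """
    added, missing = [], []
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if not os.path.isfile(p):
                missing.append(p)
                continue
            digest = sha256_of(p)
            arcname = f"{digest[:12]}_{os.path.basename(p)}"
            zf.write(p, arcname)
            added.append((p, digest, arcname))
    return added, missing


def verify_archive(archive_path, expected_arcnames):
    """True only if the zip opens, every member passes its CRC check, and
    each expected entry is present. Run this before uploading."""
    with zipfile.ZipFile(archive_path) as zf:
        if zf.testzip() is not None:
            return False
        names = set(zf.namelist())
    return all(name in names for name in expected_arcnames)


def demo(root=None):
    """Create constructed stand-ins for a few of the thread's quarantine
    files (one deliberately absent), then collect and verify them."""
    root = root or tempfile.mkdtemp(prefix="qoobox_")
    user_dir = os.path.join(root, "Quarantine", "C",
                            "Documents and Settings", "David")
    os.makedirs(user_dir, exist_ok=True)
    present = ["FTWWRP32.DLL.vir", "FTWSK32.DLL.vir"]
    for name in present:
        with open(os.path.join(user_dir, name), "wb") as f:
            f.write(b"MZ constructed stand-in for " + name.encode())
    wanted = [os.path.join(user_dir, n) for n in present + ["PG30.DLL.vir"]]
    archive = os.path.join(root, "Files_for_submission.zip")
    added, missing = collect_samples(wanted, archive)
    ok = verify_archive(archive, [arcname for _, _, arcname in added])
    return {"added": added, "missing": missing, "archive_ok": ok,
            "archive": archive}


if __name__ == "__main__":
    result = demo()
    for path, digest, arcname in result["added"]:
        print(f"{digest}  {arcname}")
    for path in result["missing"]:
        print(f"MISSING: {path}")
    print("archive verified:", result["archive_ok"])
```

Running the script prints one hash line per collected file, a MISSING line for the stand-in that was never created, and whether the archive passed verification. The missing list and the archive check are the two things a helper wants to know before asking for a re-upload: whether the paths were wrong, or whether the archive was built but empty.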

The below is adware from China. Did you install it on your own?

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GMX_GMX File Storage Manager"="c:\program files\GMX\GMX File Storage Manager\DAVSRV.EXE" [2008-07-29 942080]

http://www.threatexpert.com/report.aspx?md...ac86af288ecb7cf

GMX is my online email service. As such, it starts to run at startup and checks for updates, and then the file storage manager maintains my online storage space as a virtual drive. It is possible that this has provided a breach in the Windows firewall and AVG's Resident Shield, but, to answer your question, I have never intentionally loaded adware originating from China.


Please delete grab.bat from your desktop.

I need you to follow the instructions for the batch again because the files weren't uploaded. Thanks

O.K. I followed the instructions again and got "Your file was successfully submitted. Please let the user helping you know that you have submitted the file. " again from the site.


Can you tell me if this file is present?

C:\Qoobox\Quarantine\C\Documents and Settings\David\FTWWRP32.DLL.vir

You might be better off to re-install any programs that are not working. That would be my recommendation. It's weird that those files aren't being uploaded though.


Yes, it's there. Shall I submit just this one for inspection?


Yes, it's there. I'll submit just this one for inspection. If combofix gave a false positive on themed32.dll, how likely is it that this is a false positive? If it's clean, won't renaming it make it available to Windows again?

I can't reinstall my genealogy program. It came on a disc from a public library, years ago, and is almost a historical artifact. If I could access it, I would create a GEDCOM file to migrate the data across to something a bit more modern.

I don't understand why the files are not uploaded. The instructions are pretty idiot-proof and I'm fairly sure that I carried them out correctly. ;) After submitting FTWWRP32.DLL.vir, shall I try submitting each of the others, one at a time?


Hello sjpritch25,

I thought that you had gone for good. I think that I have solved my problem. I took a risk that these files were not infected, despite the fact that combofix had quarantined them, and moved them back into place. Once they were renamed, and Windows could see them, my programs seem to run fine. AVG reports no infections.

Thank you for your help.


3 weeks later... (Staff)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

