trojan horse in write protected file

Iceman

my security system has identified the gebyy.dll file to contain a trojan
horse. The system will not clean, quarantine or delete the file as it is
in the Windows\system32 directory and is write protected. How can I correct?

This is likely the Vundo trojan, which appeared last August. I suggest you
get HijackThis 1.99 (freeware) from:
http://www.spywareinfo.com/~merijn/downloads.html

Run it and then post the logfile it creates to:
http://forums.tomcoyote.org/index.php?showforum=27
 
Guest

my security system has identified the gebyy.dll file to contain a trojan
horse. The system will not clean, quarantine or delete the file as it is
in the Windows\system32 directory and is write protected. How can I correct?
 
David H. Lipman

From: "RMG" <[email protected]>

| my security system has identified the gebyy.dll file to contain a trojan
| horse. The system will not clean, quarantine or delete the file as it is
| in the Windows\system32 directory and is write protected. How can I correct?
| --
| RMG

That DLL is associated with Trojan Vundo

The following tool should remove it.

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

* * * Please report back your results * * *
 
Deebsat

Send me an email at (e-mail address removed) and I will send you a fix
tool that will remove that pest. Remove the XXX to make the email valid. Oh
BTW ignore the response you will get from David or Leythos he is a sick
obsessed stalker who cannot fix your problem. He would rather have you
suffer with this issue than to receive help from me.
 
Leythos

Send me an email at (e-mail address removed) and I will send you a fix
tool that will remove that pest. Remove the XXX to make the email valid. Oh
BTW ignore the response you will get from David or Leythos he is a sick
obsessed stalker who cannot fix your problem. He would rather have you
suffer with this issue than to receive help from me.

NNTP-Posting-Host: adsl-69-226-169-240.dsl.bkfd14.pacbell.net
69.226.169.240

Yea, Yea, Yea, anyone that offers to help you, but only through private
email should not be trusted - they are hiding something.

In the case of PCBUTTS1, he's hiding that he's stolen the code to fix a
large number of malware problems, that he doesn't have permission to
distribute the files he claims the vendors gave him explicit permission
to host.

Ask yourself why you would want to trust someone like the above
described PCBUTTS1 person, why he hides under different identities, why
he has never fixed anything with his own tools.

Oh, and ask yourself if you would trust files/help from someone that
works to discredit people that do help others without any thought of
financial gain or other personal gain (like butts getting paid for
generating traffic to his sites).
 
