Jon Posted December 29, 2005
To the people saying they had this occur months ago, please realise that an exploit is just an entry point for malware. The malware itself may well have existed for a long time, making use of other vulnerabilities.
Chosen One Posted December 29, 2005
Hmm, might explain why I for no reason got a bunch of virus stuff or malware; my mom and sister's comp has it too.
Banzai Posted December 29, 2005
Wow, this looks like fun. I'm going to run this baby in VMware and have some fun with it, when I get round to it would anyone find it useful if I wrote up some really basic removal instructions?
+John Teacake MVC Posted December 29, 2005
All the icons on my desktop have a dark blue background round them. Does this mean I'm infected?
goheels681 Posted December 29, 2005
Mine do too, but I'm not infected. Did you run regsvr32 /u shimgvw.dll too? I think that might be it.
tomcat68 Posted December 29, 2005
Yeah, I got this b!tch yesterday. It fricken sucks... also... it disables your task manager so you can't run it. Tried logging into safe mode as admin. I couldn't log in as I think it changed my password, and yes.. I did type it correctly. It's a nasty one!! And that video doesn't say enough. When you get it, you WILL know about it. I tried cleaning with MS AntiSpyware, for some reason it kept shutting down!?!?! Also, I was unable to shut down my PC unless I held my power button for 5 seconds. Needless to say, I formatted and started over as I had a Battlefield 2 match to attend to last night. I would have liked to see more of what it did. Also, I was not running any antivirus and I got it from IE. Typically, all my machines have AV and I run Firefox, but this was my gaming computer, so I tend not to load misc stuff... As you can guess... that will be changing.
Tomcat
Daylene Posted December 29, 2005
Is it just me, or are all the sites that carry the exploit down? I've tried accessing the links that F-secure posted here: http://www.f-secure.com/weblog/ but they seem all down.
canadian397 Posted December 29, 2005
Hey Guys, Is there any way you could just block it in Tools>Folder Options>File Types? Like here's a screenshot: Only thing is, what program should I register .WMF to? Help?
- Barret
goheels681 Posted December 29, 2005
Nope, evidently that does nothing. I'm still wondering about why my icons' backgrounds turned blue on my desktop... I'm not infected, so I don't know what it could be.
Ap0x Posted December 29, 2005
w00t... a friend of mine had this virus.. God, it's really a pain in the as*. It disables task manager, deleting suspect .exe files doesn't work, tried to disable spy sheriff in msconfig and STILL booted somehow...... well, a quick format solved the case.. :crazy: Hope it doesn't get to Neowin images... lol :shiftyninja: and hopefully MS will work fast to patch this..
Mr. Dick C. Normous Posted December 29, 2005
> Hey Guys, Is there any way you could just block it in Tools>Folder Options>File Types? Like here's a screenshot: Only thing is, what program should I register .WMF to? Help? - Barret
Deleting the association will not protect you. Changing it doesn't work completely either. It was one of the first things I tried. For some reason even without the association the file still runs and will recreate the association. That's actually what I meant in my last post where I said "deleting the extension". Sorry for miswording that. It was late and I was getting tired. It would be great if a mod could change the first line of post #47 to read "file association" instead of "file extension".
@ Sawyer12 & Psgamer0921: Unregistering shimgvw.dll did not cause that problem on my system.
Edited December 29, 2005 by Mr. Dick C. Normous
canadian397 Posted December 29, 2005
Okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer 'cause I always use it.
TimRogers Posted December 29, 2005
I'm making a virtual PC to test this virus out :)
tomcat68 Posted December 29, 2005
Anyone have a working link... PM me if need be... I want to play with it again... I can't seem to find it.
Tomcat
Mr. Dick C. Normous Posted December 29, 2005
> okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.
For now this is the only known effective way. I don't really like it either. It took me more than a year to switch from viewing my images in IE lol. If you're careful and use a firewall you should be okay. Just don't allow internet access to anything you are not familiar with. DO NOT RELY ON WINDOWS FIREWALL!!! It will not protect you from this.
+Troll Subscriber¹ Posted December 29, 2005
Fixed a computer with this over Christmas... They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!! I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed. Hopefully nobody will pay to get this off of their machine :)
madnuke Posted December 29, 2005
Had the first one in today, God knows what's going to happen seeing as it's New Year. :no:
tomcat68 Posted December 29, 2005
> Fixed a computer with this over Christmas... They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!! I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed. Hopefully nobody will pay to get this off of their machine :)
How is this free?? Don't you have to pay for NOD32 and SpySweeper? Also, I doubt everything is removed. I bet the Task Manager is still disabled, among other things.
Tomcat
goheels681 Posted December 29, 2005
Well, somehow the blue text went away for me. The only thing I can think of that I did, after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it.
Mr. Dick C. Normous Posted December 29, 2005
Here is a registry file that will re-enable the task manager. The change should be immediate and not require a reboot.
enabletaskmanager.zip
Banzai Posted December 29, 2005
How to clean a computer infected by the WMF exploit
Right. By now you should know if you're infected; you'll know because you'll have a cross down by your clock telling you that you have been infected by spyware, plus your wallpaper will be changed to tell you so. OK, so what to do:
1) Click: Run, and type msconfig then hit enter. Under the startup tab
   - you should find a few entries for winlogon.exe located in the folder inet20099, uncheck all of them.
   - You will see an entry for efsdfgxg.exe located in c:/windows/system32/, uncheck this.
   - There should be an entry for cmd.exe something, ensure this entry is unchecked.
   - There will also be an entry for wininstall.exe located in c:/, uncheck this.
2) For this I used a BartPE CD, but you should be able to use safe mode, but some have said that you can't enter safe mode if infected. Anyway, boot into safe mode by rebooting your system and keep pressing F8 on most systems until you get the prompt where you can choose to enter safe mode. In safe mode remove the following files/folders:
   - Remove folder c:\inet20099
   - Remove file c:\windows\system32\efsdfgxg.exe
   - Remove file c:\wininstall.exe
   Reboot!
3) You will find your system isn't totally fixed. The virus is uninstalled, but aspects like not being able to use Task Manager still persist. Unless you want to spend hours trying to fix this, I suggest creating a new Windows profile and using that instead, because there's so many little things the thing does to your system.
If you need any more help, PM me. However, one last thing: people are blowing this out of proportion. Unless you use dodgy sites anyway, like illegal downloads and software cracks, you should be OK. This thing has the potential to be dangerous, but unless you go looking for this thing at the moment you won't get it.
Also, my advice is to do as Microsoft have said and run regsvr32 -u %windir%\system32\shimgvw.dll. It will save you a lot of hassle, for the sake of using this workaround until MS patch this problem. And they will patch it soon. Hope this helps.
tkyoshi Posted December 29, 2005
According to Microsoft, apparently enabling full DEP/EVP will prevent this from executing as well. Do this if your computer has hardware DEP (Athlon 64/Sempron, Pentium 4 5XXJ/6XX series). The default is essential services only as not all computers have hardware DEP/EVP built in.
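A read-only check for the leftovers named in Banzai's write-up and for the DEP setting tkyoshi describes, as an added example that is not part of the thread. The DisableTaskMgr policy value is an assumption about how Task Manager was locked (the thread does not name a registry key), and Get-CimInstance needs PowerShell 3 or later.

```powershell
# Added triage sketch: every check is read-only, nothing is deleted or changed.
# File and folder indicators are the ones listed in the removal steps above.
$indicators = @(
    'C:\inet20099',
    'C:\Windows\System32\efsdfgxg.exe',
    'C:\wininstall.exe'
)

function Get-WmfTriage {
    param([string[]]$Paths = $indicators)

    # 1. Which of the named files/folders are still on disk
    $found = @($Paths | Where-Object { Test-Path -LiteralPath $_ })

    # 2. Task Manager lockout. Assumption: the standard DisableTaskMgr
    #    policy value is what was set; check per-user and machine-wide.
    $policyKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $taskMgrDisabled = $false
    foreach ($key in $policyKeys) {
        $p = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($p -and $p.DisableTaskMgr -eq 1) { $taskMgrDisabled = $true }
    }

    # 3. DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (essential
    #    Windows programs and services only, the default), 3 = OptOut.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = $os.DataExecutionPrevention_SupportPolicy

    [pscustomobject]@{
        IndicatorsFound  = $found
        TaskMgrDisabled  = $taskMgrDisabled
        HardwareDep      = $os.DataExecutionPrevention_Available
        DepPolicy        = $dep
        DepCoversAllApps = ($dep -in @(1, 3))   # "full" DEP in the post's terms
    }
}

Get-WmfTriage | Format-List
```

An empty IndicatorsFound only means these three paths are absent; it says nothing about other variants.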
DrIndianaJones Posted December 29, 2005
I stumbled across this nasty little bugger last night, hidden in an ad I assume. DEP indeed does prevent the virus/malware from running.
DarkSim905 Posted December 29, 2005
With this exploit, along with some spyware yields this: http://jacksonfools.com/aim_tmp/WindowsSucks.jpg Took me a while to remove it. This one in particular, in addition to removing ability to use Taskman, disables your desktop properties so you cannot change the background. Quite interesting, but I'm not into testing how viruses / spyware / adware works. But if there are people there, I wouldn't mind learning a thing or two. Relatively easy to remove (at least the spyware / infection in question). But is there a way to tell if any immediate damage has been done to my system?
madnuke Posted December 29, 2005
I'm advising reinstalls all round! It's going to be the only way, God knows how many variants out, and I was also wondering if DEP works?