08 December 2008

Gameeeee.vbs Windows Script Host Error..........!

This is a new variant of an old Chinese malware family. Judging by the file names it uses, the group behind it looks like a team aimed at online gamers in China. What are they after? Capturing your logins, your financial information and any other sensitive information they can find.

Symptoms that your computer is infected

-> Pop-ups while browsing, such as Windows Script Host errors naming "gameeeee.vbs", "ags.vbs" or any other file with a .vbs extension.
-> Presence of "gameeeee.vbs" and "gameeeee.pif" in the "Temp" folder of your computer.
-> Presence of "Thunder.cmd" in the "Startup" folder of your computer.
-> Presence of "ihhh.html" in "Temporary Internet Files".
-> Browsing gets slow and the browser seems to hang; in the status bar you see it connecting to a particular site such as "u.cruze3.cn" no matter which page you asked for.

If you observe any of the above symptoms, your computer is very likely infected. Strictly speaking it is not a virus but spyware that tries to steal information from your computer. It can also spread itself across the network, so if you find an infected computer the first step is to disconnect it from the network; otherwise every system on the network will soon be infected as well.

Now let us start with the cleanup...

Step 1

Some of the malicious files may show up as folders rather than files.

=> The folders that were found are as follows:

C:\WINDOWS\System32\{iifgfgf.dll, vcmgcd32.dll and systems.txt}
C:\WINDOWS\{logo1_.exe, rundl132.dll, rundll16.exe and zts2.exe}

Note that rundl132.dll is spelled with the digit 1 so that it looks like the legitimate rundll32 at a glance. The above names belong to malicious files, but on the infected machine they were present as folders. Delete those folders.

C:\WINDOWS\System32\{spider.exe, winmine.exe and DSndUp.exe}
C:\WINDOWS\System32 or C:\WINDOWS\System32\drivers\{asyncmac.sys, beep.sys, aec.sys and WDF01000.SYS}
C:\WINDOWS\{Lic.xxx, R.COM and WMSysPr9.prx}

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\thunder.exe

Be careful with this second group. Several of these names are also shipped with Windows itself (spider.exe and winmine.exe are the Spider Solitaire and Minesweeper games, asyncmac.sys, beep.sys and aec.sys are standard Windows drivers, and WDF01000.sys is the Kernel-Mode Driver Framework runtime), and malware often borrows such names to hide. Before deleting any of them, check that the file is in the expected location, carries a valid Microsoft digital signature and has a plausible size and date; a legitimate copy should be left alone.

Apart from the above, also look for the following files, which were used by a previous variant of the same spyware:

- system.exe
- HBBO.dll, HBCHIBI.dll, HBQQFFO.dll, HBmhly.dll, HBZHUXIAN.dll, HBZG.dll, HBSO2.dll, HBQQSG.dll, HBSOUL.dll
- AcSpecf.sdb, AcXtrnel.sdb, AcSpecf.dll
- HBKernel32.sys, eth8023.sys

Delete all the files mentioned, and also empty the Temp and Temporary Internet Files folders.

You might not be able to delete some of the above files because they are in use; for those, use Unlocker.
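The file-name checks from Step 1 and the symptom list above, written up as a small Python sweep. This is an added example, not something from the original post: the indicator names are the ones listed on this page, the directory tree it is pointed at is yours to supply (a mounted image or a copied %SystemRoot%), and the sample tree it builds for the demonstration is constructed, not captured from an infected host. It separates the names that belong only to the spyware from the ones that collide with legitimate Windows components, so the latter come back flagged for verification rather than deletion.

```python
"""Sweep a Windows-style directory tree for the file names this post lists.

Added example, not part of the original post. Indicator names come from the
post; `root` is whatever you point it at (a mounted image, a copied
%SystemRoot%, or the constructed sample tree built below).
"""
import os
import tempfile

# File names the post associates only with the infection (matched case-insensitively).
MALICIOUS_NAMES = {
    "gameeeee.vbs", "gameeeee.pif", "ags.vbs", "thunder.cmd", "thunder.exe",
    "ihhh.html", "iifgfgf.dll", "vcmgcd32.dll", "systems.txt", "logo1_.exe",
    "rundl132.dll", "rundll16.exe", "zts2.exe", "dsndup.exe", "lic.xxx",
    "r.com", "system.exe", "hbbo.dll", "hbchibi.dll", "hbqqffo.dll",
    "hbmhly.dll", "hbzhuxian.dll", "hbzg.dll", "hbso2.dll", "hbqqsg.dll",
    "hbsoul.dll", "acspecf.sdb", "acxtrnel.sdb", "acspecf.dll",
    "hbkernel32.sys", "eth8023.sys",
}

# Names from the post's list that Windows itself also ships. A hit here means
# "check signature and location", not "delete".
LEGIT_COLLISIONS = {
    "spider.exe", "winmine.exe", "asyncmac.sys", "beep.sys", "aec.sys",
    "wdf01000.sys", "wmsyspr9.prx",
}

# Lookalike names: digit 1 in place of letter l, as in rundl132 vs rundll32.
LOOKALIKE_OF = {"rundl132.dll": "rundll32.dll"}


def classify(name):
    """Return 'malicious', 'verify', or None for one file or folder name."""
    lower = name.lower()
    if lower in MALICIOUS_NAMES:
        return "malicious"
    if lower in LEGIT_COLLISIONS:
        return "verify"
    return None


def scan(root):
    """Walk `root` and return a sorted list of (path, verdict) for every hit.

    Folders are checked as well as files, because the post notes that some
    of these names showed up as folders on the infected machine.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            verdict = classify(name)
            if verdict:
                lookalike = LOOKALIKE_OF.get(name.lower())
                if lookalike:
                    verdict += " (lookalike of %s)" % lookalike
                hits.append((os.path.join(dirpath, name), verdict))
    return sorted(hits)


def summarize(root):
    """Map each hit's lower-cased base name to its verdict, for quick review."""
    return {os.path.basename(p).lower(): v for p, v in scan(root)}


def build_sample_tree():
    """Constructed sample: a fake system drive with a few indicators planted.

    Fabricated test data for this example, not a capture from a real host.
    """
    root = tempfile.mkdtemp(prefix="gameeeee_demo_")
    layout = {
        "WINDOWS/System32": ["iifgfgf.dll", "kernel32.dll", "spider.exe"],
        "WINDOWS": ["rundl132.dll", "rundll32.dll", "explorer.exe"],
        "WINDOWS/Temp": ["gameeeee.vbs", "gameeeee.pif", "~tmp1.tmp"],
        "Documents and Settings/All Users/Start Menu/Programs/Startup": ["Thunder.cmd"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for n in names:
            open(os.path.join(d, n), "wb").close()
    # One indicator name present as a folder, as the post describes.
    os.makedirs(os.path.join(root, "WINDOWS", "logo1_.exe"), exist_ok=True)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, verdict in scan(sample):
        print("%-40s %s" % (verdict, os.path.relpath(path, sample)))
```

Legitimate Windows files that merely share a name (kernel32.dll, rundll32.dll) produce no hit, while the digit-for-letter lookalike is reported with the name it imitates; anything in the "verify" bucket should have its signature checked before it is touched.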

Step 2

After deleting the files, the next step is to block the URL you noticed in the status bar. For example, you type google.com in the address bar but see the browser connecting to u.cruze3.cn, or you try to go to yahoo.com and notice the same host; block that host on the proxy or in the firewall.

Step 3

Now run Norman Malware Cleaner. This will remove the remaining infected files from your computer.

Step 4

Now we have to repair Winsock, which the infection leaves in a damaged state. Open the registry editor and go to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

Delete both keys and restart the machine. After a manual deletion like this you may have to reinstall TCP/IP from the network connection properties before the machine can get back online. On Windows XP SP2 and later the same reset can be done from a command prompt with "netsh winsock reset" followed by a restart, which is less error-prone than editing the registry by hand.

Now you are free from this spyware. Enjoy your browsing.

I look forward to your feedback on this post.


