i have look2me topconverting on my comp [RESOLVED]


  • This topic is locked

#1 Cherie01 (Member, 73 posts)
Hiya all,
Well, my niece sent me a file through MSN, or should I say her computer sent me a file, and like an idiot I opened it, and that's where the story begins. I've got many things on my computer and can't get rid of them. I've done a full system restore on my computer and have downloaded the following: AVG, AntiVir PE Classic, Ad-Aware SE Personal, Spybot S&D, CCleaner, HijackThis, BFU, KillBox, ComboFix and SmitRem, but have had no luck getting all the crap off my computer. Below is a log from HijackThis; I'm not too sure if this will help, but I've read a few other topics and I think that's what people post. :blink:

Logfile of HijackThis v1.99.1
Scan saved at 19:19:00, on 13/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98AC03D-F460-48BC-853E-927A79F6F32D}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\q668lgju16o8.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)

& BELOW IS MY AVG REPORT

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:33:27 13/10/2006

+ Scan result:



C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4XAJO9S3\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fp8q03l5e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvjs0917e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1132] C:\WINDOWS\system32\wehip6.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1620] C:\WINDOWS\system32\wehip6.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4XAJO9S3\wack[1].exe/rmsyrup.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\wacky32.exe/rmsyrup.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lviss.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\WINDOWS\system32\setup_06172.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\WINDOWS\system32\setup_60733.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Any replies will be greatly appreciated (however you spell that lol)

thanks guys xxxx :whistling:
  • 0

#2 stonangel (Visiting Staff, Visiting Consultant, 429 posts)
Welcome to Geeks To Go, Cherie01.

* Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX
  • 0

#3 Cherie01 (Topic Starter, Member, 73 posts)
Hiya, thanks for that. Below is the log for the Look2Me removal.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 14/10/2006 15:01:01

Infected! C:\WINDOWS\system32\s088lalu1dq8.dll
Infected! C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000028.dll
Infected! C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000039.dll
Infected! C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000053.dll
Infected! C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000056.dll
Infected! C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000061.dll
Infected! C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000068.dll
Infected! C:\WINDOWS\system32\dwnet.dll
Infected! C:\WINDOWS\system32\fprm0391e.dll
Infected! C:\WINDOWS\system32\iFspolcy.dll
Infected! C:\WINDOWS\system32\mkw3prt.dll
Infected! C:\WINDOWS\system32\r0r6la9s1d.dll
Infected! C:\WINDOWS\system32\s088lalu1dq8.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\s088lalu1dq8.dll
C:\WINDOWS\system32\s088lalu1dq8.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000028.dll
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000028.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000039.dll
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000039.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000053.dll
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000053.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000056.dll
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000056.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000061.dll
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000061.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000068.dll
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000068.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dwnet.dll
C:\WINDOWS\system32\dwnet.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fprm0391e.dll
C:\WINDOWS\system32\fprm0391e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\iFspolcy.dll
C:\WINDOWS\system32\iFspolcy.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mkw3prt.dll
C:\WINDOWS\system32\mkw3prt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r0r6la9s1d.dll
C:\WINDOWS\system32\r0r6la9s1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s088lalu1dq8.dll
C:\WINDOWS\system32\s088lalu1dq8.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CCF7FF12-64AC-4A45-956E-D5EB028D8965}"
HKCR\Clsid\{CCF7FF12-64AC-4A45-956E-D5EB028D8965}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3E3CFFE5-535F-419B-B726-0E9B66F26EB0}"
HKCR\Clsid\{3E3CFFE5-535F-419B-B726-0E9B66F26EB0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{59C0F9A2-BA08-40AB-9834-0AE041E9C66C}"
HKCR\Clsid\{59C0F9A2-BA08-40AB-9834-0AE041E9C66C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{92CDF257-B429-4307-AFA9-BC46FDE45F83}"
HKCR\Clsid\{92CDF257-B429-4307-AFA9-BC46FDE45F83}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7614E8B9-828C-4711-805A-2DCD85957E49}"
HKCR\Clsid\{7614E8B9-828C-4711-805A-2DCD85957E49}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{40983E54-9E5E-4A2E-AA15-A81CCA426F8B}"
HKCR\Clsid\{40983E54-9E5E-4A2E-AA15-A81CCA426F8B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7858FF26-5088-43DF-9451-82D52E2A2933}"
HKCR\Clsid\{7858FF26-5088-43DF-9451-82D52E2A2933}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{30818641-76AD-45F2-ACAF-6265451D8FD3}"
HKCR\Clsid\{30818641-76AD-45F2-ACAF-6265451D8FD3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{42982DD4-2CC8-4B79-BDC9-913B74DFB2B2}"
HKCR\Clsid\{42982DD4-2CC8-4B79-BDC9-913B74DFB2B2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{69F41977-B71C-4A91-AD54-3D975CDB5776}"
HKCR\Clsid\{69F41977-B71C-4A91-AD54-3D975CDB5776}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{80C85884-04E3-4C29-94E1-774CC1970D50}"
HKCR\Clsid\{80C85884-04E3-4C29-94E1-774CC1970D50}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5FD55804-F997-46EE-B67A-D32257EE0714}"
HKCR\Clsid\{5FD55804-F997-46EE-B67A-D32257EE0714}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

& here's the log for HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 15:03:46, on 14/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\dfndrff_e29.exe
C:\kybrdff_e29.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - C:\WINDOWS\System32\yaywvtu.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e29.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e29.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: yaywvtu - C:\WINDOWS\SYSTEM32\yaywvtu.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)



thanks for all your help with this :whistling: Cherie
  • 0

#4 stonangel (Visiting Staff, Visiting Consultant, 429 posts)
Hi Cherie,

There are a few new baddies shown on your computer...

* It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these free products: Zone Alarm, Sygate or Kerio.
It is important to note that you should only have one firewall installed at a time.

* Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

* If it doesn't find anything, right-click in the main program window, choose "Add more files?".
Type the following file names into the box exactly as shown:

C:\WINDOWS\System32\yaywvtu.dll

Click Close Window, then Remove Vundo.

You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

* Post a new hijackthis log along with the contents of this file: C:\vundofix.txt into this thread.
  • 0

#5 Cherie01 (Topic Starter, Member, 73 posts)
Hiya again, thanks so much for all your help with sorting out my computer :whistling:

I did as you said, but when I first ran the Vundo fix it came up with nothing. But I noticed my AntiVir PE Classic kept coming up with a warning asking would I like to block TR/Vundo.Gen, so I selected yes, but then turned AntiVir Classic off & re-did the VundoFix program, & then it did find something. But after rebooting my computer 2 times it still said it was unable to remove some of it. Below is the log.

VundoFix V6.2.2

Checking Java version...

Sun Java not detected
Scan started at 12:35:41 15/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\cdpipthv.dll
C:\WINDOWS\system32\yaywvtu.dll
C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.bak1
C:\WINDOWS\System32\cdeeg.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdpipthv.dll
C:\WINDOWS\system32\cdpipthv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yaywvtu.dll
C:\WINDOWS\system32\yaywvtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\cdeeg.bak1
C:\WINDOWS\System32\cdeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\cdeeg.bak2
C:\WINDOWS\System32\cdeeg.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.2

Checking Java version...

Sun Java not detected
Scan started at 12:40:21 15/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\cdpipthv.dll
C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\cdeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdpipthv.dll
C:\WINDOWS\system32\cdpipthv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Performing Repairs to the registry.
Done!




& I have done a new HijackThis log which is also below


Logfile of HijackThis v1.99.1
Scan saved at 12:54:59, on 15/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\lsscs.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Sunbelt Software\Personal Firewall\assist.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\cdpipthv.dll (file missing)
O2 - BHO: (no name) - {87142EF8-CCDE-4ED5-A1FC-81EA0D950EC7} - C:\WINDOWS\System32\geedc.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98AC03D-F460-48BC-853E-927A79F6F32D}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe



& I downloaded ZoneAlarm but it completely disabled my computer, I was unable to do anything, so I had to uninstall it & then installed Kerio. I myself have a Windows firewall, but when I last ran a Spybot check it came up with a thing that said Windows Firewall disabled & various other applications which seem to be blocking my Windows updates etc.... When I first opened this virus I did have an antivirus running, which it also disabled. I'm quite worried about this virus as it doesn't seem to want to go away :blink:(

but I'm sure coming on here is the right medicine for it lol. Thanks again for all your time & effort you're putting into helping. Cherie XXXXXXXXXXXX :help:
  • 0

#6 stonangel (Visiting Staff, Visiting Consultant, 429 posts)
Hi Cherie01,

* Please run VundoFix again.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#7 Cherie01 (Topic Starter, Member, 73 posts)
Hiya, here are the logs.

This is the VundoFix log:

VundoFix V6.2.2

Checking Java version...

Sun Java not detected
Scan started at 14:33:09 15/10/2006

Listing files found while scanning....


VundoFix V6.2.2

Checking Java version...

Sun Java not detected
Scan started at 14:34:08 15/10/2006

Listing files found while scanning....

C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\cdeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.2.2

Checking Java version...

Sun Java not detected
Scan started at 14:40:30 15/10/2006

Listing files found while scanning....

C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\cdeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\geedc.dll
C:\WINDOWS\System32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\cdeeg.ini
C:\WINDOWS\System32\cdeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...



& below is a fresh HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 14:51:11, on 15/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\lsscs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\pwr.exe
c:\nwnmff_e30.exe
c:\dfndrff_e30.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\kybrdff_e30.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\explorer.exe
c:\windows\pwr.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Sunbelt Software\Personal Firewall\assist.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\cdpipthv.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: (no name) - {CC6C36B7-C2F7-4A7E-BB2F-8FE3A3DE4D2C} - C:\WINDOWS\System32\geedc.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e30.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e30.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e30.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98AC03D-F460-48BC-853E-927A79F6F32D}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\axdiosrv.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe



thanks Cherie
  • 0
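The logs in this thread are read by hand, and the helper's fixes all target the same handful of HijackThis entry types: O20 Winlogon Notify DLLs with random names, nameless O2 BHOs, O4 Run entries launching executables straight from the drive root, O23 services with an unknown owner or a missing binary, and R0/R1 search-page redirects. The following is an added example (not code from the thread or from the HijackThis project) that encodes those same triage rules as a small Python script and runs them over a constructed sample made of lines copied from the logs above. The benign search-host set and the default Winlogon Notify package names are assumptions that would need tuning for a given Windows build.

```python
import re

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
O2 - BHO: (no name) - {CC6C36B7-C2F7-4A7E-BB2F-8FE3A3DE4D2C} - C:\WINDOWS\System32\geedc.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e30.exe
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

HJT_LINE = re.compile(r"^([RFO]\d+) - (.*)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Executable sitting directly in a drive root, e.g. c:\\dfndrff_e30.exe (one or more backslashes).
ROOT_EXE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")
# Search/start-page hosts treated as benign defaults (assumption: extend for your environment).
BENIGN_SEARCH_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com", "search.msn.com"}
# Winlogon Notify packages found on a default Windows XP install (assumption: tune per build).
DEFAULT_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                           "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def run_target(rest):
    """Return the executable path from an O4 entry body such as '[name] "C:\\x.exe" /flag'."""
    cmd = rest.split("] ", 1)[1].strip() if "] " in rest else rest
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def check_entry(code, rest):
    """Apply the triage rules to one parsed entry; return a list of reasons (empty = nothing to flag)."""
    reasons = []
    if code in ("R0", "R1") and "=" in rest:
        value = rest.split("=", 1)[1].strip()
        host = URL_HOST.search(value)
        if value != "about:blank" and host and host.group(1).lower() not in BENIGN_SEARCH_HOSTS:
            reasons.append("IE search/start page points at non-default host " + host.group(1))
    elif code == "O2" and "(no name)" in rest:
        reasons.append("nameless BHO (pattern seen with Vundo/Look2Me in this thread)")
    elif code == "O4":
        if ROOT_EXE.match(run_target(rest)):
            reasons.append("Run entry launches an executable from the drive root")
    elif code == "O20" and rest.startswith("Winlogon Notify:"):
        name = rest[len("Winlogon Notify:"):].split(" - ", 1)[0].strip().lower()
        if name not in DEFAULT_WINLOGON_NOTIFY:
            reasons.append("non-default Winlogon Notify DLL " + name)
    elif code == "O23":
        if "Unknown owner" in rest:
            reasons.append("service with unknown owner")
        if "(file missing)" in rest:
            reasons.append("service binary missing (orphaned entry)")
    return reasons


def triage(log_text):
    """Parse HijackThis-style lines and return one finding per flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # headers, process listings and blank lines carry no entry code
        code, rest = m.groups()
        reasons = check_entry(code, rest)
        if reasons:
            findings.append({"code": code, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

Run against the sample, the script flags six of the eight lines and leaves the SpeedTouch Run entry and the AVG service alone; it is a first pass for deciding what to look at, not a verdict, since a legitimate but unusual Winlogon Notify package or a hand-set search page would be flagged too.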

#8 stonangel (Visiting Staff, Visiting Consultant, 429 posts)
Well...

Hi Cherie,

* Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\geedc.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\cdeeg.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: (no name) - {CC6C36B7-C2F7-4A7E-BB2F-8FE3A3DE4D2C} - C:\WINDOWS\System32\geedc.dll
    O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Please post a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#9
Cherie01

    Member

  • Topic Starter
  • Member
  • 73 posts
Hiya, I did as you said. Everything went to plan, except when HijackThis started in Safe Mode the 2 files that you named were not there??
See below:
O2 - BHO: (no name) - {CC6C36B7-C2F7-4A7E-BB2F-8FE3A3DE4D2C} - C:\WINDOWS\System32\geedc.dll
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll

Anyways here are the logs below

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\geedc.dll

The second filepath entered was C:\WINDOWS\System32\cdeeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 788 'explorer.exe'

Killing PID 656 'rundll32.exe'
Killing PID 656 'rundll32.exe'

Killing PID 232 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\System32\geedc.dll.
C:\WINDOWS\System32\cdeeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



And here's the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 15:53:07, on 15/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e30.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e30.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e30.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe




Thanks Cherie :whistling:

#10
stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Hi Cherie,

Could you enable your antivirus, please?

I don't see it running...

#11
Cherie01

    Member

  • Topic Starter
  • Member
  • 73 posts
Sorry about that, it is back on now :whistling: Cherie

#12
stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Could you post back a new hijackthis log, please?

#13
Cherie01

    Member

  • Topic Starter
  • Member
  • 73 posts
Logfile of HijackThis v1.99.1
Scan saved at 16:59:53, on 15/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\lsscs.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\nwnmff_e30.exe
C:\dfndrff_e30.exe
C:\kybrdff_e30.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\pwr.exe
c:\windows\pwr.exe
C:\WINDOWS\system32\rundll32.exe
c:\windows\pwr.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\pwr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\windows\pwr.exe
C:\WINDOWS\explorer.exe
c:\windows\pwr.exe
c:\windows\pwr.exe
c:\windows\pwr.exe
c:\windows\pwr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\pwr.exe
c:\windows\pwr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\AntiVir PersonalEdition Classic\update.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Sunbelt Software\Personal Firewall\assist.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: (no name) - {DD1A097B-7117-44F4-BA88-DDE7B32E20DB} - C:\WINDOWS\System32\geedc.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e30.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e30.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e30.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98AC03D-F460-48BC-853E-927A79F6F32D}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\fp4603hse.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe

#14
stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Thanks Cherie. Let's go ahead :whistling:

1. Locate the icon of AVG Anti-Spyware on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet, we will shortly.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

5. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of the AVG Anti-Spyware text report that you saved and a new HiJackThis log.

Edited by stonangel, 15 October 2006 - 10:08 AM.


#15
Cherie01

    Member

  • Topic Starter
  • Member
  • 73 posts
Hiya, below is the AVG log

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:38:34 15/10/2006

+ Scan result:



C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP3\A0005332.exe -> Adware.CommAd : No action taken.
C:\WINDOWS\TXIgJiBNcnMgTW9udGFuYQ\asappsrv.dll -> Adware.CommAd : No action taken.
C:\WINDOWS\TXIgJiBNcnMgTW9udGFuYQ\command.exe -> Adware.CommAd : No action taken.
C:\Installer4.exe -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000069.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000071.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000072.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP3\A0005349.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP3\A0007362.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP3\A0008370.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\cuetcfg.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\dOvclnt.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\dckquoui.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\g6lm0g31e6.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\ir0ol5d31.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\jtproxy.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\k8260ifse8260.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\kxdusx.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\miscp.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\nntshell.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\t88ulil918q.dll -> Adware.Look2Me : No action taken.
[660] C:\WINDOWS\system32\mtglibnt.dll -> Adware.Look2Me : No action taken.
[788] C:\WINDOWS\system32\mtglibnt.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP3\A0005329.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0003109.exe/rmsyrup.exe -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP3\A0005179.dll -> Adware.Virtumonde : No action taken.
C:\VundoFix Backups\yaywvtu.dll.bad -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__M_s_c_f_g_._e_x_e_ -> Backdoor.SdBot.avr : No action taken.
C:\WINDOWS\system32\wu.exe -> Downloader.Adload.fu : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0000030.exe -> Downloader.Adload.gp : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0003111.exe -> Downloader.Adload.gq : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0003110.exe -> Downloader.VB.anb : No action taken.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MJOHW6ZI\school[1].exe -> Downloader.VB.anb : No action taken.
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : No action taken.
C:\System Volume Information\_restore{2CC87726-9A25-4786-B1AD-23A92148BBE4}\RP1\A0004108.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs [email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs [email protected][1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@trafic[1].txt -> TrackingCookie.Trafic : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs montana@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Mr & Mrs Montana\Cookies\mr & mrs [email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

Here's the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 18:49:28, on 15/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mr & Mrs Montana\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Sunbelt Software\Personal Firewall\assist.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {251DA269-19B2-40E6-B423-911EFA95BAAA} - C:\WINDOWS\System32\geedc.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98AC03D-F460-48BC-853E-927A79F6F32D}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\k880lilm18qa.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe (file missing)



Thanks Cherie