
Unknown, Possibly Winfixer/Vundo or Smitfraud


  • This topic is locked

#1 Freeze
    New Member
  • Member
  • 4 posts
Evening,

All, I hope there is someone out there that can help rectify my current problem: a major influx of pop-ups when browsing the internet. I have XP Pro SP2 installed with the built-in pop-up blocker but this isn't helping and I have constant re-directions when browsing to the usual spamming sites. The last time I experienced such a problem was a very very long time ago when I first initially installed my OS.

I have identified 1 particular folder :-

C:\Program Files\VSAdd-in

Containing the file :-

VSAdd-in.dll

This is certainly something that hasn't been there in the past!

Likewise, with the ActiveX Controls, as soon as I disable the following ActiveX Controls in IE then my problem immediately goes away :-

gebyxyx.dll
geebx.dll


What are these files?

I have completed a full AVG scan which found and apparently 'deleted' the folder, however on every reboot the file restores itself and re-enables the aforementioned ActiveX controls causing the issue all over again.

Please see below for my HJT log :-

Logfile of HijackThis v1.99.1
Scan saved at 20:47:00, on 05/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\razerhid.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.evga.com/...can/Default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Danny's Internet
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\jfyhxcos.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgfwsrv.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero Ultra\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Any help would be very much appreciated.

Cheers, Freeze

Edited by Freeze, 05 February 2007 - 02:53 PM.



#2 Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Hello and welcome to Geeks To Go

Some malware has the ability to hide when interrogated by HijackThis; I believe this may be true in your case. Please right click on hijackthis.exe and rename it to crusty.exe

Now please rescan with the newly named file and post the log into this thread by using the ADD REPLY button on the bottom right of this post, and I'll have a fresh look.

From now on, you will have to use crusty.exe to produce a HJT log.

Please ensure that you post logs created in normal mode only.

#3 Freeze
    New Member
  • Topic Starter
  • Member
  • 4 posts
Hey there, many many thanks for looking into this for me ...

New HJT log as requested using the renamed .exe :-

Logfile of HijackThis v1.99.1
Scan saved at 18:16:34, on 06/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\razerhid.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\crusty.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.evga.com/...can/Default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Danny's Internet
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EF841B-4C82-40F2-85C8-A3F44BCE62E5} - C:\WINDOWS\system32\gebyxyx.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - blank (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {8D32EDCE-9ADB-4C55-B682-37160F839B0B} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ueukkdum.dll",setvm
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebyxyx - C:\WINDOWS\SYSTEM32\gebyxyx.dll
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgfwsrv.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero Ultra\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Again, any help is much appreciated! :whistling:

Freeze

#4 Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Hello Freeze and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post quickly; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual’s settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

Renaming was a good call; have a look at the new O2 and O20 entries.

You have quite a mixture of malware and Virtumonde (Vundo) infection. Let’s see what we can do. I’ll hit the vundo first and then the rest later.


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If Vundofix does not find and delete the files, please try running it a bit differently:
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\gebyxyx.dll
    • C:\WINDOWS\system32\xyxybeg.*
    • C:\WINDOWS\system32\geebx.dll
    • C:\WINDOWS\system32\xbeeg.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.

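The two things the helper points at above (entries that only show up once HijackThis is renamed, and the Vundo habit of pairing each random-named DLL with files whose stem is the same name reversed, as in the gebyxyx/xyxybeg and geebx/xbeeg entries listed for VundoFix) can be checked mechanically from the log text. The following is an added triage script, not something from this thread or from the HijackThis or VundoFix tools; the two log extracts inside it are constructed samples modelled on the before-and-after logs posted here, and the "random-looking name" test is a simple heuristic of my own, not a rule either tool uses.

```python
import re
from pathlib import PureWindowsPath

# Constructed extracts modelled on the two HijackThis logs in this thread: the
# first taken before HijackThis.exe was renamed, the second after it was renamed
# to crusty.exe. They are short samples, not the thread's full logs.
BEFORE_RENAME = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\jfyhxcos.dll",setvm
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
"""

AFTER_RENAME = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {08EF841B-4C82-40F2-85C8-A3F44BCE62E5} - C:\WINDOWS\system32\gebyxyx.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ueukkdum.dll",setvm
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebyxyx - C:\WINDOWS\SYSTEM32\gebyxyx.dll
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
"""

# Captures a full Windows path to a .dll (group 1) and its stem (group 2).
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]*?\\([A-Za-z0-9_.-]+)\.dll)', re.IGNORECASE)


def entries(log: str) -> list[str]:
    """Split a HijackThis log into its non-empty entry lines."""
    return [ln.strip() for ln in log.splitlines() if ln.strip()]


def newly_visible(before: str, after: str) -> list[str]:
    """Entries present in the second log but absent from the first.

    Run on logs taken before and after renaming HijackThis, this lists what the
    malware stopped hiding. It also catches autostart lines whose random DLL
    name changed between boots, since those compare as new too."""
    seen = set(entries(before))
    return [e for e in entries(after) if e not in seen]


def looks_random(stem: str) -> bool:
    """Heuristic (my own, not a HijackThis rule): 5-8 lowercase letters, no
    digits or capitals, is typical of the machine-generated Vundo names."""
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None


def suspicious(log: str) -> list[tuple[str, str]]:
    """Return (reason, entry) pairs for lines worth a closer look."""
    findings = []
    for e in entries(log):
        if "(file missing)" in e:
            findings.append(("orphaned entry, file missing", e))
            continue
        m = DLL_RE.search(e)
        stem = m.group(2) if m else ""
        in_sys32 = bool(m) and "\\system32\\" in m.group(1).lower()
        if e.startswith("O2 - BHO: (no name)"):
            findings.append(("BHO registered without a name", e))
        elif e.startswith("O20 - Winlogon Notify:") and in_sys32 and looks_random(stem):
            findings.append(("Winlogon Notify DLL with random-looking name in system32", e))
        elif e.startswith("O4") and "rundll32" in e.lower() and in_sys32 and looks_random(stem):
            findings.append(("rundll32 autostart of random-looking system32 DLL", e))
        elif e.startswith("O4") and "RunServices" in e and not re.search(r"[A-Za-z]:\\", e):
            findings.append(("autostart with bare filename, no full path", e))
    return findings


def vundo_companions(dll_path: str) -> str:
    """Wildcard for the companion files VundoFix is told to look for: the
    thread pairs gebyxyx.dll with xyxybeg.* and geebx.dll with xbeeg.*, i.e.
    the DLL stem spelled backwards in the same directory."""
    p = PureWindowsPath(dll_path)
    return str(p.with_name(p.stem[::-1] + ".*"))


if __name__ == "__main__":
    for e in newly_visible(BEFORE_RENAME, AFTER_RENAME):
        print("new after rename:", e)
    for reason, e in suspicious(AFTER_RENAME):
        print(f"[{reason}] {e}")
    print("also look for:", vundo_companions(r"C:\WINDOWS\system32\gebyxyx.dll"))
```

On the two samples, `newly_visible` returns the three O2 lines, the changed DllRunning line and the three O20 lines, while the Java BHO, the NVIDIA rundll32 entry and the AVG entries are left alone by `suspicious`. Names that fail `looks_random` are not cleared by that alone; the `(no name)` and `RunServices` checks are independent of it, which is why `taskmngr.exe` is still reported.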

#5 Freeze
    New Member
  • Topic Starter
  • Member
  • 4 posts
As requested (any better?) ...



VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.8

Scan started at 19:21:46 06/02/2007

Listing files found while scanning....

blank
C:\WINDOWS\system32\gebyxyx.dll
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyxyx.dll
C:\WINDOWS\system32\gebyxyx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyxyx.dll
C:\WINDOWS\system32\gebyxyx.dll Has been deleted!

Performing Repairs to the registry.
Done!




Logfile of HijackThis v1.99.1
Scan saved at 19:36:38, on 06/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\razerhid.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\crusty.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.evga.com/...can/Default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Danny's Internet
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EF841B-4C82-40F2-85C8-A3F44BCE62E5} - C:\WINDOWS\system32\gebyxyx.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - blank (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {8D32EDCE-9ADB-4C55-B682-37160F839B0B} - C:\WINDOWS\system32\geebx.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgfwsrv.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero Ultra\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



Thanks, Freeze

#6 Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Hello again

That looks better.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
AVG AntiSpyware
combofix.exe

Please install and update AVG Anti Spyware:
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode
  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {08EF841B-4C82-40F2-85C8-A3F44BCE62E5} - C:\WINDOWS\system32\gebyxyx.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - blank (file missing)
O2 - BHO: (no name) - {8D32EDCE-9ADB-4C55-B682-37160F839B0B} - C:\WINDOWS\system32\geebx.dll (file missing)
O4 - HKLM\..\RunServices: [Windows] taskmngr.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please). How's the PC running now?

#7 Freeze
    New Member
  • Topic Starter
  • Member
  • 4 posts
Hey there :blink:

The AVG Anti Spyware Scan

I downloaded this and obviously installed without any problems, however it would not connect to Ewido to update so I could therefore not carry out an up-to-date virus check using this method. However, I use AVG anyway as both my Anti Spyware and Firewall precautions, so as instructed I ran a FULL System Scan in Safe Mode with AVG. No errors were found.

ComboFix

"Danny" - 07-02-07 18:01:43 Service Pack 2
ComboFix 07-02-06.3 - Running from: "C:\Documents and Settings\Danny.DANNYW\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


2007-02-07 17:54 <DIR> d-------- C:\Program Files\CCleaner
2007-02-06 19:21 <DIR> d-------- C:\VundoFix Backups
2007-02-06 08:51 12,244,685 --------- C:\AVG7QT.DAT
2007-02-05 21:18 262,144 --a------ C:\DOCUME~1\ALLUSE~1.WIN\ntuser.dat
2007-02-05 21:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-02-05 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\SUPERAntiSpyware.com
2007-02-05 20:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-05 20:03 <DIR> d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\SUPERAntiSpyware.com
2007-02-05 18:59 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-05 17:55 <DIR> d-------- C:\DOCUME~1\LOCALS~1.000\Application Data\AVG7
2007-02-05 17:48 839,936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-05 17:48 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-05 17:48 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-05 17:48 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-05 17:48 18,432 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-05 17:48 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-02-05 17:48 <DIR> d-------- C:\Program Files\AVG
2007-02-05 17:48 <DIR> d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\AVG7
2007-02-05 17:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Grisoft
2007-02-05 17:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\avg7
2007-02-04 12:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-04 12:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Spybot - Search & Destroy
2007-02-03 22:02 <DIR> d-------- C:\Program Files\HiJackThis
2007-01-30 18:14 <DIR> d-------- C:\Program Files\Vodei
2007-01-28 19:43 <DIR> d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\uTorrent
2007-01-27 17:48 <DIR> d-------- C:\Program Files\ClubDJ Pro
2007-01-27 17:27 89,360 --a------ C:\WINDOWS\system32\Vb5db.dll
2007-01-27 17:27 37,136 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-01-27 17:27 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-01-27 17:27 24,336 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-01-27 17:27 1,046,288 --a------ C:\WINDOWS\system32\msjet35.dll
2007-01-27 13:28 <DIR> d-------- C:\Program Files\Razer
2007-01-27 13:24 <DIR> d-------- C:\Program Files\Saitek
2007-01-26 17:49 <DIR> d-------- C:\Program Files\iTunes
2007-01-26 17:49 <DIR> d-------- C:\Program Files\iPod
2007-01-26 17:48 <DIR> d-------- C:\Program Files\QuickTime
2007-01-21 11:44 <DIR> d-------- C:\Program Files\BitComet
2007-01-19 18:55 <DIR> d-------- C:\Program Files\DFX
2007-01-15 21:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-14 22:32 <DIR> d-------- C:\Program Files\Real Alternative
2007-01-14 22:32 <DIR> d-------- C:\Program Files\Media Player Classic
2007-01-14 22:32 <DIR> d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\Media Player Classic
2007-01-14 22:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Real
2007-01-14 20:47 28,672 --a------ C:\WINDOWS\system32\bsqt.dll
2007-01-14 20:47 <DIR> d-------- C:\Program Files\MOV
2007-01-14 20:29 <DIR> d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\River Past G4
2007-01-14 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\River Past G4
2007-01-14 19:48 <DIR> d-------- C:\Program Files\XviD
2007-01-14 19:26 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll
2007-01-14 19:26 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll
2007-01-14 19:26 65,536 --a------ C:\WINDOWS\system32\mplapx.dll
2007-01-14 19:26 65,536 --a------ C:\WINDOWS\system32\mplam6.dll
2007-01-14 19:26 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-01-14 19:26 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll
2007-01-14 19:26 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll
2007-01-14 19:26 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll
2007-01-14 19:26 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll
2007-01-14 18:50 <DIR> d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\DivX
2007-01-14 18:48 <DIR> d-------- C:\Program Files\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-07 17:53 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\dmcache
2007-02-06 20:43 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\xfire
2007-02-06 19:17 -------- d-------- C:\Program Files\hlsw
2007-02-05 21:29 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-05 21:04 -------- d-------- C:\Program Files\registry mechanic
2007-02-05 20:21 -------- d-------- C:\Program Files\tuneup utilities
2007-02-05 20:21 -------- d-------- C:\Program Files\internet download manager
2007-02-05 18:59 -------- d-------- C:\Program Files\daemon tools
2007-02-04 02:40 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\limewire
2007-02-03 14:31 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\teamspeak2
2007-02-01 22:25 -------- d-------- C:\Program Files\mirc
2007-01-31 21:59 -------- d-------- C:\Program Files\ad-aware professional
2007-01-30 22:08 345 --a------ C:\DOCUME~1\DANNY~1.DAN\Application Data\autogk.ini
2007-01-30 20:12 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\azureus
2007-01-30 18:12 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\apple computer
2007-01-29 21:11 -------- d-------- C:\Program Files\sisoftware sandra pro home
2007-01-28 19:21 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-01-27 13:28 -------- d--h----- C:\Program Files\installshield installation information
2007-01-26 17:46 -------- d-------- C:\Program Files\apple software update
2007-01-21 11:44 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-01-19 19:00 -------- d---s---- C:\Program Files\xfire
2007-01-14 19:26 -------- d-------- C:\Program Files\ace mega codecs pack
2007-01-12 19:02 -------- d-------- C:\Program Files\fr33ze
2007-01-07 19:06 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\dvdcss
2007-01-01 15:48 -------- d-------- C:\Program Files\speed fan
2006-12-29 20:33 -------- d-------- C:\Program Files\iso buster
2006-12-27 23:21 -------- d-------- C:\Program Files\the all-seeing eye
2006-12-27 23:21 -------- d-------- C:\Program Files\sony vegas
2006-12-27 23:21 -------- d-------- C:\Program Files\clone cd
2006-12-27 23:21 -------- d-------- C:\Program Files\auto gordian knot
2006-12-27 23:17 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-12-27 17:26 -------- d-------- C:\Program Files\azureus
2006-12-27 13:35 -------- d-------- C:\Program Files\teamspeak
2006-12-26 23:52 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\vlc
2006-12-26 23:50 -------- d-------- C:\Program Files\videolan
2006-12-19 16:53 24072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2006-12-17 22:09 -------- d-------- C:\Program Files\msn messenger
2006-12-16 13:23 -------- d-------- C:\Program Files\xilisoft avi to dvd converter
2006-12-16 11:29 -------- d-------- C:\Program Files\winavi video converter
2006-12-15 19:33 4 --a------ C:\WINDOWS\bytespersecond.dat
2006-12-13 18:30 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\real
2006-12-13 17:50 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-12-12 19:08 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-12-12 18:41 -------- dr-h----- C:\DOCUME~1\DANNY~1.DAN\Application Data\securom
2006-12-12 18:18 -------- d-------- C:\DOCUME~1\DANNY~1.DAN\Application Data\installshield
2006-12-10 18:29 -------- d-------- C:\Program Files\asus life frame
2006-12-09 18:26 -------- d-------- C:\Program Files\seismovision
2006-11-22 01:04 98304 --a------ C:\WINDOWS\system32\qttask.exe
2006-11-18 01:25 86016 --a------ C:\WINDOWS\system32\openal32.dll
2006-11-18 01:25 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 22:28 43668 --a------ C:\WINDOWS\system32\xvid-uninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VolPanel"="\"C:\\Program Files\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"razer"="C:\\Program Files\\Razer\\razerhid.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVG\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"Flag"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{08EF841B-4C82-40F2-85C8-A3F44BCE62E5}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\AVG\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\AVG\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\sccfg.sys 120 bytes
C:\WINDOWS\WindowsShell.Manifest 4096 bytes
C:\WINDOWS\WindowsUpdate.log 1114112 bytes
C:\WINDOWS\winhelp.exe 188416 bytes
C:\WINDOWS\winhlp32.exe 286720 bytes
C:\WINDOWS\winnt.bmp 12288 bytes
C:\WINDOWS\winnt256.bmp 12288 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\WinSxS\InstallTemp
C:\WINDOWS\WinSxS\Manifests
C:\WINDOWS\WinSxS\Policies
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.26_x-ww_0dde6a53
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.1_x-ww_468466a5
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.1_x-ww_d6bd8b93
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
C:\WINDOWS\WMSysPr9.prx 319488 bytes
C:\WINDOWS\YJ2RCQSH.ocx 4096 bytes
C:\WINDOWS\Zapotec.bmp 8192 bytes
C:\WINDOWS\zipinst.exe 40960 bytes
C:\WINDOWS\_default.pif 712 bytes
C:\WINDOWS\_delis32.ini 568 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 36

********************************************************************

Completion time: 07-02-07 18:03:43

HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 18:12:33, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Razer\razerhid.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\crusty.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.evga.com/...can/Default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Danny's Internet
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgfwsrv.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero Ultra\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware Sandra Pro Home\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Looking good now? I can feel the difference already, PC feeling perky and snappy like it used to be :whistling:

Cheers, Freeze
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Please refer to the instructions for AVGas 7.5 again. The servers are often busy, so be patient; it will update. Please do the scan as instructed in safe mode. I must point out that AVG Free is antivirus and AVG 7.5 antispyware deals with non-virus malware. You need both.

Please delete this folder: C:\Program Files\Enigma Software Group\

I don't recognise this folder: C:\Program Files\fr33ze\ Do you? If not, please report on its content.

I don't need to see a further HJT log, but I do need that AVGas log before giving you the all clear and final clean up instructions.
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





