Hijackthis log , Help removing Win Fixer 2005 and Trojan.vundo



#1 ns0622
Hi everyone, I am new here. I have been having problems with removing WinFixer 2005, and Norton is telling me that C:\WINDOWS\system32\gebyw.dll is infected with Trojan.Vundo, but it can't remove it. I tried to remove that virus, and it never lets me delete the file. Upon doing numerous Google searches on WinFixer 2005 and Trojan.Vundo, a lot of the results bring me back to your site. I have been reading through some of the other posts and solutions to problems, and I have tried some of them. I have already installed Ewido and used it to scan; I will post that log after my HijackThis log. I also used the CleanUp! utility people on here have been referring to. I also wanted to try using Killbox, but it specifically states to enter the file path specified by people in the forum, and since I didn't have that, I didn't try it. I have also tried to boot into DOS and remove that DLL file, but it said it couldn't do it, so I tried to unregister the DLL file, but that failed also.

I am not sure what else to do, so I have decided to post my HijackThis log along with my Ewido log, and hopefully someone here can help me.

I am at a loss because I need to have this machine up and running by around 4pm, because someone in my house needs it for their business. Hopefully it's possible to do.

Thanks in advance for all of your help. I appreciate it. Oh, by the way, I am currently running all of these scans in Safe Mode, because the computer is too slow to use in regular mode. It is a Windows XP Home machine with Service Pack 2.



HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:45:45 AM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\SYSTEM32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe






Ewido log (this scan was done before the HijackThis scan):
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:41:37 AM, 10/14/2005
+ Report-Checksum: EEB8022C

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\system32\ddabx.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\system32\gebyw.dll -> TrojanDownloader.Small.bpk : Cleaned with backup


::Report End


Thanks again,
Nick

Edited by ns0622, 14 October 2005 - 11:54 AM.



#2 ns0622
Okay, so I did some more searching in Google, and I found a site that was telling me how to remove WinFixer 2005, so I followed their instructions to look for the line in HijackThis that says O2 - BHO: MSEvents Object - {random numbers and letters} - C:\WINDOWS\system32\ddabx.dll.

So I used VundoFix, and entered the first file path as C:\WINDOWS\system32\ddabx.dll and the second path as C:\WINDOWS\system32\xbadd.*.

The HijackThis log after that happened looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:30 AM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: gebyw - C:\WINDOWS\SYSTEM32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Oh, and my VundoFix log looks like this:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 496 'smss.exe'
Threads [500][504][508]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1356 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 572 'winlogon.exe'
Killing PID 572 'winlogon.exe'
Killing PID 572 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.

Edited by ns0622, 14 October 2005 - 10:31 AM.

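The two HijackThis logs above show the pattern VundoFix keys on: a BHO with no display name (or the "MSEvents Object" name) whose DLL sits in system32, the same DLL registered again as an O20 Winlogon Notify handler, and a companion file whose name is the DLL's name spelled backwards (ddabx.dll and xbadd.*, as the post typed into VundoFix). The script below is an added example written for this page; it is not part of the thread, of HijackThis or of VundoFix. It runs that cross-check over a few constructed log lines copied from the first post (the SAMPLE_LOG string), and the name check in SUSPECT_NAMES is taken from this page's logs only; a DLL it flags still has to be confirmed by scanning or hashing the file, since an unnamed BHO is suspicious, not proof.

```python
import re

# Constructed sample: a few HijackThis v1.99.1 lines of the kinds shown in the posts
# above (not a complete log). CLSIDs and paths are copied from the first post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\SYSTEM32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# O2 - BHO: <name> - {CLSID} - <path>
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O20 - Winlogon Notify: <Notify subkey> - <path>   (DLLs winlogon.exe loads at logon)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# BHO display names that the logs on this page associate with Vundo. "(no name)" is
# HijackThis's own placeholder for a BHO whose CLSID key has no default value.
SUSPECT_NAMES = {"(no name)", "msevents object"}


def parse_hjt(text):
    """Return (bhos, notify) entry lists from the O2 and O20 lines of a HijackThis log."""
    bhos, notify = [], []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def file_name(path):
    """Case-folded final path component: C:\\WINDOWS\\SYSTEM32\\gebyw.dll -> gebyw.dll"""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.replace("/", "\\").lower()


def reversed_companion(path):
    """ddabx.dll -> xbadd.*  (the second path the post above fed to VundoFix)."""
    stem = file_name(path).rsplit(".", 1)[0]
    return stem[::-1] + ".*"


def vundo_suspects(text):
    """Flag system32 BHOs that are unnamed and/or doubled as a Winlogon Notify handler."""
    bhos, notify = parse_hjt(text)
    notify_files = {file_name(n["path"]) for n in notify}
    suspects = []
    for b in bhos:
        if not in_system32(b["path"]):
            continue  # every Vundo DLL in this thread sits in system32
        reasons = []
        if b["name"].strip().lower() in SUSPECT_NAMES:
            reasons.append("BHO has no name / uses the MSEvents name")
        if file_name(b["path"]) in notify_files:
            reasons.append("same DLL is also a Winlogon Notify handler (loaded into winlogon.exe)")
        if reasons:
            suspects.append({
                "file": file_name(b["path"]),
                "clsid": b["clsid"],
                "reasons": reasons,
                # what the post typed into VundoFix: the DLL and its reversed-name twin
                "vundofix_paths": (b["path"], reversed_companion(b["path"])),
            })
    return suspects


if __name__ == "__main__":
    for s in vundo_suspects(SAMPLE_LOG):
        print(f"{s['file']}  {s['clsid']}")
        for r in s["reasons"]:
            print("   -", r)
        print("   VundoFix paths:", *s["vundofix_paths"])
```

On the sample it reports gebyw.dll and ddabx.dll, each for both reasons, and leaves the Adobe, Google and Intel (igfxcui) entries alone. The Winlogon Notify cross-reference also explains why the file could not be deleted by hand even in Safe Mode: an O20 entry makes winlogon.exe load the DLL at logon, and winlogon.exe runs in Safe Mode too. The VundoFix log in the post above shows how that tool worked around it: suspend smss.exe (which would otherwise bring the system down when winlogon.exe dies), kill explorer.exe and winlogon.exe, then delete the files.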

#3 ns0622
Okay, so I know that Norton was telling me the virus was in gebyw.dll, but I am not sure whether, when I ran VundoFix and it opened up HijackThis afterwards, I should also have told HJT to fix the Winlogon - C:\WINDOWS\system32\gebyw.dll line?

I am thinking that I should have, but I am not sure.

Also, I have been reading up a lot more on WinFixer 2005, and it's all very confusing. Would running these programs and spyware scanners, removing those DLL files with HijackThis, and the VundoFix actually uninstall WinFixer 2005 so that it doesn't come back? Or will I still have a problem with it?


Thanks again,
Nick

#4 ns0622
Okay, so I decided to run Ewido in various different ways a few more times, along with Spy Sweeper. It removed a few things, but kept finding the trojan file gebyw.dll. So I decided to run HijackThis again and look at the log. After I did that I ran VundoFix again and told it to go after gebyw.dll and wybeg.*, and after that, when HijackThis opened, I had it fix two things, one being that DLL file, the other being another random Winlogon DLL file. After that I restarted into regular mode, and I haven't seen any problems yet. The computer isn't running slow anymore, I don't see WinFixer at the moment, and I don't see Norton popping up telling me I have a virus.

Could someone please check these logs and make sure I am clean, though?
Thanks again for your help.


Ewido log (before running HijackThis and VundoFix for the last time):
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:53:22 PM, 10/14/2005
+ Report-Checksum: F7FC2BAE

+ Scan result:

HKU\S-1-5-21-1724617393-3661440306-1321000789-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\WINDOWS\system32\gebyw.dll -> TrojanDownloader.Small.bpk : Cleaned with backup


::Report End




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:05:37 PM, 10/14/2005
+ Report-Checksum: 3EFF8157

+ Scan result:

C:\WINDOWS\system32\gebyw.dll -> TrojanDownloader.Small.bpk : Cleaned with backup


::Report End




Spyware Sweeper log:

10/14/2005 12:09:49 AM::------------------------------------------------------------------
10/14/2005 12:09:49 AM::Initializing Clean - (ScanID: 07CD50A0-4AC9-4034-AF28-A4488B)
10/14/2005 12:09:49 AM::Remove Threat (ID:16573)
10/14/2005 12:09:49 AM::Clean Threat Trojan.Downloader.AdMSI (ID:16573)
10/14/2005 12:09:50 AM::Terminating IE
10/14/2005 12:09:51 AM::Removing file c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll
10/14/2005 12:09:51 AM::RemoveProviderByPath-FilePath=c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll,RC=0,ThreatID=16573
10/14/2005 12:09:51 AM::Removed all related Winsock LSP handler for c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll
10/14/2005 12:10:12 AM::Disable file c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\6DB8A5D9-3747-40E2-B72D-33ACD3\570E010F-48E1-4BB5-B20B-CF0770
10/14/2005 12:10:13 AM::Clean Threat Trojan.Downloader.AdMSI (ID:16573) Complete
10/14/2005 12:10:13 AM::Remove Threat (ID:16573) Complete
10/14/2005 12:10:13 AM::Remove Threat (ID:16556)
10/14/2005 12:10:13 AM::Clean Threat Winfixer (ID:16556)
10/14/2005 12:10:13 AM::Removing file c:\windows\system32\df_kme.exe
10/14/2005 12:10:14 AM::Disable file c:\windows\system32\df_kme.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\22F97A85-A345-4144-8DB7-74C837
10/14/2005 12:10:14 AM::Removing file c:\program files\common files\winsoftware\crxml.dll
10/14/2005 12:10:14 AM::RemoveProviderByPath-FilePath=c:\program files\common files\winsoftware\crxml.dll,RC=0,ThreatID=16556
10/14/2005 12:10:14 AM::Removed all related Winsock LSP handler for c:\program files\common files\winsoftware\crxml.dll
10/14/2005 12:10:22 AM::Removing shared dll registry entry for c:\program files\common files\winsoftware\crxml.dll
10/14/2005 12:10:22 AM::Disable file c:\program files\common files\winsoftware\crxml.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\D12F8523-214D-4546-823B-2DDE89
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\contact customer support.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\contact customer support.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\4990E3A4-AFF6-4C53-85AC-A13D62
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\uninstall winfixer 2005.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\uninstall winfixer 2005.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\49C99AE3-4261-4CCD-A7DD-5EFD6D
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005 on the web.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005 on the web.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\FAAFD19B-BA99-417C-90EF-C490F1
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\419233CB-5231-45EE-BBE1-F2F40E
10/14/2005 12:10:22 AM::Delete folder c:\documents and settings\all users\start menu\programs\winfixer 2005\
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005\Settings [TARGET_TIME_LOW=819807920
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005\Settings [TARGET_TIME_HIGH=29741105
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005\Settings
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware
10/14/2005 12:10:22 AM::Removing registry key HKEY_CURRENT_USER\Software\WinSoftware
10/14/2005 12:10:22 AM::Clean Threat Winfixer (ID:16556) Complete
10/14/2005 12:10:22 AM::Remove Threat (ID:16556) Complete
10/14/2005 12:10:22 AM::Remove Threat (ID:15196)
10/14/2005 12:10:22 AM::Clean Threat Virtumondo (ID:15196)
10/14/2005 12:10:23 AM::Removing file c:\windows\system32\ddabx.dll
10/14/2005 12:10:23 AM::RemoveProviderByPath-FilePath=c:\windows\system32\ddabx.dll,RC=0,ThreatID=15196
10/14/2005 12:10:23 AM::Removed all related Winsock LSP handler for c:\windows\system32\ddabx.dll
10/14/2005 12:10:27 AM::Removing BHO {52B1DFC7-AAFC-4362-B103-868B0683C697} for file c:\windows\system32\ddabx.dll
10/14/2005 12:10:27 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:27 AM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:29 AM::Unregistering COM entry points for file c:\windows\system32\ddabx.dll
10/14/2005 12:10:31 AM::Disable file c:\windows\system32\ddabx.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\7F476BDB-D3B1-48D0-8B68-9A829A\80D218CD-14C4-4F6F-857B-CABBC1
10/14/2005 12:10:31 AM::Delete file c:\windows\system32\ddabx.dll failed, adding to FileDeleteReboot
10/14/2005 12:10:31 AM::Disable file c:\windows\system32\ddabx.dll failed, file locked or in memory
10/14/2005 12:10:31 AM::Special cleaner required to remove threat on restart, reason: Could not quarantine file c:\windows\system32\ddabx.dll, unknown error moving file.
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [=C:\WINDOWS\system32\ddabx.dll
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [ThreadingModel=apartment
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID [=MSEvents.MSEvents.1
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\Programmable
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib [={BAD59A24-6891-417D-A041-C8FD495B77F1}
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID [=MSEvents.MSEvents
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [=MSEvents Object
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [AppID=
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:31 AM::Removing registry key HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:33 AM::Clean Threat Virtumondo (ID:15196) Complete
10/14/2005 12:10:34 AM::Remove Threat (ID:13117)
10/14/2005 12:10:34 AM::Clean Threat Altnet (ID:13117)
10/14/2005 12:10:34 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard\Settings
10/14/2005 12:10:34 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard
10/14/2005 12:10:34 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
10/14/2005 12:10:34 AM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
10/14/2005 12:10:34 AM::Clean Threat Altnet (ID:13117) Complete
10/14/2005 12:10:34 AM::Remove Threat (ID:13117) Complete
10/14/2005 12:12:14 AM::Unititializing Clean
10/14/2005 12:12:14 AM::------------------------------------------------------------------
10/14/2005 7:52:15 AM::------------------------------------------------
10/14/2005 7:52:15 AM::Starting GIANT AS Cleaner
10/14/2005 7:52:15 AM::Running all Cleaner deletes
10/14/2005 7:52:15 AM::---Starting Quick Cleaner DelFiles
10/14/2005 7:52:15 AM::File delete failed for c:\windows\system32\ddabx.dll
10/14/2005 7:52:15 AM::---Starting Quick Cleaner DelFolders
10/14/2005 7:52:16 AM::---Starting Quick Cleaner DelRegKeys
10/14/2005 7:52:16 AM::Registry key delete complete for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:52:16 AM::Checking threats to clean
10/14/2005 7:52:18 AM::------------------------------------------------------------------
10/14/2005 7:52:18 AM::Initializing Clean - (ScanID: 07CD50A0-4AC9-4034-AF28-A4488B)
10/14/2005 7:52:18 AM::Cleaning threat 15196 ScanID: 07CD50A0-4AC9-4034-AF28-A4488B
10/14/2005 7:52:18 AM::Clean Threat Virtumondo (ID:15196)
10/14/2005 7:52:19 AM::Generating threat
10/14/2005 7:52:21 AM::Removing file c:\windows\system32\ddabx.dll
10/14/2005 7:52:22 AM::RemoveProviderByPath-FilePath=c:\windows\system32\ddabx.dll,RC=0,ThreatID=15196
10/14/2005 7:52:22 AM::Removed all related Winsock LSP handler for c:\windows\system32\ddabx.dll
10/14/2005 7:55:36 AM::------------------------------------------------
10/14/2005 7:55:36 AM::Starting GIANT AS Cleaner
10/14/2005 7:55:36 AM::Running all Cleaner deletes
10/14/2005 7:55:36 AM::Checking threats to clean
10/14/2005 7:55:37 AM::------------------------------------------------------------------
10/14/2005 7:55:37 AM::Initializing Clean - (ScanID: 07CD50A0-4AC9-4034-AF28-A4488B)
10/14/2005 7:55:37 AM::Cleaning threat 15196 ScanID: 07CD50A0-4AC9-4034-AF28-A4488B
10/14/2005 7:55:37 AM::Clean Threat Virtumondo (ID:15196)
10/14/2005 7:55:38 AM::Generating threat
10/14/2005 7:55:41 AM::Removing file c:\windows\system32\ddabx.dll
10/14/2005 7:55:41 AM::RemoveProviderByPath-FilePath=c:\windows\system32\ddabx.dll,RC=0,ThreatID=15196
10/14/2005 7:55:41 AM::Removed all related Winsock LSP handler for c:\windows\system32\ddabx.dll
10/14/2005 7:56:30 AM::Removing BHO {52B1DFC7-AAFC-4362-B103-868B0683C697} for file c:\windows\system32\ddabx.dll
10/14/2005 7:56:30 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:30 AM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:32 AM::Unregistering COM entry points for file c:\windows\system32\ddabx.dll
10/14/2005 7:56:33 AM::Disable file c:\windows\system32\ddabx.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\BF7CDCDB-02D4-43F9-BADC-B87C1D\A41F74E8-79DC-440C-BEF7-C222B7
10/14/2005 7:56:33 AM::Delete file c:\windows\system32\ddabx.dll failed, adding to FileDeleteReboot
10/14/2005 7:56:33 AM::Disable file c:\windows\system32\ddabx.dll failed, file locked or in memory
10/14/2005 7:56:33 AM::Special cleaner required to remove threat on restart, reason: Could not quarantine file c:\windows\system32\ddabx.dll, unknown error moving file. (CLEANER RUNNING)
10/14/2005 7:56:33 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [=C:\WINDOWS\system32\ddabx.dll
10/14/2005 7:56:33 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [ThreadingModel=apartment
10/14/2005 7:56:33 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID [=MSEvents.MSEvents.1
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\Programmable
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib [={BAD59A24-6891-417D-A041-C8FD495B77F1}
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID [=MSEvents.MSEvents
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [=MSEvents Object
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [AppID=
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:35 AM::Removing registry key HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:36 AM::Clean Threat Virtumondo (ID:15196) Complete
10/14/2005 7:56:36 AM::Unititializing Clean
10/14/2005 7:56:36 AM::------------------------------------------------------------------
10/14/2005 7:56:36 AM::Ending GIANT AS Cleaner
10/14/2005 7:56:36 AM::------------------------------------------------
10/14/2005 8:19:27 AM::------------------------------------------------
10/14/2005 8:19:27 AM::Starting GIANT AS Cleaner
10/14/2005 8:19:27 AM::Running all Cleaner deletes
10/14/2005 8:19:27 AM::---Starting Quick Cleaner DelFiles
10/14/2005 8:19:27 AM::File delete failed for c:\windows\system32\ddabx.dll
10/14/2005 8:19:27 AM::---Starting Quick Cleaner DelRegKeys
10/14/2005 8:19:28 AM::Registry key delete complete for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 8:19:28 AM::Checking threats to clean
10/14/2005 8:19:28 AM::Ending GIANT AS Cleaner
10/14/2005 8:19:28 AM::------------------------------------------------





Vundo Fix Log --------------------------------------


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 500 'smss.exe'
Threads [504][508][512]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1548 'explorer.exe'
Killing PID 1548 'explorer.exe'
Killing PID 1548 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 572 'winlogon.exe'
Killing PID 572 'winlogon.exe'
Killing PID 572 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.




Hijackthis Log - After running Ewido, Spy Sweeper, and Vundo fix. -------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:43:49 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: gebyw - C:\WINDOWS\SYSTEM32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





I provided the other logs as a reference, but does my HijackThis log look clean???

Thanks for your help,
Nick

Edited by ns0622, 14 October 2005 - 12:13 PM.
