Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Winfixer removal issue [resolved]

Started by Kaleido Katie , Nov 06 2005 06:41 PM

This topic is locked

#1
Kaleido Katie

Posted 06 November 2005 - 06:41 PM

Member

Member
12 posts

I thought I had spybot remove it, but it still seems to popup when I load webpages. I just want to get rid of the darn thing! :tazz:

Here's my Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:16 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\InstallFiles\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\gebcb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
g2i2r4

Posted 07 November 2005 - 08:21 AM

retired HiJack Helper

Retired Staff
5,080 posts

Welcome Kaleido Katie to Geeks to Go!

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you’ve carried out the advise.

***

Please print these instructions out for use in Safe Mode.
Please note: your Antivirus program may prompt you to a malicious script trying to run. Allow the entire script once.

Please download VundoFix.exe by Atribune© to your desktop.

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
At this point press enter one time.
Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
- C:\WINDOWS\system32\gebcb.dll
Press Enter to continue with the fix.
Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\bdbeg.*
Press Enter to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items and click FIX CHECKED:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\gebcb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll
After you have fixed these items, close Hijackthis.
Press enter to exit the program then manually reboot your computer.
Once your machine reboots please continue with the instructions below.

***

Remove this file:
c:\windows\system32\ShowWnd.exe

***

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Run the Free use Panda Active Scan.

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3
Kaleido Katie

Posted 07 November 2005 - 11:58 AM

Member

Topic Starter
Member
12 posts

First off, thanks for helping!

I ran into a little problem though.. I got down to the Panda Scan and tried to use it.. but nothing happened. I loaded the page a few times, but when I click anything under "Select a device to scan..." nothing happens. Down on my browser it says "Error on page" too. So, I took off popups and the only thing that comes up is a blank page. Which would be: http://activescan.pa...ctivescan2/Srv2

Also, where you said to

Remove this file:
c:\windows\system32\ShowWnd.exe

I couldn't seem to find it anywhere in my system32 folder. :tazz:

Edited by Kaleido Katie, 07 November 2005 - 12:11 PM.

#4
g2i2r4

Posted 08 November 2005 - 02:37 PM

retired HiJack Helper

Retired Staff
5,080 posts

No problem, let's see how far we've come.

Can you post me a new HijackThis log and the vundofix.txt file from the vundofix folder.

#5
Kaleido Katie

Posted 08 November 2005 - 02:57 PM

Member

Topic Starter
Member
12 posts

Sure

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:12 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\InstallFiles\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-------------------------------------------------------------------

vundofix.txt :

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcb.dll

The second filepath entered was C:\WINDOWS\system32\bdbeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 128 'smss.exe'

Killing PID 780 'explorer.exe'

Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\gebcb.dll Deleted sucessfully.
C:\WINDOWS\system32\bdbeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#6
g2i2r4

Posted 08 November 2005 - 03:05 PM

retired HiJack Helper

Retired Staff
5,080 posts

Please download, install, and update the free version of Ewido trojan scanner:

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT scan yet.

***

Please redo the HijackThis part:

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\gebcb.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Reboot the computer to safe mode.

***

Next, run Ewido again.

Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

***

Reboot back to normal mode. Post me the HijackThis log and the Ewido log please.

#7
Kaleido Katie

Posted 08 November 2005 - 06:32 PM

Member

Topic Starter
Member
12 posts

New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 4:29:59 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\InstallFiles\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

----------------

Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:24:43 PM, 11/8/2005
+ Report-Checksum: 4F22B3F8

+ Scan result:

HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Install.dll\\.Owner -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Install.dll\\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{81A99149-F047-4090-8AAD-D11FF4EFB734} -> Spyware.DAE : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-2269946479-2150826576-4121270899-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\user\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\ssqrs.dll -> TrojanDownloader.ConHook.l : Cleaned with backup
F:\Program Files\WildTangent\LFS\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
F:\WINDOWS\Temporary Internet Files\Content.IE5\KXMF4PMV\search[1].htm -> Spyware.BookedSpace : Cleaned with backup
F:\WINDOWS\Cookies\holly@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
F:\WINDOWS\Cookies\holly@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
F:\WINDOWS\Cookies\holly@hypertracker[3].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
F:\WINDOWS\Cookies\holly@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
F:\WINDOWS\Cookies\holly@adorigin[3].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
F:\WINDOWS\Cookies\holly@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
F:\WINDOWS\Cookies\holly@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
F:\WINDOWS\Cookies\holly@com[3].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Trafficvenue : Cleaned with backup
F:\WINDOWS\Cookies\holly@adorigin[4].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
F:\WINDOWS\Cookies\holly@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Fastadvert : Cleaned with backup
F:\WINDOWS\Cookies\holly@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Adition : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfliuhazwbow2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyohdzmaqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
F:\WINDOWS\Cookies\holly@hypertracker[4].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
F:\WINDOWS\Cookies\holly@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
F:\WINDOWS\Cookies\holly@linkbuddies[1].txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
F:\WINDOWS\Cookies\holly@com[4].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][4].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
F:\WINDOWS\Cookies\holly@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
F:\WINDOWS\Cookies\holly@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][5].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
F:\WINDOWS\Cookies\holly@specificpop[3].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyulcjsapw6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkokodpsdog-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycmdpmgpgqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wfkospcjodpq-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfliqgcjkcogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoqicjgkqq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkougajwbogsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloopcpckqqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliuodjobpgwdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4gjdpgepaudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@com[6].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlygiczedqq6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlicpdpidpgqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyencjmkqawdj6x9ny-1seq-2-2.stats.esomniture[3].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyeoczgapwqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyqhc5alogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4skczceqqwdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnywkdzeloaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyencjmkqawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyahd5ifpaydj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sc5ocpaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjmickc5ohog-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyuhcjehog2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyamdjklqqidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1jdjchoamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4epd5cdqawdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyejajeaqqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1scpcboqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkycpdpmgoa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycodjidpw2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkysodzeaoa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliwndpobqqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyojcpgdoawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkogjcjmloaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyemcpacpgidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykkczmbqaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyulczifpgsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkywndjslqasdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4cic5skow2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkosncjmkqaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoald5shqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkychd5aboq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sdzkaowqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlogpcpmfqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloepdpcapgwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4kgdjekqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyqld5gfpgqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\holly@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkygoczgkpwudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\WINDOWS\Cookies\[email protected][5].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
F:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
F:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
F:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
F:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
F:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup

::Report End

#8
g2i2r4

Posted 09 November 2005 - 02:07 PM

retired HiJack Helper

Retired Staff
5,080 posts

Weldone,

the logs look good to me.

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?

#9
Kaleido Katie

Posted 09 November 2005 - 03:51 PM

Member

Topic Starter
Member
12 posts

Thank you! :woot:

And thank you SO much for all your help. You explained everything very well, it was really simple for me to follow. :tazz:

My computer seems to be running just fine! I think it even loads a bit faster after restarting.

I would love some tips on how to keep everything smooth from now on!

Thanks again for everything.. :woot:

#10
g2i2r4

Posted 09 November 2005 - 03:59 PM

retired HiJack Helper

Retired Staff
5,080 posts

Thanks, I just loooooove compliments :tazz:

Good to hear everything is okay now.

Please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Re-enable system restore with the instructions from the tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & Hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

You may want to check this fine article by Tony Klein: How did I get infected in the first place?

Glad I was able to help.