Gladiator Security Forum


> Forum Rules

Greetings,

Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum

Failure to follow these instructions will only result in delays of the cleaning and removal process.

If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.

Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.

Thank You

> Please help: winfixer popup problem, VUNDO TROJAN
Delboy56
post Dec 23 2005, 06:04 AM
Post #1


Adv. Member

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



Hello,
I'm hoping someone can tell me what needs to be done to clean up this computer (my teen daughter's). She said she's run all her security scans, and is still having problems with pop-ups. Thank you very much for your help!

Logfile of HijackThis v1.99.1
Scan saved at 12:03:35 AM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

This post has been edited by Delboy56: Dec 28 2005, 06:06 PM
LoPhatPhuud
post Dec 23 2005, 07:43 AM
Post #2


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



First:
You are currently using hijackthis from a temporary directory, or from the Desktop.
This can cause problems and will leave backups scattered.

Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory.
Run the program from that directory from now on.

It is essential that you follow these steps or certain important features of the program will not function correctly.


Second:
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    QUOTE
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:
    QUOTE
    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\gebcc.dll

  • Press Enter to continue with the fix.
  • Next you will see:
    QUOTE
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\ccbeg.*
      This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
      O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll

      O15 - Trusted Zone: *.musicmatch.com (HKLM)

      O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them into this topic, along with a new HiJackThis log and the vundofix.txt file from the VundoFix folder.


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain
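The log in post #1 and the VundoFix instructions in post #2 together describe the pattern the helper is keying on: one DLL (gebcc.dll) registered both as a Browser Helper Object (O2) and as a Winlogon Notify package (O20), plus a second VundoFix path that is the DLL's name spelt backwards. The script below is an added example written for this page; it is not code from the forum, from HijackThis or from VundoFix. It parses a constructed excerpt of the log posted above, pairs O2 and O20 entries that load the same file, derives the reversed companion pattern and lists the HJT lines to fix. The log excerpt, the regular expressions and the function names are assumptions made for illustration.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted at the top of this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.comcast.net/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\\WINDOWS\\system32\\gebcc.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: gebcc - C:\\WINDOWS\\system32\\gebcc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# "O2 - BHO: ..." / "R0 - HKCU\..." : section code, separator, rest of line.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .dll/.exe; HJT puts the loaded file last.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))", re.IGNORECASE)


def parse_hjt(log_text):
    """Return (section, body, path) triples; path is None when no file is named."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        p = PATH_RE.search(body)
        entries.append((section, body, p.group(1) if p else None))
    return entries


def vundo_candidates(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20).

    That pairing is the Vundo persistence pattern this thread is dealing with:
    the BHO runs inside Internet Explorer (the WinFixer popups), while the
    Winlogon Notify hook is loaded by winlogon.exe at boot, so the DLL is in use
    before any cleaner runs, which is why the helper insists on Safe Mode.
    """
    o2 = {p.lower(): p for s, _, p in entries if s == "O2" and p}
    o20 = {p.lower() for s, _, p in entries if s == "O20" and p}
    return sorted(o2[k] for k in o2.keys() & o20)


def companion_pattern(dll_path):
    """VundoFix's second prompt: the DLL's base name spelt backwards plus '.*'.

    C:\\WINDOWS\\system32\\gebcc.dll -> C:\\WINDOWS\\system32\\ccbeg.*
    """
    directory, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{directory}\\{stem[::-1]}.*"


def fix_list(entries, dlls):
    """HJT lines a helper would tell the user to tick and 'Fix checked'."""
    wanted = {d.lower() for d in dlls}
    return [f"{s} - {b}" for s, b, p in entries if p and p.lower() in wanted]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for dll in vundo_candidates(entries):
        print("Vundo-style BHO + Winlogon Notify pair:", dll)
        print("  VundoFix first path :", dll)
        print("  VundoFix second path:", companion_pattern(dll))
        for line in fix_list(entries, [dll]):
            print("  HJT fix checked    :", line)
```

Run against the constructed excerpt it reports gebcc.dll as the candidate, prints C:\WINDOWS\system32\ccbeg.* as the second VundoFix path and lists the O2 and O20 lines, which matches what the helper asked for in post #2. The O15 Trusted Zone entry is deliberately not flagged here: it is unrelated to Vundo and was fixed as a separate clean-up item.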
Delboy56
post Dec 23 2005, 04:45 PM
Post #3


Adv. Member

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



Thank you for your reply. I am having difficulty trying to get the desktop open in safe mode, and therefore cannot run KillVundo.bat as indicated. All I get is a blank screen with safe mode in the corners. I tried this multiple times, and the last time I tried I got a blue screen warning, with a message that filled the entire page, which I can't even begin to duplicate here. No cut & paste available at that point. Something to the effect that the computer was being shut down as a file error was detected that may cause damage to the computer, and then something about a physical dump at the bottom???? Help!
LoPhatPhuud
post Dec 23 2005, 06:50 PM
Post #4


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



Was there any indication of the file that caused the error? We need Safe Mode to correctly remove the infection.


Delboy56
post Dec 24 2005, 02:18 AM
Post #5


Adv. Member

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



I went ahead and took the chance to run the VundoFix in regular mode, as there was no success getting into safe mode. Here are the requested results:




VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcc.dll

The second filepath entered was C:\WINDOWS\system32\ccbeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 560 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 1508 'explorer.exe'


Killing PID 648 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

C:\WINDOWS\system32\gebcc.dll Deleted sucessfully.
C:\WINDOWS\system32\ccbeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 7:17:07 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ActiveScan report:


Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/browseraid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Sam\Application Data\tvmcwrd.dll
Adware:adware/ipinsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/twain-tech Not disinfected C:\WINDOWS\INF\multimpp.inf
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax.log
Adware:adware/effectivebrandtoolbarNot disinfected C:\WINDOWS\games.exe
Adware:adware/topconvert Not disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Sam\Application Data\Lycos
Adware:adware/sqwire Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Installer.class]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Sam\My Documents\sinstaller.exe
Adware:Adware/nCase Not disinfected C:\Program Files\backups\backup-20051216-163636-611.dll
Adware:Adware/nCase Not disinfected C:\Program Files\backups\backup-20051216-163638-413.dll
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/Comet Not disinfected C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/MultiMPP Not disinfected C:\WINDOWS\INF\multimpp.inf
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:Adware/nCase Not disinfected C:\WINDOWS\SYSTEM32\mscjjn.dll
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\msefoi.dll
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\SYSTEM32\msiaih.dll
Adware:Adware/Ipend Not disinfected C:\WINDOWS\SYSTEM32\mskplb.dll
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\SYSTEM32\O
Virus:Trojan Horse Not disinfected C:\WINDOWS\SYSTEM32\O.BAT
LoPhatPhuud
post Dec 24 2005, 02:51 AM
Post #6


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



Some progress seems to have been made, but the ActiveScan report shows a lot of infections still there...

Please download, install, and update the free version of Ewido Security Suite:
http://www.ewido.net/en/download/

[1]From the main ewido screen, click on update in the left menu, then click the Start update button.

[2]After the update finishes (the status bar at the bottom will display "Update successful")


Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Next, run a scan with Ewido.

[3]Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please be patient.

[4]If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[5]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review :)

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button :)


Delboy56
post Dec 24 2005, 05:03 AM
Post #7


Adv. Member

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



Hi,
Once again, no luck getting the computer into Safe Mode, so I ran it in regular mode, with IE closed. Here are the ewido scan results:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:01:36 PM, 12/23/2005
+ Report-Checksum: A2E5D65A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95} -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\ToolBar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410CDE-6F16-42CE-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\ToolBar -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Sam\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\backups\backup-20051216-163636-611.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\backups\backup-20051216-163638-413.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup
C:\setup304.exe -> Downloader.Agent.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0057633.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0057635.exe -> Spyware.WinShow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0057636.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0057643.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\snapshot\MFEX-21.DAT -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0058831.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0058998.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0059004.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP590\A0059047.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP590\A0059207.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP590\A0059213.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP591\A0062383.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP591\A0062539.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP591\A0062545.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP592\A0062653.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP592\A0062809.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP592\A0062815.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\mscjjn.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\msiaih.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\SYSTEM32\mskplb.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
LoPhatPhuud
post Dec 24 2005, 05:19 AM
Post #8


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



OK, please run HiJackThis again and post a new log in this thread.


Delboy56
post Dec 24 2005, 05:51 AM
Post #9


Adv. Member

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



Thanks for replying so quickly. I just got a 'winfixer' pop-up so not sure everything is clean. Here's the log you requested:


Logfile of HijackThis v1.99.1
Scan saved at 11:48:37 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
post Dec 24 2005, 06:33 AM
Post #10


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



Before we go any further, we need to resolve the Safe Mode issue. If we cannot fix the problem, then trying to remove the more difficult infections is like putting a bandaid on a severed artery.

See if you can reboot in Safe Mode with Command Prompt or Safe Mode with Networking and let me know.

I am checking MS to see if I can find any more information. The final stop is to do a restore installation.


Delboy56
post Dec 24 2005, 05:53 PM
Post #11


Adv. Member

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



I managed to get into safe mode with networking! What is the next step?
LoPhatPhuud
post Dec 24 2005, 09:46 PM
Post #12


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    QUOTE
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:
    QUOTE
    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\gebcc.dll


  • Press Enter to continue with the fix.

  • Next you will see:
    QUOTE
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\ccbeg.*
      This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
      (There are no items to remove in HJT at this time
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the VundoFix folder into this topic.


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain
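The instructions above ask for two paths: the Vundo DLL itself and a wildcard built from its name spelt backwards (gebcc.dll pairs with ccbeg.*). The following Python script is an added example, not part of this thread and not VundoFix's own code. It generalizes that single observation into a small triage heuristic: given a directory listing, it reports any two file stems that are exact reverses of each other, and it builds the two paths a helper would type into VundoFix for a given DLL name. The directory listing it scans is constructed inline for the example; pass `os.listdir(r"C:\WINDOWS\system32")` instead to run it against a real folder. The function names and the `min_len` cutoff are this example's own choices.

```python
import os

# Constructed listing standing in for C:\WINDOWS\system32 (not taken from the
# thread's logs). The gebcc.dll / ccbeg.* pair mirrors the names the forum
# staff gave; the rest are ordinary-looking names used to exercise the filters.
SAMPLE_LISTING = [
    "kernel32.dll", "user32.dll", "gebcc.dll", "ccbeg.ini", "ccbeg.bak",
    "ntdll.dll", "shell32.dll", "wow.dll", "level.dll",  # 'level' reads the same reversed
    "abc.dll", "cba.dll",                                 # too short to be meaningful
]


def find_reverse_name_pairs(names, min_len=4):
    """Return (stem, files, reversed_stem, files) tuples for every pair of
    file stems in `names` that are exact reverses of each other.

    Stems shorter than `min_len` and palindromic stems are ignored, because
    they pair by chance far too often to be a useful signal. Each pair is
    emitted once, keyed on the lexically smaller stem.
    """
    stems = {}
    for name in names:
        stem = os.path.splitext(name)[0].lower()
        stems.setdefault(stem, []).append(name)

    pairs = []
    for stem, files in stems.items():
        if len(stem) < min_len:
            continue
        rev = stem[::-1]
        if rev == stem:
            continue                       # palindrome: would pair with itself
        if rev in stems and stem < rev:    # emit each pair only once
            pairs.append((stem, sorted(files), rev, sorted(stems[rev])))
    return pairs


def vundofix_paths(dll_name, system32=r"C:\WINDOWS\system32"):
    """Build the two paths the VundoFix prompts ask for: the DLL itself and
    the reversed-stem wildcard, exactly as in the forum instructions."""
    stem = os.path.splitext(dll_name)[0]
    return (system32 + "\\" + dll_name, system32 + "\\" + stem[::-1] + ".*")


if __name__ == "__main__":
    for stem, files, rev, rev_files in find_reverse_name_pairs(SAMPLE_LISTING):
        print(f"reverse-name pair: {files} <-> {rev_files}")
    print(vundofix_paths("gebcc.dll"))
```

The heuristic is only a pointer for a human reviewer: unrelated files can happen to have mirrored stems, so a hit is a reason to look at the file's signer, timestamps and HijackThis entries, not a verdict on its own.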
Delboy56
post Dec 25 2005, 05:42 PM
Post #13


Adv. Member
Group Icon

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



Greetings of the Season!


Here are the results after running VundoFix in Safe Mode:


ActiveScan results:


Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/browseraid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Sam\Application Data\tvmcwrd.dll
Adware:adware/ipinsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/twain-tech Not disinfected C:\WINDOWS\INF\multimpp.inf
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax.log
Adware:adware/effectivebrandtoolbar Not disinfected C:\WINDOWS\games.exe
Adware:adware/topconvert Not disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Sam\Application Data\Lycos
Adware:adware/sqwire Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Installer.class]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Sam\My Documents\sinstaller.exe
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/MultiMPP Not disinfected C:\WINDOWS\INF\multimpp.inf
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\msefoi.dll
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\SYSTEM32\O
Virus:Trojan Horse Not disinfected C:\WINDOWS\SYSTEM32\O.BAT



Logfile of HijackThis v1.99.1
Scan saved at 11:40:21 AM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: (no name) - Software - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcc.dll

The second filepath entered was C:\WINDOWS\system32\ccbeg*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 500 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 1408 'explorer.exe'
Killing PID 1408 'explorer.exe'


Killing PID 576 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\gebcc.dll.
C:\WINDOWS\system32\ccbeg* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

This post has been edited by Delboy56: Dec 26 2005, 05:58 AM
Delboy56
post Dec 25 2005, 06:49 PM
Post #14


Adv. Member
Group Icon

Group: Active Members
Posts: 75
Joined: 6-December 04
Member No.: 12067



(message edited in error, and deleted)

This post has been edited by Delboy56: Dec 26 2005, 05:57 AM
LoPhatPhuud
post Dec 25 2005, 09:45 PM
Post #15


Master of Disaster Recovery
Group Icon

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



That is looking much better! Just a few more things to do.

First:
1. Download the Hoster from here: www.funkytoad.com/download/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'.
4. Exit the program.

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.


Second:
Run AVG and do a full system scan, letting it remove all it finds.


Last:
Run HijackThis again and post a new log in this thread.


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain
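The ActiveScan results earlier in the thread flagged the hosts file (Trj/Qhost.Y), which is why the step above restores the original hosts file. The Python script below is an added example, not code from this thread and not Hoster's own; it shows what such a check looks like in code. A normal hosts file only maps names to loopback or 0.0.0.0 (the benign ad-blocking use), so the audit flags two things: any entry that points a name at a remote address, and any entry that moves `localhost` off loopback. It then produces a copy with the flagged lines removed. The hosts content is constructed inline for the example, using reserved `.invalid` names and a TEST-NET address so it cannot refer to any real host; on a real machine read `C:\WINDOWS\system32\drivers\etc\hosts` instead.

```python
import ipaddress

# Constructed hosts file for this example (not the file from the thread).
# Lines 7 and 8 imitate the shape of a Qhost-style hijack: a vendor-looking
# name sent to a remote address instead of to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# Constructed sample for this example, not a file from the thread.

127.0.0.1       localhost
127.0.0.1       ads.example-tracker.invalid   # benign blocking entry
198.51.100.23   www.example-antivirus.invalid
198.51.100.23   update.example-antivirus.invalid
0.0.0.0         telemetry.example.invalid
"""


def parse_hosts(text):
    """Yield (line_number, address, [names]) for every effective hosts entry,
    ignoring blank lines and '#' comments (trailing comments included)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return (line_number, address, names, reason) for suspicious entries."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, names, "unparseable address"))
            continue
        if "localhost" in [n.lower() for n in names] and not ip.is_loopback:
            # localhost must resolve to loopback; anything else is a hijack
            findings.append((lineno, addr, names, "localhost redirected"))
        elif ip.is_loopback or ip.is_unspecified:
            continue  # sinkhole-style entries: the normal, benign use of the file
        else:
            findings.append((lineno, addr, names, "name redirected to remote host"))
    return findings


def strip_redirects(text):
    """Return the hosts text with every flagged line removed, keeping comments
    and benign entries (a lighter touch than restoring the stock file)."""
    bad_lines = {f[0] for f in audit_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, addr, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {', '.join(names)}: {reason}")
```

Restoring the stock file, as the Hoster step does, is the simpler and safer remediation on a machine this infected; `strip_redirects` is shown for the case where custom entries must survive, which is exactly the situation the note about Hoster's backup facility addresses.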
