Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I repeatedly get a virus warning indicating that I have a "Trojan Virus Generic DVE" this appears while clicking on "MY Computer". It indicates that the virus is found while opening C:\Windows\System32\9ru.dll. I use AVG and all scans indicate that I do not have a virus. I have run CW Shredder, Spybot and Ad-Aware and still get this warning. My system has become extremely slow, even after all the poroper tweaks, scan disk, defragging etc.
I have read Post #17242 and read the instructions from Jabuck and am wondering if this is the cure for me.
Please advise and thank you.
Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders
0 
Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
0
Hopefully this is what you requested/need.
Logfile of HijackThis v1.99.1
Scan saved at 3:17:09 PM, on 12/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\9ru.dll (file missing)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\System32\gebyy.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\RunOnce: [jfva5vv.exe] C:\WINDOWS\System32\jfva5vv.exe /k
O4 - HKCU\..\RunOnce: [jfva5vv.exe] C:\WINDOWS\System32\jfva5vv.exe /k
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134771642181
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak01.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.en-US.9.1.6.20.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8143948-B775-4DF3-827D-43D2F49E5E43}: NameServer = 205.188.146.145
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
0
Download Ewido Security Suite then set it up this way Ewido Setup Instructions but do not run it yet.
You have a winfixer infection.Please download http://www.atribune.org/downloads/VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this:VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....At this point press enter one time.
Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\System32\gebyy.dll
Press Enter to continue with the fix.
Next you will see:At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\System32\yybeg.*
Press Enter to continue with the fix. The fix will run then HijackThis will open, if it does not open automatically please open it manually. In HiJackThis, please place a check next to the following items and click FIX CHECKED:R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\9ru.dll (file missing)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\System32\gebyy.dll
O4 - HKLM\..\RunOnce: [jfva5vv.exe] C:\WINDOWS\System32\jfva5vv.exe /k
O4 - HKCU\..\RunOnce: [jfva5vv.exe] C:\WINDOWS\System32\jfva5vv.exe /k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing).
Next set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Then navigate to and delete these files if found:
C:\WINDOWS\SYSTEM32\9ru.dll
C:\WINDOWS\System32\jfva5vv.exe /k.
Now run Ewido and when the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.
Please reboot into normal mode and post the ewido log and a new HT log
0
Thanks Jabuck for all the trouble you have gone to. I will follow your directions. I think I was lucky to get a "Hijack" log. It was a problem opening it and AVG kept saying that the program/file contained a virus. I'll get back to you ASAP.
0
Jabuck, I'm running into a slight problem. I downloaded the utilities and followed the instructions to the "T", however, when I attempt to go into the Safe Mode I get a single "beep" and before I can click the "Yes", button indicating that the PC is in the safe mode, it freezes. I've made several attempts to get past this problem with negative results,I have even allowed the PC to sit in that state for several minutes to no avail.
Can this procedure be done not in safe mode? Please advise. Again, thanks for your time and efforts.
0
Try booting into safe mode this way.Go to start>run>type "msconfig" without the quotes>ok>boot.ini tab>check the box beside "/safeboot>apply>ok. Then restart the computer.
To undo this go back to msconfig>tick"normal startup">apply>ok.
0
Okay Jabuck, I got by the safe mode issue. Attached are the logs. I tried to run a new HT log but could not. I keep getting a virus detected error message in the HJT program. I tried downloading a new one and got the same results.
+ Created on: 10:55:01 AM, 12/19/2005
+ Report-Checksum: 2440DFF
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{0026AD90-C86F-4269-97F3-DAB4897C6D06} -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Incredifind -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3137538504-2516946064-3512696295-1007\Software\Toolbar -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Verna Herman\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Verna Herman\Local Settings\Temp\5z68lu.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\Documents and Settings\Verna Herman\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Verna Herman\Start Menu\Programs\WhenU\Learn More About Save!.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Verna Herman\Start Menu\Programs\WhenU\Learn More About SaveNow.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Verna Herman\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Verna Herman\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Verna Herman\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Aprps\ace.dll -> Trojan.Crypt.t : Cleaned with backup
C:\Program Files\Aprps\libexpat.dll -> Trojan.Crypt.t : Cleaned with backup
C:\Program Files\Aprps\ProxyStub.dll -> Trojan.Crypt.t : Cleaned with backup
C:\Program Files\Aprps\uninstaller.exe -> Trojan.Crypt.t : Cleaned with backup
C:\Program Files\Aprps\WinGenerics.dll -> Trojan.Crypt.t : Cleaned with backup
C:\Program Files\Save -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\ACM.dll -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Spyware.SaveNow : Cleaned with backup
C:\RECYCLER\S-1-5-21-3137538504-2516946064-3512696295-1007\Dc4.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP595\A0057690.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\5z68lu.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\ptcpbiv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\5z68lu.sys -> Trojan.Kolweb.g : Cleaned with backup
::Report End
Please advise if anything further is needed.
0
Go to start>control panel>add/remove programs>click on Hijack This 1.99>click remove.
Reinstall HT and post a new log. The Ewido scan looks good.
0
okay, moving right along. Let me know how we make out. And again, many thanks.
Logfile of HijackThis v1.99.1
Scan saved at 3:09:20 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Verna Herman\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\9ru.dll (file missing)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\System32\gebyy.dll (file missing)
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\VERNAH~1\LOCALS~1\Temp\2005121915436_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\VERNAH~1\LOCALS~1\Temp\2005121915441_mcappins.exe /v=3 /cleanup
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134771642181
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak01.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.en-US.9.1.6.20.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8143948-B775-4DF3-827D-43D2F49E5E43}: NameServer = 205.188.146.145
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
0
Run Hijack This again,close all windows and browsers except HT,Place a check to the left of these items and press "fix checked".
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\9ru.dll (file missing)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\System32\gebyy.dll (file missing)
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\VERNAH~1\LOCALS~1\Temp\2005121915436_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\VERNAH~1\LOCALS~1\Temp\2005121915441_mcappins.exe /v=3 /cleanup
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
0
Okay, I ran HJT twice and below are the results.
First Scan Report
Logfile of HijackThis v1.99.1
Scan saved at 6:54:06 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\9ru.dll (file missing)
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\System32\gebyy.dll (file missing)
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\VERNAH~1\LOCALS~1\Temp\2005121915436_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\VERNAH~1\LOCALS~1\Temp\2005121915441_mcappins.exe /v=3 /cleanup
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134771642181
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak01.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.en-US.9.1.6.20.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeSecond Scan Report
Logfile of HijackThis v1.99.1
Scan saved at 7:04:18 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134771642181
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak01.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.en-US.9.1.6.20.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
0
Jabuck, I can't thank you enough. This Forum, and the people that are so willing to help, is the greatest. Again, thank you so much.
I do still have one question, when I run Ewido it still indicates that there are three infected files. These files are cured/deleted at the end of the scan, however, each and every scan indicates that they are still there. Any thoughts on this?
The PC does run like it should now.Thank you,
0
Ewido log as requested, performed in Safe Mode.
ewido anti-malware - Scan report
+ Created on: 9:17:17 AM, 12/20/2005
+ Report-Checksum: F77AC558
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-3137538504-2516946064-3512696295-1007\Software\Toolbar -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\Verna Herman\Cookies\verna herman@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
::Report End
0
Go to start>control panel>add/remove programs and uninstall these items if found:
SaveNow
WhenUsave
Webhancer
WebSearch
If you see something similar write it down and post it.
Run HT again and delete this item:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
In case ewido did not complete remove "AproposMedia" download aproposfix.exe at this link http://swandog46.geekstogo.com/aproposfix.exe to your desktop.
Reboot into safe mode, double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished,run Ewido then reboot back into normal mode, and post a new Ewido log along with the entire contents of the log.txt file in the aproposfix folder.
0
Okay Jabuck as requested. Are you getting tired of hearing from me yet? What's the record for the most posts? lol.
+ Created on: 3:10:11 PM, 12/20/2005
+ Report-Checksum: CE88AD92
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-3137538504-2516946064-3512696295-1007\Software\Toolbar -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\Verna Herman\Cookies\verna herman@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
::Report End
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\Verna Herman\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\Aprps][HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"ProxyStub"="C:\\Program Files\\Aprps\\proxystub.dll"
"Plugin"="C:\\Program Files\\Aprps\\cxtpls.dll"
"ClientName"="C:\\Program Files\\Aprps\\CxtPls.exe"
"LegalNote"="nonbranded"
"InstallationId"="{H300405e-794b-4361-abfd-e93cbefff752}"
"PartnerId"="CP.IST"
"ServerAddress"="adchannel.contextplus.net"REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Aprps]
[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"ProxyStub"="C:\\Program Files\\Aprps\\proxystub.dll"
"Plugin"="C:\\Program Files\\Aprps\\cxtpls.dll"
"ClientName"="C:\\Program Files\\Aprps\\CxtPls.exe"
"LegalNote"="nonbranded"
"InstallationId"="{H300405e-794b-4361-abfd-e93cbefff752}"
"PartnerId"="CP.IST"
"ServerAddress"="adchannel.contextplus.net"
************
No service found!
Removing hidden folder:
Deletion of folder Aprps succeeded!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\Aprps]
Done!
Finished!
0
Good,apropos was still there, but no longer.
Websearch is still present to some degree.I don't suppose you found anything in add/remove programs
Reboot into safe mode and make sure the computer is set up to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Then navigate to and delete this folder if found:
C:\Program Files\Toolbar
0
No I didn't find anything in the add/remove program with WebSearch or anything similar. I did find a toolbar utility that I removed, not sure it was related but, it was not necessary. I included one more Ewido scan for your scrutiny.
One question, where do you get the information, or know what is to be deleted after these scans etc? I would like to be able to do this myself without a lot of bother to people.
---------------------------
ewido anti-malware - Scan report
+ Created on: 8:04:38 AM, 12/21/2005
+ Report-Checksum: 51AA871F
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-3137538504-2516946064-3512696295-1007\Software\Toolbar -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\Verna Herman\Cookies\verna herman@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Verna Herman\Cookies\verna herman@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
::Report End
0
Many can be found by a google search on each hit that you get with a spyware scanner other than cookies.
Also doing searches on HT sites will help, but it take a lot of practice to do the HT logs.There is new stuff everyday.
Did you find a folder named Toolbar in Program Files?
0
Did you find a folder named Toolbar in Program Files?
No, I didn't. The PC is much better now and me much more the wiser. I took it back to my daughter.
I want to thank you so very much for your time and efforts. I'm sure we will come in contact again in the near future these PC's being what they are.
Have yourself some great holidays. Again, Thanks.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
