#1
Junior Member
Join Date: May 2007
Posts: 5
Hello,
First, a brief (hopefully) rundown of what happened, what I've done and where I am at now. To start with, everything was running smoothly with my machine until I started seeing random processes trying to access the internet through ZoneAlarm. That is usually my first tip-off that some variety of malware has penetrated my resolve (I never click yes to a pop, open files... nothing). I began to look into the matter with some virus scans using AVG. It turned out AVG had been compromised (I can't say for how long) so I uninstalled. At this point I started fresh with Norton 360. I completed a full virus and spyware scan using Norton 360. It found a FEW things, but nothing major. My machine was starting to bog down considerably, so I turned back to AVG and reinstalled it. After disabling Norton's resident scanning I proceeded with a full AVG scan. AVG found 13 separate things. One key logger and one password scarfer. After removing those my machine was STILL sluggish. I proceeded with a Spybot scan. I ran a spybot scan and found several more things. I then ran AVG a few more times. Upon reboot however, the machine was still sluggish.

Then I decided to check into a few things. I located this .DLL file geeda.dll and another xxyxww.dll ... I searched for information on those. I attempted to run vundofix. It didn't find the vundo virus. I could not remove it. I then decided to switch tacks and try some things from Safe Mode (I had already run a few AVG scans from safe mode, but I wanted to get rid of these two files)... There is ALWAYS some process that has a hold of these things... even in Safe mode. That is when I switched to trying BitDefender. However, I can't get captive to work properly so I cannot remove the offending DLLs. So now I'm at the point where I don't know how to boot my machine and have an NTFS driver running so that I can actually interact with the drive to remove these suckers.

I thought that was the purpose of VundoFix, but it apparently couldn't find what it was looking for. I'll post some HJT logs if I can, however, the machine is thoroughly hijacked and runs so slow when the internet is connected (I have been trying to keep it disconnected due to the keyloggers and password snatchers... it appears that whatever this version of geeda.dll & xxyxww.dll is, it keeps downloading new virusware for me to remove) that I can barely use it.

The infection couldn't have been too long ago, and I think it must have occurred because I clicked the "X" box to that stupid "Warning: Your computer may be running slower than usual..." virusware that installs itself no matter what you do. I only recently learned that you really should just use Alt-F4 with that thing or kill its process instead. Anyway, I hope someone has some suggestions that work. Nothing I've been able to do has rid me of these files. They are apparently in with the winlogon process now.

Oh, one more thing, it keeps writing .tmp files of the form winXXX.tmp to the WINNT\temp directory. Sometimes it has some other files there, but it basically looks like it is trying to put together parts of another virus/spyware/malware. I keep deleting them, but they just reappear. I've even tried to correct the registry, but with the virus running, it just repairs the registry. I wish you could lock a process out of the registry for a bit... that would make this virus removal stuff easier. Anyway, one of my AVG scans indicated that one of the files in there contained a virus at one point. So I don't know if those files are trying to log keystrokes, are a convenient download area or what. They are usually zero bytes long, but every once in a while, there is something in them. And if I scan it, at least a couple of times, I've found a new virus.
#2
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk. Please read and follow all instructions and post all required logs or reports, anything less will slow your process. Use "Post Reply" to post the information in the instructions and stay in the same topic.

This sounds like a Vundo infection at least, please use this version of HJT:
Download Trend Micro Hijack This™ http://www.trendsecure.com/portal/en...?page=download
Download it to your Program Files folder. Double-click the HijackThis_V2.exe to start it. Click "Do a System Scan and save a logfile". This will create a HijackThis log. Copy and paste the contents of the log in your next reply.

Along with the HJT log post the uninstall list: Open Hijackthis. Click the "Open the Misc Tools" section Button. Click the "Open Uninstall Manager" Button. Click the "Save list..." Button. Save it to your desktop. Copy and paste the contents into your reply.
Thanks
__________________
MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

#3
Junior Member
Join Date: May 2007
Posts: 5
Here are the HJT logs

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:50:28 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINNT\system32\cmd.exe
D:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINNT\system32\svchost.exe
D:\Program Files\Firefox\firefox.exe
C:\Program Files\ZipCentral\ZCentral.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ZCTmp.Dir\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42B033A5-3C08-46D5-86BF-66E4B6A5CE7C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot1_4\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {827E1A3E-E660-433E-9895-E99BA474BBDC} - C:\WINNT\system32\geeda.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINNT\system32\tbaogoqb.dll (file missing)
O2 - BHO: (no name) - {E499607A-AF7C-41E9-828E-3A6B6F2E985B} - C:\WINNT\system32\xxyxwxx.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpybotSnD] "\\Meteorblast\d$\Program Files\Spybot1_2\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [avp] C:\WINNT\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINNT\system32\outuulki.dll",realset
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {32564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_11) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: cbxxwxx - cbxxwxx.dll (file missing)
O20 - Winlogon Notify: expps - c:\winnt\microsoft.net\framework\expps.dll
O20 - Winlogon Notify: geeda - C:\WINNT\
O20 - Winlogon Notify: NoWgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winbjv32 - C:\WINNT\SYSTEM32\winbjv32.dll
O20 - Winlogon Notify: xxyxwxx - C:\WINNT\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - N:\Program Files\InCD\InCDsrv.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINNT\system32\npacketsvc.exe
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
#4
Junior Member
Join Date: May 2007
Posts: 5
Jesus, Joseph and Mary... I removed geeda.dll and others from registry and they are back. I've since gone to recovery console and searched for .dlls and .exes and other files created 05/18/07 - 06/04/07 I didn't recognize and removed them. It's still here. It must be part of explorer, svchost, or something. Winlogon keeps writing winxxx.tmp files to the c:\winnt\temp directory. So it must all still be there.

I've run the Vundo.exe from symantec already 4 times to no avail (never detects anything). I've run AVG several times. It never tagged any of the dlls that I found (including geeda and xxyxxwx.dll)... The other files I've run across were:
mcrh.tmp
mit.bat
pmnnl.dll
tbaogoqb.dll
ujewmanq.exe
uepsjnhw.dll
whnjspeu.ini
xnjutjpe.exe
Of course they rename themselves at will it appears, so I don't know if you'll recognize any of these guys. AVG 7.5 is up to date. Spybot is up to date, zone alarm is up to date. I've been keeping the machine off the net because of the keyloggers and password snatchers that I did catch early on. But it appears that things keep getting dropped and reinfected, so I've obviously not found the source. Hopefully you'll recognize it.
#5
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
Listen, if you want to do this, I will be glad to get out of your way, if not, wait for my instructions and follow them, which you have NOT done so far.

Thanks for returning your information but...you did not follow directions. You have placed HJT in a TEMP folder where it cannot safely store backups if needed.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ZCTmp.Dir\HiJackThis_v2.exe
If you can do it, move it here: C:\HJT\HiJackThis_v2.exe
Move the log into that folder also. If you cannot, then delete it and download it again and read and follow the directions this time.

Follow these instructions in the numbered order.

1) Please read this: http://forums.spybot.info/showpost.p...80&postcount=2
C:\Program Files\Java\jre1.5.0_11\ <<< out of date, download the newest version and uninstall all old versions in Add Remove Programs.

Let me give you a little information about this junk: Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/200...-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks...q=winfixer+msn
http://www.revenews.com/wayneporter/...l_network_now/

It looks like you have been trying to remove Vundo. If you have Vundofix, delete it and download it fresh from the link I provide. I am going to give you a lot of instructions at once, I am in no way asking you to rush. I suggest you take your time and READ then FOLLOW the directions carefully, those who do have few problems removing this junk.

2) How to make files and folders visible:
Click Start > Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later. Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

4) Please download VundoFix.exe to your desktop
If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com (hold that report and log until you finish)

5) How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tuto...42.html#delreb
Start Hijackthis. Click on the Config button. Click on the Misc Tools button. Click on the button labeled Delete a file on reboot... A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file:
C:\WINDOWS\SYSTEM32\winbjv32.dll
and click on it once, and then click on the Open button. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: (some items may be gone, removed by Vundofix, not to be concerned)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {42B033A5-3C08-46D5-86BF-66E4B6A5CE7C} - (no file)
O2 - BHO: (no name) - {827E1A3E-E660-433E-9895-E99BA474BBDC} - C:\WINNT\system32\geeda.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINNT\system32\tbaogoqb.dll (file missing)
O2 - BHO: (no name) - {E499607A-AF7C-41E9-828E-3A6B6F2E985B} - C:\WINNT\system32\xxyxwxx.dll (file missing)
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [claruxeb.exe] C:\Documents and Settings\All Users\Application Data\claruxeb.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINNT\system32\outuulki.dll",realset
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {32564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O20 - Winlogon Notify: cbxxwxx - cbxxwxx.dll (file missing)
O20 - Winlogon Notify: expps - c:\winnt\microsoft.net\framework\expps.dll
O20 - Winlogon Notify: geeda - C:\WINNT\
O20 - Winlogon Notify: winbjv32 - C:\WINNT\SYSTEM32\winbjv32.dll
O20 - Winlogon Notify: xxyxwxx - C:\WINNT\
Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:
smanager.7.exe <<< search for that file and delete it. Probably in the System32 folder
C:\Documents and Settings\All Users\Application Data\claruxeb.exe <<< delete that file
C:\WINNT\system32\outuulki.dll <<< delete that file
(any of those files gives you trouble use this tool again) How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tuto...42.html#delreb

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program. Click Select All found at the bottom of the list. Click the Empty Selected button. Click Exit on the Main menu to close the program.

Restart the computer and post the Vundofix report and a new HJT log. Thanks
__________________
MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006
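Step 5 above relies on HijackThis's "Delete a file on reboot" button, which is how a DLL that "always has some process holding it", even in Safe Mode, can still be removed. The following added example (not the helper's, not HijackThis code) shows the Windows mechanism underneath and a check to run before rebooting: MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT queues the request in the PendingFileRenameOperations registry value, which smss.exe processes early in the next boot, before winlogon.exe loads any Notify DLL. That HijackThis uses exactly this API is an assumption; the queue format is documented Windows behaviour, and the sample queue contents are constructed.

```python
r"""Added example, not code from the thread and not HijackThis itself: the
mechanism behind a "delete a file on reboot" button. On Windows,
MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends the request to
the REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries
the queue out early in the next boot, before winlogon.exe loads any Notify
DLL, so a file that some process always holds open can still be removed.
That HijackThis uses this exact API is an assumption; the queue format is
documented Windows behaviour. The sample queue below is constructed.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4       # winbase.h
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"                    # NT namespace form used in the queue


def queue_entry_for_delete(win_path: str):
    """The two strings MoveFileEx appends for a delete: NT path, empty target."""
    return [NT_PREFIX + win_path, ""]


def parse_pending(multi_sz):
    """Decode the queue into (source, destination, op) tuples.

    Entries come in pairs. An empty destination means delete; a destination
    starting with '!' means MOVEFILE_REPLACE_EXISTING was set on the call.
    """
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold src/dst pairs")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        src = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        if dst == "":
            ops.append((src, None, "delete"))
            continue
        replace = dst.startswith("!")
        dst = dst.lstrip("!")
        dst = dst[len(NT_PREFIX):] if dst.startswith(NT_PREFIX) else dst
        ops.append((src, dst, "replace" if replace else "rename"))
    return ops


def is_delete_queued(multi_sz, win_path: str) -> bool:
    """True if win_path is queued for deletion (case-insensitive, as NTFS is)."""
    want = win_path.lower()
    return any(op == "delete" and src.lower() == want
               for src, _, op in parse_pending(multi_sz))


def schedule_delete_on_reboot(win_path: str) -> bool:
    """Queue win_path for deletion at next boot. Windows only; needs admin rights."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_int
    if not k32.MoveFileExW(win_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


def read_pending_queue():
    """Read the live queue so it can be verified before rebooting. Windows only."""
    if sys.platform != "win32":
        raise OSError("the registry is only available on Windows")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample of the value after two queued operations: a delete of the
# Notify DLL named in this thread and a replace-rename of a temp file.
SAMPLE_QUEUE = [
    "\\??\\C:\\WINNT\\SYSTEM32\\winbjv32.dll", "",
    "\\??\\C:\\WINNT\\Temp\\update.tmp", "!\\??\\C:\\WINNT\\system32\\example.dll",
]

if __name__ == "__main__":
    for op in parse_pending(SAMPLE_QUEUE):
        print(op)
    print(is_delete_queued(SAMPLE_QUEUE, r"C:\winnt\system32\winbjv32.dll"))
```

schedule_delete_on_reboot and read_pending_queue only work on Windows, from an elevated prompt; parse_pending and is_delete_queued run anywhere, which is what the sample exercises. After queuing a file, read the value back and confirm its NT-form path (\??\C:\...) is present with an empty partner string: a path that is not in the queue survives the reboot, and the registry entries that load it survive regardless, which is why the helper follows this step with "Fix checked".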
#6
Junior Member
Join Date: May 2007
Posts: 5
Quote:

#7
In Memoriam -Always in our heart
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558
I understand, here is some information about Vundo:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/200...-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks...q=winfixer+msn
http://www.revenews.com/wayneporter/...l_network_now/
It is generally about fraud, trying to get folks to purchase worthless malware removers like Winfixer, but you do have other trojans onboard. This one: smanager.7.exe http://www.sophos.com/security/analy...dwnldrgui.html

You may want to read this information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall http://www.dslreports.com/faq/10063

Some of the backdoor trojans and rootkit infections are about stealing information for $$$ gain and we can't guarantee cleaning will make the computer safe. In your case, I would unplug it except when troubleshooting, change all of the passwords from another computer you know is clean and then keep a close eye on anything dealing with security on this computer, but that should be done anyway. Thanks
__________________
MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

#8
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,455
Rated LASSHes: 16
This topic has been moved to archives to prevent others with similar issues posting to it.
If you need the thread re-opened, please send me a private message (pm) and provide a link. Applies only to the original poster, anyone else with similar problems please start your own topic.
__________________
UNITE-ASAP Microsoft MVP. Consumer Security 2006-2010 Please help us improve Spybot, download our distributed testing client

#10
Junior Member
Join Date: May 2007
Posts: 5
I noticed that even though I've been trying to keep up-to-date that smanager.7.exe wasn't ever spotted by AVG 7.5, or even Norton 360 (which I've read isn't terribly good). So what are some of the better AV software packages?