PDA

View Full Version : Smithfraud-C Problems Please Help.



Fryguy
2006-11-22, 16:18
I guess I'm one of many with this problem...here's my text file from the online Pandascan and following it is the hijackthis log fil: any help is greatly appreciated

PandaScan log
Incident Status Location
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Krazy\Application Data\Mozilla\Firefox\Profiles\poo40li8.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Krazy\Application Data\Mozilla\Firefox\Profiles\poo40li8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Krazy\Application Data\Mozilla\Firefox\Profiles\poo40li8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Krazy\Application Data\Mozilla\Firefox\Profiles\poo40li8.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Krazy\Application Data\Mozilla\Firefox\Profiles\poo40li8.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Krazy\Cookies\krazy@a.as-us.falkag[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Krazy\Cookies\krazy@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Krazy\Cookies\krazy@as-us.falkag[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Krazy\Cookies\krazy@mediaplex[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Krazy\Cookies\krazy@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Krazy\Desktop\SmitfraudFix\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Krazy\Local Settings\Application Data\Mozilla\Firefox\Profiles\poo40li8.default\Cache\633285D9d01[SmitfraudFix/Process.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temp\nsmAE.tmp\nsRandom.dll Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\23PGZK0K\anti4[1].exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\23PGZK0K\mulbin32[1].exe
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\23PGZK0K\wlzip32[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\KXMJKLA3\122[1].net
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\KXMJKLA3\antzom[1].exe
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\KXMJKLA3\wlzip32[1].exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\SVKZA3YX\antzom[1].exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\T2CLDNPW\anti4[1].exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Krazy\Local Settings\Temporary Internet Files\Content.IE5\T2CLDNPW\antzom[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Krazy\Start Menu\Programs\UCmore XP - The Search Accelerator\How To Unistall.lnk
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Krazy\Start Menu\Programs\UCmore XP - The Search Accelerator\UCmore Tour.lnk
Possible Virus. Not disinfected C:\Downloads\645bd14c5858214eb7f17dc016f40751d64.zip[another.world.high.resolution.collectors.edition.v1.0/patch.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe] Possible Virus. Not disinfected C:\Program Files\Another World\another.world.high.resolution.collectors.edition.v1.0\patch.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041 Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{105175AB-0898-1033-0114-040312180001}\system.dll
Adware:Adware/Mytoolbar Not disinfected C:\Program Files\Common Files\{105175AB-0898-1033-0114-040312180001}\Update.exe
Adware:Adware/Mytoolbar Not disinfected C:\Program Files\Common Files\{305175AB-0898-1033-0114-040312180001}\888.dll
Adware:Adware/Mytoolbar Not disinfected C:\Program Files\Common Files\{305175AB-0898-1033-0114-040312180001}\Uninstall.exe
Adware:Adware/BaiduBar Not disinfected C:\Program Files\EasyUO\scripts\as_setup.exe[setup_aspeedercb.exe] Adware:Adware/PurityScan Not disinfected C:\Program Files\?ystem32\chkntfs.exe Possible Virus. Not disinfected C:\VundoFix Backups\geebx.dll.bad

Adware:adware/pesttrap Not disinfected C:\WINDOWS\soft.exe Possible Virus. Not disinfected C:\WINDOWS\system32\cfpg.dll Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvhab.dll Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvpuv.dll Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\fcccaax.dll Possible Virus. Not disinfected C:\WINDOWS\system32\geebx.dll Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\qomkjjk.dll Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\qomlkif.dll Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\ssqrqpo.dll Possible Virus. Not disinfected C:\WINDOWS\system32\sstqr.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\uqtfwnkx.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wahqmnje.dll Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\winuqw32.dll Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\wvurrpp.dll Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\wvusrsp.dll Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\mshtml2.exe Adware:Adware/Adservice Not disinfected C:\WINDOWS\Temp\mst13A.tmp Adware:Adware/Adservice Not disinfected C:\WINDOWS\Temp\mst75.tmp Adware:Adware/Adservice Not disinfected C:\WINDOWS\Temp\mst81.tmp Adware:Adware/Adservice Not disinfected C:\WINDOWS\Temp\mstB3.tmp Adware:Adware/ActiveSearch Not disinfected C:\WINDOWS\Temp\nsr136.tmp\DetectionProcessus.dll Adware:Adware/Mytoolbar Not disinfected C:\WINDOWS\Temp\win132.tmp.exe Adware:Adware/Mytoolbar Not disinfected C:\WINDOWS\Temp\win53.tmp.exe Adware:Adware/Yazzle Not disinfected C:\WINDOWS\Temp\win58.tmp Adware:Adware/Mytoolbar Not disinfected C:\WINDOWS\Temp\win67.tmp.exe Adware:Adware/Mytoolbar Not disinfected C:\WINDOWS\Temp\win79.tmp.exe Adware:Adware/Yazzle Not disinfected C:\WINDOWS\Temp\win80.tmp.exe Adware:Adware/Mytoolbar Not disinfected C:\WINDOWS\Temp\winAC.tmp.exe Possible Virus. Renamed C:\WINDOWS\??mantec\d?xplore.exe couldnt fit it all in....
HIJACKTHIS LOG
on next post :
----------------------------------------

Fryguy
2006-11-22, 16:19
heres the hijackthis log file

Logfile of HijackThis v1.99.1
Scan saved at 8:01:42 AM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\{105175AB-0898-1033-0114-040312180001}\Update.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webteh\BSplayer\bsplayer.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109491304906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124143573594
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

LonnyRJones
2006-11-26, 13:56
Hello

Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
We will remind you to turn it on later

Post another new hijackthis log

In another reply:
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

Fryguy
2006-11-28, 15:40
Here is the combofix log you requested.

Krazy - 06-11-28 7:30:55.27 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wtssu.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{105175AB-0898-1033-0114-040312180001}
C:\Program Files\Common Files\{305175AB-0898-1033-0114-040312180001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Krazy\My Documents\SEMBLY~1
C:\QooBox\Purity\Program Files\YSTEM3~1
C:\QooBox\Purity\Program Files\YSTEM3~1\?ystem32
C:\QooBox\Purity\WINDOWS\MANTEC~1
C:\QooBox\Purity\WINDOWS\MANTEC~1\d?xplore_exe.vir


((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-28 07:17 88,340 --a------ C:\WINDOWS\system32\qqcgfipm.exe
2006-11-28 07:17 42,516 --a------ C:\WINDOWS\system32\qjjyjmvt.dll
2006-11-28 07:17 <DIR> d-------- C:\Program Files\VSAdd-in
2006-11-28 07:17 <DIR> d-------- C:\Documents and Settings\Krazy\Application Data\SearchToolbarCorp
2006-11-27 07:17 38,420 --a------ C:\WINDOWS\system32\uhidkgfw.dll
2006-11-26 07:17 38,420 --a------ C:\WINDOWS\system32\tkqtxqha.dll
2006-11-25 07:17 38,420 --a------ C:\WINDOWS\system32\sylbnlqs.dll
2006-11-24 07:16 736,383 ---hs---- C:\WINDOWS\system32\xbeeg.bak1
2006-11-24 07:16 38,420 --a------ C:\WINDOWS\system32\whrcrnto.dll
2006-11-23 08:21 <DIR> d-------- C:\Program Files\Final Draft Tagger
2006-11-23 07:16 38,420 --a------ C:\WINDOWS\system32\yompgwtj.dll
2006-11-23 07:16 126,996 --a------ C:\WINDOWS\system32\toxoepqd.dll
2006-11-23 05:47 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-22 22:55 <DIR> d-------- C:\SWARS
2006-11-22 08:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-22 08:29 <DIR> d-------- C:\Program Files\Grisoft
2006-11-22 07:16 758,937 ---hs---- C:\WINDOWS\system32\xbeeg.bak2
2006-11-22 07:16 126,996 --a------ C:\WINDOWS\system32\uqtfwnkx.dll
2006-11-22 06:23 <DIR> d-------- C:\hijackthis
2006-11-22 06:16 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-22 03:45 3,830 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-22 03:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-22 03:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-22 03:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-22 03:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-21 17:32 88,064 --a------ C:\VundoFix.exe
2006-11-21 17:09 <DIR> d-------- C:\VundoFix Backups
2006-11-21 16:45 <DIR> d-------- C:\WINDOWS\pss
2006-11-21 14:44 <DIR> d-------- C:\Program Files\Safer Networking
2006-11-21 07:53 <DIR> d-------- C:\WINDOWS\oiik
2006-11-21 07:16 126,996 --a------ C:\WINDOWS\system32\wahqmnje.dll
2006-11-21 07:15 692,276 --------- C:\WINDOWS\system32\geebx.dll
2006-11-21 06:54 692,276 ---hs---- C:\WINDOWS\system32\sstqr.dll
2006-11-21 06:46 34,308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-11-21 06:25 <DIR> d-------- C:\Program Files\Another World
2006-11-21 01:47 <DIR> d-------- C:\Program Files\DOSBox-0.65
2006-11-21 00:32 <DIR> d-------- C:\NETHERW
2006-11-20 05:13 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-11-20 05:13 <DIR> d-------- C:\Program Files\Hamachi
2006-11-20 05:13 <DIR> d-------- C:\Documents and Settings\Krazy\Application Data\Hamachi
2006-11-20 04:58 <DIR> d-------- C:\Program Files\GTA2 Game Hunter
2006-11-20 04:30 <DIR> d-------- C:\Program Files\directx
2006-11-20 04:29 <DIR> d-------- C:\Program Files\Rockstar Games
2006-11-17 04:03 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-17 04:03 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-17 04:03 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-17 04:01 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-17 04:01 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-17 02:44 <DIR> d-------- C:\Program Files\Uniblue
2006-11-17 02:44 <DIR> d-------- C:\Documents and Settings\Krazy\Application Data\Uniblue
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 07:34 -------- d-------- C:\Program Files\Common Files
2006-11-28 07:26 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-23 08:21 -------- d-------- C:\Program Files\Final Draft 7
2006-11-23 08:21 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-23 08:09 -------- d-------- C:\Program Files\Agent
2006-11-23 08:06 -------- d-------- C:\Program Files\Trillian
2006-11-23 05:47 -------- d-------- C:\Program Files\Java
2006-11-23 00:54 -------- d-------- C:\Program Files\World of Warcraft
2006-11-22 10:21 40 ---hs---- C:\Documents and Settings\Krazy\Application Data\.zreglib
2006-11-22 10:20 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-11-22 07:13 -------- d-------- C:\Program Files\WinRAR
2006-11-22 07:13 -------- d-------- C:\Program Files\WinAce
2006-11-22 07:11 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-22 07:11 -------- d-------- C:\Program Files\SmartFTP Client 2.0
2006-11-22 07:02 -------- d-------- C:\Program Files\Microsoft IntelliPoint
2006-11-22 06:58 -------- d-------- C:\Program Files\JetAudio
2006-11-22 06:58 -------- d-------- C:\Program Files\Internet Explorer
2006-11-22 06:57 -------- d-------- C:\Program Files\EZ-DUB
2006-11-22 06:50 -------- d-------- C:\Program Files\Common Files\Webroot Shared
2006-11-22 06:50 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-22 06:48 -------- d-------- C:\Program Files\blstoolbar
2006-11-22 06:47 -------- d-------- C:\Program Files\ATI Multimedia
2006-11-20 04:29 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-03 17:22 -------- d-------- C:\Program Files\Microsoft Games
2006-11-03 11:41 -------- d-------- C:\Program Files\UOAssist
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-15 02:02 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 17:12 -------- d-------- C:\Documents and Settings\Krazy\Application Data\uTorrent
2006-10-12 01:02 -------- d-------- C:\Program Files\Electronic Arts
2006-09-30 02:30 -------- d-------- C:\Program Files\Activision
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 17:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-22 23:28 121826 --a------ C:\Documents and Settings\Krazy\Application Data\Cosmos Prefs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"AnyDVD"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ATI Launchpad"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"MPFTray"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"AudCtrl"="RunDll32 AudCtrl.dll,RCMonitor"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"McRegWiz"="C:\\PROGRA~1\\McAfee.com\\Agent\\McRegWiz.exe /autorun"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NWEReboot"=""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=dword:ffffffff

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
@=""
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkjjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (KRAZY-02HHICHUR-Krazy).job

Completion time: 06-11-28 7:36:48.22
C:\ComboFix.txt ... 06-11-28 07:36

LonnyRJones
2006-11-29, 04:06
Hi

Turn off tea timer , dont turn it back on untill we finished.

delete these three folders
C:\Documents and Settings\Krazy\Application Data\SearchToolbarCorp
C:\Program Files\VSAdd-in
C:\Documents and Settings\Krazy\Start Menu\Programs\UCmore XP - The Search Accelerator
I see you have vundofix and smithfraudfix, re-download smithfraudfix since it is changed almost daily.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
alternate download
http://www.geekstogo.com/modules.php?modid=5&action=download&id=80
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Fryguy
2006-11-29, 15:33
Alrighty, Teatimer off. Redownloaded SmithFraudFix, scanned and here is the log file. I've also got AVG Anti Spyware running in the back ground, should I disable that or leave it on?

Rapport.txt from SmitFraudFix
--------------------------------

SmitFraudFix v2.125

Scan done at 7:30:22.14, Wed 11/29/2006
Run from C:\Documents and Settings\Krazy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Krazy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Krazy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Krazy\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

LonnyRJones
2006-11-29, 15:45
Good, delete smithfraudfix
Please RE-download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to your to the root drive, eg: Local Disk C: or partition where your operating system is installed.
Double-click VundoFix.exe to run it.
Click scan for vundo, when it is finished scanning if this file isnt detected add it >
Right click the list box then select add files and add
C:\WINDOWS\System32\geebx.dll
add these also
C:\WINDOWS\System32\qomkjjk.dll
C:\WINDOWS\System32\winuqw32.dll

Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two mimutes then turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Fryguy
2006-11-29, 18:06
Ok here is the VundoFix log


VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 5:09:38 PM 11/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 5:19:22 PM 11/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\xbeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.4

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 5:32:46 PM 11/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\xbeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 9:41:12 AM 11/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbeeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.bak2
C:\WINDOWS\system32\xbeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\geebx.dll
C:\WINDOWS\System32\geebx.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\geebx.dll
C:\WINDOWS\System32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\geebx.dll
C:\WINDOWS\System32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\geebx.dll
C:\WINDOWS\System32\geebx.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 9:57:23 AM 11/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\xbeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!




will post hijack this next

Fryguy
2006-11-29, 18:08
Logfile of HijackThis v1.99.1
Scan saved at 10:07:27 AM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Krazy\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ewribxrd.dll
O2 - BHO: (no name) - {394721CF-549B-456E-9997-14709780A22F} - (no file)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A716CFD3-321D-4115-BA3D-D9CC538AC0D6} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\qomkjjk.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109491304906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124143573594
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: qomkjjk - qomkjjk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Fryguy
2006-11-29, 18:14
When I did the vundofix...I would scan, it would find...then I would attempt to remove but it would be unable to remove that geebx.dll one and then it would say...shutdown computer...so I would...but instead of shutting down it would reboot and attempt to clean again. But even on a reboot it wouldnt be able to remove that file..and it would try to reboot again...like an endless cycle of trying to remove the dll on reboot. But I think that dll is somehow getting turned on BEFORE vundofix can remove it...?

LonnyRJones
2006-11-29, 18:23
Is your PC XP home or XP pro ?

Fryguy
2006-11-29, 18:27
Xp Pro .

LonnyRJones
2006-11-29, 18:58
I was thinking to use file permisions to deny access since your on XP Pro but
there can be problems if the infection fights back.

Lets do this, delete the vundofix report.

You have norton and mcafee installed. Uninstall one, reboot when prompted.
After the restart

You have an old version of vundofix, thats why i suggested to redownload it , current version is 6.2.0.13
Run vundofix again and add these to files if they arent already there.
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\ewribxrd.dll

Let vundofix reboot the pc and post its report

Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ewribxrd.dll
O2 - BHO: (no name) - {394721CF-549B-456E-9997-14709780A22F} - (no file)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {A716CFD3-321D-4115-BA3D-D9CC538AC0D6} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\qomkjjk.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: qomkjjk - qomkjjk.dll (file missing)
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fryguy
2006-11-29, 19:09
on laptop while i do what you said to fix the pc...but I did download the new version of vundofix from the link you had put in a previous post...said it was last updated in august

Fryguy
2006-11-29, 19:18
ok i found the 6.2.13 version...which is wierd the regular link on atribune site must not have been updated cuz it kept downloaded the .11 version

Fryguy
2006-11-29, 20:11
Here's the new VundoFix log. Encountered same problem as before where it could'nt get rid of geebx.dll
----------------------------


VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 11:18:20 AM 11/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ewribxrd.dll
C:\WINDOWS\system32\ewribxrd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ewribxrd.dll
C:\WINDOWS\system32\ewribxrd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 11:46:11 AM 11/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.tmp
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.tmp
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.tmp
C:\WINDOWS\system32\xbeeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbeeg.ini2
C:\WINDOWS\system32\xbeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Fryguy
2006-11-29, 20:17
Here's the HiJackThis log.
---------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:12:11 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Krazy\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ewribxrd.dll (file missing)
O2 - BHO: (no name) - {394721CF-549B-456E-9997-14709780A22F} - (no file)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {810597FF-2E74-42DB-B4BD-8BFC2BD1FE2F} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\qomkjjk.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109491304906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124143573594
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: qomkjjk - qomkjjk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe



-----After removing the ones you told me to removed I got this message:

Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.


Now resetting PC...

LonnyRJones
2006-11-30, 02:41
That Hijackthis error happens sometimes, go ahead run it again scan and fix those items, afterwards reboot your PC.
If you get the same error scan and fix one or two item's at a time.

One thats done post a new log , we can deal with vundo.

tashi
2006-12-06, 22:11
How is it going Fryguy?

tashi
2006-12-11, 19:03
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.