Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: Need help w/smitfraud-c.toolbar888

  1. 2007-05-24, 23:44 #1
    couchflyer
    couchflyer is offline
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default Need help w/smitfraud-c.toolbar888

    Spybot found it, I ran AVG, VundoFix, HiJackThis. I apprecaite your help.


    Logfile of HijackThis v1.99.1
    Scan saved at 1:53:10 PM, on 5/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Software\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...://www.msn.com
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\jhmywpqm.dll",realset
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179456788843
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Automotive/S...yer/isetup.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsija.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe



    VundoFix V6.3.23
    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:53:43 PM 5/19/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ihhkj.bak2
    C:\WINDOWS\system32\ihhkj.ini
    C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\mirfxfxt.dll
    C:\WINDOWS\system32\txfxfrim.ini
    C:\WINDOWS\system32\unlgnnov.dll
    C:\WINDOWS\system32\vonnglnu.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ihhkj.bak2
    C:\WINDOWS\system32\ihhkj.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihhkj.ini
    C:\WINDOWS\system32\ihhkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\jkhhi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mirfxfxt.dll
    C:\WINDOWS\system32\mirfxfxt.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\txfxfrim.ini
    C:\WINDOWS\system32\txfxfrim.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\unlgnnov.dll
    C:\WINDOWS\system32\unlgnnov.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vonnglnu.ini
    C:\WINDOWS\system32\vonnglnu.ini Has been deleted!

    Performing Repairs to the registry.
    Done!
  2. 2007-05-25, 08:39 #2
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi couchflyer

    You have an old version of vundofix, please delete it.

    Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  3. 2007-05-26, 03:15 #3
    couchflyer
    couchflyer is offline
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    Here you go. I got the version of 6.4.1 of VundoFix


    Logfile of HijackThis v1.99.1
    Scan saved at 8:10:35 PM, on 5/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Juno\bin\juno.exe
    C:\Software\Hijack This\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...://www.msn.com
    O2 - BHO: (no name) - {0474C782-28A2-4D9A-A783-0FFFF5AA7699} - C:\WINDOWS\system32\gebywtu.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C6BDF17-1C3E-4DD6-9DD1-D5EF5C718DFF} - C:\WINDOWS\system32\gebcy.dll
    O2 - BHO: (no name) - {3F5BC854-730A-475F-AFFE-12925B0C8D5E} - C:\WINDOWS\system32\gebya.dll (file missing)
    O2 - BHO: (no name) - {457E69FB-6EA1-4D2E-9CEA-06D4C98791FE} - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\gtcfbdse.dll (file missing)
    O2 - BHO: PsapiAnalyzer Object - {6D7D5679-4E81-430C-9C18-75FE169F1D07} - c:\windows\microsoft.net\iptcp.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {844E01DD-0E71-42FC-9786-13E4E375EFA1} - C:\WINDOWS\system32\jkklk.dll (file missing)
    O2 - BHO: (no name) - {846E106A-F0A1-4089-BE20-D6898DEB1981} - (no file)
    O2 - BHO: (no name) - {A9309675-AE98-48AE-8133-D444B4DCA939} - (no file)
    O2 - BHO: (no name) - {DDD63699-4F33-4215-BF4A-B56DDB7B9A6E} - (no file)
    O2 - BHO: (no name) - {E9E75A6F-AA57-46EF-A322-1D30AD9C200b} - (no file)
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\jhmywpqm.dll",realset
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179456788843
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Automotive/S...yer/isetup.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O20 - Winlogon Notify: gebcy - C:\WINDOWS\system32\gebcy.dll
    O20 - Winlogon Notify: gebywtu - C:\WINDOWS\SYSTEM32\gebywtu.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsija.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  4. 2007-05-26, 04:50 #4
    couchflyer
    couchflyer is offline
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    Here is the VundoFix log.

    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 9:15:43 PM 5/25/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ddcyy.dll
    C:\WINDOWS\system32\ewbqjjil.dll
    C:\WINDOWS\system32\gebcy.dll
    C:\WINDOWS\system32\gebywtu.dll
    C:\WINDOWS\system32\gtcfbdse.dll
    C:\WINDOWS\system32\iheewdbg.dll
    C:\WINDOWS\system32\jhmywpqm.dll
    C:\WINDOWS\system32\ycbeg.bak1
    C:\WINDOWS\system32\ycbeg.bak2
    C:\WINDOWS\system32\ycbeg.ini
    C:\WINDOWS\system32\yycdd.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddcyy.dll
    C:\WINDOWS\system32\ddcyy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ewbqjjil.dll
    C:\WINDOWS\system32\ewbqjjil.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gebcy.dll
    C:\WINDOWS\system32\gebcy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gebywtu.dll
    C:\WINDOWS\system32\gebywtu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\iheewdbg.dll
    C:\WINDOWS\system32\iheewdbg.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ycbeg.bak1
    C:\WINDOWS\system32\ycbeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ycbeg.bak2
    C:\WINDOWS\system32\ycbeg.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ycbeg.ini
    C:\WINDOWS\system32\ycbeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yycdd.ini
    C:\WINDOWS\system32\yycdd.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.4.1

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 9:32:14 PM 5/25/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Performing Repairs to the registry.
    Done!
  5. 2007-05-26, 11:17 #5
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please post a fresh HijackThis log, that one is created before VundoFix
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  6. 2007-05-27, 02:00 #6
    couchflyer
    couchflyer is offline
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    Yea sorry, wasn't thinking.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:58:17 PM, on 5/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Software\Hijack This\scanner.exe
    C:\WINDOWS\System32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...://www.msn.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3F5BC854-730A-475F-AFFE-12925B0C8D5E} - C:\WINDOWS\system32\gebya.dll (file missing)
    O2 - BHO: (no name) - {457E69FB-6EA1-4D2E-9CEA-06D4C98791FE} - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\vtknrpkd.dll
    O2 - BHO: PsapiAnalyzer Object - {6D7D5679-4E81-430C-9C18-75FE169F1D07} - c:\windows\microsoft.net\iptcp.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {844E01DD-0E71-42FC-9786-13E4E375EFA1} - C:\WINDOWS\system32\jkklk.dll (file missing)
    O2 - BHO: (no name) - {846E106A-F0A1-4089-BE20-D6898DEB1981} - (no file)
    O2 - BHO: (no name) - {A9309675-AE98-48AE-8133-D444B4DCA939} - (no file)
    O2 - BHO: (no name) - {DDD63699-4F33-4215-BF4A-B56DDB7B9A6E} - (no file)
    O2 - BHO: (no name) - {E7EF472D-8C77-454C-8A67-B7671FF6C9A9} - C:\WINDOWS\system32\gebcy.dll (file missing)
    O2 - BHO: (no name) - {E9E75A6F-AA57-46EF-A322-1D30AD9C200b} - (no file)
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179456788843
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Automotive/S...yer/isetup.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsija.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  7. 2007-05-27, 11:04 #7
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Open HijackThis,click do a system scan only and checkmark these:

    O2 - BHO: (no name) - {3F5BC854-730A-475F-AFFE-12925B0C8D5E} - C:\WINDOWS\system32\gebya.dll (file missing)
    O2 - BHO: (no name) - {457E69FB-6EA1-4D2E-9CEA-06D4C98791FE} - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\vtknrpkd.dll
    O2 - BHO: PsapiAnalyzer Object - {6D7D5679-4E81-430C-9C18-75FE169F1D07} - c:\windows\microsoft.net\iptcp.dll (file missing)
    O2 - BHO: (no name) - {844E01DD-0E71-42FC-9786-13E4E375EFA1} - C:\WINDOWS\system32\jkklk.dll (file missing)
    O2 - BHO: (no name) - {846E106A-F0A1-4089-BE20-D6898DEB1981} - (no file)
    O2 - BHO: (no name) - {A9309675-AE98-48AE-8133-D444B4DCA939} - (no file)
    O2 - BHO: (no name) - {DDD63699-4F33-4215-BF4A-B56DDB7B9A6E} - (no file)
    O2 - BHO: (no name) - {E7EF472D-8C77-454C-8A67-B7671FF6C9A9} - C:\WINDOWS\system32\gebcy.dll (file missing)
    O2 - BHO: (no name) - {E9E75A6F-AA57-46EF-A322-1D30AD9C200b} - (no file)
    O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsija.exe (file missing)

    Close all windows including browser and press fix checked.

    Reboot

    Delete if present:

    C:\WINDOWS\system32\vtknrpkd.dll

    Empty Recycle Bin


    Looking over your log, it seems you don't have any evidence of an anti-virus software.

    Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

    1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
    2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
    3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

    Post a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  8. 2007-05-27, 19:43 #8
    couchflyer
    couchflyer is offline
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    Hi Shaba,

    You know after I ran the current version of VundoFix in safe mode I haven't had any problems . I'm going to run the scan as you suggested and I have installed a good firewall.

    Thank you
  9. 2007-05-27, 19:51 #9
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please post a fresh HijackThis log after that scan
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  10. 2007-05-28, 05:54 #10
    couchflyer
    couchflyer is offline
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    I added an anti-virus program.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:53:34 PM, on 5/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zune\Zune.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Software\Hijack This\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...://www.msn.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179456788843
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Automotive/S...yer/isetup.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules