Jump to content


i have spyware!

Started by L0seR, Dec 30 2005 05:48 PM

  • You cannot reply to this topic
2 replies to this topic

#1 OFFLINE   L0seR

    Member

  • Members
  • PipPip
  • 17 posts

Posted 30 December 2005 - 05:48 PM

my dad's computer seemed to have a lot of spyware and popups. i did the scan and here's the hijackthis log! thanks in advance guys.

Logfile of HijackThis v1.99.1
Scan saved at 9:46:41 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\L0seR\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigguy.co...tml?
O2 - BHO: Bho - {04657A04-5A3B-40ec-95BF-2A50F0E069BD} - C:\WINDOWS\system32\veeriltv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Bho - {A4A50EF9-4852-4781-9140-AF685290764F} - C:\WINDOWS\system32\pexxgcsl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ΢Èí£­ÖÐÐÇ΢ÁªºÏʵÑéÊÒÌṩ
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XingtoneUpdate] °ÿ\Updater.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LimeWire 4.2.5.lnk = C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...571/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51ED2166-88B0-4708-9DA4-2803CD4DF912}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O23 - Service: CWShredder Service - Trend Micro Incorporated - C:\Documents and Settings\L0seR\Desktop\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

#2 OFFLINE   L0seR

    Member

  • Members
  • PipPip
  • 17 posts

Posted 31 December 2005 - 09:05 AM

bump

#3 OFFLINE   crunchie

    Advanced Member

  • Members
  • PipPipPip
  • 67 posts
  • Location:Oztralya

Posted 31 December 2005 - 12:54 PM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    Quote

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk.

  • At this point press enter one time.

  • Next you will see:

    Quote

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):


      C:\WINDOWS\system32\geebx.dll


  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:

    Quote

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):

      C:\WINDOWS\system32\xbeeg.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

      O2 - BHO: Bho - {04657A04-5A3B-40ec-95BF-2A50F0E069BD} - C:\WINDOWS\system32\veeriltv.dll (file missing)
      O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geebx.dll
      O2 - BHO: Bho - {A4A50EF9-4852-4781-9140-AF685290764F} - C:\WINDOWS\system32\pexxgcsl.dll

      O20 - Winlogon Notify: awtss - awtss.dll (file missing)
      O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

==

There seems to be a problem with some of the characters in your log. Can you confirm the legitimacy of the following;

O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ΢Èí£ÖÐÐÇ΢ÁªºÏʵÑéÊÒÌṩ

O4 - HKCU\..\Run: [XingtoneUpdate] °ÿ\Updater.exe
Try Opera Hijackthis. How you got infected ie-spyad. AVPE anti-virus Sygate free firewall. Spywareblaster Browser settings for increased security.

user posted image
Back to Spyware Hell


  1. Piriform Community Forums
  2. Computer Help and Discussion
  3. Spyware Hell