
I have spyware infection on my desktop and I need help

Discussion in 'Virus & Other Malware Removal' started by lflowers, Jan 2, 2006.

Thread Status:
Not open for further replies.
  1. lflowers

    lflowers Thread Starter

    Joined:
    Jan 2, 2006
    Messages:
    1
    I have the log for hijack and I don't know what to do with it.

    Here is the log, can someone help me.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:31:15 PM, on 1/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\system32\javasr.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\2C.tmp.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\WINDOWS\crvf32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {0E5EA4C0-B875-E8EB-6346-37389658CBB1} - C:\WINDOWS\atlxh32.dll
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\gebyw.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [links] links.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [javasr.exe] C:\WINDOWS\system32\javasr.exe
    O4 - HKLM\..\Run: [2B.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2B.tmp.exe
    O4 - HKLM\..\Run: [2C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2C.tmp.exe
    O4 - HKLM\..\Run: [2C.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\2C.tmp.exe
    O4 - HKLM\..\Run: [2B.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\2B.tmp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.billingnow.com
    O15 - Trusted Zone: http://*.reliablestats.com
    O15 - Trusted Zone: http://*.winantispyware.com
    O15 - Trusted Zone: http://*.winantivirus.com
    O15 - Trusted Zone: http://*.winantiviruspro.com
    O15 - Trusted Zone: http://*.winfixer.com
    O15 - Trusted Zone: http://*.winnanny.com
    O15 - Trusted Zone: http://*.winsoftware.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132082759796
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EEA02EF6-F047-4795-A0D6-BE254282560E}: NameServer = 206.141.193.55 66.73.20.40
    O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crvf32.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi there lflowers, you have a few nasties on here!


    Download DelDomains.inf from here:

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Rightclick DelDomains.inf and choose install.


    Please download VundoFix.exe to your desktop.


    http://www.atribune.org/downloads/VundoFix.exe



    * Double-click VundoFix.exe to extract the files
    * This will create a VundoFix folder on your desktop.
    * After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    * Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    * You will first be presented with a warning and a list of forums to seek help at.
    it should look like this


    * At this point press enter one time.
    * Next you will see:


    * At this point please type the following file path (make sure to enter it exactly as below!):
    o C:\WINDOWS\system32\gebyw.dll
    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * Next you will see:

    * At this point please type the following file path (make sure to enter it exactly as below!):

    o C:\WINDOWS\system32\wybeg.*

    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
    * The fix will run then HijackThis will open.
    * In HiJackThis, please place a check next to the following items and click FIX CHECKED:


    o O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\gebyw.dll
    o O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll


    * After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    * Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    * Once your machine reboots please continue with the instructions below.

    Download and install CleanUp!

    http://www.stevengould.org/software...p/download.html



    Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
    Set the program up as follows:
    Click "Options..."
    Move the arrow down to "Custom CleanUp!"
    Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

    Click OK
    Press the CleanUp! button to start the program.

    It may ask you to reboot at the end, click NO.



    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner



    Then, please run this online virus scan: ActiveScan

    http://www.pandasoftware.com/products/activescan.htm


    Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
     
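The triage that the reply above does by eye on the log in the first post (autoruns launched from a Temp directory or with a bare filename, the res:// search-page hijack, the wildcard Trusted Zone entries, a BHO whose DLL is also registered as a Winlogon Notify DLL, a service whose name is garbled, and the reversed-name companion wybeg.* that VundoFix is told to look for), written out as a small HijackThis log parser. This is an added example and not code from the thread, from HijackThis or from VundoFix; the sample lines are copied from the log in the first post, the section regexes and the short Winlogon Notify allowlist are my assumptions, and each rule produces a review prompt, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yuxef.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0E5EA4C0-B875-E8EB-6346-37389658CBB1} - C:\WINDOWS\atlxh32.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\gebyw.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [2C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2C.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://*.winfixer.com
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crvf32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line deserves a look
    line: str      # the raw log line

# Assumed line formats for the sections this example handles (not HijackThis' own grammar).
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<dll>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# Assumed allowlist of Winlogon Notify keys that ship with Windows XP; illustrative, not authoritative.
KNOWN_WINLOGON_NOTIFY = {"igfxcui", "crypt32chain", "cryptnet", "cscdll", "scecli",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def reversed_companion(dll_path: str) -> str:
    """Name pattern of the reversed-stem companion file (gebyw.dll -> wybeg.*)."""
    base = dll_path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    return stem[::-1] + ".*"

def triage(log_text: str) -> List[Finding]:
    """Apply the review rules to each recognised log line and collect findings in line order."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # First pass: collect Winlogon Notify DLLs so BHO lines can be cross-checked against them.
    notify_dlls = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("sec") == "O20":
            r = O20_RE.match(m.group("body"))
            if r:
                notify_dlls.add(r.group("dll").strip().lower())
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "= res://" in body:
            findings.append(Finding(sec, "IE search/start page redirected to a local res:// DLL resource", line))
        elif sec == "O2":
            r = O2_RE.match(body)
            if r and r.group("name").strip() in ("Class", "(no name)"):
                findings.append(Finding(sec, "BHO with a generic or empty class name", line))
            elif r and r.group("dll").strip().lower() in notify_dlls:
                findings.append(Finding(sec, "BHO DLL is also registered as a Winlogon Notify DLL", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                cmd = r.group("cmd").strip().strip('"')
                if TEMP_RE.search(cmd):
                    findings.append(Finding(sec, "autorun executable located in a Temp directory", line))
                elif "\\" not in cmd:
                    findings.append(Finding(sec, "autorun entry is a bare filename with no path", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to the Trusted Zone; confirm this was intended", line))
        elif sec == "O20":
            r = O20_RE.match(body)
            if r and r.group("key").lower() not in KNOWN_WINLOGON_NOTIFY:
                companion = reversed_companion(r.group("dll").strip())
                findings.append(Finding(sec, "unrecognised Winlogon Notify DLL; also look for " + companion, line))
        elif sec == "O23":
            r = O23_RE.match(body)
            if r and not all(32 <= ord(c) <= 126 for c in r.group("name")):
                findings.append(Finding(sec, "service name contains non-printable or non-ASCII characters", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Running it against the sample prints eight findings, one per suspicious line in the excerpt, and leaves the HP, Adobe, Intel graphics, Messenger and NVIDIA entries alone. The allowlist and the "generic class name" rule are the weakest parts: a real review still means checking each flagged path against what is actually installed, which is what the helper's request for a fresh log and the VundoFix report is for.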
Short URL to this thread: https://techguy.org/430494