
Author Topic: WinVirus Pro  (Read 8132 times)


Fair9

  • Guest
WinVirus Pro
« on: June 27, 2006, 12:07:17 AM »
For the last few weeks I have been terrorized by pop-up ads that slow or crash my computer systems. I have Spy Sweeper and a leading virus protection program installed, and all they do is tell me I have "moonpie" and then they remove it and it comes right back. Web pages pop up for porn, vacations and some "geek" site... and WinVirus Pro; well, it's all a mess. I don't have my recovery CD and I am willing to order it, but there has to be a way to clean my PC! I have HijackThis, if anybody here could help me if I printed the log.
Thank you to anybody who can help.
Anna in Michigan

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: WinVirus Pro
    « Reply #1 on: June 27, 2006, 12:15:39 AM »
     Fair9... If you have a HijackThis log, post it and we can have a look......

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    Fair9

    • Guest
    Re: WinVirus Pro
    « Reply #2 on: June 27, 2006, 12:42:26 AM »
    I did not scan my PC in Safe Mode because my brain was too little to figure out how to do it!
    Thank you for talking to me tonight!

    Fair9

    • Guest
    Re: WinVirus Pro
    « Reply #3 on: June 27, 2006, 12:46:03 AM »
    My HijackThis log is in Notepad, not an allowed file extension to send here.
    What can I do?

    sorry
    Anna

    Fed

    • Moderator


    • Sage
    • Thanked: 35
      • Experience: Experienced
      • OS: Windows XP
      Re: WinVirus Pro
      « Reply #4 on: June 27, 2006, 12:59:04 AM »
      Just copy & paste the hijackthis log text in here.
      You will have to do it over 3 or 4 posts due to the character limitation on posts.

      Fair9

      • Guest
      Re: WinVirus Pro
      « Reply #5 on: June 27, 2006, 01:00:10 AM »
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\System32\hkcmd.exe
      C:\WINDOWS\mHotkey.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
      C:\windows\system32\lnxspt.exe
      C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
      C:\windows\system32\winsys.win
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\BigFix\BigFix.exe
      C:\Documents and Settings\All Users\Application Data\Web\GamBlockUpdate.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
      C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
      C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
      C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      Fair9

      • Guest
      Re: WinVirus Pro
      « Reply #6 on: June 27, 2006, 01:01:14 AM »
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&LogUID=fair9&CurrentPage=MyeBaySelling&ssPageName=STRK:ME:LNLK&PageTime=8906&TimedPage=MyEbaySummary
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
      O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\gebyx.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
      O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
      O4 - HKLM\..\Run: [LSupport] c:\windows\system32\lnxspt.exe
      O4 - HKLM\..\Run: [WinSys] c:\windows\system32\winsys.win
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

      Fair9

      • Guest
      Re: WinVirus Pro
      « Reply #7 on: June 27, 2006, 01:02:38 AM »
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
      O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
      O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
      O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1081/DownloadManager_release_1.081.cab
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
      O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143098535812
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147027441687
      O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
      O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
      O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
      O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
      O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
      O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
      O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
      O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
      O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
      O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
      O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

      Fed

      • Moderator


      • Sage
      • Thanked: 35
        • Experience: Experienced
        • OS: Windows XP
        Re: WinVirus Pro
        « Reply #8 on: June 27, 2006, 01:04:30 AM »
        Well done.  :)

        RapedApe

        • Guest
        Re: WinVirus Pro
        « Reply #9 on: June 27, 2006, 08:58:26 AM »
        Alright, well, the first thing you're gonna have to do is download VundoFix. Just save it to your desktop for now. After you've got that we have to disable System Restore, so just right-click My Computer, go to the System Restore tab and check the box. Next, reboot into Safe Mode; to do this either hit F8 on system startup and select it from the list, or go to the BOOT.INI tab in the System Configuration Utility (Start -> Run -> msconfig) and check the /SAFEBOOT box. Once in Safe Mode, run HijackThis again and fix the following:

        O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\gebyx.dll
        O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
        O4 - HKLM\..\Run: [LSupport] c:\windows\system32\lnxspt.exe
        O4 - HKLM\..\Run: [WinSys] c:\windows\system32\winsys.win
        O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
        O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1081/DownloadManager_release_1.081.cab -UNSURE ABOUT THIS ONE
        O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll

        As you can see I was unsure about one of those, so if you know it's fine then just leave it; otherwise go ahead and fix it with the rest. After that's done, run system scans with all your antispyware/antivirus programs on your system one by one. After all that, run VundoFix. I save this one for last as it makes you reboot, so just go through the rest before running this one. Just do a scan and remove whatever it finds. After you reboot, if you're still having problems post another HijackThis log. If not, then go ahead and turn System Restore back on by unchecking the box.

        Fed

        • Moderator


        • Sage
        • Thanked: 35
          • Experience: Experienced
          • OS: Windows XP
          Re: WinVirus Pro
          « Reply #10 on: June 27, 2006, 11:37:49 AM »
          I couldn't find any problem with the following entries, what did you find RapedApe?

          O4 - HKLM\..\Run: [LSupport] c:\windows\system32\lnxspt.exe
          O4 - HKLM\..\Run: [WinSys] c:\windows\system32\winsys.win
          O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
          O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1081/DownloadManager_release_1.081.cab

          Note, BigFix is a resource hog and should be started manually.

          RapedApe

          • Guest
          Re: WinVirus Pro
          « Reply #11 on: June 27, 2006, 11:51:36 AM »
          The first two simply because I have never seen them before, which is usually not a good thing. I go through numerous logs daily and I've never seen them. I also found very little when I googled them, so I figure either they're bad or unnecessary. Either way they're good to go; if anyone's got any info on them I'd be happy to hear it, though, so I know what to do should I see them again.

          BigFix for pretty much the same reason you said, resource hog.

          The last one seemed a little fishy to me since it starts a download. Don't really need that there as far as I'm concerned but once again, not positive and I could very well be wrong on that one.

          Fed

          • Moderator


          • Sage
          • Thanked: 35
            • Experience: Experienced
            • OS: Windows XP
            Re: WinVirus Pro
            « Reply #12 on: June 27, 2006, 12:03:23 PM »
            I'll be interested to see what DL65 thinks about them, he may find something.
            Fair9 could remove Vundo while he's waiting.

            dl65

            • R.I.P.


            • Prodigy

              Thanked: 18
              Re: WinVirus Pro
              « Reply #13 on: June 27, 2006, 03:42:05 PM »
              Since it's a trojan we are dealing with here ..........
              I would be turning off system restore as already directed , then for sure ....

              O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\gebyx.dll    Must be removed

              O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)     Remove

              O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll  Must be removed



              O4 - HKLM\..\Run: [LSupport] c:\windows\system32\lnxspt.exe    This is really suspect

              O4 - HKLM\..\Run: [WinSys] c:\windows\system32\winsys.win    This is also really suspect

              The other thing I note is ........

              C:\Program Files\BigFix\BigFix.exe    .........  This suggests that the poster's version of Windows may not pass the WGA test .... and for that reason doesn't have SP2 installed ...... BTW, they omitted the version of Windows being run ........ it is outdated.

              That's my take on it ... let's see what further info we get back from .....  Fair9

              dl65  ::)



              If you don't know the answer, it isn't a dumb question.
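The two analyses above (Reply #9 and Reply #13) pick the bad entries out of the log by eye: a Winlogon Notify DLL nobody recognises, the same DLL also registered as a BHO, a Run value that starts a .win file, a toolbar with no file behind it. The script below is an added example, not code from this thread or from HijackThis, that applies those same rules mechanically to a subset of the log posted earlier. The known-good set of Winlogon Notify packages, the severity labels and the regular expressions are assumptions made for this example; it deliberately does not reproduce the "never seen it before" suspicion about lnxspt.exe, because it has no reputation source, which is the step a practitioner would do next (check the file's signature and hash).

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not code from the forum or from HijackThis.
It encodes the judgement calls the replies above make by hand:
  * an O20 Winlogon Notify package outside a small known-good set is
    suspect: the named DLL is loaded into winlogon.exe at every logon;
  * a DLL registered BOTH as an O2 BHO and as an O20 Winlogon Notify
    handler is the classic Vundo layout (gebyx.dll in this log);
  * an O4 Run target whose extension is not .exe (winsys.win here) is
    suspect; extension-less targets such as dumprep are left alone;
  * an O3 toolbar that resolves to "(no file)" is an orphan to clean up.
KNOWN_NOTIFY is an assumption drawn from this log, not a vendor reference.
"""
import re

# Assumption: the Intel graphics, WGA and Webroot handlers are legitimate.
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "wrnotifier"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# First path-like token of a Run command, quoted or not; arguments after
# the file extension (e.g. "-hide", "/background") are ignored.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?P<ext>[A-Za-z0-9]{2,4}))"?(?:\s|$)')


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of findings, each {severity, reason, line}."""
    findings = []
    bho_dlls, notify_dlls = {}, {}          # dll basename -> log line
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bho_dlls[basename(m["path"])] = line
        elif m := O3_RE.match(line):
            if m["path"].strip() == "(no file)":
                findings.append({"severity": "low", "line": line,
                                 "reason": "O3 toolbar CLSID points at no file: orphan entry, fix it"})
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"].strip())
            if exe and exe["ext"].lower() != "exe":
                findings.append({"severity": "high", "line": line,
                                 "reason": f"Run value [{m['value']}] starts a .{exe['ext'].lower()} file, not an .exe"})
        elif m := O20_RE.match(line):
            dll = basename(m["path"])
            notify_dlls[dll] = line
            if m["key"].lower() not in KNOWN_NOTIFY:
                findings.append({"severity": "high", "line": line,
                                 "reason": f"Winlogon Notify package '{m['key']}' is not known-good; "
                                           f"{dll} is injected into winlogon.exe at every logon"})
    # Cross-reference: the same DLL as BHO and as Winlogon Notify handler.
    for dll in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append({"severity": "critical", "line": bho_dlls[dll],
                         "reason": f"{dll} is both a BHO (O2) and a Winlogon Notify handler (O20): "
                                   "Vundo layout, remove both entries in safe mode"})
    return findings


# Lines copied from the log posted earlier in this thread (a subset).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\gebyx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LSupport] c:\windows\system32\lnxspt.exe
O4 - HKLM\..\Run: [WinSys] c:\windows\system32\winsys.win
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['reason']}\n           {f['line']}")
```

Run on the sample it reports four findings: the orphan O3 toolbar (low), the .win Run target (high), the unknown gebyx Winlogon Notify package (high) and the BHO/Winlogon cross-reference on gebyx.dll (critical). The cross-reference is the part worth keeping: a random five-letter DLL that is both a BHO and a Winlogon Notify handler reloads itself from winlogon.exe at every logon, which is why it survives scans that are not done from Safe Mode.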

              Fair9

              • Guest
              Re: WinVirus Pro
              « Reply #14 on: June 27, 2006, 06:56:14 PM »
              You guys are really amazing...to take this time to help me is so awesome. Thank You!
              I scanned in Safe Mode and ran all the programs to help me... and still, after hours of work,
              I still get:
              O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll
              I am ready to throw in the towel. My PC is almost unusable. I have to believe this is more than adware
              ...it really is like my PC was hijacked.

              Big Hugs!
              Anna

              GX1_Man

              • Guest
              Re: WinVirus Pro
              « Reply #15 on: June 27, 2006, 07:27:22 PM »
              Are you doing these repairs in safe mode with system restore turned off?

              Do you have a real Windows CD to reinstall if that is necessary?

              dl65

              • R.I.P.


              • Prodigy

                Thanked: 18
                Re: WinVirus Pro
                « Reply #16 on: June 27, 2006, 07:40:22 PM »
                Fair9.......  Did you run Vundo fix ?

                Please post a fresh hijackthis log and please include the very top part which shows your operating system .

                dl65  ::)
                If you don't know the answer, it isn't a dumb question.

                Fed

                • Moderator


                • Sage
                • Thanked: 35
                  • Experience: Experienced
                  • OS: Windows XP
                  Re: WinVirus Pro
                  « Reply #17 on: June 27, 2006, 09:34:22 PM »
                  Vundo does require 'special' treatment, below is a very helpful link for your viewing pleasure. Don't give up, we like bug hunts. :D
                  http://www.bleepingcomputer.com/forums/topic18610.html

                  RapedApe

                  • Guest
                  Re: WinVirus Pro
                  « Reply #18 on: June 28, 2006, 09:09:00 AM »
                  If you've already run VundoFix and are still having problems with that file, then this will take care of it for you. Go to Start, Run and type cmd, then press Enter. This will bring up a command prompt in which you can type. What you need to type is....

                  cacls C:\WINDOWS\system32\gebyx.dll /p guest:n
                  Then press Enter. After you reboot, that particular file will no longer run. Post another HijackThis log afterwards so we can check it, and also report any problems that you may still have.