Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Spyware removal

  • This topic is locked This topic is locked
2 replies to this topic

#1 dallan


  • Members
  • 4 posts
  • Local time:02:14 AM

Posted 05 January 2009 - 04:41 PM

Hi All,

Firstly, my apologies for posting my logs too hastily last time.. Sorry!

One of the users here got something that I was unable to remove with conventional removal software (Spybot, Adaware, SAV).
Adwatch blocked tons of attempts to change the registry via a couple of dlls. One which I marked down was wefeyubi.dll. Here is my DDS log:

DDS (Version 1.1.0) - NTFSx86  
Run by nfaria at 16:30:45.78 on Mon 01/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.958.600 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nfaria\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AWMON] "c:\program files\lavasoft\ad-aware se plus\Ad-Watch.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [cc44d15c] rundll32.exe "c:\windows\system32\vatotosa.dll",b
mRun: [CPMcf77e2c0] Rundll32.exe "c:\windows\system32\wefeyubi.dll",a
mRun: [gipepekuda] Rundll32.exe "c:\windows\system32\dutimode.dll",s
uPolicies-explorer: MaxRecentDocs = 15 (0xf)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {DEAD235B-A4E8-4534-A5CF-99539B97F0DF} =,
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\naveng.sys [2009-1-5 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\navex15.sys [2009-1-5 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R4 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-4-30 6016]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]

=============== Created Last 30 ================

2009-01-05 10:02	<DIR>	a-dshr--	C:\cmdcons
2009-01-05 10:00	161,792	a-------	c:\windows\SWREG.exe
2009-01-05 10:00	98,816	a-------	c:\windows\sed.exe
2009-01-05 10:00	<DIR>	--d-----	C:\ComboFix
2008-12-31 12:27	153	a-------	c:\windows\wininit.ini
2008-12-31 12:00	<DIR>	--d-----	c:\program files\CCleaner
2008-12-31 11:56	<DIR>	--d-----	c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-31 11:56	<DIR>	--d-----	c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-31 11:56	<DIR>	--d-----	c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-31 11:56	<DIR>	--d-----	c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-23 10:52	<DIR>	--d-----	c:\docume~1\nfaria\applic~1\ACD Systems
2008-12-18 12:02	268,648	a-------	c:\windows\system32\mucltui.dll
2008-12-18 12:02	27,496	a-------	c:\windows\system32\mucltui.dll.mui

==================== Find3M  ====================

2008-10-23 07:36	286,720	a-------	c:\windows\system32\gdi32.dll
2008-10-16 14:06	208,744	a-------	c:\windows\system32\muweb.dll
2008-10-15 20:00	666,112	a-------	c:\windows\system32\wininet.dll

============= FINISH: 16:31:04.67 ===============

Attached Files

Edited by dallan, 05 January 2009 - 04:41 PM.

BC AdBot (Login to Remove)


#2 chryssi2001


  • Members
  • 1,930 posts
  • Local time:09:14 AM

Posted 18 January 2009 - 04:47 AM

Hello dallan,

I will be assisting you with your malware issues.
  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
  • If you fail to reply in 5 days period from now, this thread will close, and you will have to open another topic, and wait for another helper.
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Please do not quote your report, just post it normally.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001


  • Members
  • 1,930 posts
  • Local time:09:14 AM

Posted 23 January 2009 - 12:43 PM

Due to the lack of feedback, this Topic is now closed and will not be reopened.
If you still need help, begin a new topic.

Applies only to the original poster, anyone else with similar problems please start a new topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users