
Virus!


  • This topic is locked
4 replies to this topic

#1 rachelatjmu

  • Members
  • 4 posts

Posted 15 October 2005 - 01:02 AM

My computer has a virus and I have anti-virus software (Symantec). There is a notification that pops up and says I have a trojan virus. It says DANGER!!! DANGER WILL ROBINSON!!! My mom is an IT Analyst and told me to download "HijackThis" and post the log. The log is....

Logfile of HijackThis v1.99.1
Scan saved at 1:49:04 AM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\gebyw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I really hope someone can help me and I'm not sure if this is the right place to post this. I know the virus is this file - "O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll" If you need additional information please let me know. Thanks so much!


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 15 October 2005 - 10:35 AM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.14 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\gebyw.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\wybeg.dll.*

    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\gebyw.dll
    O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! If you do not receive the "Blue Screen of Death", please manually reboot the computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
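The two checks the thread relies on, a DLL that is registered both as an Internet Explorer BHO (O2) and as a Winlogon Notify package (O20), and the reversed-filename companion that the VundoFix step asks for, can be automated over a HijackThis log. The script below is an added example, not code from the original thread, from HijackThis or from VundoFix. The sample log is a constructed excerpt modelled on the log in post #1, and the companion-file rule assumes only the file stem is reversed, following the odnuv.* template quoted in the instructions above (the post itself types wybeg.dll.*).

```python
"""Triage a HijackThis log for the Vundo BHO + Winlogon Notify pattern."""
import ntpath
import re
from collections import defaultdict

# Constructed sample input: an excerpt modelled on the log in post #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\gebyw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 lines embed the path inside a command line; take the first drive-rooted
# .dll/.exe, stopping at the comma that precedes a rundll32 entry point.
O4_PATH_RE = re.compile(r"[A-Za-z]:\\[^,]+?\.(?:dll|exe)", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, path) pairs for every O-line that names a file.

    For O2/O20/O23 the file is the last ' - ' separated field, which is how
    HijackThis 1.99 lays those lines out; O4 is handled with a regex.
    """
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            pm = O4_PATH_RE.search(body)
            path = pm.group(0) if pm else None
        else:
            path = body.rsplit(" - ", 1)[-1].strip()
        if path:
            entries.append((section, path))
    return entries


def find_vundo_candidates(entries):
    """Flag DLLs that appear both as a BHO (O2) and as a Winlogon Notify
    package (O20).

    A browser helper object has no legitimate reason to also hook winlogon;
    Vundo used the Notify key so winlogon.exe loaded the DLL before the user's
    shell, which is why the file could not simply be deleted while running.
    """
    sections = defaultdict(set)
    original = {}
    for section, path in entries:
        key = path.lower()
        sections[key].add(section)
        original.setdefault(key, path)
    return [original[k] for k in sorted(sections) if {"O2", "O20"} <= sections[k]]


def companion_glob(dll_path):
    """Wildcard for the reversed-name backup VundoFix asks for.

    Assumption: only the stem is reversed and any extension is wildcarded,
    i.e. gebyw.dll -> wybeg.*, mirroring the odnuv.* example in the thread.
    """
    directory, name = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(name)
    return ntpath.join(directory, stem[::-1] + ".*")


def triage(log_text):
    """Return one record per suspicious DLL with the paths to hand to the fix."""
    entries = parse_entries(log_text)
    return [{"dll": dll, "companion": companion_glob(dll)}
            for dll in find_vundo_candidates(entries)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"Vundo pattern: {hit['dll']}  (also remove {hit['companion']})")
```

Run it against a saved HijackThis log by reading the file into `triage()`; on the constructed sample it reports gebyw.dll and the companion pattern wybeg.* in the same directory, which is exactly the pair of paths the VundoFix steps above ask the user to type.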

#3 rachelatjmu

  • Topic Starter
  • Members
  • 4 posts

Posted 15 October 2005 - 07:53 PM

Thank you so much for your help. I think the virus is gone, but here is the log file from the ActiveScan.


Incident Status Location
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:adware/twain-tech No disinfected C:\WINDOWS\satmat.ini
Spyware:spyware/betterinet No disinfected Windows Registry
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\SYSTEM32\ssttt.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\c53bFs.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\eZsz4.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM32\BO2804040113.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\biF.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\satmat.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\mmaker2.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Spyware:Spyware/ClearSearch No disinfected C:\SPYWARE REMOVAL\backup-20040609-103613-518.dll
Spyware:Spyware/BetterInet No disinfected C:\SPYWARE REMOVAL\backup-20040609-103614-531.inf
Adware:Adware/IST.ISTBar No disinfected C:\SPYWARE REMOVAL\backup-20040609-103615-966.inf
Adware:Adware/MediaTickets No disinfected C:\SPYWARE REMOVAL\backup-20040609-103615-522
Adware:Adware/KeenValue No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP520\A0065132.exe
Adware:Adware/IST.ISTBar No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP520\A0065133.dll

#4 Grinler (Lawrence Abrams)

  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 16 October 2005 - 03:38 PM

Let's see a brand new HJT log.

#5 Grinler (Lawrence Abrams)

  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 14 November 2005 - 10:46 AM

Due to inactivity this topic is closed. If you need to reopen this topic, please contact a moderator and they will do so.