Results 1 to 6 of 6
  1. #1
    Member
    Join Date
    Jun 2006
    Posts
    3
    Points
    0

    Default Cannot get rid of Winfixer, errorsafe and other malware

    Hi there,

    I've tried many methods to remove these programs, including the one you describe in section "Get Rid of Spyware, Adware, and Web Browser Hijackers"
    I also tried using Panda/Housecall + VundoFix + ewido/spybot/adaware in safe mode, but the pop-ups always come back.

    I use a Sony Vaio with Windows XP sp2 (all updates OK) + Kaspersky 6.0.
    Browsers are IE 6.0 and Firefox - both seem to be affected.
    I'd really appreciate your help :-)

    Here is my HJT log :

    Logfile of HijackThis v1.99.1
    Scan saved at 20:05:06, on 30/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\Seb\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Ajouter * Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Antivirus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

  2. #2
    Member
    Join Date
    Jan 2003
    Posts
    12,000
    Points
    1191

    Default

    Stay tuned others may see something I am missing. I see no problems looking at the HJT log.

    Errorsafe should have been removed using updated spybot program.

    No sign of winfixer.

    Other Malware, none showing.

    We would like to see the vundofix.txt file, and the Ewido log, assuming that you ran Ewido scan in the safe mode. If you don't have the logs, let us know and we will give you instructions on how run them again.

    BG

  3. #3
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    AS Basementgeek says ... an updated spybot & ewido ... run in safemode should remove the problems you mention....

    update both programs again ... run them in safemode & post the ewido log, post any logs from any of the scans you have run ( if they show anything which cannot be removed)

    Also run this program...

    Download CCleaner from :-

    http://www.filehippo.com/download_ccleaner/ (click the download tab)

    During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

    doubleclick the ccsetup.exe file and install the program...

    After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Make sure the "windows" tab is selected

    Under "internet explorer" tick...

    Temporary internet files
    Cookies* > see Note below
    History
    Recently typed URL's
    (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
    Delete index.dat files
    Last download location
    Autocomplete form history


    under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

    Other explorer MRU's
    (leave this unticked if you DON'T want to clear lists such as the start\run list)

    under "System"

    Tick ALL these ...


    under "Advanced"

    no need to tick any of these (but you can if you want, and realise what they do)


    Applications tab...

    These will mostly clean out old log files for these applications...

    Clean:- (if you use them)

    Firefox/Mozilla (optional - leave the cookies - see note)
    Opera
    Sun Java
    ZoneAlarm

    ...
    Personally I clean everything in the applications tab... but you tick what you want...

    Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

    click "analyse" if you want to see a list of what is going to be removed, before it is removed.

    Or

    click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

    "This process will permanently delete files from your system. Are you sure you wish to proceed?"

    click OK.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4
    Member
    Join Date
    Jun 2006
    Posts
    3
    Points
    0

    Default

    Thanks for your replies.
    I've run updated versions of Spybot and Ewido but I confirm the Winfixer pop-ups are still there :-(

    Apparently Vundofix couldn't remove gebcy.dll
    Here are the logs from Vundofix and Ewido :

    VundoFix V4.2.84

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.5.0.3

    Java version is 1.5.0.7

    Scan started at 19:43:09 30/06/2006

    Listing files found while scanning....


    C:\WINDOWS\system32\ycbeg.bak1
    C:\WINDOWS\system32\ycbeg.ini
    C:\WINDOWS\system32\gebcy.dll
    Attempting to delete C:\WINDOWS\system32\ycbeg.bak1
    C:\WINDOWS\system32\ycbeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ycbeg.ini
    C:\WINDOWS\system32\ycbeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gebcy.dll
    C:\WINDOWS\system32\gebcy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
    ---
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 19:17:13 26/06/2006

    + Scan result:



    :mozilla.17:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
    :mozilla.16:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
    :mozilla.46:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.47:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.48:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.49:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.10:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
    :mozilla.8:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
    :mozilla.9:C:\Documents and Settings\pad\Application Data\Mozilla\Firefox\Profiles\sup3nml7.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.


    ::Report end

  5. #5
    Member
    Join Date
    Jun 2006
    Posts
    3
    Points
    0

    Default

    Finally I tried the beta version of Virtumonde remover by Lavasoft, which completely removed gebcy.dll. Now my system seems to be clean !

    Thanks for your help guys

  6. #6
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi bozao

    Sorry your post got missed

    Thanks for letting us know that you resolved it and how :wink:

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -