
[Fixed] Hijackthis! Logs - [Fixed] Erratic Behavior and other problems. Posted in the Security & Safety forums.


09-10-2006   #1
Obsidian
Bronze Member
Join Date: Sep 2006
Posts: 54
[Fixed] Erratic Behavior and other problems.

So I did everything in your "prework" section so my main problem is I have this error where it pops up randomly. I will get a ss when it pops up again. What happens is it will ask me if I want to debug or terminate the program. I have clicked debug, terminate and exited out of the error message, with all having the same effect: my start/thing at the bottom of your screen reverts to the old Win95 appearance. This also happens to like the top of screens. See picture. I have collected all the logs, hope you can help.
Attached Images
File Type: png untitled123eu2.png (21.9 KB, 5 views)
Attached Files
File Type: log hijackthis.log (7.9 KB, 4 views)
File Type: txt Report-Scan-20060908-183147.txt (3.6 KB, 3 views)
File Type: txt Spy Sweeper Session Log.txt (4.0 KB, 3 views)
09-11-2006   #2
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025

Hya Obsidian, welcome to PCHF.

I don't see any problems in your HJT log, but I also don't see any O2 and O20 entries in there, which means you have (at least) a Vundo infection which hides those entries when it sees HijackThis.exe running.

Can you rename your HijackThis.exe to whatever.exe, and then make and post a new log?
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

09-11-2006   #3
Obsidian
Bronze Member
Join Date: Sep 2006
Posts: 54
New Hijack Log

Did as you said and here it is.
Attached Files
File Type: log hijackthis.log (9.6 KB, 2 views)
09-11-2006   #4
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025

OK, now we can see what is going on.

First look in add/remove programs for ICOO Loader and uninstall it if present.


Please download VundoFix.exe to your desktop.
  • Double-click *VundoFix.exe* to run it.
  • Click the *Scan for Vundo* button.
  • Once it's done scanning, click the *Remove Vundo* button.
  • You will receive a prompt asking if you want to remove the files, click *YES*
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click *OK*.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Also download KillBox by Option^Explicit from HERE.


Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode. (hit f8 before Windows loads when booting up)

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP



Run HijackThis, select to do a "system scan only" and then place a check beside each of the following:
(if still present)

O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: (no name) - {5E078D29-14D1-4CF8-BF4A-200BF298DF6A} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - (no file)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\ddccded.dll
O20 - Winlogon Notify: ddccded - C:\WINDOWS\SYSTEM32\ddccded.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g16294984.dll (file missing)
O20 - Winlogon Notify: wingob32 - C:\WINDOWS\SYSTEM32\wingob32.dll
O21 - SSODL: ************ - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
Now first close all windows and browsers other than HijackThis, then click Fix checked and close HijackThis.


Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box:

C:\Program Files\ICOO Loader
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\ixt1.dll
C:\WINDOWS\system32\ddccded.dll
C:\WINDOWS\g16294984.dll
C:\WINDOWS\SYSTEM32\wingob32.dll
C:\WINDOWS\system32\urroxtl.dll


Click the red circle with the white x and allow your computer to reboot.
(if killbox doesn't reboot on its own then please reboot manually)


When done, please post the contents of C:\vundofix.txt, the SmitFraudFix log and a new HiJackThis log.
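Added example, not part of joe5's post and not code from HijackThis or any other tool named in the thread: a small Python parser for the HijackThis result lines quoted in post #4. It reports which of the O2/O20 sections are absent from a log (the sign pointed out in post #2) and collects the unique files the flagged entries reference. The function names and the two-line NO_O2_O20 sample are constructed for illustration.

```python
import re

# Entries quoted from post #4 of the thread (the lines marked for fixing).
FLAGGED = r"""
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: (no name) - {5E078D29-14D1-4CF8-BF4A-200BF298DF6A} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - (no file)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\ddccded.dll
O20 - Winlogon Notify: ddccded - C:\WINDOWS\SYSTEM32\ddccded.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g16294984.dll (file missing)
O20 - Winlogon Notify: wingob32 - C:\WINDOWS\SYSTEM32\wingob32.dll
O21 - SSODL: ************ - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
"""
# Constructed sample: a log in which no O2 or O20 lines appear at all.
NO_O2_O20 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

ENTRY = re.compile(r"^(?P<section>[ORFN]\d{1,2}) - (?P<body>.+)$")
PATH = re.compile(r'[A-Za-z]:\\[^*?"<>|]+?\.(?:dll|exe)', re.I)
GONE = re.compile(r"\((?:file missing|no file)\)\s*$")

def parse(log):
    """Turn HijackThis result lines into dicts: section, path, missing."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            path = PATH.search(m["body"])
            entries.append({"section": m["section"],
                            "path": path.group(0) if path else None,
                            "missing": bool(GONE.search(m["body"]))})
    return entries

def absent_sections(entries, expected=("O2", "O20")):
    """Sections with no lines at all, the sign described in post #2."""
    present = {e["section"] for e in entries}
    return [s for s in expected if s not in present]

def referenced_files(entries):
    """Unique (path, missing) pairs in log order; paths compared case-insensitively."""
    seen = {}
    for e in entries:
        if e["path"]:
            seen.setdefault(e["path"].lower(), (e["path"], e["missing"]))
    return list(seen.values())
```

`referenced_files(parse(FLAGGED))` returns seven paths in the same order as the Killbox list in the post, with icoou.dll standing in for the ICOO Loader folder; `absent_sections(parse(NO_O2_O20))` returns both section names.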
09-12-2006   #5
Obsidian
Bronze Member
Join Date: Sep 2006
Posts: 54

I think I might have messed up. Vundo wasn't working too good, it wouldn't restart itself, however it seems that I did remove some of the files. I was kind of confused on how to put in multiple files for the KillBox, I'm sure if I actually got rid of any files. So you might have to ask me to do some stuff again. Sorry. Anyways here are the logs you requested. I couldn't find the Vundo log at the place you said it would be.
Attached Files
File Type: txt rapport.txt (2.5 KB, 2 views)
File Type: log hijackthis.log (8.8 KB, 2 views)
09-12-2006   #6
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,865
PC Experience: Elite PC Guru

It's ok. Vundo is dead...

Just to be sure the files have gone, try these instructions...

Run Killbox, left click and drag your mouse over all the highlighted files below (including filepath), right click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right click again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. Next click on > "Delete on Reboot" and click on "All Files". Please do this even if this option is already checked. You will get a message saying "File will be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot.

C:\Program Files\ICOO Loader
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\ixt1.dll
C:\WINDOWS\system32\ddccded.dll
C:\WINDOWS\g16294984.dll
C:\WINDOWS\SYSTEM32\wingob32.dll
C:\WINDOWS\system32\urroxtl.dll
__________________
My real name is Eddy

Last edited by Pancake; 09-12-2006 at 09:22 AM.
09-12-2006   #7
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025

Originally Posted by Obsidian
I was kind of confused on how to put in multiple files for the KillBox, I'm sure if I actually got rid of any files.

Oops.. that is my mistake. I accidentally gave Killbox instructions for a single file deletion instead of deleting a list..

Please follow Pancake's instructions to make sure they are deleted.


Please copy the text in the code box below, and paste it into a blank notepad window.
Save it as Fix.reg and in the "save as" type box choose "all files".
Once you have saved it, double click it, and allow it to merge with the registry.

Code:
REGEDIT4 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"=-
 
[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@=-
 
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@=-
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"=-

And run HijackThis again, select to do a "system scan only" and then place a check beside the following:

O2 - BHO: (no name) - {C89F291A-DC7C-4B6D-9EB5-957A77C2E7CA} - C:\WINDOWS\system32\gebyw.dll (file missing)
Now first close all windows and browsers other than HijackThis, then click Fix checked and close HijackThis.


Please post a new HJT log when done, and let us know how your pc is running please.
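Added example, not part of the thread: a Python check that reads a .reg text and lists what a merge would do, so a file like the Fix.reg in post #7 can be confirmed to contain only deletions before it is double-clicked. It relies on the .reg syntax in which `"name"=-` removes a value, `@=-` removes a key's default value and `[-KEY]` removes a whole key; the function names are hypothetical.

```python
import re

# The Fix.reg text from post #7, reproduced as sample input.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"=-

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@=-

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"=-
"""
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def reg_operations(text):
    """Return (action, key, value_name) tuples for the lines of a .reg text."""
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-KEY] removes the whole key
                ops.append(("delete-key", key[1:], None))
                key = None
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$', line)
        if not m or key is None:             # anything unrecognised is surfaced
            ops.append(("unparsed", key, line))
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        action = "delete-value" if m.group(2) == "-" else "set-value"
        ops.append((action, key, name))
    return ops

def only_deletes(ops):
    """True when every operation removes something and nothing is written."""
    return all(action in ("delete-key", "delete-value") for action, _, _ in ops)
```

For the Fix.reg text this yields four `delete-value` operations, two of them on the `(Default)` value of the `InProcServer32` keys, and `only_deletes` returns True.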
