Old 02-21-2007, 11:02 AM   #3 (permalink)
Shoqer
Registered User
 
Join Date: Jun 2005
Posts: 215
OS: WinXP


I think foofoo.exe is HijackThis, and this is why we can also see the Vundo.

---------------------------------------------------------------------------------------------

Hello Steve and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

---------------------------------------------------------------------------------------------

Please download Cleanup! and install it. You will use this later.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware
Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"
  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do not run a scan just yet; we will shortly.

---------------------------------------------------------------------------------------------

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

---------------------------------------------------------------------------------------------

Once VundoFix has completed its routine, restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint / Viewpoint Manager / Or anything similar

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: SDWin32 Class - {5DC7D247-7BF8-4804-BDD9-EC3A103695B6} - (no file)
O4 - HKLM\..\Run: [gfvfpc] C:\WINDOWS\System32\gfvfpc.exe
O4 - HKLM\..\Run: [tcjyh] C:\WINDOWS\tcjyh.exe
O4 - HKLM\..\Run: [zhgwvpjasouz] C:\WINDOWS\System32\zbkyybvo.exe
O4 - HKLM\..\Run: [psoj39W] sbeodemx.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E147QLU5\WinFixer2005ScannerInstall[1].exe"
O4 - HKCU\..\Run: [YB7tRVa4V] rshcntra.exe
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com/OpenSiteInstall.CAB
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.

---------------------------------------------------------------------------------------------

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

---------------------------------------------------------------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\gfvfpc.exe
C:\WINDOWS\tcjyh.exe
C:\WINDOWS\System32\zbkyybvo.exe
sbeodemx.exe >> Find via Start>Search
rshcntra.exe >> Find via Start>Search
C:\Program Files\Viewpoint


---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Once it's finished, Cleanup! will ask you to logoff/reboot. Please select No as we will do this later.

---------------------------------------------------------------------------------------------

Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process. Be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. Please ensure it is set to Quarantine,
    then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.

---------------------------------------------------------------------------------------------

Reboot your system in Normal Mode.

---------------------------------------------------------------------------------------------

I see that you've run Panda and Kaspersky online scans just recently. If you saved the reports, please post them in your next reply.

If you did not save the report from Panda, please run it again using these instructions:
Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Download ComboScan to your Desktop.
  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - ComboScan.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
  5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  6. Please attach Supplementary.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

---------------------------------------------------------------------------------------------

Paste the c:\vundofix.txt log from the tool here, together with the Panda Scan report and the ComboScan log.
Please also tell me if you have renamed hijackthis.
Shoqer is offline
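
As an added illustration that is not part of Shoqer's post, the following Python sketch triages HijackThis log lines like the ones the post asks to fix, using structural signs visible in those entries. The heuristics, function names and the final benign sample line are assumptions of this example; an empty result means "needs a human look", not "clean".

```python
import re

# Entries quoted from the post above, plus one constructed benign line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SDWin32 Class - {5DC7D247-7BF8-4804-BDD9-EC3A103695B6} - (no file)
O4 - HKLM\..\Run: [tcjyh] C:\WINDOWS\tcjyh.exe
O4 - HKLM\..\Run: [psoj39W] sbeodemx.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E147QLU5\WinFixer2005ScannerInstall[1].exe"
O16 - DPF: {ED2E4BB5-60EA-4624-9DE2-998E441C699B} (OpenSiteInstall.opensite_install) - http://www.zuvio.com/OpenSiteInstall.CAB
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe"
"""

# "O4 - HKLM\..\Run: [name] target" -> section code, entry kind, remainder
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<target>.*)$")

def triage(line):
    """Return the reasons a HijackThis line deserves review (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, _kind, rest = m.groups()
    reasons = []
    # HijackThis itself annotates entries whose target no longer exists.
    if rest.endswith("(no file)") or rest.endswith("(file missing)"):
        reasons.append("orphaned: registry entry points at a missing file")
    if section == "O4":  # autostart (Run key) entries
        run = RUN_RE.match(rest)
        target = run.group("target").strip('"') if run else rest
        if "\\" not in target:
            reasons.append("bare filename: resolved via the search path")
        if "temporary internet files" in target.lower():
            reasons.append("autostart from the browser cache")
    elif section == "O16" and re.search(r"https?://\S+\.cab$", rest, re.I):
        reasons.append("ActiveX control installed from a remote CAB")
    elif section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe")
    return reasons

def review(log):
    """Map each flagged log line to its list of reasons."""
    return {ln: r for ln in log.strip().splitlines() if (r := triage(ln))}
```

Note that `C:\WINDOWS\tcjyh.exe` passes these structural checks even though the post lists it for removal, which is why such a pass only orders the analyst's reading of a log and never replaces it.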