Question

It's Baaack, Winfixer

Asked by: bremsech

Its BACK.  A few months ago you folks helped me get rid of Winfixer, but it is back and the old solution no longer works or at least I can't find the same files to uninherit.  In addition to winfixer popups I am getting tribalfusion and winantispyware popups.  

I have run adaware, spybot, cwshredder and I tried a new one "spy subtract" that works temporarily but the popups return when the computer is rebooted.  

Here is my current hijack this log.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Start EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra 'Tools' menuitem: &EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120570489421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124661751625
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\David\My Documents\Weekly Computer Maintenance\Mom's virus fix folder\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Any help is as always appreciated.

Thank you,

Charlotte

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2005-12-30 at 14:24:46ID21679767
Topic

Windows Network Security

Participating Experts
2
Points
250
Comments
9

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Malware removal - am I done? What next?
    I have been running antispyware programs like Housecall, Bitdefender, Eido security suite, and I followed the suggestions in www.hijackthis.de. I still get the aurora popup. Here is the latest hijack this - (run in safe mode) log... Logfile of HijackThis v1.99.1 Scan saved a...
  2. What is the difference  starting in Startup (user), (com…
    I have been having some problems with my many startup programs. I 've used a utility from PCMag called Statup Cop, which disapeared and seemed to affect my starups which are freqnetly not present in the taskbar or even visible at all, but are ruinning. It would be a great ass...
  3. Allow users to write to HKCU?
    Hi Experts! I run a Windows Server 2003 domain with AD, and some terminals using Microsoft Terminal Server. Our POS software has just been updated to store user specific settings (such as printer, since the program must have one selected and will not simply take the default...
  4. malware problem
    Got some spyware aboard this laptop, Ran bitdefender and took out some things, then ran spybot and found some things but I am still getting a warning about spyware when conected to internet. Here is the hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 10:20:29 P...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: blue_zeePosted on 2005-12-30 at 14:29:42ID: 15580944


See this on how to cleanup:

http://www.bleepingcomputer.com/forums/topic18610.html

Good luck,

Zee

 

by: rpggamergirlPosted on 2005-12-30 at 15:38:33ID: 15581351

Follow blue_zee's advice,
Or you could just do this.

Please print these instructions out for use in Safe Mode.(If you can't enter Safe Mode the do the fix in normal mode)

Please download VundoFix.exe to your desktop.
http://www.atribune.org/downloads/VundoFix.exe
[*]Double-click VundoFix.exe to extract the files
[*]This will create a folder on your desktop.
[*]After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

[*]Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
[*]You will first be presented with a warning.
It should look like this:
"VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue...."
[*] At this point press Enter one time.
[*] Next you will see:
"Please Type in the filepath as instructed by the forum staff
and then press enter:"
[*]At this point please type/paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\geebx.dll

[*]Press Enter to continue with the fix.
[*] Next you will see:
"Please type in the second filepath as instructed by the forum
staff then press enter:"
[*]At this point please type/paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\xbeeg.*

[*]Press Enter to continue with the fix.
[*]The fix will run then HijackThis will open, if it does not open automatically please open it manually.
[*]In HiJackThis, please place a check next to the following items and click "FIX CHECKED":

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll


[*]After you have fixed these items, close Hijackthis.
[*]Press enter to exit the program then manually reboot your computer.
[*]Once your machine reboots please continue with the instructions below.

Download and install CleanUp!
http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
[*]Empty Recycle Bins
[*]Delete Cookies
[*]Delete Prefetch files
[*]Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Or do this:
Download VirtumundoBegone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
 and save it to your desktop. When you have done this doubleclick on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

 

by: bremsechPosted on 2005-12-30 at 16:44:25ID: 15581590

Blue Zee,

I started to follow the directions you sent me to and it did delete O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll.  The virtumundobegone seems to have worked so I have gone no further.  

I noticed though that the other O2O file still shows up in the hijack this log, should this one be deleted also?  I have no idea what it is.  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
Is this file related to my problem?  or something totally unrelated?

I'm going to reboot and do some more surfing to see if any of the popups return.  I'll keep you posted

Thanks,

Charlotte

 

by: blue_zeePosted on 2005-12-30 at 16:48:41ID: 15581607

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

It's safe: Intel Graphics Startup Utility

Don't fix.

Logging off for today, nearly 1 AM around here.

I know you are on your way out of trouble, and I know Rpggamergirl will be around to help furthe if needed.

Hope to read the good news tomorrow morning.

Good luck,

Zee

 

by: rpggamergirlPosted on 2005-12-30 at 16:56:22ID: 15581636

>>O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll<<
that entry is legit, a dll belonging to Intel(R)Graphics Accelerator Helper.

What you had was a Vundo trojan.
So if you used the virtumundobegone that I suggested, you will find this file below that you can delete.
virtumondobegone, rename the vundo trojan with a .vir extension, while using Atribune's tool clears all the vundo trojan files including all the backwards file with different extensions. Whichever one you used  will stop the problem.

C:\WINDOWS\system32\geebx.dll.vir <-- you can find and delete this file if still present)

 

by: rpggamergirlPosted on 2005-12-30 at 16:59:56ID: 15581644

there I go again, keep forgetting to refreshed before posting.

See you around next time Zee!

 

by: rpggamergirlPosted on 2005-12-30 at 17:32:53ID: 15581774

Ooops! didn't realize Grinler had ALL possible fixes for vundo trojan covered including virtumondobegone, :)

 

by: bremsechPosted on 2006-01-01 at 12:35:17ID: 15588138

Thank you!  I even used virtumundobegone to clean winfixer off my nephews computer too and it seems to work.  

 

by: blue_zeePosted on 2006-01-01 at 12:59:01ID: 15588201


Charlotte,

Great news!

Thank you.

Zee

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...