bremsech asked:
It's Baaack, Winfixer
It's BACK. A few months ago you folks helped me get rid of Winfixer, but it is back and the old solution no longer works, or at least I can't find the same files to uninherit. In addition to Winfixer popups I am getting tribalfusion and winantispyware popups.
I have run adaware, spybot, cwshredder and I tried a new one "spy subtract" that works temporarily but the popups return when the computer is rebooted.
Here is my current hijack this log.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Start EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra 'Tools' menuitem: &EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120570489421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124661751625
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\David\My Documents\Weekly Computer Maintenance\Mom's virus fix folder\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Any help is as always appreciated.
Thank you,
Charlotte
ASKER
Blue Zee,
I started to follow the directions you sent me to and it did delete O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll. The VirtumundoBeGone seems to have worked so I have gone no further.
I noticed though that the other O20 file still shows up in the HijackThis log, should this one be deleted also? I have no idea what it is. O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
Is this file related to my problem? Or something totally unrelated?
I'm going to reboot and do some more surfing to see if any of the popups return. I'll keep you posted.
Thanks,
Charlotte
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
It's safe: Intel Graphics Startup Utility
Don't fix.
Logging off for today, nearly 1 AM around here.
I know you are on your way out of trouble, and I know Rpggamergirl will be around to help further if needed.
Hope to read the good news tomorrow morning.
Good luck,
Zee
>>O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll<<
That entry is legit, a dll belonging to Intel(R) Graphics Accelerator Helper.
What you had was a Vundo trojan.
So if you used the VirtumundoBeGone that I suggested, you will find the file below, which you can delete.
VirtumundoBeGone renames the Vundo trojan with a .vir extension, while Atribune's tool clears all the Vundo trojan files, including all the backwards files with different extensions. Whichever one you used will stop the problem.
C:\WINDOWS\system32\geebx.dll.vir <-- you can find and delete this file if still present
There I go again, I keep forgetting to refresh before posting.
See you around next time Zee!
Ooops! didn't realize Grinler had ALL possible fixes for vundo trojan covered including virtumondobegone, :)
ASKER
Thank you! I even used virtumundobegone to clean winfixer off my nephews computer too and it seems to work.
Charlotte,
Great news!
Thank you.
Zee
Or you could just do this.
Please print these instructions out for use in Safe Mode. (If you can't enter Safe Mode, then do the fix in normal mode.)
Please download VundoFix.exe to your desktop.
http://www.atribune.org/downloads/VundoFix.exe
- Double-click VundoFix.exe to extract the files.
- This will create a folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
- Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
- You will first be presented with a warning. It should look like this:
  "VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue...."
- At this point press Enter one time.
- Next you will see:
  "Please Type in the filepath as instructed by the forum staff
  and then press enter:"
- At this point please type/paste the following file path (make sure to enter it exactly as below!):
  C:\WINDOWS\system32\geebx.
- Press Enter to continue with the fix.
- Next you will see:
  "Please type in the second filepath as instructed by the forum
  staff then press enter:"
- At this point please type/paste the following file path (make sure to enter it exactly as below!):
  C:\WINDOWS\system32\xbeeg.
- Press Enter to continue with the fix.
- The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
- In HijackThis, please place a check next to the following items and click "FIX CHECKED":
  O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-8
  O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.
- After you have fixed these items, close HijackThis.
- Press Enter to exit the program, then manually reboot your computer.
- Once your machine reboots, please continue with the instructions below.
Download and install CleanUp!
http://www.stevengould.org/downloads/cleanup/CleanUp40.exe
Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
Click OK.
Press the CleanUp! button to start the program.
It may ask you to reboot at the end; click NO.
Then, please run this online virus scan:
http://www.pandasoftware.com/products/activescan.htm
Or do this:
Download VirtumundoBegone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.
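The experts in this thread spotted the infection from two facts in the log: geebx.dll is a short, random-looking DLL dropped straight into system32, and the same file is registered both as an IE Browser Helper Object (O2) and as a Winlogon Notify package (O20), with a second copy named backwards (geebx / xbeeg). The script below is an added example, not part of this thread and not code from HijackThis, VundoFix or VirtumundoBeGone; it automates that correlation over O2 and O20 lines. The sample log is a constructed subset of the one posted at the top of the thread, the "4 to 8 lowercase letters directly in system32" naming test and the allowlist of Winlogon Notify names (the stock Windows XP set plus igfxcui, which the replies above confirm as the Intel graphics helper) are assumptions of the example, and an O20 entry outside the allowlist is reported for review, not declared malicious.

```python
"""Triage a HijackThis log for the Vundo pattern discussed in this thread:
a short, random-looking DLL dropped straight into system32, registered both as
an IE Browser Helper Object (O2) and as a Winlogon Notify package (O20), with a
companion file whose name is the first one spelled backwards."""
import re

# Constructed sample input: six lines from the log posted at the top of this
# thread (spacing that the forum inserted into long tokens has been removed).
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\geebx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# A DLL sitting directly in system32 whose name is 4-8 plain letters (geebx.dll
# fits; igfxsrvc.dll also fits, which is why this test alone is never enough).
SYSTEM32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\(?P<stem>[a-z]{4,8})\.dll$")

# Winlogon Notify packages on a stock Windows XP install, plus igfxcui, which the
# replies above confirm is the Intel graphics helper. Assumption: anything not in
# this set is worth a second look, not automatically malicious.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui",
}


def parse_hjt(text):
    """Return (bho_entries, notify_entries) parsed from O2 and O20 lines."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"line": line, **m.groupdict()})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append({"line": line, **m.groupdict()})
    return bhos, notifies


def random_system32_stem(path):
    """File name (without .dll) if `path` is a short all-letter DLL directly in
    system32, else None. Case-insensitive; strips surrounding quotes."""
    m = SYSTEM32_DLL_RE.match(path.strip('"').lower())
    return m.group("stem") if m else None


def triage(text):
    """Correlate O2 and O20 entries. A DLL present in both, named like a random
    system32 drop, is reported as the Vundo pattern together with the HijackThis
    lines to fix and a glob for the reversed-name companion (geebx -> xbeeg.*)."""
    bhos, notifies = parse_hjt(text)
    notify_by_path = {n["path"].lower(): n for n in notifies}
    findings = {"vundo": [], "review_notify": []}

    for bho in bhos:
        stem = random_system32_stem(bho["path"])
        notify = notify_by_path.get(bho["path"].lower())
        if stem and notify:
            folder = bho["path"].rsplit("\\", 1)[0]
            findings["vundo"].append({
                "dll": bho["path"],
                "clsid": bho["clsid"],
                "notify_key": notify["key"],
                # The companion's extension varies, so report a pattern, not a file.
                "companion_glob": folder + "\\" + stem[::-1] + ".*",
                "hjt_fix": [bho["line"], notify["line"]],
            })

    flagged_dlls = {f["dll"].lower() for f in findings["vundo"]}
    for n in notifies:
        if n["key"].lower() not in KNOWN_NOTIFY and n["path"].lower() not in flagged_dlls:
            findings["review_notify"].append(n["line"])
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["vundo"]:
        print("Vundo pattern:", f["dll"], "(CLSID", f["clsid"] + ")")
        print("  also look for:", f["companion_glob"])
        for line in f["hjt_fix"]:
            print("  fix in HijackThis:", line)
    for line in result["review_notify"]:
        print("Unknown Winlogon Notify entry, verify before removing:", line)
```

Run against the sample, the script reports geebx.dll once, lists the two HijackThis lines the VundoFix instructions above tell the asker to fix, and points at C:\WINDOWS\system32\xbeeg.* as the companion to look for. The igfxcui entry the asker worried about is neither cross-registered as a BHO nor outside the allowlist, so it is not flagged, matching the replies from Zee and Rpggamergirl. On a real log, treat the output as a worklist for manual verification (check the file's signature and vendor before fixing), not as an automatic removal list.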