dublon

Winfixer 2005 - Please help[resolved]


Hi all... First off I appreciate all the help that you guys/gals are giving all of us!! :)

 

Ok.. I redownloaded and ran both Ad Aware SE and Spybot 1.4 both updated last night... They didn't find much. I also have the Microsoft Spyware... plus NAV..

 

I have these Winfixer 2005 pop ups that hit my screen every time I boot up and log on to the internet.. Please help me get rid of them.. and any other problems that you might see.

 

Here is my HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 8:38:12 PM, on 28/07/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Hijack this\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pub37.ezboard.com/bthesettlersgang

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.spmmicro.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pub37.ezboard.com/bthesettlersgang

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: Pense-bête.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.spmmicro.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122504877149

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.co.uk/asfiles/file...ll/MFImgVwr.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O20 - Winlogon Notify: acdisk - C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Hi dublon

 

Please read through the instructions before you start (you may want to print this out).

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Please download and install AD-Aware se.

Click Here on how to set up and use it - please make sure you update it first. Don't run yet.

 

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

 

Download Ewido Trojan and malware remover: http://www.ewido.net/en/download/

This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.

Ewido will auto-update. Don't run yet.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Run Ewido full scan. Save the scan.log.

 

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

 

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put a check in the boxes only next to these following items:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll

O20 - Winlogon Notify: acdisk - C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll

Click on Fix Checked when finished and exit HijackThis.

 

Run Ad-Aware SE and let it remove all it finds.

 

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

 

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer (Yes.)

C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll

 

Let the system reboot as normal.

 

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.stevengould.org/cleanup/CleanUp40.exe

It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html

Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished click the close button.

When prompted the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs From Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc :tup:

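The helper's selection above follows a pattern worth making explicit: one BHO entry points at "(no file)" (dead registry residue), and the same DLL is registered both as a browser helper object (O2) and as a Winlogon Notify handler (O20), so it is loaded into the browser and into the logon process. The script below is an added example, not code from the thread, from HijackThis or from any of the tools mentioned; it parses a constructed subset of the log lines posted above and applies exactly those two heuristics. The regexes, the entry format assumed, and the heuristic rules are my own assumptions about the log layout.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC} - C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: acdisk - C:\WINDOWS\assembly\GAC\System.Management\acdisk.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed layout of a HijackThis line: "<section> - <rest>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# O2: "BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
# O20: "Winlogon Notify: <key name> - <path>"
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.*)$")


def parse_log(text):
    """Return O2 (BHO) and O20 (Winlogon Notify) entries as dicts; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2":
            b = BHO_RE.match(rest)
            if b:
                entries.append({"section": "O2", "name": b["name"], "clsid": b["clsid"],
                                "path": b["path"], "raw": raw})
        elif section == "O20":
            n = NOTIFY_RE.match(rest)
            if n:
                entries.append({"section": "O20", "name": n["name"], "clsid": None,
                                "path": n["path"], "raw": raw})
    return entries


def normalize(path):
    """Case-fold and strip quotes so the same DLL matches across sections."""
    return path.strip('"').lower()


def flag_entries(entries):
    """Apply the two heuristics behind the helper's selection (my reading, not a HijackThis rule):
    1. a BHO whose file is missing is registry residue and can be removed;
    2. a DLL registered both as a BHO and as a Winlogon Notify handler runs in the browser
       and in the logon process, a pairing legitimate software rarely needs, so flag it for review.
    Returns a list of (raw_line, [reasons])."""
    sections_by_path = defaultdict(set)
    for e in entries:
        sections_by_path[normalize(e["path"])].add(e["section"])

    flagged = []
    for e in entries:
        reasons = []
        if e["path"].lower() == "(no file)":
            reasons.append("registered BHO with no file on disk")
        if {"O2", "O20"} <= sections_by_path[normalize(e["path"])]:
            reasons.append("same DLL loads as BHO and as Winlogon Notify handler")
        if reasons:
            flagged.append((e["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in flag_entries(parse_log(SAMPLE_LOG)):
        print(raw)
        for r in reasons:
            print("    ->", r)
```

On the sample above the script flags exactly the three lines the helper asked to fix: the "(no file)" BHO and the two acdisk.dll entries. The rules are deliberately narrow; a real review still needs the rest of the log (the other O2/O3 entries here all resolve to known vendor paths and are left alone).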

Thank you so much for your reply.... I have to go to work now, but I will take care of this tonight... and repost requested logs....

 

This sounds complicated .. but I will get through this....I think.. I hope... :woot:


Excuse me in advance for the stupidest question yet...... How the heck do I know I'm in safe mode?????????????????

 

I've done the F8 key.. hit safe mode, and it seems to have started up normally... although some of my favorites are not showing up... Am I in safe mode???

Again I apologize for this stupid question.... :help:


This is totally ridiculous!!! Long story short (as I had edited my previous post and my damn computer froze) :angry:

 

After pressing F8 on startup... I get a window saying Please select boot device:

Removable Dev. Hard Drive or ATAPI CD-Rom. I chose Hard Drive then hit F8 again... finally got the screen with the safe mode choices... Hit Safe Mode... Fine I said...Then I got a log on screen Administrator or myself.. I'm both.. but either one I chose I get this black screen with Safe Mode written in all 4 corners and it stalls.. Nothing.. what the heck am I doing wrong?????????????????? :help: :help: :help:


Hi dublon

 

Safe Mode written in all 4 corners: yes, you are in Safe Mode. It does take some time to run.

 

If you suspect it has hung > Click on start > Then run > now type into the box explorer

 

Let me know if that works.

 

Kc :beer:


Well... I have come a very long way since Friday night... but to answer your question.. I wasn't going into safe mode properly.. As I had never gone there before I had no idea what I was doing. I can build websites and do stuff like that but the "inner" functions of the pc... I'm null! I was just getting the black screen with Safe mode in the 4 corners.... I wasn't seeing my task bar on the bottom...My F8 key was not working properly. I finally got into safe mode through Run... using MSconfig, then going into the boot.ini......then I clicked on safeboot... (I found that on another site...) :blushing:

Anyway my problem is now solved. Long story short:

 

I ran the programs that you suggested... the scans... finally got rid of the winfixer screen... so I thank you very much for that but.. and this is where I ran into very serious problems.... when I ran the cleanup! program... I ran it on Standard settings... It saved me 187 MB of space... Super I said, then I logged off then tried to log back on again.... and that was it!

It cleaned so well that it cleaned all of my boot files, so Windows would not boot up!!!!!!!!!!!!!!!!!!!!!! :blink: Sooooooooooooo the next morning we went down to the PC technician... who in turn got me back up and running...checked for any left over bugs... downloaded all of the security files including both service packs... so I'm up to date and secure.. I hope... I also took advantage and bought myself 512 of SDram... so I now have 768 MB of ram... and WOW.... very cool!! (One of the suggestions made by the Pitstop scan...)

 

I would just like to warn people though, to be very, very careful running that Cleanup program!!!! Read the instructions properly and slowly, and don't do it when you are tired!!!

 

Now... I have Ad-Aware SE running, Spybot running, Microsoft AntiSpyware running, and NAV... Is there anything else I can do to ensure that I don't get another bug??? The pc technician was telling me about a new anti virus program from Russia..... Kaspersky and apparently it's cheaper than Norton and way way better.... Does anyone here know anything about this program... Is it really that good?

 

Again thanks for helping me get rid of the Winfixer problem!! Much appreciated!!! :)


Hi dublon

 

Congratulations! Your system is CLEAN

 

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.

Please download SpyBot V1.4 http://www.majorgeeks.com/download2471.html

Spybot Tutorial

Disable Spybot Tutorial

 

Winpatrol Free

 

Ad-Aware SE Personal Edition Free

AdAware Tutorial

 

Turn off system restore

Disabling or enabling Windows XP System Restore

Windows ME

Defrag your hard drive. Turn system restore back on and create a new restore point.

 

Tony Klein: So how did I get infected in the first place

 

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here

 

It prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.

Restrict the actions of potentially dangerous sites in Internet Explorer.

Consumes no system resources.

 

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

 

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

 

These next two steps are optional, but will provide the greatest protection.

1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.

http://www.mozilla.org/products/firefox/

 

2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.

http://www.java.com/en/download/manual.jsp Windows (Offline Installation)

 

After doing all this, your system will be thoroughly protected from future threats.

 

Have a nice Day.

 

Kc :beer:

This topic is now closed to further replies.