WinFixer (trying ComboFix and VundoFix)


#1
findthedivine

After numerous unsuccessful attempts to remove this program, I discovered your site...

I ran VundoFix.exe and it found nothing.

Soon thereafter, I was attacked again by WinFixer...
Norton asked if I wanted to remove it. Yes, I said...
But it is still there...

I ran ComboFix after reading a thread and my results follow...
My initial attack date was 9-23-2006 so the programs below look suspicious...

C:\WINDOWS\SYSTEM32\gebca.exe
C:\WINDOWS\SYSTEM32\dpvLPR.dll

Any suggestions on how to proceed?

Thanks :whistling: , Phil

Phil Stone - 06-09-27 14:10:19.09 Service Pack 2
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\Phil Stone\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))


2006-09-23 07:22 23,474 --a------ C:\WINDOWS\SYSTEM32\gebca.exe
2006-09-23 07:22 16,934 --a------ C:\WINDOWS\SYSTEM32\dpvLPR.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-27 00:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-25 19:06 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-24 09:54 -------- d-------- C:\Program Files\Pure Networks
2006-09-23 10:36 -------- d-------- C:\Program Files\Enigma Software Group
2006-09-23 08:42 28672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2006-09-22 17:51 -------- d-------- C:\Program Files\Symantec
2006-09-22 17:39 -------- d-------- C:\Program Files\Norton SystemWorks
2006-09-15 22:04 48816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-09-15 22:04 109744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-09-12 11:04 -------- d-------- C:\Documents and Settings\Phil Stone\Application Data\Google
2006-09-12 08:30 -------- d-------- C:\Program Files\Google
2006-09-05 13:13 -------- d-------- C:\Documents and Settings\Phil Stone\Application Data\Symantec
2006-09-05 13:08 -------- d-------- C:\Program Files\Common Files
2006-09-05 13:07 10344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
2006-09-02 18:06 -------- d-------- C:\Program Files\Java
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-13 03:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 16:02 534208 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2006-07-31 11:20 -------- d-------- C:\Program Files\America Online 9.0a
2006-07-30 15:41 -------- d---s---- C:\Documents and Settings\Phil Stone\Application Data\Microsoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Iomega Automatic Backup Pro"="\"C:\\Program Files\\Iomega\\Automatic Backup Pro\\LiveSystem.exe\" -s"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"EPSON Stylus Photo RX500"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2K1.EXE /P24 \"EPSON Stylus Photo RX500\" /O6 \"USB001\" /M \"Stylus Photo RX500\""
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1135343532\\ee\\AOLSoftware.exe"
"eFax 4.1"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"QD FastAndSafe"=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dpvLPR

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Phil Stone.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 09/27/2006 14:11:37.25
ComboFix.txt
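The two files Phil singled out can be picked out of a ComboFix log mechanically rather than by eye: the "Files Created" section carries a creation date, and the "Reg Loading Points" section lists the Winlogon\Notify subkey whose name matches one of those DLLs (DLLs registered there are loaded by winlogon.exe at every logon, which is why a same-day DLL in SYSTEM32 that also appears there deserves attention). The script below is an added example for this thread, not ComboFix's own code and not something posted by the thread's participants; its sample log is a constructed excerpt that copies a few of the lines quoted above in the same layout, and the attack date 2006-09-23 is the one Phil gives.

```python
import re
from datetime import date
from pathlib import PureWindowsPath

# Constructed excerpt in the layout of the ComboFix log quoted in the post above
# (a handful of its lines, not the whole log).
SAMPLE_LOG = r"""
((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))

2006-09-23 07:22 23,474 --a------ C:\WINDOWS\SYSTEM32\gebca.exe
2006-09-23 07:22 16,934 --a------ C:\WINDOWS\SYSTEM32\dpvLPR.dll

((((((((((((((( Find3M Report )))))))))))))))

2006-09-23 08:42 28672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll

((((((((((((( Reg Loading Points )))))))))))))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dpvLPR
"""

# Section banners look like "(((( Title ))))"; file rows are "date time size attrs path".
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# Winlogon notify packages appear as a bare key path ending in the package name.
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\\s]+)\s*$", re.IGNORECASE)


def parse_combofix(text):
    """Return file rows (with the section they came from) and Winlogon notify names."""
    section = None
    files, notify = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            title = m.group(1)
            if title.startswith("Files Created"):
                section = "files_created"
            elif title.startswith("Find3M"):
                section = "find3m"
            elif title.startswith("Reg Loading"):
                section = "reg"
            else:
                section = title
            continue
        if section == "reg":
            m = NOTIFY_RE.search(line)
            if m:
                notify.append(m.group(1))
            continue
        m = FILE_RE.match(line)
        if section in ("files_created", "find3m") and m:
            size_text = m.group(2)
            size = None if size_text.startswith("-") else int(size_text.replace(",", ""))
            files.append({
                "section": section,
                "date": date.fromisoformat(m.group(1)),
                "size": size,
                "attrs": m.group(3),
                "path": m.group(4),
            })
    return {"files": files, "winlogon_notify": notify}


def triage(parsed, attack_date):
    """Flag SYSTEM32 files created on/after the attack date; note any that are
    also registered as Winlogon notify packages. Returns [(path, [reasons])]."""
    notify_names = {n.lower() for n in parsed["winlogon_notify"]}
    findings = []
    for f in parsed["files"]:
        # Only the "Files Created" section has a creation date; Find3M rows are
        # modification times and are left for manual review.
        if f["section"] != "files_created" or f["date"] < attack_date:
            continue
        p = PureWindowsPath(f["path"])
        if "system32" not in [part.lower() for part in p.parts]:
            continue
        reasons = ["created on/after attack date in SYSTEM32"]
        if p.suffix.lower() == ".dll" and p.stem.lower() in notify_names:
            reasons.append("also registered under Winlogon\\Notify (loaded at every logon)")
        findings.append((f["path"], reasons))
    return findings


def triage_log(text, attack_date_iso):
    """Convenience wrapper: parse a log and triage it against an ISO date string."""
    return triage(parse_combofix(text), date.fromisoformat(attack_date_iso))


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG, "2006-09-23"):
        print(path, "->", "; ".join(reasons))
```

The date-plus-location rule is only a heuristic for narrowing a log down: it reports both of the files from the post, and marks dpvLPR.dll as the stronger lead because it is also a Winlogon notify package. Entries in the Find3M report, such as the driver modified on the same day, are deliberately not scored, since that section records modification rather than creation times and still needs a human reading.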


#2
findthedivine

This is FindtheDivine again...

This pop up just occurred:

http://www.winantivi...id=http com nav

Can I assume this is Winfixer?