Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

WinFixer and other popups

Started by MorganGH , Aug 17 2005 06:31 PM

  • Please log in to reply

#1
MorganGH
Posted 17 August 2005 - 06:31 PM

MorganGH

    New Member

  • Member
  • Pip
  • 4 posts
I keep getting this WinFixer popup and it leads to tons of other popups on my client's computer. Any help would be appreciated!

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:50 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\mfjrar.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.aroundmaine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: SDWin32 Class - {0337F556-BC61-4D24-B151-ACB056BBFAA1} - C:\WINDOWS\system32\oosgr.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kpdl4p.exe reg_run
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [twzandw] C:\WINDOWS\system32\mfjrar.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...10.8/ttinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...264/mcfscan.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\kndhela2.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - WebSearch - C:\PROGRA~1\Toolbar\TBPSSvc.exe
  • 0

Advertisements

#2
Wizard
Posted 17 August 2005 - 08:23 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi MorganGH and Welcome to GeekstoGo!

That appears to be the Look2me Infection,so please download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you recieve any error messages for CMD or Autoexec.bat>> Select Option 5 from the l2mfix and once at the Site,Click on the link that apply to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!
  • 0

#3
MorganGH
Posted 18 August 2005 - 04:13 PM

MorganGH

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0C2B-1517

Directory of C:\WINDOWS\System32

08/18/2005 06:09p 417,792 ATDCXC32.DLL
08/18/2005 04:55p <DIR> dllcache
08/18/2005 02:59p 417,792 mcl_qic.dll
08/17/2005 07:49p 417,792 QDSF.DLL
08/17/2005 06:31p 82,432 eswt.exe
08/17/2005 06:26p 417,792 SNRT01.dll
08/13/2005 01:52p 417,792 ITLOADER.DLL
08/09/2005 08:27a 417,792 WNN32SPL.DLL
08/06/2005 11:17a 417,792 axtapi.dll
08/03/2005 12:11p 417,792 kjdgae.dll
07/30/2005 08:38a 417,792 wdcdlg.dll
07/29/2005 07:07a 417,792 rrgwizc.dll
07/29/2005 07:04a 417,792 fNxtiff.dll
07/29/2005 07:04a 417,792 edpsrv.dll
07/29/2005 07:04a 417,792 dbdmo.dll
07/29/2005 06:59a 417,792 ksdru.dll
07/29/2005 06:59a 417,792 kndhela2.dll
07/21/2005 09:54a 401,408 m?hta.exe
07/15/2005 08:02a 417,792 DOCPSAPI.DLL
07/13/2005 04:05p 401,408 w?wexec.exe
06/27/2005 06:41p 417,792 guard.tmp
06/25/2005 11:34a 417,792 ddskperf.dll
04/21/2004 10:55p 32 {702EE00A-92B7-4C8C-8CBE-04CC1B154568}.dat
04/21/2004 10:54p 32 {F4552BB5-EEA7-42E1-886E-E6CDC424D25C}.dat
04/21/2004 10:54p 32 {D06AF57B-E0A9-4759-B136-C67EC708661E}.dat
04/21/2004 10:52p 32 {4504522A-C46F-49B7-B09D-8D8E7980331F}.dat
04/21/2004 10:52p 32 {B9A0D286-FA82-408F-B886-3D918EC57EA0}.dat
04/21/2004 10:52p 32 {0BA8AFB1-0F97-4F1C-9A27-7516BAA05A31}.dat
04/21/2004 10:50p 32 {21C8EA3D-7D25-408B-935C-9267B4433CD0}.dat
11/13/2003 02:08p 0 insqcb.ins
29 File(s) 8,405,728 bytes
1 Dir(s) 21,019,864,064 bytes free



THANKS!
  • 0

#4
Wizard
Posted 18 August 2005 - 04:48 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Well that didnt go very well! :tazz:

Did you reieve any errors or have any problems with the Directions?
  • 0

#5
MorganGH
Posted 18 August 2005 - 05:10 PM

MorganGH

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Haha whoops! Yeah, I kept getting this message that said something about not being able to run a DOS/WIN32 application in this window. I really forget what it said, but it was something like that...
  • 0

#6
Wizard
Posted 18 August 2005 - 05:24 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Go to the Site below
http://www.tech-foru...opic/29806.html

Click the link that applies to your operating system!

Download the file!

Double Click the file and when the small window pops up,select Unzip!

Restart and Try Option 1 of the l2mfix again!
  • 0

#7
MorganGH
Posted 18 August 2005 - 05:32 PM

MorganGH

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks! I will go back to that house tomorrow morning, do the fix, and post the log-- then I'll head out to the bank, and hopefully a response will be awaiting me when I come back! Thanks again!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP