Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Winfixer pop ups [RESOLVED]


  • Please log in to reply

#16
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Sorry I almost forgot about you :tazz:

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\awvtt.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\ttvwa.*

    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\awvtt.dll
    O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Please run this online virus scan:
Panda Active Scan You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks :)
  • 0

Advertisements


#17
andrez132

andrez132

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
active scan:


Incident Status Location

Virus:Trj/ShellHook.E Disinfected C:\!Submit\ddccb.dll
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2565ac17-1a46e36c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2565ac17-1a46e36c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2565ac17-1a46e36c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2565ac17-1a46e36c.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a20f08d-1b229ebb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a20f08d-1b229ebb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a20f08d-1b229ebb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6a20f08d-1b229ebb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-201ebb2d-122f97ea.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-201ebb2d-122f97ea.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-201ebb2d-122f97ea.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-201ebb2d-122f97ea.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-543d9588-27133300.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-543d9588-27133300.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-543d9588-27133300.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-543d9588-27133300.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-2b3fd1e-6531d11e.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-2b3fd1e-6531d11e.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-2b3fd1e-6531d11e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mifon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-2b3fd1e-6531d11e.zip[Parser.class]
Virus:Trj/ShellHook.E Disinfected C:\hjt\backups\backup-20050905-030757-170.dll
Virus:Trj/ShellHook.E Disinfected C:\hjt\backups\backup-20050905-111036-838.dll
Virus:Trj/ShellHook.E Disinfected C:\WINDOWS\SYSTEM32\awvvv.dll
Virus:Trj/ShellHook.E Disinfected C:\WINDOWS\SYSTEM32\geeby.dll

hjt:
Logfile of HijackThis v1.99.1
Scan saved at 9:37:03 AM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnnsi.com/
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://lopes.armstro...timage40803.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

vundofix:


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 152 'smss.exe'
Threads [156][160][164]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 916 'explorer.exe'
Killing PID 916 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
File Deleted sucessfully.

The day i wrote that message to you telling you that i was getting the winfixer popups again i ran a virus scan and did find some viruses on the computer. After i got rid of those i really haven't been getting the pop ups. So i guess lets just see if there is anything else that i should be worried about.
  • 0

#18
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Can you check and see if these files actually got deleted

C:\WINDOWS\SYSTEM32\awvvv.dll
C:\WINDOWS\SYSTEM32\geeby.dll

And please do this

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel

Please let me know about those two files

Thanks
  • 0

#19
andrez132

andrez132

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I couldn't find those two files and i also updated the java
  • 0

#20
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
You should be fine , any problems?
  • 0

#21
andrez132

andrez132

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks alot once again, i guess i just reacted too soon because last time i couldn't get rid of the winfixer the last time. This time i haven't seen it since i did the virus scan after i messaged you. Thanks again
  • 0

#22
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Nope you didnt overeact. This infection did comeback. Not sure why you didn't get the normal popups though. I will leave this thread open for a few days just in case :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP