Winfixer Popup [RESOLVED]


This topic is locked.

#1 mpcontrols (Member, 13 posts)
I've read many of the topics in the forum here to try and remove this problem by myself, but I can't get rid of it. Thank you in advance for any help to remove the Winfixer Popups.


Logfile of HijackThis v1.99.1
Scan saved at 8:20:48 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\qomlj.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.righ...l/java/RntX.cab
O20 - Winlogon Notify: cbxvu - D:\WINDOWS\system32\cbxvu.dll (file missing)
O20 - Winlogon Notify: qomlj - D:\WINDOWS\system32\qomlj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by mpcontrols, 08 November 2005 - 08:02 PM.



#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi mpcontrols and welcome to GeeksToGo! My name is Excal and I will be helping you.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • D:\WINDOWS\system32\qomlj.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • D:\WINDOWS\system32\jlmoq.*

    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\qomlj.dll
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O20 - Winlogon Notify: cbxvu - D:\WINDOWS\system32\cbxvu.dll (file missing)
    O20 - Winlogon Notify: qomlj - D:\WINDOWS\system32\qomlj.dll
  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder, into this topic.
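A defender's triage of the log entries Excal picked out, as an added example that is not part of this thread or of the HijackThis/VundoFix tools: it parses O2 (BHO) and O20 (Winlogon Notify) lines from a constructed sample modelled on the log above, flags the Vundo indicators (the same DLL registered as both a BHO and a Winlogon Notify handler, the "MSEvents Object" BHO name, a random five-letter DLL name in system32), separates entries that are only "(file missing)" registry residue, and derives the reversed-name second filepath that VundoFix asks for.

```python
"""Triage HijackThis O2/O20 entries for the Vundo pattern discussed above.

Added example; the indicators are the ones Excal acted on in this thread,
the heuristics themselves are this example's own.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample, modelled on the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\qomlj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: cbxvu - D:\WINDOWS\system32\cbxvu.dll (file missing)
O20 - Winlogon Notify: qomlj - D:\WINDOWS\system32\qomlj.dll
"""

# "(file missing)" marks a registry reference whose DLL is already gone.
# HijackThis still lists it, so it still has to be fixed (see post #4).
MISSING = r"(?P<missing> \(file missing\))?$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)" + MISSING)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)" + MISSING)

# Vundo dropped DLLs with random lowercase names (qomlj, cbxvu) into system32.
RANDOM_STEM = re.compile(r"^[a-z]{5}$")


def parse_hjt(text):
    """Return the O2 and O20 entries of a HijackThis log as dicts."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(raw)
            if m:
                entries.append({"kind": kind, "raw": raw, "name": m["name"],
                                "path": m["path"], "missing": m["missing"] is not None})
                break
    return entries


def reversed_companion(path):
    """Second VundoFix filepath: same folder, DLL stem reversed, any extension."""
    folder, filename = ntpath.split(path)
    stem = ntpath.splitext(filename)[0]
    return ntpath.join(folder, stem[::-1] + ".*")


def triage(entries):
    """Group entries by DLL path and flag those matching the Vundo indicators."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"].lower()].append(e)

    findings = []
    for group in by_path.values():
        path = group[0]["path"]
        stem = ntpath.splitext(ntpath.basename(path))[0]
        kinds = {e["kind"] for e in group}
        in_system32 = "\\system32\\" in path.lower()
        reasons = []
        if {"O2", "O20"} <= kinds:
            reasons.append("same DLL registered as a BHO and as a Winlogon Notify handler")
        if any(e["kind"] == "O2" and e["name"] == "MSEvents Object" for e in group):
            reasons.append("BHO named 'MSEvents Object' (the Vundo/Virtumonde label)")
        if in_system32 and RANDOM_STEM.match(stem) and "O20" in kinds:
            reasons.append("Winlogon Notify handler with a random five-letter name in system32")
        if not reasons:
            continue
        findings.append({
            "path": path,
            "reasons": reasons,
            # Every reference says "(file missing)": only registry residue is left to fix.
            "registry_residue": all(e["missing"] for e in group),
            "companion": reversed_companion(path),
            "hjt_lines": [e["raw"] for e in group],  # lines to tick and FIX CHECKED
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        state = "registry residue only" if f["registry_residue"] else "file still present"
        print(f"{f['path']}  [{state}]")
        for r in f["reasons"]:
            print(f"  - {r}")
        print(f"  second VundoFix filepath: {f['companion']}")
```

Run against a real log the same way; the legitimate Acrobat and Norton BHOs in the sample are left alone, while qomlj.dll gets all three indicators and cbxvu.dll is reported as registry residue only.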

#3 mpcontrols (Topic Starter, Member, 13 posts)
Dear Excal,

Thank you for getting back to me and offering your help. I couldn't get back to you sooner because the geekstogo site was down this morning.

I followed the instructions and did everything you suggested. I haven't seen the Winfixer Popups (I hate to say or even think about those words) since executing your instructions. I hope and pray that it's gone.

My PC seems to be okay now and my CPU usage is back down too. The high CPU (%) usage was also a problem along with the Winfixer Popups. It was staying at 100% almost constantly before I executed your suggestions.

I wanted to let you know this about the Online Scan results. Everything "it" found is on my secondary drive and not on the primary where my OS is installed. It was my original drive and is used as a file saving backup only. I wasn't using any Internet Security or Spyware scans on a day to day basis when that drive was primary. However, Spybot, Ad-Aware and MS AntiSpyware haven't found them and they scan both drives every few days. Also, Norton scans both drives on a weekly basis.

Here are the results you requested.

Logfile of HijackThis v1.99.1
Scan saved at 3:41:35 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\qomlj.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.righ...l/java/RntX.cab
O20 - Winlogon Notify: cbxvu - D:\WINDOWS\system32\cbxvu.dll (file missing)
O20 - Winlogon Notify: qomlj - D:\WINDOWS\system32\qomlj.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was D:\WINDOWS\system32\qomlj.dll

The second filepath entered was D:\WINDOWS\system32\jlmoq.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'

Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'


Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

D:\WINDOWS\system32\qomlj.dll Deleted sucessfully.
D:\WINDOWS\system32\jlmoq.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


ActiveScan Results

Incident Status Location

Adware:Adware/BrilliantDigital No disinfected C:\Program Files\KaZaA Lite\bdcore.dll
Hacktool:Hacktool/Hammer No disinfected C:\WINDOWS\TEMP\HLC_V_1\HLC.EXE
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\mscjjn.dll
Adware:Adware/WurldMedia No disinfected C:\WINDOWS\SYSTEM32\winbpupd.exe
Adware:Adware/WurldMedia No disinfected C:\WINDOWS\SYSTEM32\ditjoawo.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\SYSTEM32\n3tpa1i.dll
Virus:Trj/Downloader.L Disinfected C:\WINDOWS\inf\susp.inf
Hacktool:Hacktool/Hammer No disinfected C:\Cory\Robster Productions\Halflife Logo Creator\HLC.EXE
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\pkbates\Local Settings\Temp\cacp.dat
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\pkbates\Local Settings\Temp\dmcevaw.dat
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\pkbates\Local Settings\Temp\3pmcp.dat
Virus:W32/Disemboweler Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[CLSPACK.EXE]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[Fruit Form.xls.bat]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[Band Trailer Issue.doc.com]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[NORTHWEST GUILFORD HIGH SCHOOL.doc.bat]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[Menu.doc.com]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[Menu.doc.pif]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[band letter for packets.doc.lnk]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[FMR Assistants.doc.lnk]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[to do list.doc.lnk]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[~0008047.~]
Virus:W32/Badtrans.B Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Inbox[README.MP3.scr]
Virus:W32/Disemboweler Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[CLSPACK.EXE]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[Fruit Form.xls.bat]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[Menu.doc.pif]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[Fruit Form.xls.bat]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[Band Trailer Issue.doc.com]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[NORTHWEST GUILFORD HIGH SCHOOL.doc.bat]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[Menu.doc.com]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[band letter for packets.doc.lnk]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[FMR Assistants.doc.lnk]
Virus:W32/Sircam Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[to do list.doc.lnk]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[~0009056.~]
Virus:W32/Badtrans.B Disinfected C:\Documents and Settings\pkbates\Application Data\Mozilla\Profiles\susieq27\ir4dgmkk.slt\Mail\mail.lig.bellsouth.net\Trash[README.MP3.scr]
Virus:Trj/Downloader.L Disinfected C:\System Volume Information\_restore{75F844C2-5476-4FD9-86F3-F75B3B4B4566}\RP381\A0026584.inf

#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Right-click on the Microsoft/Giant AntiSpyware icon (looks like a target), click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re-enable it after the fix, follow the same steps but click on Enable Real-time Protection.

If you use Windows XP, go to My Computer -> Tools -> Folder Options -> View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Open HijackThis and do a scan. Please check off the following items:

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - D:\WINDOWS\system32\qomlj.dll (file missing)
O20 - Winlogon Notify: cbxvu - D:\WINDOWS\system32\cbxvu.dll (file missing)
O20 - Winlogon Notify: qomlj - D:\WINDOWS\system32\qomlj.dll (file missing)


Click FIX CHECKED, then close HijackThis.


Just a few random bad files and folders to clean up.

Please remove the following folders using Windows Explorer (if present):

C:\Program Files\KaZaA Lite
C:\WINDOWS\TEMP\HLC_V_1

  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\SYSTEM32\mscjjn.dll
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.
C:\WINDOWS\SYSTEM32\winbpupd.exe
C:\WINDOWS\SYSTEM32\ditjoawo.dll
C:\WINDOWS\SYSTEM32\n3tpa1i.dll
C:\Documents and Settings\pkbates\Local Settings\Temp\cacp.dat
C:\Documents and Settings\pkbates\Local Settings\Temp\dmcevaw.dat
C:\Documents and Settings\pkbates\Local Settings\Temp\3pmcp.dat


Post back when you finish and tell me how your computer is running :tazz:

#5 mpcontrols (Topic Starter, Member, 13 posts)
Excal,

Thanks again for your help. I did everything you asked, but the following files weren't in the location you listed. Do I need to look somewhere else for these?

C:\Documents and Settings\pkbates\Local Settings\Temp\cacp.dat
C:\Documents and Settings\pkbates\Local Settings\Temp\dmcevaw.dat
C:\Documents and Settings\pkbates\Local Settings\Temp\3pmcp.dat

My computer seems to be running well as far as I can tell. Again, I haven't had any more Winfixer popups since the first fix and it's not sluggish anymore.

#6 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Great job, it appears your computer is clean :tazz:

Ensure you re-hide your "hidden files and folders" back to the way they were.

Now that your system is malware free, it is important to reset your System Restore. Click Here to learn how.

I recommend that you defrag your computer before setting your Restore points:

Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter. Make sure it is set to the proper drive (the default should be your main drive) and click on Defragment.


Might I suggest the following free spyware programs, if you don't already have them, for added security? You can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program, as it will more than likely cause conflicts.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, this site is a great source for tightening up security on its settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure to give the Temp folders a cleaning out now and then as well. After you clean your Temp files, make sure to empty out your Recycle Bin too.
For ease, use the following program:

Cleanup
Run "Cleanup" and when it has finished, reboot.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read So how did I get infected in the first place?

#7 mpcontrols (Topic Starter, Member, 13 posts)
Excal,

Thank you again for all of your help and the Geekstogo Site. This is a fantastic site and is greatly appreciated by myself and I'm sure everyone else who uses it. Also, I made a donation and hope it helps to keep individuals like you available to help non-geeks like me.

Mpcontrols

#8 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Thanks very much, and you're welcome :)

:tazz:

Excal

#9 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.