
another winfixer victim



#1
fuzzybumblebee

  • Member
  • 12 posts
I am yet another victim of winfixer.....darn you winfixer!!!!!! :tazz:

here's my log...I hope you can help!!! It's not too bad, been removing the popup that first comes on when you start up the PC through task manager...doesn't allow for other pop ups or error messages...but it's still annoying just the same.....

Edited by fuzzybumblebee, 30 August 2006 - 09:07 PM.

  • 0


#2
Wizard

  • Retired Staff
  • 5,661 posts
Hi fuzzybumblebee and Welcome to GeekstoGo!


Copy the text below into a blank Notepad page and save it to the desktop as Clr.bat, but don't run it just yet.


rem Clear the system, hidden and read-only attributes, then delete the installer
attrib -s -h -r "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe"
del "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe"



Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files

  • This will create a VundoFix folder on your desktop.

  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat

  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\geedd.dll

  • Press Enter to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ddeeg.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: (no name) - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll

    O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe" -nag

    O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program, then locate and double-click Clr.bat (a DOS window will appear and disappear quickly)
  • Reboot your computer back in normal mode.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by Cretemonster, 28 November 2005 - 04:56 PM.

  • 0
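
A defender-side triage of the pattern the post above removes, as an added example that is not part of the original thread: it parses HijackThis lines, flags a DLL registered as both a BHO (O2) and a Winlogon Notify entry (O20), and lists files whose name is that DLL's name spelt backwards. The function names, the directory listing and the O2+O20 heuristic are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the three HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll
O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe" -nag
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
"""
# Constructed system32 listing; only geedd.dll and the "ddeeg" stem come from the thread.
SAMPLE_SYSTEM32 = ["kernel32.dll", "geedd.dll", "ddeeg.ini", "ddeeg.bak", "user32.dll"]

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .dll/.exe; tolerates spaces inside quoted paths.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)


def parse_entries(log):
    """Return (section, path) for every HijackThis line that names a file."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m.group(2))
        if p:
            entries.append((m.group(1), PureWindowsPath(p.group(0))))
    return entries


def reversed_companions(dll, listing):
    """Files whose stem is the DLL's stem reversed (the 'ddeeg.*' pattern)."""
    target = dll.stem[::-1].lower()
    own = dll.name.lower()  # a palindromic stem must not match the DLL itself
    return sorted(n for n in listing
                  if PureWindowsPath(n).stem.lower() == target and n.lower() != own)


def triage(log, listing):
    """Flag DLLs loaded via both O2 and O20, with their reversed-name files."""
    sections = {}
    for sec, path in parse_entries(log):
        sections.setdefault(str(path).lower(), set()).add(sec)
    return [(path, reversed_companions(PureWindowsPath(path), listing))
            for path, secs in sections.items() if {"O2", "O20"} <= secs]


if __name__ == "__main__":
    for path, companions in triage(SAMPLE_LOG, SAMPLE_SYSTEM32):
        print(path, "->", companions)
```
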

#3
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
here's my ActiveScan results....


Incident                      Status            Location

Dialer:dialer generic         Not disinfected   HKEY_CLASSES_ROOT\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}
Spyware:spyware/virtumonde    Not disinfected   Windows Registry
Spyware:Spyware/Virtumonde    Not disinfected   C:\WINDOWS\system32\mljgd.dll
  • 0

#4
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
my hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 7:46:37 PM, on 11/29/2005

Edited by fuzzybumblebee, 30 August 2006 - 09:08 PM.

  • 0

#5
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
and my vundofix.txt....

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\geedd.dll

The second filepath entered was C:\WINDOWS\system32\ddeeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'

Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\geedd.dll Deleted sucessfully.
C:\WINDOWS\system32\ddeeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


let me know what to do next, I'll be waiting patiently :tazz:
thank you for your time and help!! :)

P.S. I love your avatar!! :)
  • 0

#6
Wizard

  • Retired Staff
  • 5,661 posts
Sorry it has taken me so long to respond, had a minor issue with the site loading the last 2 days.


Let's see what else is lying around in there.


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

From the WinPFind folder-> Double-click WinPFind.exe and click "Start Scan"

It will scan the entire system, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Post the results of the WinPFind Scan.


P.S. Ain't Sully just too Cool! :tazz:

Edited by Cretemonster, 30 November 2005 - 05:51 PM.

  • 0

#7
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
SULLY TOTALLY ROCKS!!! :woot:

Don't apologize for ANYTHING! :) I totally understand, especially that you guys get SUPER busy around here! Lots and Lots of posts....lots and lots of needy people like me needing y'all expertise! Really, totally appreciate the time you take :tazz: especially with these long long posts.. like this one...

here's my winPFind results....brace yourself, it seems to go on forever :)

Edited by fuzzybumblebee, 30 August 2006 - 09:10 PM.

  • 0

#8
Wizard

  • Retired Staff
  • 5,661 posts
Please go to Add\Remove Programs and Remove these unless you intentionally installed them

MyWebSearch
WildTangent



Make sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp

Locate and Delete

C:\WINDOWS\system32\mljgd.dll

C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat

If you choose to uninstall the 2 apps listed from Add\Remove Programs, also delete these 2 folders

C:\Program Files\MyWebSearch

C:\Program Files\WildTangent


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll (file missing)

O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe" -nag

O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


One More Online Scan to see how we have done.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.

  • 0

#9
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
when I tried to remove the MyWebSearch, it gave me this:

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll
the specified module could not be found

so I couldn't remove it from the add/remove programs :tazz:

but here's my kaspersky results:



KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 15:02:57
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Edited by fuzzybumblebee, 30 August 2006 - 09:11 PM.

  • 0

#10
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
and here's my new hijackthis log...



Logfile of HijackThis v1.99.1
Scan saved at 3:09:44 PM, on 12/1/2005

Edited by fuzzybumblebee, 30 August 2006 - 09:12 PM.

  • 0


#11
Wizard

  • Retired Staff
  • 5,661 posts
Is this PC set up to be accessed remotely?

C:\Program Files\2Wire\sst\VNC\MotVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
  • 0

#12
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
I don't know...I don't even know what that means :) sorry for my ignorance... :tazz:
  • 0

#13
Wizard

  • Retired Staff
  • 5,661 posts
Basically it means control of the PC can be accessed remotely from anywhere.

If it's not a work computer and not networked in any way and you have no idea if that software belongs.

Chances are it doesn't but the software could have also come with the PC.
  • 0

#14
fuzzybumblebee

  • Topic Starter
  • Member
  • 12 posts
oh okay, well no, I don't access this PC from anywhere but I think the 2wire was installed when I started subscribing to the internet subscriber I'm using now.
  • 0

#15
Wizard

  • Retired Staff
  • 5,661 posts
OK, that's good enough for me.

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back with a fresh HijackThis log and let me know how things are?
  • 0





