[fuzzybumblebee]

I am yet another victim of winfixer.....darn you winfixer!!!!!!

here's my log...I hope you can help!!! It's not too bad, been removing the popup that first comes on when you start up the PC through task manager...doesn't allow for other pop ups or error messages...but it's still annoying just the same.....

Edited by fuzzybumblebee, 30 August 2006 - 09:07 PM.

[Advertisements]

Hi fuzzybumblebee and Welcome to GeekstoGo!


Copy the text below into a blank notepad page and Save it to the desktop as Clr.bat but dont run it just yet.

attrib -s -h -r C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe
del C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
  
  
• This will create a VundoFix folder on your desktop.
  
  
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  
  
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  
  
• You will first be presented with a warning.
  It should look like this
  

  VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue....
  
  

  
  
• At this point press enter one time.
  
  
• Next you will see:
  

  Please Type in the filepath as instructed by the forum staff
  and then press enter:

  
  
• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\system32\geedd.dll
  
  
• Press Enter to continue with the fix.
  
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum
  staff then press enter:

• At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\ddeeg.*
  This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would enter odnuv.*
• Press Enter to continue with the fix.
• The fix will run then HijackThis will open, if it does not open automatically please open it manually.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: (no name) - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll
  
  O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe" -nag
  
  O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
• After you have fixed these items, close Hijackthis.
• Press enter to exit the program then locate and double click Clr.bat(A dos window will appear and disappear quickly)
• Reboot your computer back in normal mode.
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by Cretemonster, 28 November 2005 - 04:56 PM.

[Wizard]

Hi fuzzybumblebee and Welcome to GeekstoGo!


Copy the text below into a blank notepad page and Save it to the desktop as Clr.bat but dont run it just yet.

attrib -s -h -r C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe
del C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
  
  
• This will create a VundoFix folder on your desktop.
  
  
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  
  
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  
  
• You will first be presented with a warning.
  It should look like this
  

  VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue....
  
  

  
  
• At this point press enter one time.
  
  
• Next you will see:
  

  Please Type in the filepath as instructed by the forum staff
  and then press enter:

  
  
• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\system32\geedd.dll
  
  
• Press Enter to continue with the fix.
  
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum
  staff then press enter:

• At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\ddeeg.*
  This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would enter odnuv.*
• Press Enter to continue with the fix.
• The fix will run then HijackThis will open, if it does not open automatically please open it manually.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: (no name) - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll
  
  O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe" -nag
  
  O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
• After you have fixed these items, close Hijackthis.
• Press enter to exit the program then locate and double click Clr.bat(A dos window will appear and disappear quickly)
• Reboot your computer back in normal mode.
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by Cretemonster, 28 November 2005 - 04:56 PM.

[fuzzybumblebee]

here's my ActiveScan results....


Incident Status Location

Dialer:dialer generic Not disinfected HKEY_CLASSES_ROOT\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljgd.dll

[fuzzybumblebee]

my hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 7:46:37 PM, on 11/29/2005

Edited by fuzzybumblebee, 30 August 2006 - 09:08 PM.

[fuzzybumblebee]

and my vundofix.txt....

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\geedd.dll

The second filepath entered was C:\WINDOWS\system32\ddeeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'

Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\geedd.dll Deleted sucessfully.
C:\WINDOWS\system32\ddeeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


let me know what to do next, i'll be waiting patiently
thank you for your time and help!!

P.S. I love your avatar!!

[Wizard]

Sorry it has taken me so long to respond,had a minor issue with the site loading the last 2 days.


Lets see what else is laying around in there.


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Post the results of the WinPFind Scan.


P.S. Aint Sully just too Cool!

Edited by Cretemonster, 30 November 2005 - 05:51 PM.

[fuzzybumblebee]

SULLY TOTALLY ROCKS!!!

Don't apologize for ANYTHING! I totally understand, especially that you guys get SUPER busy around here! Lots and Lots of posts....lots and lots of needy people like me needing y'all expertise! Really, totally appreciate the time you take especially with these long long posts.. like this one...

here's my winPFind results....brace yourself, it seems to go on forever

Edited by fuzzybumblebee, 30 August 2006 - 09:10 PM.

[Wizard]

Please go to Add\Remove Programs and Remove these unless you intentionally installed them

MyWebSearch
WildTangent


Make sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp

Locate and Delete

C:\WINDOWS\system32\mljgd.dll

C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat

If you choose to Uninstall the 2 apps listed,from Add\Remove Programs,also delete these 2 folders

C:\Program Files\MyWebSearch

C:\Program Files\WildTangent


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\geedd.dll (file missing)

O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] "C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe" -nag

O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


One More Online Scan to see how we have done.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post along with a fresh HijackThs log.

[fuzzybumblebee]

when I tried to remove the MyWebSearch, it gave me this:

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll
the specified module could not be found

so I couldn't remove it from the add/remove programs

but here's my kaspersky results:



KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 15:02:57
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Edited by fuzzybumblebee, 30 August 2006 - 09:11 PM.

[fuzzybumblebee]

and here's my new hijackthis log...



Logfile of HijackThis v1.99.1
Scan saved at 3:09:44 PM, on 12/1/2005

Edited by fuzzybumblebee, 30 August 2006 - 09:12 PM.

[Wizard]

Is this PC set up to be accessed Remotly?

C:\Program Files\2Wire\sst\VNC\MotVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b

[fuzzybumblebee]

I don't know...I don't even know what the means sorry for my ignorance...

[Wizard]

Basically it means,control of the PC can be accessed remotley from anywhere.

If its not a work computer and not networked in any way and you have no idea if that software belongs.

Chances are it doesnt but the software could have also come with the PC.

[fuzzybumblebee]

oh okay, well no, I dont' access this PC from anywhere but I think the 2wire was installed when I started subscribing to the internet subscriber I'm using now.

[Wizard]

OK,thats good enough for me.

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back with a fresh HijackThis log and let me know how things are?