
Winfixer pop-up unremovable [CLOSED]



#1
Jujugygy

Dear experts,


I have done all the pre-requirements. Downloaded the cleaners and malware-spyware removers as indicated in your forum, but I still get those Winfixer pop-ups. It seems that they are unremovable. Can you please help point me in the right direction? I know it's probably the 1000th time that you've been asked for this problem, but it would really mean a lot if you could try and help me out.

Below you can find my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:42:34 AM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\WinPwdHelper.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Sametime Client\CONNECT.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\winfast.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Plextor\PlexTool.exe
C:\Program Files\Sametime Client\activmon.srv
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Notes5\pgNotes5.exe
C:\Program Files\Notes5\nlnotes.exe
C:\Program Files\Notes5\naldaemn.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Notes5\nwrdaemn.EXE
C:\Program Files\Notes5\nupdate.EXE
C:\Program Files\Notes5\namgr.EXE
C:\Program Files\Notes5\nhldaemn.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SAP6\SAPgui\saplogon.exe
C:\Program Files\SAP6\SAPgui\sapfewgsrv.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Documents and Settings\tt4428\My Documents\snagit32.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\tt4428\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.pg.com/rgs.../pg/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.pg.com/rgs.../pg/default.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.pg.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.pg.com;<local>
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqqr.dll
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\tuvut.dll
O2 - BHO: (no name) - {B313D637-F405-4052-AC37-E2119AB3C8F8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ESD3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [Sametime Connect] C:\Program Files\Sametime Client\CONNECT.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [_WinProc] C:\WINDOWS\winfast.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - Startup: SEWP Username.lnk = C:\WINDOWS\system32\UserName.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{426EAD51-E0F4-4BA1-AA7B-9F7DDC558662}: Domain = eu.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eu.pg.com,pg.com,na.pg.com,la.pg.com,ap.pg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = eu.pg.com,pg.com,na.pg.com,la.pg.com,ap.pg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eu.pg.com,pg.com,na.pg.com,la.pg.com,ap.pg.com
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll cahooknt.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqrsr - C:\WINDOWS\System32\rqrsr.dll (file missing)
O20 - Winlogon Notify: ssqqr - C:\WINDOWS\SYSTEM32\ssqqr.dll
O20 - Winlogon Notify: tuvut - C:\WINDOWS\System32\tuvut.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\Program Files\Iomega\System32\ActivityDisk.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe


#2
greyknight17

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\system32\ssqqr.dll
C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
C:\WINDOWS\System32\rqqss.*
C:\WINDOWS\winfast.exe
C:\WINDOWS\System32\rqrsr.dll
C:\WINDOWS\SYSTEM32\rsrqr.*
C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\


If you get a PendingOperations message, just close it and restart your computer manually.


Restart...

Delete this folder if found -> C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\

Please download VundoFix.exe at http://www.atribune....ds/VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
* Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
* Hit Enter key once...
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\tuvut.dll

* Press Enter after you did that.
* When asked for a second path, enter -> C:\WINDOWS\System32\tuvut.*
* Press Enter to continue with the remaining fix.
* The fix will then run HijackThis. If it doesn't open, then run HijackThis manually.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqqr.dll
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\tuvut.dll
O2 - BHO: (no name) - {B313D637-F405-4052-AC37-E2119AB3C8F8} - (no file)
O4 - HKLM\..\Run: [_WinProc] C:\WINDOWS\winfast.exe
O20 - Winlogon Notify: rqrsr - C:\WINDOWS\System32\rqrsr.dll (file missing)
O20 - Winlogon Notify: ssqqr - C:\WINDOWS\SYSTEM32\ssqqr.dll
O20 - Winlogon Notify: tuvut - C:\WINDOWS\System32\tuvut.dll


* After you have fixed these items, close HijackThis.
* Press Enter key to exit the program.
* Once your machine reboots please continue with the instructions below.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose NO when asked if you want to logoff.

Run an online virus scan at ActiveScan http://www.pandasoft.../activescan.htm

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
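Added example (not part of the thread, and not greyknight17's method): a small Python triage pass over HijackThis O2/O20 lines that surfaces the two patterns visible in the entries selected for fixing above, namely a DLL registered as both a BHO and a Winlogon Notify package, and a registration whose file is absent. The function names and the heuristics are assumptions made for illustration; the output is a list of candidates for review, not a verdict, and it does not reproduce the helper's list exactly.

```python
import re
from collections import defaultdict

# Constructed sample: nine lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ssqqr.dll
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\tuvut.dll
O2 - BHO: (no name) - {B313D637-F405-4052-AC37-E2119AB3C8F8} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqrsr - C:\WINDOWS\System32\rqrsr.dll (file missing)
O20 - Winlogon Notify: ssqqr - C:\WINDOWS\SYSTEM32\ssqqr.dll
O20 - Winlogon Notify: tuvut - C:\WINDOWS\System32\tuvut.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
ABSENT = re.compile(r"\s*\((no file|file missing)\)$")

def parse(log):
    """Yield (section, fields) for every O-section line; fields[-1] is the target."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(3).split(" - ")

def triage(log):
    """Return {path or CLSID: [reasons]} for O2 (BHO) and O20 (Winlogon Notify) entries."""
    loaders = defaultdict(set)   # lower-cased path -> sections that load it
    findings = defaultdict(set)
    for section, fields in parse(log):
        if section not in ("O2", "O20"):
            continue
        target = fields[-1]
        path = ABSENT.sub("", target).lower()
        if ABSENT.search(target):
            # No path left for "(no file)": fall back to the CLSID field.
            findings[path or fields[-2].lower()].add("registered but file absent")
        if path:
            loaders[path].add(section)
    for path, sections in loaders.items():
        if sections == {"O2", "O20"}:
            findings[path].add("loaded as both BHO and Winlogon Notify")
    return {key: sorted(reasons) for key, reasons in findings.items()}

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

Paths are compared case-insensitively because the log records the same DLL as `system32` in one entry and `SYSTEM32` in another.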

#3
greyknight17

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.