Help me get rid of winfixer please
   

love420-13
New Member


Date Joined Jan 2006
Total Posts : 1
 
Posted 1-30-2006 6:36 (GMT +1)
Hi,
 
Winfixer is driving me MAD! Please help me get rid of it before I pull all of my hair out. Here is my HijackThis log.
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 12:18:52 PM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NoAdware4\NoAdware4.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dlbtcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120152800421
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://gamesoduser.comcast.net/classes/exentCtl.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138638423985
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D3E33EA6-92BF-444E-9DF3-E7F879F2006F} (TSRFileManagerXControl Control) - http://thesimsresource.com/TSRInstallationWizard.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/4.1.0.1414-3.0.0.7206/MILive.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/comcast/TrueInstallComcast.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkklm - C:\WINDOWS\System32\jkklm.dll (file missing)
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
 

*Cookie
Junior Member




Date Joined Oct 2005
Total Posts : 79
 
Posted 2-1-2006 11:40 (GMT +1)
Hi love420-13,
 
Your log is a bit dirty, so I suggest you follow the procedure below. It might seem a bit overwhelming, but just take one step at a time ;-) .
 
1.  Download these programmes in their own folders (i.e. on your Desktop or a permanent drive), but do not run them till I ask you to:
 
 
2.  Uninstall NoAdware4 via Control Panel -> Add/Remove Programmes
 
3.  Reboot PC into Safe Mode (tap the F8 key repeatedly at bootup – or click here).
 
4.  Run HijackThis (HJT) again and place a check mark in the box next to the entries listed below:
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
 
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\vturr.dll
 
O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:
 
O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/4.1.0.1414-3.0.0.7206/MILive.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/comcast/TrueInstallComcast.exe
 
O20 - Winlogon Notify: jkklm - C:\WINDOWS\System32\jkklm.dll (file missing)
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
 
Close all browser and explorer windows, and click "Fix checked".
 
5.  Enable “show all files” (if you don’t know how, click here).
 
6.  Search & delete the files/folders marked in red if still present:
 
C:\Program Files\NoAdware4\ <<< Delete folder

7.  Run CCleaner
 
8.  Run a full scan with Ewido:
 
Click on scanner. Click on Complete System Scan and the scan will begin.
While the scan is in progress, you will be prompted to clean files, click OK
 
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
 
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report. Save the report .txt file to your desktop. Close ewido security.
 
9.  Run VundoFix:
 
·    Double-click VundoFix.exe to run it
·    Click the Scan for Vundo button
·    Once it is done scanning, click the Remove Vundo button
·    You will receive a prompt asking if you want to remove the files, click YES
·    Once you click yes, your desktop will go blank as it starts removing Vundo
·    When completed, it will prompt that it will shutdown your computer, click OK

10.  Reboot PC into Normal mode.
 
11.  Run HJT again and post the new log together with the log from Ewido and the contents of C:\vundofix.txt in this thread for another check, please.
 
How is the PC behaving now?
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
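
Added example, not part of the original posts: a Python triage of HijackThis lines like those in the log above, listing DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20), plus Notify entries whose file is missing. Treating that overlap as a reason for a closer look is an assumption of this example, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkklm - C:\WINDOWS\System32\jkklm.dll (file missing)
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"

def parse_entries(log):
    """Yield (section code, lower-cased DLL path or None, missing flag, raw line)."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines and running-process paths carry no section code
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        # The module path is the last " - "-separated field of the entry.
        target = body.rsplit(" - ", 1)[-1].strip().lower()
        dll = target if target.endswith(".dll") else None
        yield m.group("code"), dll, missing, line.strip()

def triage(log):
    """Return (DLLs present under both O2 and O20, O20 lines with a missing file)."""
    sections = defaultdict(set)
    orphans = []
    for code, dll, missing, raw in parse_entries(log):
        if missing:
            if code == "O20":
                orphans.append(raw)
        elif dll and code in ("O2", "O20"):
            sections[dll].add(code)
    shared = sorted(d for d, codes in sections.items() if codes == {"O2", "O20"})
    return shared, orphans

if __name__ == "__main__":
    shared, orphans = triage(SAMPLE_LOG)
    print("DLLs loaded as both BHO and Winlogon Notify:", shared)
    print("Winlogon Notify entries with missing files:", orphans)
```

The output is a shortlist for manual review, not a verdict; a legitimate module such as igfxsrvc.dll appears under only one section and is not listed.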
