
January 20th, 2006 01:00

Help! Winfixer taking over my computer

I downloaded hijack this and here's what I copied

Logfile of HijackThis v1.99.1
Scan saved at 10:25:58 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wvu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\opnkl.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [McafDellTag] C:\Program Files\McAfee.com\Agent\mcdeltag.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /scan
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC9D79E-F8EB-45E1-973C-FA98009BC7EB}: NameServer = 69.43.32.27 66.118.64.1
O20 - Winlogon Notify: opnkl - C:\WINDOWS\system32\opnkl.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

I know NOTHING about computers. I'm just following a forum. Also, I keep having these messages pop up and taking over my computer. Please tell me what I should do next. I searched for all files and folders containing winfixer and deleted them all; only one file will NOT delete. Also, I have done a virus scan and it says no viruses detected.
Please help.

3 Apprentice


15.2K Posts

January 20th, 2006 13:00

First, you should move HJT from your root directory C:\ into a separate folder of its own... We recommend using folder C:\HJT, so that it will then appear in your log under running processes as C:\HJT\HijackThis.exe

This is important because HJT generates log files, and backup files, in the folder from which it is run. So at present, all these logs/backups will just "clutter-up" your Desktop. And if you simply delete them from there, you'll lose the important backup information, which may be needed in case you have to "undo" [restore] some of the things you "FIX" incorrectly.

****************************

You have TWO separate WinFixer infections: an installer, and a Vundo trojan:

First, a comment: You have a "Browser Helper Object" called Need2Find Bar; as a rule, this is considered a bad/ADWARE-MWSearch item. However, this toolbar is now "owned" by AskJeeves, which many people want, and consider reputable. So, if you have knowingly/intentionally installed the Need2Find bar, and really want to keep it, then you should NOT "check it" with the items in my list... however, if you don't know anything about this, or no longer want/need it, I suggest we get rid of it.

We're also gonna remove the RXToolbar (Adware).

Please note how I've "color-coded" this for your convenience, if you decide not to remove some items:

WinFixer RED                   Need2Find BLUE                    RXToolbar BLACK

 

For the installer:

Close your Internet browser.

Run HJT. Click on DO A SYSTEM SCAN ONLY.

Place a check-mark in the box in front of each of the lines:

 

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL

O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll

O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /scan


 

Click on FIX CHECKED. Close HJT. Reboot. And see if this WinFixer installer comes back or not.

[If this WinFixer is still there... i.e., if this particular O4-line still appears in your log after rebooting... then you should reboot your system into SAFE MODE (by tapping the F8-key during the boot-up process, and selecting SAFE MODE), and try this FIX again while running HJT in SAFE MODE; and then, reboot into NORMAL mode.]

Note: if for any reason, you can't delete this [even in SAFE mode], then just let me know, as there's an alternate procedure we can try instead.

 

****************************

For the Vundo trojan:

Download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

Just reboot if your system "jams".

*********************

It's now time to report back to us:

VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.

 

Message Edited by ky331 on 01-20-2006 10:31 AM
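The helper above triages the HJT log by hand: a watch list of names (WinFixer, Need2Find, RXToolbar) plus the Vundo pattern of one DLL (opnkl.dll) registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20). The script below is an added example, not part of this thread and not HijackThis or VirtumundoBeGone code; it parses the O2/O3/O4/O20 line formats shown in the logs and applies those two checks. The watch-list terms and the trimmed sample log are constructed here from the lines in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HJT logs posted in this thread.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\opnkl.dll",
    r"O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL",
    r"O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r'O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /scan',
    r"O20 - Winlogon Notify: opnkl - C:\WINDOWS\system32\opnkl.dll",
]

# Assumed watch list, built from the names the helper called out in this thread.
WATCHLIST = ("winfixer", "need2find", "rxtoolbar")


@dataclass(frozen=True)
class Entry:
    section: str   # O2, O3, O4 or O20
    name: str      # BHO / toolbar / Run-value / Notify name
    path: str      # file the entry points at (executable only, for O4)


_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}
# First ".exe" token of a Run-value command line, with surrounding quotes dropped.
_EXE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


def _exe_from_command(command: str) -> str:
    """Strip quotes and trailing arguments (e.g. '/scan') from a Run-value command."""
    m = _EXE.match(command)
    return m.group("exe") if m else command


def parse_hjt(lines):
    """Turn O2/O3/O4/O20 lines into Entry objects; lines of other sections are ignored."""
    entries = []
    for line in lines:
        line = line.strip()
        for section, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if m:
                path = m.group("path")
                if section == "O4":
                    path = _exe_from_command(path)
                entries.append(Entry(section, m.group("name"), path))
                break
    return entries


def bho_winlogon_overlap(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify handler (O20).

    This is the pairing the helper identified as the Vundo trojan (opnkl.dll).
    Paths are compared case-insensitively because Windows paths are."""
    bho = {e.path.lower() for e in entries if e.section == "O2"}
    notify = {e.path.lower() for e in entries if e.section == "O20"}
    return sorted(bho & notify)


def watchlist_hits(entries, watchlist=WATCHLIST):
    """Entries whose name or path contains a watch-list term (case-insensitive)."""
    hits = []
    for e in entries:
        haystack = (e.name + " " + e.path).lower()
        if any(term in haystack for term in watchlist):
            hits.append(e)
    return hits


def triage(lines, watchlist=WATCHLIST):
    """Run both checks and return the findings as plain strings for a report."""
    entries = parse_hjt(lines)
    return {
        "watchlist": [f"{e.section}: {e.name}" for e in watchlist_hits(entries, watchlist)],
        "bho_winlogon_overlap": bho_winlogon_overlap(entries),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG_LINES).items():
        print(finding)
        for item in items:
            print("  ", item)
```

On the sample above the overlap check returns only opnkl.dll, and the watch list flags the same three O2/O3/O4 entries the helper asked the poster to fix; the legitimate Acrobat BHO and the Apoint Run value pass both checks. A real triage would feed the whole log in and keep the watch list in a file rather than in code.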

10 Posts

January 20th, 2006 14:00

First, thank you SO much for helping me. I know nothing about computers and neither does my husband. OK, I went ahead and did the first two steps. I'm pretty sure I did them right. Here's my log view thing
 
 
Logfile of HijackThis v1.99.1
Scan saved at 11:18:51 AM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wvu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\opnkl.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC9D79E-F8EB-45E1-973C-FA98009BC7EB}: NameServer = 69.43.32.27 66.118.64.1
O20 - Winlogon Notify: opnkl - C:\WINDOWS\system32\opnkl.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
 
I removed all 3. Now I'm going to reboot and then go to the virtumundobegone link, download, open, and hope for the best

10 Posts

January 20th, 2006 14:00

Thank you so much. Here are my VBG results.
Also, do I just delete the two items that were created on my desktop?
 

[01/20/2006, 11:38:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Maranda\Desktop\VirtumundoBeGone.exe" )
[01/20/2006, 11:38:53] - Detected System Information:
[01/20/2006, 11:38:53] -  Windows Version: 5.1.2600, Service Pack 2
[01/20/2006, 11:38:53] -  Current Username: Maranda (Admin)
[01/20/2006, 11:38:53] -  Windows is in NORMAL mode.
[01/20/2006, 11:38:53] - Searching for Browser Helper Objects:
[01/20/2006, 11:38:53] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/20/2006, 11:38:53] -  BHO 2: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
[01/20/2006, 11:38:53] - ALERT: Found ATLDistrib Object!
[01/20/2006, 11:38:53] -  BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/20/2006, 11:38:53] - Finished Searching Browser Helper Objects
[01/20/2006, 11:38:53] - *** Detected ATLDistrib Object
[01/20/2006, 11:38:53] - Trying to remove ATLDistrib Object...
[01/20/2006, 11:38:54] -    Terminating Process: IEXPLORE.EXE
[01/20/2006, 11:38:54] -    Terminating Process: RUNDLL32.EXE
[01/20/2006, 11:38:55] -    Disabling Automatic Shell Restart
[01/20/2006, 11:38:55] -    Terminating Process: EXPLORER.EXE
[01/20/2006, 11:38:55] -    Suspending the NT Session Manager System Service
[01/20/2006, 11:38:55] -    Terminating Windows NT Logon/Logoff Manager
[01/20/2006, 11:38:56] -    Re-enabling Automatic Shell Restart
[01/20/2006, 11:38:56] -   File to disable: C:\WINDOWS\system32\opnkl.dll
[01/20/2006, 11:38:56] -  Renaming C:\WINDOWS\system32\opnkl.dll -> C:\WINDOWS\system32\opnkl.dll.vir
[01/20/2006, 11:38:56] -  File successfully renamed!
[01/20/2006, 11:38:56] -   Removing HKLM\...\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/20/2006, 11:38:56] -   Removing HKCR\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/20/2006, 11:38:56] -   Adding Kill Bit for ActiveX for GUID: {2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/20/2006, 11:38:56] -   Deleting ATLEvents/MSEvents Registry entries
[01/20/2006, 11:38:56] -   Removing HKLM\...\Winlogon\Notify\opnkl
[01/20/2006, 11:38:56] - Searching for Browser Helper Objects:
[01/20/2006, 11:38:56] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/20/2006, 11:38:56] -  BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/20/2006, 11:38:56] - Finished Searching Browser Helper Objects
[01/20/2006, 11:38:56] - Finishing up...
[01/20/2006, 11:38:56] - A restart is needed.
[01/20/2006, 11:38:56] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/20/2006, 11:39:05] - Attempting to Restart via STOP error (Blue Screen!)

3 Apprentice


15.2K Posts

January 20th, 2006 14:00

So far, so good... you may not know much about computers, but it seems you're good at following directions. You've moved HJT nicely, and removed the 3 bad items (WinFixer installer, the Browser Helper, and the toolbar).

Waiting for your post-VBG results....

3 Apprentice


15.2K Posts

January 20th, 2006 15:00

What icons are we talking about? The log file (VBG.txt) can certainly be removed. If you're talking about the VBG program itself, that's an optional removal... wouldn't hurt to keep it around, just in case you ever need it again. [Of course, if you get another infection, you could always download it again when you actually need it...]

**************

Nice work. Looks like VirtumundoBeGone successfully deactivated the bad WinFixer-trojan  file. Have you noticed any difference, in terms of WinFixer popups, warnings about trojan vundo/virtumundo, and/or overall system speed/performance?

******************

It appears you're running Sun Java j2re1.4.2_03. There is much speculation that a "hole" in this particular version is being exploited by WinFixer. So we should upgrade to the latest version, 1.5.0_06, from http://www.java.com/en/download/manual.jsp
My personal preference is to download the MANUAL (OFFline) installation version (16 MB). But if you prefer the online installation, that choice is yours.

AFTER you successfully install the new Java, go to your Control Panel, ADD/REMOVE programs, and UNinstall all older versions of Java (if any) that still show up there.... especially the 1.4.2_03.

When you're done, REPLY here, and post an updated/revised HJT log.

At that point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when  the next helper will arrive.

 

Good luck.

 
