Winfixer
 

hey guys, im another one of the victims of this damn nasty winfixer thing. Ive read a couple of posts like this and tried to see if those items appeared on HJT but it wasnt there, so im going to post mine. o yea this winfixer thing prompts me to install winfixer and after i close that window it forwards me to this winfixer website. heres my log

THANKS!

Logfile of HijackThis v1.99.1
Scan saved at 9:34:10 PM, on 11/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Anthony Espiritu\Desktop\HiJack This.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: msnim - 0 - (no file)
O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

Re: Winfixer
 

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning.
  It should look like this
  
  Quote:

  VundoFix V2.1 by Atri By pressing enter you agree that you are using this at your own risk.

• At this point press enter one time.
• Next you will see:
  
  Quote:

  Type in the filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  
  
  • C:\WINNT\System32\ddcaa.dll
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
• Next you will see:
  
  Quote:

  Please type in the second filepath as instructed by the forum staff Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  
  
  • C:\WINNT\System32\aacdd.*
  
  
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
• The fix will run then HijackThis will open.
• In HijackThis, please place a check next to the following items and click FIX CHECKED:
  
  
  • O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll
    
    O18 - Protocol: msnim - 0 - (no file)
    O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll
  
  
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

Re: Winfixer
 

gah.....when i went to safe mode and ran killvundo.bat i had everything going on right except for the part when u said to type in "C:\WINNT\System32\ddcaa.dll" press enter, f6 then enter again, it said a message that said couldnt find hijackthis.exe then it made me boot my computer up again, thanks!

Re: Winfixer
 

Try creating a folder in your Program Files folder and call it 'Hijackthis.' Move hijackthis from the desktop to that folder and run the fix again.
Will look like this;

C:\Program Files\Hijackthis\hijackthis.exe

Re: Winfixer
 

hey, thanks for the reply, i got hijackthis to work

ok so this is the result with the new hijack this LOG
Logfile of HijackThis v1.99.1
Scan saved at 9:52:20 PM, on 11/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Anthony Espiritu\Desktop\HiJack This.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\imapi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164566773725
O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

this is the vundofix.txt
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

hijackthis.exe
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINNT\System32\ddcaa.dll

The second filepath entered was C:\WINNT\System32\aacdd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'

Killing PID 696 'explorer.exe'


Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINNT\System32\ddcaa.dll Deleted sucessfully.
C:\WINNT\System32\aacdd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

and this is the result with activescan

Incident Status Location

Spyware:Spyware/New.net Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\SHNT288.exe
Spyware:Spyware/Virtumonde Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\Temporary Internet Files\Content.IE5\JBFGNFGT\w[1].exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\Temporary Internet Files\Content.IE5\XYJ4O2ZE\archive[1].jar[A.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\Temporary Internet Files\Content.IE5\XYJ4O2ZE\archive[1].jar[BlackBox.class]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whAgent.inf]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whAgent.exe]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whInstaller.exe]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whSurvey.exe]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[webhdll.dll]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whiehlpr.dll]
THANKS!

Re: Winfixer
 

Can you please do the following.

===============

When we're done cleaning off your system, I'd recommend that you install all the critical windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:


O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll (file missing)

O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

==

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.