Winfixer

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning.
  It should look like this

  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk.

• At this point press enter one time.
• Next you will see:

  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):

  C:\WINNT\System32\ddcaa.dll

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINNT\System32\aacdd.*

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

[*]The fix will run then HijackThis will open.
[*]In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll

O18 - Protocol: msnim - 0 - (no file)
O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll

[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

gah.....when i went to safe mode and ran killvundo.bat i had everything going on right except for the part when u said to type in "C:\WINNT\System32\ddcaa.dll" press enter, f6 then enter again, it said a message that said couldnt find hijackthis.exe then it made me boot my computer up again, thanks!

Try creating a folder in your Program Files folder and call it 'Hijackthis.' Move hijackthis from the desktop to that folder and run the fix again.
Will look like this;

C:\Program Files\Hijackthis\hijackthis.exe

Try creating a folder in your Program Files folder and call it 'Hijackthis.' Move hijackthis from the desktop to that folder and run the fix again.
Will look like this;

C:\Program Files\Hijackthis\hijackthis.exe

Try creating a folder in your Program Files folder and call it 'Hijackthis.' Move hijackthis from the desktop to that folder and run the fix again.
Will look like this;

C:\Program Files\Hijackthis\hijackthis.exe

hey, thanks for the reply, i got hijackthis to work

ok so this is the result with the new hijack this LOG
Logfile of HijackThis v1.99.1
Scan saved at 9:52:20 PM, on 11/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Anthony Espiritu\Desktop\HiJack This.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\imapi.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164566773725
O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

this is the vundofix.txt
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

hijackthis.exe
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINNT\System32\ddcaa.dll

The second filepath entered was C:\WINNT\System32\aacdd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 148 'smss.exe'

Killing PID 696 'explorer.exe'

Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINNT\System32\ddcaa.dll Deleted sucessfully.
C:\WINNT\System32\aacdd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

and this is the result with activescan

Incident Status Location

Spyware:Spyware/New.net Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\SHNT288.exe
Spyware:Spyware/Virtumonde Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\Temporary Internet Files\Content.IE5\JBFGNFGT\w[1].exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\Temporary Internet Files\Content.IE5\XYJ4O2ZE\archive[1].jar[A.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\Temporary Internet Files\Content.IE5\XYJ4O2ZE\archive[1].jar[BlackBox.class]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whAgent.inf]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whAgent.exe]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whInstaller.exe]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whSurvey.exe]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[webhdll.dll]
Adware:Adware/WebHancer Not desinfected C:\Documents and Settings\Anthony Espiritu\Local Settings\Temp\wh.exe[whiehlpr.dll]
THANKS!

Can you please do the following.

===============

When we're done cleaning off your system, I'd recommend that you install all the critical windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINNT\System32\ddcaa.dll (file missing)

O20 - Winlogon Notify: ddcaa - C:\WINNT\System32\ddcaa.dll (file missing)

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

==

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.