can't remove winfixer



ElliottQ
2005-11-25, 03:28
Have run Trend Micro antivirus with current defs and also Spybot 1.4 with current defs. Spybot finds winfixer and says it does a successful uninstall, but winfixer keeps coming back. Just ran Spybot and winfixer came back, and then ran HijackThis. Log file is attached.

Can you help?

And is it possible for spybot to do this successfully without this customized process?

Thank you.

Elliott
Logfile of HijackThis v1.99.1
Scan saved at 7:06:39 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
just after Spybot has run and winfixer APPEARS to be gone

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dlbtcoms.exe
C:\Install\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f530.mail.yahoo.com/ym/login?.rand=9bm5a459qloq9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.alief.isd.tenet.edu/tech/tsweb/msrdp.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Copy pasted log. - tashi

LonnyRJones
2005-11-25, 15:26
Welcome to the forum ElliottQ

Please download VundoFix.exe to your desktop.
http://www.atribune.org/downloads/VundoFix.exe
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.
Click here if needed (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx) for instructions.
Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
A command window will open and it should look like this:

VundoFix V2.15 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\mllmj.dll

Press Enter.
Next you will see:

Please type in the second filepath as instructed by the forum staff
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\jmllm.*
Press Enter to continue.
The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll

After you have fixed these items, close Hijackthis.
The fix will tell you to shutdown using the Power button. Hold in your power button until the computer shuts down. Wait about 15 seconds and then restart the computer into regular windows.
Chkdsk will run. This is normal. It will take a few minutes and is checking your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/
Allow them to clean
Panda will have the option to create a log after the scan has finished. Click the See Report button. Then click the Save Report button. It will be saved under the name activescan.txt. Do that and post that log into your next reply here.
Go manually update the Sun Java plugin.
j2re1.4.2_01 is several builds old
Click download now: http://java.com/en/download/index.jsp
Run HijackThis and post the new log and the vundofix.txt file from the VundoFix folder as well.
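
Added example, not from this thread and not part of VundoFix or HijackThis: a small triage script that reads HijackThis 1.99 log lines and picks out the pattern the fix above targets, a DLL that is registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), so it is reloaded by both Internet Explorer and winlogon and survives a plain uninstall. It also derives the second path Lonny asks for by reversing the DLL's base name (mllmj.dll gives jmllm.*); that naming rule is an assumption taken from the two paths in the instructions above, not a documented specification. The sample lines are copied from the log posted in this thread.

```python
"""Triage HijackThis O2/O20 lines for a DLL with double persistence.

Added example (not the thread's own tool): parses BHO (O2) and Winlogon
Notify (O20) entries, pairs those that load the same DLL, and prints the
two HijackThis lines to "fix checked" plus the reversed-name companion
glob the forum fix deletes. The reversed-name rule is an assumption taken
from the two paths given in the thread (mllmj.dll -> jmllm.*).
"""
import ntpath
import re

# Sample input: O2/O20 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
"""

# "O2 - BHO: <name> - {<clsid>} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "O20 - Winlogon Notify: <registry key> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_log(text):
    """Split a log into BHO entries and Winlogon Notify entries."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"line": line, "name": m["name"],
                         "clsid": m["clsid"].upper(), "path": m["path"].strip()})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({"line": line, "key": m["key"], "path": m["path"].strip()})
    return bhos, notifies


def companion_glob(dll_path):
    """Reverse the DLL's base name to get the second path the fix deletes.

    Assumption from the thread's two paths, e.g. mllmj.dll -> jmllm.*"""
    folder, base = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(base)
    return ntpath.join(folder, stem[::-1] + ".*")


def triage(text):
    """Return one hit per DLL that is both a BHO and a Winlogon Notify handler."""
    bhos, notifies = parse_log(text)
    notify_by_path = {}
    for n in notifies:
        # Windows paths are case-insensitive; compare on the lowered form.
        notify_by_path.setdefault(n["path"].lower(), []).append(n)
    hits = []
    for b in bhos:
        for n in notify_by_path.get(b["path"].lower(), []):
            hits.append({
                "dll": b["path"],
                "clsid": b["clsid"],
                "companion": companion_glob(b["path"]),
                "fix_checked": [b["line"], n["line"]],   # lines to tick in HijackThis
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("VundoFix path 1:", hit["dll"])
        print("VundoFix path 2:", hit["companion"])
        print("HijackThis, fix checked:")
        for line in hit["fix_checked"]:
            print("  ", line)
```

Run it against a saved log (replace SAMPLE_LOG with the file's contents) and compare its output with the two paths and two HijackThis lines above; a DLL that shows up only as a BHO or only as a Winlogon Notify entry (igfxsrvc.dll in the sample) is not flagged.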

ElliottQ
2005-11-26, 01:23
Lonny,

Thank you. I have downloaded vundo and will work on this tomorrow.

Please advise.

Your note sounds like this fix may or may not work. Is that correct?
Is this winfixer a particularly nasty spyware? I am surprised that if you all know about it, Spybot can't just fix it.

My daughter's (infected) computer is brand new and she had hardly been on the internet at all. Do you know where winfixer is picked up?

Thank you.

LonnyRJones
2005-11-26, 01:38
Hi. 9 times out of ten VundoFix works the first time it's used.
It keeps changing, so tools like our Spybot have a hard time with it.

"Do you know where winfixer is picked up?"
I wish I did. Maybe you can help: make and run this batch file and then send me
a copy of the C:\index.dat?

Copy the lines below into a new Notepad document (not WordPad).
Click File > Save As... > call it copy.bat > file type *All Files* > and save it to the desktop.


rem Change to the IE cache folder (8.3 short names for "Local Settings\Temporary Internet Files"); /d also switches drive
cd /d %USERPROFILE%\LocalS~1\Tempor~1\content.ie5\
rem Clear the hidden, read-only and system attributes so the file can be copied
attrib -h -r -s index.dat
rem Copy it to the root of the system drive, i.e. C:\index.dat
copy index.dat %systemdrive%\


Run copy.bat and send me the C:\index.dat file

Send to lonnyATsubratam.org
Replace AT with @ and include a link back to this thread.

ElliottQ
2005-11-26, 19:07
I followed your instructions. Vundo and HijackThis files are attached.

During the clean process I noted 2 problems.
1. when I checked
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll at the end of the line it said "file missing"
2. Also after the power down and power up, the PC did not do a chkdsk.

I ran spybot after all of the above and it found 7 spywares including winfixer. I deleted all except winfixer.

Questions:
1. what about the above 2 problems?
2. Did your fix not work since I waited a day or so from your instructions until running your fix, and in that time winfixer changed into something else?
3. I have heard that Xoft works well. Should I purchase and try that?
4. Since winfixer seems to sell their software to whom should I report them for such a nefarious selling technique?
5. What is your next recommendation?
Thank you.

ElliottQ
2005-11-26, 19:58
Since having started all this I tried to get on to this new PC as the administrator to set a password. I can't. I tried blank, password, dell, and microsoft but it won't let me in. Does winfixer put its own password in under the admin account?

LonnyRJones
2005-11-27, 08:03
Hi

Why are you trying to get into the safe mode administrator account?
If I recall correctly that's a normal symptom for Dell PCs; I will ask around.
Normal safe mode would be fine, but you already ran the fix, so why are you going there now?

ElliottQ
2005-11-27, 20:18
Lonny,

I was trying to logon as admin just to set the password since PCs are normally delivered with a blank admin password and I am told that it should be set to a specific password to keep hackers out. This is my daughter's new computer and I was distressed to find that the password was not blank and I could not reset it.

Also you missed my prior post from yesterday at 18:07 indicating that the fix you suggested did not work. I posted the files you requested and a number of questions.

Please advise.

Elliott

LonnyRJones
2005-11-27, 22:26
Hi

Where is the index.dat file I asked for? Is it possible to send?

I mentioned to post a new HijackThis log in text format, not doc.

When you ran VundoFix did you do so from safe mode?

thanks

ElliottQ
2005-11-27, 22:42
Hi Lonny,

I didn't post the index.dat because I was waiting till we had the problem solved. I thought that was to help you figure out how we got the darn spyware. As for txt or doc, sorry I missed that one. Can you provide any answers with what I sent, or did I blow it?

Here is the problem. This is my daughter's computer that I just purchased for her. She is in Houston. I was visiting over the holiday and now I am back home in Indy. She is new to PCs and probably doesn't have the skill or patience to follow all these steps as needed. One of the questions I asked you was regarding Xoft. I would be willing to pay the $40 bucks to solve her problem. Do you know if it works?

As for spybot, I have contributed in the past and will again - do you think it will be improved in the near future to deal with winfixer without having to do all this extra stuff?

And yes, I did run VundoFix from safe mode.

Did you get an answer to my question about winfixer possibly hijacking the admin password?

Thanx so much.

LonnyRJones
2005-11-27, 22:53
Hi

I believe Spy Sweeper can get Vundo; it might have to be run a few times.

As I said, it's common on Dell PCs for the admin account to have a password.
Check its paperwork or perhaps ask Dell.

I cannot/won't open that hijackthis.doc; perhaps you can open it and change it to text formatting.

tashi
2005-12-04, 12:25
Hello ElliottQ.

There is no one security program or magic bullet that will protect anyone's computer, other than not getting on the net at all.
Or not using other people's floppies, CDs etc.

Certain malware has to be removed manually once the computer is infected.
Infections can and do take place within minutes of being on the internet if the computer is not secured correctly.

Tightening the system's security.
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)

Regarding anti spyware programs, for your reading pleasure. :)
http://www.spywarewarrior.com/rogue_anti-spyware.htm#notes

Due to lack of a response this topic will be archived.
If you need the topic reopened please pm me.