Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Htj .. Winfixer 2005 Problem


  • Please log in to reply
13 replies to this topic

#1 wenicu

wenicu

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 22 October 2005 - 02:40 PM

I can't seem to rid myself of this winfixer 2005 pop up. It tries its best to get me to download it, even after i close out the window..several pop ups will follow it ..
Here is my log

Logfile of HijackThis v1.99.0
Scan saved at 2:51:31 PM, on 10/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
F:\Program Files\LimeWire\LimeWire.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r3.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - F:\WINNT\System32\cbabx.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PMXInit] F:\WINNT\system32\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [Pop-Up Stopper] "F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [PMXInit] F:\WINNT\system32\pmxinit.exe
O4 - HKCU\..\Run: [nwapi32] F:\WINNT\System32\nwapi32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - F:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127879466306
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127961932010
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O23 - Service: Adobe LM Service - Unknown - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 23 October 2005 - 03:54 PM

Hi wenicu and Welcome to the Bleeping Computer!

I need to see a file from your System please

Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Use the upload link below
http://www.bleepingcomputer.com/submit-malware.php

Upload this file--> F:\WINNT\System32\cbabx.dll


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • F:\WINNT\System32\cbabx.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):F:\WINNT\System32\xbabc.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - F:\WINNT\System32\cbabx.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3 wenicu

wenicu
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  

Posted 23 October 2005 - 08:15 PM

Hi wenicu and Welcome to the Bleeping Computer!

I need to see a file from your System please

Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Use the upload link below
http://www.bleepingcomputer.com/submit-malware.php

Upload this file--> F:\WINNT\System32\cbabx.dll


I was not able to find the file cbabx.dll under that folder.. I did the first part of showing hidden files..

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 October 2005 - 03:07 PM

Go ahead with the VundoFix

#5 wenicu

wenicu
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 24 October 2005 - 07:47 PM

I tried to run the online active scan and keep getting an error message .. nothing loads as far as the page... . I see a yellow yeild sign with error next to it at the bottom left of the screen where usually on the IE window the symbol should be. Also I followed the rest of the steps and didn't delete anything in the vundofix thing because the file wasn't there in the first place.. I went ahead and ran a hijack this log again and posted it and also the vundo txt file.. .. confused as what to do next..


Logfile of HijackThis v1.99.0
Scan saved at 7:57:23 PM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r3.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PMXInit] F:\WINNT\system32\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [Pop-Up Stopper] "F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [PMXInit] F:\WINNT\system32\pmxinit.exe
O4 - HKCU\..\Run: [nwapi32] F:\WINNT\System32\nwapi32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - F:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127879466306
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127961932010
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O23 - Service: Adobe LM Service - Unknown - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was F:\WINNT\System32\cbabx.dll

The second filepath entered was F:\WINNT\System32\xbabc.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 112 'smss.exe'

Killing PID 492 'explorer.exe'


Killing PID 160 'winlogon.exe'
Killing PID 160 'winlogon.exe'
Error 0x5 : Access is denied.

--------------------------------------------------------------------------------------

F:\WINNT\System32\cbabx.dll Deleted sucessfully.
F:\WINNT\System32\xbabc.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 October 2005 - 04:24 AM

Lets try to get a single file scanned!

F:\WINNT\System32\nwapi32.exe

Have that file scanned at the 2 sites below

http://virusscan.jotti.org/
and
http://www.virustotal.com/flash/index_en.html

Let me know the results please!

#7 wenicu

wenicu
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  

Posted 25 October 2005 - 06:48 AM

Was not able to locate that file.. did have the file name but it was a .dll not a .exe like you wanted. I haven't had the pop up since I have cleaned the cookies off the HD but I don't know if thats just temporary ..

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 October 2005 - 06:05 PM

Get that dll scanned and let me know the results!

#9 wenicu

wenicu
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 25 October 2005 - 09:37 PM

both ended up checking out .. on the first link .. I got the status ok and the 2nd one .. it said no viruses found for every category .. I also have not had it pop up in the last two days. It use to pop up everytime I opened explorer..

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 26 October 2005 - 03:28 AM

See if you can run this Online Scan so I know we didnt leave anything behind!
http://support.f-secure.com/enu/home/ols.shtml

Post back with any results from the Online Scan!

#11 wenicu

wenicu
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  

Posted 26 October 2005 - 06:56 AM

It said no viruses found ...

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 26 October 2005 - 05:28 PM

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?

#13 wenicu

wenicu
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 26 October 2005 - 09:52 PM

I downloaded Spyware blaster...

did not download second link because I dont have a program to unzip files.

I have Windows ME so I could not disable system restore

I went ahead and removed CleanUp.exe

Things seem to be running well ..

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 27 October 2005 - 03:58 AM

Ahh,that was bright of me,I didnt notice it was Windows 2000! :thumbsup:

I spec Spyware Blaster is good enough,there are several free Zipping Utilities out there,just google for them!

Read through those 3 little black links in my Signature for some extra ideas on how to avoid this in the future!

Make sure you keep Windows fully updated as well!

If ever you need us again,you know where to find us!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users