
I Removed Winfixer, Can Anybody Verify?


7 replies to this topic

#1 mat


Posted 21 December 2005 - 10:58 AM

Hello,

I got WinFixer about a month ago and tried to get rid of it myself. I even bought PestPatrol, which CA claims can remove that piece of crap. It cannot, and I don't recommend this "Patrol" to anybody. Free Ad-Aware and Spybot are much more user friendly. I am a computer programmer (not on the Windows side, though) and spent some time reading on the Internet about my problem. I read several topics on this and other forums and followed recommendations on "WinCrap" :thumbsup: removal.

It looks like I got rid of it. I am asking for help from someone who is more knowledgeable in that kind of thing than myself to verify what I've done and tell me if I am done-done with this, or if I have to do some extra steps. I am going to list all the steps I did and post the final HijackThis log. Please let me know. I found people on this forum to be the most knowledgeable in crap removal.

Thanks in advance :flowers:

1. I ran HijackThis in Safe mode and saved the log.

2. There were these entries in the log:

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkklj.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll

3. I went back to Normal mode and installed VundoFix on desktop.

4. Switched to Safe mode and ran KillVundo. I entered C:\WINDOWS\system32\jkklj.dll at the first prompt and C:\WINDOWS\system32\jlkkj.* at the second one. It did some removal and launched HijackThis automatically, but I closed the HijackThis window. The computer seemed to be frozen after this. I waited a bit and rebooted it.

5. In Normal mode I launched HijackThis and it showed (missing file) for two entries from step (2).

6. I deleted both entries.

7. Ran "cleanmgr".

8. Rebooted. Checked HijackThis. Entries were removed. I rebooted the computer a couple of times and checked every time. Entries were removed.

9. I ran Ad-Aware, Spybot, MS AntiSpyware, PestPatrol. Nothing was found.

10. I ran HijackThis and created the log below:


Logfile of HijackThis v1.99.1
Scan saved at 11:15:33 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\PestPatrol\PPActiveDetection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hispeed.rogers.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
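An added example, not from this thread or from HijackThis: a small Python triage script for logs like the one above. It parses the R/O-section lines, flags entries whose target is "(no file)" (the kind mat asks about below), and flags an O2 BHO whose DLL is also registered as an O20 Winlogon Notify handler, which is exactly the pairing mat found in step 2. The sample lines are copied from this thread's log; the flagging rules are the example's own heuristics and are meant to prioritise what to look at, not to decide what to delete.

```python
import re

# Sample HijackThis lines copied from the log posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\jkklj.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"""

# A HijackThis item line starts with its section code (R0, O2, O20, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse(log_text):
    """Split a HijackThis log into item entries, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "raw": line.strip()})
    return entries


def _target(entry):
    """Last ' - ' separated field: a file path, '(no file)', or the whole body for O4 lines."""
    return entry["body"].rsplit(" - ", 1)[-1]


def triage(entries):
    """Return (reason, raw_line) findings. Heuristics are this example's own assumptions."""
    findings = []
    # DLLs loaded by Winlogon Notify (O20); a BHO pointing at the same file is worth a look.
    notify_dlls = {_target(e).lower() for e in entries if e["code"] == "O20"}
    for e in entries:
        target = _target(e)
        if target == "(no file)":
            findings.append(("orphan", e["raw"]))            # stale entry; judge individually
        elif e["code"] == "O2" and target.lower() in notify_dlls:
            findings.append(("bho_also_winlogon_notify", e["raw"]))
    return findings


if __name__ == "__main__":
    for reason, raw in triage(parse(SAMPLE_LOG)):
        print(f"{reason:26} {raw}")
```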


#2 MFDnSC


Posted 21 December 2005 - 06:21 PM

Yes, you got it

Add remove programs remove Viewpoint

Fix the 2 O3 Toolbar file missing entries, as you must have removed McAfee
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 mat


Posted 21 December 2005 - 09:58 PM

Thanks a bunch :thumbsup:))) Getting rid of that crap is the best gift I got this Christmas! By the way, I learned how to do this mostly from your postings on different cases here (and someone else's, which is why I did extra steps, just to be on the safe side:). You are usually shorter :flowers:)

Not sure I understand your second line about some View<something>, though. And yes, I removed McAfee and don't need these entries in the Registry. I removed them manually with Regedit yesterday. Should I also remove them with HijackThis?

Question, though: is it always safe to remove entries that HijackThis shows as (no file)?

Another question (not sure it is for this forum, you don't have to answer): my friend has such a severe infection that he cannot even start his computer in Normal mode, only in Safe mode. Can I install Spybot, etc., on a flash disk and start cleaning his computer? If not, see you after Christmas when I try to do this :huh:)))

Thanks again, you taught me a lot :huh:

Donations to follow, no doubt. Thanks, no really. :huh:

#4 MFDnSC


Posted 21 December 2005 - 10:11 PM

Go to control panel - add remove programs and remove Viewpoint

Yes remove those O3 entries with HiJack

No, some no file or missing file entries are a problem with HiJack - leave them be

For your friend, get them Ewido - Had one like that and that was the only way to get started - Obviously you can't get updates but it's a start

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log

#5 mat


Posted 21 December 2005 - 10:33 PM

Thanks a lot again :thumbsup: I removed that Viewpoint thing easily. Regarding my friend, a thousand thanks, I'll print your instructions. Can he install it in Safe mode? Will it work without all the .dll's? He cannot go to Normal mode.

#6 MFDnSC


Posted 21 December 2005 - 10:50 PM

Yep - Gets a little tough from safe mode but it will work

Let me know

#7 mat


Posted 21 December 2005 - 11:02 PM

I will. Thanks again :thumbsup:

#8 mat


Posted 31 December 2005 - 02:13 PM

It worked! I printed and gave my friend your instructions and he has his computer back! I just talked with him briefly on the phone a second ago. I'll still advise him to run HijackThis and post the log on this forum, just in case. I have a concern: he said he deleted something like 3,200 files, but when I cleaned this crap on my computer, I deleted almost 60,000 (I had not been protected since 1999). 3,200 seems too low to me.... Thanks a lot, again. You made one more person happy this year. :thumbsup:)) Happy New Year to you and your family!



