3 Apprentice

15.6K Posts

November 28th, 2005 11:00

in NORMAL mode, Run HJT. Place a check-mark in the box in front of the line:

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

Click on FIX CHECKED. Close HJT. Reboot. And see if WinFixer comes back or not.

[If WinFixer is still there... i.e., if this particular O4-line still appears in your log after rebooting... then you should reboot your system into SAFE MODE (by tapping the F8-key during the boot-up process, and selecting SAFE MODE), and try this FIX again while running HJT in SAFE MODE; and then, reboot into NORMAL mode.]

When you're done, generate and post your latest HJT log, by REPLYing to this thread.
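The check the post asks for (does that O4 line still appear in the log after FIX CHECKED and a reboot?) amounts to diffing the O4 Run entries of two HijackThis logs. This is an added example, not part of the thread or of HijackThis itself; both logs are constructed, with only the SurfAccuracy line taken from the post above.

```python
import re

# Constructed sample logs (not the poster's full log): the SurfAccuracy line
# is the O4 entry the post above tells the user to fix; the rest is filler.
LOG_BEFORE = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [SurfAccuracy] C:\\Program Files\\SurfAccuracy\\SAcc.exe
O4 - HKCU\\..\\Run: [Internat.exe] internat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
"""
LOG_AFTER = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\\..\\Run: [Internat.exe] internat.exe
O4 - HKCU\\..\\Run: [ExampleNewEntry] C:\\Example\\new-autostart.exe
"""

# HijackThis O4 registry Run lines look like: O4 - <hive>\..\Run: [<value>] <command>
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def run_entries(log):
    """Map (hive, value name) -> command for every O4 Run entry in a log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries[(m.group("hive"), m.group("name"))] = m.group("cmd").strip()
    return entries


def diff_run_entries(before, after):
    """(removed, added) O4 Run keys between two logs of the same machine.

    'removed' confirms that FIX CHECKED survived the reboot; 'added' is what
    to inspect when the symptoms persist (an autostart that was re-created).
    """
    b, a = run_entries(before), run_entries(after)
    return sorted(k for k in b if k not in a), sorted(k for k in a if k not in b)


def fix_stuck(before, after, name):
    """True if a Run entry with this value name was present before and is gone after."""
    b, a = run_entries(before), run_entries(after)
    return any(n == name for _, n in b) and not any(n == name for _, n in a)
```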

4 Posts

November 28th, 2005 14:00

Removed the item O4, but WinFixer is still there.
 
Logfile of HijackThis v1.99.1
Scan saved at 8:30:44 AM, on 11/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\basfipm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\sysedge.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\CrystalMS.exe
C:\Program Files\Common Files\Crystal Decisions\2.5\bin\crystalras.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Concord Communications\eHealth for Voice\Bin\ConsoleAlert.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\sysedge\jre\bin\java.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\pblen\Desktop\Sofware to remove winfixer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.ca.com/wpad.dat
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [POD] C:\Program Files\Omnipod\POD\omnipod.exe /allusers
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Policy Alert.lnk = C:\Program Files\Concord Communications\eHealth for Voice\Bin\ConsoleAlert.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://scpwca.ops.placeware.com/etc/place/CHARLIE/CHApws-a3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {C4F16955-CB66-4915-A327-C55DE360C73A} (OfflineControl Class) - file://F:\ecsJava\ecs\ecsPlayers\offline.cab
O16 - DPF: {E10869DE-C0E2-40E1-B247-EE6EB3921F68} (NetisClient Class) - http://archive.globes.co.il/english/NetisUtils/install/netisclient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ca.com
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe
O23 - Service: Crystal Cache Server (CacheServer) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\cacheserver.exe" -service -name PBlen-D400.cacheserver -cache -nops -deleteCache -ns PBlen-D400 -restart (file missing)
O23 - Service: Crystal Event Server (CrystalEventServer) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\EventServer.exe" -service -name PBlen-D400.eventserver -ns PBlen-D400 -restart (file missing)
O23 - Service: Crystal Input File Repository Server (CrystalInputFileServer) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\inputfileserver.exe" -service -name Input.PBlen-D400 -ns PBlen-D400 -restart (file missing)
O23 - Service: Crystal Management Server (CrystalMS) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\CrystalMS.exe" -service -name PBlen-D400.cms  -restart -noauditor (file missing)
O23 - Service: Crystal Output File Repository Server (CrystalOutputFileServer) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\outputfileserver.exe" -service -name Output.PBlen-D400 -ns PBlen-D400 -restart (file missing)
O23 - Service: Crystal Program Job Server (CrystalProgramServer) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\ProgramServer.exe" -service -name PBlen-D400.programjobserver  -ns PBlen-D400 -objectType CrystalEnterprise.Program -lib procProgram  -restart (file missing)
O23 - Service: Crystal Report Application Server (CrystalReportApplicationServer) - Unknown owner - C:\Program Files\Common Files\Crystal Decisions\2.5\bin\crystalras.exe" -service -name PBlen-D400.RAS -ns PBlen-D400 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eHealth for Voice Policy Manager - Concord Communications - C:\Program Files\Concord Communications\eHealth for Voice\bin\PolicyManager.exe
O23 - Service: eHealth for Voice Task Scheduler - Concord Communications - C:\Program Files\Concord Communications\eHealth for Voice\bin\TaskScheduler.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Crystal Report Job Server (JobServer_Report) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\JobServer.exe" -service -name PBlen-D400.reportjobserver  -ns PBlen-D400 -objectType CrystalEnterprise.Report -lib procReport  -restart (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Crystal Page Server (pageserver) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\pageserver.exe" -service -name PBlen-D400.pageserver -ns PBlen-D400  -restart (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
O23 - Service: SpectrumApache - Unknown owner - d:\win32app\SPECTRUM\WebApps\Report_Gateway\Apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: SpectrumTomcat - Unknown owner - D:\win32app\SPECTRUM\WebApps\tomcat\bin\JavaService.exe (file missing)
O23 - Service: SPECTRUM Remote Admin (sradmin) - Unknown owner - C:\Program Files\SRAdmin\sradmin.exe
O23 - Service: SystemEDGE (sysedge) - Unknown owner - C:\WINNT\system32\sysedge.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: Crystal Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\WebCompServer.exe" -service -name PBlen-D400.WCS -ns PBlen-D400  -restart (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE


3 Apprentice

15.6K Posts

November 28th, 2005 14:00

the only obvious sign of WinFixer was the SurfAccuracy, which we've removed. your log does not indicate the presence of either a vundo/virtumundo trojan, or of the "installer" version.
 
since you (from another post?) knew to run RootKitRevealer (presumably from sysinternals.com), and you only listed 3 entries, can we assume that was the entire log produced? or you just singled out those entries based on your belief in the time/date of the infection? [I assume you're aware we're looking for the file wingenerics.dll in the stealth/rootkit case].
 
there's already some evidence around, that Winfixer may be evolving/mutating/morphing, to make it harder for us to locate.  I'm gonna try to call in some colleagues, to see if they can find something else.

4 Posts

November 28th, 2005 15:00

Yes, I knew what to look for, but those were the only listings in the log.

My plan is to install a new disk drive today. Then USB-attach the old 40GB drive and copy critical files.

Is there a way to prevent a re-infection of WinFixer?

Thanks,

Phil

 

3 Apprentice

15.6K Posts

November 28th, 2005 16:00

here is a [safe-to-view] list of some known/alleged sources of WinFixer.

it is using deceptive and unethical [dare we say, illegal??] means to spread itself. in fact, over the past few days, there are clear indications that new versions are first starting to spread!! so unless we can cover ALL bases (which just doesn't seem possible with this beast), you risk the chance of getting a new infection, even if you were to transfer your good data to a clean drive, reformat, and reinstall.
 
there's a HOSTS file "blocker" program, available from
that will augment your hosts file with a currently-known list of [what that author believes to be] "undesirable" sites, to keep you from "visiting" them.   it is my understanding that this list will block many of the known WinFixer sites.   However, if you decide to use this:
1) be advised that it may also block some sites that you yourself might like to view. i'm testing it on one of my PCs, and i see that certain pages only "partially" display [it blocks many of the included ads]. but it may be worth it. As a precaution, you might want to back up your current HOSTS file, before altering it with this program.
2) the author updates his database frequently, so if you decide to use this program, you should check for periodic updates, to download/install them.  otherwise, you'll be susceptible to newer infections.
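The HOSTS-file approach described above (back up the file first, append a list of known undesirable hosts, and re-apply it as the list is updated) as an added example; this is not the program the post refers to, the hosts file and blocklist are constructed with placeholder domains, and the marked-section format is an assumption of this example.

```python
import shutil
from pathlib import Path

# Constructed sample hosts file and blocklist (placeholder domains, not the
# real list distributed by the program the post refers to).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 already-blocked.example
"""
SAMPLE_BLOCKLIST = """\
# blocklist update: one "0.0.0.0 hostname" line per undesirable site
0.0.0.0 already-blocked.example
0.0.0.0 unwanted-site-1.example
0.0.0.0 unwanted-site-2.example
"""
BEGIN, END = "# BEGIN blocklist (managed)", "# END blocklist (managed)"


def mapped_hosts(text):
    """Hostnames on every '0.0.0.0 host' / '127.0.0.1 host' line, comments dropped."""
    hosts = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            hosts.update(h.lower() for h in parts[1:])
    return hosts


def merge_blocklist(hosts_text, blocklist_text):
    """Append the blocklist in a marked section; re-runs replace the section, never duplicate it."""
    lines = hosts_text.splitlines()
    if BEGIN in lines and END in lines:  # drop the section written by a previous run
        i, j = lines.index(BEGIN), lines.index(END)
        lines = lines[:i] + lines[j + 1:]
    present = mapped_hosts("\n".join(lines))  # user's own entries are never added twice
    new = sorted(h for h in mapped_hosts(blocklist_text) if h not in present)
    section = [BEGIN] + [f"0.0.0.0 {h}" for h in new] + [END]
    return "\n".join(lines + section) + "\n"


def update_hosts_file(hosts_path, blocklist_text):
    """Copy the hosts file to hosts.bak first, then rewrite it with the merged content."""
    hosts_path = Path(hosts_path)
    backup = hosts_path.with_suffix(".bak")
    shutil.copy2(hosts_path, backup)
    hosts_path.write_text(merge_blocklist(hosts_path.read_text(), blocklist_text))
    return backup
```

Applying a newer blocklist is the same call again: the managed section is rebuilt from the new list, and the backup from the first run lets the file be restored if it blocks something wanted.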

2 Intern

5.9K Posts

November 29th, 2005 20:00

I see only one thing in the log that looks odd and that is:
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.ca.com/wpad.dat
 
There may also be something in Task manager that is running at intervals.  You might try turning it off.
 
You might see something with Silent Runners.vbs from:
 
 
Post the log (may need to be broken into two pieces to fit in the forum).
 
Ron
 

4 Posts

December 1st, 2005 04:00

Thank you for the suggestions, but I could not get my work done. So I erased the drive and reloaded the OS. The popups were driving me crazy.
 
Thank you again.