Winfixer malware. I need help!

Question

Here is my logfile.  I don't have the 02-BHO:MSEvents line to delete.  Any help would be greatly appreciated (and if I do get rid of it, how can I keep from getting it again?)   Logfile of HijackThis v1.99.1 Scan saved at 1:26:01 PM, on 12/4/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\Nhksrv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus
avapsvc.exe C:\Program Files\Venturi2\Configurator\ventcfg.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\DELLMMKB.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\RamBooster\Rambooster.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\CEB Practice Libraries\bin
plocal.exe C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe C:\Program Files\Shutterfly Express\SflyMon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Venturi2\Client\ventc.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Netropa\OSD.exe C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe C:\Program Files\HijackThis\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LEXIS-NEXIS\CheckCite\llieobj.dll (file missing) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe' O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [AdaptecDirectCD] 'C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe' O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe O4 - Startup: SflyMon.lnk = C:\Program Files\Shutterfly Express\SflyMon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: CEB Practice Libraries.lnk = ? O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O8 - Extra context menu item: RemindU - file://C:\Program Files	opMoxie\TEMP\upromise_script0.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0D706C01-1B2C-11D1-9566-00C04FC9DF81} (MmaFill Control) - http://courts.countyofventura.org/JCF-Web/filler/mmafill.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://quicken.ehosts.net/netagent/objects/custappx3.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093893434992 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124300216379 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{77646C9B-2ABF-4B97-B939-469C8AE8B473}: NameServer = 209.144.103.10,209.144.103.11 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus
avapsvc.exe O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing) O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

SpotCheckBilly · Answer

Hello mclojai,Welcome to the Dell forums. I don't see anything in your log file that would indicate the WinFixer problem. There ARE a couple of things that we can get rid of. After we clean these up, we can dig a little deeper, if we need to and go from there. Once we get everything cleaned up, I can give you some pointers on how to keep from being reinfected. Go to www.trendmicro.com, then: 1. Click ' Free Online Scan'. 2. Click ' Scan now, it's free'. Follow the screen prompts. Save a copy of the report,: Click ' Print the report', then copy/paste to a new Notepad file and save to a convenient location. Post results into the next reply if requested to do so. Run HiJackThis and click ' Scan', then check(tick) the following, if present: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LEXIS-NEXIS\CheckCite\llieobj.dll (file missing) O8 - Extra context menu item: RemindU - file://C:\Program Files	opMoxie\TEMP\upromise_script0.htm O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{77646C9B-2ABF-4B97-B939-469C8AE8B473}: NameServer = 209.144.103.10,209.144.103.11 ...( Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.) O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing) With all windows closed except HiJackThis, click ' Fix checked'. Post back a new log, along with the results from the online scan. :smileyhappy: George a.k.a. SpotCheckBilly

Virus & Spyware

Was this post helpful?