Winlogon.exe chewing up CPU


PA Bear

Good news. Barry, I suggest you take the precaution of posting your current
HijackThis log to an appropriate forum for review.
--
~PA Bear
I've got some bad news for you Aquafina.

Dave's Winfixer fix is awesome. Has solved all my issues. Found a whole
bunch of things other scanners missed. No more Winlogon burning CPU - just
sitting there at 2-3%.

Dave - you rule! Thanks for your help.

Cheers.

Aquafina said:
As you can see David doesn't like me. I have a fix for your winfixer
issues. My fix works, David's does not. I have been told by users who
have tried his fix that it does not work. Mine does, you have to email
me because it is a file, not instruction, this is not a binary group so
the only way to get you the file is to email it to you. David is a
jealous pissed little boy, ignore him. email me
(e-mail address removed) and I will send you a fix tool that will
remove that pest. Remove the XXX to make the email valid.





Barryco said:
Thanks again to you all. I now have the opposite issue which is an
abundance of things to try! That's a whole lot better than where I was
this morning.

Not quite sure what to make of Aquafina's post but I will work through
some of the great suggestions and get this sorted.

Cheers.


Hi Barryco - Five approaches to removing Winfixer (Vundo). Not all
will work on all variants. It's suggested that you try them in
this order.

1 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

2 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm


3 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049


4 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into
Safe Mode.

Once in safe mode open the VundoFix folder and double-click on
KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.


At this point please type the following file path (make sure to
enter it exactly as below!):
C:\WINDOWS\system32\geeby.dll

Press Enter.

Next you will see:

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to
enter it exactly as below!):
C:\WINDOWS\system32\ybeeg.*

Press Enter to continue.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and
click FIX CHECKED:


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close Hijackthis.

The fix will tell you to shutdown using the Power button. Hold in
your power button until the computer shuts down. Wait about 15 seconds
and then restart the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is
checking your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Panda will have the option to create a log after the scan has
finished. Click the See Report button. Then click the save Report
button. It will be saved under the name activescan.txt Do that and
post that log into your next reply here.

Run hijackthis and post the new log and the vundofix.txt file from
the vundofix folder into as well.'
----------------------------------------------------------------------------
--

The forum helpers have reported this fix from Atribune works. I
don't know about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread
where the helpers are discussing this.

Suzi"


Note: Here's some added info relative to the above courtesy of MVP
Steve Wechsler (akaMowGreen):

"the .dll's file name :

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify
it is to scan the system with HijackThis and look at the O2 BHO
and/or O20 Winlogon entries to find out its name. Close all other
programs and browsers prior to scanning with HJT. REMEMBER that
there is a hidden file that will have the name of the .dll spelled
backwards. Enter that name when the VundoFix requests the path to
the second file.

5 - Grinler, (Lawrence Abrams, a Security MVP), has another removal
method that can be used if the recommended method fails :
http://www.bleepingcomputer.com/forums/topic18610.html"
_____________________________________________________

Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download
a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check
"Show hidden files and folders" and uncheck "Hide protected
operating system files". (You may want to restore these when you're
all finished with HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated
folder at the root level such as C:\HijackThis (NOT in a Temp folder
or on your Desktop), reboot to Safe mode, start HT then press Scan.
Click on SaveLog when it's finished which will create hijackthis.log.
Now click the Config button, then Misc Tools and click on Generate
StartupList.log which will create Startuplist.txt


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the
beginning of the particular site's HiJackThis forum, then copy and
paste both files into a message asking for assistance. Someone will
answer with detailed instructions for the removal of your parasite(s).
Be sure you include at the beginning of your post a description of
"What specific problem(s)/symptoms you're trying to solve" and
"What steps you've already taken."




*******
ONLY IF you've successfully eliminated the malware, you can now
make a new, clean Restore Point and delete any previously saved
(possibly infected) ones. The following suggested approach is
courtesy of Gary Woodruff: For XP you can run a Disk Cleanup cycle
and then look in the More Options tab. The System Restore option
removes all but the latest Restore Point. If there hasn't been one
made since the system was cleaned you should manually create one
before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or
later here: http://java.sun.com/j2se/1.5.0/download.jsp (What I
use, BTW), especially since MS will apparently no longer be
distributing Java or providing any support for Java including
security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2_03, contain a security bug which certain
malware, notably Winfixer/Vundo, are suspected of exploiting. If you
did have this version of Sun Java, JRE v. 1.4.2-03, installed, please
post back and tell us.


When you get things cleaned up, take a look at my Blog, Defending
Your Machine, addy in my Signature below, for some additional
curative and preventive measures you might want to implement to
help prevent this type of thing in the future.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/

I think we're on the right track here. I definitely have Winfixer on
my PC and have been having a bugger of a time trying to get rid of it.
Also Vundo was identified this morning but supposedly cleaned by
eTrust.

In trying to get Winfixer sorted out I found out about HijackThis
but have not had a chance to go through all the steps.

I hoped there was a simple solution :)

Thanks to you all for your prompt and informative replies.


Sounds like a Vundo/WinFixer infection. At this time, no
anti-malware tools can identify and remove all Vundo/Winfixer
variants. You will have to post your HijackThis log to one of
the above forums and take several steps to remove it, all under
the guidance of someone experienced in this Bad Guy.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred
tool to use.
It will help you to both identify and remove any
hijackware/spyware. **Post your log to
http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://aumha.net/viewforum.php?f=30
 

David H. Lipman

From: "Barryco" <[email protected]>

| I've got some bad news for you Aquafina.
|
| Dave's Winfixer fix is awesome. Has solved all my issues. Found a whole
| bunch of things other scanners missed. No more Winlogon burning CPU - just
| sitting there at 2-3%.
|
| Dave - you rule! Thanks for your help.
|
| Cheers.

Barryco:

I am very glad to hear that. I have received some failure notifications and so I have
beefed up its capabilities, including dealing with the Vundo Trojan and Virtumonde adware.
The addition of the McAfee Command Line Scanner means that it has the wealth of a library
that contains ~162,000 malware signatures so it goes beyond the WinFixer 2003/Trojan Vundo
fix.

Thanx for updating the thread.

It wouldn't hurt to follow Robear Dyer's (PA Bear) suggestion of creating a HiJack This! log
and posting it in one of his suggested expert forums. I'd be *very* interested in the
feedback you may get from said forum so I can bolster the utility for others who may find
themselves in a similar situation.
 

PA Bear

Not yet using that addy or IP but JohnE'll get you in short order. <eg>
swbell & sbc both have a case-file on you.
 

PA Bear

David, check your inbox. If you don't receive a message from me, please
ping me via email. Thx.
 

Michael Stevens

pcbutts1 said:
Hello ? does it look like I have been banned?

You proved nothing. You are a fraud and continue to spin your absurd story.
If you were legit, you would have no need to send your fixes by email.
Try posting with one of your other alias <mem><[email protected]> addresses
and pcbutts1 in the from line and see if it gets posted.
It is pretty assured you can get one or a few posts with pcbutts1 in the
from line as long as you keep changing some part of the email address.


--
Michael Stevens MS-MVP XP
(e-mail address removed)
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
 

Leythos

Hello ? does it look like I have been banned?

It sure doesn't look like you're posting under the name/email address
combination that got banned.

Sure doesn't look like you've posted an apology to the group for being
wrong about having permission to host the files.

Sure doesn't look like you've apologized to those that you stole code
from.
 

David H. Lipman

From: "Michael Stevens" <[email protected]>

| You proved nothing. You are a fraud and continue to spin your absurd story.
| If you were legit, you would have no need to send your fixes by email.
| Try posting with one of your other alias <mem><[email protected]> addresses
| and pcbutts1 in the from line and see if it gets posted.
| It is pretty assured you can get one or a few posts with pcbutts1 in the
| from line as long as you keep changing some part of the email address.
|

New pseudonym for PCBUTTS1 -- Sharon

From: "Sharon" <[email protected]>
References: <[email protected]>
Subject: Re: Winfixer -- Need help from Microsoft, McAfee, or Symantec
Date: Sat, 26 Nov 2005 08:33:19 -0800
Lines: 39
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-RFC2646: Format=Flowed; Original
Message-ID: <[email protected]>
Newsgroups: microsoft.public.security.virus
NNTP-Posting-Host: adsl-69-226-169-240.dsl.bkfd14.pacbell.net 69.226.169.240
Path: TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: TK2MSFTNGP08.phx.gbl microsoft.public.security.virus:71061

Send me an email at (e-mail address removed) and I will send you a fix
tool that will remove that pest. Yes it does work. Remove the XXX to make
the email valid. Oh BTW ignore the response you will get from David or
Leythos, they are sick obsessed stalkers who cannot fix your problem. They
would rather have you suffer with this issue than to receive help from me.
 

Leythos

New pseudonym for PCBUTTS1 -- Sharon

From: "Sharon" <[email protected]>
References: <[email protected]>
Subject: Re: Winfixer -- Need help from Microsoft, McAfee, or Symantec
Date: Sat, 26 Nov 2005 08:33:19 -0800
Lines: 39
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-RFC2646: Format=Flowed; Original
Message-ID: <[email protected]>
Newsgroups: microsoft.public.security.virus
NNTP-Posting-Host: adsl-69-226-169-240.dsl.bkfd14.pacbell.net 69.226.169.240
Path: TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: TK2MSFTNGP08.phx.gbl microsoft.public.security.virus:71061

Thanks for the warning. Most people that don't read the users names can
spot the little BOY just from the content in his posts :)

Maybe he's on to something - using a Woman's name, like a poster here he
claims to have helped.... Wonder if he's posting fake malware issues and
then being the only salvation for them, so that he appears to be doing
good work, when in reality he's just trying to pull a fast one on the
group.
 

Leythos

No he's pretty good at what he does, his fixes and things do work.

Too bad you can't fake a post properly and that you can't hide that you
are PCBUTTS1, it's all in the headers butts:

NNTP-Posting-Host: adsl-69-226-169-240.dsl.bkfd14.pacbell.net
69.226.169.240

PCBUTTS1 posts from the above address all the time, for you new people
he's the group troll and is currently impersonating a respected member
of the group.
 

Guest

Barryco - let me know if you solve this - I have the same problem except it
is pegged at 99% all the time. I am working through the fixes also, kind of
hard to see who to trust. Will let you know if I am successful. Mine was
triggered by a MS antispyware update yesterday.
 

David H. Lipman

From: "mrgumby" <[email protected]>

| Barryco - let me know if you solve this - I have the same problem except it
| is pegged at 99% all the time. I am working through the fixes also, kind of
| hard to see who to trust. Will let you know if I am successful. Mine was
| triggered by a MS antispyware update yesterday.


Barryco indicated WinFixerFix cured his problem. The combination of the following two
should be able to handle this.


The Adware-Virtumundo Removal Tool will specifically clean the Vundo Trojan and Virtumundo
Adware. Adware-Virtumundo Removal Tool v1.5 --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049



* Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

* * * Please report back your results * * *
 

Guest

Hello - thanks for the help - It did not work.

So far I have run fixvundo, fix monde and now virtumondobegone and
winfixerfix.
I am running in safe mode and am on a wireless link - I am not sure I can
get files through the internet on that computer - I am using my wife's
computer now. Winfixerfix ran very fast and did not try to get any files that
I am aware of.


mrgumby
 

David H. Lipman

From: "mrgumby" <[email protected]>

| Hello - thanks for the help - It did not work.
|
| So far I have run fixvundo, fix monde and now virtumondobegone and
| winfixerfix.
| I am running in safe mode and am on a wireless link - I am not sure I can
| get files through the internet on that computer - I am using my wife's
| computer now. Winfixerfix ran very fast and did not try to get any files that
| I am aware of.

Then I suggest re-posting in a NEW post, not part of this thread, exactly what you are
experiencing and indicate exactly what utilities you have executed.
 

David H. Lipman

From: "mrgumby" <[email protected]>

| Hello - thanks for the help - It did not work.
|
| So far I have run fixvundo, fix monde and now virtumondobegone and
| winfixerfix.
| I am running in safe mode and am on a wireless link - I am not sure I can
| get files through the internet on that computer - I am using my wife's
| computer now. Winfixerfix ran very fast and did not try to get any files that
| I am aware of.
|
| mrgumby
|

mrgumby:

A recent update to WinFixerFix actually also introduced a bug into the utility which caused
premature exiting of the utility without finishing the job. You may wish to download a
fixed version and run the utility again.

Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
 

SharonS

You need to run Hijackthis and I need to see the hjt log file. Download HJT
from here
http://www.pcbutts1.com/downloads/HijackThis.zip run it, save a copy of the
log file and post your log file to the group listed below, NO registration
required. You have to post it to the group below just click on the link. If
you post it to this here group you will be screamed at because they
freak-out at seeing HJT logs.
 

Jim Byrd

Hi Mr. Gumby - Seven approaches to removing Winfixer (Vundo). Not all will
work on all variants. It's suggested that you try them in this order.

1 - Feedback from users reports that the Removal Tool here is the most
effective against what is currently the most common variety of this
'malware':
http://forums.mcafeehelp.com/viewtopic.php?t=57049



2 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



3 - Courtesy of Dave Lipman:

"Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


On the infected PC...

Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee
related files.

Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in
c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your browser
(Opera, FireFox or Internet Explorer). It is suggested that you move the
report out of c:\mcafee before performing another scan. It would be a good
idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session."



4 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm



5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.


At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\geeby.dll

Press Enter.

Next you will see:

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\ybeeg.*

Press Enter to continue.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click
FIX CHECKED:


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close Hijackthis.

The fix will tell you to shutdown using the Power button. Hold in your power
button until the computer shuts down. Wait about 15 seconds and then restart
the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking
your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Panda will have the option to create a log after the scan has finished.
Click the See Report button. Then click the save Report button. It will be
saved under the name activescan.txt Do that and post that log into your next
reply here.

Run hijackthis and post the new log and the vundofix.txt file from the
vundofix folder into as well.'

The forum helpers have reported this fix from Atribune works. I don't know
about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread where the
helpers are discussing this.

Suzi"


Note: Here's some added info relative to the above courtesy of MVP Steve
Wechsler (akaMowGreen):

"the .dll's file name :

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify it
is to scan the system with HijackThis and look at the O2 BHO and/or O20
Winlogon entries to find out its name. Close all other programs and
browsers prior to scanning with HJT. REMEMBER that there is a hidden file
that will have the name of the .dll spelled backwards. Enter that name when
the VundoFix requests the path to the second file.



6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
that can be used if the recommended method fails :
http://www.bleepingcomputer.com/forums/topic18610.html"




7 - Courtesy of S.Sengupta[MS-MVP]

Download VirtumundoBegone and save it to your desktop.

VirtumundoBegone
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Run that application after booting into safe mode.





Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
notably Winfixer/Vundo, are suspected of exploiting. If you did have this
version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.
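Steve Wechsler's note (quoted in both of Jim Byrd's posts above) says the Vundo DLL shows up in the HijackThis log as both an O2 BHO and an O20 Winlogon Notify entry, and that its hidden companion file carries the same name spelled backwards. The script below is an added example, not from the thread or from any of the tools it mentions: it parses constructed HijackThis log lines (only the two "geeby" entries mirror the ones quoted above, the rest is made-up filler), flags any DLL that is registered in both places, and derives the second path VundoFix asks for.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample HijackThis log. Only the two "geeby" entries mirror the
# lines quoted in the thread; the other entries are benign filler made up here.
SAMPLE_HJT_LOG = """\
O2 - BHO: Example BHO - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\example.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\\WINDOWS\\system32\\geeby.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: geeby - C:\\WINDOWS\\system32\\geeby.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# HijackThis line shapes for the two entry types the note tells you to compare.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)\s*$")


@dataclass
class VundoSuspect:
    dll_path: str           # DLL registered both as a BHO and as a Winlogon Notify package
    bho_name: str
    clsid: str
    winlogon_key: str
    companion_pattern: str  # path to give VundoFix for the reversed-name hidden file
    hjt_lines: list         # the O2 and O20 lines to tick in HijackThis


def parse_hjt(log_text):
    """Return (bho_entries, notify_entries); each entry keeps its raw line."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({**m.groupdict(), "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({**m.groupdict(), "line": line})
    return bhos, notifies


def reverse_companion_pattern(dll_path):
    """geeby.dll -> ybeeg.* in the same folder (the second path VundoFix asks for)."""
    folder, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(folder, stem[::-1] + ".*")


def find_vundo_suspects(log_text):
    """Flag every DLL that appears as an O2 BHO and as an O20 Winlogon Notify entry."""
    bhos, notifies = parse_hjt(log_text)
    notify_by_path = {n["path"].lower(): n for n in notifies}
    suspects = []
    for b in bhos:
        n = notify_by_path.get(b["path"].lower())
        if n is None:
            continue
        suspects.append(VundoSuspect(
            dll_path=b["path"], bho_name=b["name"], clsid=b["clsid"],
            winlogon_key=n["key"],
            companion_pattern=reverse_companion_pattern(b["path"]),
            hjt_lines=[b["line"], n["line"]]))
    return suspects


if __name__ == "__main__":
    for s in find_vundo_suspects(SAMPLE_HJT_LOG):
        print("Suspect DLL:        ", s.dll_path)
        print("Second VundoFix path:", s.companion_pattern)
        for line in s.hjt_lines:
            print("  tick in HijackThis:", line)
```

A benign BHO that is not also a Winlogon Notify package is not reported, which matches the note's advice to look at both entry types rather than either one alone.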
 
