Winlogon.exe chewing up CPU

GeebyHater

!!!! SUCCESS !!!!
Re: WINFIXER - VIRTUMONDE - VUNDO - GEEBY.DLL

I have spent MANY hours trying to get rid of this devil. :crybaby:

Went through the methods below from 1st to success

1 - :crybaby: Symantec: Backed off using this method when I saw that
it required turning off the RESTORE TOOL. Had a previous bad
experience with that and this particular Trojan.

2 - :crybaby: McAfee - Went through this method. Did not work.
Additionally their description of files this beast puts on the computer
was all wrong. I assume the program has morphed what it does.

3 - :D Removal Tool (VirtumundoBeGone.exe) at
http://forums.mcafeehelp.com/viewtopic.php?t=5704

Read the information - 45 seconds
Downloaded VirtumundoBeGone.exe - 10 seconds
Ran VirtumundoBeGone.exe - 2 minutes
Computer rebooted - 2 minutes
Read VGB.TXT report on my desktop - 30 seconds
Deleted all remaining remnants of this freak - 60 seconds
Now plan to party ALL NIGHT
It worked, it was simple
THANK YOU!!!!!

:D :nod: :D ;) :evil: :nod: :D
______________________

For those of you interested, here is the removal report
that was put on my desktop:

[12/23/2005, 23:12:46] - VirtumundoBeGone v1.5
( "c:\My Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:13:08] - Detected System Information:
[12/23/2005, 23:13:08] - Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:13:08] - Current Username: XXXXX XXXXXXX (Admin)
[12/23/2005, 23:13:08] - Windows is in NORMAL mode.
[12/23/2005, 23:13:08] - Searching for Browser Helper Objects:
[12/23/2005, 23:13:08] - BHO 1:
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:08] - BHO 2:
{06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud
Toolbar)
[12/23/2005, 23:13:08] - BHO 3:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:08] - BHO 4:
{53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:08] - WARNING: BHO has no default name. Checking
for Winlogon reference.
[12/23/2005, 23:13:08] - Checking for
HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:08] - Key not found:
HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:08] - BHO 5:
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:08] - BHO 6:
{7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:09] - BHO 7:
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:09] - BHO 8:
{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:09] - BHO 9:
{FC148228-87E1-4D00-AC06-58DCAA52A4D1} (MSEvents Object)
[12/23/2005, 23:13:09] - ALERT: Found MSEvents Object
[12/23/2005, 23:13:09] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:09] - *** Detected MSEvents Object
[12/23/2005, 23:13:09] - Trying to remove MSEvents Object...
[12/23/2005, 23:13:10] - Terminating Process: IEXPLORE.EXE
[12/23/2005, 23:13:10] - Terminating Process: RUNDLL32.EXE
[12/23/2005, 23:13:10] - Disabling Automatic Shell Restart
[12/23/2005, 23:13:10] - Terminating Process: EXPLORER.EXE
[12/23/2005, 23:13:10] - Suspending the NT Session Manager System
Service
[12/23/2005, 23:13:11] - Terminating Windows NT Logon/Logoff
Manager
[12/23/2005, 23:13:12] - Re-enabling Automatic Shell Restart
[12/23/2005, 23:13:12] - File to disable:
C:\WINDOWS\system32\geeby.dll
[12/23/2005, 23:13:12] - Renaming C:\WINDOWS\system32\geeby.dll -
C:\WINDOWS\system32\geeby.dll.vi
[12/23/2005, 23:13:12] - File successfully renamed
[12/23/2005, 23:13:12] - Removing HKLM\...\Browser Helper
Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] - Removing
HKCR\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] - Adding Kill Bit for ActiveX for GUID
{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] - Deleting ATLEvents/MSEvents Registry
entries
[12/23/2005, 23:13:12] - Removing HKLM\...\Winlogon\Notify\geeby
[12/23/2005, 23:13:12] - Searching for Browser Helper Objects
[12/23/2005, 23:13:12] - BHO 1:
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:12] - BHO 2:
{06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud
Toolbar)
[12/23/2005, 23:13:12] - BHO 3:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:12] - BHO 4:
{53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:12] - WARNING: BHO has no default name. Checking
for Winlogon reference.
[12/23/2005, 23:13:12] - Checking for
HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:12] - Key not found:
HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:12] - BHO 5:
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:12] - BHO 6:
{7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:13] - BHO 7:
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:13] - BHO 8:
{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:13] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:13] - Finishing up...
[12/23/2005, 23:13:13] - A restart is needed.
[12/23/2005, 23:13:25] - Attempting to Restart via STOP error (Blue
Screen!)
--------------------------

Re-ran the program and this was what it gave me (no
reboot because it had been cleaned):

[12/23/2005, 23:27:16] - VirtumundoBeGone v1.5 ( "c:\My
Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:27:20] - Detected System Information:
[12/23/2005, 23:27:20] - Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:27:20] - Current Username: XXXXXX XXXXXXXX (Admin)
[12/23/2005, 23:27:20] - Windows is in NORMAL mode.
[12/23/2005, 23:27:20] - Searching for Browser Helper Objects:
[12/23/2005, 23:27:20] - BHO 1:
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:27:20] - BHO 2:
{06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud
Toolbar)
[12/23/2005, 23:27:20] - BHO 3:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:27:20] - BHO 4:
{53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:27:21] - WARNING: BHO has no default name. Checking
for Winlogon reference.
[12/23/2005, 23:27:21] - Checking for
HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:27:21] - Key not found:
HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:27:21] - BHO 5:
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:27:21] - BHO 6:
{7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:27:21] - BHO 7:
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:27:21] - BHO 8:
{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:27:21] - Finished Searching Browser Helper Objects
[12/23/2005, 23:27:21] - Finishing up...
[12/23/2005, 23:27:21] - Nothing found! Exiting...

-------------------------------------------------------

Additional information: Free to try EWIDO
(http://www.ewido.net/en/) has been good at spotting it. It
also removed it from 14 locations on my computer. It could not get
geeby.dll in Windows\system32 that was called by winlogon.exe. But it
got the other places it was waiting.






Jim Byrd wrote:
Hi Barryco - Five approaches to removing Winfixer (Vundo). Not all
will work on all variants. It's suggested that you try them in this order.

1 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

2 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm


3 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049


4 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix


At this point please type the following file path (make sure to enter it
exactly as below!)
C:\WINDOWS\system32\geeby.dll

Press Enter

Next you will see

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it
exactly as below!)
C:\WINDOWS\system32\ybeeg.

Press Enter to continue

The fix will run then HijackThis will open
In HijackThis, please place a check next to the following items and click
FIX CHECKED


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697}
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close HijackThis.

The fix will tell you to shutdown using the Power button. Hold in your power
button until the computer shuts down. Wait about 15 seconds and then restart
the computer into regular Windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking
your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.as
http://www.pandasoftware.com/activescan

Allow them to clean.

Panda will have the option to create a log after the scan has finished.
Click the See Report button. Then click the Save Report button. It will be saved
under the name activescan.txt. Do that and post that log into your next reply
here.

Run HijackThis and post the new log and the vundofix.txt file from the
vundofix folder as well.
----------------------------------------------------------------------------

The forum helpers have reported this fix from Atribune works. I don't know
about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread where the
helpers are discussing this.

Suzi


Note: Here's some added info relative to the above courtesy of MVP Steve
Wechsler (aka MowGreen):

"the .dll's file name

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify it
is to scan the system with HijackThis and look at the O2 BHO and/or O20
Winlogon entries to find out its name. Close all other programs and
browsers prior to scanning with HJT. REMEMBER that there is a hidden file
that will have the name of the .dll spelled backwards. Enter that name when
the VundoFix requests the path to the second file."

5 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
that can be used if the recommended method fails:
http://www.bleepingcomputer.com/forums/topic18610.html
____________________________________________________

Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new,
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc1

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.htm

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt.


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
notably Winfixer/Vundo, are suspected of exploiting. If you did have this
version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/

I think we're on the right track here. I definitely have Winfixer on my
PC
and have been having a bugger of a time trying to get rid of it. Also
Vundo
was identified this morning but supposedly cleaned by eTrust.

In trying to get WInfixer sorted out I found out about HijackThis but have
not had a chance to go through all the steps.

I hoped there was a simple solution :)

Thanks to you all for your prompt and informative replies.


Sounds like a Vundo/WinFixer infection. At this time, no anti-malware
tools can identify and remove all Vundo/Winfixer variants. You will have to
post your HijackThis log to one of the above forums and take several steps to
remove it, all under the guidance of someone experienced in this Bad Guy.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware.
**Post your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), AH-VSOP

Barryco wrote:
My system is running very very slowly. A check of Task Manager shows
that Winlogon.exe is continually using 50-60% of the CPU.

This happens regardless of which user account you log on to.

When you do a fresh reboot, logon to one account and then have nothing
else running, good old Winlogon is sitting there chugging away - cycling
around between System Idle process and WInlogon, CPU sitting around
average 60% used with spikes up to 100%.

I have scanned for viruses, malware and nothing comes up. XP with SP2,
all regular updates automatically applied, running eTrust AV and regular
scans with Adaware and Spybot.

The system is unusable in this state.

Suggestions welcome - thanks in advance.

:) :D :D
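The VirtumundoBeGone log and MowGreen's note above between them describe the whole Vundo foothold: a DLL registered as an IE Browser Helper Object (HKLM\...\Explorer\Browser Helper Objects\{CLSID}, resolved through HKCR\CLSID\{CLSID}\InprocServer32) and the same DLL registered as a Winlogon Notify package (HKLM\...\Winlogon\Notify\<name>, DLLName value), plus a hidden companion file whose name is the DLL's base name spelled backwards. The script below is an added example written for this thread, not code from VirtumundoBeGone, VundoFix or any poster: a read-only PowerShell audit that walks both registry locations, maps each entry to its DLL, and reports any DLL that is wired into both, has no valid Authenticode signature, or has a reversed-name sibling on disk. It also reports whether the IE ActiveX kill bit (Compatibility Flags 0x400, the flag the remover set) is present for each BHO CLSID. The registry paths and the 0x400 value are standard Windows; the output format and function names are the example's own. It needs PowerShell 3 or later and an elevated prompt, and it changes nothing.

```powershell
# Added example (not from the thread): audit the two autostart points the
# VirtumundoBeGone log shows Vundo using. Read-only; run elevated; PowerShell 3+.

$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$AcxKey    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-BhoEntries {
    # Each BHO subkey is a CLSID; HKCR\CLSID\{...}\InprocServer32 names the DLL IE loads.
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($key in Get-ChildItem $BhoKey) {
        $clsid  = $key.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $inproc) {
            $raw = (Get-ItemProperty $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        # Kill bit = 0x400 in Compatibility Flags; the remover set this for the Vundo CLSID.
        $flags   = (Get-ItemProperty "$AcxKey\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        $killBit = (($flags -as [int]) -band 0x400) -ne 0
        [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Dll = $dll; KillBit = $killBit }
    }
}

function Get-WinlogonNotifyEntries {
    # Each Notify subkey's DLLName is loaded into winlogon.exe at logon (honored through XP/2003).
    if (-not (Test-Path $NotifyKey)) { return }
    foreach ($key in Get-ChildItem $NotifyKey) {
        $dll = (Get-ItemProperty $key.PSPath).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            # A bare name resolves from system32, which is where geeby.dll lived.
            $dll = Join-Path $env:SystemRoot "system32\$dll"
        }
        [pscustomobject]@{ Source = 'WinlogonNotify'; Name = $key.PSChildName; Dll = $dll; KillBit = $false }
    }
}

function Get-DllFindings {
    param([string]$Path)
    # Emits one string per reason the DLL deserves a look; emits nothing when clean.
    if (-not $Path) { return 'no DLL path resolved' }
    if (-not (Test-Path $Path)) { return 'file missing on disk' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { "Authenticode: $($sig.Status)" }
    # MowGreen's tip: Vundo kept a hidden companion named as the DLL's base name reversed.
    $chars = ([IO.Path]::GetFileNameWithoutExtension($Path)).ToCharArray()
    $rev   = -join $chars[-1..-($chars.Length)]
    Get-ChildItem -Path (Split-Path $Path) -Filter "$rev.*" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $Path } |
        ForEach-Object { "reversed-name companion: $($_.Name)" }
}

function Invoke-VundoAudit {
    $entries = @(Get-BhoEntries) + @(Get-WinlogonNotifyEntries)
    $groups  = $entries | Where-Object { $_.Dll } | Group-Object { $_.Dll.ToLowerInvariant() }
    foreach ($g in $groups) {
        $sources = @($g.Group | ForEach-Object { $_.Source } | Sort-Object -Unique)
        $notes   = @(Get-DllFindings -Path $g.Name)
        # The pattern from the log: one DLL registered as both a BHO and a Notify package.
        if ($sources.Count -gt 1) { $notes += 'registered as BHO and Winlogon Notify package' }
        if ($g.Group | Where-Object { $_.KillBit }) { $notes += 'kill bit set for its CLSID' }
        [pscustomobject]@{
            Verdict = if ($notes) { 'SUSPECT' } else { 'ok' }
            Dll     = $g.Name
            Via     = $sources -join '+'
            Notes   = $notes -join '; '
        }
    }
    # Entries whose DLL could not be resolved are still worth listing by hand.
    foreach ($e in $entries | Where-Object { -not $_.Dll }) {
        [pscustomobject]@{ Verdict = 'CHECK'; Dll = '(unresolved)'; Via = $e.Source; Notes = $e.Name }
    }
}

Invoke-VundoAudit | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output. The kill bit only stops Internet Explorer from instantiating the CLSID; it does nothing about the Winlogon load path, which is why the log shows the remover also deleting the Notify key and renaming the DLL rather than relying on the kill bit alone. And on Vista and later Winlogon no longer loads Notify packages at all, so anything the audit finds under that key on a newer system is either stale or planted, and is worth a look either way.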
 
G

GeebyHater

!!!! SUCCES
!!!!
[b:6edbc53dd2]Re: WINFIXER - VIRTUMONDE - VUNDO - GEEBY.DL

I have spent MANY hours trying to get rid of this devil. :crybaby:

Went through the methods below from 1st to success

1 - :crybaby: Symantec: Backed off using this method when I saw tha
it required turning off the RESTORE TOOL. Had a previous ba
experience with that and this particular Trojan

2 - :crybaby: McAfee - Went through this method. Not work
Additionally their description of files this beast puts on compute
was all wrong. I assume the program has morphed what it does

3 - :D Removal Tool (VirtumundoBeGone.exe) at
http://forums.mcafeehelp.com/viewtopic.php?t=5704

Read the information - 45 seconds
Downloaded VirtumundoBeGone.exe - 10 seconds
Ran VirtumundoBeGone.exe - 2 minutes
Computer rebooted - 2 minutes
Read VGB.TXT report on my desktop - 30 seconds
Deleated all remaining remnants of this freak - 60 seconds
Now plan to party ALL NIGHT
It worked, it was simple
THANK YOU!!!!![/b:6edbc53dd2

:D :nod: :D ;) :evil: :nod: :D
______________________

[b:6edbc53dd2]For those of you interested, here is the removal repor
that was put on my desktop:[/b:6edbc53dd2

[color=green:6edbc53dd2][12/23/2005, 23:12:46] - VirtumundoBeGone v1.
( "c:\My Downloads\0-LoadFromHere\VirtumundoBeGone.exe"
[12/23/2005, 23:13:08] - Detected System Information
[12/23/2005, 23:13:08] - Windows Version: 5.1.2600, Service Pack
[12/23/2005, 23:13:08] - Current Username: XXXXX XXXXXXX (Admin
[12/23/2005, 23:13:08] - Windows is in NORMAL mode
[12/23/2005, 23:13:08] - Searching for Browser Helper Objects
[12/23/2005, 23:13:08] - BHO 1
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO
[12/23/2005, 23:13:08] - BHO 2
{06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifrau
Toolbar
[12/23/2005, 23:13:08] - BHO 3
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class
[12/23/2005, 23:13:08] - BHO 4
{53707962-6F74-2D53-2644-206D7942484F} (
[12/23/2005, 23:13:08] - WARNING: BHO has no default name. Checkin
for Winlogon reference
[12/23/2005, 23:13:08] - Checking fo
HKLM\...\Winlogon\Notify\SDHelpe
[12/23/2005, 23:13:08] - Key not found
HKLM\...\Winlogon\Notify\SDHelper, continuing
[12/23/2005, 23:13:08] - BHO 5
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard
[12/23/2005, 23:13:08] - BHO 6
{7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object
[12/23/2005, 23:13:09] - BHO 7
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper
[12/23/2005, 23:13:09] - BHO 8
{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor
[12/23/2005, 23:13:09] - BHO 9
{FC148228-87E1-4D00-AC06-58DCAA52A4D1} (MSEvents Object
[12/23/2005, 23:13:09] - ALERT: Found MSEvents Object
[12/23/2005, 23:13:09] - Finished Searching Browser Helper Object
[12/23/2005, 23:13:09] - *** Detected MSEvents Objec
[12/23/2005, 23:13:09] - Trying to remove MSEvents Object..
[12/23/2005, 23:13:10] - Terminating Process: IEXPLORE.EX
[12/23/2005, 23:13:10] - Terminating Process: RUNDLL32.EX
[12/23/2005, 23:13:10] - Disabling Automatic Shell Restar
[12/23/2005, 23:13:10] - Terminating Process: EXPLORER.EX
[12/23/2005, 23:13:10] - Suspending the NT Session Manager Syste
Servic
[12/23/2005, 23:13:11] - Terminating Windows NT Logon/Logof
Manage
[12/23/2005, 23:13:12] - Re-enabling Automatic Shell Restar
[12/23/2005, 23:13:12] - File to disable
C:\WINDOWS\system32\geeby.dl
[12/23/2005, 23:13:12] - Renaming C:\WINDOWS\system32\geeby.dll -
C:\WINDOWS\system32\geeby.dll.vi
[12/23/2005, 23:13:12] - File successfully renamed
[12/23/2005, 23:13:12] - Removing HKLM\...\Browser Helpe
Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1
[12/23/2005, 23:13:12] - Removin
HKCR\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1
[12/23/2005, 23:13:12] - Adding Kill Bit for ActiveX for GUID
{FC148228-87E1-4D00-AC06-58DCAA52A4D1
[12/23/2005, 23:13:12] - Deleting ATLEvents/MSEvents Registr
entrie
[12/23/2005, 23:13:12] - Removing HKLM\...\Winlogon\Notify\geeb
[12/23/2005, 23:13:12] - Searching for Browser Helper Objects
[12/23/2005, 23:13:12] - BHO 1:
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:12] - BHO 2:
{06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud
Toolbar)
[12/23/2005, 23:13:12] - BHO 3:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:12] - BHO 4:
{53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:12] - WARNING: BHO has no default name. Checking
for Winlogon reference.
[12/23/2005, 23:13:12] - Checking for
HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:12] - Key not found:
HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:12] - BHO 5:
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:12] - BHO 6:
{7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:13] - BHO 7:
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:13] - BHO 8:
{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:13] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:13] - Finishing up...
[12/23/2005, 23:13:13] - A restart is needed.
[12/23/2005, 23:13:25] - Attempting to Restart via STOP error (Blue
Screen!)[/color:6edbc53dd2]
--------------------------

[b:6edbc53dd2]Re-ran the program and this was what it gave me (no
reboot because it had been cleaned):[/b:6edbc53dd2]

[color=green:6edbc53dd2]
[12/23/2005, 23:27:16] - VirtumundoBeGone v1.5 ( "c:\My
Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:27:20] - Detected System Information:
[12/23/2005, 23:27:20] - Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:27:20] - Current Username: XXXXXX XXXXXXXX (Admin)
[12/23/2005, 23:27:20] - Windows is in NORMAL mode.
[12/23/2005, 23:27:20] - Searching for Browser Helper Objects:
[12/23/2005, 23:27:20] - BHO 1:
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:27:20] - BHO 2:
{06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud
Toolbar)
[12/23/2005, 23:27:20] - BHO 3:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:27:20] - BHO 4:
{53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:27:21] - WARNING: BHO has no default name. Checking
for Winlogon reference.
[12/23/2005, 23:27:21] - Checking for
HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:27:21] - Key not found:
HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:27:21] - BHO 5:
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:27:21] - BHO 6:
{7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:27:21] - BHO 7:
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:27:21] - BHO 8:
{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:27:21] - Finished Searching Browser Helper Objects
[12/23/2005, 23:27:21] - Finishing up...
[12/23/2005, 23:27:21] - Nothing found! Exiting...[/color:6edbc53dd2]

-------------------------------------------------------

[b:6edbc53dd2]Additional information: Free to try EWIDO
(http://www.ewido.net/en/) has been good at spoting it. It
also removed it from 14 locations on my computer. It could not get
geeby.dll in window/system32 that was called by winlogon.exe. But it
got the other places it was waiting.[/b:6edbc53dd2]






Jim Byrdwrote:
Hi Barryco - Five approaches to removing Winfixer (Vundo). Not all
will
work on all variants. It's suggested that you try them in this order.

1 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

2 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm


3 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049


4 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staf
Then Press Enter, to continue with the fix


At this point please type the following file path (make sure t enter i
exactly as below!)
C:\WINDOWS\system32\geeby.dl

Press Enter

Next you will see

Please type in the second filepath as instructed by the forum staf

At this point please type the following file path (make sure t enter i
exactly as below!)
C:\WINDOWS\system32\ybeeg.

Press Enter to continue

The fix will run then HijackThis will open
In HijackThis, please place a check next to the following items an clic
FIX CHECKED


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697
C:\WINDOWS\system32\geeby.dl
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dl

After you have fixed these items, close Hijackthis

The fix will tell you to shutdown using the Power button. Hold i your powe
button until the computer shuts down. Wait about 15 seconds and the restar
the computer into regular windows

Chkdsk will run. This is normal. It will take a few minutes and i checkin
your file system because of the Bad Shutdown we caused

Go for free online Virus scans here

http://housecall.trendmicro.com/housecall/start_corp.as
http://www.pandasoftware.com/activescan

Allow them to clea

Panda will have the option to create a log after the scan ha finished
Clic
the See Report button. Then click the save Report button. It will b save
under the name activescan.txt Do that and post that log into you next repl
here

Run hijackthis and post the new log and the vundofix.txt file fro th
vundofix folder into as well.
---------------------------------------------------------------------------
-

The forum helpers have reported this fix from Atribune works. don't kno
about the Symantec tool

If you'd like to join Spyware Warrior, you could see the threa where th
helpers are discussing this

Suzi


Note: Here's some added info relative to the above courtesy of MV Stev
Wechsler (akaMowGreen)

"the .dll's file name

C:\WINDOWS\system32\geeby.dl

will be different on different systems. What you can do to identif i
is to scan the system with HijackThis and look at the O2 BHO and/o O2
Winlogon entries to find out it's name. Close all other program an
browsers prior to scanning with HJT. REMEMBER that there is hidden fil
that will have the name of the .dll spelled backwards. Enter tha name whe
the VundoFix requests the path to the second file

5 - Grinler, (Lawrence Abrams, a Security MVP), has another remova metho
that can be used if the recommended method fails
http://www.bleepingcomputer.com/forums/topic18610.html
____________________________________________________

Here's the HijackThis info you may need

Download HijackThis, free, here
http://209.133.47.200/~merijn/files/HijackThis.exe (Always downloa a ne
fresh copy of HijackThis [and CWShredder also] - It's UPDATE frequently.
You may also get it here if that link is blocked
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc1

There's a good "How-to-Use" tutorial here
http://computercops.biz/HijackThis.htm

In Windows Explorer, click on Tools|Folder Options|View and chec "Sho
hidden files and folders" and uncheck "Hide protected operatin syste
files". (You may want to restore these when you're all finishe wit
HijackThis.

Place HijackThis.exe or unzip HijackThis.zip into its own dedicate folde
at the root level such as C:\HijackThis (NOT in a Temp folder or o you
Desktop), reboot to Safe mode, start HT then press Scan. Click o SaveLo
when it's finished which will create hijackthis.log. Now click th Confi
button, then Misc Tools and click on Generate StartupList.log whic wil
create Startuplist.tx


Then go to one of the following forums

Spyware and Hijackware Removal Support, here
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
notably Winfixer/Vundo, are suspected of exploiting. If you did have this
version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/

I think we're on the right track here. I definitely have Winfixer on my
PC and have been having a bugger of a time trying to get rid of it. Also
Vundo was identified this morning but supposedly cleaned by eTrust.

In trying to get Winfixer sorted out I found out about HijackThis but have
not had a chance to go through all the steps.

I hoped there was a simple solution :)

Thanks to you all for your prompt and informative replies.


Sounds like a Vundo/WinFixer infection. At this time, no anti-malware
tools can identify and remove all Vundo/Winfixer variants. You will have to
post your HijackThis log to one of the above forums and take several steps to
remove it, all under the guidance of someone experienced in this Bad Guy.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware.
**Post
your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), AH-VSOP

Barryco wrote:
My system is running very very slowly. A check of Task Manager shows
that Winlogon.exe is continually using 50-60% of the CPU.

This happens regardless of which user account you log on to.

When you do a fresh reboot, logon to one account and then have nothing
else running, good old Winlogon is sitting there chugging away - cycling
around between System Idle process and Winlogon, CPU sitting around
average 60% used with spikes up to 100%.

I have scanned for viruses, malware and nothing comes up. XP with SP2,
all regular updates automatically applied, running eTrust AV and regular
scans with Adaware and Spybot.

The system is unusable in this state.

Suggestions welcome - thanks in advance.

:) :D :D
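An added diagnostic check for the symptom in Barryco's post (it is not from the thread and not part of any of the removal tools mentioned above): list the DLLs loaded into winlogon.exe and flag any that do not carry a valid Microsoft signature. A healthy winlogon.exe only loads Microsoft system modules, so an unsigned or third-party DLL in that list is the first thing to look at when winlogon is burning CPU. Run it from an elevated PowerShell prompt; the function name is my own.

```powershell
# Added diagnostic example, not from the thread: enumerate the DLLs loaded
# into winlogon.exe and flag anything without a valid Microsoft signature.
# Requires an elevated prompt; module enumeration on winlogon needs admin.

function Get-WinlogonModuleReport {
    foreach ($proc in Get-Process -Name winlogon -ErrorAction Stop) {
        foreach ($mod in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # Only a valid signature whose subject is Microsoft counts as clean.
            $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
            [pscustomobject]@{
                PID        = $proc.Id
                Module     = $mod.ModuleName
                Path       = $mod.FileName
                SigStatus  = $sig.Status
                Signer     = $signer
                Suspicious = -not $isMicrosoft
            }
        }
    }
}

# Review the flagged rows first. On older Windows many system DLLs are
# catalog-signed and show up as NotSigned here, so treat this as triage,
# not proof: check the path (System32 vs. a profile or temp folder) too.
Get-WinlogonModuleReport | Where-Object Suspicious |
    Format-Table Module, Path, SigStatus, Signer -AutoSize
```

The point of checking the loaded module list rather than just the process name is that winlogon.exe itself is a legitimate Microsoft binary; the CPU is being spent by whatever got loaded into it. A flagged DLL that also shows up as a BHO or in your HijackThis log is what you take to the forums listed above.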

Jim Byrd

OK, Well Done! Now,

1. It's strongly suspected that certain "malware" (Winfixer/Vundo) is
making use of an exploit in earlier versions of the Sun Java JRE if they are
present on your machine even if they are not the selected version of Java
that's in use. Anything earlier than one of the 5.0_X releases should be
removed, particularly any 3.0_X versions.

You can get the Sun Java J2SE RunTimes or SDK here:

http://java.sun.com/downloads/index.html (all versions - select using the
dropdown - I recommend that you don't install any version prior to 1.5.0_06
in order to get an important security fix. Uninstall ALL prior versions -
they are a serious security risk even if you have a later version
installed.) This is what I use, BTW.


2. Take a look at my Blog, Defending Your Machine, addy below in my
Signature, especially the last section, for some steps you can take to help
prevent this in the future.
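The Java check Jim describes, as an added PowerShell example (not from the thread and not Sun's or Microsoft's tooling): it reads the per-version keys the Sun installer writes under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment (and the WOW6432Node copy on 64-bit Windows), parses version names like 1.4.2_03, and marks anything below 1.5.0_06 for removal. Mapping "1.5.0_06" onto [version]"1.5.0.6" for the comparison and the function names are my assumptions.

```powershell
# Added example, not from the thread: inventory installed Sun/Oracle JREs
# from the registry and flag any older than 1.5.0_06 (the threshold from
# the post). Assumption: "1.5.0_06" is compared as [version]"1.5.0.6".
$MinimumSafeJre = [version]'1.5.0.6'

function ConvertTo-JreVersion {
    param([string]$KeyName)   # e.g. 1.4.2_03, 1.5.0_06, 1.8.0_291
    if ($KeyName -match '^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$') {
        $update = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$update"
    }
    return $null   # skip "1.5"-style family keys and anything unparseable
}

function Get-JreInventory {
    $bases = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($base in $bases) {
        if (-not (Test-Path -Path $base)) { continue }
        # CurrentVersion is the JRE java.exe picks by default; the older
        # ones still sit on disk and are still reachable by a web page.
        $current = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).CurrentVersion
        foreach ($key in Get-ChildItem -Path $base) {
            $ver = ConvertTo-JreVersion -KeyName $key.PSChildName
            if ($null -eq $ver) { continue }
            [pscustomobject]@{
                Version      = $key.PSChildName
                JavaHome     = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).JavaHome
                IsCurrent    = ($key.PSChildName -eq $current)
                ShouldRemove = ($ver -lt $MinimumSafeJre)
            }
        }
    }
}

Get-JreInventory | Sort-Object Version | Format-Table -AutoSize
```

Anything listed with ShouldRemove set should go through Add/Remove Programs rather than a folder delete, so the installer also unregisters the browser plug-in for that version; a leftover plug-in registration is exactly what lets a page pick the old JRE even when a newer one is "current".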

pwangdel

My friend computer is infected with Winfixer popsup. She is a
computer dummy and I don't live nearby to help her out. I am
wondering if XoftSpy is a legitimate program that she can buy and
download to remove this pesky adware / spyware.

Thank you all for your input and help.

David H. Lipman

From: "pwangdel" <[email protected]>

| My friend computer is infected with Winfixer popsup. She is a
| computer dummy and I don't live nearby to help her out. I am
| wondering if XoftSpy is a legitimate program that she can buy and
| download to remove this pesky adware / spyware.
|
| Thank you all for your input and help.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any versions of Sun Java
prior to Version 5 on the PC, they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *

Guest

Thanks to all who contributed to this thread. I'm having the same problems so
I am about to give it a try.

Tee