WinFixer 2005

Discussion in 'Computer Security' started by Jim Watt, Dec 19, 2005.

  1. Jim Watt

    Jim Watt Guest

    Whilst browsing the web, not, I might add, on a porn site,
    got a pop up telling me of the evils that may lurk in my
    PC and that downloading Winfixer would cure them.

    Not being of a trusting nature, I declined to download it.

    However the bloody thing had a go at installing itself on
    my system and ZoneAlarm reported it calling home.

    There is a registry key trying to run it at startup

    NI.UWFX5_0001_N57M2811

    "C:\WINNT\Downloaded Program
    Files\UWFX5_0001_N57M2811NetInstaller.exe" -nag

    Rather worrying, as if it had not accessed the internet it
    might have got away with installing itself ...

    The case for dumping IE and using only firefox gets stronger.

    Google shows a website http://www.winfixer.com/

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094807
    The Pest Patrol website says:

    Category
    Adware : Software that displays popup/popunder ads when the primary
    user interface is not visible or which do not appear to be associated
    with the product ... WinFixer violates the following criteria: First,
    Installs itself or any other item without user permission or knowledge

    ---

    BEWARE !
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 19, 2005
    #1
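The Run-key entry Jim quotes is the kind of thing worth checking for on any machine that has had one of these pop-ups, whether or not a firewall happened to catch the call home. As an added example (not code from the post or from any tool named in the thread), here is a small Python triage script that reads a regedit export of a Run key and flags values that look like that installer: an executable started out of the Internet Explorer ActiveX cache ("Downloaded Program Files") or launched with a "-nag" argument. The sample export is constructed: the first value is the one quoted in the post, the ZoneAlarm value is an assumed benign neighbour added for contrast. Working from an export rather than the live registry keeps it runnable on any platform.

```python
"""Triage Run-key autostart entries from a regedit (.reg) export.

Added example, not code from the thread or from any tool named in it.
It parses the text of a "reg export" of a Run key and flags values that
look like the WinFixer installer in the post: an executable living in the
Internet Explorer ActiveX cache ("Downloaded Program Files") or started
with a "-nag" argument.
"""
import re
from dataclasses import dataclass

# Constructed sample export. The first value is the one quoted in the post;
# the ZoneAlarm value is an assumed benign neighbour added for contrast.
# regedit escapes backslashes and quotes inside value data, hence \\ and \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NI.UWFX5_0001_N57M2811"="\"C:\\WINNT\\Downloaded Program Files\\UWFX5_0001_N57M2811NetInstaller.exe\" -nag"
"ZoneAlarm"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
'''


@dataclass
class RunEntry:
    key: str    # registry key the value lives under
    name: str   # value name, e.g. NI.UWFX5_0001_N57M2811
    exe: str    # executable path with surrounding quotes removed
    args: str   # remaining command-line arguments, "" if none


_KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="data" where both sides may contain \" and \\ escapes
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo regedit's backslash and quote escaping."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _split_command(cmd):
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_run_values(text):
    """Return a RunEntry for every value under a key whose name ends in Run."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and key and key.lower().endswith("\\run"):
            exe, args = _split_command(_unescape(m.group(2)))
            entries.append(RunEntry(key, _unescape(m.group(1)), exe, args))
    return entries


def suspicious(entry):
    """Tags describing why an entry deserves a look; empty list means clean."""
    reasons = []
    # The ActiveX cache is where IE drops things fetched via <object>; a
    # persistent program has no business being started from there.
    if "\\downloaded program files\\" in entry.exe.lower():
        reasons.append("activex-cache")
    if "-nag" in entry.args.lower().split():
        reasons.append("nag-arg")
    return reasons


def triage(text):
    """Map value name -> reasons for every flagged Run entry in the export."""
    flagged = {}
    for entry in parse_run_values(text):
        reasons = suspicious(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in triage(SAMPLE_REG).items():
        print(f"{name}: {', '.join(why)}")
```

On a real box, export the per-user and per-machine Run keys with regedit or `reg export` and feed the file in; anything tagged should be looked at before the next reboot, since the value gets executed at every logon whether or not the installer ever reached the network.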

  2. From: "Jim Watt" <_way>

    | Whilst browsing the web, not I might add on porn a site,
    | got a pop up telling me of the evils that may lurk in my
    | PC and that downloading Winfixer would cure them.
    |
    | Not being of a trusting nature I declined to download it
    |
    | However the bloody thing had a go at installing itself on
    | my system and ZoneAlarm reported it calling home.
    |
    | There is a registry key trying to run it at startup
    |
    | NI.UWFX5_0001_N57M2811
    |
    | "C:\WINNT\Downloaded Program
    | Files\UWFX5_0001_N57M2811NetInstaller.exe" -nag
    |
    | Rather worrying, as if it had not accessed the internet it
    | might have got away with installing itself ...
    |
    | The case for dumping IE and using only firefox gets stronger.
    |
    | Google shows a website http://www.winfixer.com/
    |
    | http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094807
    | The pest patrol website says:
    |
    | Category
    | Adware : Software that displays popup/popunder ads when the primary
    | user interface is not visible or which do not appear to be associated
    | with the product ... WinFixer violates the following criteria: First,
    | Installs itself or any other item without user permission or knowledge
    |
    | ---
    |
    | BEWARE !

    Two phase answer...

    Perform Part 1, then perform Part 2.

    Part 1
    ------------
    Download Adware-Virtumundo Removal Tool v1.5 --
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    Information on the Adware-Virtumundo Removal Tool:
    http://forums.mcafeehelp.com/viewtopic.php?t=57049

    Part 2
    ------------
    Download WinFixerFix.exe from the URL --
    http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

    Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to enable WGET.EXE to download the needed McAfee related files.

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
    end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
    It is suggested that you move the report out of c:\mcafee before performing another scan.
    It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session.

    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Dec 19, 2005
    #2

  3. Jim Watt

    Jim Watt Guest

    On Mon, 19 Dec 2005 16:28:06 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >* * * Please report back your results * * *


    I went directly to phase 2.

    Summary report on C:\*.*
    File(s)
    Total files: ........... 431385
    Clean: ................. 429763
    Possibly Infected: ..... 354
    Cleaned: ............... 0
    Deleted: ............... 104
    Non-critical Error(s): 3
    Master Boot Record(s): ......... 1
    Possibly Infected: ..... 0
    Boot Sector(s): ................ 1
    Possibly Infected: ..... 0

    Most of these come down to a couple of directories with raw email
    messages containing a number of real viruses (usual suspects, Bagle,
    MyDoom, Sober etc).

    The scanner removed a few things I would rather it had not, and I may
    put them back from the backups. Unfortunately if one takes an interest in
    getting rid of bad things it's necessary to have them to hand.

    What went down of note:

    toolbar_uninstall.exe ... Found the Swizzor.gen trojan !!!
    This was the program to remove LOP which seemed to do
    the trick nicely. I suspect it's a false positive.

    UNABOMB.EXE ... Found the Spam-UnaBomber trojan !!!
    No, it's not a trojan. Maybe antisocial and infrequently used.

    desktop.exe ... Found the W32/Danshbot.worm virus !!!
    It was there for research purposes, being a bit of crap found on a
    client's machine.

    WEBCRACK.EXE ... Found potentially unwanted program WebCracker.sfx
    sounds judgemental to me, there again it wasn't very good.

    C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe ... Found
    potentially unwanted program Generic PUP.a.
    Dunno about that, I was using that as a TFTP server to update my SIP
    phones occasionally.

    nimda.txt ... Found the Exploit-MIME.gen virus !!!
    Hmmm, I wrote that file, so it's a false positive.

    w00t.exe ... Found the MultiDropper-JG trojan !!!
    Yeah, I found that on a client's machine and was researching it.

    C:\WINNT\Downloaded Program
    Files\CONFLICT.1\UWFX5_0001_N57M2811NetInstaller.exe ... Found
    potentially unwanted program Winfixer. The file or process has been
    deleted.

    Ah it was in there, or at least its installer was

    C:\WINNT\system32\tmksrvu.exe ... Found potentially unwanted program
    Adware-XPlugin.
    Hmmm, WTF is that and what's it a do-in there! Google: tmksrvu.exe is
    a file extension related to CoolWebSearch. aggghhh! uncool.

    eudpass.com ... Found potentially unwanted program HTool/pwd
    Bugger, that one is an occasionally useful password recovery tool.

    -----

    Maybe it's time to get a thin client machine to surf the web, and a
    separate machine for malware research.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 20, 2005
    #3
  4. Winged

    Winged Guest

    Jim Watt wrote:
    > Whilst browsing the web, not I might add on porn a site,
    > got a pop up telling me of the evils that may lurk in my
    > PC and that downloading Winfixer would cure them.
    >
    > Not being of a trusting nature I declined to download it
    >
    > However the bloody thing had a go at installing itself on
    > my system and ZoneAlarm reported it calling home.
    >
    > There is a registry key trying to run it at startup
    >
    > NI.UWFX5_0001_N57M2811
    >
    > "C:\WINNT\Downloaded Program
    > Files\UWFX5_0001_N57M2811NetInstaller.exe" -nag
    >
    > Rather worrying, as if it had not accessed the internet it
    > might have got away with installing itself ...
    >
    > The case for dumping IE and using only firefox gets stronger.
    >
    > Google shows a website http://www.winfixer.com/
    >
    > http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094807
    > The pest patrol website says:
    >
    > Category
    > Adware : Software that displays popup/popunder ads when the primary
    > user interface is not visible or which do not appear to be associated
    > with the product ... WinFixer violates the following criteria: First,
    > Installs itself or any other item without user permission or knowledge
    >
    > ---
    >
    > BEWARE !
    > --
    > Jim Watt
    > http://www.gibnet.com


    With the exploits published and in the wild and no current workaround
    for IE....I think the case for dumping IE is very strong. Yes Firefox
    too has had issues, though few of them have arisen with the regularity
    and seriousness of the IE exploits.

    Until MS allows me finite control over what is allowed where, I will use
    my javaless Firefox to get what I need. I will turn on Java at trusted
    sites only and turn it off once I leave. I will turn on graphics only
    when needed and only from originating sites.

    I get the info I need by being mindful. I question the longevity of a
    web where the remote server has any right to process code on the local
    machine in an uncontrolled manner. Yes, I know I do process html tags
    in this mode, but luckily there have been few text exploits.

    Microsoft's trusted computing..baa as far as I can spit...no, that's too
    far.... Trust no one...(it has been a bad day...) There are some real
    nasty folks taking advantage of MS's latest holes.

    Winged
     
    Winged, Dec 20, 2005
    #4
  5. Replies are inline...


    | On Mon, 19 Dec 2005 16:28:06 GMT, "David H. Lipman"
    | <DLipman~nospam~@Verizon.Net> wrote:
    |
    >> * * * Please report back your results * * *

    |
    | I went directly to phase 2.
    |
    | Summary report on C:\*.*
    | File(s)
    | Total files: ........... 431385
    | Clean: ................. 429763
    | Possibly Infected: ..... 354
    | Cleaned: ............... 0
    | Deleted: ............... 104
    | Non-critical Error(s): 3
    | Master Boot Record(s): ......... 1
    | Possibly Infected: ..... 0
    | Boot Sector(s): ................ 1
    | Possibly Infected: ..... 0
    |
    | Most of these come down to a couple of directories with raw email
    | messages containing a number of real virus's (usual suspects, bagle
    | mydoom sober etc)
    |
    | The scanner removed a few things I would rather it had not, and may
    | put back from the backups. Unfortunately if one takes an interest in
    | getting rid of bad things its necesary to have them to hand.
    |
    | What went down of note:
    |
    | toolbar_uninstall.exe ... Found the Swizzor.gen trojan !!!
    | This was the program to remove LOP which seemed to do
    | the trick nicely. I suspect its a false positive.


    My understanding is that it is an untrustworthy uninstaller.


    |
    | UNABOMB.EXE ... Found the Spam-UnaBomber trojan !!!
    | no its not a trojan. Maybe antisocial and infrequently used.
    |
    | desktop.exe ... Found the W32/Danshbot.worm virus !!!
    | it was there for research purposes being a bit of crap found on a
    | clients machine.
    |
    | WEBCRACK.EXE ... Found potentially unwanted program WebCracker.sfx
    | sounds judgemental to me, there again it wasn't very good.
    |
    | C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe ... Found
    | potentially unwanted program Generic PUP.a.
    | Dunno about that, I was using that as a TFTP server to update my SIP
    | phones occasionally.


    That's a False Positive for sure !

    | nimda.txt ... Found the Exploit-MIME.gen virus !!!
    | Hmmm I wrote that file, so its a false positive.


    I wonder what it focused in on.


    | w00t.exe ... Found the MultiDropper-JG trojan !!!
    | Yeah I found that on a clients machine and was researching it
    |
    | C:\WINNT\Downloaded Program
    | Files\CONFLICT.1\UWFX5_0001_N57M2811NetInstaller.exe ... Found
    | potentially unwanted program Winfixer. The file or process has been
    | deleted.
    |
    | Ah it was in there, or at least its installer was
    |
    | C:\WINNT\system32\tmksrvu.exe ... Found potentially unwanted program
    | Adware-XPlugin.
    | Hmmm WTF is that and whats it a do-in there ! Google: tmksrvu.exe is
    | a file extension related to CoolWebSearch. aggghhh! uncool.
    |
    | eudpass.com ... Found potentially unwanted program HTool/pwd
    | bugger that one is occasionally useful password recovery tool.
    |
    | -----
    |
    | Maybe its time to get a thin client machine to surf the web, and a
    | separate machine for malware research.


    Sorry about the SolarWinds TFTP Daemon. There's nothing wrong with their software.

    As for some malware you are testing, rule of thumb is to always keep them in password
    protected ZIP files. This way they won't be accidentally executed or, in this case, removed
    when you wanted them.

    Some tools, while not malicious in themselves, can be used in malicious processes. The
    McAfee scanner was set to use the "/program" switch and is aggressive in its scans.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Dec 20, 2005
    #5
  6. Jim Byrd

    Jim Byrd Guest

    Hi Jim - While there are situations in which flattening the computer is a
    reasonable approach to ending a malware infestation, Winfixer isn't, IMO,
    one of these.


    Seven approaches to removing Winfixer (Vundo). Not all will work on all
    variants. It's suggested that you try them in this order.

    1 - Feedback from users reports that the Removal Tool here is the most
    effective against what is currently the most common variety of this
    'malware':
    http://forums.mcafeehelp.com/viewtopic.php?t=57049



    2 - Symantec has a new Vundo remover:
    http://securityresponse.symantec.com/avcenter/FixVundo.exe
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
    http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



    3 - Courtesy of Dave Lipman:

    "Download WinFixerFix.exe from the URL --
    http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


    On the infected PC...

    Execute; WinFixerFix.exe { Note: You must accept the default of
    C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
    through your FireWall to enable WGET.EXE to download the needed McAfee
    related files.

    Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in
    c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be
    generated. At the end of the scan, it will be displayed in your browser
    (Opera, FireFox or Internet Explorer). It is suggested that you move the
    report out of c:\mcafee before performing another scan. It would be a good
    idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session."



    4 - McAfee has a combined automated/manual removal procedure here:
    http://vil.nai.com/vil/content/v_127690.htm



    5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

    "Atribune, a guy in the forums, has a Vundo fix tool as well:

    Instructions for use by user as posted in the SpywareWarrior forum:

    'Please download VundoFix.exe to your desktop. Here's a link:

    http://www.atribune.org/downloads/VundoFix.exe

    Double-click VundoFix.exe to extract the files
    This will create a VundoFix folder on your desktop.
    After the files are extracted, please restart your computer into Safe Mode.

    Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

    A command window will open and it should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk

    At this point press enter one time.

    Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, to continue with the fix.


    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\geeby.dll

    Press Enter.

    Next you will see:

    Please type in the second filepath as instructed by the forum staff

    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\ybeeg.*

    Press Enter to continue.

    The fix will run then HijackThis will open.
    In HijackThis, please place a check next to the following items and click
    FIX CHECKED:


    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
    C:\WINDOWS\system32\geeby.dll
    O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

    After you have fixed these items, close Hijackthis.

    The fix will tell you to shutdown using the Power button. Hold in your power
    button until the computer shuts down. Wait about 15 seconds and then restart
    the computer into regular windows.

    Chkdsk will run. This is normal. It will take a few minutes and is checking
    your file system because of the Bad Shutdown we caused.

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Allow them to clean

    Panda will have the option to create a log after the scan has finished.
    Click
    the See Report button. Then click the save Report button. It will be saved
    under the name activescan.txt Do that and post that log into your next reply
    here.

    Run hijackthis and post the new log and the vundofix.txt file from the
    vundofix folder into as well.'

    The forum helpers have reported this fix from Atribune works. I don't know
    about the Symantec tool.

    If you'd like to join Spyware Warrior, you could see the thread where the
    helpers are discussing this.

    Suzi"


    Note: Here's some added info relative to the above courtesy of MVP Steve
    Wechsler (aka MowGreen):

    "the .dll's file name :

    C:\WINDOWS\system32\geeby.dll

    will be different on different systems. What you can do to identify it
    is to scan the system with HijackThis and look at the O2 BHO and/or O20
    Winlogon entries to find out its name. Close all other programs and
    browsers prior to scanning with HJT. REMEMBER that there is a hidden file
    that will have the name of the .dll spelled backwards. Enter that name when
    VundoFix requests the path to the second file.



    6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
    that can be used if the recommended method fails :
    http://www.bleepingcomputer.com/forums/topic18610.html"




    7 - Courtesy of S.Sengupta[MS-MVP]

    Download VirtumundoBegone and save it to your desktop.

    VirtumundoBegone
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    Run that application after booting into safe mode.





    Here's the HijackThis info you may need:

    Download HijackThis, free, here:
    http://www.merijn.org/files/hijackthis.zip (Always download a new
    fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
    You may also get it here if that link is blocked:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

    There's a good "How-to-Use" tutorial here:
    http://computercops.biz/HijackThis.html

    In Windows Explorer, click on Tools|Folder Options|View and check "Show
    hidden files and folders" and uncheck "Hide protected operating system
    files". (You may want to restore these when you're all finished with
    HijackThis.)

    Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
    at the root level such as C:\HijackThis (NOT in a Temp folder or on your
    Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
    when it's finished which will create hijackthis.log. Now click the Config
    button, then Misc Tools and click on Generate StartupList.log which will
    create Startuplist.txt


    Then go to one of the following forums:

    Spyware and Hijackware Removal Support, here:
    http://forums.spywareinfo.com/
    or Jim Eshelman's site here: http://forum.aumha.org/
    or Bleepingcomputer here: http://www.bleepingcomputer.com/
    or Computer Cops here: http://www.computercops.biz/forums.html
    or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
    or Net-Integration here: http://net-integration.us/forums/index.php

    Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
    of the particular site's HiJackThis forum, then copy and paste both files
    into a message asking for assistance. Someone will answer with detailed
    instructions for the removal of your parasite(s). Be sure you include at
    the beginning of your post a description of "What specific
    problem(s)/symptoms you're trying to solve" and "What steps you've already
    taken."




    *******
    ONLY IF you've successfully eliminated the malware, you can now make a new,
    clean Restore Point and delete any previously saved (possibly infected)
    ones. The following suggested approach is courtesy of Gary Woodruff: For XP
    you can run a Disk Cleanup cycle and then look in the More Options tab. The
    System Restore option removes all but the latest Restore Point. If there
    hasn't been one made since the system was cleaned you should manually create
    one before dumping the old possibly infected ones.
    *******


    You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    especially since MS will apparently no longer be distributing Java or
    providing any support for Java including security fixes after Dec 31, 2007.
    BE SURE that you uninstall any prior versions of Sun Java as some,
    specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    us.


    When you get things cleaned up, take a look at my Blog, Defending Your
    Machine, addy in my Signature below, for some additional curative and
    preventive measures you might want to implement to help prevent this type of
    thing in the future.

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Jim Watt" <_way> wrote in message
    news:
    > On Mon, 19 Dec 2005 16:28:06 GMT, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:
    >
    >> * * * Please report back your results * * *

    >
    > I went directly to phase 2.
    >
    > Summary report on C:\*.*
    > File(s)
    > Total files: ........... 431385
    > Clean: ................. 429763
    > Possibly Infected: ..... 354
    > Cleaned: ............... 0
    > Deleted: ............... 104
    > Non-critical Error(s): 3
    > Master Boot Record(s): ......... 1
    > Possibly Infected: ..... 0
    > Boot Sector(s): ................ 1
    > Possibly Infected: ..... 0
    >
    > Most of these come down to a couple of directories with raw email
    > messages containing a number of real virus's (usual suspects, bagle
    > mydoom sober etc)
    >
    > The scanner removed a few things I would rather it had not, and may
    > put back from the backups. Unfortunately if one takes an interest in
    > getting rid of bad things its necesary to have them to hand.
    >
    > What went down of note:
    >
    > toolbar_uninstall.exe ... Found the Swizzor.gen trojan !!!
    > This was the program to remove LOP which seemed to do
    > the trick nicely. I suspect its a false positive.
    >
    > UNABOMB.EXE ... Found the Spam-UnaBomber trojan !!!
    > no its not a trojan. Maybe antisocial and infrequently used.
    >
    > desktop.exe ... Found the W32/Danshbot.worm virus !!!
    > it was there for research purposes being a bit of crap found on a
    > clients machine.
    >
    > WEBCRACK.EXE ... Found potentially unwanted program WebCracker.sfx
    > sounds judgemental to me, there again it wasn't very good.
    >
    > C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe ... Found
    > potentially unwanted program Generic PUP.a.
    > Dunno about that, I was using that as a TFTP server to update my SIP
    > phones occasionally.
    >
    > nimda.txt ... Found the Exploit-MIME.gen virus !!!
    > Hmmm I wrote that file, so its a false positive.
    >
    > w00t.exe ... Found the MultiDropper-JG trojan !!!
    > Yeah I found that on a clients machine and was researching it
    >
    > C:\WINNT\Downloaded Program
    > Files\CONFLICT.1\UWFX5_0001_N57M2811NetInstaller.exe ... Found
    > potentially unwanted program Winfixer. The file or process has been
    > deleted.
    >
    > Ah it was in there, or at least its installer was
    >
    > C:\WINNT\system32\tmksrvu.exe ... Found potentially unwanted program
    > Adware-XPlugin.
    > Hmmm WTF is that and whats it a do-in there ! Google: tmksrvu.exe is
    > a file extension related to CoolWebSearch. aggghhh! uncool.
    >
    > eudpass.com ... Found potentially unwanted program HTool/pwd
    > bugger that one is occasionally useful password recovery tool.
    >
    > -----
    >
    > Maybe its time to get a thin client machine to surf the web, and a
    > separate machine for malware research.
     
    Jim Byrd, Dec 20, 2005
    #6
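The VundoFix procedure in step 5, together with MowGreen's note, asks the user to read three things off a HijackThis log by eye: the O2 BHO line and the O20 Winlogon Notify line that point at the same DLL in system32, and the hidden companion file whose name is that DLL's name spelled backwards (geeby.dll and ybeeg.* in the quoted case). As an added example, not code from the thread, from HijackThis or from VundoFix, the Python below derives all three from a log so the two VundoFix prompts and the "fix checked" lines can be filled in without hand-reversing names on each new variant. The sample log is constructed: the geeby.dll lines are the ones quoted in the post, the other entries are made-up benign filler (the second CLSID is a placeholder, not a real one).

```python
"""Pick Vundo/WinFixer indicators out of a HijackThis log.

Added example, not code from the thread, from HijackThis or from VundoFix.
It finds DLLs under system32 that are registered both as a Browser Helper
Object (O2) and as a Winlogon Notify handler (O20), and derives the
reversed-name companion file that the quoted VundoFix instructions ask for.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample log. The geeby.dll lines are the ones quoted in the
# post; the "Example" entries and their CLSID are made-up benign filler.
SAMPLE_HJT_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeby.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\update.exe
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
""".strip()

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (bho_entries, notify_entries) as lists of dicts from an HJT log."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = _O2.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = _O20.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def reversed_companion(dll_path):
    """Glob for the hidden companion: same directory, file stem reversed, any extension."""
    p = PureWindowsPath(dll_path)
    return f"{p.parent}\\{p.stem[::-1]}.*"


def find_vundo_candidates(text):
    """DLLs in system32 registered both as a BHO and as a Winlogon Notify handler."""
    bhos, notifies = parse_hjt(text)
    notify_by_path = {n["path"].lower(): n for n in notifies}
    candidates = []
    for b in bhos:
        path = b["path"]
        notify = notify_by_path.get(path.lower())
        # A legitimate BHO is almost never also a Winlogon Notify package;
        # the pairing plus a system32 location is the tell this fix relies on.
        if notify is None or "\\system32\\" not in path.lower():
            continue
        candidates.append({
            "dll": path,                                  # first VundoFix prompt
            "companion_glob": reversed_companion(path),   # second VundoFix prompt
            "hjt_lines": [                                # what to tick in HijackThis
                f"O2 - BHO: {b['name']} - {b['clsid']} - {path}",
                f"O20 - Winlogon Notify: {notify['name']} - {path}",
            ],
        })
    return candidates


if __name__ == "__main__":
    for c in find_vundo_candidates(SAMPLE_HJT_LOG):
        print("first path :", c["dll"])
        print("second path:", c["companion_glob"])
        for line in c["hjt_lines"]:
            print("fix checked:", line)
```

Paste the text of a fresh hijackthis.log in place of the sample and the output is exactly what the VundoFix prompts and the HijackThis "FIX CHECKED" step want. Note the caveat from the thread still applies: the DLL name differs per machine, and the companion file is hidden, so Explorer must be set to show hidden and protected files before you go looking for it.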
  7. Jim Watt

    Jim Byrd Guest

    Hi Jim - While there are situations in which flattening the computer is a
    reasonable approach to ending a malware infestation, Winfixer isn't, IMO,
    one of these.


    Seven approaches to removing Winfixer (Vundo). Not all will work on all
    variants. It's suggested that you try them in this order.

    1 - Feedback from users reports that the Removal Tool here is the most
    effective against what is currently the most common variety of this
    'malware':
    http://forums.mcafeehelp.com/viewtopic.php?t=57049



    2 - Symantec has a new Vundo remover:
    http://securityresponse.symantec.com/avcenter/FixVundo.exe
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
    http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



    3 - Courtesy of Dave Lipman:

    "Download WinFixerFix.exe from the URL --
    http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


    On the infected PC...

    Execute; WinFixerFix.exe { Note: You must accept the default of
    C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
    through your FireWall to enable WGET.EXE to download the needed McAfee
    related files.

    Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in
    c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be
    generated. At the end of the scan, it will be displayed in your browser
    (Opera, FireFox or Internet Explorer). It is suggested that you move the
    report out of c:\mcafee before performing another scan. It would be a good
    idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session."



    4 - McAfee has a combined automated/manual removal procedure here:
    http://vil.nai.com/vil/content/v_127690.htm



    5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

    "Atribune, a guy in the forums, has a Vundo fix tool as well:

    Instructions for use by user as posted in the SpywareWarrior forum:

    'Please download VundoFix.exe to your desktop. Here's a link:

    http://www.atribune.org/downloads/VundoFix.exe

    Double-click VundoFix.exe to extract the files
    This will create a VundoFix folder on your desktop.
    After the files are extracted, please restart your computer into Safe Mode.

    Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

    A command window will open and it should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk

    At this point press enter one time.

    Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, to continue with the fix.


    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\geeby.dll

    Press Enter.

    Next you will see:

    Please type in the second filepath as instructed by the forum staff

    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\ybeeg.*

    Press Enter to continue.

    The fix will run then HijackThis will open.
    In HijackThis, please place a check next to the following items and click
    FIX CHECKED:


    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
    C:\WINDOWS\system32\geeby.dll
    O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

    After you have fixed these items, close Hijackthis.

    The fix will tell you to shutdown using the Power button. Hold in your power
    button until the computer shuts down. Wait about 15 seconds and then restart
    the computer into regular windows.

    Chkdsk will run. This is normal. It will take a few minutes and is checking
    your file system because of the Bad Shutdown we caused.

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Allow them to clean

    Panda will have the option to create a log after the scan has finished.
    Click
    the See Report button. Then click the save Report button. It will be saved
    under the name activescan.txt Do that and post that log into your next reply
    here.

    Run hijackthis and post the new log and the vundofix.txt file from the
    vundofix folder into as well.'

    The forum helpers have reported this fix from Atribune works. I don't know
    about the Symantec tool.

    If you'd like to join Spyware Warrior, you could see the thread where the
    helpers are discussing this.

    Suzi"


    Note: Here's some added info relative to the above courtesy of MVP Steve
    Wechsler (akaMowGreen):

    "the .dll's file name :

    C:\WINDOWS\system32\geeby.dll

    will be different on different systems. What you can do to identify it
    is to scan the system with HijackThis and look at the O2 BHO and/or O20
    Winlogon entries to find out it's name. Close all other programs and
    browsers prior to scanning with HJT. REMEMBER that there is a hidden file
    that will have the name of the .dll spelled backwards. Enter that name when
    the VundoFix requests the path to the second file.



    6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
    that can be used if the recommended method fails :
    http://www.bleepingcomputer.com/forums/topic18610.html"




    7 - Courtesy of S.Sengupta[MS-MVP]

    Download VirtumundoBegone and save it to your desktop.

    VirtumundoBegone
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    Run that application after booting into safe mode.





    Here's the HijackThis info you may need:

    Download HijackThis, free, here:
    http://www.merijn.org/files/hijackthis.zip (Always download a new
    fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
    You may also get it here if that link is blocked:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

    There's a good "How-to-Use" tutorial here:
    http://computercops.biz/HijackThis.html

    In Windows Explorer, click on Tools|Folder Options|View and check "Show
    hidden files and folders" and uncheck "Hide protected operating system
    files". (You may want to restore these when you're all finished with
    HijackThis.)

    Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
    at the root level such as C:\HijackThis (NOT in a Temp folder or on your
    Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
    when it's finished which will create hijackthis.log. Now click the Config
    button, then Misc Tools and click on Generate StartupList.log which will
    create Startuplist.txt


    Then go to one of the following forums:

    Spyware and Hijackware Removal Support, here:
    http://forums.spywareinfo.com/
    or Jim Eshelman's site here: http://forum.aumha.org/
    or Bleepingcomputer here: http://www.bleepingcomputer.com/
    or Computer Cops here: http://www.computercops.biz/forums.html
    or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
    or Net-Integration here: http://net-integration.us/forums/index.php

    Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
    of the particular site's HiJackThis forum, then copy and paste both files
    into a message asking for assistance. Someone will answer with detailed
    instructions for the removal of your parasite(s). Be sure you include at
    the beginning of your post a description of "What specific
    problem(s)/symptoms you're trying to solve" and "What steps you've already
    taken."




    *******
    ONLY IF you've successfully eliminated the malware, you can now make a new,
    clean Restore Point and delete any previously saved (possibly infected)
    ones. The following suggested approach is courtesy of Gary Woodruff: For XP
    you can run a Disk Cleanup cycle and then look in the More Options tab. The
    System Restore option removes all but the latest Restore Point. If there
    hasn't been one made since the system was cleaned you should manually create
    one before dumping the old possibly infected ones.
    *******


    You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    especially since MS will apparently no longer be distributing Java or
    providing any support for Java including security fixes after Dec 31, 2007.
    BE SURE that you uninstall any prior versions of Sun Java as some,
    specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    us.


    When you get things cleaned up, take a look at my Blog, Defending Your
    Machine, addy in my Signature below, for some additional curative and
    preventive measures you might want to implement to help prevent this type of
    thing in the future.

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Jim Watt" <_way> wrote in message
    news:
    > On Mon, 19 Dec 2005 16:28:06 GMT, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:
    >
    >> * * * Please report back your results * * *

    >
    > I went directly to phase 2.
    >
    > Summary report on C:\*.*
    > File(s)
    > Total files: ........... 431385
    > Clean: ................. 429763
    > Possibly Infected: ..... 354
    > Cleaned: ............... 0
    > Deleted: ............... 104
    > Non-critical Error(s): 3
    > Master Boot Record(s): ......... 1
    > Possibly Infected: ..... 0
    > Boot Sector(s): ................ 1
    > Possibly Infected: ..... 0
    >
    > Most of these come down to a couple of directories with raw email
    > messages containing a number of real viruses (usual suspects, Bagle,
    > MyDoom, Sober etc.)
    >
    > The scanner removed a few things I would rather it had not, and I may
    > put them back from the backups. Unfortunately if one takes an interest in
    > getting rid of bad things it's necessary to have them to hand.
    >
    > What went down of note:
    >
    > toolbar_uninstall.exe ... Found the Swizzor.gen trojan !!!
    > This was the program to remove LOP which seemed to do
    > the trick nicely. I suspect it's a false positive.
    >
    > UNABOMB.EXE ... Found the Spam-UnaBomber trojan !!!
    > No, it's not a trojan. Maybe antisocial and infrequently used.
    >
    > desktop.exe ... Found the W32/Danshbot.worm virus !!!
    > It was there for research purposes, being a bit of crap found on a
    > client's machine.
    >
    > WEBCRACK.EXE ... Found potentially unwanted program WebCracker.sfx
    > sounds judgemental to me, there again it wasn't very good.
    >
    > C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe ... Found
    > potentially unwanted program Generic PUP.a.
    > Dunno about that, I was using that as a TFTP server to update my SIP
    > phones occasionally.
    >
    > nimda.txt ... Found the Exploit-MIME.gen virus !!!
    > Hmmm, I wrote that file, so it's a false positive.
    >
    > w00t.exe ... Found the MultiDropper-JG trojan !!!
    > Yeah, I found that on a client's machine and was researching it.
    >
    > C:\WINNT\Downloaded Program
    > Files\CONFLICT.1\UWFX5_0001_N57M2811NetInstaller.exe ... Found
    > potentially unwanted program Winfixer. The file or process has been
    > deleted.
    >
    > Ah, it was in there, or at least its installer was.
    >
    > C:\WINNT\system32\tmksrvu.exe ... Found potentially unwanted program
    > Adware-XPlugin.
    > Hmmm, WTF is that and what's it a do-in there! Google: tmksrvu.exe is
    > a file extension related to CoolWebSearch. aggghhh! uncool.
    >
    > eudpass.com ... Found potentially unwanted program HTool/pwd
    > Bugger, that one is an occasionally useful password recovery tool.
    >
    > -----
    >
    > Maybe it's time to get a thin client machine to surf the web, and a
    > separate machine for malware research.
     
    Jim Byrd, Dec 20, 2005
    #7
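    The advice above is to read the O2 BHO and O20 Winlogon Notify lines of a HijackThis log to find the Vundo DLL, then hand VundoFix the hidden companion whose name is the DLL's name spelled backwards. The script below does that triage on the saved log text, and also lists O4 Run entries that launch from "Downloaded Program Files", where the WinFixer NetInstaller in this thread was found. It is an added example, not code from the thread or from HijackThis; the sample log is constructed, and the CLSIDs and the "ExampleHelper"/"ExampleInstaller" names are placeholders. It only reads text and changes nothing on the system.

```python
"""Triage a HijackThis log for the Vundo/WinFixer tells described in the thread.

Added example, not part of the original thread and not HijackThis code. It only
reads log text: nothing here touches the registry or deletes files, so it is
safe to run against any saved hijackthis.log.
"""
import re
import sys
from pathlib import PureWindowsPath

# Constructed sample log in HijackThis' line format. The CLSIDs and the
# ExampleHelper / ExampleInstaller names are placeholders; geeby.dll and the
# NetInstaller path are the file names mentioned in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: ExampleHelper - {11111111-1111-1111-1111-111111111111} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\geeby.dll
O4 - HKLM\\..\\Run: [ExampleInstaller] "C:\\WINNT\\Downloaded Program Files\\CONFLICT.1\\UWFX5_0001_N57M2811NetInstaller.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: geeby - C:\\WINDOWS\\system32\\geeby.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def entries(log_text):
    """Yield the stripped 'Oxx - ...' lines of a log, skipping everything else."""
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"^O\d+ - ", line):
            yield line


def reversed_twin(dll_path):
    """Vundo keeps a hidden companion file whose base name is the DLL's name
    spelled backwards, in the same directory: geeby.dll -> ybeeg.dll."""
    p = PureWindowsPath(dll_path)
    return str(p.with_name(p.stem[::-1] + p.suffix))


def suspect_dlls(log_text):
    """Map each suspicious BHO/Winlogon DLL to the path of its reversed-name twin.

    A DLL is flagged when a Winlogon Notify (O20) entry loads it, or when its
    BHO (O2) entry carries no name; those are the two entries the thread says to
    look at. Legitimate software normally has a named BHO and no Winlogon hook.
    """
    bho = {}            # dll path -> BHO display name
    winlogon = set()    # dll paths loaded via Winlogon Notify
    for line in entries(log_text):
        if m := O2_RE.match(line):
            bho[m["path"]] = m["name"]
        elif m := O20_RE.match(line):
            winlogon.add(m["path"])
    flagged = {p for p, name in bho.items() if name.strip() == "(no name)"} | winlogon
    return {p: reversed_twin(p) for p in sorted(flagged)}


def downloaded_program_files_runs(log_text):
    """Return (entry name, command) for O4 Run entries that launch something out
    of 'Downloaded Program Files', the IE ActiveX download cache where the
    WinFixer NetInstaller in this thread turned up."""
    hits = []
    for line in entries(log_text):
        m = O4_RE.match(line)
        if m and "downloaded program files" in m["cmd"].lower():
            hits.append((m["name"], m["cmd"]))
    return hits


if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (no argument: the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for dll, twin in suspect_dlls(text).items():
        print(f"suspect DLL: {dll}\n  hidden twin to give VundoFix: {twin}")
    for name, cmd in downloaded_program_files_runs(text):
        print(f"Run entry [{name}] launches from Downloaded Program Files: {cmd}")
```

    The reversed-name rule is exactly the one Steve Wechsler describes; the "(no name)" BHO heuristic is the example's own, so treat its output as a list of things to check, not a verdict.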
  8. Jim Watt

    Donnie Guest

    "Jim Watt" <_way> wrote in message
    news:...
    > Whilst browsing the web, not I might add on porn a site,
    > got a pop up telling me of the evils that may lurk in my
    > PC and that downloading Winfixer would cure them.
    >

    ##################################
    I've been using the custom security setting in IE and stopping just about
    all scripting that can be run in the browser. I never get any pop ups.
    You've been around a long time. I'm surprised you don't do that.
    donnie
     
    Donnie, Dec 20, 2005
    #8
  9. Jim Watt

    Jim Watt Guest

    On Tue, 20 Dec 2005 01:54:34 GMT, "Donnie" <>
    wrote:

    >
    >"Jim Watt" <_way> wrote in message
    >news:...
    >> Whilst browsing the web, not I might add on porn a site,
    >> got a pop up telling me of the evils that may lurk in my
    >> PC and that downloading Winfixer would cure them.
    >>

    >##################################
    >I've been using the custom security setting in IE and stopping just about
    >all scripting that can be run in the browser. I never get any pop ups.
    >You've been around a long time. I'm surprised you don't do that.


    I do. Part of the reason for remarking on this exploit is that it's
    the first to sneak through.

    However, I do use Java and JavaScript a lot so I can't disable those,
    although methinks this was down to ActiveX.

    As a good bit of income now comes from developing websites,
    I need to use IE to view the things; however, other work will now
    go Firefox.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 20, 2005
    #9
  10. Jim Watt

    Jim Watt Guest

    On Tue, 20 Dec 2005 01:44:44 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >| C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe ... Found
    >| potentially unwanted program Generic PUP.a.
    >| Dunno about that, I was using that as a TFTP server to update my SIP
    >| phones occasionally.
    >
    >
    >That's a False Positive for sure !


    Yeah, and I got it from their site. But it can be installed again.

    >| nimda.txt ... Found the Exploit-MIME.gen virus !!!
    >| Hmmm I wrote that file, so its a false positive.


    >I wonder what it focused in on.


    It was part of my virus spotting site, which I stopped updating, so it is
    not currently online, so I need to reach for the DVD backup to find out.
    It was a text description of Nimda and what to do to remove it.

    >Some tools while not malicious in themselves can be used in malicious processes. The
    >McAfee scanner was set to use the "/program" switch and is aggressive in its scans.


    Not complaining, it got rid of a lot of crap that was cluttering up
    the disk.

    I turned to the LOP uninstaller because nothing else would shift it off
    a client's machine. It seemed to do the business very well and there
    were no noticeable after effects. It asks for a security code to
    prevent it being used automatically. Not bad in a very small
    executable. I'd like to be able to generate .gif files like that
    easily in Perl but it seems to be a messy business.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 20, 2005
    #10
  11. Jim Watt

    Jim Byrd Guest

    Hi Jim - Did you note this from my previous post?

    You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    especially since MS will apparently no longer be distributing Java or
    providing any support for Java including security fixes after Dec 31, 2007.
    BE SURE that you uninstall any prior versions of Sun Java as some,
    specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    us.


    Currently an investigation by some MVPs has led us to strongly suspect that
    a flaw in Sun JRE v.1.4.2_03 is being exploited by Winfixer **** even if a
    different, later Java version is being used as long as _03 is present on the
    machine *****.


    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Jim Watt" <_way> wrote in message
    news:
    > On Tue, 20 Dec 2005 01:54:34 GMT, "Donnie" <>
    > wrote:
    >
    >>
    >> "Jim Watt" <_way> wrote in message
    >> news:...
    >>> Whilst browsing the web, not I might add on porn a site,
    >>> got a pop up telling me of the evils that may lurk in my
    >>> PC and that downloading Winfixer would cure them.
    >>>

    >> ##################################
    >> I've been using the custom security setting in IE and stopping just about
    >> all scripting that can be run in the browser. I never get any pop ups.
    >> You've been around a long time. I'm surprised you don't do that.

    >
    > I do. Part of the reason for remarking on this exploit is that it's
    > the first to sneak through.
    >
    > However, I do use Java and JavaScript a lot so I can't disable those,
    > although methinks this was down to ActiveX.
    >
    > As a good bit of income now comes from developing websites,
    > I need to use IE to view the things; however, other work will now
    > go Firefox.
     
    Jim Byrd, Dec 20, 2005
    #11
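    Jim Byrd's advice above boils down to a check anyone can script: list every Sun JRE on the box, flag 1.4.2_03 wherever it appears (the point of his note is that the old version is abused even when a newer JRE is the default), and flag anything older than J2SE 5.0 for removal. The script below is an added example, not something from the thread or from Sun; the version parser and the "what to flag" policy are the example's own, and the registry location is the JavaSoft key Sun's Windows installers write one subkey per version under. Off Windows, or when given versions on the command line, it just assesses the strings you hand it.

```python
"""Check installed Sun JRE versions against the advice in the thread: flag
JRE 1.4.2_03 (suspected of being exploited by WinFixer/Vundo even when a newer
JRE is also installed) and anything older than J2SE 5.0 (1.5.0).

Added example, not from the thread. The version parser and the policy are the
example's own; the registry key is the one Sun's Windows installers use
(HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment, one subkey per version).
"""
import re
import sys

KNOWN_EXPLOITED = {"1.4.2_03"}   # the version the thread names
MINIMUM_OK = (1, 5, 0, 0)        # J2SE 5.0 is JRE 1.5.0

# Full version strings only ("1.4.2_03", "1.4.2-03", "1.5.0_06", "1.4.2");
# family keys such as "1.4" are deliberately not matched.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[_\-](\d+))?$")


def parse_version(text):
    """'1.4.2_03' or '1.4.2-03' (both spellings appear in the thread) -> (1, 4, 2, 3).
    Returns None for family keys like '1.4' or anything that is not a full version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def canonical(text):
    """Normalise to Sun's 'a.b.c_dd' spelling so 1.4.2-03 matches 1.4.2_03."""
    v = parse_version(text)
    return None if v is None else f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def assess(versions):
    """Return [(version as given, verdict)] in input order.

    The known-exploited check runs against every installed version, not just the
    default one, because the thread's finding is that _03 is abused as long as it
    is present on the machine at all."""
    out = []
    for text in versions:
        v = parse_version(text)
        if v is None:
            out.append((text, "skip: not a full version string"))
        elif canonical(text) in KNOWN_EXPLOITED:
            out.append((text, "remove: known-exploited 1.4.2_03"))
        elif v < MINIMUM_OK:
            out.append((text, "remove: older than J2SE 5.0"))
        else:
            out.append((text, "ok"))
    return out


def needs_action(versions):
    """True if any installed version should be uninstalled."""
    return any(verdict.startswith("remove") for _, verdict in assess(versions))


def installed_jre_versions():
    """Enumerate JRE version subkeys from the registry (Windows only).
    Both registry views are read so a 32-bit JRE on 64-bit Windows is not missed."""
    import winreg  # only available on Windows
    base = r"SOFTWARE\JavaSoft\Java Runtime Environment"
    found = set()
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name = winreg.EnumKey(key, i)
                except OSError:
                    break
                if parse_version(name) is not None:
                    found.add(name)
                i += 1
    return sorted(found)


if __name__ == "__main__":
    # Usage: python jre_check.py [version ...]; with no arguments it reads the
    # registry on Windows and, elsewhere, runs on a constructed sample list.
    if len(sys.argv) > 1:
        versions = sys.argv[1:]
    elif sys.platform == "win32":
        versions = installed_jre_versions()
    else:
        versions = ["1.5.0_06", "1.4.2_03"]  # constructed sample
    for text, verdict in assess(versions):
        print(f"{text:12} {verdict}")
    sys.exit(1 if needs_action(versions) else 0)
```

    The exit status makes it usable from a logon script or an inventory job: a non-zero exit means at least one JRE on the machine should be uninstalled before anything else is trusted.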
  12. From: "Jim Byrd" <>

    | Hi Jim - Did you note this from my previous post?
    |
    | You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    | here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    | especially since MS will apparently no longer be distributing Java or
    | providing any support for Java including security fixes after Dec 31, 2007.
    | BE SURE that you uninstall any prior versions of Sun Java as some,
    | specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    | notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    | version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    | us.
    |
    | Currently an investigation by some MVPs has led us to strongly suspect that
    | a flaw in Sun JRE v.1.4.2_03 is being exploited by Winfixer **** even if a
    | different, later Java version is being used as long as _03 is present on the
    | machine *****.
    |

    I'd be interested in learning the findings of the MVP community in regards to the JRE
    v1.4.2-03 exploitation possibility once discerned.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Dec 20, 2005
    #12
  13. Jim Watt

    Jim Byrd Guest

    Ans by email.

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:AQWpf.11028$CL.4372@trnddc04
    > From: "Jim Byrd" <>
    >
    >> Hi Jim - Did you note this from my previous post?
    >>
    >> You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    >> here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    >> especially since MS will apparently no longer be distributing Java or
    >> providing any support for Java including security fixes after Dec 31, 2007.
    >> BE SURE that you uninstall any prior versions of Sun Java as some,
    >> specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    >> notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    >> version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    >> us.
    >>
    >> Currently an investigation by some MVPs has led us to strongly suspect that
    >> a flaw in Sun JRE v.1.4.2_03 is being exploited by Winfixer **** even if a
    >> different, later Java version is being used as long as _03 is present on the
    >> machine *****.
    >>
    >
    > I'd be interested in learning the findings of the MVP community in regards to the
    > JRE v1.4.2-03 exploitation possibility once discerned.
     
    Jim Byrd, Dec 20, 2005
    #13
  14. David H. Lipman, Dec 20, 2005
    #14
  15. Jim Watt

    Jim Byrd Guest

    Hi David - You should have it now - I forgot to de-mung your addy the first
    time. :)

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:jfZpf.11075$CL.10713@trnddc04
    > From: "Jim Byrd" <>
    >
    >> Ans by email.
    >>

    >
    > None received yet :-(
     
    Jim Byrd, Dec 20, 2005
    #15
  16. David H. Lipman, Dec 20, 2005
    #16
  17. Jim Watt

    Jim Byrd Guest

    YW, Sir!

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:FAZpf.25830$aU4.25112@trnddc06
    > From: "Jim Byrd" <>
    >
    >> Hi David - You should have it now - I forgot to de-mung your addy the first
    >> time. :)
    >>

    >
    > Got it and forwarded data request.
    >
    > Thank You Jim !
     
    Jim Byrd, Dec 20, 2005
    #17
  18. "Jim Byrd" <> wrote in message
    news:...
    > Ans by email.
    >
    > --
    > Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    > My Blog, Defending Your Machine, here:
    > http://DefendingYourMachine.blogspot.com/


    <Snip>

    Would appreciate similar, if either party has the time..

    i.dislike.nosey.people <at> ntlworld.com (cough) guess the throwaway address
    ;o)

    (I'm at least partially interested in everyone else's experience when
    reporting bugs to Sun. We still have a "biggie" from 1997 :o(

    Thanx

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Dec 21, 2005
    #18
  19. Jim Watt

    Jim Watt Guest

    On Tue, 20 Dec 2005 08:56:34 -0800, "Jim Byrd"
    <> wrote:

    >Hi Jim - Did you note this from my previous post?


    I seem to recall installing some version of Sun Java on
    this machine, errr, how does one check what's on?
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 21, 2005
    #19
  20. Jim Watt

    Donnie Guest

    "Jim Watt" <_way> wrote in message
    news:...
    > On Tue, 20 Dec 2005 01:54:34 GMT, "Donnie" <>
    > wrote:
    >
    > >
    > >"Jim Watt" <_way> wrote in message
    > >news:...
    > >> Whilst browsing the web, not I might add on porn a site,
    > >> got a pop up telling me of the evils that may lurk in my
    > >> PC and that downloading Winfixer would cure them.
    > >>

    > >##################################
    > >I've been using the custom security setting in IE and stopping just about
    > >all scripting that can be run in the browser. I never get any pop ups.
    > >You've been around a long time. I'm surprised you don't do that.

    >
    > I do. Part of the reason for remarking on this exploit is that it's
    > the first to sneak through.
    >
    > However, I do use Java and JavaScript a lot so I can't disable those,
    > although methinks this was down to ActiveX.
    >
    > As a good bit of income now comes from developing websites,
    > I need to use IE to view the things; however, other work will now
    > go Firefox.
    > --
    > Jim Watt
    > http://www.gibnet.com

    ############################
    I choose the prompt option. I know it can be a pain in the butt with the
    constant dialog box asking if I want to run scripts or not but it sure has
    served me well. That goes for ActiveX as well as java scripting and the
    rest.
    donnie.
     
    Donnie, Dec 21, 2005
    #20
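    Donnie's setting is the Internet zone's per-action values under IE's custom security level: Prompt for scripting and ActiveX instead of the silent Enable. Those choices live in the registry as numbered URL-action values (0 = Enable, 1 = Prompt, 3 = Disable) under the current user's Zones\3 key, so they can be audited without clicking through the dialog. The script below is an added example, not from the thread or from Microsoft: the action IDs are the documented IE ones, but the rule for what counts as weak (the two "unsafe" ActiveX actions must be Disable, nothing may be a silent Enable) is the example's own policy and deliberately matches Donnie's prompt-everything approach rather than any IE default. The WEAK_ZONE sample is constructed.

```python
"""Audit the Internet zone's ActiveX and scripting actions the way Donnie's
"prompt" setting does, and show the weak values next to a hardened set.

Added example, not from the thread. Action IDs are the documented IE URL-action
values stored under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet
Settings\\Zones\\3 (zone 3 = Internet); 0 = Enable, 1 = Prompt, 3 = Disable.
The policy (what counts as weak) is the example's own, not an IE default.
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3

ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}

# The two actions this example insists on disabling outright; every other
# action may be Prompt (Donnie's choice) or Disable, but never a silent Enable.
MUST_DISABLE = {"1004", "1201"}

# Constructed sample of a zone where almost everything runs without asking.
WEAK_ZONE = {"1001": PROMPT, "1004": ENABLE, "1200": ENABLE, "1201": ENABLE, "1400": ENABLE}


def audit(zone):
    """Return findings as (action id, description, current value, required value).
    Actions absent from `zone` are not judged: IE then uses the zone template."""
    findings = []
    for action, desc in ACTIONS.items():
        current = zone.get(action)
        if current is None:
            continue
        if action in MUST_DISABLE and current != DISABLE:
            findings.append((action, desc, current, DISABLE))
        elif current == ENABLE:
            findings.append((action, desc, current, PROMPT))
    return findings


def hardened(zone):
    """Copy of `zone` with every weak action raised to the value audit() asks for."""
    fixed = dict(zone)
    for action, _, _, required in audit(zone):
        fixed[action] = required
    return fixed


def read_internet_zone():
    """Read the current user's Internet-zone values (Windows only; uses winreg)."""
    import winreg  # only available on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    zone = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for action in ACTIONS:
            try:
                value, _ = winreg.QueryValueEx(key, action)
                zone[action] = int(value)
            except FileNotFoundError:
                pass  # not set per-user: the zone template applies
    return zone


if __name__ == "__main__":
    import sys
    zone = read_internet_zone() if sys.platform == "win32" else WEAK_ZONE
    names = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
    for action, desc, current, required in audit(zone):
        print(f"{action} {desc}: {names.get(current, current)} -> should be {names[required]}")
    if not audit(zone):
        print("Internet zone meets this example's policy.")
```

    The script only reads; applying the hardened values is a job for the Internet Options dialog or Group Policy, where the change is recorded and survives IE resetting the zone.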