WinAntiVirus Pro

Discussion in 'Malware Help (A Specialist Will Reply)' started by JAFO, Sep 4, 2005.

  1. JAFO

    JAFO Private E-2

    A couple of days ago I received a popup (which alone is rare) of WinAntiVirus Pro. Thinking it was related to Microsoft I initially gave the ok to download it, then decided not to and cancelled it. Ever since then I've been getting pop ups on my screen (one popup for every 5 screens opened). I cannot find how to get rid of it. I've gone into safe mode and ran CCleaner, a-squared, MS Anti-Spyware and none of them can get rid of the problem. I use the Google toolbar which usually is very good about getting rid of popups, just not this one. Some of the domains that pop up are: amxtravel.com, treemonster.com, winantispyware.com, search.starware.com, starware.com, just to name a few. I've added all of the popup sites to my restricted sites, but that doesn't stop them from popping up.

    Has anyone come across this problem and if so, how have they gotten rid of it?

    Thanks in advance for your help!
    JAFO
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. JAFO

    JAFO Private E-2

    Thanks for the help. Since running your list of items to remove the problem, I have not been able to replicate the problem.

    Many Thanks!

    Andrew
    (aka JAFO)
    :)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If it happens to come back, just complete the rest of the steps and post a HijackThis log attachment.
     
  5. JAFO

    JAFO Private E-2

    It has happened again. I did the full scan requested at: http://forums.majorgeeks.com/showthread.php?t=35407 (the READ ME FIRST thread). Here is a copy of my HijackThis log.

    JAFO
    (Andrew)

    Log to follow:

    Edit by chaslang: Inline, safe mode log removed
     
    Last edited by a moderator: Sep 21, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Logs must be posted from normal boot mode and they must be attachments! Do not post them inline. Please read the stickies and follow instructions.

    Also look in Add/Remove programs for WildTangent and uninstall if found.

    Also have HJT fix the below lines and then boot into safe mode and delete the c:\winnt\system32\lshosts32.exe file:
    O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
    O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe

    You have a Virtumundo problem (some people call this form WinFixer). We can fix it after you get a proper log attachment posted from normal boot mode. But do the above steps first.
     
  7. JAFO

    JAFO Private E-2

    Sorry for the confusion on my part. Here's the attachment.

    By the way, you asked that I delete the Wild Tangent file. Isn't that a file from AOL IM and/or Pogo.com? Having deleted it, will those programs work in the future or will I need to download them again (causing another hijack)?

    Thanks,
    Andrew
    (JAFO)
     
    Last edited: May 1, 2006
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, WildTangent may get installed on your PC due to AOL software. But most people do not need it or want it. It is not needed to use AIM. I don't think Pogo uses it at all. See: http://www.liutilities.com/products/wintaskspro/processlibrary/GameDrvr/

    Use Add/Remove programs to uninstall WeatherBug.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINNT\msagent\chars\msmfc.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINNT\msagent\chars\cfmsm.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\msagent\chars\msmfc.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
    O15 - Trusted Zone: http://www.ais.honeywell.com
    O15 - Trusted Zone: http://www.wachovia.com
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/ea/needforspeed/install.cab
    O20 - Winlogon Notify: msmfc - C:\WINNT\msagent\chars\msmfc.dll

    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • After reboot look for the below process to be running and if it is, kill it and delete the file:
    C:\Documents and Settings\Owner\Local Settings\Temp\bwgo0000d438.exe

    • Now please attach a new HJT log from normal mode.
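As an added defender's example (not part of this thread and not HijackThis code), a small Python triage script that parses HijackThis log lines like those quoted in posts 6 and 8 and flags the patterns chaslang acted on: an O4 autorun entry named after the LSASS system process, a DLL registered both as a BHO (O2) and as a Winlogon Notify handler (O20) from outside system32, orphaned "(no file)" BHOs, and O15 Trusted Zone entries. The sample log is constructed from the lines quoted in the thread; the heuristics are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: HijackThis entries as quoted in this thread (posts 6 and 8).
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\msagent\chars\msmfc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O15 - Trusted Zone: http://www.wachovia.com
O20 - Winlogon Notify: msmfc - C:\WINNT\msagent\chars\msmfc.dll
""".strip()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                        # "O4 - <body>"
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)$")     # "HKLM\..\Run: [name] image"

def parse(log_text):
    """Return (section, body) for every HijackThis entry line; other lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(log_text):
    """Flag entries matching the patterns the helper acted on; returns (section, reason, detail)."""
    entries = parse(log_text)
    findings, notify_dlls = [], set()
    # Pass 1: Winlogon Notify handlers (O20). Legitimate ones live in system32; the Vundo
    # DLL in this thread was registered from C:\WINNT\msagent\chars (heuristic, my assumption).
    for sec, body in entries:
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            dll = body.rsplit(" - ", 1)[-1].strip()
            notify_dlls.add(dll.lower())
            if "\\system32\\" not in dll.lower():
                findings.append((sec, "Winlogon Notify DLL outside system32", dll))
    # Pass 2: the rest, correlating BHO DLLs (O2) against the Notify handlers found above.
    for sec, body in entries:
        if sec == "O2":
            dll = body.rsplit(" - ", 1)[-1].strip()
            if dll == "(no file)":
                findings.append((sec, "orphaned BHO with no file on disk", body))
            elif dll.lower() in notify_dlls:
                findings.append((sec, "BHO DLL also registered as Winlogon Notify handler", dll))
        elif sec == "O4":
            m = O4_RE.match(body)
            # The real LSASS is started by the system, never from a Run/RunServices key.
            if m and "lsass" in m.group(1).lower():
                findings.append((sec, "autorun entry named after the LSASS system process", body))
        elif sec == "O15":
            findings.append((sec, "Trusted Zone entry; confirm it is intended", body))
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the six sample entries; the legitimate WeatherBug O4 line is left alone, which is the point of correlating rather than flagging every autorun.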
     
  9. JAFO

    JAFO Private E-2

    The only problem with the line by line fixing was that the following line:

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    did not appear in Safe Mode while running HijackThis, but only in Normal Mode. I can fix it only in normal mode.

    Also, the following threads (brief description only) were not in the first scan in Safe Mode:
    O2 - BHO: MSEvents
    O4 - HKCU Weather
    O15 - zone Honeywell
    O15 - zone Wachovia


    Attached is the new log.

    Thanks,
    JAFO
     
    Last edited: May 1, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So I assume you had to fix all the other entries in normal boot mode??? I still see some of them in your log! Like the O4 BackWeb-8876480.exe line and the O15 lines.

    You should also look in Add/Remove programs for WildTangent and uninstall it if found.

    That strange file name at the end of the procedure has morphed:

    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0000bae3.exe

    Do you see this file right now? Kill that process and delete ALL files in this Temp folder.

    I believe this file may be part of F-Secure Backweb Temporary Files. See http://www.liutilities.com/products/wintaskspro/processlibrary/bwgo0000/
     
    Last edited: Sep 22, 2005
  11. JAFO

    JAFO Private E-2

    The file:

    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0000bae3.exe

    cannot be deleted. I'm prompted with a popup saying it may be in use or is write protected. I also cannot delete: ~DF6FFB.tmp file located in that temp file of items you told me to delete for the same reasons.

    JAFO
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must stop the process (bwgo0000bae3.exe) first before trying to delete it.

    That other file is typical. Windows puts a couple files there at each boot that it is normally using at the time. The one you mention is probably from today.

    Did you fix the other items yet?
     
  13. JAFO

    JAFO Private E-2

    The other items have been fixed. How do I stop the process of bwgo0000bae3.exe?

    JAFO
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0000bae3.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O15 - Trusted Zone: http://www.ais.honeywell.com
    O15 - Trusted Zone: http://www.wachovia.com

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WildTangent
    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0000bae3.exe <--- or similar

    Now reboot normal mode and post a new HJT log.
     
  15. JAFO

    JAFO Private E-2

    Here's the new log. The wild tangent file was not there b/c you had me uninstall from the add/remove programs icon previously.


    JAFO
     
    Last edited: May 1, 2006
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you're clean now. How are things running? Any more malware problems?
     
  17. JAFO

    JAFO Private E-2

    Sorry for the delay in getting back to you. I wanted to be 100% sure I wasn't going to have any more popups after that last phase of corrections. Since 9-23-05, no new popups have occurred. Thanks for your help!

    Many thanks!

    JAFO
    (Andrew)

    :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
