Winfixer and spyware detector popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by brenna, Oct 19, 2005.

  1. brenna

    brenna Private E-2

    I'm having problems with the WinFixer popups, and every time I start up my computer, some sort of 'spyware detector' program pops up. The kind where it scans and then asks you to register to remove the problems. I've attached a HijackThis file. I have Spybot Search & Destroy and Ad-Aware, but neither seems to be able to get rid of these. Please, what do I do?
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Proper procedures must be followed before posting HJT logs and it must be installed and run properly.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    Now download the new version of the Symantec Tool: Symantec Trojan.Vundo Removal Tool 1.3.1

    Make sure you follow the directions on the download page.

    You appear to have SpywareDetector installed. This is a rogue tool that should be uninstalled. See the info on it here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
  3. brenna

    brenna Private E-2

    Yes, I have followed this procedure, and am still getting the winfixer popups as well as various others.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Symantec tool has been updated to version 1.4 (clicking the same link I gave before will give the new version) and it does remove the problems if the directions for using it are followed. It must be run twice (with a reboot in between) and while no connection to the internet exists.

    Give it another try and make sure you boot into safe mode (you can use safe mode with networking) and disconnect your cable to the internet. Then run the new tool. Then immediately reboot and then run the tool again. Now reboot one more time but into normal mode, reconnect to the internet and post the results. Keep the logs from running the tool and let me know what they show.

    You should see something like message #12 of the following thread:

    http://forums.majorgeeks.com/showthread.php?t=75250
     
  5. brenna

    brenna Private E-2

    Okay, I ran the tool in safe mode with no internet connection, rebooted and ran it again, and I'm still getting WinFixer popups. I've attached the FixVundo.log file.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The tool did fix the infection (at least what I could find). So post a current HijackThis log and let's see what we still have hanging around that is causing these problems.
     
  7. brenna

    brenna Private E-2

    Here's a current hijackthis log.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the READ ME FIRST and in my first message to you I mentioned installing and running HijackThis properly. You did not follow those important instructions. You are running it from the ZIP file and you did not exit your browsers before running it. See the below lines from your log:

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    Leaving browsers open can block fixes and also makes it difficult for us because some malware will run iexplore.exe by itself. If you are running it, we cannot tell the difference. If you did close browsers and these are running on their own, excuse this comment and just tell me that from now on if you notice browsers running but you know you closed them.

    Running HJT like you are will prevent you from getting any backups of things we fix.
    Please correctly install HJT now before continuing and remember to exit browsers from now on before running HJT. This is covered in the directions I gave you.

    It also appears that you did not uninstall SpywareDetector per my previous message which said:
    Or did you have a problem trying to uninstall? Following directions is important in helping us to help you. So is providing proper feedback, so that questions like this may be unnecessary.

    After following the above, let's continue with your cleanup, which will still take a couple of steps because of what you still have installed right now.

    Go to Add/Remove Programs and uninstall any of the below if found:
    MySearch
    MySearchBar
    MyWay
    FreezeScreenSaver
    SpywareDetector
    or SpywareDetectorSVC or SpyDetectSVC or MonitorSD
    SDAutoLiveupdate
    trioService


    After this, reboot your PC and then attach a new HJT log so we can move on to the Vundo infection.
     
    Last edited: Oct 22, 2005
  9. brenna

    brenna Private E-2

    Okay, I went into add/remove, and deleted spyware detector, and mysearchbar. I've attached a new HJT log file.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No comments on FreezeScreenSaver or trioService? I need to know whether these were in Add/Remove Programs and you decided to keep them, or whether they are not in Add/Remove Programs and you could not uninstall them, etc.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to assume those other items were bad and could not be uninstalled.

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\sstqq.dll

    • Press Enter to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\qqtss.*

    • Press Enter to continue with the fix.
    • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstqq.dll
    O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
    O2 - BHO: Bho - {C648ECF7-E1FE-47ca-87F0-3B584FD631A3} - C:\WINDOWS\system32\bmrgbcej.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [trioService] "C:\PROGRA~1\Freeze.com\3D Falling Leaves\\trioService.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
    O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe (file missing)

    • After you have fixed these items, close Hijackthis.
    • Press enter to exit the program then manually reboot your computer.
    Once your machine reboots please attach a new HJT log from normal boot mode.

    Also locate and delete (if found) the below:
    C:\WINDOWS\system32\bmrgbcej.dll
    C:\Program Files\Freeze.com
    C:\WINDOWS\system32\FreezeScreenSaver.exe

    We will probably have some final cleanup work to do on the O23 service entry.
     
  12. brenna

    brenna Private E-2

    Sorry, I did not find any of those other items in add/remove programs.
     
  13. brenna

    brenna Private E-2

    Okay, I am attempting to start my computer in safe mode but seem to be having a lot of problems. After I press F8 to get to the advanced options menu, move to the safe mode option and press enter, it goes to a black screen with 'safe mode' written in all four corners, then it goes to the Windows screen and asks if I want to use the administrator user or the owner user. I click administrator, and have tried owner as well, which doesn't make a difference, but then it returns to the black screen with safe mode written in the corners. A window comes up, saying something about Windows is running in safe mode…would you like to continue? However, it comes up and disappears so fast that I cannot read it; it doesn't even let me answer the question. It's difficult for me to tell you exactly what it is asking. It has a 'yes' and 'no' option. After this point, my computer freezes at the black 'safe mode' screen and the only thing I can do is press Ctrl-Alt-Delete to restart my computer normally. It did this before, but somehow if I clicked one of the answers, either yes or no, fast enough it would start up in safe mode. It will no longer start up even if I manage to press one of the buttons, however.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try selecting safe mode with networking and then unplug (physically) your cable to the internet. Let me know if that works. Sometimes this does get your Desktop back.

    If not, I will give you another procedure to try. We have two other procedures. One is manual, which has always worked; the other is another somewhat automatic tool, but it needs a safe mode boot too.
     
  15. brenna

    brenna Private E-2

    Yes, this worked. I fixed all the items in HijackThis, except "O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstqq.dll", which I could not locate in the list. I have attached a new HijackThis log file.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is still in your log along with some of the other items. Hang on while I work up another fix. However, the Virtumundo problem is now inactive.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to FreezeScreenSaver. Then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    FreezeScreenSaver

    Now exit HJT and do not reboot if it asks you to do so. We will reboot further down.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstqq.dll (file missing)
    O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
    O2 - BHO: Bho - {C648ECF7-E1FE-47ca-87F0-3B584FD631A3} - C:\WINDOWS\system32\bmrgbcej.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [trioService] "C:\PROGRA~1\Freeze.com\3D Falling Leaves\\trioService.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Freeze.com <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  18. brenna

    brenna Private E-2

    The FreezeScreenSaver was already 'stopped' but I changed the startup type to disabled. Then after I fixed everything in HJT, I went into Program Files, but could not find a 'Freeze.com' folder. I'm still getting WinFixer popups, and have attached a new HJT file.
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because it reactivated itself because the previous cleanup was not complete due to your problems with booting in safe mode. You had too many other problems that needed to be fixed first.

    Did you forget to fix the below line with HJT because I still see it?

    O4 - HKLM\..\Run: [trioService] "C:\PROGRA~1\Freeze.com\3D Falling Leaves\\trioService.exe "

    Try fixing it again now!

    I will work up a manual fix for Virtumundo in my next message.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later. You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now!

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of awtsq.dll once and then click the kill button. After you have killed all of the awtsq.dll instances under winlogon click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of awtsq.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\awtsq.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - Winlogon Notify: awtsq - C:\WINDOWS\system32\awtsq.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\qstwa.ini
    C:\WINDOWS\SYSTEM32\qstwa.ini2
    C:\WINDOWS\SYSTEM32\qstwa.bak
    C:\WINDOWS\SYSTEM32\qstwa.bak1
    C:\WINDOWS\SYSTEM32\qstwa.bak2
    C:\WINDOWS\SYSTEM32\qstwa.tmp
    C:\WINDOWS\System32\awtsq.dll

    If you find any other files in this folder that begin with qstwa and end with any other extension (the .ini is an extension), delete them too.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log and tell me how the steps went. Doing this in normal boot mode does not always work. That is why we try to use safe mode.
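    As an added illustration (not code from this thread, from HijackThis or from the tools named above), the following Python parser handles the HJT 'O' lines quoted in posts 11 and 20: it cross-references O20 Winlogon Notify DLLs with O2 BHO entries and derives the reversed-name companion pattern the two fixes above target (sstqq.dll / qqtss.*, awtsq.dll / qstwa.*). The sample log is constructed from lines in this thread.

```python
import os
import re

# Constructed sample, modelled on the HijackThis 'O' lines quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\\WINDOWS\\system32\\awtsq.dll
O4 - HKLM\\..\\Run: [trioService] "C:\\PROGRA~1\\Freeze.com\\3D Falling Leaves\\\\trioService.exe "
O20 - Winlogon Notify: awtsq - C:\\WINDOWS\\system32\\awtsq.dll
O23 - Service: FreezeScreenSaver - Unknown owner - C:\\WINDOWS\\system32\\FreezeScreenSaver.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
MISSING = ("(file missing)", "(no file)")  # HJT's markers for orphaned entries


def stem(path):
    """Lower-case file name without extension; handles Windows paths on any OS."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0].lower()


def parse_hjt(text):
    """Split each HijackThis 'O' line into section, label, target file and a
    flag saying whether HJT reported the target as missing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        fields = rest.split(" - ")
        target = fields[-1].strip()
        missing = target.endswith(MISSING)
        for tag in MISSING:
            target = target.replace(tag, "").strip()
        quoted = re.search(r'"([^"]*)"', target)  # O4 Run entries quote the command
        if quoted:
            target = quoted.group(1).strip()
        entries.append({"section": section, "label": fields[0], "target": target,
                        "missing": missing, "raw": line.strip()})
    return entries


def vundo_indicators(entries):
    """Flag DLLs registered both as an O20 Winlogon Notify handler and as an O2
    BHO, the loading pattern of the Vundo/Virtumundo variant cleaned in this
    thread, and derive its reversed-name companion glob. Keyed by DLL stem."""
    notify = {stem(e["target"]): e for e in entries
              if e["section"] == "O20" and e["target"].lower().endswith(".dll")}
    findings = {}
    for e in entries:
        s = stem(e["target"])
        if e["section"] == "O2" and s in notify:
            clsid = CLSID_RE.search(e["raw"])
            folder = e["target"].rsplit("\\", 1)[0]
            findings[s] = {"dll": e["target"],
                           "bho_clsid": clsid.group(0) if clsid else None,
                           "companion_glob": f"{folder}\\{s[::-1]}.*",
                           "lines": [notify[s]["raw"], e["raw"]]}
    return findings
```

    Entries whose `missing` flag is set (the '(no file)' BHO and the dead O23 service) are the leftovers the thread removes with HJT's Fix and 'Delete an NT Service'.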
     
  21. brenna

    brenna Private E-2

    Alright, the only files I could find were the .bak1 and .bak2 in Pocket Killbox. I've attached a new HJT log.
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean now! Are you having any other problems?
     
  23. brenna

    brenna Private E-2

    I don't seem to be so far, hopefully it's all cleared up, thank you!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

