Winfixer Help

I've had this virus pop up on Symantec Corporate edition a few times, but it never went away. I followed all the steps in the Read & Run ME First Post. Spybot, Windows Malicious Software Remover, and Windows defender detected nothing. BitDefender and panda Active scan did find some and the logs are attached. As well as a Hijack this log after being properly installed.

 

I'm also attaching GetRunKey log and ShowNew logs. Thanks for any help I can get, and your thorough precleaning instructions.

 

Download
- Pocket Killbox

Using Add or Remove Programs in the Control Panel; uninstall the following:

Update Mozilla Firefox (1.5) to the latest version. LINK

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Post a fresh HijackThis log.

I see from the ShowNew log that you ran VundoFix earlier. Please post the log from VundoFix in addition to the HijackThis log.

 

Here is the fresh Hijack log. I am still getting popups from winantivirus. The results from VundoFix V4.2.22 was as follows: C:\Windows\AppPatch\eolddv.bak1 ; C:\windows\apppatche\eolddv.bak2 ; C:\windows\apppatch\eolddv.ini ; c:windows\apppatch\vddloe.dll

 

Downloading
- Process Explorer

Extract Process Explorer to it's own folder somewhere that you will be able to locate it later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

Note: Some of the below processes may not be running on your sytem. In that case just skip the process and continue to the next process.

In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of vddloe.dll once and then click the kill button. After you have killed all of the vddloe.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on winlogon.exe and again click once on each instance of vddloe.dll and kill it. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of vddloe.dll and kill it. (If you do not find the dll, just continue on.)

Next double click on iexplore.exe and again click once on each instance of vddloe.dll and kill it. (If you do not find the dll, just continue on.)

Next double click on rundll32.exe and again click once on each instance of vddloe.dll and kill it. (If you do not find the dll, just continue on.)

Next double click on wrssdk.exe and again click once on each instance of vddloe.dll and kill it. (If you do not find the dll, just continue on.)

Now just exit Process Explorer.

Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\AppPatch\vddloe.dll
C:\WINDOWS\AppPatch\eolddv.bak1
C:\WINDOWS\AppPatch\eolddv.bak2
C:\WINDOWS\AppPatch\eolddv.ini
C:\WINDOWS\AppPatch\eolddv.ini2
C:\WINDOWS\AppPatch\eolddv.tmp

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Now Delete the folder C:\WINDOWS\AppPatch

Run CCleaner

Attach a new HJT log and tell me how the steps went.
Make sure you tell me how things are working now!

 

I was able to get rid of the viruses by running hijack and pocket kill box in safe mode. It successfully removed all the infected files. Thanks for the help.