Winfixer

Discussion in 'Malware Help (A Specialist Will Reply)' started by emerson981, Sep 9, 2005.

  1. emerson981

    emerson981 Private E-2

    I have the devil trying to get onto my computer. Winfixer popup keeps on coming back. It has yet to actually download on to my system, but I cannot get rid of the persistent popups. I have run AVG, Ad-Aware, Spysweeper, & Spyware Doctor to no avail. After reading some of the forums, I have now run HijackThis. Here is the log:

    Edit by chaslang: Unrequested inline log removed

    Sorry to say that I have read some other threads on the winfixer problem and was confused by some of the steps taken in the suggestions. So if someone could be as simple as possible with the steps that I should take, that would be appreciated.

    Thank you so much for any help. I just purchased a new laptop that I went into debt for a month ago. I feel terrible and any help would pull me out of the depression that was brought upon me by the devils behind WINFIXER!!!
     
    Last edited by a moderator: Sep 9, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Also you must install and run HJT properly which you did not do.


    Please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and select all those O18 lines with Logitech Desktop Messenger and then click fix.

    - Now rescan with HJT and save your log file.


    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way you have a Virtumundo problem we will need to fix after you complete the previous steps.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I decided to post the Virtumundo fix ahead of time to keep you moving along. So complete the previous steps and then move on to these steps.

    Okay let's start by downloading two tools we will need:


    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of rasdb.dll once and then click the kill button. After you have killed all of the rasdb.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of rasdb.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\rasdb.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - Winlogon Notify: rasdb - C:\WINDOWS\Help\rasdb.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\Help\dbsar.ini
    C:\WINDOWS\Help\dbsar.ini2
    C:\WINDOWS\Help\dbsar.bak
    C:\WINDOWS\Help\dbsar.bak2
    C:\WINDOWS\Help\dbsar.tmp
    C:\WINDOWS\Help\rasdb.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
    Last edited: Sep 10, 2005
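The removal steps in the previous message rest on a pattern a helper reads out of the HJT log: orphaned BHO registrations ("(no file)"), a DLL living somewhere a legitimate add-on would not be installed (C:\WINDOWS\Help), and the same DLL registered both as a browser helper object (O2) and as a Winlogon Notify handler (O20), which is why it has to be killed inside winlogon.exe and explorer.exe before it can be deleted. The script below is an added example, not the thread's or MajorGeeks' own tooling: it parses O2/O20 lines in HJT's format and applies exactly those three triage rules. The sample log is constructed from the four lines quoted above plus two benign-looking entries invented for contrast (the CLSID `{00000000-0000-0000-0000-000000000001}` and the `Example`/`example.dll` names are placeholders, not real products).

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines for the Vundo pattern."""
import re
from dataclasses import dataclass, field

# Constructed sample: the four lines quoted in the thread plus two benign-looking
# entries made up for contrast. Not a real log; the benign CLSID is a placeholder.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\\WINDOWS\\Help\\rasdb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: rasdb - C:\\WINDOWS\\Help\\rasdb.dll
O20 - Winlogon Notify: example - C:\\WINDOWS\\system32\\example.dll
"""

# Directories where a legitimately installed BHO or Winlogon Notify DLL is expected
# (assumption for this example; tighten to your own baseline).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Entry:
    kind: str          # "O2" or "O20"
    name: str
    path: str
    clsid: str = ""    # only O2 lines carry a CLSID


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse(log_text):
    """Return an Entry for every O2/O20 line; other HJT sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"]))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["path"]))
    return entries


def triage(log_text):
    """Apply the thread's reasoning to each entry and return only those worth fixing."""
    entries = parse(log_text)
    # A DLL referenced by both a BHO and a Winlogon Notify entry is the Vundo pattern
    # in the thread: rasdb.dll hooks the browser and winlogon.exe at the same time.
    bho_dlls = {e.path.lower() for e in entries if e.kind == "O2" and e.path != "(no file)"}
    notify_dlls = {e.path.lower() for e in entries if e.kind == "O20"}
    shared = bho_dlls & notify_dlls

    findings = []
    for e in entries:
        reasons = []
        path = e.path.lower()
        if path == "(no file)":
            reasons.append("orphaned BHO registration with no DLL on disk")
        else:
            if not path.startswith(EXPECTED_DIRS):
                reasons.append(f"DLL lives outside the expected install directories: {e.path}")
            if path in shared:
                reasons.append("same DLL registered as both a BHO and a Winlogon Notify handler")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def report(log_text):
    """One line per flagged entry, in the order the log lists them."""
    return "\n".join(
        f"{f.entry.kind} {f.entry.name}: " + "; ".join(f.reasons) for f in triage(log_text)
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is and the two "(no file)" BHOs, the MSEvents BHO and the rasdb Winlogon Notify entry are reported, while the two benign placeholders are not; the Winlogon Notify finding is the one that tells you the DLL is loaded into winlogon.exe and so must be unhooked before Killbox can remove it on reboot.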
  5. emerson981

    emerson981 Private E-2

    Sorry going through all the steps now.

    REALLY appreciate the patience.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem. I know it will take you awhile to run thru all of this but it will be worth it.
     
  7. emerson981

    emerson981 Private E-2

    OK, went through all of the steps that should have been obvious to me earlier. Nothing was found by either BitDefender or RAV AntiVirus (did both in safe mode). Also nothing found by the rest of the tools (CCleaner, Ad-Aware, Spybot etc.). And I still have the popup problem (it came on as soon as I went back into regular boot up). I have run HijackThis (properly installed this time). I ran the fix on the O18s. I cannot figure out how to post the log as an attachment. I don't want to bite the hand that feeds, but here is a cut and paste of the log.

    Edit by chaslang: Inline log removed
     
    Last edited by a moderator: Sep 9, 2005
  8. emerson981

    emerson981 Private E-2

    Once again, sorry about the cut and paste, but for the life of me I can't figure out how to post with an attachment. Shows my lack of experience I guess. I'm trying.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not follow the steps in message number 4 yet? Is that correct?

    If you did, you need to do it again because something was not executed properly.

    How to attach a HijackThis Log

    Assuming you have the hijackthis.log file saved on your PC and you know where it is:

    - Click the Reply button here to answer a message
    - At the bottom of the message window click the Go Advanced button
    - then scroll down a little until you see the Manage Attachments button and click it.
    - in the window that comes up click the Browse button and browse to the location on your PC where the hijackthis.log file is saved.
    - select it by double clicking on it.
    - Then click the Upload button. Observe the messages in that window: you should either see that the file is attached, or there could be an error message if you did something wrong.
    - then close that window
    - then save your message
     
  10. emerson981

    emerson981 Private E-2

    No, I haven't done what you suggested in #4. My computer is not letting me reboot in safe mode anymore. It goes to safe mode with "Safe Mode" in the 4 corners but with only a black screen. Here is the attachment.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have a Start button on the bottom left when in safe mode?

    Can you bring up Task Manager using CTRL-SHIFT-ESC when in safe mode?
     
  12. emerson981

    emerson981 Private E-2

    No, there is no Start in safe mode, but yes, when I control/alt/delete it brings up the Task Manager, which is how I got it to reboot back to normal. Gotta say it one more time, thanks for taking the time to help.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you can run Task Manager, you can have it run the Process Explorer and Pocket KillBox applications. Just use browse to locate them where you extracted them to in normal boot mode. You can also run applications from Process Explorer by clicking File, Run. Thus once Process Explorer is opened Task Manager can be closed. Obviously you also need to open HijackThis the same way.

    To merge in the registry patch, run regedit (the same way as you run all the above) and then click File, Import and locate the fixVundo.reg file to merge it in.

    Let me know if you follow all of this.
     
