Hiya Clare, welcome to PCHF.
Let's see what needs to be done here. :smiley:
Before fixing things with HijackThis, please do the following:
Show hidden files and folders:
For XP:
- On the Tools menu in Windows Explorer, click Folder Options.
- Click the View tab.
- Under Hidden files and folders, click Show hidden files and folders.
- If you see a warning message, click Yes.
- Click Apply.
- Click OK.
Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).
How to disable system restore:
WinXP:
- Click the Start button.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
You have a LOP infection that comes together with Messenger Plus. To remove it we will try the simple way first.
1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)
(see quote below!)
2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.
3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.
4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.
5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully one nasty infection is gone.
When removing Lop.com from the Add/Remove screen, it may not show up as Messenger Plus; instead, also look for these and remove them:
Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer
L.O P. Un insta11
L O.P. Un instal1
Live 0n line Portal
Live.0nli ne Porta1
Window Active
Finally, there is a step in the removal process of Messenger Plus where the sponsor asks if you want to uninstall that as well. You have to click YES to this part of the removal process.
If you don't do this correctly then you will have no other choice but to reinstall Messenger Plus and then go through the whole removal process again from the start.
Then please download CCleaner.
And download Process Explorer by Sysinternals from HERE.
Also download KillBox by Option^Explicit from HERE.
Then boot up in SAFE MODE and stay in safe mode (hit F8 when booting up) until the entire fix is done.
Unzip Process Explorer and double click on procexp.exe.
In the top section of the Process Explorer screen, double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, click on each instance of gebca.dll once and then click the kill button.
After you have killed all of the gebca.dll's under winlogon, click OK.
Next, in the top section of the Process Explorer screen again, double click on explorer.exe and again click once on each instance of gebca.dll, then click the kill button.
Once you have done that, click OK again.
Next run HijackThis and place a check beside each of the following (if still present):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06EC875A-90AC-6DFF-F5AE-D6FD6CF133E3} - blank (file missing)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\gebca.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Comp Jump Base Balm] C:\Documents and Settings\All Users\Application Data\Regs Funk Comp Jump\joy trust.exe
O4 - HKLM\..\Run: [NI.UWFX6_0001_N57M0912] "C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N57M0912NetInstaller.exe" -nag
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/.../english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/...ds/player/Install3.0/Installer.exe
O16 - DPF: {FAF10F23-0AC1-1213-A139-0F032B2112CA} - http://uk.global-acces.com/7adpower/nat2.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: gebca - C:\WINDOWS\system32\gebca.dll
Now click fix checked and close HijackThis. Delete the files in bold, and run CCleaner.
Please copy the text in the code box below, and paste it into a blank notepad window.
Save it as vundo.reg and in the "save as" type box choose "all files".
Once you have saved it, double click it and allow it to merge with the registry.
Code:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]
[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
[-HKEY_CLASSES_ROOT\ATLDistrib Object]
[-HKEY_CLASSES_ROOT\ATLDistrib Object.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib Object]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib Object.1]
Double click on Killbox.exe and then check the delete on reboot button.
Enter the following filepath and filename into the Full path of file to delete box:
C:\WINDOWS\system32\gebca.dll
Click the red circle with the white x and allow your computer to reboot.
(If KillBox doesn't reboot on its own then please reboot manually.)
After your computer has rebooted, please run HijackThis again and post a new HijackThis log.
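A way to check the follow-up log against the items fixed in the post above, as an added example that is not part of the original post: it parses HijackThis entry lines into section code and body, and reports which of the targeted items still appear and under which sections. The function names and the sample log are constructed for illustration; the indicators are the ones listed in the post.

```python
import re

# Indicators taken from the fix list in the post above.
TARGETS = [
    r"C:\WINDOWS\system32\gebca.dll",
    "{93C6313C-9DB4-4694-8BD0-E378C573A9AD}",
    "{06EC875A-90AC-6DFF-F5AE-D6FD6CF133E3}",
    "MsgPlusLoader.dll",
]

# HijackThis entries start with a section code such as R0, O2, O4 or O20.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Return (code, body) pairs for entry lines; header/process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def remaining(text, targets=TARGETS):
    """Map each target still present to the section codes it appears under."""
    hits = {}
    for code, body in parse_log(text):
        for t in targets:
            # Windows paths and CLSIDs compare case-insensitively.
            if t.lower() in body.lower():
                hits.setdefault(t, []).append(code)
    return hits


# Constructed sample: the BHO entry is gone but the Winlogon Notify entry remains.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O20 - Winlogon Notify: gebca - C:\WINDOWS\system32\gebca.dll
"""

if __name__ == "__main__":
    for target, codes in remaining(SAMPLE_LOG).items():
        print(f"still present: {target} under {', '.join(codes)}")
```

An empty result from `remaining()` means none of the listed items show up in the new log; any hit names the section that still needs fixing.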