Stubborn WinFixer

Discussion in 'Malware Help (A Specialist Will Reply)' started by lbmest, Sep 16, 2006.

  1. lbmest

    lbmest MajorGeek

    Working on a friend's comp. Have gone through the procedure and used the special tool and still can't get the trojan off. See attached reports.
     

  2. lbmest

    lbmest MajorGeek

    Additional reports.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the READ & RUN ME instructions quite properly.
    • You did not uninstall Viewpoint Media Player in step 0 as requested.
    • You are using Spybot - Search & Destroy 1.3 which has not been used in over two years. If you follow the instructions in the READ ME, you would have the current version.
    You should address the above and then continue to the below.

    Now uninstall the below old version of Sun Java:
    Java 2 Runtime Environment, SE v1.4.2_03


    Now make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\Common Files\Win Fixer 2006\wfcookwr.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {45885BC9-201D-45FA-8623-94404ED5804a} - C:\WINDOWS\system32\kyhyytue.dll
    O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
    O4 - HKLM\..\Run: [WinFX_cwr] C:\Program Files\Common Files\Win Fixer 2006\wfcookwr.exe
    O20 - Winlogon Notify: mljjk - mljjk.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\Win Fixer 2006 <--- the whole folder
    C:\WINDOWS\system32\kyhyytue.dll

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now if running Win XP go to C:\WINDOWS\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now.
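
The persistence points listed in the post above (an O2 BHO, two O4 HKLM Run values, an O20 Winlogon Notify package, the dropped folder and DLL, and the running wfcookwr.exe) can be audited and removed from PowerShell as well as through HijackThis. The script below is an added example and is not part of chaslang's post or lbmest's reply; it assumes the paths and CLSID quoted in the HJT log, an elevated PowerShell session, and a 32-bit Windows XP registry layout (no Wow6432Node). By default it only reports what it finds; pass -Remove to kill the process and delete the entries, and as with the HJT fix, close all browsers first.

```powershell
# Added example (not from the thread): audit the persistence points chaslang listed
# in the HijackThis log and optionally remove them. Run elevated. The paths and CLSID
# are the ones quoted in the post; nothing else about the sample is assumed.
param([switch]$Remove)

$indicators = @{
    # O2 - BHO registered under Browser Helper Objects and HKCR\CLSID
    BhoClsid       = '{45885BC9-201D-45FA-8623-94404ED5804a}'
    # O4 - HKLM\..\Run value names
    RunValues      = @('WinFX_cwr', 'zzzHPSETUP')
    # O20 - Winlogon Notify package (DLL missing, but the key still tries to load it)
    WinlogonNotify = 'mljjk'
    # Dropped folder and DLL to delete once nothing is holding them open
    Paths          = @('C:\Program Files\Common Files\Win Fixer 2006',
                       'C:\WINDOWS\system32\kyhyytue.dll')
    # Process name without .exe, as Get-Process expects
    ProcessName    = 'wfcookwr'
}

$findings = @()

# 1. Running process: must die before the files can be deleted
Get-Process -Name $indicators.ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: $($_.Path) (PID $($_.Id))"
    if ($Remove) { Stop-Process -Id $_.Id -Force }
}

# 2. BHO registration: the BHO list entry and the CLSID's own key (InprocServer32)
$bhoKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$($indicators.BhoClsid)"
$clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$($indicators.BhoClsid)"
foreach ($k in @($bhoKey, $clsidKey)) {
    if (Test-Path $k) {
        $findings += "Registry key present: $k"
        if ($Remove) { Remove-Item -Path $k -Recurse -Force }
    }
}

# 3. HKLM Run values
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in $indicators.RunValues) {
    $val = (Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) {
        $findings += "Run value ${v}: $val"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $v }
    }
}

# 4. Winlogon Notify package
$notifyKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$($indicators.WinlogonNotify)"
if (Test-Path $notifyKey) {
    $dll = (Get-ItemProperty -Path $notifyKey -Name DllName -ErrorAction SilentlyContinue).DllName
    $findings += "Winlogon Notify package $($indicators.WinlogonNotify): DllName=$dll"
    if ($Remove) { Remove-Item -Path $notifyKey -Recurse -Force }
}

# 5. Files on disk: clear the read-only bit first, as the post advises, then delete
foreach ($p in $indicators.Paths) {
    if (Test-Path $p) {
        $findings += "Path present: $p"
        if ($Remove) {
            Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Attributes = $_.Attributes -band (-bnot [IO.FileAttributes]::ReadOnly) }
            Remove-Item -Path $p -Recurse -Force
        }
    }
}

if ($findings) { $findings } else { 'No listed indicators found.' }
```

Run it once without -Remove and compare the output with the HJT log; a hit on the Winlogon Notify key with an empty DllName is the "(file missing)" case from the O20 line, and the key should still go. If the DLL in system32 refuses to delete even after the process is killed, it is loaded in another process (typically explorer.exe or a browser), which is why the post has you delete it from safe mode.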
     
  4. lbmest

    lbmest MajorGeek

    Hi Chaslang,
    I apologize for making a difficult job harder.
    After posting yesterday, removed Norton Systemworks 2004 and installed AVG and Zone Alarm Free.

    This AM did the following from your reply:
    Viewpoint Media Player has been uninstalled.
    Spybot has been upgraded to the most recent version and rerun. Found and fixed 3 problems - 2 of which were WinFixer.
    Old Java version has been uninstalled.
    Viewing of hidden files was enabled before per tutorial.

    Win Fixer 2006\wfcookwr.exe process was killed with no problem in HiJack.
    The four lines from the scan were fixed.
    Booted to safe mode and both items deleted with no problem w/o opening Task Manager.
    Running XP Home and all items were deleted from Prefetch folder.
    Ran CCleaner.
    Booted to normal mode.
    Only 2 files were in C:\Windows\Temp - ZLT07b1c.TMP and ZLT07b1f.TMP. Neither could be deleted.
    Reran HiJack and attached log.


    Comp seems to be fine now. Reran the following after doing your procedure:
    Reran spybot - no problems.
    Reran AdAwareSE - 1 critical, 2 MRU - all 3 removed.
    Reran MS Malicious Tool Sept 2006 - None Detected.
    Reran Windows Defender - None detected.
    AVG ran scan this AM and found 7 trojans and deleted them to Virus Vault.
    Details - C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP 250\A0778764.exe Trojan horse BackDoor.Generic3.LEQ
    The only change for the others was the final number before the .exe - 65, 66, 67, 68, 69, 70.
    This comp will have to go back to my friend today, so hopefully all is well. Thanks for your help.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
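
The restore-point flush described in the post above (the same step that clears the _restore\...\RP 250 copies AVG vaulted in lbmest's reply) can be scripted through the SystemRestore WMI class in root\default, which Windows XP, Vista and 7 expose. The script below is an added example and is not part of chaslang's post; it assumes an elevated PowerShell session, that System Restore is monitoring C:, and that the cleanup is finished (disabling it discards every existing restore point on that drive, including any that predate the infection). The post's manual path reboots between disabling and re-enabling; this script re-enables in the same session, which is enough for the points to be discarded.

```powershell
# Added example (not from the thread): flush System Restore the way chaslang describes,
# then take a fresh restore point on the cleaned system. Run elevated.
# Assumption: the monitored drive is C:\ (change $drive otherwise).
$drive = 'C:\'
$sr = [wmiclass]'root\default:SystemRestore'

# List what is about to be discarded so the decision is deliberate
$before = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
"Restore points before flush: $($before.Count)"
$before | ForEach-Object { "  #$($_.SequenceNumber) $($_.CreationTime) $($_.Description)" }

# Disabling monitoring on a drive deletes that drive's restore points
$r = $sr.Disable($drive)
if ($r.ReturnValue -ne 0) { throw "SystemRestore.Disable failed with code $($r.ReturnValue)" }

# Re-enable and wait until monitoring is active again
$r = $sr.Enable($drive, $true)
if ($r.ReturnValue -ne 0) { throw "SystemRestore.Enable failed with code $($r.ReturnValue)" }

# Create a clean checkpoint: type 0 = APPLICATION_INSTALL, event 100 = BEGIN_SYSTEM_CHANGE
$r = $sr.CreateRestorePoint('Clean point after WinFixer removal', 0, 100)
if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed with code $($r.ReturnValue)" }

$after = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
"Restore points after flush: $($after.Count)"
$after | ForEach-Object { "  #$($_.SequenceNumber) $($_.CreationTime) $($_.Description)" }
```

Run it only after the HJT log is clean, since any restore point created before the flush would restore the infection along with the system state; the "after" listing should show just the single new point.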
     
