Winfixer in System Tray and Can't get rid of it

Discussion in 'Malware Help (A Specialist Will Reply)' started by Krony, Jul 30, 2005.

  1. Krony

    Krony Private E-2

    Looking for help getting rid of Winfixer, which is now in my system tray and keeps popping up in IE.

    Ran all of the steps in "Read This Before Posting Log File" Thread.
    Including
    Turning off system restore.
    and running in safe mode
    bitdefender, RAVAntivirus, Avert Stinger, AdAware & the VX plug-in, SpybotS&D, Kill2Me and CCleaner.

    If rebooting back to normal Winfixer is still there.

    NOTE - In RAVAntivirus and in BitDefender two files were highlighted as infected but could not be fixed or deleted. They were
    c:\windows\assembly\temp\mainms.dll
    c:\windows\registration\wavekb.dll

    And RAVAntivirus associated them with win32/vundo.B

    Have downloaded HijackThis but will wait before posting a log.

    Thanks, Stuart
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. Krony

    Krony Private E-2

    Downloaded and ran both tools.
    Stayed in Safe Mode (w/network support on) and ran HJT
    log as follows:

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Aug 3, 2005
  4. Krony

    Krony Private E-2

    Forgot to write that both tools ran to the end and both tools said they did not find vundo or vundo.b
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner. After the scan is complete reboot into normal mode and attach a fresh HJT log.
     
  6. Krony

    Krony Private E-2

    Followed all your direction and did the Trendmicro scan you suggested, in safe boot with restore off and all files unhidden.

    The scan noted troj-agent.fz in two files, and said "move failed", and "delete failed" for both locations. The two files were the same as found with RAVAntivirus scan
    c:\windows\assembly\temp\mainms.dll
    c:\windows\registration\wavekb.dll

    Here is my HJT Log

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Aug 1, 2005
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    From now on please attach ALL logs as attachments to your post.

    Now, download the following removal tools:

    After you download both tools, REBOOT INTO SAFE MODE! Once in Safe Mode physically disconnect from the internet by pulling the cord. Now run both tools. After you have run both tools in Safe Mode reboot back into normal mode. Reconnect to the internet and attach a fresh HJT log.
     
  8. Krony

    Krony Private E-2

    BJ,

    I had run both tools before (see note #2), but ran them again. As directed in safe mode fully unplugged. No log file created that I know of but both tools said - did not find vundo and did not find vundo.b, but the problem is still there.

    The tools that came closest to helping were Bitdefender and RAVantivirus, which found the infected files but could not get rid of it.

    I attached the SystemClean logs from last night followed by a new HJT log.

    Thanks for continuing to help.

    Inline logs attached!
     

    Attached Files:

    Last edited by a moderator: Aug 3, 2005
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Krony,

    This is the third time I have attached your logs, from now on attach all logs as attachments to your post!



    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Microsoft AntiSpyware


    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After you complete the above reboot and attach a fresh HJT log as an ATTACHMENT to your post!
     
  10. Krony

    Krony Private E-2

    Removed Microsoft Antispyware.

    Downloaded, updated and ran Trojan Hunter. Did not do this in Safe Mode - not sure if it should have been done that way. It found nothing - Log attached.

    Ran new HJT - Log attached.

    Thanks for the continued help. Wish we could move through this faster but seems our schedules only allow for one communication per day.

    Appreciate your time.
    Krony

    JUST REALIZED I DID NOT REBOOT BEFORE RUNNING HJT. Will reboot, rerun and post new file.
     

    Attached Files:

  11. Krony

    Krony Private E-2

    Attached new HJT log after rebooting.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, you need to uninstall Microsoft Antispyware and TrojanHunter so they will not block any parts of this fix, you must also disable Spybot's TeaTimer as it will block parts of this fix. Also you need to disable any other antispyware programs and antivirus programs so they will not block anything either!

    Download Pocket KillBox
    (Don't run it yet)

    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: MSEvents Object - {FBD49452-69E0-4837-91FA-9227A6DD1A83} - C:\WINDOWS\Cursors\aveula.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O20 - Winlogon Notify: aveula - C:\WINDOWS\Cursors\aveula.dll
    O20 - Winlogon Notify: mainms - C:\WINDOWS\assembly\temp\mainms.dll
    O20 - Winlogon Notify: wavekb - C:\WINDOWS\Registration\wavekb.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\Cursors\aveula.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\assembly\temp\mainms.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Registration\wavekb.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot into Safe Mode and proceed with the rest of this fix!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  13. Krony

    Krony Private E-2

    BJ,

    At work now. Will run this when I get home this evening.

    I've already removed Microsoft Antispy and can easily remove TrojanHunter. Not sure where to go to disable Teatime but I'll find it and all of the other virus SW.

    Will post a new HJT log after I complete all steps. Should be about 9:00PM tonight.

    Thanks again for the assistance.

    Krony
     
  14. Krony

    Krony Private E-2

    Really thought this was going to do it, but it did not. Believe I followed all directions exactly.

    When I finished and ran AdAware and SpybotS&D they both showed my PC as clean. But when I rebooted back into normal mode the WinFix was still there and I'm still getting pop-ups.

    After following all steps I ran HJT and saved log - (labeled HJT8-3b.log) and saw the aveula.dll file still in section 02 and 20 - although I think it now had a different set of numbers and I think other stuff is there that was not before.

    Ran HJT again and tried to fix the aveula.dll files a second time, and ran PocketKill Box again pasting the aveula.dll name. Rebooted to safe mode and ran SpybotS&D again and again it came up clean.

    Rebooted to normal again but WinFix is still there.

    The most current HJT log is attached as just HJT.log

    What could I have done wrong? Where do we go from here?
     

    Attached Files:

  15. Krony

    Krony Private E-2

    BJ,

    I did a closer comparison of the HJT logs before and after last changes. Everything you asked me to remove is gone except the aveula instances in section 02 and 20, which look just like they did before, and I don't see any other new entries.

    Not sure what to do next. Appreciate your help and support.

    Thanks,
    Krony
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Just leave this for now!
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Now I want you to completely disconnect from the internet as in pulling the cable!!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    After that, you must run a search for all aveula entries on your machine (.ini, .exe, .dat, .bak, etc. . . ) Use Windows Explorer to track them down if possible.

    NEXT:
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\Cursors\aveula.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    NOW:
    After your machine reboots, Scan with HijackThis and FIX these entries:

    O2 - BHO: MSEvents Object - {FBD49452-69E0-4837-91FA-9227A6DD1A83} - C:\WINDOWS\Cursors\aveula.dll
    O20 - Winlogon Notify: aveula - C:\WINDOWS\Cursors\aveula.dll

    NEXT:
    Run the Symantec Vundo Removal Tools again and then run CCleaner again.

    Finally, reboot and rescan with HJT and attach the log. Let me know how you fared with the above and whether you ran into any problems.
     
  17. Krony

    Krony Private E-2

    No problems running the last set of instructions, but unfortunately the problem is still there. :eek:

    HJT log attached.

    Comments and observations that might help in determining how to proceed.

    - I found and deleted a number of avuela files with various extensions. Deleted them and then emptied the recycle bin.

    - There are 4 user accounts on the PC (Wife and 2 kids and I). When I run CCleaner I open and run it in each account to make sure I get everyone's temp files etc. Do I need to run anything else from each individual account?

    - When I did fix.reg it did not ask me about merging but did ask if I wanted to save to the registry and I clicked OK.

    - I've been running the HJT and other tools "out of the box" without changing any settings (except doing updates where available). Could I have something set wrong in one of the tools?

    - When I entered C:\windows\cursors\aveula.dll into Pocket KillBox I typed it in (since I had already closed all of my other windows and couldn't copy/paste without reopening and reconnecting to the i-net.) I carefully double confirmed the spelling but it did NOT turn blue.

    - When I ran Symantec vundo and vundo.b tools they found no virus.

    Let me know what to try next.

    Thanks for the support.
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Killbox from the link I provided you with to make sure you have the updated version.

    Before you start this, disable Norton period. Reboot into Safe Mode under the Admin account and try the fix in my previous post. That has never failed to fix this trojan so something is right.
     
  19. Krony

    Krony Private E-2

    Did everything you suggested and still no luck. So I did it all a second time to make sure I didn't make any mistakes and still it didn't take.
    The WinFix icon is still in the system tray and the entries are still in HJT log.

    Only question I had on the procedures was disable Norton. I turned off all of the auto-protect features. Did not see a way to totally disable the program.

    Attached the most current HJT log.

    There's got to be a way to beat this. What else do I try?

    Thanks again,
    Krony
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach anything? Before you attach a log try this first...

    Download and install Microsoft® Windows AntiSpyware during the install make sure you get any updates BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and attach a fresh HJT log.
     
  21. Krony

    Krony Private E-2

    Thought I had attached a log. Sorry for the oversight.

    I'm a bit confused. The e-mail I just got linking me back to this thread says copy and run Trojan Hunter. But when I clicked on the link to take me to the actual thread it says MicroSoft AntiSpyware.

    And here is the e-mail
    ***************
    You didnt attach anything? Before you attach a log try this first...

    1) Download TrojanHunter (http://www.majorgeeks.com/download1232.html)

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections, reboot and attach a fresh HJT log.


    I will try Trojan Hunter first and see what I get.

    I attached the log I forgot from this morning.
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, I didn't realize I had already requested this so just skip this if you like and just proceed with the MSAS scan.
     
  23. Krony

    Krony Private E-2

    Glad to see we are both online at the same time.

    Will update and run MSAV and let you know what I get.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, I will be here for a few more minutes but don't wait on me, I'll be in and out all day tomorrow. Make sure you get a full scan and remove all found infections.
     
  25. Krony

    Krony Private E-2

    Ran MSAS in normal mode - fully disconnected from the i-net and then again in safe mode, thinking that was a better way to go. Neither time did it find a virus. Before this all started I had MSAS running on my PC everyday and it never found this problem. I had uninstalled it based on your advice in an earlier post.

    Attached latest HJT log - looks the same.

    Must sleep. Will check in tomorrow.
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  27. Krony

    Krony Private E-2

    Ran Panda and it found but did not fix two problems - looks like a different problem(?)

    Attached Panda log and a new HJT log.
     

    Attached Files:

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\Documents and Settings\Stuart\Local Settings\Temp\st.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Cursors\aveula.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above reboot and attach a fresh HJT log.
     
  29. Krony

    Krony Private E-2

    Followed as directed and attached latest log. Feel like we are going a bit in circles. Very frustrating not to be able to get rid of this.

    Thanks, Krony
     

    Attached Files:

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do this for me quick like and then we will remove it.

    -Open the Search Assistant(Click Start > Click Search)
    -Select All Files and Folders
    -Select Advanced Options
    -Make sure there is a check by every box under Advanced Options

    Now under All Files and Folders,enter this into the text box:

    aveula

    &

    alueva

    Don't add any extensions to either entry and post back with any returns!
     
  31. Krony

    Krony Private E-2

    Maybe we have something here.

    For aveula the only file was the .dll

    For alueva I found a number of files .bak2 .ini .ini2 .tmp

    ALSO - When we first started this process I had a number of infected files which were deleted so on a hunch I searched for logeula & aluegol, vsscab and bacssv, wavekb and bkevaw, mainms and smniam

    I found bacssv.bak2 and bkevaw.bak and bkevaw.ini

    I assume all of these files should be deleted?

    After that what is the correct step to proceed with.

    Thanks, Krony
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes they should, but first I need you to give me the exact location of the alueva files and the exact file names.
     
  33. Krony

    Krony Private E-2

    Names are:
    C:\WINDOWS\Cursors\alueva.bak1
    C:\WINDOWS\Cursors\alueva.bak2
    C:\WINDOWS\Cursors\alueva.ini
    C:\WINDOWS\Cursors\alueva.ini2
    C:\WINDOWS\Cursors\alueva.tmp

    Also found
    C:\WINDOWS\Registration\bkevaw.bak1
    C:\WINDOWS\Registration\bkevaw.ini
    C:\WINDOWS\Registration\bacssz.bak2

    Will delete all and empty recycle bin.
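
The reversed-name search from the posts above, as an added example that is not part of the original thread: it takes the O2/O20 HijackThis entries and the file names quoted in this thread and pairs each loaded DLL with files in the same folder whose base name is the DLL's name spelled backwards. The function names and the regular expression are assumptions made for this sketch; the sample data is copied from the posts.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# HijackThis entries quoted earlier in this thread (O2 = BHO, O20 = Winlogon Notify).
HJT_LINES = [
    r"O2 - BHO: MSEvents Object - {FBD49452-69E0-4837-91FA-9227A6DD1A83} - C:\WINDOWS\Cursors\aveula.dll",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O20 - Winlogon Notify: aveula - C:\WINDOWS\Cursors\aveula.dll",
    r"O20 - Winlogon Notify: mainms - C:\WINDOWS\assembly\temp\mainms.dll",
    r"O20 - Winlogon Notify: wavekb - C:\WINDOWS\Registration\wavekb.dll",
]

# File names reported by the search in the post above.
FOUND_FILES = [
    r"C:\WINDOWS\Cursors\alueva.bak1",
    r"C:\WINDOWS\Cursors\alueva.bak2",
    r"C:\WINDOWS\Cursors\alueva.ini",
    r"C:\WINDOWS\Cursors\alueva.ini2",
    r"C:\WINDOWS\Cursors\alueva.tmp",
    r"C:\WINDOWS\Registration\bkevaw.bak1",
    r"C:\WINDOWS\Registration\bkevaw.ini",
    r"C:\WINDOWS\Registration\bacssz.bak2",
]

# Assumed line shape: "<section> - <type>: <name/CLSID> - <path>.dll [(file missing)]"
ENTRY_RE = re.compile(
    r"^(O2|O20) - [^:]+: .* - ([A-Za-z]:\\.+?\.dll)(?:\s|$)", re.IGNORECASE
)


def loaded_dlls(hjt_lines):
    """Return {lowercased DLL path: set of HJT sections that reference it}."""
    dlls = {}
    for line in hjt_lines:
        m = ENTRY_RE.match(line.strip())
        if m:  # entries such as "(no file)" carry no path and are skipped
            dlls.setdefault(m.group(2).lower(), set()).add(m.group(1).upper())
    return dlls


def reversed_companions(hjt_lines, file_paths):
    """Map each loaded DLL to same-folder files named with its stem reversed."""
    result = {}
    for dll in loaded_dlls(hjt_lines):
        folder, name = ntpath.split(dll)
        stem = ntpath.splitext(name)[0]
        mirror = stem[::-1]
        if mirror == stem:  # a palindrome would only match the DLL itself
            result[dll] = []
            continue
        result[dll] = sorted(
            p for p in file_paths
            if ntpath.dirname(p).lower() == folder
            and ntpath.splitext(ntpath.basename(p))[0].lower() == mirror
        )
    return result


def unmatched(hjt_lines, file_paths):
    """Files that are not the mirror of any DLL named in the log."""
    paired = {p for hits in reversed_companions(hjt_lines, file_paths).values()
              for p in hits}
    return [p for p in file_paths if p not in paired]


if __name__ == "__main__":
    for dll, hits in reversed_companions(HJT_LINES, FOUND_FILES).items():
        print(dll, "->", hits or "no reversed-name files in the listing")
    print("not tied to a logged DLL:", unmatched(HJT_LINES, FOUND_FILES))
```

Files left in the unmatched list are not tied to any DLL in the log supplied and need a separate look.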
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please download this NOD32 removal tool
    http://www.nod32.it/cgi-bin/mapdl.pl?tool=AgentCS
    (Don't run it yet)

    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: MSEvents Object - {FBD49452-69E0-4837-91FA-9227A6DD1A83} - C:\WINDOWS\Cursors\aveula.dll
    O20 - Winlogon Notify: aveula - C:\WINDOWS\Cursors\aveula.dll

    Make sure All Browser Windows are Closed when you Click FIX.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted as you will restart during the next step:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\WINDOWS\Cursors\aveula.dll
    C:\WINDOWS\Cursors\aveula.bak1
    C:\WINDOWS\Cursors\aveula.bak2
    C:\WINDOWS\Cursors\aveula.ini
    C:\WINDOWS\Cursors\aveula.ini2
    C:\WINDOWS\Cursors\aveula.tmp
    C:\WINDOWS\Cursors\alueva.bak1
    C:\WINDOWS\Cursors\alueva.bak2
    C:\WINDOWS\Cursors\alueva.ini
    C:\WINDOWS\Cursors\alueva.ini2
    C:\WINDOWS\Cursors\alueva.tmp

    NOW:
    Open the Removal Tool From NOD32

    -Double Click on "AGCSCLEAN.exe" to open it-> Click on "Run System Check" and let it Roll!

    It should restart automatically, if it doesn't just restart manually!


    After you have completed the above, reboot and attach a fresh HJT log.
     
  35. Krony

    Krony Private E-2

    Followed directions from last post. The ACGSClean tool could not find an infected file so I pointed it to C:\WINDOWS\Cursors\aveula.dll. It then came back and said the system had been cleaned.

    In the HJT log it looks like the aveula.dll file is missing, however I still have the WinFix icon in my system tray! Not sure what this means and what steps to take next.

    Log attached.
     

    Attached Files:

  36. Krony

    Krony Private E-2

    THIS IS THE SECOND OF TWO NEW POSTS SINCE THE LAST SET OF INSTRUCTIONS

    After my last post I ran HJT again and fixed the line in the 02 section with aveula .dll (file missing) and now that line has dropped from the log (see new HJT log attached) but the WinFix icon remains in the system tray!!
     

    Attached Files:

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is now clean!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\System32\param32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.


    After you complete the above reboot and let me know if any problems remain!
     
  38. Krony

    Krony Private E-2

    I was really hoping we had it but the icon is still there.

    The file did not show up in blue and I had to reboot manually.

    What else can I try?

    Thanks Krony

    Edited _ Can the icon still be there even though the trojan is gone? Is there a way to just remove an icon from the system tray?
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, final step should take care of it!

    First, I need you to navigate to the System32 directory and delete any icons, for example:

    casino.ico
    date.ico
    games.ico
    mobile.ico
    network.ico
    pharm.ico
    pharm2.ico
    scanner.ico
    spam.ico
    spyware.ico


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\WINDOWS\System32\param32.dll
    C:\WINDOWS\System32\systr.dll
    C:\WINDOWS\system32\guninst.exe
    C:\WINDOWS\system\guninst.exe

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and let me know how things are now.
     
  40. Krony

    Krony Private E-2

    You mean c:\windows\system32?
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Correct!
     
  42. PhilliePhan

    PhilliePhan Guest

    If that doesn't get it, I have a suggestion that may or may not work. But I don't want to butt in . . . ;)
     
  43. Krony

    Krony Private E-2

    Followed the directions and deleted 7 .ico files. Ran killbox and rebooted but the icon is still there!!!!

    Feel like we are closer but no cigar yet.
    Please feel free to butt in - if it's OK with BJ.
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything else, take a screenshot and attach the image. I want to see what this thing looks like.
     
  45. Krony

    Krony Private E-2

    Not sure how to do a screen shot.

    The icon looks just like the MS icon for updates to your computer except it is red and has an "X" in it.

    It pops up first thing in the system tray in the bottom right as soon as I logon with a balloon saying that my PC is at risk and to click the icon to fix it. I of course never click. The other symptom - although it has not occurred in the past 24 hours - is a pop-up of a full page WinFixer page.
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download SilentRunners from:
    http://www.silentrunners.org/Silent%20Runners.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Once finished, the script will save a Notepad document to your Desktop.
    Please attach the contents of that document into this thread (call it runners.txt).
     
  47. Krony

    Krony Private E-2

    Figured out how to do the screen shot. Pasted into the attached. The icon is in the very lowest right hand corner.
     

    Attached Files:

  48. Krony

    Krony Private E-2

    Attached Silent Runner file
     
  49. Krony

    Krony Private E-2

    New Silent Runner file is attached here.
     

    Attached Files:

  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and see if it's gone. Also get me a fresh HJT log.
     
