Winfixer in System Tray and Can't get rid of it

Discussion in 'Malware Help (A Specialist Will Reply)' started by Krony, Jul 30, 2005.

  1. Krony

    Krony Private E-2

    Ran KillBox, but it didn't get it.

    Need to sleep.... Have to get up for work in 6 hours....

    Anything else I can try quick or else I will look in the morning for more ideas.

    Thanks again for all your time and effort.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log quick like please.
     
  3. Krony

    Krony Private E-2

    New HJT Log
     

    Attached Files:

  4. Krony

    Krony Private E-2

    Logging off for the night at 12:07 EDT
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    10-04

    When you come back I will try to have you a fix ready. Now, go get some rest! :p
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

First, uninstall Microsoft AntiSpyware & TrojanHunter and then proceed with the fixes in post 50 & 39.

    After you do the above reboot and see if that got it.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

If post 56 still doesn't work, let's try a few other things.

    First, make sure the viewing of hidden files and folder is enabled. Now I want you to do a manual search for the following files.

    UWFX5LP_0001_****.exe or UWFX5SP_0001_****.exe

    Delete any you find, also make a note and let me know where they were located.

    Now navigate to and delete the following folder IF it remains:

C:\Program Files\Winfixer


    Now, please download RegSrch.zip

Unzip the archive to your desktop and double click on the VBS file.
(If your AntiVirus alerts, allow the script to run.)

    Now enter Winfixer and post back with the results in this thread (call it regsrch.txt).
     
  8. PhilliePhan

    PhilliePhan Guest

    Hey BJ,

    Don't forget my other suggestion to look at VX2 - That might clear it up as well ;)

    PP :)
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will do, thanks PP!
     
  10. Krony

    Krony Private E-2

    OK here's what I did

    uninstalled Microsoft AntiSpyware & TrojanHunter

    didn't find any .ico files in system32 folder

    ran KillBox with following files (none came up blue)
    C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe
    C:\WINDOWS\System32\param32.dll
    C:\WINDOWS\System32\systr.dll
    C:\WINDOWS\system32\guninst.exe
    C:\WINDOWS\system\guninst.exe
    and then rebooted
    Problem was still there

    Searched for UWFX5LP_0001_****.exe and UWFX5SP_0001_****.exe
    Found nothing

    There was no winfixer folder to delete but I did search for winfix and found a couple of old cookie files with its name and deleted them.

    Downloaded and ran RegSrch.zip and searched for winfixer but it did not find it. Searched for winfix and it DID find it (see attached log file)!
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
Double-click on the fix1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you complete the above, reboot and see if problem remains.
     
  12. Krony

    Krony Private E-2

    Did the reg edit and rebooted (I restarted not a cold reboot) and problem is still there.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Please don't run any other files in the L2MFix folder.
     
  14. Krony

    Krony Private E-2

    L2MeFix Log.txt attached.


    I found this site this afternoon - when I was supposed to be working - not sure if it gives ideas that might work?

    http://vil.nai.com/vil/content/v_127690.htm

    Will continue to follow your lead. I trust you will be able to help me get this off my machine.

    Need to sign off for the night after this but will look for new suggestions in the morning.
     

    Attached Files:

    • log.txt
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do a search for the following names:

    NetInstaller

    UWFX5LP

    UWFX5SP


    Let me know what you get as in full name and location.

    Also run the RegSrch again and enter the above names and let me know if anything comes back.
     
  16. Krony

    Krony Private E-2

    One last thought for tonight. I have not been getting the winfixer pop-ups I had been getting. Although they were always random I was getting it a couple of times a night and I have not gotten any in the past two days or so. Is it possible the trojan/virus is gone and only the icon remains in the system tray?

    Also when I scroll over the icon it says "Windows Security Alerts" and if I right click it has two choices "Open Security Center" and "Go to Microsoft Security Web Site".

I never click the icon - assuming it will create problems, load more viruses, etc. but perhaps it is now just a dead link?

    Would be interested in your view on whether there is harm potential in clicking the icon and seeing where it takes me.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything follow my previous post 65. Does this show in Safe Mode?
     
  18. Krony

    Krony Private E-2

    Searching for NetInstaller found:
    DotNetInstaller.exe in 5 locations:
C:\program files\MusicMatch\musicmatchupdate\mmjb\engine32.cab
c:\program files\turbotaxdeluxe 2003\Dinst\engine32.cab
c:\program files\turbotaxdeluxe 2004\Dinst\engine32.cab
c:\program files\common files\installshield\professional\RunTime\0701\Intel32
c:\program files\common files\installshield\professional\RunTime\09\01\Intel32

Did not delete any as they look like they are real files (?)

    Did not find UWFX5LP or UWFX5SP during a search

    Reg Search on NetInstaller came back with:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
    "C:\\Program Files\\Common Files\\InstallShield\\Professional\\RunTime\\0701\\Intel32\\DotNetInstaller.exe"=dword:00000005

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
    "C:\\Program Files\\Common Files\\InstallShield\\Professional\\RunTime\\09\\01\\Intel32\\DotNetInstaller.exe"=dword:00000002

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5603]
    "001"="NetInstaller"


    RegSearch on UWFX5LP came back with:

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5603]
    "003"="UWFX5LP_0001_****.exe"

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5603]
    "000"="UWFX5LP"

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5604]
    "001"="UWFX5LP"


    RegSearch on UWFX5SP came back with:

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5603]
    "002"="UWFX5SP_0001_****.exe"

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5604]
    "000"="UWFX5SP"

    [HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5604]
    "002"="UWFX5SP_0001_****.exe"
     
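Added here as an illustration (not from the thread or from the RegSrch tool): a small Python triage of RegSrch-style output, using the hits from the post above as constructed sample input. It separates hits under the Search Assistant ACMru key, which only record what was typed into Windows Search, from hits that deserve a look.

```python
import re
from collections import defaultdict

# Constructed sample in the .reg-like format RegSrch prints; the entries are
# taken from the results posted above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
"C:\\Program Files\\Common Files\\InstallShield\\Professional\\RunTime\\0701\\Intel32\\DotNetInstaller.exe"=dword:00000005

[HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"003"="UWFX5LP_0001_****.exe"

[HKEY_USERS\S-1-5-21-795859685-539680641-2801272763-1006\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="UWFX5SP"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Key fragments whose hits are produced by the investigation itself, not by
# malware: the Search Assistant MRU stores the strings typed into Windows Search.
SELF_INFLICTED = ('\\search assistant\\acmru',)


def parse_regsrch(text):
    """Return a list of (key, value_name, data) triples from RegSrch-style output."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files double every backslash inside quoted value names
            hits.append((key, m.group(1).replace('\\\\', '\\'), m.group(2)))
    return hits


def triage(hits):
    """Split hits into 'noise' (search-history artifacts) and 'review' (everything else)."""
    buckets = defaultdict(list)
    for key, name, data in hits:
        bucket = 'noise' if any(s in key.lower() for s in SELF_INFLICTED) else 'review'
        buckets[bucket].append((key, name, data))
    return buckets


if __name__ == '__main__':
    for bucket, items in triage(parse_regsrch(SAMPLE)).items():
        print(bucket, len(items), [name for _, name, _ in items])
```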
  19. Krony

    Krony Private E-2

    No, the icon does not show when I boot in safe mode. But none of the icons - Norton AV, Mouse Control, Volume Control, etc. - are showing either.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Locate PocketKillbox
(Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\System32\reset5.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Reboot and see if problem remains. If it does, I have another suggestion.
     
  21. Krony

    Krony Private E-2

Added registry entries and ran KillBox - Icon is still there.

    The symptom of the pop-ups seems to be gone. If it weren't for the icon being in the tool box I would think we had solved the problem.

    What can we try next?

    Thanks,

    Krony
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the Generic Detection Tool - NT/2000/XP

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.


    Download the L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. Attach this log along with the log from the Generic Detection Log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!
     
    Last edited: Aug 14, 2005
  23. Krony

    Krony Private E-2

    Files attached.
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
(Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    C:\WINDOWS\System32\winboot.log
    C:\WINDOWS\System32\wtsqx.dll
    C:\WINDOWS\System32\qyusr.dll
    C:\WINDOWS\System32\syywv.exe
    C:\WINDOWS\System32\msconfig.dll

    After you complete the above, reboot and see if problem remains.
     
  25. Krony

    Krony Private E-2

Sorry to say it's still there!

    Still no more symptoms of pop-ups but the icon just won't go away.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have not followed this thread that closely so forgive me if this is not what you are referring to.

    Is the icon you are referring to the same as the one in the below link. If so, it is part of Windows Security Center.

    http://www.theeldergeek.com/security_center.htm
     
  27. Krony

    Krony Private E-2

Yes, that is the icon.

    However, in the past when I clicked it it took me to WinFixer pop-up page in IE.

    I believe we have fixed the issue of the pop-ups, and I had asked (see post #66) if I should try clicking the icon to see what would happen. Being afraid of re-installing a virus I had hesitated to do so.

    BJ - Comments? Can I go ahead and click the sucker without fear of creating more damage to see what happens?

    Thanks,
    Krony
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Krony,

You had me thinking it was the Winfixer system tray icon, not the Security Center. I was wondering why I could hardly find anything. This icon is OK to click on; the yellow one means you have available updates which you need to download. The red one means your firewall/antivirus is not found or out-of-date. Surf in to Windows Update and get all critical updates, reboot and it should be gone.
     
  29. Krony

    Krony Private E-2

    It's gone!!
Re-set the Microsoft Security Center setting to say that I had an anti-virus program running and it should not remind, and the icon went away.

    I think somewhere in looking for the vundo trojan, maybe when I eliminated MSAV, the setting must have gotten reset.

    BJ, Thanks so much for all of your time and assistance.

One last question - What do you recommend I run on my PC? And what should I re-set?

    I will turn restore points back on and re-hide system files.
    I run Norton AV and update it regularly.
    I will start running SpybotS&D and its immunize program.
    I also have a router which works as a firewall.

Anything else you recommend?

    Thanks Again,
    Krony
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

