Winfixer trouble... again

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tom K, Jun 23, 2006.

  1. Tom K

    Tom K Private First Class

    Hey Chaslang, Shadow Peter Dude, and all the MajorGeeks!
    During the past week, my computer has been running just a little slower than usual, but the fan has REALLY been getting a workout, especially when opening Internet Explorer. Tonight, I was online and not particularly interested in learning about new Anti-Virus software, but the spyware writing folks at WinAntiVirus Pro 2006 had other malicious ideas.

    I had a similar problem with Virtumonde once before in March, and with the help of Chaslang, was able to solve it using VundoFix. I tried that this time and it found no infected files. I should note that the symptoms my computer is showing now do not appear as severe as they did that time.

    I followed the standard procedures with some exceptions. First, I have to get rid of McAfee and will once I get rid of this spyware problem. Second, I could not run the Ad-Aware scan because that got destroyed when I had the last Virtumonde problem. And lastly, I could not run Windows Defender because I do not yet have SP2.

    Spybot found nothing except one tracking cookie. MWMSRT found nothing. Bitdefender, however, found (and said it removed) four viruses. Finally, Panda found one problem.

    I am attaching my Bitdefender, Panda ActiveScan, and HijackThis logs. Please review them at your convenience and let me know how I can resolve this problem. Thank you so much for any assistance you can provide.
     


  2. Tom K

    Tom K Private First Class

    I am still having the problem. It basically is a new window that opens up occasionally advertising this malicious anti-spyware product. What I want to add is that I have tried looking at the Bitdefender log to ascertain what viruses the program found and removed, but I cannot make sense of the .txt document. Thank you again for reviewing these logs. Any help is greatly appreciated.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you happen to try reinstalling Ad-Aware SE?

    The READ ME tells you to run CounterSpy and attach the CounterSpy log if you cannot run Windows Defender. Why haven't you upgraded to SP2 as my final steps to you indicated in April ( How to Protect yourself from malware! )

    You ignored step 3 of the READ ME. You have McAfee and AVG installed. Uninstall one of them now. Since you already said you want to get rid of McAfee, then uninstall McAfee. Do this now before continuing. You should never install a new antivirus while another is already installed. It will typically cause problems.



    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps (it will not work otherwise) and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of Audfat.dll once and then click the kill button. After you have killed all of the Audfat.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of Audfat.dll
    and kill it. (If you do not find the dll, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 -
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {fda84ac9-5594-488e-8501-7f65107f20d0} - C:\WINDOWS\system32\Audfat.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12258419c3df3d007816/netzip/RdxIE601.cab
    O20 - Winlogon Notify: Audfat - C:\WINDOWS\SYSTEM32\Audfat.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:

    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.


    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\Audfat.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot, we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
    Last edited: Jun 24, 2006
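    Added example (not from this thread or from MajorGeeks): a small Python parser that maps the R0/O2/O20 HijackThis lines quoted above to the registry locations they are read from, and flags any DLL that is registered both as a Browser Helper Object and as a Winlogon Notify package, which is the dual persistence that lets the DLL stay loaded in winlogon.exe and explorer.exe and is why it has to be killed there before it can be deleted. The registry paths are the standard locations for those entry kinds; the sample input is constructed from the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the HijackThis lines quoted in chaslang's post above.
HJT_SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {fda84ac9-5594-488e-8501-7f65107f20d0} - C:\WINDOWS\system32\Audfat.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12258419c3df3d007816/netzip/RdxIE601.cab
O20 - Winlogon Notify: Audfat - C:\WINDOWS\SYSTEM32\Audfat.dll
"""

# Standard registry locations behind the O20 and O2 entry kinds.
WINLOGON_NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

RE_R0 = re.compile(r"^R0 - ([^,]+),([^=]+) = (.*)$")
RE_O2 = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def parse_hjt(text):
    """Return one dict (kind, reg_key, value, data, dll) per supported HJT line.
    Kinds this example does not model (O16 etc.) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_R0.match(line):          # IE start page value under ...\Main
            entries.append({"kind": "R0", "reg_key": m.group(1), "value": m.group(2),
                            "data": m.group(3), "dll": None})
        elif m := RE_O2.match(line):        # BHO registered by CLSID
            clsid, dll = m.groups()
            entries.append({"kind": "O2", "reg_key": f"{BHO_KEY}\\{clsid}",
                            "value": None, "data": clsid, "dll": dll})
        elif m := RE_O20.match(line):       # Winlogon Notify package, DLLName value
            name, dll = m.groups()
            entries.append({"kind": "O20", "reg_key": f"{WINLOGON_NOTIFY}\\{name}",
                            "value": "DLLName", "data": name, "dll": dll})
    return entries


def dlls_by_kind(entries):
    """Group entry kinds by DLL basename, case-insensitively (system32 vs SYSTEM32)."""
    seen = defaultdict(set)
    for e in entries:
        if e["dll"]:
            seen[e["dll"].rsplit("\\", 1)[-1].lower()].add(e["kind"])
    return seen


def flag_dual_persistence(entries):
    """DLLs that are both a BHO (loaded into IE/explorer) and a Winlogon Notify
    package (loaded into winlogon.exe): the pattern seen in this thread."""
    return sorted(d for d, kinds in dlls_by_kind(entries).items() if {"O2", "O20"} <= kinds)
```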
  4. Tom K

    Tom K Private First Class

    Hey Chaslang,
    Thank you for providing the instructions. I have followed them and am including a new HijackThis log.

    To answer your questions: 1. I did not try re-installing Ad-Aware after the malware either destroyed or gave the false appearance of a crash upon opening of that tool. I was concerned that the program was and may still be vulnerable for exploitation. 2. I did not install CounterSpy because the READ ME did not indicate the tool would run on Windows XP, only on two other Operating Systems. 3. Prior to following your last instructions to me, I have uninstalled McAfee VirusScan using Add/Remove Programs in the Control Panel.

    I have some questions about the procedure you had me follow. What is Audfat.dll? What kind of malware does this problem appear to be? And, at one point while running Process Killbox, it said there were "5 User Profiles Detected", what does this mean?

    One thing I should also mention. While running Killbox.exe, there was a box that said "Delete on Reboot" which I checked. I did not see a box that said "Unregister DLL", yet there was one that said something similar but I did not check it because I was not sure if it meant the same thing.

    At this point, things appear to be running okay, but since I am posting this message to you pretty soon after completing the operation, I have not had a lot of time to see how things are going. Upon reboot, I did notice that the fan still was going fast during the immediate startup. I have not seen any new windows open up offering bilge, so that is good.

    Please review this log when you can, Chaslang, and thank you so much for the help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I quote from the READ ME:
    It is an unclassified trojan. Similar to Virtumonde, Conhook, and Look2Me, it uses Winlogon Notify to make it difficult to remove when Windows is running.

    You have multiple user accounts on your PC. It is just telling you the obvious.

    It is directly to the right of Delete on Reboot and says "Unregister .DLL Before Deleting". It will not activate until a DLL file is placed in the Full Path of file to delete box.


    I still see both McAfee and AVG in your HJT log. You have not uninstalled McAfee!
     
  6. Tom K

    Tom K Private First Class

    Hey again, Chaslang!
    Thanks again for the reply. I took a closer look at your quote. When I did not install and run CounterSpy, I was looking at the part that said,
    I didn't completely understand the part before that. That was my bad.

    The other part of your reply causes me some concern, though. When I said that Process Killbox reported there were "5 User Profiles Detected", and you said, "You have multiple user accounts on your PC. It is just telling you the obvious." That is what is causing me some concern. It isn't obvious to me because I checked and I double checked and there are only TWO user accounts, Administrator and a Guest account that says it is turned off. I do not understand where this application is seeing three or four other "user profiles".

    As to the McAfee still being installed, I removed the VirusScan as you told me the last time I had a problem and then again this time that it is not advisable to have two AVs installed. I must have a Firewall and am looking to install the free ZoneAlarm Firewall.

    I do not seem to be having any more problems from the trojan. I gather the procedures you recommended have eliminated the problem. :)

    How did the last HijackThis Log appear? How can I find out about these "phantom" user profiles? Thank you so much again.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you click on the menu item labeled Users tell me exactly what you see in the list that comes up.

    You're clean, other than all the McAfee stuff which really should be removed. Mixing their security center and firewall with another company's AV is not a good idea. McAfee is a resource hog anyway.

    You're welcome!
     
  8. Tom K

    Tom K Private First Class

    Hey Chaslang!
    If the menu item you mean is in the Control Panel, it is called "User Accounts". When I double-click on that, another window opens called "User Accounts". First it says "Pick A Task" and provides three options. And then it says "or pick an account to change". Underneath that, there appear to be only two accounts, "Computer Administrator" and "Guest" which says in small print below, "Guest account is off". That is all that is in there.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You said ProcessExplorer told you you have 5 user accounts so I'm referring to the menu item labeled Users in ProcessExplorer. ProcessExplorer does not normally just display a message about user accounts on its own.
     
  10. Tom K

    Tom K Private First Class

    Hey again, Chaslang!
    Actually, I was just looking back over this thread and I partially mixed up the name :rolleyes: because the application I was referring to was Killbox. I mistakenly called it Process Killbox. I did not see the "5 Users Detected" in Process Explorer. This actually happened in Killbox.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You'll have to explain this in more detail. I have never seen Killbox say anything about the number of Users. Reproduce it and tell me what you did to see this.


    Since your log was clean, if you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
