Winfixer


#1 Sweaver


Posted 27 June 2006 - 01:52 PM

Please help me get rid of a virus called WinFixer.

Shea

#2 -David-


Posted 27 June 2006 - 03:42 PM

Heya Shea, welcome to BC!

Please read the selfhelp instructions which can be found here. Please use those instructions as a guide to removing Vundo from your computer. If you are not happy doing it by yourself and would like 1 to 1 help, or cannot remove the program using the self-help guide please reply and we can consider the options possible.

David

#3 tos226


Posted 30 June 2006 - 11:56 AM

DISCLAIMER - I'm describing here MY experience. I have never removed a trojan before. I don't know what I'm doing, only an EXPERT from this site can give help, not me.


Re: Grinler’s January instructions http://www.bleepingcomputer.com/forums/t/57013/is-this-a-virus/

There’s a variant floating about which took me 2 long evenings to clean up using everything I’ve learned here (except following the instruction to NOT fix stuff yourself; well, I had to try :thumbsup: ). It was a tightly locked up office laptop, Windows 2000 with McAfee software, and I had to fix it without local support.


DOWNLOADER-AWX, also known as WINFIXER, is a Trojan.
Described in http://vil.nai.com/vil/content/v_139973.htm
Removal instructions were not included in the link, other than the need to use standard, updated, virus definition file. Rescan did not remove this trouble, though McAfee did not allow the installer of speedup and virus protection (WinFixer) to remain.

Bottom line: In spite of the virus scan saying the file is removable, it was not. Even with reboots. Only HJT removal on next bootup seems to have worked and/or disabling it from the startup list in Spybot S&D, and removing the registry keys.

McAfee log entries related to it:
1. Infected NT AUTHORITY\SYSTEM C:\WINNT\system32\auderf.dll Downloader-AWX (Trojan) (Removable)
2. Move failed (Clean failed) C:\Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5\YR8FH5OE\WinAntiVirusPro2006FreeInstall[1].exe WinFixer
3. C:\Temp\AAWTMP\C13904653\13955346 Downloader-AWX

Registry effects:
1. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K]
2. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5] @="{48b42d0b-0ba6-41f7-a2f4-748b974de2fc}"

HJT entries – Note that {key} matches a registry key above
1. O2 - BHO: (no name) - {48b42d0b-0ba6-41f7-a2f4-748b974de2fc} - C:\WINNT\system32\auderf.dll
2. O20 - Winlogon Notify: auderf - C:\WINNT\SYSTEM32\auderf.dll
The DLL file replaced the normal Notify file and took over. I think the DLL filename changed twice while this trojan was doing its filthy job. Until the HJT/Spybot fix, the file could not be deleted, because Windows was using it (I had no access to safe mode).

Computer seems fine. Then again, that scumware might resurface, I'll be watching :flowers:
And any further advice would be most welcome.
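As an added example (not part of the original post, and not a BleepingComputer or HijackThis tool), here is a small Python script that parses HijackThis O2/O20 lines and registry export lines of the shape shown above and reports the cross-references the post walks through by hand: a DLL that is loaded both as a BHO and as a Winlogon Notify handler, and a BHO CLSID that also appears as a value under an unrelated registry key. The sample lines are constructed from this post's entries; the line formats the regexes assume are taken from those entries.

```python
import re

# Constructed sample input, copied from the entries reported in the post above.
HJT_LINES = [
    "O2 - BHO: (no name) - {48b42d0b-0ba6-41f7-a2f4-748b974de2fc} - C:\\WINNT\\system32\\auderf.dll",
    "O20 - Winlogon Notify: auderf - C:\\WINNT\\SYSTEM32\\auderf.dll",
]
REGISTRY_LINES = [
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K]",
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5] @="{48b42d0b-0ba6-41f7-a2f4-748b974de2fc}"',
]

# Assumed line shapes, modelled on the O2/O20 entries quoted in the post.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hjt(lines):
    """Return (section, clsid or None, lower-cased DLL path) for each O2/O20 line."""
    found = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            found.append(("O2", m["clsid"].lower(), m["path"].strip().lower()))
            continue
        m = O20_RE.match(line)
        if m:
            found.append(("O20", None, m["path"].strip().lower()))
    return found


def clsids_in_registry(lines):
    """Collect every GUID-shaped value found in the registry export lines."""
    return {m.group(0).lower() for line in lines for m in CLSID_RE.finditer(line)}


def correlate(hjt_lines, reg_lines):
    """DLLs referenced by more than one load mechanism, and BHO CLSIDs that also
    appear under some other registry key (paths are compared case-insensitively)."""
    entries = parse_hjt(hjt_lines)
    reg_clsids = clsids_in_registry(reg_lines)
    by_path = {}
    for section, _clsid, path in entries:
        by_path.setdefault(path, set()).add(section)
    shared_dlls = sorted(p for p, s in by_path.items() if len(s) > 1)
    matched_clsids = sorted(c for _s, c, _p in entries if c and c in reg_clsids)
    return {"shared_dlls": shared_dlls, "matched_clsids": matched_clsids}


if __name__ == "__main__":
    print(correlate(HJT_LINES, REGISTRY_LINES))
```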

#4 tos226


Posted 30 June 2006 - 03:46 PM

I forgot to mention that on-access scans have to be disabled. The only way, not knowing McAfee, was to stop 2 non-firewall services and 2 non-firewall tasks. I could not find a way to shut it down in an orderly manner.

The reason was that as soon as various cleaners tried to quarantine files, McAfee was objecting that I was trying to put malware onto this computer :thumbsup:, which is why normally safe mode is the way to go.



