WinFixer 2005 has me beat

dullard

Elite Member
May 21, 2001
25,479
3,976
126
I was using McAfee with updates every night. Windows was updated as fully as possible. Also was using Windows XP firewall. Not the best protection, but I never had problems before.

Then the WinFixer 2005 popups started coming. About 4 messages appear, and then internet explorer opens up to an ad. Close the ad and IE reopens again, this time to the WinFixer 2005 ad. Close that and IE reopens again, this time in a tiny window (which sets the IE default size small - the only really bothersome thing with this infection). Close that and I'm good for another 2-3 hours.

How can I stop these?

I searched and tried many of the suggestions. Nothing worked so far.
- Downloaded the free AntiVir virus software. It found the WinFixer 2005 installation .exe but nothing else. Deleted that. The problem continued.
- Downloaded AdAware, it did nothing.
- Downloaded Spybot. It found one file related to WinFixer 2005. Deleted it. The problem continued.
- Safe mode is screwed up - Explorer won't stay open for more than 3 seconds. But after hours of trying, I was able to run a virus scan/Adaware/Spybot from Safe mode. Found nothing.
- HijackThis says:

Logfile of HijackThis v1.99.1
Scan saved at 2:26:01 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott Whitney\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\antisrv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...86/client/wuweb_site.cab?1122917336471
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: antisrv - C:\WINDOWS\Cursors\antisrv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Any suggestions?
 

FlyingPenguin

Golden Member
Nov 1, 2000
1,793
0
0
Please refer to my detailed spyware removal instructions here: http://theflyingpenguin.com/spyware-removal.shtml

I see several potential problems in your log. There's a BHO for antisrv.dll that's VERY suspicious since it's a DLL file hiding in the Cursors folder. The AlternaTIFF ActiveX plugin is also suspicious. Please be aware that you can't just nuke these with HijackThis and expect that to be the end of it. I do spyware removal for a living. Refer to the link above.

Hope this helps...

 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
I just dealt with this beast. Note: I never had the actual Winfixer app installed; just the popups.

Here's where it put its files for me. Yours is similar, but not quite the same folder. Mine was in the c:\windows\web\wallpaper folder. Of course, only .jpg files should be there.

Anyway, I used the l2mfix.exe app to FIND these files. Winfixer's dll attaches itself to the Winlogon:Notify process, if I'm remembering right.

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

There were four odd files in my wallpaper folder. A DLL, a couple of .bak files, and a .tmp file. L2mfix also pointed out an oddly named file in my windows\system32 folder (dll file).

I used notepad to view the .tmp file in the \wallpaper folder, and its contents made reference to the weirdly named dll in the \system32 folder, so I knew I was on the right track.

So, to sum it up so far, I used L2mfix.bat in "Scan" mode (first option) to find suspicious entries.

It found a file with an odd name in the \system32 folder, and also a dll file in the \windows\web\wallpaper folder that should normally only have .jpg files.

Once in the wallpaper folder, I noticed a .tmp file, two .bak files, and a .dll file.

Notepad to view .tmp file confirmed that the file found in \windows\system32 was associated with the \wallpaper folder dll.

Ok, so now what? Trying to delete these files manually didn't work. There ARE ways to go about that while windows is running, but I chose an easier route.

I have a parallel installation of XP on my system, which uses different drives than the infected installation. I booted up in that, and deleted the five (5) files I was dealing with.

Four files in the \windows\web\wallpaper folder, and the one .dll in the \windows\system32 folder.

Rebooted to the previously infected system afterwards, and voila, popups gone forever.

Now, if you don't have a parallel install, and you've identified the suspicious files by SCANNING with L2mfix (use notepad to view the .tmp file in the cursors folder if you have one there), you can probably use BartPE's bootable CD to get into your drive and delete these files.

You might also be able to do it in XP's Recovery Console. However, Recovery Console doesn't let you manipulate files in all folders by default. It usually limits you to system areas of Windows, which might be sufficient. But it would be wise to set an environmental variable once in Recovery Console to allow it to "See" all folders:

AllowAllPaths = TRUE
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Try this 1-2-3-4 combo: what I suggested in this thread here, including using Safe Mode. Do use the McAfee scanner that I mention there as part of the arsenal, because with the command line that is given for running the utility, it'll go after WinFixer.

Let me throw a fifth scanner on the pile, use this after the rest: F-Secure BlackLight Beta. More adware is using rootkits to hide itself now.


Bigger picture: if you suspect a browser exploit accomplished this, then don't run your Internet browsers with Computer-Administrator-class credentials if you don't have to. Other vectors of infection are obvious, the 'usual stuff,' but I expect you know about that.
 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
Note: For Winfixer popups, not a single anti-spyware application detected it, much less dealt with it.

They included:

MS Antispyware
Counterspy
Spybot
SpywareBlaster
McAfee Scanner
AVG Antivirus
TrendMicro Housecall Antivirus
TrendMicro scanner
WebRoot Spysweeper

etc., etc., etc. This thing doesn't seem to be on most anti-spyware radars as of yet.
 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
That's a pretty generic link. I saw that when I was first looking for answers, and it didn't help me. But, feel free. I say, whatever works.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
How does it get installed, any info on where it got its foot in the door?
 
Nov 5, 2001
18,366
3
0
There was a link on the Dell forums where someone posted a link to a blog with removal instructions, but I had no way of making sure it wasn't a hoax.
 

dullard

Elite Member
May 21, 2001
25,479
3,976
126
Originally posted by: FlyingPenguin
I see several potential problems in your log. There's a BHO for antisrv.dll that's VERY suspicious since it's a DLL file hiding in the Cursors folder. The AlternaTIFF ActiveX plugin is also suspicious.
I thought the antisrv.dll seemed the most odd. Especially since it appears twice in the log. The AlternaTIFF plugin is required for me (it's a work computer) to view patents online. I downloaded it from the US government's webpage. So I thought it was safe.

I'll try yours and the other people's suggestions later today and post back if anything worked.

 
Nov 5, 2001
18,366
3
0
There is a HijackThis webpage that you can paste your log into and have it analyze it... can't remember the URL.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
It's http://hijackthis.de . dullard, since the command-line McAfee scanner is run from the command line, you can run it right from Task Manager > New Task > CMD > big long command string even if Explorer.exe won't work for more than 3 seconds in Safe Mode.
 

dullard

Elite Member
May 21, 2001
25,479
3,976
126
I realized that I had already tried that l2mfix.exe, that Slikkster suggested. It also identified antisrv.dll as a suspicious file. However, my antivirus software hates that program (it thinks all of the files are infected) and the l2mfix couldn't operate.

I tried FlyingPenguin's webpage. The BHODemon program also identified antisrv.dll but couldn't do anything to it, just like HijackThis and l2mfix. So at least the culprit was identified. BHODemon did however have a link to bleepingcomputer.com that suggested it might be the Vundo.B Trojan that makes dlls with random names. There are manual removal instructions there for that trojan.

The manual removal was very difficult to use as Safe Mode won't run properly. I had to find and run all the programs and files through the Task Manager. But I eventually did it. The program KillBox found antisrv.dll and could kill it. The antisrv.dll would open itself up in at least one other instance every 5 seconds, so it was a long battle of me versus the various instances of it. But I finally conquered it. Mouse skills from years of gaming helped.

Now HijackThis, BHODemon, and l2mfix don't see the antisrv.dll file anymore.

I'll try the computer today and next week and see if WinFixer pop-ups come back. This may have just been a side issue.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
dullard, it sounds like a corporate lappie? VirusScan Enterprise 8.0i, right, not home-user version? You want to switch on all the bells and whistles... mech's stuff on VirusScan Enterprise setup

If they're using ePolicy Orchestrator to control VSE8, then your settings will revert to what ePO Agent wants them to be, probably every 5 minutes or so, in which case the command-line scanner is probably your best bet since it won't be subject to that. But if ePO is disabling any of the following, then you probably ought to get your IT person to change the settings to max: heuristics, compressed-file scanning, and enabling all the Unwanted Programs options. And they should change those both for the real-time protection and the on-demand scanner panels.
 

Jeff7

Lifer
Jan 4, 2001
41,596
19
81
Also sometimes useful is Killbox, by Option^Explicit. It can usually delete a file that you can't delete in Explorer due to the File In Use error. Killbox can terminate the explorer.exe process when it attempts to kill the file.
 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
He did use killbox. See his post above. I was alluding to killbox much earlier when I said "There ARE ways to do that (delete files while in use)..." but since I had a second installation of XP on the same pc, I didn't have to go that route. The infection didn't interfere with my second install, so it was quite easy to delete the files in question by booting to it instead.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
/me is still interested in anyone's theories on how WinFixer 2005 got onto their rigs?
 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
I wish I knew, Mech. The only thing I remember doing out of the ordinary was installing stuff from PCPitstop so I could walk my sister through some troubleshooting. I'm pretty meticulous about not installing spyware or unknown apps.

You need to know something about the Winfixer deal. The popups are not the actual Winfixer application. The popups take you to a page where it wants to download a Winfixer app to your system.

So, it's two separate things. Anyone who has the popups and then installs the Winfixer app has a double problem.

I guess their reasoning is that if they can bombard you with a popup telling you there's something wrong with your system, you might be tempted to install their application to "fix" it. Well, at least that's what they hope newbs will do, anyway.

This is part of my L2mfix logfile that shows the nasty dll in my windows\web\wallpaper folder:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aptapi]
"Asynchronous"=dword:00000001
"DllName"="G:\\WINDOWS\\Web\\WALLPA~1\\aptapi.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"


Looks like this deal is pretty nefarious in that it spawns all kinds of files with different names when different people have it on their systems.

Here's another part of the logfile that shows the spinoff dll Winfixer put in my system32 folder:

Directory Listing of system files:
Volume in drive G is GDRIVE
Volume Serial Number is CC0B-7685

Directory of G:\WINDOWS\System32

08/29/2005 07:57 PM 26,112 pmnnn.dll
08/13/2005 06:23 AM <DIR> dllcache
01/15/2005 01:14 PM <DIR> Microsoft
1 File(s) 26,112 bytes
2 Dir(s) 103,714,045,952 bytes free

See the one named pmnnn.dll? Well, the aptapi.dll file in my wallpaper folder created that pmnnn.dll file. As I mentioned above, the wallpaper folder had aptapi1.bak and aptapi2.bak (or similar), and aptapi.tmp. When I used notepad to look at aptapi.tmp, it revealed text that was very similar to pmnnn.dll. Not exact, but it had a string that said "pmnnnn", and that was close enough for me to tell me that it was associated with the aptapi.dll file.

Of course, all these files are gone now. But I still have the logfile excerpted above.

Remember, my files were named aptapi.dll and pmnnn.dll. But this beast seems to generate names randomly, so those names are not of much use.

The weak part of this guy's planning was that it seems to dump the original dll files in folders where no dll would normally exist. In my case, the \windows\web\wallpaper folder, which only has .jpg files and a thumbnail.db file. So, it stuck out like a sore thumb.

The OP has a dll in his cursors folder. There should only be .cur and .ani files there. So, a dll file again sticks out. I guess he felt most spyware programs wouldn't find stuff there, and he's right. But other programs looking at the registry for things like the "Winlogon" process can easily pick these files up.
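As an added example (not code from this thread or from any of the tools named in it), the script below applies the heuristic Slikkster and FlyingPenguin describe to HijackThis O2/O20 lines and to the Winlogon\Notify export that L2mfix prints: it flags any hooked DLL that lives outside the folders where loaded DLLs normally sit, and reports DLLs wired into more than one load point, as antisrv.dll was in the OP's log. The sample lines are constructed from entries quoted in this thread; the folder whitelist and the hook labels are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from entries quoted in this thread: HijackThis O2 (BHO)
# and O20 (Winlogon Notify) lines, plus a Winlogon\Notify subkey in the .reg style
# that the L2mfix log uses.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\antisrv.dll
O20 - Winlogon Notify: antisrv - C:\WINDOWS\Cursors\antisrv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aptapi]
"DllName"="G:\\WINDOWS\\Web\\WALLPA~1\\aptapi.dll"
"""

# Assumed whitelist: directories (drive letter stripped, lower-cased) where a DLL
# loaded into IE or at logon is unremarkable. A hooked DLL anywhere else
# (Cursors, Web\Wallpaper, ...) is the "sore thumb" the thread describes.
EXPECTED_DLL_DIRS = (r"\windows\system32", r"\windows\system", r"\program files")

# O2/O20 lines end in " - <drive>:\<path>.dll"; the lazy ".*?" stops at the first
# " - " that is followed by a drive letter, so CLSIDs and names containing " - "
# (e.g. "Spybot - Search & Destroy") do not confuse it.
HJT_HOOK = re.compile(r"^(?P<kind>O2|O20) - .*? - (?P<path>[A-Za-z]:\\.+\.dll)\s*$", re.I)
REG_DLLNAME = re.compile(r'^"DllName"="(?P<path>.+\.dll)"\s*$', re.I)


def normalize(path: str) -> str:
    """Collapse .reg-style doubled backslashes and lower-case for comparison."""
    return path.replace("\\\\", "\\").lower()


def dll_dir(norm_path: str) -> str:
    """Directory of a normalized path with the drive letter removed: 'c:\\a\\b.dll' -> '\\a'."""
    no_drive = norm_path[2:] if norm_path[1:2] == ":" else norm_path
    return no_drive.rsplit("\\", 1)[0]


def audit(log_text: str):
    """Return (flagged, multi_hook).

    flagged: {normalized dll path: sorted hook kinds} for DLLs outside EXPECTED_DLL_DIRS.
    multi_hook: DLLs registered under more than one load point (BHO and Winlogon
    Notify), the pattern antisrv.dll showed in the OP's log.
    """
    hooks = defaultdict(set)
    for line in log_text.splitlines():
        m = HJT_HOOK.match(line)
        if m:
            hooks[normalize(m["path"])].add(m["kind"].upper())
            continue
        m = REG_DLLNAME.match(line)
        if m:
            hooks[normalize(m["path"])].add("REG_NOTIFY")
    flagged = {p: sorted(kinds) for p, kinds in hooks.items()
               if not any(dll_dir(p).startswith(d) for d in EXPECTED_DLL_DIRS)}
    multi_hook = sorted(p for p, kinds in hooks.items() if len(kinds) > 1)
    return flagged, multi_hook


if __name__ == "__main__":
    flagged, multi_hook = audit(SAMPLE_LOG)
    for path, kinds in flagged.items():
        print(f"out-of-place DLL: {path}  loaded via {', '.join(kinds)}")
    for path in multi_hook:
        print(f"multiple load points: {path}")
```

Run against the sample it flags the Cursors and Web\Wallpaper DLLs and leaves the Adobe, Spybot and Intel entries alone; on a real log, paste the O2/O20 section and any Winlogon\Notify export into SAMPLE_LOG.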
 

FlyingPenguin

Golden Member
Nov 1, 2000
1,793
0
0
I haven't seen a WinFixer infestation yet. The big problem around here is Aurora and that's a bitch to remove.

 

Braxus

Golden Member
Oct 9, 1999
1,595
0
0
I was recently infected with this piece of adware and yes, it was one of the harder ones to remove. System was infected even though everything was patched up. The dll seems to be named something different on each infected machine. Yours in this case seems to be that antisrv.dll one.

The way I removed it was to run the following:

1. l2mfix

Find any stray dll files that don't look like they should be there using this utility. Usually you can type the dll file in Google and you should be able to find out if it's valid or not. The winfixer dll in my case was in my system32 folder named ssqpq.dll.

If l2mfix doesn't run, another way to search for it is going to the system32 folder in detailed mode and sorting by date, with newest changed files listed first. Usually the dll and similar .ini file are near, if not at the top of the list.

2. VundoFix

This proggy will pretty much kill every process on the machine letting you delete the infected dll. I couldn't remove the infected dll from my machine as it tends to always load right when you logon even in safe mode as it force loads right when you logon (via the Winlogon Notify string I think).

The only other way I know save using this proggy is booting to the command prompt of your drive using a bootable WinXP CD as it bypasses your system drive all together, thus loading nothing allowing you to delete the dll(s).

3. HijackThis!

After Vundofix does its magic, it'll run HiJackThis! which will allow you to remove two important keys: the one under BHO and another under Winlogon Notify. Reboot your machine and this damn winfixer adware should be gone for good. Make sure you delete the ini file.

If HiJackThis! won't run, you may have to manually delete the entries. Though if the dll is gone in the first place via step 2, this step shouldn't be required. Basically the paths are there but the files aren't, so you should be safe. The OS can't load what it can't find.
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,754
958
126
FlyingPenguin,

I've had a tough time with Aurora too on my customers' PCs until I found this:

Aurora:Nail Remover Beta

You simply download it to your desktop, boot into safe mode, run it and it will crash out explorer.exe and then say it's finished installing. It doesn't actually install though, it just means it's finished. Every time I've run it on Aurora infected systems lately, it's worked perfectly. Whoever created it deserves some credit!
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
If anyone else comes along and has sufficient skillz to capture the WinFixer files alive (rename them from the Recovery Console or whatever), I would like to submit them to major antivirus vendors, or you can do so too. Anyone with captive samples, drop me a PM.
 

dullard

Elite Member
May 21, 2001
25,479
3,976
126
Originally posted by: mechBgon
dullard, it sounds like a corporate lappie? VirusScan Enterprise 8.0i, right, not home-user version?
Nope. Very small business. It was a desktop - using the free home-user version that came with the computer.
Originally posted by: mechBgon
/me is still interested in anyone's theories on how WinFixer 2005 got onto their rigs?
I went on vacation for a week and my boss started to use my computer during that time (better room). Who knows what he did. But when I came back the machine was infected.

Seems like things are ok now.
 

FlyingPenguin

Golden Member
Nov 1, 2000
1,793
0
0
Thanks Davey. I spotted that on MajorGeek's a few days ago and downloaded it. Had no opportunity to try it yet.
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,754
958
126
No prob, I've used it many times, it's the only utility I've used that actually does what it says!
 