amaena and winfixer problem

Question

So here's the thing. I've had this stupid dialog box pop up window on my computer for a long time now. I've done everything from. a. running the symantec FixBmalE.exe program in safe mode not connected to the internet. Didn't find anything. b. Housecall MicroTrend c. Spybot Search and Destroy d. Lavasoft ad-aware NOTE: it crashed my browser and took me to the blue screen of death e. Looked into the registry for a winfixer.exe file running, nothing found. f. I've updated my virus protection - Norton g. Read all these confusing forums about fixes and solutions telling me to download more programs to run.   What's the real fix here? There's  files that need to be removed and I'd like to know how to manually do this. I don't need anymore 'software' to download to fix it. There's a path to this thing ... bug on some part of the hard drive and configuration. I'm only a meesly web designer and developer so I don't have these answers. But I understand enough to know someone out there that's reading this knows how to create this evil little script.. so I know they know how to get rid of it as well.   Yours Truly, The not to bright web designer that got stuck with the winfixer/amaena bug.

sirkism · Answer

have you tried the instructions at

http://www.2-spyware.com/remove-winfixer.html

WinFixer manual removal:
Kill processes:
df_kme.exe, install.exe, sr.exe, wfx5.exe
Help: how to kill malicious processes

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinFixer 2005
HKEY_CLASSES_ROOT\CheckProduct2.CheckProduct.1
HKEY_CLASSES_ROOT\CompCleanCore.AppCleaner
HKEY_CLASSES_ROOT\CompCleanCore.AppCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.CCQuickScan
HKEY_CLASSES_ROOT\CompCleanCore.CCQuickScan.1
HKEY_CLASSES_ROOT\CompCleanCore.FileCleaner
HKEY_CLASSES_ROOT\CompCleanCore.FileCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.InetCleaner
HKEY_CLASSES_ROOT\CompCleanCore.InetCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.RegCleaner
HKEY_CLASSES_ROOT\CompCleanCore.RegCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.SystemCleaner
HKEY_CLASSES_ROOT\CompCleanCore.SystemCleaner.1
HKEY_CLASSES_ROOT\df_fixer.Fixer
HKEY_CLASSES_ROOT\df_fixer.Fixer.1
HKEY_CLASSES_ROOT\df_proxy.DriverManipulate
HKEY_CLASSES_ROOT\df_proxy.DriverManipulate.1
HKEY_CLASSES_ROOT\FFCom.FlFixer
HKEY_CLASSES_ROOT\FFWraper.FFEnginWraper
HKEY_CLASSES_ROOT\FFWraper.FFEnginWraper.1
HKEY_CLASSES_ROOT\FixCore.MMFixCore
HKEY_CLASSES_ROOT\FixCore.MMFixCore.1
HKEY_CLASSES_ROOT\MMFixCtrl.CoFixEngine
HKEY_CLASSES_ROOT\MMFixCtrl.CoFixEngine.1
HKEY_CLASSES_ROOT\AppID\checkproduct2.dll
HKEY_CLASSES_ROOT\AppID\compcln.dll
HKEY_CLASSES_ROOT\AppID\ffwraper.dll
HKEY_CLASSES_ROOT\AppID\fixcore.dll
HKEY_CLASSES_ROOT\AppID\mmfixctrl.dll
HKEY_CLASSES_ROOT\CLSID\{08C71FB1-1E66-4D22-9F32-4C045A451306}
HKEY_CLASSES_ROOT\CLSID\{1CDEB41B-905A-4183-AA20-26E075419B46}
HKEY_CLASSES_ROOT\AppID\{25A3C995-10C8-474B-A167-99460AB4AB2B}
HKEY_CLASSES_ROOT\AppID\{287A2BAD-6590-4EFF-9BBC-494385664A73}
HKEY_CLASSES_ROOT\AppID\{290B5B73-4963-4BA1-9D2D-07CB566CB7FA}
HKEY_CLASSES_ROOT\CLSID\{38EDB9E2-D7C4-4575-8905-FE65414FFEAD}
HKEY_CLASSES_ROOT\CLSID\{48349992-1402-4C67-B45B-2E619E641FDB}
HKEY_CLASSES_ROOT\CLSID\{538BC8F3-2E1E-4D2D-A261-158DF6E9B407}
HKEY_CLASSES_ROOT\CLSID\{53ABACCB-434C-4756-A02B-8C2A3F29FB7D}
HKEY_CLASSES_ROOT\CLSID\{66A9C4D0-BC54-4841-8FAA-DB98CBB77BAD}
HKEY_CLASSES_ROOT\CLSID\{84C43108-013C-4513-8578-F50080B9C9D0}
HKEY_CLASSES_ROOT\AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}
HKEY_CLASSES_ROOT\CLSID\{9CC1BE04-3B42-4442-9A46-77E8BC1108F9}
HKEY_CLASSES_ROOT\CLSID\{AA69BBFC-1D28-4960-8061-93C1BB156238}
HKEY_CLASSES_ROOT\CLSID\{B096A483-0ABD-4AF0-856A-CAD36145AF5C}
HKEY_CLASSES_ROOT\CLSID\{B5E427F9-AB38-4348-9076-86870C2BE860}
HKEY_CLASSES_ROOT\CLSID\{C0BC364F-AB33-4778-8047-5A2148E0ECDA}
HKEY_CLASSES_ROOT\CLSID\{C427B3E3-28DC-4001-9590-D99B6776119B}
HKEY_CLASSES_ROOT\CLSID\{CAE8A9B1-ABBD-4159-A485-1DA045A5D4A1}
HKEY_CLASSES_ROOT\AppID\{E8928E69-C050-42A9-8884-94DE85E888A2}
HKEY_CLASSES_ROOT\CLSID\{F41C1430-CFDE-4AD3-B38D-7890F0843E47}
HKEY_CLASSES_ROOT\Interface\{08C71FB1-1E66-4D22-9F32-4C045A451306}
HKEY_CLASSES_ROOT\Interface\{1CE1C25B-F8B4-4974-99D2-5D4AE96B9900}
HKEY_CLASSES_ROOT\Interface\{35096C29-3507-4ABE-B6D8-C7CC881BE020}
HKEY_CLASSES_ROOT\Interface\{38F743A2-210F-49DE-9B79-DCD501CED284}
HKEY_CLASSES_ROOT\Interface\{3EEC290D-FC13-4C83-803D-4802651EEB61}
HKEY_CLASSES_ROOT\Interface\{41A5BBF6-3C9D-4CF9-9A99-32DD37CC290B}
HKEY_CLASSES_ROOT\Interface\{4E4F38D9-8736-41AE-B192-E829AE194398}
HKEY_CLASSES_ROOT\Interface\{4F79D1C5-24F9-4E59-8022-604D4B41D5CA}
HKEY_CLASSES_ROOT\Interface\{66484903-09F4-4330-927D-1F6C214221AC}
HKEY_CLASSES_ROOT\Interface\{7FA14AD6-D8E5-465F-9BD1-A37E26C1A74F}
HKEY_CLASSES_ROOT\Interface\{9E984934-CD94-4763-9DBC-618E483D4B7F}
HKEY_CLASSES_ROOT\Interface\{B115BD8E-B008-46F4-B8B6-3405EB325C3C}
HKEY_CLASSES_ROOT\Interface\{B9DFCF32-B679-4CAD-B7FC-518A48CE3922}
HKEY_CLASSES_ROOT\Interface\{CAE8A9B1-ABBD-4159-A485-1DA045A5D4A1}
HKEY_CLASSES_ROOT\Interface\{CBEEF194-EBC5-4758-9B51-AC34FC135E70}
HKEY_CLASSES_ROOT\Interface\{CD3604CC-2B95-43EE-AFC9-E7444C21BE1C}
HKEY_CLASSES_ROOT\Interface\{D21040FE-0A57-4FAB-8ED2-F0E653E55809}
HKEY_CLASSES_ROOT\Interface\{D7A2488E-53E4-4EDD-AEAA-F24778BEB100}
HKEY_CLASSES_ROOT\Interface\{D7A6DF8D-B6CF-4C27-8E99-ECA2CE370EA7}
HKEY_CLASSES_ROOT\Interface\{F41C1430-CFDE-4AD3-B38D-7890F0843E47}
HKEY_CLASSES_ROOT\Interface\{F6C1582E-B11C-4724-B8F6-240457EF1D2A}
HKEY_CLASSES_ROOT\Interface\{FB787D5E-0C7C-4BAB-B45D-20325FB886DB}
HKEY_CLASSES_ROOT\TypeLib\{0E9F6AC0-A21A-4591-910F-E2C6F3CA094C}
HKEY_CLASSES_ROOT\TypeLib\{30ED49A5-CA6C-4918-B5F3-5E6818C91D8B}
HKEY_CLASSES_ROOT\TypeLib\{4DCEEA42-794D-4855-9ECC-20DCF5F4FEA7}
HKEY_CLASSES_ROOT\TypeLib\{6A077841-5016-42C8-92C8-F2D6B865BCD1}
HKEY_CLASSES_ROOT\TypeLib\{AD70AC89-F460-4E7E-B5A5-7EAF7E207736}
HKEY_CLASSES_ROOT\TypeLib\{B6625280-8CD8-4632-97C0-83CEC12A49A3}
HKEY_CLASSES_ROOT\TypeLib\{F458ADAE-D53B-4859-B99F-9FA127791278}
HKEY_CLASSES_ROOT\TypeLib\{FC76A5B8-DB35-4F3E-8B9A-BF0EEA098D64}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\df_kmd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df_kmd.sys
HKEY_CURRENT_USER\Software\WinSoftware
HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WFX5_is1
Help: how to remove registry entries

Delete files:
df_kme.exe, install.exe, sr.exe, wfx5.exe, crxml.dll, compcln.dll, df_fixer.dll, df_proxy.dll, ffcom.dll, ffwraper.dll, filetyperecognizer.dll, fixcore.dll, mmfix.dll, oedrop.dll, pcheck.dll, strres.dll, df_kmd.sys, flash.ini
Help: how to remove harmful files

Delete directories:
C:\Program Files\WinFixer 2005
C:\Program Files\Common Files\WinSoftware
C:\Documents and Settings\All Users\Start Menu\Programs\WinFixer 2005

Misc:
Exact file location:
crxml.dll, pcheck.dll - C:\Program Files\Common Files\WinSoftware
df_kme.exe - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
df_kmd.sys - C:\Program Files\WinFixer 2005; C:\Windows\System\Drivers, C:\Windows\System32\Drivers or C:\Winnt\System32\Drivers
--------------------taken from the link above-------------
there is also a link to a automatic removal tool on the website.

ky331 · Answer

chohoh,   one of the problems with WinFixer is that there are several different 'varieties' of it, including:   Vundo/Virtumundo trojans, installers, SurfAccuracy, and Rootkits.   And each version has a separate fix of its own --- most of which will require you to download one or more additional programs.   Any list of programs and registry keys to be deleted, such as suggested in the above reply, will only work for you if you happen to have that particular version of WinFixer.   Statistically speaking, the most common form of WinFixer is based on a Vundo/Virtumundo trojan.  And if that's the type you have, you'll probably need to run Atribune's VundoFix (version 4.2.27 or higher).     But if you have a different type, you'll first need to run HiJackThis to see what form of WinFixer you actually have... and then, an appropriate fix can be suggested.       Message Edited by ky331 on 03-01-2006 08:00 AM

stan1902 · Answer

I'm the latest with this problem.  I get the winfixer, amaena, sysprotect, etc popups.   I would appreciate advice on how to remove?

ky331 · Answer

download and run atribune's vundofix, per directions here:   http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=29584   let's see if that helps....

Virus & Spyware

Was this post helpful?