Getting rid of WinFixer

I was recently inflicted with the WinFixer malware, but I was able to get rid of it using various information and programs available on the Net.

I offer enormous thanks to everyone who puts their own time/effort/bandwidth into eradicating problems of this type.

The WinFixer malware apparently installs itself on your Windows machine using security bugs in Internet Explorer. After that, it pops up IE windows every once in a while (apparently including when you're not actually running IE!) and gives you an ad for WinFixer itself, which, conveniently enough, is supposed to be able to remove malware! I got ads for other sites (porn sites nauturally) which I believe were also coming from the WinFixer malware.

WinFixer itself is trying to pose as real software that people will pay money for, and the WinFixer malware apparently attempts to actually install it on your machine. Some of the instructions you'll see on the Net (particularly from the big time antivirus vendors) basically describe how to deinstall WinFixer itself, but they don't cover getting rid of the malware. In my case, WinFixer itself never got installed, so those particular instructions were useless for me.

I ran McAfee with recent virus data, and it never found this thing. They claim that they will catch WinFixer and label it as a "Potentially Unwanted Program", but I think they're looking for WinFixer itself and not the malware. I don't know if McAfee is capable of catching the malware.

So, to get rid of this thing, I did some google searches, and one of the things that kept coming up was a tool called HiJackThis (hjt). I downloaded version 1.99.1 from http://www.tomcoyote.org/hjt/. HJT goes through your registry and other system areas and tells you what it find there, and flags certain things as potential problems. It then gives you the option of correcting each potential problem. It doesn't tell you what to do, though, you get to dig your own grave.

So, using the HJT log and advice from the net, it looked likely that the WinFixer malware in my case was using the "Vundo Trojan", and there's a program available (http://www.atribune.org/downloads/VundoFix.exe) to eliminate it. It's a little bit sneaky, in that the filename it uses isn't always the same. This is the line from the HJT log that was most relevant:

O20 - Winlogon Notify: iiiff - C:\WINDOWS\system32\iiiff.dll

In my searches on the net, I saw many other names for this file. It's a random combination of letters.

So, using the procedures given to other people as examples, I downloaded and ran VundoFix.exe, and that seems to have solved all my problems.

Did I infect myself with more malware in the process of downloading and running these random programs off the net? I certainly hope not! I'll run McAfee again soon, but I don't trust it as much as I used to.

Another good site for system tools is sysinternals.com.

I got a lot of information from the forums on tomcoyote.org, dslreports.com, and cs.net.

Again, thanks to everyone who makes the tools available to fix these problems! PayPal donations will be forthcoming. 

¶ 12/23/2005 09:05:00 AM