Plenty Of Free Parking
Friday, December 23, 2005
 
Getting rid of WinFixer

I was recently afflicted with the WinFixer malware, but I was able to get rid of it using various information and programs available on the Net.

I offer enormous thanks to everyone who puts their own time/effort/bandwidth into eradicating problems of this type.

The WinFixer malware apparently installs itself on your Windows machine using security bugs in Internet Explorer. After that, it pops up IE windows every once in a while (apparently including when you're not actually running IE!) and gives you an ad for WinFixer itself, which, conveniently enough, is supposed to be able to remove malware! I got ads for other sites (porn sites, naturally) which I believe were also coming from the WinFixer malware.

WinFixer itself is trying to pose as real software that people will pay money for, and the WinFixer malware apparently attempts to actually install it on your machine. Some of the instructions you'll see on the Net (particularly from the big time antivirus vendors) basically describe how to deinstall WinFixer itself, but they don't cover getting rid of the malware. In my case, WinFixer itself never got installed, so those particular instructions were useless for me.

I ran McAfee with recent virus data, and it never found this thing. They claim that they will catch WinFixer and label it as a "Potentially Unwanted Program", but I think they're looking for WinFixer itself and not the malware. I don't know if McAfee is capable of catching the malware.

So, to get rid of this thing, I did some Google searches, and one of the things that kept coming up was a tool called HiJackThis (HJT). I downloaded version 1.99.1 from http://www.tomcoyote.org/hjt/. HJT goes through your registry and other system areas, tells you what it finds there, and flags certain things as potential problems. It then gives you the option of correcting each potential problem. It doesn't tell you what to do, though; you get to dig your own grave.

So, using the HJT log and advice from the net, it looked likely that the WinFixer malware in my case was using the "Vundo Trojan", and there's a program available (http://www.atribune.org/downloads/VundoFix.exe) to eliminate it. It's a little bit sneaky, in that the filename it uses isn't always the same. This is the line from the HJT log that was most relevant:

O20 - Winlogon Notify: iiiff - C:\WINDOWS\system32\iiiff.dll

In my searches on the net, I saw many other names for this file. It's a random combination of letters.
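As an added example (not code from the post), here is a small Python scanner that reads HiJackThis-style O20 lines and applies the heuristic described above: a Winlogon Notify entry whose name is a random run of lowercase letters and whose DLL is named after it. The sample log excerpt is constructed (it includes the post's own iiiff line), and the allowlist of stock Windows XP notify packages is an assumption a practitioner would tune for their own build.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed HJT-style log excerpt: the O20 line from the post plus entries
# modelled on stock Windows XP Winlogon Notify subkeys (constructed sample data).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: iiiff - C:\WINDOWS\system32\iiiff.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
"""

# Assumed allowlist: Winlogon Notify subkey name -> DLL shipped with Windows XP SP2.
KNOWN_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Heuristic for the Vundo naming pattern the post describes: 4-8 random lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}$")

class Finding(NamedTuple):
    name: str
    path: str
    verdict: str

def classify_o20(line: str) -> Optional[Finding]:
    """Return a Finding for an O20 line, or None for any other HJT line."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    name, path = m["name"], m["path"]
    dll = path.rsplit("\\", 1)[-1].lower()
    if KNOWN_NOTIFY.get(name.lower()) == dll:
        return Finding(name, path, "known")
    # Unknown entry whose DLL is named after a random-looking subkey: Vundo-style.
    if RANDOM_NAME_RE.match(name) and dll == name + ".dll":
        return Finding(name, path, "suspicious: random-looking name, Vundo pattern")
    return Finding(name, path, "unknown: verify publisher/signature")

def scan_hjt_log(text: str) -> List[Finding]:
    """Classify every O20 line in an HJT log, in order of appearance."""
    return [f for f in (classify_o20(ln) for ln in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.verdict:45} {f.name} -> {f.path}")
```

Entries classed as "unknown" are not necessarily malicious; the point is that an entry absent from the stock list deserves a look before anything is deleted with HJT.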

So, using the procedures given to other people as examples, I downloaded and ran VundoFix.exe, and that seems to have solved all my problems.

Did I infect myself with more malware in the process of downloading and running these random programs off the net? I certainly hope not! I'll run McAfee again soon, but I don't trust it as much as I used to.

Another good site for system tools is sysinternals.com.

I got a lot of information from the forums on tomcoyote.org, dslreports.com, and cs.net.

Again, thanks to everyone who makes the tools available to fix these problems! PayPal donations will be forthcoming.