Computer Talk Discussions here pertain to mods, troubleshooting, and PC/console gaming

Winfixer has invaded my laptop...

Old 10-18-2005, 05:26 AM
  #1  
Contributing Member
Thread Starter
 
rimpainter.com's Avatar
 
Angry Winfixer has invaded my laptop...

Toshiba Satellite running Windows XP. Somehow I got this stupid Winfixer thing on my laptop and it keeps popping up. My security was pretty high, so it must have been something I downloaded – I don’t know. Anyway, I installed Ad-aware SE and did a full system scan. The scan found 27 items and quarantined them. I then deleted them. The Winfixer keeps popping up, so Ad-aware obviously did not solve the problem.

I then tried (downloaded) another program that does something similar to Ad-aware but specifically targets crap like Winfixer. It found over 100 “issues” and rated them from dangerous to severe. Of course it was “unregistered” and mentioned nothing about paying a fee at the end, so I was never able to remove that junk from my system because I didn’t want to pay the “hidden” $30 charge.

This really makes me mad. I don’t think I ever really understood how bad the spyware issue was until it actually happened to me (that I knew of). How can these jerks get away with this? Can’t some computer genius take these guys down?

Anyway, I have done some searches on Google for “how to remove Winfixer” and read through some posts – mainly threads in chat rooms – that go a bit beyond my capabilities, like going into registries and deleting stuff. I am not a computer guru, so go easy on me. I have checked for Winfixer in the Add/Remove programs list and found nothing.

In addition to the Ad-aware scan, is there anything free that will zap this Winfixer junk? I don’t even want to do banking on my laptop now. This sucks.

Thanks in advance for the advice/help.

Last edited by rimpainter.com; 10-18-2005 at 05:28 AM.
Old 10-18-2005, 06:04 AM
  #2  
Registered User
 
4Hummer's Avatar
 
Ad-aware cannot remove the file completely because it is running in the background, and it re-loads itself after a re-boot. You need to shut the service down first.

Use a program called HIJACK THIS... (it's free) to remove any unneeded services and crap that load at startup. A lot of spyware and viruses don't show up with msconfig.

http://www.majorgeeks.com/download3155.html

Run both AVG Antivirus (it's free too) and Ad-Aware again
Link to Free AVG : http://free.grisoft.com/doc/2/lng/us/tpl/v5

Last edited by 4Hummer; 10-18-2005 at 10:21 AM.
Old 10-18-2005, 06:07 AM
  #3  
Co-Founder/Administrator
Staff
iTrader: (1)
 
Corey's Avatar
 
This PC at work had that on it, I kept seeing the pop up window for it.
I DL'd Spybot Search & Destroy and installed it on the old PII 300 or whatever boat anchor it is, and it fixed it.

It took a reboot and another pass at it, but it got rid of all the spyware on that box, around 27 or so.
Old 10-18-2005, 06:11 AM
  #4  
Registered User
 
midiwall's Avatar
 
hmm...

These guys point to a couple of apps:
http://www.softwarepatch.com/tips/wi...ove-popup.html

Some more options here:
http://winfixer.f2g.net/


I figure you're up now so I'll post this and keep looking for more.
Old 10-18-2005, 07:33 AM
  #5  
Registered User
 
Churnd's Avatar
 
I just cleaned a laptop that had Winfixer. I used Microsoft Antispyware, and it seemed to do the trick.
Old 10-18-2005, 07:49 AM
  #6  
Contributing Member
 
rwmorrisonjr's Avatar
 
I'm running AdAware, SpyBot, Spy Sweeper, MS Anti-spyware and AVG and don't have a lot of issues. I'm going to DL HijackThis and see what else is running on my machine that might be getting missed.
Old 10-18-2005, 08:13 AM
  #7  
Registered User
 
PirateFins's Avatar
 
Originally Posted by Churnd
I just cleaned a laptop that had Winfixer. I used Microsoft Antispyware, and it seemed to do the trick.
Right on the money. I was going to suggest using the Microsoft Antispyware also. Lots of good tools and removers inside the program. I have not had one problem with spyware since using MS antispy along with ZoneAlarm Pro.

Make sure when you run your scans you follow these steps.

1. Disconnect from the internet
2. Turn off System Restore (and remove old restore points)
3. Reboot into safe mode (only loads limited resources)
4. Run all Anti-spy and Antivirus scans (using multiple scanners is a good thing as some catch things others do not).
5. Type "msconfig" in the run box and look at the startup entries to make sure nothing is trying to load that shouldn't be. This feature is also available in the Microsoft anti-spy under tools.
6. Reboot normal
7. Run Scans again
8. Turn on System Restore
9. Reboot and enjoy nice clean machine.

Hope that helps.
Old 10-18-2005, 11:13 AM
  #8  
Contributing Member
Thread Starter
 
rimpainter.com's Avatar
 
Wow, you guys are helpful. I am actually at work right now, but I am going to DL that MSFT deal tonight. Thanks.
Old 10-19-2005, 05:08 AM
  #9  
Contributing Member
Thread Starter
 
rimpainter.com's Avatar
 
Originally Posted by PirateFins
1. Disconnect from the internet
2. Turn off System Restore (and remove old restore points)
3. Reboot into safe mode (only loads limited resources)
4. Run all Anti-spy and Antivirus scans (using multiple scanners is a good thing as some catch things others do not).
5. Type "msconfig" in the run box and look at the startup entries to make sure nothing is trying to load that shouldn't be. This feature is also available in the Microsoft anti-spy under tools.
6. Reboot normal
7. Run Scans again
8. Turn on System Restore
9. Reboot and enjoy nice clean machine.

Hope that helps.
I followed this as instructed and ran the MSFT antispyware and Ad-aware SE. MSFT found nothing and Ad-aware found 13 things. I quarantined and deleted the 13 items, rebooted into normal mode, and rechecked system restore. About 5 minutes into surfing the net, WinFixer came back. Any other ideas? Should I do the same thing, only add another Spyware "killer" to my arsenal?
Old 10-19-2005, 05:15 AM
  #10  
Registered User
 
Churnd's Avatar
 
You could also try the trial version of Webroot Spysweeper, which does a very good job also. Did you update MS AntiSpy before you used it? I thought it was odd it didn't catch anything.
Old 10-19-2005, 05:46 AM
  #11  
Registered User
 
PirateFins's Avatar
 
Also, did you use the MS antispy tools section to check the startup section and other areas it helps clean?

I found some very detailed instructions on another forum to help you get rid of it.

http://www.geekstogo.com/forum/index...T&f=37&t=62589

It looks like these are the registry entries you are trying to get rid of:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\mlljk.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll

I would use the instructions on the page along with downloading Hijackthis.

Hope that helps.





Hope that works for you.

Last edited by PirateFins; 10-19-2005 at 05:59 AM.
Old 10-30-2005, 05:52 PM
  #12  
Contributing Member
Thread Starter
 
rimpainter.com's Avatar
 
I have just about had it with this Winfixer crap. I am seriously ready to just reformat my HD and be done with it (if that would even solve it). I have tried the safe mode thing mentioned above, ran MS Antispyware a number of times in safe and normal mode (it detects something called "Virtumundo" each scan, then allegedly kills it), installed and ran Ad-aware SE (it has detected a number of issues and quarantined and removed them all), did a clean sweep of my temp files (internet and other), and screamed.

Ever since this thing showed up, I get an error message for "pad.exe" at start-up. I assume that has something to do with my touch pad, but it works ok. I wonder if Winfixer has something to do with this.

Man, this really pisses me off. How can people get away with this? It really has changed the performance of my PC, and it is really annoying. Argh!

Any other somewhat easy ideas?

Thanks.
Old 10-30-2005, 06:27 PM
  #13  
Registered User
 
Churnd's Avatar
 
Very time consuming, and may or may not be worth it vs. formatting the drive, but here ya go:

http://theflyingpenguin.com/spyware-removal.shtml
Old 10-31-2005, 01:07 AM
  #14  
Co-Founder/Administrator
Staff
iTrader: (1)
 
Corey's Avatar
 
Originally Posted by <96 Runner>
Man, this really pisses me off. How can people get away with this? It really has changed the performance of my PC, and it is really annoying. Argh!
That is just it, they are getting away with it.
If I had my way, I would tie them up between two 'Yotas and let 'er rip.
Spyware is no different than someone breaking into your home, where you have the legal right to shoot them.
Old 10-31-2005, 02:41 AM
  #15  
Registered User
 
drkgypsy's Avatar
 
1. disable system restore
2. run spybot, delete whatever it tells you, don't quarantine anything
3. run ad-aware, delete what files that tells you to. again do not quarantine

4. cold boot your machine into safe mode
5. while in safe mode, delete all restore points, scan the registry, defrag and run error check
6. cold boot again this time in normal mode, scan and backup the registry.
7. run spybot, should be clean as a whistle now....
8. turn on system restore, create new restore point..cold boot again after waiting 1-2 min before boot up.


Very time consuming.....trust me......just did it on my friend's machine almost 3 weeks ago....still having nightmares....



:::sniff...sniff... It rains way too much here in Cougar, Wa....it's gonna a loooong 2 or so months before I can get back home and get back to my truck..I know it misses me:::::<----that wasn't whining....nobody heard anything...really it wasn't....muhahahahaha

Last edited by drkgypsy; 10-31-2005 at 03:01 AM.
Old 11-09-2005, 12:59 PM
  #16  
Registered User
 
midiwall's Avatar
 
I thought I'd add my 2 cents into this...

I've been at DarylD's house for the past 4 hours fighting this &*!@%# and we're only a hair closer to getting rid of it.

One thing that I've ID'd is that the app will randomize its name on install. For example, Brad (PirateFins) refers to the Hijack log above and sees "O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll". On Daryl's system, this thing has installed itself as "gebcy.dll".

In itself, that's not a problem, but when you delete the registry entries for the launch on notify, they get re-created on the next boot - even in safemode. argh.

As well, the DLL itself is in use (yes, in safemode) so you can't delete it... But again there's a companion app somewhere that will re-create the DLL (and launch entries) as soon as it finds it missing.

This is all "classic" tactics, but damn it's a pain. Very well implemented...

fwiw, Daryl now has SpyBot, AdAware, MS Anti, SpyCatcher and SpywareDetector all installed. For the most part, 50% of these apps won't find anything but the other ones will. In one case, I had AdWare & SpyBot report clean only to have MS Anti find 16 instances.

The root issue at the moment seems to be that NONE of the apps will set up a delete-on-next-boot scenario that TRULY gets rid of the app (and its friend). It may get rid of the root DLL, but the companion will recreate it before it itself can be deleted.

And yes... again... I'm in safemode and watching this happen. It's a little ugly.


My next attempt will be to use the Windows Ultimate Boot CD (basically Linux with a NICE utility shell) to boot the machine from a non-Windows OS and then get access to the drives and whack the DLL. I have a low expectation of this working since I imagine that the companion will be there to replace it.

"argh" "argh" "argh"
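Added example, not part of any post in this thread: a small Python parser for the HijackThis lines quoted in post #11, which flags the two patterns the thread describes (a BHO whose file is missing, and one DLL registered both as a BHO and as a Winlogon Notify entry) without relying on the DLL's name, since post #16 reports the name is randomized per install. The function names and the pairing heuristic are assumptions made for this illustration; the sample log is constructed from the four lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the four HijackThis lines quoted in post #11.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\mlljk.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
"""

# One pattern per HijackThis section seen in the thread (O2, O4, O20).
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
RUN = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")

def parse(log):
    """Return one dict per recognised O2/O4/O20 line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        for kind, rx in (("bho", BHO), ("run", RUN), ("notify", NOTIFY)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, **m.groupdict()})
                break
    return entries

def findings(entries):
    """Heuristic (assumption): flag by registration pattern, not by file name."""
    by_target = defaultdict(set)
    for e in entries:
        by_target[e["target"].lower()].add(e["kind"])
    out = []
    for e in entries:
        # A BHO registration left behind after its file was deleted.
        if e["kind"] == "bho" and e["target"] == "(no file)":
            out.append(("orphan-bho", e["clsid"]))
    for target, kinds in sorted(by_target.items()):
        # Same DLL hooked into IE and into Winlogon, as in the quoted log.
        if {"bho", "notify"} <= kinds:
            out.append(("bho+winlogon-notify", target))
    return out

if __name__ == "__main__":
    for finding in findings(parse(SAMPLE_LOG)):
        print(finding)
```
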
Old 11-09-2005, 01:22 PM
  #17  
Contributing Member
Thread Starter
 
rimpainter.com's Avatar
 
Good, at least the pros are having trouble. I don't mean that in a bad way of course, but it makes me feel better that you PC-savvy guys are having trouble with this piece of work. Yeah, I would also like to know where this piece of junk's "friend" is hiding out. Keep us posted Mark.

Old 11-09-2005, 01:22 PM
  #18  
Registered User
 
Churnd's Avatar
 
Backup & Reformat... my two favorite words that solve ALL problems.

Seriously, if you find a solution, let me know via posting here, PM me, or whatever. I get a nasty feeling I'm gonna be seeing more of this in the near future.
Old 11-09-2005, 01:37 PM
  #19  
Registered User
 
midiwall's Avatar
 
Okay.. I THINK I found an interim solution...

Check into BHO Demon. This won't REMOVE WinFixer, but it will disconnect it from IE thus stopping the popups.

A "BHO" is a "Browser Helper Object" and it's what's allowing the DLL to hook into IE. If you kill the connection then it will stop the popups. I've been surfing and typing for about 20 minutes now and that's appx 19:20 longer than I've been able to previously.

One thing to be sure to do though is to run BHODemon under EACH account that you have on your machine. The IE BHO hooks are stored per account, not system wide.

My plan at the moment is to leave Daryl like this and see what happens across the next 24 hours. In the meantime that'll give me some time to surf and find more info on getting rid of this thing. Once Daryl and I can get our schedules back in sync, I'll be back to try again to kill it for real.


And yeah Chris, I love reformatting to fix Windows, but Daryl has separate accounts on here for his wife and kids, and ... eek. It's a lotta stuff to rebuild. (a backup & restore cycle isn't really practical)
Old 11-09-2005, 01:41 PM
  #20  
Registered User
 
Kevin286's Avatar
 
I don't think this counts as 2 cents even, but I removed winfixer off a friend's laptop last week. I used ad-aware SE Pro. After removing all that could be removed it needed to reboot to remove the rest. Before the welcome screen came up, Ad-aware ran and removed the remaining files to winfixer. Of course the pro version of ad-aware costs but sometimes it's worth it. Oh yeah, also a quick way to see what is loading at startup. Start>run "msconfig" then click the startup tab.
Good Luck
:bounce2:



All times are GMT -8.