aptnetworks asked:

Winfixer

I have Winfixer popups on my laptop. I have tried HJT, Ewido, Spybot S&D, Ad-aware, and 6 or 7 other anti-spyware/adware programs. I have it 90% cleaned up... but I'm missing something because it keeps coming back. Some of the anti-spyware programs found winfixer or a trojan and removed them, and now they find nothing, but alas winfixer is still on board. Any ideas?
I've tried the steps in the two current postings on the site where winfixer was cleaned up... but I think I have a variant or something.
rpggamergirl replied:

Winfixer popups point to at least 2 specific malware infections; can we look at your HijackThis log please?
download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe

Open HijackThis and click "Scan and save a logfile". Don't fix anything yet; just upload the logfile it creates and post the link to the log here.

Or copy and paste the log at
http://www.hijackthis.de/
and click Analyse, then Save. Post a link to the saved list here.
You said you already used HijackThis; can we look at the HJT log? Winfixer entries normally show up there. It will show us which specific malware is causing the winfixer popups, and then we can advise you on the right tool to use.
The most common cause of winfixer popups is a Vundo infection. Have you tried either of these fixes below?

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.

2. Download VirtumundoBeGone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.
aptnetworks (asker) replied:

Already used VundoFix... it helped a little, I think.
I updated to the latest Spybot Search and Destroy just now, ran it again, and it found a registry entry for a firewall redirector? for XP SP2... it removed it, and there hasn't been a popup since. I usually get them once for about every 5 or 10 times I open IE.
I'll close this post if that fixed it... thanks for the suggestions.
If I get another pop-up today, I'll post HJT and VBG.txt to this thread.
Thanks guys!
aptnetworks replied:

RPG Gamer Girl... Here you go.

http://www.hijackthis.de/logfiles/f28e6bb1d4de2a000c99187c062f1e35.html

It appears sstqq.dll is the culprit... just delete it? Or what?
Oh... it's still on my machine, BTW; Spybot S&D is just blocking it. I don't want it just blocked, I want it OFF!!!

rpggamergirl replied:

I can see the problem, and it is a Vundo infection.
Try the second link I gave you; if that doesn't fix the problem, I'll help you remove it manually.

Download VirtumundoBeGone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.

aptnetworks replied:

Gamer Girl...

[02/11/2006, 17:09:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\tlangham\Desktop\VirtumundoBeGone.exe" )
[02/11/2006, 17:09:51] - Detected System Information:
[02/11/2006, 17:09:51] -  Windows Version: 5.1.2600, Service Pack 2
[02/11/2006, 17:09:51] -  Current Username: tlangham (Admin)
[02/11/2006, 17:09:51] -  Windows is in NORMAL mode.
[02/11/2006, 17:09:51] - Searching for Browser Helper Objects:
[02/11/2006, 17:09:51] -  BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[02/11/2006, 17:09:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/11/2006, 17:09:51] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[02/11/2006, 17:09:52] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[02/11/2006, 17:09:52] -  BHO 2: {83A5F7B7-DC75-44CE-9195-264F41709FA9} (ATLDistrib Object)
[02/11/2006, 17:09:52] - ALERT: Found ATLDistrib Object!
[02/11/2006, 17:09:52] - Finished Searching Browser Helper Objects
[02/11/2006, 17:09:52] - *** Detected ATLDistrib Object
[02/11/2006, 17:09:52] - Trying to remove ATLDistrib Object...
[02/11/2006, 17:09:53] -    Terminating Process: IEXPLORE.EXE
[02/11/2006, 17:09:53] -    Terminating Process: RUNDLL32.EXE
[02/11/2006, 17:09:53] -    Disabling Automatic Shell Restart
[02/11/2006, 17:09:53] -    Terminating Process: EXPLORER.EXE
[02/11/2006, 17:09:53] -    Suspending the NT Session Manager System Service
[02/11/2006, 17:09:53] -    Terminating Windows NT Logon/Logoff Manager
[02/11/2006, 17:09:53] -    Re-enabling Automatic Shell Restart
[02/11/2006, 17:09:53] -   File to disable: C:\WINDOWS\system32\sstqq.dll
[02/11/2006, 17:09:53] -  Renaming C:\WINDOWS\system32\sstqq.dll -> C:\WINDOWS\system32\sstqq.dll.vir
[02/11/2006, 17:09:53] -  File successfully renamed!
[02/11/2006, 17:09:53] -   Removing HKLM\...\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[02/11/2006, 17:09:53] -   Removing HKCR\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[02/11/2006, 17:09:53] -   Adding Kill Bit for ActiveX for GUID: {83A5F7B7-DC75-44CE-9195-264F41709FA9}
[02/11/2006, 17:09:53] -   Deleting ATLEvents/MSEvents Registry entries
[02/11/2006, 17:09:53] -   Removing HKLM\...\Winlogon\Notify\sstqq
[02/11/2006, 17:09:53] - Searching for Browser Helper Objects:
[02/11/2006, 17:09:53] -  BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[02/11/2006, 17:09:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/11/2006, 17:09:53] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[02/11/2006, 17:09:53] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[02/11/2006, 17:09:54] - Finished Searching Browser Helper Objects
[02/11/2006, 17:09:54] - Finishing up...
[02/11/2006, 17:09:54] - A restart is needed.
[02/11/2006, 17:09:54] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[02/11/2006, 17:10:09] - Attempting to Restart via STOP error (Blue Screen!)

It found the "nasty" file and removed it... problem solved?
And it was sstqq.dll.
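The VBG log above shows exactly where Vundo hooks in: a Browser Helper Object CLSID under HKLM pointing at a random-name DLL in system32, the matching HKCR\CLSID entry, and a Winlogon\Notify package that loads the same DLL into winlogon.exe, plus an ActiveX kill bit added on the way out. The read-only PowerShell script below is an added example for auditing those same persistence points after a cleanup; it is not part of this thread and is not code from VirtumundoBeGone, VundoFix or HijackThis. It assumes the standard IE, Explorer and Winlogon registry paths, an elevated PowerShell, and uses the ATLDistrib Object CLSID from the log as the only known-bad GUID.

```powershell
# Added audit script (not from the thread, VirtumundoBeGone or VundoFix).
# Read-only: enumerates the persistence points the VBG log shows being
# cleaned and flags anything that still looks like Vundo. Run elevated.
# Registry paths are the standard IE/Explorer/Winlogon ones; the CLSID in
# $KnownBad is the ATLDistrib Object GUID from the VBG log above.

$KnownBad = @('{83A5F7B7-DC75-44CE-9195-264F41709FA9}')

function Test-KillBit {
    param([string]$Clsid)
    # IE refuses to instantiate a control whose ActiveX Compatibility entry
    # has the 0x400 "kill bit" set; VBG adds this for the CLSID it removes.
    $k = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -Path $k)) { return $false }
    $flags = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band 0x400) -ne 0)
}

function Get-BhoEntries {
    # Every registered Browser Helper Object, resolved through HKCR\CLSID to
    # its display name and the DLL IE would load for it.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -Path $bhoRoot)) { return @() }
    Get-ChildItem -Path $bhoRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path -Path $clsKey) {
            $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            NoName     = [string]::IsNullOrEmpty($name)   # VBG's own heuristic
            KnownBad   = ($KnownBad -contains $clsid)
            KillBitSet = Test-KillBit -Clsid $clsid
        }
    }
}

function Get-WinlogonNotify {
    # Winlogon\Notify packages are DLLs loaded into winlogon.exe at logon
    # (the log removed HKLM\...\Winlogon\Notify\sstqq). Report each package
    # and whether its DLL is still on disk.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path -Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $dllName = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        $path = $dllName
        if ($dllName -and -not [System.IO.Path]::IsPathRooted($dllName)) {
            $path = Join-Path -Path "$env:SystemRoot\system32" -ChildPath $dllName
        }
        $onDisk = $false
        if ($path) { $onDisk = Test-Path -Path $path }
        [pscustomobject]@{
            Package   = $_.PSChildName
            DllName   = $dllName
            DllOnDisk = $onDisk
        }
    }
}

Write-Output '== Browser Helper Objects =='
Get-BhoEntries | Format-Table CLSID, Name, Dll, NoName, KnownBad, KillBitSet -AutoSize

Write-Output '== Winlogon\Notify packages =='
Get-WinlogonNotify | Format-Table -AutoSize

# VBG renames the payload to *.vir instead of deleting it; list leftovers so
# they can be submitted to a scanner or deleted once the machine is clean.
Write-Output '== Renamed payloads left in system32 =='
Get-ChildItem -Path "$env:SystemRoot\system32" -Filter '*.vir' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A BHO with no default name is only a hint, not proof: the first BHO in the log is nameless too, and VBG moves on after checking it against Spybot's SDHelper entry, so look at the Dll column before deleting anything. On 64-bit Windows the same BHO keys also exist under Wow6432Node and would need a second pass; Winlogon\Notify is honoured by XP and 2003 but ignored from Vista onward, which is why the Winlogon hook matters on the XP SP2 machine in this thread.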
ASKER CERTIFIED SOLUTION
rpggamergirl replied:

Yeah, it's gone from your HijackThis log!
Good job!

Thanks for the points with an "A" grading!

Happy computing! :)
aptnetworks replied:

Thanks Gamer Girl...
Who says chicks don't rule? I've worked on that damn WinFixer for three weeks!
You da girl.
Thanks again.
rpggamergirl replied:

Thanks for the compliments, very much appreciated :)
Most Askers give points but never say thanks.
Some Askers give a low grading (an "A" grade makes a lot of difference in points).
Some Askers just abandon their thread, not caring if anyone has replied to it.

I have to say, you are a perfect Asker! The best!
Thank you so much :)