aptnetworks
Winfixer
I have Winfixer popups on my laptop. I have tried HJT, Ewido, Spybot S&D, Ad-aware, and 6 or 7 other anti-spyware/adware programs. I have it 90% cleaned up... but I'm missing something because it keeps coming back. Some of the anti-spyware programs found Winfixer or a trojan and removed them, and now they find nothing, but alas Winfixer is still on board. Any ideas?
I've tried the steps in the two current postings on the site where winfixer was cleaned up... but I think I have a variant or something.
You said you already used HijackThis. Can we look at the HJT log? Winfixer entries normally show up there; it will show us the specific malware that is causing the Winfixer popups, and then we can advise you on the right tool to use.
The most common cause of Winfixer popups is a Vundo infection. Have you tried either of the fixes below?
1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
2. Download VirtumundoBegone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop, called VBG.TXT, in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.
ASKER
Already used Vundo... it helped a little I think.
I updated to the latest Spybot Search and Destroy just now, ran it again, and it found a registry entry for a firewall redirector? for XP SP2... it removed it, and there hasn't been a popup since. I usually get them once for about every 5 or 10 times I open IE.
I'll close this post if that fixed it... thanks for the suggestions.
If I get another pop-up today, I'll post HJT and VBG.txt to this thread.
Thanks guys!
ASKER
RPG Gamer Girl... Here you go.
http://www.hijackthis.de/logfiles/f28e6bb1d4de2a000c99187c062f1e35.html
It appears sstqq.dll is the culprit... just delete it? Or what?
ASKER
Oh... it's still on my machine BTW, Spybot S&D is just blocking it. I don't want it just blocked, I want it OFF!!!
I can see the problem, and it is a Vundo infection.
try the second link I gave you, if that doesn't fix the problem, I'll help you remove it manually.
Download VirtumundoBegone from here:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot. If you like, post the log that is created on your desktop, called VBG.TXT, in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" message; it is normal and expected.
ASKER
Gamer Girl...
[02/11/2006, 17:09:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\tlangham\Desktop\VirtumundoBeGone.exe" )
[02/11/2006, 17:09:51] - Detected System Information:
[02/11/2006, 17:09:51] - Windows Version: 5.1.2600, Service Pack 2
[02/11/2006, 17:09:51] - Current Username: tlangham (Admin)
[02/11/2006, 17:09:51] - Windows is in NORMAL mode.
[02/11/2006, 17:09:51] - Searching for Browser Helper Objects:
[02/11/2006, 17:09:51] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[02/11/2006, 17:09:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/11/2006, 17:09:51] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[02/11/2006, 17:09:52] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[02/11/2006, 17:09:52] - BHO 2: {83A5F7B7-DC75-44CE-9195-264F41709FA9} (ATLDistrib Object)
[02/11/2006, 17:09:52] - ALERT: Found ATLDistrib Object!
[02/11/2006, 17:09:52] - Finished Searching Browser Helper Objects
[02/11/2006, 17:09:52] - *** Detected ATLDistrib Object
[02/11/2006, 17:09:52] - Trying to remove ATLDistrib Object...
[02/11/2006, 17:09:53] - Terminating Process: IEXPLORE.EXE
[02/11/2006, 17:09:53] - Terminating Process: RUNDLL32.EXE
[02/11/2006, 17:09:53] - Disabling Automatic Shell Restart
[02/11/2006, 17:09:53] - Terminating Process: EXPLORER.EXE
[02/11/2006, 17:09:53] - Suspending the NT Session Manager System Service
[02/11/2006, 17:09:53] - Terminating Windows NT Logon/Logoff Manager
[02/11/2006, 17:09:53] - Re-enabling Automatic Shell Restart
[02/11/2006, 17:09:53] - File to disable: C:\WINDOWS\system32\sstqq.dll
[02/11/2006, 17:09:53] - Renaming C:\WINDOWS\system32\sstqq.dll -> C:\WINDOWS\system32\sstqq.dll.vir
[02/11/2006, 17:09:53] - File successfully renamed!
[02/11/2006, 17:09:53] - Removing HKLM\...\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[02/11/2006, 17:09:53] - Removing HKCR\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
[02/11/2006, 17:09:53] - Adding Kill Bit for ActiveX for GUID: {83A5F7B7-DC75-44CE-9195-264F41709FA9}
[02/11/2006, 17:09:53] - Deleting ATLEvents/MSEvents Registry entries
[02/11/2006, 17:09:53] - Removing HKLM\...\Winlogon\Notify\sstqq
[02/11/2006, 17:09:53] - Searching for Browser Helper Objects:
[02/11/2006, 17:09:53] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[02/11/2006, 17:09:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/11/2006, 17:09:53] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[02/11/2006, 17:09:53] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[02/11/2006, 17:09:54] - Finished Searching Browser Helper Objects
[02/11/2006, 17:09:54] - Finishing up...
[02/11/2006, 17:09:54] - A restart is needed.
[02/11/2006, 17:09:54] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[02/11/2006, 17:10:09] - Attempting to Restart via STOP error (Blue Screen!)
It found the "nasty" file and removed it... problem solved?
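The log above shows the three registration points VirtumundoBeGone walks to find and disable a Vundo BHO: the Browser Helper Objects key, the CLSID key that maps the BHO to its DLL (and carries the display name, "ATLDistrib Object" here), and the Winlogon\Notify key that reloads the same DLL at every logon so a plain delete does not stick. The PowerShell below is an added, read-only example written for this page; it is not part of the thread and not VirtumundoBeGone's code. It enumerates those same keys, checks each DLL's Authenticode signature and whether a kill bit is already set, and cross-links Notify packages against registered BHOs the way the tool's "Checking for Winlogon reference" step does. The "Suspicious" column and the random-five-letter-name heuristic (sstqq.dll is the instance in this log) are my assumptions, not the tool's rules; per-user (HKCU) BHO keys are deliberately not checked.

```powershell
# Added example, not from the thread or from VirtumundoBeGone. Read-only: it
# enumerates the registration points the VBG log walks (Browser Helper Objects
# -> CLSID -> DLL, Winlogon\Notify, ActiveX kill bits) and flags entries worth
# a closer look. Run from an elevated PowerShell prompt (PowerShell 3+ assumed).

$BhoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$NotifyRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$System32    = Join-Path $env:SystemRoot 'system32'

function Get-BhoReport {
    if (-not (Test-Path $BhoRoot)) { return @() }
    Get-ChildItem $BhoRoot | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        # Default value of the CLSID key is the BHO's display name; the log warns
        # when a BHO has none. InprocServer32's default value is the DLL path.
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $dll  = [Environment]::ExpandEnvironmentVariables("$dll").Trim('"')
        $sig  = if ($dll -and (Test-Path -LiteralPath $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        # Kill bit = bit 0x400 of "Compatibility Flags" under ActiveX Compatibility\{CLSID}
        $flags = (Get-ItemProperty -Path "$KillBitRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Heuristic (my assumption, not the tool's rule): Vundo dropped randomly
        # named five-letter DLLs such as sstqq.dll straight into system32.
        $randomName = [bool]($dll -and ($dll -like "$System32\*") -and ($dll -match '\\[a-z]{5}\.dll$'))
        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            Signature  = "$sig"
            KillBitSet = (([int]$flags) -band 0x400) -ne 0
            Suspicious = (-not $name) -or ("$sig" -ne 'Valid') -or $randomName
        }
    }
}

function Get-WinlogonNotifyReport {
    # Winlogon notification packages are an XP/2003 mechanism; the key is
    # absent or ignored on Vista and later, so an empty result there is normal.
    if (-not (Test-Path $NotifyRoot)) { return @() }
    $bhoDlls = @(Get-BhoReport | ForEach-Object { "$($_.Dll)".ToLower() })
    Get-ChildItem $NotifyRoot | ForEach-Object {
        $dllName = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        $path = $null
        if ($dllName) {
            # A bare file name in DLLName is loaded from system32.
            $path = if ([IO.Path]::IsPathRooted($dllName)) { $dllName } else { Join-Path $System32 $dllName }
        }
        $sig = if ($path -and (Test-Path -LiteralPath $path)) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Entry     = $_.PSChildName
            Dll       = $path
            Signature = "$sig"
            # The link the VBG log checks: one DLL registered both as a BHO and as a Notify package.
            AlsoBho   = [bool]($path -and ($bhoDlls -contains $path.ToLower()))
        }
    }
}

'== Browser Helper Objects (HKLM) =='
Get-BhoReport | Format-Table CLSID, Name, Dll, Signature, KillBitSet, Suspicious -AutoSize
'== Winlogon\Notify packages =='
Get-WinlogonNotifyReport | Format-Table Entry, Dll, Signature, AlsoBho -AutoSize
```

The script only reports. Removal is the hard part, and the log shows why: a DLL loaded as a Winlogon notification package is held open by winlogon.exe, so the tool has to stop the shell, kill explorer and IE, and finally force a STOP error to release the file handle before the rename takes effect at the next boot. That is the "normal and expected" blue screen the expert warned about.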
ASKER
and it was sstqq.dll
ASKER CERTIFIED SOLUTION
ASKER
Yeah, it's gone from your Hijackthis log!
good job!
Thanks for the points with an "A" grading!
Happy computing! :)
ASKER
Thanks Gamer Girl...
Who says chicks don't rule? I've worked on that damn WinFixer for three weeks!
You da girl.
Thanks again.
Thanks for the compliments very much appreciated :)
Most Askers give points but never say thanks.
Some Askers give a low grade (an "A" grade makes a lot of difference in points).
Some Askers just abandon their thread, not caring whether anyone has replied to it.
I have to say, you are a perfect Asker! The best!
Thank you so much, :)
download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Scan and save a logfile". Don't fix anything yet; just upload the logfile it creates and post the link to the log here.
Or copy and paste the log at;
http://www.hijackthis.de/
and click Analyse, Save. Post a link to the saved list here.