Would love some help with Winfixer!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by theosmom, Nov 4, 2005.

  1. theosmom

    theosmom Private E-2

    Hello Everyone,
I'm trying to get rid of WinFixer. I've done everything in the "Read Me First" thread with no luck. I ran HijackThis and attached the log file. If anyone could take a look at it and let me know what my next step should be, I would really appreciate it. Thanks in advance.
    sara
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the instructions in the following threads:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP


    Please make sure System Restore is OFF.

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\gebya.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\aybeg.*
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please attach a fresh HJT log from normal mode.
     
  3. theosmom

    theosmom Private E-2

    Hi,
    Thanks so much Shadow_Puter_Dude for helping me out. I followed your directions and attached is the second HijackThis log. Any more help you or anyone available can offer is greatly appreciated. Thanks.
    sara
     
    Last edited: Nov 6, 2005
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The log didn't attach.
     
  5. theosmom

    theosmom Private E-2

    ok, had some slight issues, but all clear now. Here is the attached file-finally. Thanks again.
    sara
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    scan and have HJT Fix the following:
    Now boot to Safe Mode.

    Using the search function in the Start Menu, search for the following and delete every instance of the file:
    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments.
     
  7. theosmom

    theosmom Private E-2

    Hi Shadow_Puter_Dude and to anyone else reading this thread. OK, I ran three scans and have attached two. Will attach the third on the next post. I ran all three scans in Safe Mode with Networking because I didn't know I was supposed to run them in normal mode (I know one was supposed to be in Safe Mode, right?). When I did a search for the files you listed, the computer found two. When I went to delete them, the computer deleted one, but would not delete the other because it said it was in use by another user or program. The filename is pmkhi.dll.

    MS Antispyware and Panda found Virtumondo, and said they deleted them, but I'm still getting popups for "Search the Web" and WinFixer as I'm typing this to you. How come the spyware software seems to locate WinFixer (Virtumondo) but doesn't seem to really get rid of it? Anyhow, could you tell me what my next step should be? The next post will have the third log file. Thanks again.
    sara
     

    Attached Files:

  8. theosmom

    theosmom Private E-2

    Here is the third log.
    sara
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    From Safe Mode open Windows Explorer navigate to and delete the following:
    Reboot to Normal Mode and post a fresh HijackThis log.
     
  10. theosmom

    theosmom Private E-2

    Hello Again,
    I did what you said and I've attached the latest HijackThis log. I noticed that pesky file, pmkhi.dll is still on the list. Anyhow...

    Thanks again!
    sara
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We are getting somewhere, at least there is only the one left now; I hope.

    Please follow the instructions in the following threads:
    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP


    Please make sure System Restore is OFF.

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.

      it should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\pmkhi.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\ihkmp.*
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please attach a fresh HJT log from normal mode.
     
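    The VundoFix instructions in posts 2 and 11 above each remove a DLL (gebya.dll, then pmkhi.dll) together with a companion file whose base name is that DLL's name spelled backwards (aybeg.*, ihkmp.*). That naming pattern is something a responder can hunt for before a fix tool is run. The script below is an added example for this thread; it is not code from VundoFix, HijackThis or the poster. It takes a directory listing (a constructed sample is embedded, and the companion extensions .ini/.bak/.dat are assumptions, since the thread only gives wildcards) and reports DLLs that have a reversed-name companion, so the candidates can be reviewed rather than deleted blindly.

```python
"""Flag Vundo-style reversed-name file pairs in a directory listing.

Added example, not from the MajorGeeks thread or any tool it mentions.
The thread's fixes pair a DLL with a companion named backwards
(pmkhi.dll <-> ihkmp.*); this finds such pairs for manual review.
"""
import os
import sys
from collections import defaultdict

# Constructed sample listing (not a real capture). Extensions of the
# companion files are assumptions; the thread only shows "ihkmp.*".
SAMPLE_LISTING = [
    "kernel32.dll",
    "pmkhi.dll",      # DLL named in post 11
    "ihkmp.ini",      # reversed-name companion (assumed extension)
    "ihkmp.bak",      # second companion (assumed extension)
    "gebya.dll",      # DLL named in post 2
    "aybeg.dat",      # reversed-name companion (assumed extension)
    "user32.dll",
    "ntdll.dll",
]


def find_reversed_pairs(filenames):
    """Return a list of (dll_name, [companion names]) for every .dll whose
    base name, reversed, is the base name of at least one other file.

    Comparison is case-insensitive because NTFS file names are. Palindromic
    stems are skipped so a file is never reported as its own companion.
    """
    by_stem = defaultdict(list)
    for name in filenames:
        stem, _ext = os.path.splitext(name)
        by_stem[stem.lower()].append(name)

    pairs = []
    for name in sorted(filenames):
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".dll":
            continue
        low = stem.lower()
        reversed_stem = low[::-1]
        if reversed_stem == low:
            continue  # palindrome: would match itself, not a real pair
        companions = [c for c in by_stem.get(reversed_stem, []) if c != name]
        if companions:
            pairs.append((name, sorted(companions)))
    return pairs


def scan_directory(path):
    """Run the pair check over the real file names in `path`."""
    return find_reversed_pairs(os.listdir(path))


def format_report(pairs):
    """Human-readable lines for the candidates; nothing is deleted here."""
    if not pairs:
        return ["No reversed-name DLL pairs found."]
    lines = ["Review these candidates before removing anything:"]
    for dll, companions in pairs:
        lines.append(f"  {dll} <-> {', '.join(companions)}")
    return lines


if __name__ == "__main__":
    # With a directory argument scan it, otherwise use the constructed sample.
    found = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else find_reversed_pairs(SAMPLE_LISTING)
    print("\n".join(format_report(found)))
```

    Run without arguments it reports the two pairs from the sample; pointed at a real directory (for example a copy of the system32 listing taken from Safe Mode) it reports whatever pairs exist there. The output is a review list only; the decision to remove a file still rests with the person doing the cleanup and the fix tool being used.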
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    SPD, this is one of the newest variants that requires the Vundo fixes we talked about a few days ago. If nothing works, give those a try! If you need anything let me know!
     
  13. theosmom

    theosmom Private E-2

    Hello again,
    I did as advised and have attached the latest Hijackthis log. I couldn't resist temptation and had to open the windows\system32 folder to see if the dreaded pmkhi file was there and it wasn't, but I'm not getting my hopes up. Moving forward.... Have I thanked you lately for all of your help? :)
    sara
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Have HijackThis fix the following line:
    Reboot a couple of times, open and close some programs, surf the web; then come back and post a fresh HijackThis log from Normal Mode.
     
  15. theosmom

    theosmom Private E-2

    Hello again,
    I did what you said. I had one pop up appear and one "Search the Web" pop up appear while I was browsing. Attached is another log. Let me know what my next step should be. Thanks.
    sara
     

    Attached Files:

  16. theosmom

    theosmom Private E-2

    Just an FYI: I've been browsing for about 1/2 hour and I've gotten less than 5 pop ups. It's usually a lot more. Boy, this is a stubborn one!
    sara
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, WinFixer is gone. Your HijackThis log is clean. The popups may be caused by something that is not showing in the HJT log.

    Do the following:
    Running Ewido Security Suite


    Run CCleaner before doing the below.


    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Post both logs when finished.
     
  18. theosmom

    theosmom Private E-2

    Hello (good morning),
    Here are both files. I've been browsing again tonight and I've only gotten a handful of pop ups, which is a good sign. I did, however, get one pop up for Win Antivirus, which I think is WinFixer. Anyhow, any help is much appreciated.

    Take care,
    sara
     

    Attached Files:

  19. theosmom

    theosmom Private E-2

    I was just browsing some more (wanted to see if any more pop ups appear) and everything was going fine. I noticed though that every few seconds the hourglass would appear for a split second. Is there a pop up blocker working in the background? I've installed so many things over the past week, I can't remember what they all do! I have the Google toolbar installed and it is my pop up blocker and it's always done a terrific job. Since the WinFixer problem, however, it has not blocked one single pop up. Any suggestions as to why? Thanks!
    sara
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to Safe Mode.

    Open Windows Explorer, navigate to and delete the following:
     
  21. theosmom

    theosmom Private E-2

    Hello,
    I deleted the files you listed, although some of the files were not there.

    C:\WINDOWS\SYSTEM32\NewJmolhsu.xml and
    C:\WINDOWS\SYSTEM32\NewYghcmiu.xml

    were not there. There were several files with almost identical names. Should I have deleted those as well?

    I'm not really sure what my next step should be. If everything is fixed (and I certainly hope it is!) what should I do to fix the obvious gaps in my security? I noticed that Ewido is a 14 day trial. Is that something I should look into purchasing? What other things should I do, in terms of maintenance, to assure that I stay ahead of the game so that I catch something before it wreaks havoc on my machine in the future? Currently I run Adaware whenever I remember and of course my antivirus software is up-to-date. Anything else? Any suggestions/advice is most appreciated.
    Thanks,
    sara
     
  22. theosmom

    theosmom Private E-2

    UUGGHH! I just got a pop up for WinAntivirus Software! Is Winfixer still on my computer? Why isn't Google stopping it like it did before?
    sara
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
