Winfixer 2005 Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Birdlover49, Jan 29, 2006.

  1. Birdlover49

    Birdlover49 Private E-2

    We ran all the recommended programs from the Read & Run Me First section. We received the message "could not find Winfixer 2005 resource". We have attached the hijack and panda log files for your review. Please advise how to get rid of Winfixer 2005, etc. from my computer!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the BitDefender log that is requested in step 6.

    Is your Spyware Doctor program a paid version? If not, uninstall it because it will not do anything for you except waste system resources. If it is a paid version, you should complain to them and ask them why they do not detect and fix Winfixer and Virtumonde.
     
  3. Birdlover49

    Birdlover49 Private E-2

    Here is the Bitdefender log. I do have the paid version of Spyware Doctor 3.5 and it did not find or fix Winfixer--WFX7E.exe
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you should be complaining to them. Ask them why they do not detect the real troublesome kind of malware and also remove it. Like many other tools, they spend lots of time detecting and removing trivial items like cookies, MRUs and minor malware annoyances. But when it comes to real issues like Look 2 Me VX2, WinFixer, Virtumonde, Smitfraud, SpyAxe, about:Blank hijacks, HSA hijacks and a load more, they do not detect and remove them. Unless people complain to them and demand that they fix the problems, the software will not improve.

    Let's fix your problems.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\DOCUME~1\DONNAS~1\LOCALS~1\Temp\WFX7E.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [NI.WFX5_0001_N56E0311] "C:\DOCUME~1\DONNAS~1\LOCALS~1\Temp\WFX7E.exe" -nag
    O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Donna Stankiewicz\Local Settings\Temp\WFX7E.exe
    C:\WINDOWS\system32\pmkhi.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
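The HijackThis entries chaslang singles out above share a few recognisable traits (an autorun launched from a Temp folder, a BHO or Winlogon Notify handler whose file is gone, IE start pages pointing somewhere the owner never chose). As an added example that is not part of this thread, the script below triages HJT-style log lines for exactly those traits; the sample log is constructed from the lines quoted in the thread plus one benign autorun, and `TRUSTED_PAGES` is an assumed allow list.

```python
import re

# Constructed sample: the entries quoted in the thread plus one benign O4 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NI.WFX5_0001_N56E0311] "C:\DOCUME~1\DONNAS~1\LOCALS~1\Temp\WFX7E.exe" -nag
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\guard.exe"
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
"""

# Assumed allow list: pages the owner actually wants (the poster mentioned Comcast).
TRUSTED_PAGES = ("about:blank", "comcast.net")

R_KEYS = re.compile(r"(Start Page|Default_Page_URL|Local Page|ProxyServer) = (.*)$")
O4_EXE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)"?')


def triage(log_text):
    """Return [(line, reason)] for entries matching the traits fixed in the thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O20, ...
        if kind in ("R0", "R1"):
            m = R_KEYS.search(line)
            if m:
                key, value = m.groups()
                if key == "ProxyServer":
                    findings.append((line, "proxy override set to %r" % value))
                elif not any(t in value.lower() for t in TRUSTED_PAGES):
                    findings.append((line, "%s set to untrusted value %s" % (key, value)))
        elif kind == "O2" and "(no file)" in line:
            findings.append((line, "orphaned BHO: CLSID registered but no file on disk"))
        elif kind == "O4":
            m = O4_EXE.search(line)
            if m and "\\temp\\" in m.group(1).lower():
                findings.append((line, "autorun launches an executable from a Temp folder"))
        elif kind == "O20" and "(file missing)" in line:
            findings.append((line, "Winlogon Notify handler registered but DLL is missing"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("%-60s  %s" % (reason, entry))
```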
     
  5. Birdlover49

    Birdlover49 Private E-2

    We did what you said and it appears that we do not get the message about Winfixer when we boot up in normal mode in Windows. I also checked the processes and I could not find the WFX7E.exe file. I could not find the PMKHI.DLL file when in safe mode. I used the search feature and still couldn't find it. Does this matter??

    I await your reply.

    P.S. I complained to Spyware Doctor about not fixing Winfixer in version 3.5. Customer Service said they sent my message to their technical staff.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach the follow-up HJT log I requested just so I can double check. Don't worry about the files you could not find. Sometimes HJT is able to remove them. But note for your education, Windows Search will not locate hidden files or system files unless it is properly configured. Step 2 of the READ ME only applies to Windows Explorer, not to Windows Search. To allow search to look for these kinds of files and in system folders you need to configure it as indicated here: Searching for Hidden Files on WinXP

    Good deal! Hopefully if everyone starts doing this, some of these companies will do more to fix the real problem malware instead of just easy trivial stuff.
     
  7. Birdlover49

    Birdlover49 Private E-2

    I could not find the pmkhi.dll file per your instructions so I would say it is not there. Here is the HiJackThis log file.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please remember that HJT logs must be from Normal boot mode, not safe mode. Also, while we are working on fixing PCs we request that msconfig not be used to control startups (you have it running).

    Did you forget to fix the below two lines?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

    Or did you not allow MS Antispyware or SpywareDoctor to permit the changes? They will normally protect your start page and see the attempted change. They will ask if you want to allow the change. If you click No, then the HijackThis fix will fail. The other alternative is to disable the protection while fixing or to uninstall the applications. You may want to uninstall MS AntiSpyware anyway since you have SpywareDoctor.
     
  9. Birdlover49

    Birdlover49 Private E-2

    Here is the HiJackThis log from Normal mode. I disabled Spyware Doctor and Norton before running the scan and uninstalled MS Antispyware. Not sure what you wanted me to do with the IE Start Page entries but I noticed one of them loads Comcast which is my desired start page. Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you still have one of those Dell MyWay lines.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

    You really need to Reset Web Settings as I indicated in message # 4. You can reset your start page later on back to what you want. But you probably will need to uninstall Spyware Doctor and anything else you have protecting your start pages because something is blocking the changes or you are not doing it properly.

    The Dell MyWay line is not a real big deal but it would be nice to remove it completely.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
