Home of a med student who likes to manage websites and talk tech!

Eliminating Winfixer Spyware!

leave a comment »

Yesterday, my sister was complaining about annoying ‘Winfixer’ popups while she was using her laptop. When I heard ‘Winfixer’, I immediately thought “SPYWARE!”. The week before she had the same problem, but I thought I removed it since Adaware SE detected and claimed to have removed it (Spybot and A-squared failed to detect it, btw).

So today, with some free time, I decided to investigate. I found that this ‘Winfixer’ is a real application but it can be integrated into certain programs for the purpose of spyware! And a lot of people were having problems removing it. The side effects of ‘Winfixer’ spyware are frequent Winfixer promotion popups in Internet Explorer and multiple browser page launches even when in the Windows Explorer. This was what my sister was experiencing from ‘Winfixer 2006’ spyware.

Anyway, it seems as though Winfixer occurs with the adware VirtuMonde and trojan Vundo, as claimed by Symantec Security Response. Here are the steps I took to remove this nasty piece of spyware (I am not responsible for any negative consequences of carrying out the proceeding. Please be careful of what you modify and delete!):

A. To Be Performed in the Windows Safe Mode

  • 1. Empty all browser caches. This includes cookies, internet files and histories.
  • 2. Update and run Spybot Search & Destroy. Fix any problems found. Also use the SS&D Secure Shredder (advanced tool) to clean all temp files (include all templates).
  • 3. Update and run a full system scan with Adaware SE. Fix any problems found. Adaware may detect VirtuMonde (TAC rating ~10!) in which case you should choose to clean. However, if you run a SmartScan afterwards you will see that Adaware keeps finding more or the same Virtumonde traces.
  • 4. Update and run a full system scan (scan all drives/partitions) with a² Free. Fix any problems found. A-Squared may find malware similar to C:\WINDOWS\system32\mljji.dll. You can choose to remove it but this file is not easy to delete. It is linked to Winfixer so make a note of its location.
  • 5. Update and run your antivirus. It may pick up a few traces of any malware linked to ‘Winfixer’ or trojans.
  • B. The following should only be performed after all major scans.

  • 6. Download the latest version of HijackThis, unzip and launch the program. Perform a ‘Scan with Log’ and look for an entry similar to O2 – BHO: MSEvents Object – {xxxxx-xxxx-xxxx-xxxx…} – C:\WINDOWS\system32\mljji.dll. Make a note of the location of ‘mljji.dll’.
  • 7. Download VundoFix.exe, extract to desktop and enter the Windows Safe Mode.
  • 8. Execute ‘killvundo.bat’, which was extracted from ‘VundoFix.exe’, accept the warning at the prompt and proceed to type in the following information:

    First filepath: C:\WINDOWS\system32\mljji.dll
    Second filepath: C:\WINDOWS\system32\ijjlm.*

  • 9. Click ‘Enter’ and allow the program to kill the running process. HijackThis should automatically launch.
  • 10. Look for O2 – BHO: MSEvents Object – {xxxxx-xxxx-xxxx-xxxx…} – C:\WINDOWS\system32\mljji.dll and O20 – Winlogon Notify: C:\WINDOWS\system32\mljji.dll. Select their relevant checkboxes and let HijackThis fix them (it actually deletes them permanently from your system).
  • 11. Download and run Symantec’s Trojan.Vundo Removal Tool. If it finds anything let it do a cleanup.
  • 12. Download and run Symantec’s Adware.VirtuMonde Removal Tool. If it finds anything let it do a cleanup.
  • Your system should now be clean from Winfixer, Virtumonde and Vundo malware! I would advise that all of these steps be performed in the Windows Safe Mode with the exception of downloading and installing the necessary software. Make sure that you have all of the software downloaded, because you will want to minimize any internet activity that might trigger Winfixer to reproduce or fix itself. (In the Windows Safe Mode you will not have any internet connectivity.)

    I must warn that the above steps may not be relevant for everyone. I only did what I did because I let all of my antispyware scan and pick up any traces of malware thereby reducing the amount that would need advanced cleaning later.

    1. Using Mozilla Firefox as an alternate internet browser will decrease any currently installed ‘Winfixer adware’. In the long run, however, you should switch to Firefox because of its enhanced security over Internet Explorer.
    2. Use the Immunize feature of Spybot Search & Destroy every time you update the software. Compounding this with Spyware Blaster’s protection doesn’t hurt either.
    3. Lock the Hosts file in Windows. There is a feature in Spybot Search & Destroy to do this. You can also lock your homepage so that browser hijackers will not be able to change it should they become installed.
    4. Keep your antispyware, antivirus and all security software updated. All of the software that I used in this fix are free!
    5. Take responsibility in the websites you visit and the links you click. Don’t fall for scams in ads. Be careful of what you download.


    Written by falcon1986

    5 November, 2005 at 5:19 PM

    Posted in Uncategorized

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )


    Connecting to %s

    %d bloggers like this: