How do I stop Winfixer popups?

Discussion in 'Computer Support' started by Steve, Dec 29, 2005.

  1. Steve

    Steve Guest

    I can't get shut of this, I've tried spybot, Adware se and Kaspersky.
    But it just keeps reappearing.

    Steve
    Steve, Dec 29, 2005
    #1

  2. Rôgêr, Dec 29, 2005
    #2

  3. Steve

    Noel Paton Guest

    Note that the recommended XoftSpy software on that page has a very dubious
    history - although it does seem to have cleaned up its act of late.

    http://www.bleepingcomputer.com/forums/topic18610.html
    is a better bet for instructions on removal

    --
    Noel Paton (MS-MVP 2002-2006, Windows)

    Nil Carborundum Illegitemi
    http://www.crashfixpc.com/millsrpch.htm

    http://tinyurl.com/6oztj

    Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
    "Rôgêr" <> wrote in message
    news:43b3b915$0$5683$...
    > Steve wrote:
    >> I can't get shut of this, I've tried spybot, Adware se and Kaspersky.
    >> But it just keeps reappearing.

    >
    > http://www.free-web-browsers.com/support/remove-winfixer.shtml
    Noel Paton, Dec 29, 2005
    #3
  4. Steve

    pcbutts1 Guest

    Use this removal tool for winfixer only run it in safe
    mode. If it does not work then run hijackthis and send
    me a log file.

    More info here
    Removal Tool - Adware-Virtumundo/WinFixer Popups
    http://forums.mcafeehelp.com/viewtopic.php?t=57049

    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com



    "Steve" <> wrote in message
    news:...
    >I can't get shut of this, I've tried spybot, Adware se and Kaspersky.
    > But it just keeps reappearing.
    >
    > Steve
    pcbutts1, Dec 29, 2005
    #4
  5. Steve

    Plato Guest

    Plato, Dec 30, 2005
    #5
  6. Steve

    Jim Byrd Guest

    Hi Steve - Seven approaches to removing Winfixer (Vundo). Not all will work
    on all variants. It's suggested that you try them in this order.

    1 - Feedback from users reports that the Removal Tool here is the most
    effective against what is currently the most common variety of this
    'malware':
    http://forums.mcafeehelp.com/viewtopic.php?t=57049



    2 - Symantec has a new Vundo remover:
    http://securityresponse.symantec.com/avcenter/FixVundo.exe
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
    http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



    3 - Courtesy of Dave Lipman:

    "Download WinFixerFix.exe from the URL --
    http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


    On the infected PC...

    Execute; WinFixerFix.exe { Note: You must accept the default of
    C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
    through your FireWall to enable WGET.EXE to download the needed McAfee
    related files.

    Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in
    c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be
    generated. At the end of the scan, it will be displayed in your browser
    (Opera, FireFox or Internet Explorer). It is suggested that you move the
    report out of c:\mcafee before performing another scan. It would be a good
    idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session."



    4 - McAfee has a combined automated/manual removal procedure here:
    http://vil.nai.com/vil/content/v_127690.htm



    5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

    "Atribune, a guy in the forums, has a Vundo fix tool as well:

    Instructions for use by user as posted in the SpywareWarrior forum:

    'Please download VundoFix.exe to your desktop. Here's a link:

    http://www.atribune.org/downloads/VundoFix.exe

    Double-click VundoFix.exe to extract the files
    This will create a VundoFix folder on your desktop.
    After the files are extracted, please restart your computer into Safe Mode.

    Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

    A command window will open and it should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk

    At this point press enter one time.

    Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, to continue with the fix.


    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\geeby.dll

    Press Enter.

    Next you will see:

    Please type in the second filepath as instructed by the forum staff

    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\ybeeg.*

    Press Enter to continue.

    The fix will run then HijackThis will open.
    In HijackThis, please place a check next to the following items and click
    FIX CHECKED:


    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
    C:\WINDOWS\system32\geeby.dll
    O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

    After you have fixed these items, close Hijackthis.

    The fix will tell you to shutdown using the Power button. Hold in your power
    button until the computer shuts down. Wait about 15 seconds and then restart
    the computer into regular windows.

    Chkdsk will run. This is normal. It will take a few minutes and is checking
    your file system because of the Bad Shutdown we caused.

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Allow them to clean

    Panda will have the option to create a log after the scan has finished.
    Click the See Report button. Then click the save Report button. It will be saved
    under the name activescan.txt. Do that and post that log into your next reply
    here.

    Run hijackthis and post the new log and the vundofix.txt file from the
    vundofix folder into as well.'

    The forum helpers have reported this fix from Atribune works. I don't know
    about the Symantec tool.

    If you'd like to join Spyware Warrior, you could see the thread where the
    helpers are discussing this.

    Suzi"


    Note: Here's some added info relative to the above courtesy of MVP Steve
    Wechsler (akaMowGreen):

    "the .dll's file name :

    C:\WINDOWS\system32\geeby.dll

    will be different on different systems. What you can do to identify it
    is to scan the system with HijackThis and look at the O2 BHO and/or O20
    Winlogon entries to find out its name. Close all other programs and
    browsers prior to scanning with HJT. REMEMBER that there is a hidden file
    that will have the name of the .dll spelled backwards. Enter that name when
    the VundoFix requests the path to the second file.



    6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
    that can be used if the recommended method fails :
    http://www.bleepingcomputer.com/forums/topic18610.html"




    7 - Courtesy of S.Sengupta[MS-MVP]

    Download VirtumundoBegone and save it to your desktop.

    VirtumundoBegone
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    Run that application after booting into safe mode.





    Here's the HijackThis info you may need:

    Download HijackThis, free, here:
    http://www.merijn.org/files/hijackthis.zip (Always download a new
    fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
    You may also get it here if that link is blocked:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

    There's a good "How-to-Use" tutorial here:
    http://computercops.biz/HijackThis.html

    In Windows Explorer, click on Tools|Folder Options|View and check "Show
    hidden files and folders" and uncheck "Hide protected operating system
    files". (You may want to restore these when you're all finished with
    HijackThis.)

    Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
    at the root level such as C:\HijackThis (NOT in a Temp folder or on your
    Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
    when it's finished which will create hijackthis.log. Now click the Config
    button, then Misc Tools and click on Generate StartupList.log which will
    create Startuplist.txt


    Then go to one of the following forums:

    Spyware and Hijackware Removal Support, here:
    http://forums.spywareinfo.com/
    or Jim Eshelman's site here: http://forum.aumha.org/
    or Bleepingcomputer here: http://www.bleepingcomputer.com/
    or Computer Cops here: http://www.computercops.biz/forums.html
    or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
    or Net-Integration here: http://net-integration.us/forums/index.php

    Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
    of the particular site's HiJackThis forum, then copy and paste both files
    into a message asking for assistance. Someone will answer with detailed
    instructions for the removal of your parasite(s). Be sure you include at
    the beginning of your post a description of "What specific
    problem(s)/symptoms you're trying to solve" and "What steps you've already
    taken."




    *******
    ONLY IF you've successfully eliminated the malware, you can now make a new,
    clean Restore Point and delete any previously saved (possibly infected)
    ones. The following suggested approach is courtesy of Gary Woodruff: For XP
    you can run a Disk Cleanup cycle and then look in the More Options tab. The
    System Restore option removes all but the latest Restore Point. If there
    hasn't been one made since the system was cleaned you should manually create
    one before dumping the old possibly infected ones.
    *******


    You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    especially since MS will apparently no longer be distributing Java or
    providing any support for Java including security fixes after Dec 31, 2007.
    BE SURE that you uninstall any prior versions of Sun Java as some,
    specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    us.


    When you get things cleaned up, take a look at my Blog, Defending Your
    Machine, addy in my Signature below, for some additional curative and
    preventive measures you might want to implement to help prevent this type of
    thing in the future.

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Steve" <> wrote in message
    news:
    > I can't get shut of this, I've tried spybot, Adware se and Kaspersky.
    > But it just keeps reappearing.
    >
    > Steve
    Jim Byrd, Dec 30, 2005
    #6
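An added example, not part of the post above or of any tool it names: a small parser that reads a saved HijackThis log, collects the DLLs registered under O2 (BHO) and O20 (Winlogon Notify), and derives the backwards-spelled companion path that the note in step 5 says to enter as the second file. Restricting the result to DLLs that appear in both sections is an assumption taken from the sample entries in the post; the function names and every log line other than the two geeby.dll entries are constructed for illustration.

```python
import ntpath
import re

# Constructed sample log. The two geeby.dll lines are the entries quoted in the
# post (joined onto one line each); the other three lines are made up.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeby.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
"""

# Matches only the two HijackThis sections the post says to inspect.
ENTRY_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O20 - Winlogon Notify): .* - (?P<path>[A-Za-z]:\\.+\.dll)\s*$",
    re.IGNORECASE,
)

def dlls_by_section(log_text):
    """Return {lower-cased path: (path as logged, subset of {"O2", "O20"})}."""
    found = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section = m.group("kind").split(" ")[0].upper()
            path = m.group("path")
            found.setdefault(path.lower(), (path, set()))[1].add(section)
    return found

def companion_pattern(dll_path):
    """Same folder, file name spelled backwards, any extension."""
    folder, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(folder, stem[::-1] + ".*")

def vundofix_inputs(log_text):
    """(first path, second path) for DLLs listed under both O2 and O20 (assumed heuristic)."""
    return [
        (path, companion_pattern(path))
        for path, sections in dlls_by_section(log_text).values()
        if sections == {"O2", "O20"}
    ]

if __name__ == "__main__":
    for first, second in vundofix_inputs(SAMPLE_LOG):
        print("first path: ", first)
        print("second path:", second)
```

A DLL that shows up under only one of the two sections is not returned by `vundofix_inputs`; `dlls_by_section` still lists it for manual review.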
  7. Steve

    Steve Guest

    On Thu, 29 Dec 2005 10:15:32 +0000, Steve <>
    wrote:

    Thanks everyone, I'll try them today.
    Cheers
    Steve
    Steve, Dec 30, 2005
    #7