WinFixer 2005 trying to Install

Ned

Can someone tell me how to permanently remove this WinFixer
2005 Install program? I have run Micro AntiSpyware,
Adaware 6 & Spybot but it is not detecting it. I looked
on another site and they are calling it a 'parasite'. I
tried to submit a report about it, but it gives me an
error occurred message.

Thanks in advance~
Ned
 
Randy Knobloch

Ned said:
Can someone tell me how to permanently remove this WinFixer
2005 Install program? I have run Micro AntiSpyware,
Adaware 6 & Spybot but it is not detecting it. I looked
on another site and they are calling it a 'parasite'. I
tried to submit a report about it, but it gives me an
error occurred message.

Download and run HijackThis;
(http://aumha.org/downloads/hijackthis.zip)
Read this Tutorial *before* first use;
(http://www.bleepingcomputer.com/forums/index.php?showtutorial=42)
Once done > run HijackThis > save a scan log and post it to /any/ of the
following (expert) forums for analysis.
*Note, registration is required prior to posting a log.
- Not listed in any particular order -
(http://aumha.net/viewforum.php?f=30)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://www.dslreports.com/forum/security)
(http://castlecops.com/forum67.html)
(http://www.cybertechhelp.com/forums/forumdisplay.php?f=25)
(http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html)
(http://gladiator-antivirus.com/forum/index.php?showforum=170)
(http://forum.iamnotageek.com/f-130.html)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://www.spywarewarrior.com/viewforum.php?f=5)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://forums.techguy.org/f54-s.html)
(http://forums.tomcoyote.org/index.php?showforum=27)
(http://forums.subratam.org/index.php?showforum=7)

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

(Reply to group, as return address
is invalid - that we may all benefit)
 
Stu

You may also like to try the following: point your browser
to:

http://geekstogo.com/forum/index.php?act=ST&f=37&t=56960

and read the forum posting (dated 20/08/05) from Bancclare
and the response from tampa bell on how to remove.
Interestingly, my version of S & D 1.4 (with latest defs)
does list Winfixer in its database as malware, so I'm
surprised it did not detect it.

Stu
 
Merv Porter

Got it here too Ned. So far, it appears that Micro AntiSpyware will ask if
you want to block it when it pops up to do its install. After you do the
block, it leaves an install icon on the desktop and a couple of pop-up
screens. Actually running a Micro AntiSpyware scan does not detect or
remove it.

Spybot 1.4 claims to have Winfixer targeted in its definitions but it won't
detect it during a scan either. Same for Ad-aware. Same for Spy Sweeper.

A trial copy of CounterSpy (Sunbelt Software) is very similar to Micro
AntiSpyware (I think same company wrote the code - Giant Software) but a
CounterSpy scan will detect and remove misc.Winsoftware.Winfixer (Misc).

http://www.sunbelt-software.com/CounterSpy.cfm

The problem I have now is that it comes back after several hours.


Merv
 
Bill Sanderson

If it comes back, you haven't got rid of it.

Have you tried any or all of these products with Windows started in safe
mode?

--
 
Merv Porter

Hi Bill,

Yep, tried Counterspy in Safe Mode. It removed misc.Winsoftware.winfixer
(misc). I rebooted but Winfixer 2005/WinAntivirus 2005 came back a few
hours later.

Seems it's now settled down to giving me a popup to "trafficexplorer.com"
every few hours. This then auto-redirects to one of several other web
sites. I can cancel this IE window and everything is fine for the next
several hours. I'm still gathering info on this.


Merv
-----------------
 
Merv Porter

I downloaded a trial of SpySweeper a couple of days ago and it didn't find
any Winfixer (or other) spyware on my machine. Spybot 1.4 also claims it
has it in definitions database, but it doesn't find it either.

I've now added a "127.0.0.1 trafficexplorer.com" entry in my hosts file.
We'll see if this at least helps for that popup. :)


Merv
---------
 
Merv Porter

Doh! How could I forget about Trend Micro? Thanks Tom.

I downloaded the trial version, installed and ran it. It found several
Cookie "infections" but also Trojan.Vundo. I think I've read that this is
somehow related to Winfixer or another bad actor. I then removed "127.0.0.1
Trafficexplorer.com" from my Hosts file and allowed Trend Micro to delete
everything it found. So far, so good (about 5 hours and still OK).
 
Merv Porter

Actually, if the Trend Micro product doesn't get the job done, I think it's
time to flatten this critter and get on with life. :)
 
Ron Kinner

In addition to the entries shown by TampaBell:

O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

there is another one similar to:
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"

or

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"

or some variation on the theme. Seems to always end in
NetInstaller.exe but may be in a different folder.

If you boot into Safe Mode (F8) and run hijackthis and
check them then Fix Checked you should be OK.

If it actually installs then you will have two entries
with matching randomname.dlls:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\expsys.dll

O20 - Winlogon Notify: expsys - C:\WINDOWS\repair\expsys.dll

Follow Rawe's procedure at

http://tinyurl.com/72khc

Ron Kinner
MVP 2004 & 2005
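
Ron Kinner's description above, turned into a log check as an added example (not part of the original posts and not HijackThis's own code): it flags O4 Run entries whose executable ends in NetInstaller.exe, and any DLL that appears in both an O2 BHO line and an O20 Winlogon Notify line. The sample log is constructed from the entries quoted in the thread plus one made-up benign line (ExampleTray); the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log: entries quoted in the thread plus one benign, made-up line.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\expsys.dll
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: expsys - C:\WINDOWS\repair\expsys.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_path(cmd):
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd

def review(log_text):
    """Return (finding, detail) tuples for the two patterns described in the post."""
    findings = []
    dll_sections = defaultdict(set)  # dll path -> set of sections that load it
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            run = RUN.match(body)
            # The folder varies, so match on the file name suffix only.
            if run and exe_path(run["cmd"]).lower().endswith("netinstaller.exe"):
                findings.append(("netinstaller-autorun", run["name"]))
        elif section in ("O2", "O20"):
            path = body.rsplit(" - ", 1)[-1].strip().lower()
            if path.endswith(".dll"):
                dll_sections[path].add(section)
    # The installed case: one DLL registered as both BHO and Winlogon Notify.
    for path, sections in dll_sections.items():
        if sections == {"O2", "O20"}:
            findings.append(("bho-and-winlogon-notify-same-dll", path))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A hit is a prompt to look at the entry in HijackThis, not a verdict; the pairing check keys on the DLL path, so it still fires when the DLL name is random.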
 
Bill Sanderson

Better than the online scan is the SYSCLEAN, which you can run locally.

Download the sysclean package and the zip of the latest definitions, unzip
the defs in the same folder as sysclean.exe and run it--I believe you can do
that in safe mode.

I'm not sure whether the online scan does a broader job--i.e. spyware et al
in addition to viruses, but sysclean cleans every virus they can clean, as I
recall.

The online scan was a great idea--Thanks Tom!

--

Merv Porter said:
Actually, if the Trend Micro product doesn't get the job done, I think
it's time to flatten this critter and get on with life. :)

--
Merv Porter [SBS MVP]
===================================

Bill Sanderson said:
I think at this point I'd head over to www.aumha.org and go for guided
cleaning via HijackThis logs.
 
Anonymous Coward

It sounds like WinFixer has not installed but is
constantly trying to install?

I have had luck with going into MSAS Advanced Tools and
blocking a file named something like "WinSoft
NetInstaller". (Sorry, don't have it so I can't get the
name. :) ) You have to kill it in the running processes
too, if you find it there....
 
Bill Sanderson

Ahh--I missed that--didn't read carefully enough. Thanks--that is something
I haven't looked at.

--
 
Jim Byrd

Bill Sanderson

Thanks - I believe that fix was eventually cited somewhere in the
thread--I'll remember it next time!

--
 