WinFixer 2005

Discussion in 'Virus Information' started by Sherri, Nov 12, 2005.

  1. David,

    I tried WinFixerFix and it removed the Winfixer popup and a porn pop up too.

    Many thanks,

    Martin
     
    =?Utf-8?B?TWFydGluIEUgKFRvcm9udG8p?=, Dec 17, 2005
    1. Advertisements

  2. From: "Martin E (Toronto)" <Martin E (Toronto)@discussions.microsoft.com>

    | David,
    |
    | I tried WinFixerFix and it removed the Winfixer popup and a porn pop up too.
    |
    | Many thanks,
    |
    | Martin


    YW and Happy Holidays.
     
    David H. Lipman, Dec 17, 2005
    1. Advertisements

  3. David,
    before I do that, I just want to make sure I understand. You are saying
    open the notepad, and just save those two Hkey strings in the notepad, then
    do a save as and give it the name fixreg.reg? Then close, and reopen?

    It just seems to me that if I open the notepad again it will just show the
    two strings that I pasted in there.

    Please advise.

     
    =?Utf-8?B?VHJlbnQ=?=, Dec 18, 2005
  4. Sherri

    Max Wachtel Guest

    AKA Trent on 12/17/2005 in
    You will have created a .reg file not a .txt file. When you click on
    fixreg.reg, it will merge those strings into the registry for you.
    max
    --
    Virus Removal Instructions: http://home.neo.rr.com/manna4u/
    Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
    Windows Help: http://home.neo.rr.com/manna4u/tools.html
    Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
    Forums for HiJackThis Logs:
    http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
    To reply by e-mail change nomail.afraid.org to gmail.com
    nomail.afraid.org is setup specifically for use in USENET
    feel free to use it yourself. Registered Linux User #393236
     
    Max Wachtel, Dec 18, 2005
  5. When I double click on the file, it asks me if I want to add the information
    to the registry. When I hit YES, it then gives me an error and says "Cannot
    Import: Error opening the file. There may be a disk or file system error. "

    So now what?
     
    =?Utf-8?B?VHJlbnQ=?=, Dec 18, 2005
  6. David,
    When I double click on the file, it asks me if I want to add the information
    to the registry. When I hit YES, it then gives me an error and says "Cannot
    Import: Error opening the file. There may be a disk or file system error. "

    So now what?


     
    =?Utf-8?B?VHJlbnQ=?=, Dec 18, 2005
  7. From: "Trent" <>

    | David,
    | When I double click on the file, it asks me if I want to add the information
    | to the registry. When I hit YES, it then gives me an error and says "Cannot
    | Import: Error opening the file. There may be a disk or file system error. "
    |
    | So now what?

    Are you logged into an account with Administrative privileges ?
     
    David H. Lipman, Dec 18, 2005
  8. What do you mean by administrative priveleges?
     
    =?Utf-8?B?VHJlbnQ=?=, Dec 18, 2005
  9. From: "Trent" <>

    | What do you mean by administrative priveleges?
    |

    Assuming that you copied and pasted the the text into a .REG file correctly, it should have
    imported OK.

    However, to change the Registry, you need to have the rights and priveleges of the
    "administrator". Either you logon as "administrator" or the account you use must have
    administrative rights.

    Alternatively...

    You will have to run regedit and traverse the HKEY_LOCAL_MACHINE Registry Hive as below

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    Under "Notify" you'll see legitimate items such as "crypt32chain" and "wzcnotif"

    You need to highlight and delete the following two...

    pmkhf
    vtstu
     
    David H. Lipman, Dec 18, 2005
  10. Be sure to check the permissions of the registry entries.
     
    Matt Thompson, Dec 18, 2005
  11. If you ran VirtumundoBeGone (from Step 1) it would be helpful to post the
    results of the VBG.TXT file located on your desktop.

     
    Matt Thompson, Dec 18, 2005
  12. Dave, I'm still not following. What logging on are you referring to? When I
    boot up, I just choose the Windows icon that shows my name and then my
    desktop comes up. I was not logged on to any website or "account" when I
    tried to execute the .reg file.

    And when you say "traverse" do you just mean go to start, run, "regedit",
    then manually go find those two files and delete? Sounds much easier than
    trying to jack around with this .reg file.
     
    =?Utf-8?B?VHJlbnQ=?=, Dec 19, 2005
  13. Just looked in the registry and there were no such folders under Windows
    NT/notify in there. I did in fact see the crypt32chain, but did not see
    wzcnotif.

    Not sure what to do now.
     
    =?Utf-8?B?VHJlbnQ=?=, Dec 19, 2005
  14. From: "Trent" <>

    | Just looked in the registry and there were no such folders under Windows
    | NT/notify in there. I did in fact see the crypt32chain, but did not see
    | wzcnotif.
    |
    | Not sure what to do now.
    |

    Are you still getting the error --
    "Winlogon.exe encountered a problem and needed to close. We have created an error report.
    Send error report to Microsoft?"
     
    David H. Lipman, Dec 19, 2005
  15. Sherri

    venus Guest

    I don't know why he told you to remove those anyways. What you need to do is
    run Hijackthis, save a copy of the log file and post it to this group for
    expert analysis just click on the link No
    registration required.
     
    venus, Dec 19, 2005
  16. My wife tells me that when she turned the computer on for the first time
    today she did not recall getting the winlogon.exe error.
     
    =?Utf-8?B?VHJlbnQ=?=, Dec 19, 2005
  17. From: "Trent" <>

    | My wife tells me that when she turned the computer on for the first time
    | today she did not recall getting the winlogon.exe error.
    |

    Fantastic !

    Happy Holidays Trent.
     
    David H. Lipman, Dec 19, 2005
  18. Sherri

    Max Wachtel Guest

    AKA venus,pcbutts1,Sharon F,four,sohtyel,Sharon
    ******************Reply Separator*************************

    Why it's pcbutthead!!!! I can smell you a mile away!!!

    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123

    NEVER download files from anywhere unless it is from the website of the
    developer,manufacturer or some entity you trust. The developers
    websites ALWAYS have the most up to date files that haven't been
    tampered with by some third party who is "hosting"(read Leeching or
    Stealing) those files without permission.

    max
    --
    Virus Removal Instructions: http://home.neo.rr.com/manna4u/
    Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
    Windows Help: http://home.neo.rr.com/manna4u/tools.html
    Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
    Forums for HiJackThis Logs:
    http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
    To reply by e-mail change nomail.afraid.org to gmail.com
    nomail.afraid.org is setup specifically for use in USENET
    feel free to use it yourself. Registered Linux User #393236
     
    Max Wachtel, Dec 19, 2005
  19. Sherri

    Leythos Guest

    Yep, in just the last day or so, he's posted the following:

    =======================================
    Examples of PCBUTTS1 Posting Locations and fake nicknames
    =======================================

    From: "Leythos" <>
    References: <>
    Subject: Re: Newsgroup help
    Date: Sat, 17 Dec 2005 08:47:26 -0800
    Lines: 16
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Response
    Message-ID: <>
    Newsgroups: microsoft.public.windowsxp.help_and_support
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    microsoft.public.windowsxp.help_and_support:603952

    =======================================
    From: "1sttubcp" <>
    References: <>
    <uAAurTT#> <DB3EC990-3291-412A-A548-
    > <#rJouHV#>
    <>
    Subject: Re: Spy Axe and security toolbar
    Date: Sat, 17 Dec 2005 09:28:07 -0800
    Lines: 71
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Original
    Message-ID: <>
    Newsgroups: microsoft.public.windowsxp.help_and_support
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    =======================================
    From: "1sttubcp" <>
    References: <>
    <uAAurTT#> <DB3EC990-3291-412A-A548-
    > <#rJouHV#>
    <> <OSrTG9yAGHA.208
    @tk2msftngp13.phx.gbl> <d4Yof.195816$>
    Subject: STALKER ALERT Re: Spy Axe and security toolbar
    Date: Sat, 17 Dec 2005 10:18:18 -0800
    Lines: 59
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Original
    Message-ID: <>
    Newsgroups: microsoft.public.windowsxp.help_and_support
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    =======================================
    NNTP-Posting-Date: Sat, 17 Dec 2005 21:13:34 -0600
    From: "pcbutts1" <>
    Newsgroups: alt.privacy.spyware
    References: <43a49279$0$7328$>
    Subject: Re: spyware infection ,your system is infected...
    Date: Sat, 17 Dec 2005 19:12:58 -0800
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Response
    Message-ID: <>
    Lines: 57
    X-Trace: sv3-
    FVzYc1vfJz/743QW5G5/dE8ZSlmsAAA1a8b8nrJqxjcTVdV+aJ8A2EdxaMAEhLECgPz7NpCn
    BmxU2ac!
    Ra4NKpQ8FklGCcVVNORajq9X2kHpsar2lfvShXLxWpxndLIqjQkWcY6eED/LQHSp+fNKith4
    /5I=
    X-Complaints-To:
    X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
    X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
    X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
    complaint properly
    X-Postfilter: 1.3.32
    =======================================
    From: "venus" <>
    References: <>
    <> <A4CBB24D-DF93-4B7C-B2DD-
    >
    Subject: Re: windows\inet20001\winlogon.exe
    Date: Sat, 17 Dec 2005 18:22:22 -0800
    Lines: 76
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Original
    Message-ID: <>
    Newsgroups: microsoft.public.windowsxp.basics
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    =======================================
    From: "venus" <>
    References: <> <e$rlyx75FHA.2576
    @TK2MSFTNGP09.phx.gbl> <EDE8D8EC-02D9-406A-AFB3-080E203ABA10
    @microsoft.com> <>
    <#> <8D1C909D-12D4-45C3-A7F0-
    > <>
    <> <eUJnEWcAGHA.2040
    @TK2MSFTNGP14.phx.gbl> <6DD39661-981F-4303-B204-
    > <>
    <> <Oc5ryu4AGHA.4036
    @TK2MSFTNGP10.phx.gbl> <F1083BDA-B12E-423E-A9A5-
    > <OH8Fgu#>
    <>
    Subject: Re: WinFixer 2005
    Date: Sun, 18 Dec 2005 17:25:03 -0800
    Lines: 59
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Original
    Message-ID: <>
    Newsgroups: microsoft.public.security.virus
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    =======================================
    From: "venus" <>
    References: <>
    Subject: Re: still getting search popup upon opening windows
    Date: Sun, 18 Dec 2005 17:31:54 -0800
    Lines: 20
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Response
    Message-ID: <>
    Newsgroups: microsoft.public.windowsxp.general
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    =======================================
    From: "venus" <>
    References: <>
    Subject: Re: Warning! Your Computer is Infected! Press Here for Help!
    Date: Sun, 18 Dec 2005 17:30:13 -0800
    Lines: 45
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-RFC2646: Format=Flowed; Original
    Message-ID: <>
    Newsgroups: microsoft.public.windowsxp.general
    NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
    69.237.53.123
    =======================================
     
    Leythos, Dec 19, 2005
  20. 1. Go to add/remove programs and remove any programs that resemble ad/spyware.

    2. Run Lavasoft's Ad ware remover
    http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
    it should find or recogize about 4 processes that Winfixer requires to
    run. I believe it's Side bar Buddy, Alexa, CCrs and another I forget.

    3. Run msconfig and find the listing for winfixer or winsoftware in the
    startup folder. Check in windows explorer for the about name folders also and
    delete them.

    4. Reboot

    **Disclaimer: Not responsible for any damage to computer for advice given.
    To the best of my knowledge the above steps are that I did to remove that
    silly program. No more pop up window at bootup or pop up in general. Hope it
    helps.
    I tend to remember this process fixing my compuer
     
    =?Utf-8?B?a3VlaG5lbCB0cmFkaW5n?=, Dec 22, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.