From: Bubba Gump on 1 Sep 2005 22:53

Hopefully someone can solve this.

First off, maybe I'm just a glutton for punishment, but I don't use a firewall. It interferes with my work. I'm a tech, so I know all the precautions to ensure my computers' safety nonetheless.

Anyway, every time I try to use IE, as soon as I enter a URL... any URL, the first thing I get is an "OK/Cancel" popup box telling me I may be infected with spyware. (I have Pro level anti-virus software on my machine and can't imagine I'm infected, but there it is).

I know enough that Windows Dialog boxes don't have "X" cancel buttons in the corner, so I know the popup isn't from Windows. I've always clicked Cancel or the X, never the "OK" button. Yet it ALWAYS opens a new window and sends me to an advertisement for a program called "WinFixer". I close the window and only then does my URL load. After that, every time I open IE, an ad pops up in a second window over mine.

I've done a full deep virus scan in safe mode and found nothing. AdAwareSE (also in Safe Mode) finds nothing. Neither MSConfig nor HiJack This shows any file that I don't recognize.

I have all files, including hidden files, visible in File Explorer. I've searched my hard drives and Registry for anything that might be related to "WinFixer" and found nothing.

The most I've found is a "winfixer.com" cookie, which I promptly deleted. I also have popups and Windows Messenger ads/messages blocked, so I can't figure out how it's getting through.

I rarely use IE. My primary browser is Navigator 7.2, and it does not have this problem. So it may have been in my system for a long time and I never knew it.

Am I infected, or must I simply start using the Windows Firewall (I have XP Pro with sp2)? Very annoying. All of the tips on stopping this popup assume you are already infected. Since I never clicked OK and HiJack shows no files I don't recognize, is this just something that all I can do is bite the bullet and activate the firewall? What a pain! :(

Please help.

--
-*- Bubba -*-

From: Someone on 2 Sep 2005 00:48

"Bubba Gump" <ambrosia_1(a)REMOVE.dslextreme.DELETE.com> wrote in message news:Xns96C4DECBECE71abcom(a)216.168.3.50...

> Hopefully someone can solve this.
>
> First off, maybe I'm just a glutton for punishment, but I don't use a
> firewall. It interferes with my work. I'm a tech, so I know all the
> precautions to ensure my computers' safety nonetheless.
>
> Anyway, every time I try to use IE, as soon as I enter a URL... any URL,
> the first thing I get is an "OK/Cancel" popup box telling me I may be
> infected with spyware. (I have Pro level anti-virus software on my
> machine and can't imagine I'm infected, but there it is).
>
> I know enough that Windows Dialog boxes don't have "X" cancel buttons in
> the corner, so I know the popup isn't from Windows. I've always clicked
> Cancel or the X, never the "OK" button. Yet it ALWAYS opens a new window
> and sends me to an advertisement for a program called "WinFixer". I close
> the window and only then does my URL load. After that, every time I open
> IE, an ad pops up in a second window over mine.
>
> I've done a full deep virus scan in safe mode and found nothing.
> AdAwareSE (also in Safe Mode) finds nothing. Neither MSConfig nor
> HiJack This shows any file that I don't recognize.
>
> I have all files, including hidden files, visible in File Explorer. I've
> searched my hard drives and Registry for anything that might be related
> to "WinFixer" and found nothing.
>
> The most I've found is a "winfixer.com" cookie, which I promptly deleted.
> I also have popups and Windows Messenger ads/messages blocked, so I can't
> figure out how it's getting through.
>
> I rarely use IE. My primary browser is Navigator 7.2, and it does not
> have this problem. So it may have been in my system for a long time and
> I never knew it.
>
> Am I infected, or must I simply start using the Windows Firewall (I have
> XP Pro with sp2)? Very annoying. All of the tips on stopping this popup
> assume you are already infected. Since I never clicked OK and HiJack
> shows no files I don't recognize, is this just something that all I can
> do is bite the bullet and activate the firewall? What a pain! :(
>
> Please help.
>
> --
> -*- Bubba -*-

Bubba,

Can you please elaborate on "I have Pro level anti-virus software on my machine and can't imagine I'm infected"? What kind of anti-spyware software do you use?

From: YoKenny on 2 Sep 2005 00:36

Bubba Gump typed:

> Hopefully someone can solve this.
>
> First off, maybe I'm just a glutton for punishment, but I don't use a
> firewall. It interferes with my work. I'm a tech, so I know all the
> precautions to ensure my computers' safety nonetheless.
>
> Anyway, every time I try to use IE, as soon as I enter a URL... any
> URL, the first thing I get is an "OK/Cancel" popup box telling me I
> may be infected with spyware. (I have Pro level anti-virus software
> on my machine and can't imagine I'm infected, but there it is).
>
> I know enough that Windows Dialog boxes don't have "X" cancel buttons
> in the corner, so I know the popup isn't from Windows. I've always
> clicked Cancel or the X, never the "OK" button. Yet it ALWAYS opens a
> new window and sends me to an advertisement for a program called
> "WinFixer". I close the window and only then does my URL load. After
> that, every time I open IE, an ad pops up in a second window over mine.
>
> I've done a full deep virus scan in safe mode and found nothing.
> AdAwareSE (also in Safe Mode) finds nothing. Neither MSConfig nor
> HiJack This shows any file that I don't recognize.
>
> I have all files, including hidden files, visible in File Explorer.
> I've searched my hard drives and Registry for anything that might be
> related to "WinFixer" and found nothing.
>
> The most I've found is a "winfixer.com" cookie, which I promptly
> deleted. I also have popups and Windows Messenger ads/messages
> blocked, so I can't figure out how it's getting through.
>
> I rarely use IE. My primary browser is Navigator 7.2, and it does not
> have this problem. So it may have been in my system for a long time
> and I never knew it.
>
> Am I infected, or must I simply start using the Windows Firewall (I
> have XP Pro with sp2)? Very annoying. All of the tips on stopping
> this popup assume you are already infected. Since I never clicked OK
> and HiJack shows no files I don't recognize, is this just something
> that all I can do is bite the bullet and activate the firewall? What
> a pain! :(
>
> Please help.

Please read:
http://www.tenebril.com/src/info.php?id=461193304
http://www.vitalsecurity.org/2005/07/winfixer-where-did-this-thing-come.html
http://geekstogo.com/forum/index.php?act=ST&f=37&t=56960
http://castlecops.com/t130077-WINFIXER.html

--
YoKenny
Check for security application updates at least weekly:
http://www.dozleng.com/updates/index.php?&act=calendar

From: Bubba Gump on 2 Sep 2005 12:09

"Someone" <someone(a)somewhere.com> wrote in news:CQQRe.500$xl6.147(a)tornado.tampabay.rr.com:

> Can you please elaborate on "I have Pro level anti-virus software on
> my machine and can't
>> What kind of anti-spyware software do you use?

I use NOD32 anti-virus (better than Norton) and AdAware-SE anti-spyware.

I tried activating the Windows firewall and still I get the Winfixer pop-up. :(

Thanks.

--
-*- Bubba -*-

From: Bubba Gump on 2 Sep 2005 15:03

"YoKenny" <YoKenny(a)noway.invalid> wrote in news:iFQRe.8800$884.817084(a)news20.bellglobal.com:

> Please read:
> http://www.tenebril.com/src/info.php?id=461193304
> http://www.vitalsecurity.org/2005/07/winfixer-where-did-this-thing-come.html
> http://geekstogo.com/forum/index.php?act=ST&f=37&t=56960
> http://castlecops.com/t130077-WINFIXER.html

Links to ads for more anti-spyware or people telling others about the existence of "WinFixer" are no help. :(

I hate when people post long log files, but I probably need to:

Logfile of HijackThis v1.97.3
Scan saved at 1:46:38 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NOD32\nod32kui.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\EzDesk.exe
C:\WINDOWS\system\CmSNXeye.exe
D:\Program Files\CpuIdle\cpuidle.exe
D:\Program Files\NewMail\NewMail.exe
D:\Program Files\AVerTV2K\QuickTV.exe
C:\Program Files\NOD32\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NETSCAPE\NETSCP.EXE
C:\Program Files\HijackThis.exe
D:\Program Files\Xnews\Xnews.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\zlldppur.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\zlldppur.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\utildb.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "D:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\PROGRA~1\NETSCAPE\NETSCP.EXE" -turbo
O4 - Startup: cpuidle.lnk = D:\Program Files\CpuIdle\cpuidle.exe
O4 - Startup: NewMail.lnk = D:\Program Files\NewMail\NewMail.exe
O4 - Startup: QuickTV.lnk = D:\Program Files\AVerTV2K\QuickTV.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EzWare EzDesk.lnk = C:\WINDOWS\EzDesk.exe
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\NetTransport 2\NTAddLink.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124113073828
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{571DF32E-5CCC-4885-9298-3B7448EF39CE}: NameServer = 66.51.205.100 66.51.206.100

To clear up some of the "What's that?" questions: I use NOD32 anti-virus. I use a browser plug-in called "NetTransport", "Motherboard Monitor 5" and "CPU Idle" monitoring apps, "The Weather Channel" tray app, and Netscape 7.2 is my primary browser.

As you can see, no "WinFixer.exe", Surf Accessory or Toolbars installed, or similar process is running, so there does not appear to be anything for me to "uninstall".

I've activated Windows' built-in firewall, but it made no difference. A complete Registry scan with Registry Mechanic 4.0 turned up nothing as well.

If I'm infected, damned if I know where it is.

--
-*- Bubba -*-
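
Added example, not part of the thread: a short Python sketch that groups HijackThis entries by section code and lists the O2 (Browser Helper Object) DLLs for manual review by where they load from instead of by name. The sample lines are copied from the log in the post above with the newsreader's line-wrap spaces removed; the function names and the "outside Program Files" review rule are assumptions of this example, a triage heuristic and not a verdict on any file.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted above (wrap spaces removed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\utildb.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{571DF32E-5CCC-4885-9298-3B7448EF39CE}: NameServer = 66.51.205.100 66.51.206.100
"""

# "<section code> - <rest of entry>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# "BHO: <name> - {CLSID} - <path to DLL>"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# Assumption of this example: a BHO DLL that does not live under a
# "Program Files" tree is worth a manual look (signer, version info, dates).
EXPECTED_DIR = re.compile(r"^[A-Za-z]:\\Program Files\\", re.IGNORECASE)


def parse_sections(log_text):
    """Group entry bodies by their HijackThis section code (O2, O4, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def bhos_to_review(log_text):
    """Return (CLSID, path) for every O2 entry loaded from an unexpected directory."""
    review = []
    for body in parse_sections(log_text).get("O2", []):
        m = BHO.match(body)
        if m and not EXPECTED_DIR.match(m.group(3)):
            review.append((m.group(2), m.group(3)))
    return review


if __name__ == "__main__":
    for clsid, path in bhos_to_review(SAMPLE_LOG):
        print("review:", clsid, path)
```

Because O2 entries load inside Internet Explorer itself, they never appear as a separate process or a named startup item, so reviewing them by CLSID and path covers ground that a search for a product name does not.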