Help2Go.com

Winfixer Removal

by steamwiz
January 13, 2006

Winfixer is a variant of the Virtumonde (Vundo) web browser hijacker. It pretends to be a program that will help you fix Windows problems, but really it reports false information to try to get you to purchase the program. It is a SCAM. This nasty trojan can be removed by following the steps below:

Note: You should print out these directions before continuing, as you will need to reboot your computer. 

Remove Winfixer 

Step 1: HijackThis

Download and run HijackThis. Our HijackThis tutorial will get you through that part. Once you have run it and created a log file, return to these instructions.


Step 2: Examine HijackThis Log

Next, look at the log file that HijackThis created and look for entries similar to these (remember, YOURS will be different):

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll

O20 - Winlogon Notify: srvdisk - C:\WINDOWS\repair\srvdisk.dll

The filename and its path (shown above as C:\WINDOWS\repair\srvdisk.dll) are random, so yours will be different. Everywhere these instructions mention srvdisk.dll, substitute the name from your own log, and write it down now.


Step 3: VundoFix

Please download VundoFix.exe to your desktop: http://www.atribune.org/content/section/4/30/

Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop. "Vundo" is the name for the type of trojan that Winfixer is.

Step 4: Reboot into safe mode

If you're not sure how to get into safe mode, click here for instructions.


Step 5: KillVundo.bat

Now that you are in safe mode, open the VundoFix folder on your desktop and double-click on KillVundo.bat.

The first thing you see will be this:

[VundoFix screenshot]

Press Enter

Next it will ask you for the filename. Enter the exact filename you wrote down in Step 2, e.g. C:\WINDOWS\repair\srvdisk.dll (as shown in the O2 & O20 entries in YOUR HijackThis log file).

[VundoFix screenshot]

Press Enter.

It will now ask you for a second filename. This is the same folder as the file from Step 2, but with the DLL's name spelled backwards and the extension replaced by .* (enter it exactly in that form). For the example above it would be:

C:\WINDOWS\repair\ksidvrs.*

For example, if the Vundo / Winfixer dll was C:\WINDOWS\badfile.dll you would enter C:\WINDOWS\elifdab.* and if it was C:\WINDOWS\repair\srvdisk.dll you would enter C:\WINDOWS\repair\ksidvrs.*

REMEMBER... this is the filename from the O2 & O20 entries in YOUR HijackThis log, spelled backwards, not the example shown here.

Press Enter. The fix will run, then HijackThis will open.
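Steps 2 and 5 can be checked mechanically. The following Python script is an added example (not part of the original article, nor code from HijackThis or VundoFix): it scans constructed sample HijackThis log lines for a DLL named by both an O2 BHO entry and an O20 Winlogon Notify entry, the pairing this article uses to identify the Vundo file, and derives the reversed name VundoFix asks for at its second prompt. The CLSID and the extra entries in the sample are placeholders, not real values.

```python
import ntpath
import re

# Constructed sample HijackThis log lines, modelled on the entries shown in Step 2.
# A real log names a different random file; the CLSIDs here are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: MSEvents Object - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\repair\srvdisk.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
O20 - Winlogon Notify: srvdisk - C:\WINDOWS\repair\srvdisk.dll
"""

# Matches O2 (BHO) and O20 (Winlogon Notify) lines that end in a full DLL path.
ENTRY_RE = re.compile(r"^(?P<kind>O2|O20) - .* - (?P<path>[A-Za-z]:\\.+\.dll)\s*$",
                      re.IGNORECASE)


def find_vundo_candidates(log_text):
    """Return DLL paths that appear in BOTH an O2 BHO entry and an O20 Winlogon
    Notify entry, the pairing the article uses to spot the Winfixer/Vundo DLL.
    Paths are compared case-insensitively, as Windows does."""
    found = {"O2": {}, "O20": {}}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            found[match["kind"].upper()][match["path"].lower()] = match["path"]
    shared = set(found["O2"]) & set(found["O20"])
    return sorted(found["O2"][key] for key in shared)


def vundofix_second_name(dll_path):
    """Build the second filename VundoFix asks for in Step 5: the same folder,
    the DLL's base name spelled backwards, and the extension replaced by '.*'.
    ntpath handles the Windows-style path correctly on any operating system."""
    folder, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(folder, stem[::-1] + ".*")


def vundofix_inputs(log_text):
    """Pair each candidate DLL with the reversed name to type at the second prompt."""
    return [(path, vundofix_second_name(path)) for path in find_vundo_candidates(log_text)]


if __name__ == "__main__":
    for dll, reversed_name in vundofix_inputs(SAMPLE_LOG):
        print("First filename: ", dll)
        print("Second filename:", reversed_name)
```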


Step 6: HijackThis

In HijackThis, place a check next to the following item(s) and click FIX CHECKED (again, replace srvdisk.dll with whatever you found in Step 2):

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll

O20 - Winlogon Notify: srvdisk - C:\WINDOWS\repair\srvdisk.dll


After you have fixed these item(s), close HijackThis and press any key to force a reboot of your computer. Pressing the key may cause a "Blue Screen of Death"; this is normal, do not worry!

Once your machine reboots please continue with the instructions below. 


Step 7: CleanUp

Download and install CleanUp: http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):

  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK. Then press the CleanUp! button to start the program. It may ask you to reboot at the end; click NO.


Step 8: Panda ActiveScan

Run the Panda ActiveScan virus scanner: http://www.pandasoftware.com/products/activescan.htm


Done!

Your computer should now be clean of the Winfixer trojan! 

If you want your results checked, start a new thread in the Spyware Forum. Copy the results of the ActiveScan and paste them into the new thread, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder. Make sure you tell us you have run VundoFix for Winfixer!