Hi,? I will thank anyone who can offer me any advice in advance!?

A couple days ago random pop ups started advertising Winantispyware and Winfixer on my computer.? I'm wondering if someone can help give me the solution to removing them.? I've attached a hijackthis logfile.

Thanks!

:-) Hi Pete,

Welcome to PCHF. We have had a rash of those rotton little monsters lately.

Let me check over your HijackThis! Log to make sure there isn't anything else we should also be addressing.

I'll get right back to you.

Just to make sure, did you follow the instructions about what to do before posting your log? Just want to know where we are starting from.

TTFN

T

Hi pete3330,

Yeah, I had the same problem before: WinFixer pop-ups, Aurora pop-ups,...it's was annoying as well as a hassle to get rid of.

Here's what you should do:

First, download the following programs:
Spybot Search & Destroy: http://www.download.com/Spybot-Searc...ml?tag=lst-0-1

AdAware SE Personal Edition: http://www.download.com/Ad-Aware-SE-...ml?tag=lst-0-1

CCleaner: http://www.download.com/CCleaner/300...ml?tag=lst-0-1

Spyware Blaster: http://www.download.com/SpywareBlast...ml?tag=lst-0-1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then update Spybot, AdAware and Spyware Blaster...

After that, restart your computer in Safe Mode by pressing 'F8' while booting up.

Then log into Windows and run each program listed above one at a time (this is important because if you run multiple scans at the same time, it might freeze your computer...).

After that, follow the instructions given from each program...

...Then restart your computer, run Hijack This! and then post a Hijack This! log here. :-)

Also, after you finish using the AntiSpyware programs, you might want to run CCleaner...then post a Hijack This! log. :-)

@PC Forum Helper (or whatever youre name may be tommorow...) , that is not going to help to get rid of that infection.


@pete3330 , just wait for TJ's instructions please.

why not? (unless i forgot to mention turning system restore off)...

Because neither of those apps removes the winantispyware/winfixer/vundo infection.

:-) Hi Pete,

I'm back, actually the fix that PC Forum Helper just gave you is not the correct fix for this problem, I applogize and will address that later.

right now, I need you to make sure that you read the following instructions carefully, if you have printer capability, you will want to print them out as you will need to be in Safe Mode for the majority of the fix, and you must stay in Safe Mode until you are finished or you will have to start all over again.

Please download Process Explorer by Systernals

Next download KillBox by Option^Explicit

Also, Please download and install CCleaner from my signature

It is always a good idea to disable System Restore before going forward with any clean to make sure you are not reinfected. To do this, right-click on My Computer, click on Properties, System Restore, check the box that says disable System restore, and answer Yes to any warnings.

Then boot up in SAFE MODE and stay in safe mode untill the entire fix is done.(hit f8 when booting up)

Run CCleaner, also to prevent any reinfection, make sure all options are selected including Advanced, answer Yes to all warnings and click on Analyse, when the program has finished, click on Run Cleaner and allow it to clean everything. Then procede with the rest of the fix.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Exlporer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of mlljg.dll once and then click the kill button.

After you have killed all of the mlljg.dll's under winlogon click OK.

Next In the top section of the Process Exlporer screen again , double click on explorer.exe and again click once on each instance of mlljg.dll then click the kill button.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

Quote
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\mlljg.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {DA92F66E-49D0-3873-F2FF-171332FD3CB7} - C:\WINDOWS\system32\ufsmad.dll (file missing)
The following two are missing files, you may want to reinstall JavaO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
Unless you absolutely know what this is and want it,it should be fixed, known adware
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab

O20 - Winlogon Notify: mlljg - C:\WINDOWS\system32\mlljg.dll

Now click fix checked and close HijackThis.

Please copy the text in the quote below, and paste it into a blank notepad window.
Save it as vundo.reg and in the "save as type" box choose "all files".

Once you have saved it double click it and allow it to merge with the registry.

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B5527 4-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB 5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEve nts]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEve nts.1]


Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box


C:\WINDOWS\system32\mlljg.dll


Click the red circle with the white x and allow your computer to reboot.



After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

I know it sounds like a lot, but these are very invasive rotton little monsters. ?:wink:

I'll be looking forward to your reply.

TTFN

T