GeekPolice

Neighbour infected with Winifighter, impossible to remove

Hello - I have tried several anti-malware tools to remove this nasty Winifighter infestation from my neighbour's XP machine to no avail. I have tried XP's system restore facility and it never appears to work, no reason ever given. I have tried SpyBot (which apparently detects and removes one trojan infection but afterwards the Winifighter infection is still there). I tried AdAware (which does not detect anything and winifighter apparently keeps it from updating definition files), Windows Defender (Winifighter apparently prevents it from updating definition files). The most promising thing I have tried so far is Spyware Doctor which does identify several infections on his machine, but you have to pay to get the version that actually removes anything. I don't want to buy anything on my neighbour's behalf not knowing whether it will work or not.

I would like to enlist your help but I am confused about the 'Hijack This!' that I need to run so I can post a log file. It appears to be the same file name as the Malwarebytes Anti-Malware software (winlogon.exe). What is winlogon.exe - is it a diagnostic tool, or an anti-malware program, or both?

Thanks for your help.
JenC

Last edited by jenc on 1st August 2009, 2:59 pm; edited 1 time in total (Reason for editing : changed 'anti-virus' to 'anti-malware' for pedantic reasons)

Re: Neighbour infected with Winifighter, impossible to remove

Having read around a bit more on this site, I am really confused about what software tools are available here. Under "Malware Removal Guides" in the post called "How To Remove Winifighter" the link for downloading Malwarebytes Anti-Malware points to a link "http://www.sendspace.com/pro/dl/4jbidh" and the file available to download is "winlogon.exe". (Additionally I am confused by the instructions which say "rename to mbam to winlogon"...Do the instructions mean to say "rename mbam to winlogon"?.. or rename "winlogon to mbam")

(But on some other guides the link for downloading Malwarebytes Anti-Malware points to a file "mbamsetup.exe"... now that makes more sense)

On the "Read this before posting" topic in this forum, the link for downloading "Hijack This" points to http://www.sendspace.com/pro/dl/932rpd where again the file available to download is "winlogon.exe".

How can both Malwarebytes Anti-Malware and Hijack This be in winlogon.exe? Surely this can't be right?

Last edited by jenc on 1st August 2009, 12:52 pm; edited 1 time in total (Reason for editing : for clarity.. as if that were even possible any more)

Re: Neighbour infected with Winifighter, impossible to remove

Well, continuing this fascinating conversation with myself, I thought I would give a little update. I downloaded Malwarebytes Anti-Malware (NOT via the instructions for "How to remove Winifighter" but via the other instructions, which linked to file "mbam-setup.exe"). I installed MBAM, ran it on my neighbour's computer and I'll be damned if it did not rid his computer of Winifighter, as if by magic. And all this for free!??!! I.. am... totally... gobsmacked. Wish I had tried this software first and I would have saved about 8 hours of my life, instead of fooling around with Windows Defender, Ad-Aware, SpyBot S&D...etc. Damn.

Re: Neighbour infected with Winifighter, impossible to remove

Hello jenc,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP.
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found; copy and paste it back here.

Re: Neighbour infected with Winifighter, impossible to remove

Thanks very much for your reply... but installing MalwareBytes Anti-Malware (mbamsetup.exe) has actually solved my problem already...!

That is very impressive software, that is!

kind regards
Jenc

Re: Neighbour infected with Winifighter, impossible to remove

Please post the HijackThis file. While MBAM took care of most of the infections, there are still some things to take care of.

Re: Neighbour infected with Winifighter, impossible to remove

What sort of things? My neighbour is really quite satisfied that the problem is case closed in his view, and I can't keep messing with his computer for no specific reason.

Re: Neighbour infected with Winifighter, impossible to remove

MBAM will have removed the run values along with some other things which has stopped the malware from loading, but it may not all be gone.
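
An added example, not part of the original thread and not HijackThis's own code: a small Python reviewer for the autostart ("O4") lines of a HijackThis log, which is where leftover Run values of the kind mentioned above would show up. The log lines, value names and paths are constructed, and the expected directories assume a default XP install on C:\WINDOWS.

```python
import ntpath
import re

# HijackThis "O4" lines list autostart entries, e.g.
#   O4 - HKLM\..\Run: [value name] command line
O4 = re.compile(r'^O4 - \S+?\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$')
# Executable path: quoted, or unquoted up to the first .exe/.com/.scr/.bat
EXE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|bat))(?=\s|$)', re.I)

# Assumption: default XP layout on C:\WINDOWS.
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
USER_WRITABLE = (r"\local settings\temp", r"\application data", r"\temp")

def review_autostarts(log_text):
    """Return [(value_name, exe_path, [reasons])] for O4 entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4.match(line.strip())
        if not m:
            continue  # header, running-process list, other sections
        name, cmd = m.group(1), m.group(2)
        pm = EXE.match(cmd)
        path = (pm.group(1) or pm.group(2)) if pm else cmd
        folder = ntpath.dirname(path).lower()
        base = ntpath.basename(path).lower()
        reasons = []
        if base in EXPECTED_DIR and folder != EXPECTED_DIR[base]:
            reasons.append("system process name outside its normal directory")
        if any(part in folder for part in USER_WRITABLE):
            reasons.append("starts from a user-writable directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings

# Constructed sample log fragment (not taken from any real machine).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Example AV\avtray.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example-rogue] C:\Documents and Settings\User\Application Data\example-rogue.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\User\Desktop\winlogon.exe
"""
```

A flag here is a prompt to look at the file, not a verdict: a security tool deliberately renamed to winlogon.exe, as in the removal guide discussed earlier in the thread, trips the same check.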
