Malicious popup

Steve

Please help! I have a popup problem and 2 Windows
AntiSpyware problems.

1) I have a popup that is linked to a series of
popups. This attacks my desktop sporadically and
unpredictably. The source address is:
http://www.winantispyware.com/pages/scanner/index.php?aid=vm_fm_wfx5kw_4_uwas_ed&lid=&ex=1&p=&ax=1
This site claims to be certified and approved, yet I find
it to be malicious.
2) I have downloaded the Windows AntiSpyware (Beta).
The program runs just fine but cannot detect this
infection.
3) I have attempted to use the Microsoft built-in
reporting system, "Suspected Spyware Reporting Tool," but
the report will not send. The error message given
is "check your internet proxy settings and try again." As
you can see, there is nothing wrong with my proxy
settings.
 
AndyManchesta

This is not approved or genuine. It's the same company as
Winfixer2005 and WinAntivirus2005 under a different name,
and very malicious. They will give you a lot of false
positives, then try to charge you to remove them, and doing
so could mean deleting genuine system files and giving
these people credit card info.

I've just checked this site and it tries to install an
ActiveX, then if you try to close the site it takes you to
the download page and starts giving more pop-ups about
critical threats on the system.

However, this isn't the cause of your pop-ups unless you
have any of the above programs installed; these scum are
just affiliated with what you have, and that could be
anything to be honest.

I have a feeling this may be Trojan.Vundo, but it's hard to
know at this stage without seeing a HijackThis log. Can
you download these: (copy this to Notepad so you can view
it when you reboot into safe mode)


http://securityresponse.symantec.com/avcenter/FixVundo.exe

http://securityresponse.symantec.com/avcenter/FxVundoB.exe

http://securityresponse.symantec.com/avcenter/FxVMonde.exe


Download the FixVundo.exe files and the Virtumonde fix.

Save the files to a convenient location, such as your
desktop.


Download Ewido Security Suite
------------------------------

http://www.ewido.net/en/download/

When installing, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".

From the main ewido screen, click on update in the left
menu, then click the Start update button.

After the update finishes (the status bar at the bottom
will display "Update successful")

Exit Ewido. DO NOT SCAN yet.


Download Ccleaner
-------------------

http://www.ccleaner.com/ccdownload.asp



Reboot into safe mode (Reboot and keep tapping F8 then
choose safe mode from the list )


Close all open browser windows

Locate the files that you downloaded.

Double-click the FixVundo.exe files to start the removal
tools. Run them all to make sure you are not infected
with this.

Click Start to begin the process, and then allow the
tools to run. Important: Do not launch any new
applications while the tools are running.


Run Ewido

Click on the Scanner button in the left menu, then click
on Complete System Scan. This scan can take quite a while
to run.

If ewido finds anything, it will pop up a notification,
select "Remove" as the action for each or check "Perform
action with all infections" and press remove. When the
scan finishes, click on "Save Report". This will create a
text file. Make sure you know where to find this file
again.

Delete Prefetch and Temp Files

Go to Start > Run and type

%temp%

Delete the contents of this folder

Go to Start > Run and type

prefetch

Delete the contents of this folder


Run Ccleaner and press "Run Cleaner"

Then reboot back to normal mode and check if you still
get the pop-ups.


Run the removal tools again if files were found to ensure
that the system is clean.


Let us know how it goes

Regards

Andy
 
AndyManchesta

Just wanted to make this clearer to prevent problems. If
this is Trojan Vundo, the Vundo Fix tools must be run in
safe mode!! Because Vundo adds entries to Winlogon, it's
very important you follow this.

If I'm wrong and it's not Vundo, try some of these online
virus scanners and let us know if you need any help with
this.

Trend Micro

http://housecall.antivirus.com/


Panda

http://www.pandasoftware.com/activescan/


Trojan Scanner

http://www.windowsecurity.com/trojanscan/trojanscan.asp


Kaspersky

http://www.kaspersky.com/virusscanner
 
AndyManchesta

Any ideas why the below message now says unavailable?

All it said was to make sure the fix tools are run in
safe mode, so not sure why it's been deleted.

My thinking is this: in some cases (notably when you are
trying to delete a file called by the Winlogon\Notify
key), deleting the file but not removing the registry
entry that calls the file could cause a conflict; if a
Winlogon key points to an invalid entry, there is a very
real chance the system will refuse to boot. The problem
with running fixes in normal mode is that lots of
infections, like Vundo and Look2Me for example, monitor
that registry key and if you remove it, they replace it.
So you THINK you removed the registry key, but it really
replaced it, and so after you delete the file Windows
fails to start.


Maybe the person who deleted this thinks I'm talking
rubbish, so hopefully they can post next time rather than
deleting my comments and making it look like junk mail.

Thanks Andy
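As an added illustration of the Winlogon\Notify problem Andy describes above (this is an example written for this thread, not Andy's script and not part of any of the tools linked), the following PowerShell audit lists every Notify subkey, resolves the DLL it points at, flags entries whose file no longer exists (the "invalid entry" boot-risk case), and takes a second snapshot to show whether anything re-adds an entry. It assumes an elevated prompt on a Windows machine; the registry path is the real Winlogon\Notify key, the function names are this example's own.

```powershell
# Audit HKLM\...\Winlogon\Notify for dangling or re-added DLL entries.
# Added example for this thread, not part of the original posts or any linked tool.
# Run from an elevated PowerShell prompt on Windows. Read-only: it changes nothing.

$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyEntries {
    # One object per Notify subkey: the DllName value, the resolved path, and whether it exists.
    if (-not (Test-Path $notifyPath)) { return @() }
    Get-ChildItem -Path $notifyPath | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
        $resolved = $null
        if ($dll) {
            # A bare file name is loaded from System32; a rooted path is taken as given.
            if ([System.IO.Path]::IsPathRooted($dll)) { $resolved = $dll }
            else { $resolved = Join-Path $env:SystemRoot "System32\$dll" }
        }
        $exists = [bool]($resolved -and (Test-Path $resolved))
        [pscustomobject]@{ Key = $_.PSChildName; DllName = $dll; Resolved = $resolved; Exists = $exists }
    }
}

function Compare-NotifySnapshots {
    # Reports subkeys that appeared, vanished, or changed DLL between two snapshots.
    param([array]$Before, [array]$After)
    $b = @{}; foreach ($e in $Before) { $b[$e.Key] = $e.DllName }
    $a = @{}; foreach ($e in $After)  { $a[$e.Key] = $e.DllName }
    foreach ($k in $a.Keys) {
        if (-not $b.ContainsKey($k)) { "ADDED   $k -> $($a[$k])" }
        elseif ($b[$k] -ne $a[$k])   { "CHANGED $k : $($b[$k]) -> $($a[$k])" }
    }
    foreach ($k in $b.Keys) {
        if (-not $a.ContainsKey($k)) { "REMOVED $k ($($b[$k]))" }
    }
}

# Pass 1: list entries. Exists = False is the dangling entry that can stop Windows booting.
$first = Get-WinlogonNotifyEntries
$first | Format-Table Key, DllName, Exists -AutoSize
$first | Where-Object { -not $_.Exists } |
    ForEach-Object { Write-Warning "Dangling Notify entry: $($_.Key) -> $($_.Resolved)" }

# Pass 2 after a short wait: an entry that reappears or changes between passes is the
# "monitor that puts it back" behaviour Andy describes, which is why safe mode is advised.
Start-Sleep -Seconds 30
Compare-NotifySnapshots -Before $first -After (Get-WinlogonNotifyEntries)
```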