Suspicious Warning

Guest

During a session of surfing numerous websites, it looked like something
downloaded from a redirected site, then a picture file opened voluntarily -
I closed it as quickly as I could so that no virus could get in. But it was
too late.

Now, every time I open Internet Explorer I get redirected without my
permission to a website: http://www.systermwarning.com displaying all my
details. I have done my research on that site and it has NOTHING to do with
Microsoft whatsoever, and it is trying to sell me AntiSpyWare products -
which I assume are spyware themselves. Whenever I open Internet Explorer, not
only does it redirect me, it comes up with a bubble message at the bottom of
the screen, making me buy their product. This is not something Microsoft
would do. It also installs a 'trial' of their product: SpyAxe. However, I
am still allowed access to the rest of the internet.

I have run SpyWare/AdWare/MalWare scans; worms and P2P files appear
everywhere. I have deleted them but there is still no difference. I've tried
Microsoft's own AntiSpyWare Beta 1 and deleted these files, but yet again no
difference.

This is a screen shot of what I see when I open Internet Explorer. Please
note the bubble message in the system tray:
http://i7.photobucket.com/albums/y292/Jenko87/screen.jpg

What do I do?!
 
Guest

Have you run any ANTIVIRUS software, i.e. Norton Internet Security or any other
"ANTIVIRUS" software? If not, you can go to their websites and get a free
scan; if you have a virus you may have to purchase software to remove it. To
me it sounds like you have a virus, as opposed to spyware/adware. Good luck.
 
Frank Saunders, MS-MVP OE

Jenko87 said:
During a session of surfing numerous websites, it looked like
something downloaded from a redirected site, then a picture file
opened voluntarily - I closed it as quickly as I could so that no
virus could get in. But it was too late.

Now, every time I open Internet Explorer I get redirected without my
permission to a website: http://www.systermwarning.com displaying all
my details. I have done my research on that site and it has NOTHING
to do with Microsoft whatsoever, and it is trying to sell me
AntiSpyWare products - which I assume are spyware themselves.
Whenever I open Internet Explorer, not only does it redirect me, it
comes up with a bubble message at the bottom of the screen, making me
buy their product. This is not something Microsoft would do. It also
installs a 'trial' of their product: SpyAxe. However, I am still
allowed access to the rest of the internet.

I have run SpyWare/AdWare/MalWare scans; worms and P2P files appear
everywhere. I have deleted them but there is still no difference.
I've tried Microsoft's own AntiSpyWare Beta 1 and deleted these
files, but yet again no difference.

This is a screen shot of what I see when I open Internet Explorer.
Please note the bubble message in the system tray:
http://i7.photobucket.com/albums/y292/Jenko87/screen.jpg

What do I do?!

Malware Removal:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
plun

Hi Jenko87

This is the wmf exploit in action.

Get yourself real protection; all major
antivirus apps detect this wmf exploit.

regards
plun
 
Bill Sanderson

Update your antivirus products and do a full scan of the machine in safe
mode.

Alternatives:

call Microsoft PSS 1-866-pcsafety (if you are in the US or Canada) and ask
for free help with virus or security issues.

Restart windows in Safe mode with Networking, and go to:

http://safety.live.com and do a full scan of the system. This is Microsoft's
malware protection site, and has their latest antivirus definitions.
 
Bill Sanderson

Agreed.

(as an aside--I just was looking through the bios settings of a couple new
laptop machines I bought for a corporate client, and was surprised to note
that they have the TPM module in place and bios settings tied to a
proprietary setup to get the machines back in case of loss or theft. All of
this was turned off by default, but it's real carefully labelled--certain
settings changes to it are permanent--they can't be reversed.....) Dell
Latitude D610's or some similar number.

--
 
plun

Bill Sanderson formulated on Saturday:
(as an aside--I just was looking through the bios settings of a couple new
laptop machines I bought for a corporate client, and was surprised to note
that they have the TPM module in place and bios settings tied to a
proprietary setup to get the machines back in case of loss or theft. All of
this was turned off by default, but it's real carefully labelled--certain
settings changes to it are permanent--they can't be reversed.....) Dell
Latitude D610's or some similar number.

Hi Bill

Happy new year !

For a corporate client notebook this is maybe a good idea ;)
But there are a lot of other alternatives, and perhaps
cheaper alternatives than TPM, to protect a notebook.

For everyone else the TPM module is "George Orwell 1984".

Tried to find out more about this module in the latest Vista CTP but
MS has hidden it carefully among the MMC modules, and if you don't have a
TPM chip you see nothing.

Also read Paul Thurrott's excellent 5270 review; this is something
which must be explained more from MS.

I don't trust MS and TPM ;(

Perhaps they blog more rumours/facts about this..............


regards
plun
 
Bill Sanderson

I've just managed to get 5270 running, but it's on my own machine--no TPM
module.

I'm tempted to try running it on one of those laptops--I'll have the ability
to do that I think with one of them--they are going to get used as desktops
a good part of the time, and I have full control over them.

Happy New Year to you!

--
 
plun

After serious thinking Bill Sanderson wrote :
I've just managed to get 5270 running, but it's on my own machine--no TPM
module.

I'm tempted to try running it on one of those laptops--I'll have the ability
to do that I think with one of them--they are going to get used as desktops a
good part of the time, and I have full control over them.

Hi

This is a must: how to disable UAP, it drives you crazy otherwise. ;)

http://bink.nu/Article5675.bink

Audigy's beta drivers work after manual installation ;)

Avast Antivirus works except for the web protection, which I disable;
perhaps there is a setting somewhere to use this module in Vista?

Defender works.

But with Defender and UAP running it's a pain to run Vista.

Maybe MS chose this way to show why TPM is better ;)

Vista is beautiful and powerful but I cannot see the major benefits
compared to XP. It will be hard work for MS to sell Vista, I believe.
Even harder with the TPM module.............

But both MS and Intel seem to go for beautiful friendly colours for all
presentations/logos and maybe this can make users buy it ;)

Intel
TPM inside

;)

regards plun
 
Anonymous Bob

plun said:
Hi Jenko87

This is the wmf exploit in action.

Get your self real protection, all major
antivirus apps detects this wmf exploit.

Happy New Year, plun!

I haven't been keeping up very well with the posts in these newsgroups and
I've not seen other mention of this exploit here. Microsoft's temporary fix
is to disable shimgvw.dll, but there's perhaps a better temporary fix
available from Ilfak Guilfanov. It's discussed here:
http://www.grc.com/sn/notes-020.htm

Bob Vanderveen
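The two posts above name the WMF exploit and the stopgaps (unregistering shimgvw.dll, Ilfak Guilfanov's gdi32 hotfix), but neither shows how to tell whether a picture file actually carries the trigger. The script below is an added example, not code from this thread or from any of the people posting in it. It walks a Windows Metafile record by record and flags Escape records (function 0x0626) whose escape sub-function is SETABORTPROC (9), the construct the exploit used to get its payload called. The sample metafiles are constructed inline; the SETABORTPROC record carries four filler bytes, not a payload, and the placeable-header checksum is left at zero and not verified.

```python
import struct

# WMF record function numbers and Escape sub-functions used below.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626          # the Escape record
ESC_NEWFRAME = 0x0001         # a harmless Escape sub-function
ESC_SETABORTPROC = 0x0009     # the sub-function abused by the WMF exploit
PLACEABLE_KEY = 0x9AC6CDD7    # magic of the optional 22-byte placeable header
STD_HEADER_LEN = 18


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    Skips a placeable header if present, validates the standard header and
    stops quietly at a truncated or zero-length record instead of looping.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("too short to hold a WMF header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(data):
            break                      # malformed or truncated record
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_setabortproc(data):
    """Return offsets of Escape records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESC_SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample files (not real malware) ---------------------------

def wmf_record(func, params=b""):
    """Build one record: size in 16-bit words, function number, parameters."""
    if len(params) % 2:
        params += b"\x00"              # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    """Wrap records in a standard header (and optionally a placeable one)."""
    eof = wmf_record(META_EOF)
    body = b"".join(records) + eof
    max_words = max(len(r) for r in records + [eof]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STD_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    out = header + body
    if placeable:
        # key, handle, bounding box, dpi, reserved, checksum (left at 0)
        out = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


BENIGN_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
    wmf_record(META_ESCAPE, struct.pack("<HH", ESC_NEWFRAME, 0)),
])
SUSPECT_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
    # SETABORTPROC escape followed by four filler bytes, not a payload
    wmf_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\xcc" * 4),
])
PLACEABLE_SUSPECT_WMF = build_wmf([
    wmf_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\xcc" * 4),
], placeable=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable suspect", PLACEABLE_SUSPECT_WMF)]:
        print(name, find_setabortproc(blob))
```

The check keys on record content rather than file extension on purpose: the viewer acted on the bytes, and the extension was whatever the serving site chose. A hit is a reason to quarantine the file and examine it, not proof of exploitation; a legitimate metafile can in principle contain an Escape record, but SETABORTPROC has no business in an image meant for display.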
 
Anonymous Bob

Oops! I just found the thread from Dave M posted on Dec 29. ;-)

Bob Vanderveen
 
plun

Hi Bob

Happy New Year for you also.

Directly to Ilfaks blog

http://www.hexblog.com/2005/12/wmf_vuln.html

I don't like 3rd party patches and they will never be
spread to the users who really need them.

This exploit "lives" within crackz, porn, gambling sites, p2p,
IRC bots, i.e. the Internet's cloak.

But we have a problem that this exploit now also spreads
within mail, so I saw Symantec raised the threat level to "Elevated".


Corporate admins who have a "hangover" today will maybe meet some
problems/challenges tomorrow........

regards plun

Anonymous Bob wrote on 2006-01-01 :
 
Bill Sanderson

Thanks for the link--I know some others who are having that trouble--so far
it doesn't seem to be bothering me--but then again, I can only get it to
access the network occasionally--don't know what the issue is--I can ping by
name, but can't bring up a web page from the same site.

The question of what will justify the upgrade is a big one--I was just
talking to some folks about that yesterday. So far, I don't have an answer.

--
 
Anonymous Bob

Reply interspersed

plun said:
Hi Bob

Happy New Year for you also.

Directly to Ilfaks blog

http://www.hexblog.com/2005/12/wmf_vuln.html

I don't like 3rd party patches and they will never be
spread to the users who really need them.

On the plus side:
Ilfak Guilfanov is certainly a trusted source.
His fix doesn't disable thumbnails.
His fix can be easily removed via Add/Remove programs.

On the minus side:
I'm uncertain if his fix would/should be removed before the final Microsoft
fix is applied.

Only those of us who frequent security newsgroups would be aware of either
Microsoft's or Ilfak's fix.
This exploit "lives" within crackz, porn, gambling sites, p2p,
IRC bots, i.e. the Internet's cloak.

But we have a problem that this exploit now also spreads
within mail, so I saw Symantec raised the threat level to "Elevated".


Corporate admins who have a "hangover" today will maybe meet some
problems/challenges tomorrow........

I suspect many people will have a bad day at the office on Monday and/or
Tuesday. <g>
 
plun

On the plus side:
Ilfak Guilfanov is certainly a trusted source.
His fix doesn't disable thumbnails.
His fix can be easily removed via Add/Remove programs.

On the minus side:
I'm uncertain if his fix would/should be removed before the final Microsoft
fix is applied.

Only those of us who frequent security newsgroups would be aware of either
Microsoft's or Ilfak's fix.
I suspect many people will have a bad day at the office on Monday and/or
Tuesday. <g>

Hi

Within Ilfak's blog and "Comments" we can see admins without a hangover
who try to protect their networks ;)

Well, who knows if MS definition/safety personnel work on holidays, but
security must be a 24/7 routine, as for all major vendors.

regards
plun
 
Bill Sanderson

You can bet that all available hands are working on this issue at
Microsoft--they aren't going to make statements until they've got specific
concrete advice that will work for everyone to offer. The real statement
I've seen besides the revisions in the advisories has been a blog statement
that they've determined that a patch will be the appropriate fix.

--
 
plun

Hi Bill

http://isc.sans.org/diary.php?storyid=996

" I'm being as straightforward and honest as I can possibly be: the
Microsoft WMF vulnerability is bad. It is very, very bad."

"The word from Redmond isn't encouraging. We've heard nothing to
indicate that we're going to see anything from Microsoft before January
9th. "

"The upshot is this: You cannot wait for the official MS patch, you
cannot block this one at the border, and you cannot leave your systems
unprotected."

"It's time for some real trustworthy computing. All we're asking is if
we've proved ourselves to be worthy of your trust."

--
plun



Bill Sanderson was thinking very hard :