Winfix Infection


Guest

Hello,

We are currently working remotely on a client's PC which has a Winfix infection.
This pc has all the updates, running Windows Defender and One Care.

Somehow this infection has infected a fully patched machine, yet Defender
and OneCare will not detect it.

Pop-ups come when entering Windows Updates, Banking...etc.


Can anyone help in discovering why Defender is not picking this up as a
threat? And has anyone else experienced this infection and removed it with a
successful tool?


Thank you,

Chad
 

plun


Guest

Hi, plun. Are there any programs that actually detect Vundo and try to
prevent it from installing? I am using McAfee Anti-Virus, Defender, and
Spyweeper real time, with Ewido, Spybot, and Ad Aware as demand scanners. My
question is serious. Are there any programs protecting, or do we just need to
be satisfied with clean up afterwards?
 

plun

Hi Old Rebel

Vundo and Smitfraud infests are "complicated" in the way that they
are using all known weaknesses within a Windows box.

They are also special in the way that these infests cannot be compared
with 180Solution, Direct Revenue, WhenU etc. because these come from
the "real bad guys".

They are also using "Social Engineering" methods, i.e. "click on me".

During the WMF exploit challenge the bad guys infested PCs using the
security hole; we have also seen it with crackz, ads within prOn, p2p,
and gambling sites, and also IRC Java chats are used.

It all starts with a Trojan Downloader which downloads Vundo or
Smitfraud, often also a PUP such as Winfixer, Errorsafe, Spyfalcon etc
etc......

Now we also have keyloggers and radmin apps coming with these infests.

The whole security business and their intelligence also knows that this
is mainly a "dirty site" problem and this makes it somehow difficult
how to handle this challenge.

Why protect a user who applies a crack? Visits a well-known p2p
torrent site and clicks on banners? Or even runs a non-updated PC?

Lavasoft Adaware and Spybot have included several removals and the
others RTP protection for several PUPs.

It is also "funny" to see all NIS2005 users without any protection
because Symantec has a special module for these risks which is only
available within the 2006 models.

TrendMicro's PC Cillin also has a "fake" anti-spyware module....

WD detects some of them.

And so on with every protection from every vendor............

The key challenge as I see it is how to handle all Trojan Downloaders
which constantly change behavior.

Mark at Sysinternals shows it within his blog and maybe we have
conspiracy ;)

http://www.sysinternals.com/blog/2006/01/antispyware-conspiracy.html

This movie is really good to study what happens when a user applies a
crack.
http://www.sysinternals.com/blog/images/spyware-infestation.wmv

So this is a challenge............but it must be easy to include
Vundo/Smitfraud removals regardless of the Trojan Downloader.

regards
plun
 

Guest

I don't visit the "bad" sites, but with new Windows vulnerabilities, you
never know where they might occur. I keep CastleCops, Bleeping Computer, and
Dell forums at the top of my favorites links. I have also been brushing up on
the Dell PC restore process - Just In Case - worst case scenario. I am
anxiously waiting for Microsoft and McAfee to fix the problem with McAfee not
working on IE7. I am heavily loaded with McAfee programs and none of them
would work on IE7, I have been told. That's a real PITA!!! I can reproduce
that problem on IE6 by totally disabling active scripting - then McAfee not
only will not work, the screens for McAfee programs appear as blank boxes
with no controls available. I have no idea what happens with other anti-virus
programs and IE7 since I cannot experiment with them - especially Norton -
which has other problems and is too hard to remove from the PC anyway. I did that
once and "broke" my BITS. Been there, done that! Never again. Thanks for the
info. REGARDS,
 

plun

Hi Old Rebel

Also read this from Mr Nash about April 11.
ActiveX is already a challenge with IE7 and it will
also be for IE6 after the next security update.......

http://blogs.technet.com/msrc/default.aspx


For example, with IE7, online scanners:

Safety Live works, much work with ActiveX permissions (Manage Addons)

Housecall crashes

Kaspersky not working

Panda not working

Symantec's online support using ActiveX, a lot of trouble.....

and so on....


ActiveX mess, but it's better to block the bad guys...... ;)


regards
plun
 

Guest

Hi, plun! I have already applied that IE update and see no significant
problems that I cannot work around. It does not affect the local zone and has
no effect on McAfee. I am having to click to enable some ActiveX controls on
certain web pages, however. Nothing I can't live with!
 

plun

Hi

Hopefully McAfee fixes this, Mr Nash writes about how to fix ActiveX
problems and also a period to June with a patch.

I don't know if this is also the case with IE7... ???

Housecall, Kaspersky and Panda are impossible to run and
I cannot find any disabled ActiveX or setting to play with.

Java-based scanner works for Housecall (another kernel)


http://housecall.trendmicro.com/

http://www.pandasoftware.com/products/ActiveScan.htm?sitepanda=particulares

http://www.kaspersky.com/virusscanner

http://safety.live.com/site/en-US/default.htm Works...

But maybe I'm blind ;)

regards
plun
 

Guest

I have not tried to do an online scan with Panda or Housecall lately so I didn't
know that. Did hitting the Ctrl or Tab keys not show any ActiveX controls?
Hmmmm! And this is not even a real security update, just something involved in
a patent dispute!!! PITA!!!
 

Guest

Hello, plun! I just got done running a Panda online scan using IE6 with all
optional MS updates installed. The only problem was at the end when I was
viewing the final report. I had to click on an invisible control beneath 1
spyware entry (cookie - com.com - LOL) in order to get details about it.
Otherwise, the scan worked normally. I'm not going to try Trend using ActiveX
controls because in the past, before the updates, it already caused my IE to
crash sometimes. Don't know why. Might be the AOL connection I use.
 

plun

Hi

The same for me... It was 4 ActiveX modules....

I hate "Manage Addons" ;) dreaming about MSAS and how easy it was
with MSAS to handle ActiveX modules...

Kaspersky Labs' "state of the art scanner" is impossible.... ;(

regards
plun
 

Guest

Hi, Old Rebel.

As you will soon realize after reading this very long thread started by
CalamityJane (Microsoft MVP, Windows Security) at
http://www.broadbandreports.com/forum/remark,14738046?r=663 , very frequently
the Winfix/Vundo infection is a result of a vulnerability in old versions of
Sun Java that have not been removed from the computer. Unfortunately,
updating Sun Java is not sufficient. It is necessary to UNINSTALL all prior
versions of Java on the computer as well.

Regards,
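A way to check a Windows box for the leftover Java versions Corrine describes, as an added example that is not from this thread; it assumes the standard Uninstall registry keys and that JRE/JDK entries register a DisplayName beginning with Java, J2SE, JRE or JDK:

```powershell
# Added example: list installed Java runtimes from the Uninstall registry
# keys and flag every version older than the newest one, because a Java
# update installs alongside prior versions instead of replacing them.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaInstalls = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Assumed naming pattern for Sun JRE/JDK entries; skip the updater.
        if ($p.DisplayName -notmatch '^(Java|J2SE|JRE|JDK)' -or
            $p.DisplayName -match 'Auto Updater' -or -not $p.DisplayVersion) {
            return
        }
        # Normalise strings such as "1.5.0_06" into a parseable version.
        $vtext = (($p.DisplayVersion -replace '[^0-9.]', '.') -replace '\.+', '.').Trim('.')
        $ver = $null
        if (-not [version]::TryParse($vtext, [ref]$ver)) { return }
        [pscustomobject]@{
            Name      = $p.DisplayName
            Version   = $ver
            Uninstall = $p.UninstallString
        }
    }
}

if (-not $javaInstalls) {
    Write-Output 'No Java runtime found in the Uninstall registry keys.'
    return
}

$sorted = @($javaInstalls | Sort-Object Version -Descending)
Write-Output "Newest Java install: $($sorted[0].Name) $($sorted[0].Version)"

$stale = @($sorted | Select-Object -Skip 1)
if ($stale.Count -gt 0) {
    Write-Output 'Older Java versions still installed (uninstall candidates):'
    $stale | Format-Table Name, Version, Uninstall -AutoSize
} else {
    Write-Output 'Only one Java version present; nothing stale to remove.'
}
```

The Uninstall column carries each entry's own uninstall command, so a stale version can be removed through Add/Remove Programs or that command rather than by deleting files.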
 

plun

Hi

I have also asked Calamity Jane about MS Java traces but the answer
I got was that MS Java is patched. OK, but how long....until the next
vulnerability? No answer (Castlecops).

IMHO it must be better to also remove MS Java.......

http://www.spywareinfo.com/~merijn/uninstmsjava.html

About Sun's Java, this is a mess and maybe it's time to
include Sun's Java update with Windows Update......

It must be in MS's interest that this security hole
is closed......but maybe they don't talk with each other ?

;)

regards
plun
 

Guest

As far as I am aware, plun (although don't quote me ;) ), it is only old
versions of Sun Java that are vulnerable, not Microsoft Java.

As to MS including the update, the legal implications are well beyond me,
but I am certain they make that an impossibility. Besides, the sad part of
this situation is that the update does not remove the vulnerable version of
the Sun Java software. As long and hard as MowGreen and others have tried to
get this corrected, there have been no changes yet. In the interim, Sun Java
could at least include a notice to uninstall the previous versions in the
instructions. :(
 

plun

Hi Corrine

Well, this was more a principle discussion from me to also remove MS
Java. Remove all "junk", just in case ;)

I know that "MowGreen" has done a great job with Sun Java's "black
hole".

Nevertheless this situation is impossible when almost all users
don't know that Sun Java is a "ticking bomb".

And also a lot of "3rd party" advice about it misses that an uninstall
is needed for older versions.

-----------------------------------------------------------------------

Proposal........

Maybe it's time to close all HijackThis forums (for a while ;) ) and
force these companies, including all security vendors, to come up with a
solution.

Also to change Malwarecomplaints to also include what protection a user
has installed.

But maybe we have conspiracy ? ;)
http://www.sysinternals.com/blog/2006/01/antispyware-conspiracy.html


For sure MS and Sun work with each other if it's about TPM ;)
https://www.trustedcomputinggroup.org/home

But who cares about home users and small business..........

regards
plun
 
