Winfixer infiltrates AOL ads


Randy Knobloch

Anonymous Bob said:
I thought I'd post this one here because many people are going to get
infected. Calamity Jane has posted some good links in the thread.

http://www.dslreports.com/forum/remark,18049412

Thanks for posting this most informative thread, Bob - thank you!
X-Posting to Spyware General.
Randy

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates:
http://aumha.net/viewforum.php?f=31
Please reply to group, as return address is invalid that we may all benefit.
 

Guest

Anonymous Bob said:
I thought I'd post this one here because many people are going to get
infected. Calamity Jane has posted some good links in the thread.

http://www.dslreports.com/forum/remark,18049412

Thanks for this alert, Bob.

I've read conflicting advice about what to do if confronted by one of these
popup panels inviting a download (some of it in the links given here), and I
wonder if anyone could clarify a few things?

1. Advice is universal NOT to click on the buttons within the panel, but
I've seen it recommended to close it using the little 'x' at top right. But
also I've read recommendations that this too is unsafe, and that the best
response is either to close down Internet Explorer, or to disconnect from the
internet altogether. What, exactly, IS the best approach?

2. What would Defender's response to this be? Or AVG anti-malware? Will
their RTP recognise the Winfixer download and prevent it?

3. What about SpywareBlaster? Or Spybot's immunisation? Do these prevent the
installation of the Winfixer bad stuff?
 

Randy Knobloch

Alan D said:
Thanks for this alert, Bob.

I've read conflicting advice about what to do if confronted by one of these
popup panels inviting a download (some of it in the links given here), and I
wonder if anyone could clarify a few things?

1. Advice is universal NOT to click on the buttons within the panel, but
I've seen it recommended to close it using the little 'x' at top right. But
also I've read recommendations that this too is unsafe, and that the best
response is either to close down Internet Explorer, or to disconnect from the
internet altogether. What, exactly, IS the best approach?

2. What would Defender's response to this be? Or AVG anti-malware? Will
their RTP recognise the Winfixer download and prevent it?

3. What about SpywareBlaster? Or Spybot's immunisation? Do these prevent the
installation of the Winfixer bad stuff?

PLEASE READ **ALL DISCLAIMERS AND WARNINGS - **FIRST**
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://msmvps.com:80/blogs/spywaresucks/archive/2007/03/24/704666.aspx

Randy


--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates:
http://aumha.net/viewforum.php?f=31
Please reply to group, as return address is invalid that we may all benefit.
 

Guest

Randy Knobloch said:
PLEASE READ **ALL DISCLAIMERS AND WARNINGS - **FIRST**

But... but ... Randy, that article (I won't repost the link in my reply)
contains a series of direct links to places that will try to infect me!!!!

I can't see how that would answer my questions ......
 
R

Randy Knobloch

Alan D said:
But... but ... Randy, that article (I won't repost the link in my reply)
contains a series of direct links to places that will try to infect me!!!!

I can't see how that would answer my questions ......

These two Safe URLs should, Alan.
http://msmvps.com/blogs/spywaresucks/archive/2007/03/22/701346.aspx
http://msmvps.com/blogs/spywaresucks/archive/2007/03/21/697330.aspx

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates:
http://aumha.net/viewforum.php?f=31
Please reply to group, as return address is invalid that we may all benefit.
 

Anonymous Bob

Alan D said:
But... but ... Randy, that article (I won't repost the link in my reply)
contains a series of direct links to places that will try to infect me!!!!

I can't see how that would answer my questions ......

Randy posts the link for the MVPS HOSTS file in these newsgroups as it is
updated:
http://www.mvps.org/winhelp2002/
Please note that errorsafe.com is listed in that file. Strongly recommended.

Bob Vanderveen
 

Guest

Anonymous Bob said:
Randy posts the link for the MVPS HOSTS file in these newsgroups as it is
updated:
http://www.mvps.org/winhelp2002/
Please note that errorsafe.com is listed in that file. Strongly recommended.

Thanks Bob, but this takes me into territory where I don't really understand
what I'm doing, so I'm very reluctant to start messing about with the hosts
file. (I'm not even sure how to go about doing it.)
 

Guest

Alan D said:
Thanks Randy, but I can't find anything in those links that addresses my
questions.

It seems to me pretty important (not just for me, but for anyone) to know
exactly what to do if one of these pop-up panels appears, and the advice I've
read so far is inconsistent. So let me frame my questions again, clearly:

1. I've seen recommendations to close the panel using the little 'x' at top
right. But also I've read recommendations that this is unsafe, and that the
best response is either to close down Internet Explorer, or to disconnect from
the internet altogether (without clicking anything at all on the pop-up panel).
What, exactly, IS the best approach?

2. Will Defender's RTP alert me to the Winfixer download, and block it?

3. What about SpywareBlaster? Or Spybot's immunisation? Do these prevent the
installation of the Winfixer bad stuff?
 

Anonymous Bob

Alan D said:
recommended.

Thanks Bob, but this takes me into territory where I don't really understand
what I'm doing, so I'm very reluctant to start messing about with the hosts
file. (I'm not even sure how to go about doing it.)

They've made it as easy as possible. Download the zip file (
http://www.mvps.org/winhelp2002/hosts.zip ) and run the batch file. On XP or
2k you should disable the DNS client [1] (instructions below). There's
nothing else to it. If you have any specific questions, answers will be
provided quickly in this newsgroup.

Near the bottom of the page there're 2 batch files you can use to toggle
the DNS Client. These batch files will eliminate the need to manually
disable the service:
http://www.mvps.org/winhelp2002/DnsManual.bat
http://www.mvps.org/winhelp2002/DnsDisabled.bat

So there ya go. All done with a few mouse clicks.<g>

[1] http://www.mvps.org/winhelp2002/readme.txt

[Important Notice - 2K/XP/Vista Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the
machine. This only occurs in W2000 and XP. Windows 98 and Windows ME are not
affected.

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.

Bob Vanderveen
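A small checker for the HOSTS-file approach Bob describes, added here as an example rather than anything from the thread or the MVPS project. It parses a file in the MVPS layout (address followed by one or more hostnames, `#` comments), reports whether a domain such as errorsafe.com is blackholed, and flags the 135 kb size threshold behind the DNS Client advice; the sample file contents are constructed, and the loopback-name list is an assumption of the example.

```python
"""Check whether a HOSTS file blackholes a hostname (added example)."""

BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback; these are not "blocks".
# (Assumed list for this example, not taken from the MVPS file.)
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LARGE_FILE_BYTES = 135 * 1024  # size quoted in the thread for 2000/XP slowdown

# Constructed sample in MVPS HOSTS layout; not the real MVPS file.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for the example
127.0.0.1 localhost
0.0.0.0 errorsafe.com www.errorsafe.com   # rogue "security" site
0.0.0.0 winfixer.com  www.winfixer.com
# 0.0.0.0 example.org   (commented out, must NOT count as blocked)
192.168.1.10 fileserver.local
0.0.0.0
"""


def parse_hosts(text):
    """Map each lowercase hostname to its address, ignoring comments.

    Trailing and full-line '#' comments are dropped, several hostnames
    may share one line, and a line with no hostname is skipped.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: address with no hostname
        address, *hosts = fields
        for host in hosts:
            mapping[host.lower()] = address
    return mapping


def is_blackholed(mapping, hostname):
    """True if hostname (any case) is pointed at a blackhole address."""
    name = hostname.lower()
    if name in LOOPBACK_NAMES:
        return False  # loopback itself is a normal mapping, not a block
    return mapping.get(name) in BLACKHOLE_ADDRESSES


def is_large(text):
    """True if the file exceeds the size at which the thread says to set DNS Client to Manual."""
    return len(text.encode("utf-8")) > LARGE_FILE_BYTES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("errorsafe.com", "WWW.WinFixer.com", "example.org", "fileserver.local"):
        state = "blocked" if is_blackholed(hosts, name) else "not blocked"
        print(f"{name}: {state}")
    if is_large(SAMPLE_HOSTS):
        print("Large HOSTS file: consider setting DNS Client to Manual on 2000/XP")
```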
 

Anonymous Bob

Alan D said:
It seems to me pretty important (not just for me, but for anyone) to know
exactly what to do if one of these pop-up panels appears, and the advice I've
read so far is inconsistent. So let me frame my questions again, clearly:

1. I've seen recommendations to close the panel using the little 'x' at top
right. But also I've read recommendations that this is unsafe, and that the
best response is either to close down Internet Explorer, or to disconnect from
the internet altogether (without clicking anything at all on the pop-up panel).
What, exactly, IS the best approach?

From http://en.wikipedia.org/wiki/WinFixer
When the user chooses any of the options or tries to close this dialog (by
clicking 'Ok' or 'Cancel' or by clicking the corner 'X'), it will trigger a
pop-up window and WinFixer will download and install itself, regardless of
the user's wishes. Because this is a dialog box related to the Internet
Explorer application, it does not appear in the Windows Task Manager list
(Ctrl+Alt+Del). However, the user may be able to avoid installing the
program either by using the Alt+f4 command or by disconnecting from the
internet before closing the dialogue box.
2. Will Defender's RTP alert me to the Winfixer download, and block it?

I don't know.

3. What about SpywareBlaster? Or Spybot's immunisation? Do these prevent the
installation of the Winfixer bad stuff?

I don't know.

Sorry I can't help you on the last 2 questions, but it appears Alt/F4 is the
safest way to exit from the popup.

If you have a strong desire to use the hosts file but the desire is offset
by a strong fear of messing with your system, drop me an email at
BobV3(at)hotmail(dot)com with your phone number and I'll talk you through it
on the phone.

Bob Vanderveen
 

Randy Knobloch

Anonymous Bob said:
They've made it as easy as possible. Download the zip file (
http://www.mvps.org/winhelp2002/hosts.zip ) and run the batch file. On XP or
2k you should disable the DNS client [1] (instructions below). There's
nothing else to it. If you have any specific questions, answers will be
provided quickly in this newsgroup.

Near the bottom of the page there're 2 batch files you can use to toggle
the DNS Client. These batch files will eliminate the need to manually
disable the service:
http://www.mvps.org/winhelp2002/DnsManual.bat
http://www.mvps.org/winhelp2002/DnsDisabled.bat

So there ya go. All done with a few mouse clicks.<g>

[1] http://www.mvps.org/winhelp2002/readme.txt

[Important Notice - 2K/XP/Vista Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the
machine. This only occurs in W2000 and XP. Windows 98 and Windows ME are not
affected.

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.

Bob Vanderveen

Thanks very much for the assist in this thread, Bob - been away for the weekend.

Cheers & thanks again!

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates:
http://aumha.net/viewforum.php?f=31
Please reply to group, as return address is invalid that we may all benefit.
 

Guest

Sandi - Microsoft MVP said:
2) Will Defender protect you? That is a guarantee that cannot be made. I
am regularly seeing new versions of the installer for this malware that are
not detected. It is too easy to recode executables just enough to break
signature detection, so don't depend on that.

3) The same goes for your other mentioned programmes. There is no 100%
guaranteed protection out there - that is the reality.

I understand that there are no guarantees in this area. What I think I
really meant was: 'Is Defender (or Spybot, or AVG) POTENTIALLY capable of
protecting me?' In other words, does it at least attempt to block a Winfixer
installation if it has the signature? I think the implication of your answer
is 'yes'?
 

Guest

"That's a really kind offer Bob - thank you (though I'm not sure whether
you're in the UK, like me?) However, I'm now hoping to navigate a simpler
alternative. I'm currently investigating whether it would be more sensible
(given my limited expertise) to use Spybot's hosts file instead - which
requires no more than clicking a button, and which does, I understand,
include protection against this particular threat.

For the benefit of anyone reading this who would like further helpful and
clear advice generally on this issue, see the comments in the following
thread in the Spybot forum:
http://forums.spybot.info/showthread.php?p=76321#post76321"

If all you want is a protective HOSTS file, use this instead:
http://www.mvps.org/winhelp2002/hosts.htm

--
Sandi
Microsoft MVP since 1999
http://www.ie-vista.com
Blog:
http://www.msmvps.com/spywaresucks
Internet Explorer Community
http://www.microsoft.com/windows/ie/community/default.mspx
 

Guest

Sandi - Microsoft MVP said:
If all you want is a protective HOSTS file, use this instead:
http://www.mvps.org/winhelp2002/hosts.htm

Thanks Sandi - I have been directed to that page several times, but I barely
understand it; certainly I question my competence to do what's required, but
I have every confidence in my ability to mess my system up by doing the wrong
thing. That's why I went down the Spybot route. Perhaps their hosts file is
less complete - I don't know. But it is simple to apply it from within Spybot
(with Spybot making the necessary backup), and in my case that seemed pretty
important.

In case you hadn't realised, I represent the voice of the millions of
'typical users' who understand very little of the information that's on
offer, but who are trying despite that handicap to grapple with the
complexities of internet security.
 

Guest

"From http://en.wikipedia.org/wiki/WinFixer
When the user chooses any of the options or tries to close this dialog (by
clicking 'Ok' or 'Cancel' or by clicking the corner 'X'), it will trigger a
pop-up window and WinFixer will download and install itself, regardless of
the user's wishes. Because this is a dialog box related to the Internet
Explorer application, it does not appear in the Windows Task Manager list
(Ctrl+Alt+Del). However, the user may be able to avoid installing the
program either by using the Alt+f4 command or by disconnecting from the
internet before closing the dialogue box."

I don't really like that advice - remember Wikipedia can be authored by
anybody and should not be taken as gospel.

1) it is more correct to say "Winfixer will *try* to download and install
itself".

2) Alt F4 - invariably doesn't work nowadays - the Winfixer guys spotted
that workaround and addressed it.

3) disconnecting from the internet - I will have to look deeper at that - if
the bad guys can get around that, they will and they're real pros when it
comes to watching how the man in the street is reacting, and getting around
it.

Of course, you can just turn the power off, but if you are using IE7 or
Vista that really isn't necessary anyway, because the stuff will not download
and install without your permission unless they are using an unpatched or
unknown security exploit. If your system is able to block the winfixer
malware from immediately downloading and installing *without interaction*
then you don't need to disconnect from the internet or shut down to avoid
installation - if, on the other hand, it can (old OS, unpatched system) then
disconnecting when you see that dialogue box or shutting down won't make a
difference - it's already too late.


--
Sandi
Microsoft MVP since 1999
http://www.ie-vista.com
Blog:
http://www.msmvps.com/spywaresucks
Internet Explorer Community
http://www.microsoft.com/windows/ie/community/default.mspx
 

Guest

Alan D said:
I'm now hoping to navigate a simpler
alternative. I'm currently investigating whether it would be more sensible
(given my limited expertise) to use Spybot's hosts file instead - which
requires no more than clicking a button, and which does, I understand,
include protection against this particular threat.

Here's an additional note for anyone else in my position (i.e. worried about
Winfixer etc, but uneasy about fiddling with the MVPS hosts file for fear of
messing things up).

Spybot S&D makes this as simple as it can possibly be. One click of a
button, and you're protected (but don't forget to keep it updated, just like
anything else) - and, most importantly, it's entirely reversible at the click
of another button. (Expect Defender to alert you to the change, and allow
it.) Again, I'll give the link to the relevant Spybot Forum discussion which
contains some simple, clear, and helpful advice:

http://forums.spybot.info/showthread.php?p=76321#post76321
 

Guest

"It seems to me pretty important (not just for me, but for anyone) to know
exactly what to do if one of these pop-up panels appears, and the advice I've
read so far is inconsistent. So let me frame my questions again, clearly:

1. I've seen recommendations to close the panel using the little 'x' at top
right. But also I've read recommendations that this is unsafe, and that the
best response is either to close down Internet Explorer, or to disconnect from
the internet altogether (without clicking anything at all on the pop-up panel).
What, exactly, IS the best approach?

2. Will Defender's RTP alert me to the Winfixer download, and block it?

3. What about SpywareBlaster? Or Spybot's immunisation? Do these prevent the
installation of the Winfixer bad stuff?"

1) You know, your question may just inspire a new blog post about this
stuff - it seems there is some, if not misinformation, certainly
misunderstanding, out there.
I can understand your confusion. The advice you cite (which I recognise as
being advice I have given over the years) has changed over the years as the
behaviour of the bad guys has changed.

The advice to avoid clicking on buttons in a dialogue window is always good
advice, because those buttons can be coded to do just about anything - the
wording is no more than a label. The red cross on the title bar, on the
other hand, cannot be coded to do what it is not supposed to do - it's hard
coded. BUT, that being said, when the bad guys realised that we were
avoiding their wares by closing using the red x, chromeless popups started to
appear that were designed to *mimic* the red x - that is, it was not the real
thing which is why I started spreading the "don't touch the red button"
advice.

Then winfixer and a few others changed the goal posts again. Now we need to
remember that sometimes it does not matter how you get rid of that dialogue
box, whether by clicking on the red x or by closing the page itself, or even
the Web browser in its entirety - the act of closing can be 'interrupted' by
a warning dialogue which is what Winfixer does - there's no way to get around
it.

Just a few days ago I saw a new slide-in dialogue box (screenshot on the
winfixer/AOL blog entry cited elsewhere in this thread) that is not even a
real chrome or chromeless pop-up window, and the X cannot be clicked at all -
it's fake - all that can be clicked on are the two option buttons.

As to your question about what is the best thing to do, what is the "safe"
and "best" thing to do has depended on what you are encountering. Is it a
standard popup or is it a chromeless window with a fake title bar? How is
the page that is triggering coded? If another pop-up or download is coded to
occur on_close, then that is what the page is going to try to do, no matter
what route you take to close the window.

Nowadays I don't advise avoiding the red x because it has been a long time
since I've seen a chromeless window with fake red x and something is tickling
at the back of my memory that it may not even be possible to create the fake
box anymore - something to do with restrictions on chromeless windows. I'll
have to dig in to that further and refresh my memory.

2) Will Defender protect you? That is a guarantee that cannot be made. I
am regularly seeing new versions of the installer for this malware that are
not detected. It is too easy to recode executables just enough to break
signature detection, so don't depend on that.

3) The same goes for your other mentioned programmes. There is no 100%
guaranteed protection out there - that is the reality.

--
Sandi
Microsoft MVP since 1999
http://www.ie-vista.com
Blog:
http://www.msmvps.com/spywaresucks
Internet Explorer Community
http://www.microsoft.com/windows/ie/community/default.mspx
 

Guest

"But... but ... Randy, that article (I won't repost the link in my reply)
contains a series of direct links to places that will try to infect me!!!!"

The only clickable links in my article go to reputable sites. Unfortunately
any Web site using the compromised network is at risk, so if you are going to go
down that particular path, get ready to exclude pretty much all of "the
Internet" because virtually every major advertising network has been
compromised now.

--
Sandi
Microsoft MVP since 1999
http://www.ie-vista.com
Blog:
http://www.msmvps.com/spywaresucks
Internet Explorer Community
http://www.microsoft.com/windows/ie/community/default.mspx
 