Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

WinAntivirusPro2006 again, via ActiveNetworks

August 28th 2006 in Uncategorized

I’ve been looking around for alternative Internet Explorer resources that I can point users to, resources that complement my own sites (www.ie-vista.com and http://inetexplorer.mvps.org).  During my wanderings I encountered an old ActiveWin page dedicated to Internet Explorer 5.


Once again, an ActiveNetwork banner advertisement is promoting Winfixer (aka WinAntivirusPro2006 aka ErrorSafe).  I’ve encountered this problem before on the ActiveNetwork site, back in March this year.


The dangerous banner advertisement:
 


We click on the advertisement – a dialogue box appears that stops the page behind it from finishing loading until you click OK or the red X:


Then, one of two pages loads (there may be more, this is what I have seen today):

Full size – http://inetexplorer.mvps.org/images/3w.png
Page URL – http://amaena.com/securityworm5827/?p=4&ex=1&aid=fastban&lid=os&mpt=20060828045018
 
Full size – http://inetexplorer.mvps.org/images/3wa.png
Page URL – http://www.amaena.com/securityworm61/index.php?h=10&ex=2&ax=0&aid=fastinu&lid=os&mpt=20060828054414


The entire page is one giant hyperlink…click *anywhere* on the page, even in apparently empty areas, and you will trigger a Winfixer download – note the cursor in the shape of a hand, which indicates that the area under it is a hyperlink.


Here is the next dialogue box – note that there is no “cancel” option.


Click on OK and we see:


Trend Antivirus does not like the download:


Cancel the download, close the dialogue box using the close button or close the page and we see:


Click on OK, Cancel or the close button and we see:


Click the close button and the page finally closes BUT a pop-up window is generated that also tries to infect your system:

Page URL: http://www.amaena.com/securityworm61/download.php?aid=fastinu_exit&lid=os&ex=2


At this point, if you are running an older version of Internet Explorer, or if your security settings are set too low, your system is at risk of being infected with no further user interaction (a drive-by download).
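As an added example (not code from the original post, and nothing taken from the amaena.com pages themselves), here is a small Python script that scans the saved source of a landing page for the tricks shown above: a page that is one giant hyperlink, a dialogue box thrown up as soon as the page loads, a nag prompt when you try to leave the page (onbeforeunload) and an exit pop-up (window.open from onunload) that points at a download. The sample page it runs on is constructed to reproduce those tricks; its markup, the file names in it and the reading of the `aid` query parameter as a campaign tag are all assumptions. Save the real page with View Source and pass the markup to `scan_page()`.

```python
"""Heuristic scan of a saved rogue-antispyware landing page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample reproducing the behaviour described in the walkthrough.
# The markup is an assumption about how such a page is built, not real amaena.com code.
SAMPLE_PAGE = """
<html><head><title>Security Warning</title>
<script type="text/javascript">
window.onbeforeunload = function () { return "Your system may be infected!"; };
window.onunload = function () {
  window.open("download.php?aid=fastinu_exit&lid=os&ex=2", "_blank");
};
</script></head>
<body onload="alert('Warning! Your computer may be infected!')">
<a href="download.php?aid=fastinu&lid=os&ex=2"
   style="display:block;width:100%;height:100%">
<img src="scanner.gif"> <div>Click here to scan your computer</div>
</a>
</body></html>
"""

# Constructed benign page, to show the scanner stays quiet on normal markup.
CLEAN_PAGE = """
<html><head><title>IE5 resources</title></head>
<body><h1>Internet Explorer 5</h1>
<p>See <a href="faq.html">the FAQ</a> for details.</p></body></html>
"""

DOWNLOAD_RE = re.compile(r"download\.php|\.exe(\?|$)", re.I)
WINDOW_OPEN_RE = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""", re.I)


class LandingPageScanner(HTMLParser):
    """Collects raw facts about the page; scan_page() turns them into findings."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.in_body = False
        self.anchor_depth = 0
        self.hrefs = []        # every <a href>
        self.handlers = []     # (tag, attribute, value) for every on* attribute
        self.script = []       # inline script bodies
        self.body_text = 0     # visible characters inside <body>
        self.anchor_text = 0   # of which, characters inside some <a>

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "body":
            self.in_body = True
        elif tag == "a":
            self.anchor_depth += 1
            self.hrefs.append(attrs.get("href", ""))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.handlers.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "body":
            self.in_body = False
        elif tag == "a" and self.anchor_depth:
            self.anchor_depth -= 1

    def handle_data(self, data):
        if self.in_script:
            self.script.append(data)
        elif self.in_body:
            n = len(data.strip())
            self.body_text += n
            if self.anchor_depth:
                self.anchor_text += n


def scan_page(html):
    """Return a sorted list of findings for one page; an empty list means nothing seen."""
    p = LandingPageScanner()
    p.feed(html)
    p.close()
    script = "\n".join(p.script)
    findings = set()
    # 1. "Click anywhere": nearly all visible text sits inside an <a>, or body/html has onclick.
    if p.body_text and p.anchor_text / p.body_text >= 0.9:
        findings.add("whole-page hyperlink")
    if any(t in ("body", "html") and n == "onclick" for t, n, _ in p.handlers):
        findings.add("whole-page hyperlink")
    # 2. Dialogue box before the page is usable (alert from body onload).
    if any(n == "onload" and "alert(" in v for _, n, v in p.handlers):
        findings.add("dialog on page load")
    # 3. Nag prompt when leaving the page.
    if "onbeforeunload" in script or any(n == "onbeforeunload" for _, n, _ in p.handlers):
        findings.add("nag dialog on leaving page (onbeforeunload)")
    # 4. Exit pop-up: window.open fired from onunload.
    unload_attr = any(n == "onunload" and "window.open" in v for _, n, v in p.handlers)
    if ("onunload" in script and "window.open" in script) or unload_attr:
        findings.add("exit pop-up (window.open on unload)")
    # 5. Every URL that looks like a download, with its "aid" value. Reading aid as
    #    an affiliate/campaign identifier is an assumption.
    for url in p.hrefs + WINDOW_OPEN_RE.findall(script):
        if DOWNLOAD_RE.search(url):
            aid = parse_qs(urlsplit(url).query).get("aid", ["?"])[0]
            findings.add(f"download link: {url} (aid={aid})")
    return sorted(findings)


if __name__ == "__main__":
    for line in scan_page(SAMPLE_PAGE):
        print(line)
    print("clean page:", scan_page(CLEAN_PAGE))
```

The text-ratio heuristic in step 1 is what catches the "hand cursor everywhere" page: when practically every visible character is inside one anchor, there is nowhere safe to click. Step 5 is the part worth keeping when you report a campaign: the two download URLs on the sample carry different `aid` values for the click on the page and the click from the exit pop-up, which is what you would expect if the operator is tracking which trick produced the install.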


Removal


You’ll need some specialised tools to get rid of this programme, but there is no guarantee of success, especially if you’re dealing with a new variant.  Try:


Vundofix – run it as a Task:
http://www.atribune.org/content/view/24/2/


If Vundofix doesn’t work, try VirtumundoBeGone – run in safe mode:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe


My personal preference is to also run Smitfraudfix:
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


The following information is for advanced users and for professional technical support – these steps are NOT recommended for the inexperienced.  I have not provided detailed instructions or advice and have assumed a higher than average level of skill.


Still infected?  You’ll need to search for a rootkit using GMER, RootkitRevealer and similar tools.  You’ll also need to generate and analyse a HijackThis log.


An error similar to the following indicates continuing infection:


16 bit MS-DOS Subsystem
<<path to file name>>
The NTVDM CPU has encountered an illegal instruction


You will need to delete the file the old-fashioned way (from a CMD window) or use a product such as Killbox:
http://www.killbox.net/


or Avenger as a last resort – it’s a very powerful programme that should not be used lightly.
http://swandog46.geekstogo.com/


You can read about previous battles with malware here:
http://msmvps.com/blogs/spywaresucks/archive/2006/06/11/100679.aspx
http://msmvps.com/blogs/spywaresucks/archive/2006/06/07/100009.aspx


One comment to “WinAntivirusPro2006 again, via ActiveNetworks”

juris1691@yahoo.com

This WinAntivirusPro really annoys me, as it keeps on popping up on my computer every time I use my laptop, and then I get disconnected. Would someone from your company please email me on how to get rid of this pop-up from WinAntivirusPro on my computer, which I am really not interested in? It is really very, very annoying.

