Are WinFixer 2005 popups a sign of infection or just attempts at infection?

Discussion in 'Spyware' started by Donna Fox, Jan 13, 2006.

  1. Donna Fox Guest

    Are WinFixer 2005 popups a sign of infection or just attempts at infection?

    My hosts file is huge, Ad Aware, Spybot Search & Destroy, Spyware Blaster,
    ZoneAlarm, etc. are all running, Firefox is set to block popups, Ewido &
    Avast are running, etc. ... yet ... I gotta hand it to the WinFixer folks.
    They seem to have slipped by my defenses somehow. Or not?

    All I know is I just now received three very professional looking Windows
    XP looking popups warning:

    http://www.winfixer.com
    NOTICE: If your computer has errors in the registry database or file
    system, it could cause unpredictable or erratic behavior, freezes and
    crashes. Fixing these errors can increase your computer's performance and
    prevent data loss. Would you like to install WinFixer 2005 to check your
    computer for free? (Recommended)
    OK Cancel

    --- After x'ing that, I get another ---

    http://www.winfixer.com
    NOTICE: You have not completed the errors scan.
    If your computer has errors in the file system or Windos registry,
    it could cause unpredictable or erratic PC behavior, freezes, crashes
    and loss of data. You need to install WinFixer 2005 to scan for and,
    if found, fix system errors now (Recommended)?
    OK Cancel

    --- Insidiously, after x'ing that, I get yet another ---

    Winfixer 2005 will scan your system for errors now.
    Please select "RUN" or "OPEN" when prompted to start the installation.
    This file has been digitally signed and independently certified as
    100% free of viruses, adware, and spyware.
    OK

    --- Given these three popups ---
    I googled for WinFixer to see lots of people get this presumed popup ad.
    But how did they slip by all the standard defenses?
    Or did they?

    Unfortunately, I am decidedly not an expert so I ask those who are:

    Are these three WinFixer 2005 popups evidence of an existing WinFixer 2005
    infection or are the three popups just an attempt at an infection?
     
    Donna Fox, Jan 13, 2006
    #1

  2. Jim Byrd Guest

    Hi Donna - Seven approaches to removing Winfixer (Vundo). Not all will work
    on all variants. It's suggested that you try them in this order. See below
    about Sun Java for one possible infection route.

    1 - Feedback from users reports that the Removal Tool here is the most
    effective against what is currently the most common variety of this
    'malware':
    http://forums.mcafeehelp.com/viewtopic.php?t=57049



    2 - Symantec has a new Vundo remover:
    http://securityresponse.symantec.com/avcenter/FixVundo.exe
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
    http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



    3 - Courtesy of Dave Lipman:

    "Download WinFixerFix.exe from the URL --
    http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


    On the infected PC...

    Execute; WinFixerFix.exe { Note: You must accept the default of
    C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
    through your FireWall to enable WGET.EXE to download the needed McAfee
    related files.

    Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in
    c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be
    generated. At the end of the scan, it will be displayed in your browser
    (Opera, FireFox or Internet Explorer). It is suggested that you move the
    report out of c:\mcafee before performing another scan. It would be a good
    idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session."



    4 - McAfee has a combined automated/manual removal procedure here:
    http://vil.nai.com/vil/content/v_127690.htm



    5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

    "Atribune, a guy in the forums, has a Vundo fix tool as well:

    Instructions for use by user as posted in the SpywareWarrior forum:

    'Please download VundoFix.exe to your desktop. Here's a link:

    http://www.atribune.org/downloads/VundoFix.exe

    Double-click VundoFix.exe to extract the files
    This will create a VundoFix folder on your desktop.
    After the files are extracted, please restart your computer into Safe Mode.

    Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

    A command window will open and it should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk

    At this point press enter one time.

    Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, to continue with the fix.


    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\geeby.dll

    Press Enter.

    Next you will see:

    Please type in the second filepath as instructed by the forum staff

    At this point please type the following file path (make sure to enter it
    exactly as below!):
    C:\WINDOWS\system32\ybeeg.*

    Press Enter to continue.

    The fix will run then HijackThis will open.
    In HijackThis, please place a check next to the following items and click
    FIX CHECKED:


    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
    C:\WINDOWS\system32\geeby.dll
    O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

    After you have fixed these items, close Hijackthis.

    The fix will tell you to shutdown using the Power button. Hold in your power
    button until the computer shuts down. Wait about 15 seconds and then restart
    the computer into regular windows.

    Chkdsk will run. This is normal. It will take a few minutes and is checking
    your file system because of the Bad Shutdown we caused.

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Allow them to clean

    Panda will have the option to create a log after the scan has finished.
    Click the See Report button. Then click the Save Report button. It will be
    saved under the name activescan.txt. Do that and post that log into your
    next reply here.

    Run HijackThis and post the new log and the vundofix.txt file from the
    VundoFix folder as well.'

    The forum helpers have reported this fix from Atribune works. I don't know
    about the Symantec tool.

    If you'd like to join Spyware Warrior, you could see the thread where the
    helpers are discussing this.

    Suzi"


    Note: Here's some added info relative to the above courtesy of MVP Steve
    Wechsler (akaMowGreen):

    "the .dll's file name :

    C:\WINDOWS\system32\geeby.dll

    will be different on different systems. What you can do to identify it
    is to scan the system with HijackThis and look at the O2 BHO and/or O20
    Winlogon entries to find out its name. Close all other programs and
    browsers prior to scanning with HJT. REMEMBER that there is a hidden file
    that will have the name of the .dll spelled backwards. Enter that name when
    the VundoFix requests the path to the second file.



    6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
    that can be used if the recommended method fails :
    http://www.bleepingcomputer.com/forums/topic18610.html"




    7 - Courtesy of S.Sengupta[MS-MVP]

    Download VirtumundoBegone and save it to your desktop.

    VirtumundoBegone
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    Run that application after booting into safe mode.





    Here's the HijackThis info you may need:

    Download HijackThis, free, here:
    http://www.merijn.org/files/hijackthis.zip (Always download a new
    fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
    You may also get it here if that link is blocked:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

    There's a good "How-to-Use" tutorial here:
    http://computercops.biz/HijackThis.html

    In Windows Explorer, click on Tools|Folder Options|View and check "Show
    hidden files and folders" and uncheck "Hide protected operating system
    files". (You may want to restore these when you're all finished with
    HijackThis.)

    Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
    at the root level such as C:\HijackThis (NOT in a Temp folder or on your
    Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
    when it's finished which will create hijackthis.log. Now click the Config
    button, then Misc Tools and click on Generate StartupList.log which will
    create Startuplist.txt


    Then go to one of the following forums:

    Spyware and Hijackware Removal Support, here:
    http://forums.spywareinfo.com/
    or Jim Eshelman's site here: http://forum.aumha.org/
    or Bleepingcomputer here: http://www.bleepingcomputer.com/
    or Computer Cops here: http://www.computercops.biz/forums.html
    or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
    or Net-Integration here: http://net-integration.us/forums/index.php

    Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
    of the particular site's HiJackThis forum, then copy and paste both files
    into a message asking for assistance. Someone will answer with detailed
    instructions for the removal of your parasite(s). Be sure you include at
    the beginning of your post a description of "What specific
    problem(s)/symptoms you're trying to solve" and "What steps you've already
    taken."




    *******
    ONLY IF you've successfully eliminated the malware, you can now make a new,
    clean Restore Point and delete any previously saved (possibly infected)
    ones. The following suggested approach is courtesy of Gary Woodruff: For XP
    you can run a Disk Cleanup cycle and then look in the More Options tab. The
    System Restore option removes all but the latest Restore Point. If there
    hasn't been one made since the system was cleaned you should manually create
    one before dumping the old possibly infected ones.
    *******


    You probably should consider switching to Sun Java J2SE 5.0 JRE or later
    here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
    especially since MS will apparently no longer be distributing Java or
    providing any support for Java including security fixes after Dec 31, 2007.
    BE SURE that you uninstall any prior versions of Sun Java as some,
    specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
    notably Winfixer/Vundo, are suspected of exploiting. If you did have this
    version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
    us.


    When you get things cleaned up, take a look at my Blog, Defending Your
    Machine, addy in my Signature below, for some additional curative and
    preventive measures you might want to implement to help prevent this type of
    thing in the future.
     
    Jim Byrd, Jan 13, 2006
    #2
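The HijackThis O2/O20 triage that Jim Byrd's post (and the Steve Wechsler note inside it) describes, as an added example; it is not code from the thread or from HijackThis, VundoFix or any other tool named there. It parses the two HijackThis line shapes quoted in the post, flags a system32 DLL that is hooked both as a BHO and as a Winlogon Notify package or that has a sibling file named with the DLL's name spelled backwards, and derives the two paths VundoFix prompts for. The log lines and the directory listing are constructed; the MSEvents CLSID and the names geeby/ybeeg come from the post, while the CLSID of the benign entry and the names sampnotify and helper.dll are placeholders.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines for the
Vundo/Virtumonde pattern: one DLL in system32 hooked as both a BHO and a
Winlogon Notify package, with a hidden sibling file whose name is the DLL's
name spelled backwards.  Also derives the two paths VundoFix asks for.

Added example, not the thread's or any tool's own code.  The log lines and
the directory listing below are constructed; 'geeby.dll' / 'ybeeg' are the
hypothetical names used in the thread, 'sampnotify' and 'helper.dll' are
placeholders.
"""
import os
import re
from typing import Dict, List, NamedTuple, Set

# HijackThis line shapes as quoted in the post:
#   O2 - BHO: <name> - {<CLSID>} - <path>
#   O20 - Winlogon Notify: <name> - <path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Constructed sample log: an ordinary BHO outside system32 (placeholder CLSID),
# a benign Winlogon Notify package, and the Vundo pair from the thread.
SAMPLE_LOG = """\
O2 - BHO: Sample Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\SampleVendor\\helper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\\WINDOWS\\system32\\geeby.dll
O20 - Winlogon Notify: sampnotify - C:\\WINDOWS\\system32\\sampnotify.dll
O20 - Winlogon Notify: geeby - C:\\WINDOWS\\system32\\geeby.dll
"""

# Constructed listing of C:\WINDOWS\system32 as `dir /a /b` would print it
# (hidden files included); the ybeeg.* files are the reversed-name twins.
SAMPLE_SYSTEM32 = ["kernel32.dll", "user32.dll", "sampnotify.dll",
                   "geeby.dll", "ybeeg.ini", "ybeeg.bak"]


class Entry(NamedTuple):
    kind: str   # "O2" or "O20"
    name: str
    path: str   # path exactly as HijackThis printed it


def parse_hjt(log: str) -> List[Entry]:
    """Pull O2 and O20 entries out of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line) or O20_RE.match(line)
        if m:
            kind = "O2" if line.startswith("O2 ") else "O20"
            entries.append(Entry(kind, m.group("name"), m.group("path")))
    return entries


def find_vundo(entries: List[Entry], system32_files: List[str]) -> Dict[str, dict]:
    """Return {dll_path: finding} for system32 DLLs matching the pattern.

    A DLL is flagged when it is hooked as both BHO and Winlogon Notify, or
    when a file whose stem is the DLL's stem reversed sits beside it.
    """
    hooks: Dict[str, Set[str]] = {}
    original_path: Dict[str, str] = {}
    for e in entries:
        key = e.path.lower()
        hooks.setdefault(key, set()).add(e.kind)
        original_path.setdefault(key, e.path)

    findings: Dict[str, dict] = {}
    for key, kinds in hooks.items():
        directory, _, filename = original_path[key].rpartition("\\")
        if not directory.lower().endswith("\\system32"):
            continue
        stem = filename.rsplit(".", 1)[0]
        twin_stem = stem[::-1].lower()
        twins = sorted(f for f in system32_files
                       if f.lower().rsplit(".", 1)[0] == twin_stem)
        if kinds >= {"O2", "O20"} or twins:
            findings[original_path[key]] = {
                "hooks": sorted(kinds),
                "twins": twins,
                # The two answers VundoFix prompts for, in that order.
                "vundofix_paths": [original_path[key],
                                   f"{directory}\\{stem[::-1]}.*"],
            }
    return findings


def list_system32() -> List[str]:
    """Real listing on a Windows box (os.listdir includes hidden files),
    the constructed sample anywhere else."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        return os.listdir(os.path.join(root, "system32"))
    return SAMPLE_SYSTEM32


if __name__ == "__main__":
    for dll, info in find_vundo(parse_hjt(SAMPLE_LOG), list_system32()).items():
        print(dll, info)
```

Run it against a real hijackthis.log by reading the file into `parse_hjt` and pairing it with `list_system32()`; the benign helper.dll and sampnotify.dll entries are left alone, and only geeby.dll is reported with its ybeeg.* twins.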

  3. pcbutts1 Guest

    Use this removal tool for winfixer only run it in safe
    mode. If it does not work then run hijackthis and send
    me a log file.

    More info here
    Removal Tool - Adware-Virtumundo/WinFixer Popups
    http://forums.mcafeehelp.com/viewtopic.php?t=57049


    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com
     
    pcbutts1, Jan 13, 2006
    #3
  4. Stephen Howe Guest

    > My hosts file is huge, Ad Aware, Spybot Search & Destroy, Spyware Blaster,
    .... and you are running a real-time anti-virus product like McAfee's,
    Symantec, Kaspersky as well ???
    They have. You are infected. But the infected software wishes you to spend
    $$$, on fake anti-spyware removal software (which does nothing). That fake
    anti-spyware goes by names: Winfixer, SpyAxe, SpyTrooper
    They are.

    An attempt to try and get you to part with $$$ for something that is bogus
    and fake.

    See Jim's response for removal.

    Stephen Howe
     
    Stephen Howe, Jan 14, 2006
    #4
  5. Ada Price Guest

    Isn't Avast a real-time anti-virus product?
    I have these WinFixer popups which I thought were "normal" pop ups.
    How do they slip past our defenses?

    They must be doing *something* different as I don't get any popups ever
    except these WinFixer 2005 popups. What trick did they use to slip past
    what the other popups can't seem to overcome?
     
    Ada Price, Jan 14, 2006
    #5
  6. Stephen Howe Guest

    > ... and you are running a real-time anti-virus product like McAfee's,
    It is. I did not list all products (Trend was not listed)
    I think WinFixer, SpyTrooper, SpyAxe relied on the recent WMF flaw that
    Microsoft became aware of on 27th December 2005 and was patched on 6th
    January 2006. By now, all those using Automatic updates should have the
    patch. If you go to Control Panel, click on Add/Remove Programs, make sure
    "Show Updates" is ticked and Sort by Name, you should see if you scroll to
    the bottom text "Security Update for Windows XP (KB912919)" which is the
    patch. So before 6th January 2006 most Windows users were vulnerable (unless
    using the unofficial patch), that should not be the case now.

    Of course if your system is infected, you need to be disinfected.
    See above. It was a problem. It should not be now. Now it is just a case of
    mopping up infected PCs.
    No uninfected patched PCs should be being infected.

    Stephen Howe
     
    Stephen Howe, Jan 14, 2006
    #6
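The "is the WMF patch installed?" check from Stephen Howe's post, scripted instead of clicked through Add/Remove Programs, as an added example that is not part of the thread. It assumes WMIC is available (it is on Windows XP Professional and later) and reads KB ids either from `wmic qfe get HotFixID` output or from Add/Remove Programs style display names; KB912919 is the update named in the post, the other KB numbers and both sample listings are constructed placeholders.

```python
"""Confirm that a specific security update is present, scripting the
Add/Remove Programs ("Show Updates") check from the post.  KB912919 is the
WMF fix named in the thread.

Added example, not from the thread.  Assumes WMIC is available; the sample
outputs below are constructed and KB000001/KB000002 are placeholders.
"""
import re
import subprocess
from typing import Iterable, Set, Union

WMF_FIX = "KB912919"
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)

# Constructed: what `wmic qfe get HotFixID` prints on a patched system.
SAMPLE_QFE = """HotFixID
KB000001
KB912919
KB000002
"""

# Constructed: Add/Remove Programs display names on an unpatched system.
SAMPLE_ARP = [
    "Security Update for Windows XP (KB000001)",
    "Security Update for Windows XP (KB000002)",
]


def installed_hotfixes(source: Union[str, Iterable[str]]) -> Set[str]:
    """Extract KB ids from raw WMIC output or from a list of display names."""
    lines = [source] if isinstance(source, str) else list(source)
    return {m.group(0).upper() for s in lines for m in KB_RE.finditer(s)}


def has_hotfix(source: Union[str, Iterable[str]], kb: str = WMF_FIX) -> bool:
    """True when the given KB id appears in the source."""
    return kb.upper() in installed_hotfixes(source)


def query_wmic() -> str:
    """Live query of Win32_QuickFixEngineering; only meaningful on Windows."""
    return subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("WMIC sample patched:", has_hotfix(SAMPLE_QFE))   # True
    print("ARP sample patched:", has_hotfix(SAMPLE_ARP))    # False
```

On a live XP box replace `SAMPLE_QFE` with `query_wmic()`; a False result means the machine still needs the KB912919 update Stephen describes.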
  7. Ada Price Guest

    > I think WinFixer, SpyTrooper, SpyAxe relied on the recent WMF flaw that
    Hello Stephen Howe,

    I think you are a good sleuth. I was wondering myself how come those
    WinFixer popups only came ONCE on my system. Only an expert could explain
    this.

    Apparently I'm not infected but the Winfixer company took advantage of
    weaknesses in my system to pop up the requests to infect me. Clever.

    Therefore, despite the single set of popups, Winfixer didn't seem to have
    infected my system since I never clicked on any of the buttons on those
    popups (does anyone ever hit any popup buttons? I never do. I always kill
    the popup window although I guess they could force action if they wanted
    to). Yet I got those three popups myself.

    When I ran the wonderful Jim Byrd suggested Vundo remover
    http://forums.mcafeehelp.com/viewtopic.php?t=57049 it reported nothing
    found.

    [01/14/2006, 19:32:47] - VirtumundoBeGone v1.5 (
    "D:\programs\WinFixer_Removal\VirtumundoBeGone.exe" )
    [01/13/2006, 12:32:50] - Detected System Information:
    [01/13/2006, 12:32:50] - Windows Version: 5.1.2600, Service Pack 2
    [01/13/2006, 12:32:50] - Current Username: Administrator (Admin)
    [01/13/2006, 12:32:50] - Windows is in NORMAL mode.
    [01/13/2006, 12:32:50] - Searching for Browser Helper Objects:
    [01/13/2006, 12:32:50] - Finished Searching Browser Helper Objects
    [01/13/2006, 12:32:50] - Finishing up...
    [01/13/2006, 12:32:50] - Nothing found! Exiting...

    So, I'm assuming Winfixer TRIED to infect me by using a Windows flaw to
    slip past our defences in order to put those three popups on our screens
    but Winfixer I'm assuming never infected my system because I never said yes
    to the popups.

    I'm going to patch my system pronto to the suggested patch level to prevent
    Winfixer from taking advantage of my system again.

    Thanks for solving the puzzling riddle.
    Ada
     
    Ada Price, Jan 15, 2006
    #7
  8. Leythos Guest

    Thanks PCB, if you keep posting like that I will even petition MS to let
    you post on their servers again. Much appreciated.
     
    Leythos, Jan 15, 2006
    #8
  9. pcbutts1 Guest

    PHUCK YOU STALKER. I am not banned on MS why the hell do you keep saying
    that. Get lost Stalker.

     
    pcbutts1, Jan 15, 2006
    #9
  10. Leythos Guest

    Sorry to burst your bubble, but they have automatic filters and even the
    Usenet admin on their servers look for signs of you and delete your
    postings. All you have to do is post anything that identifies you and
    they will delete it.

    I tried to acknowledge your proper posting, to even say thanks for
    starting to do it right, but you need to be rude about it. I guess I was
    wrong about you changing your ways.

    No matter how many times you say it's not true, MS is removing any post
    they identify as you from their Usenet servers - you can check online
    yourself.
     
    Leythos, Jan 15, 2006
    #10
  11. Stephen Howe Guest

    > I am not banned on MS why the hell do you keep saying that.

    If that is so, why do I not see your posts when I login to
    msnews.microsoft.com and view

    microsoft.public.security.homeusers
    microsoft.public.windowsxp.security_admin
    ???

    Don't be fooled by the fact that your messages show up on your ISP's News
    server's copy of these newsgroups.
    The real Microsoft newsgroups are on Microsoft's news server.
    And I don't see any of your messages there.

    Looks like you are banned.

    Stephen Howe
     
    Stephen Howe, Jan 15, 2006
    #11
  12. Leythos Guest

    Nope, they delete the posts by Butts and the replies based on key words.
    I've found my posts on their servers without any problems. Just look for
    the ones that don't mention the unethicals name/subject.
     
    Leythos, Jan 15, 2006
    #12
  13. pcbutts1 Guest

    I make over 60 posts a day on 7 different MS servers using
    msnews.microsoft.com; they all show up. You don't know what you are talking
    about.

     
    pcbutts1, Jan 15, 2006
    #13
  14. pcbutts1 Guest

    You are an obsessed sick whacko stalker. I don't need or want a thanks from
    you, you fucking pervert. Go back to your shit eating
    http://www.pcbutts1.com/downloads/license.htm

     
    pcbutts1, Jan 15, 2006
    #14
  15. Leythos Guest

    Nope, if you go to the MS Usenet servers proper, anything they can
    identify as being from you is deleted, some through automation, some
    manually, some are missed, but they seem to be real aggressive about it.
     
    Leythos, Jan 15, 2006
    #15
  16. pcbutts1 Guest

    Just can't stop with the lies can you stalker.

     
    pcbutts1, Jan 15, 2006
    #16
  17. Leythos Guest

    Prove I'm lying and make a post under your real identity, using both the
    name and email, wait till Monday and then see if it's on their servers,
    not your own Usenet server, not Google, but the normal MS Usenet server.

    Prove me wrong Chris, that would be a first for you.
     
    Leythos, Jan 15, 2006
    #17
  18. Stephen Howe Guest

    > I make over 60 posts a day on 7 different MS server using
    I know exactly what I am talking about.
    WHERE IS YOUR DAMN EVIDENCE?

    1. Visit Google Groups
    2. Put in "pcbutts1" as Author and Newsgroups as microsoft.public.*
    3. Hit Google Search
    4. Now sort by date
    5. The most recent message I see from you on Microsoft newsgroups is in
    microsoft.public.basic.other. 12 messages, 7 authors.
    5th Jan 2006. "Thread Running BASIC under windows".
    6. Yet on Microsoft newsserver, you're not there, nor is Neil Pollock who
    responded to you. Just 10 messages, 5 authors.
    And the thread is recent enough such that it won't have expired from the MS
    News server.

    And that is because you are being pulled.

    Stephen Howe
     
    Stephen Howe, Jan 15, 2006
    #18
  19. pcbutts1 Guest

    I don't post as pcbutts1 on the MS news groups you idiot. Leythos the
    stalker was impersonating me a while back, so as a compromise with MS I
    don't use that name. It is to keep the stalker Leythos from disrupting the
    group. I don't know a Neil Pollock but if there is a leythos post included
    in the thread then that is why they deleted it. They delete his disruptions
    and impersonations not my posts.

     
    pcbutts1, Jan 15, 2006
    #19
  20. Leythos Guest

    You are only half right, you post under many nicknames and I only look
    at CONTENT, not the posters names (until I open the post), and MS DOES
    DELETE YOUR POSTS, under any nickname, when they find them.

    I've NEVER impersonated anyone, but you have impersonated me many times
    - and the proof is in the headers Chris. My posts from today, where I'm
    not replying to you (and even some of those) are on the MS Usenet
    servers, but you're not there :)

    MS Usenet Admins delete your posts, under any identity, when they find
    them, either manually or by scripts.
     
    Leythos, Jan 15, 2006
    #20