xlurker
Symantec Norton AntiVirus is showing me in a virus alert notification
box that Norton finds a trojan.vundo virus in a file named geedd.dll.
That Norton box notifies that Norton cannot access or repair that file
and will not close that notice box.
Generous participants in these groups have suggested that Symantec and
I cannot access that file b/c an application is using it. I wish the
on-screen access denial notifications had delivered that explanation.
One intuits that the correct response to this problem is for Symantec
Norton or MS anti-spyware to close the application which is using the
file and then cleanse the virus. Why are Symantec Norton and MS not
doing that?
The most onerous consequence of pop up intrusions is that MSIE loses
the path to the browser cache almost every time a new window or
application starts up. That means that MSIE has to go to the publisher
for the current version of those previously-viewed web pages instead of
just recovering them from the user's browser cache. Why does MSIE do
this?
The second most onerous consequence from pop ups for me is that all my
applications freeze up for about a minute when a pop up intrusion
starts. I intuit that happens because the pop up new window procedures
and the anti-virus applications trying to fight them off consume all my
processing power. Is that correct? If so, it discourages adding new
anti-malware applications which would consume even more CPU capacity.
All the curative suggestions posted by generous participants in these
groups are really too complicated for the very many home users who have
plug and play computing skills, and expect our home appliances to be
more simple and reliable to operate. We expect our devices to be
self-monitoring and self-correcting, especially after we have bought
and installed a major brand product for accomplishing those things like
Symantec Norton. Remember that cleansing procedures would have to be
repeated following every infection, and infections are likely to occur
at least once every day.
Did I make a terrible mistake by buying a MS Windows computer?
Newsgroups: symantec.customerservice.general
From: "tcoop" <[email protected]>
Date: Sat, 20 Aug 2005 09:47:43 -0400
Local: Sat, Aug 20 2005 5:47 am
Subject: winfixer2005
I just had a popup, and it seemed to want to take over my browser. I
wanted to start downloading a file but my Norton stopped it. It is
called winfixer 2005. It put a downloading process icon in my system
tray but it isn't downloading anything (that I can tell).
What is this and where did it come from? How do i get rid of
it?...thanks for the help...tcoop
Newsgroups: symantec.customerservice.general
From: (e-mail address removed) - Find messages by this author
Date: 16 Sep 2005 18:22:27 -0700
Local: Fri, Sep 16 2005 5:22 pm
Subject: MALWARE: winfixer2005, winantivirus, vipfares
How can we Symantec customers make Symantec/Norton rid our computers of
the winfixer2005, winantivirus and vipfares MALWARE pop ups? I find no
clues at the Symantec web site. I was motivated to buy Symantec with
the expectation Symantec would help us with this. I added the URLs to
Symantec ad blocking and pop up blocking configurations to no avail.
Potential customers of winfixer, winantivirus and vipfares will want to
know this is how they treat potential customers.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support
From: (e-mail address removed) - Find messages by this author
Date: 19 Sep 2005 20:00:20 -0700
Local: Mon, Sep 19 2005 7:00 pm
Subject: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
Why is Symantec not reading, posting and providing customer service at
these Symantec newsgroups? I find no facility to seek or obtain service
on these issues on the Symantec web site.
Passion.com is apparently throwing pop up windows using this same
malware.
----- ------
From: "" <[email protected]>
Newsgroups: symantec.customerservice.general
Subject: Re: MALWARE: winfixer2005, winantivirus, vipfares
Date: Mon, 16 Sep 2005
How can we Symantec customers make Symantec/Norton rid our computers of
the winfixer2005, winantivirus and vipfares MALWARE pop ups? I find no
clues at the Symantec web site. I was motivated to buy Symantec with
the expectation Symantec would help us with this. I added the URLs to
Symantec ad blocking and pop up blocking configurations to no avail.
Potential customers of winfixer, winantivirus and vipfares will want to
know this is how they treat potential customers.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed) - Find messages by this author
Date: 23 Sep 2005 19:04:23 -0700
Local: Fri, Sep 23 2005 6:04 pm
Subject: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
Still no help or response. Symantec sent out on 9/20/2005 a notice that
Symantec would no longer scan for infections of Trojan.Vundo, which
Symantec associates with pop ups. Does this mean that Symantec now
gives even less protection against pop ups than before?
A pop up attack totally disables my PC for most of one minute, then
reduces the functionality of my browser back and forward buttons for
much of one hour. This is a significant nuisance and intrusion on the
device which holds my personal information, although I do know that
Symantec has more damaging sociopathies to battle.
christianmingle.com is apparently throwing pop up windows using this
same malware.
The winfixer and winantivirus business model is apparently to extort
money for a promise that they will stop attacking, then use the
identities of those who pay to launch further extortion attacks.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed) - Find messages by this author
Date: 23 Nov 2005 19:03:24 -0800
Local: Wed, Nov 23 2005 7:03 pm
Subject: Pop Up MALWARE: winfixer2005, winantivirus etc.
I posted on this topic 7 weeks ago.
Symantec / Norton has been showing me a "high risk virus alert,
Trojan.Vundo, unable to repair, access denied" alert box CONTINUOUSLY
for that entire 7 week period. A Windows alert box recommending running
WinFixer shows on my PC almost continuously.
Every pop up intrusion attack seriously diminishes the functionality of
my browser back and forward buttons. I suffer frequent system freezes
which last more than one minute and some of which never recover.
I am running Symantec / Norton "internet security 2005 antispyware
edition." Why is Symantec / Norton entirely helpless in the face of
this common and simple spyware problem? Is it a terrible mistake to
have bought a Windows operating system computer?
David H. Lipman
Nov 24, 10:09 am
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Thu, 24 Nov 2005 18:09:07 GMT
Local: Thurs, Nov 24 2005 10:09 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
And I answered it on 10/15.
Since then the WinFixerFix Winfixer 2005 Removal tool has been updated.
Please download, install and update the following software...
* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
* SpyBot Search and Destroy v1.4
http://security.kolla.de/
After the software is updated, I suggest scanning the system in Safe
Mode.
I also suggest downloading, installing and updating BHODemon for any
Browser Helper Objects that may be on the PC.
* BHODemon
http://www.definitivesolutions.com/bhodemon.htm
* Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
On the infected PC...
Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE
to go through your FireWall to enable WGET.EXE to download the needed
McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your
browser (Opera, FireFox or Internet Explorer). It is suggested that you
move the report out of c:\mcafee before
performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and
save a copy of the HTML report for each session.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed) - Find messages by this author
Date: 24 Nov 2005 21:27:44 -0800
Local: Thurs, Nov 24 2005 9:27 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
i dL'd and ran spybot, but it just made my xp lockup/crash. i am
disinclined to take the other actions (especially after that
experience) b/c i don't want to risk harm from any deviation from their
complicated implementation instructions, i don't want to risk infection
from unfamiliar s/w, i don't want additional applications to further
slow my xp and i don't want to incur further $ expense. the norton
product is labeled as "the all-in-one solution for online peace of
mind" and it should have been performing for me that way.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]> - Find messages
by this author
Date: Fri, 25 Nov 2005 15:20:45 GMT
Local: Fri, Nov 25 2005 7:20 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
Ad-aware, SpyBot S&D and BHODemon are well recognized and highly rated
anti-malware applications. All are free.
Check for both well rated and rogue anti spyware at Spyware Warrior.
The following is the rogue gallery...
http://www.spywarewarrior.com/rogue_anti-spyware.htm
As for the WinFixer Fix utility... I wrote that. It is based upon the
KiXtart scripting language and performs the actions and procedures that
have been culminated from many locations to remove the Vundo Trojan and
the WinFixer 2005 program. Additionally it incorporates the McAfee
Command Line Scanner which has a library of 160,000 malware items
so it can catch and clean additionally found malware.
As for why SpyBot S&D crashed. I have no idea. It has been used
successfully on thousands of platforms with excellent results. Having
had it crash is no reason to give. It could be indicative of greater
problems on the PC besides malware like lost sectors.
There is no such thing as an "all-in-one solution". It is a fallacy.
One may catch what another may miss. This is called a False Negative.
It is a multi-tiered approach that removes malware more effectively.
Of course one must practice Safe Hex to prevent being infected with
malware in the first place.
http://www.claymania.com/safe-hex.html
I suggest you also contact industry wide News Groups rather than just
Symantec
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus
alt.privacy.spyware
I monitor *many* virus and spyware News Groups but if I see your post
in another News Group then I will step back and let others reply.
Except for my WinFixer Fix utility (which I wrote) you will find my
response will be similar to other responses.
As to actually cleaning your PC, either you will have to follow suggested
procedures or wipe your computer and start from scratch. It's your
choice, your computer. I'm only giving you my experienced advice.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "KLR" <[email protected]>
Date: 26 Nov 2005 09:54:49 -0800
Local: Sat, Nov 26 2005 9:54 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
Have you tried the following as well as AdAware
http://sarc.com/avcenter/venc/data/trojan.vundo.removal.tool.html
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Mon, 28 Nov 2005 01:31:53 GMT
Local: Sun, Nov 27 2005 5:31 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
It has come to my attention that SuperAdBlocker is very effective in
removing these infectors. The authors allow it to be used for a free
15 day trial.
SuperAdBlocker.com - SUPERAntiSpyware
http://www.superadblocker.com
http://blogs.superadblocker.com
http://forums.superadblocker.com
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
----
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "MyndPhlyp" <[email protected]>
Date: Sat, 24 Sep 2005 15:42:37 GMT
Local: Sat, Sep 24 2005 7:42 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passion.com
ROFL. Silly user. You actually expected SUPPORT from Symantec? That's
like expecting quality support from Earthlink!
<tyrannical rant>
Those of us who have been using the Norton product line since the old
DOS days remember well how robust the suite of utilities was. Over time
though we have seen utilities disappear from the NU product and
half-hearted attempts at maintaining (I'll refrain from using the word
"improving") the NAV product ever since Symantec took the reins.
They don't lurk these NGs. Their web-based user support forum is gone.
Their KB borders on worthless. Their LiveUpdate has better odds of
messing up an installation than the odds at a roulette table. And if,
for some lucky reason, you do actually speak with their support staff
(at some cost to you) the resolution will most likely be to uninstall
and reinstall the product.
They've just grown too big to care about the people who made them
successful in the first place - the single license end users.
</tyrannical rant>
But onward to your problem.
You mentioned malware on your machine and pop-ups taking control. There
are lots of things you can do to cripple pop-ups. There are also a
couple of very good FREE utilities that should already be part of your
arsenal and they are quite effective in eliminating spyware/malware
that has accumulated on your machine.
AdAware
http://www.lavasoftusa.com
Spybot Search+Destroy
http://security.kolla.de
Use both (one at a time, of course). What one doesn't pick up the other
one usually does.
Spybot has an additional feature to "immunize" your system. It adds
several entries to the Restricted Sites of IE's Security settings and,
if memory serves me correctly, to the blocked cookies list in IE's
Privacy settings.
You can further tweak down the Restricted Sites of IE's Security
settings to literally disable everything yielding pretty much plain
HTML. For more information on security zones in IE see:
http://support.microsoft.com/?kbid=174360
If you haven't kept up-to-date on your Internet Explorer updates, you
really should. There is one old exploit that can make an Internet site
appear as though it is an Intranet site. (There are SO MANY exploits a
book could be written. Ooops, several books already HAVE been written!)
For those sites not added by SpyBot to the Restricted Sites list,
manually add them. Over time you will accumulate quite a list if you
tend to wander from the more well-traveled and trusted paths often.
Another trick is to use the HOSTS file to block hosts. Using this
method you equate the host name ("ad.doubleclick.net" for example) with
the IP address 127.0.0.1 ("localhost"). Windows will consult the HOSTS
file before attempting to resolve a name to an address via DNS. Although
some HTML content will use an IP address rather than a host name, most
(in my experience) do not. See the following:
http://www.mvps.org/winhelp2002/hosts.htm
Another good link for dealing with unwanted spyware and parasites is:
http://www.mvps.org/winhelp2002/unwanted.htm
Want to control tracking cookies better? In IE's Internet Options, go
to the Privacy tab and set the slider control up to at least Medium
High.
Periodically clear the cache (General Tab, Delete Files button), but
save the cookies, and check the remaining files (General tab, Settings
button, View Files button) to see what cookies you've accumulated. For
those that have no need to be on your system, add them to the blocked
cookies sites (Privacy tab, Edit button). If you run into sites that
absolutely insist on writing a cookie but your settings have it blocked,
add them to the allowed cookies sites (Privacy tab, Edit button). Just
as with the Restricted Sites above, you will accumulate quite a list
over time.
And if you want to see what web sites can determine about your browser
and system, try the Browser Mirror at:
http://centralops.net/co/
Of particular interest to you are the Cookies and the "clipboard".
What is this "clipboard" thing? It is the contents of the Windows
clipboard. Try it. Select some text and copy it. Then go to Browser
Mirror. Surprise!
Now imagine you were previously working on your financials, personal
records, or doing some online shopping and copied your Social Security
Number, credit card number, or some other sensitive bit of information
to the clipboard along the way.
I don't recall the exact setting to change to prevent the clipboard
contents from being read, but it is on IE's Internet Options, Security
tab. Select the Internet icon and click Custom Level. It is either the
"Drag and drop or copy and paste files" or the "Allow paste operations
via script" setting. They should both be set to "Disable" anyway.
While you are there, some other things worth disabling are:
* Download unsigned ActiveX controls.
* Initialize and script ActiveX controls not marked as safe.
* Access data sources across domains.
* Don't prompt for client certificate selection when no certificates or
only one certificate exists.
* Launching programs and files in an IFRAME.
And make sure "Automatic logon only in Intranet zone" is selected.
As for the other settings, Enable or Prompt as appropriate for the
risk.
Another thing to consider is using Firefox instead of Internet
Explorer. It is the core used by Netscape and others. Firefox has
pop-up blocking built in as well as many other nice features. Best of
all, it is probably the most HTML and CSS compliant browser out there
and it is FREE.
http://www.mozilla.org/
Yep, there are lots of things you can do and use for free to battle
spyware, malware and tracking cookies. There are lots of free things
you can do to block malicious sites. There are lots of free things you
can do to block pop-ups. The typical "Ma & Pa Kettle" is never aware of
these things and usually the subject content is so far over their heads
as to put them in a coma. But if you are able to understand how it all
works, and you do some research on the subject, you can effectively
protect yourself from rogue and unwanted sites.
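[Added example, not part of MyndPhlyp's post: a check of which URLs a HOSTS-file blocklist of the kind described above actually stops, including the IP-address case the post mentions. The HOSTS content, the .example names and the function names are constructed for illustration.]

```python
"""Added example: evaluate which URLs a HOSTS-file blocklist actually stops."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# Constructed sample blocklist
127.0.0.1   localhost
127.0.0.1   ad.doubleclick.net   # host named in the post
127.0.0.1   popups.example  ads.example
0.0.0.0     tracker.example
192.0.2.10  intranet.example     # ordinary mapping, not a block
"""


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-format text.

    Each line is "<ip> <name> [<name> ...]"; '#' starts a comment.
    Malformed lines are skipped. This example keeps the first mapping
    it sees for a name.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def is_sinkholed(ip):
    """True when the mapped address is loopback or the unspecified address."""
    return ip.is_loopback or ip.is_unspecified


def verdict(url, table):
    """Classify an absolute URL as 'blocked', 'bypass-ip-literal' or 'allowed'."""
    host = urlsplit(url).hostname
    if host is None:
        return "allowed"
    try:
        ipaddress.ip_address(host)
        # The URL carries an address, so no name lookup happens and the
        # HOSTS file is never consulted.
        return "bypass-ip-literal"
    except ValueError:
        pass
    ip = table.get(host.rstrip("."))
    if ip is not None and is_sinkholed(ip):
        return "blocked"
    # HOSTS entries match exact names only: a sibling or subdomain of a
    # listed host is not covered unless it has its own line.
    return "allowed"


def audit(urls, hosts_text=SAMPLE_HOSTS):
    """Return [(url, verdict)] for each URL against the given HOSTS text."""
    table = parse_hosts(hosts_text)
    return [(u, verdict(u, table)) for u in urls]


if __name__ == "__main__":
    for url, result in audit([
        "http://ad.doubleclick.net/banner.gif",
        "http://www.ads.example/popup.html",   # subdomain, not listed
        "http://192.0.2.55/popup.html",        # constructed IP-literal URL
    ]):
        print(f"{result:18} {url}")
```

The "allowed" result for www.ads.example shows why such lists grow long: every host name has to be listed individually.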
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support
From: (e-mail address removed)
Date: 13 Oct 2005 19:26:13 -0700
Local: Thurs, Oct 13 2005 6:26 pm
Subject: geedd.dll MalWare Virus Cleanse
Symantec Norton AntiVirus is showing me in a virus alert notification
box that Norton finds a trojan.vundo virus in a file named geedd.dll.
That Norton box notifies that Norton cannot access or repair that file.
Windows will not let me move or delete it. I cannot even get that
Norton notification box to go away.
What should we users/customers do and why are we getting jerked around
this way by Symantec, the Windows file manager SW and the pop up ad
offenders?
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support
From: "David H. Lipman" <[email protected]>
Date: Sat, 15 Oct 2005 12:46:00 GMT
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow FTP.EXE
to go through your FireWall to enable FTP.EXE to download the needed
McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your browser
(Opera, FireFox or Internet Explorer). It is suggested that you move
the report out of c:\mcafee before performing another scan. It would be
a good idea to scan in Safe Mode and in Normal Mode and save a copy of
the HTML report for each session.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed)
Date: 23 Oct 2005 10:44:36 -0700
Local: Sun, Oct 23 2005 9:44 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
Pop Up attacks on me declined for a couple of weeks, then returned
fiercely in the last 6 days. What is an effective remedy for this and
why does Symantec/Norton Internet Security AntiSpyware Edition 2005 not
provide it?
Here are 2 new additions to the abusively-pop-up-marketed web business
hall of shame:
americarx.com
doctorsherbalgroup.com
Symantec Norton AntiVirus is still continuously showing me in a virus
alert notification box that Norton finds a trojan.vundo virus in a file
named geedd.dll.
That Norton box notifies that Norton cannot access or repair that file.
I still cannot even get that Norton notification box to go away.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Mon, 24 Oct 2005 00:07:10 GMT
Local: Sun, Oct 23 2005 4:07 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
You have to define the Pop-Ups.
Are they Messenger Service Pop-Ups ?
Are they Internet Explorer Pop-Ups ?
Are you still infected with WinFixer2005 ?
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow FTP.EXE
to go through your FireWall to enable FTP.EXE to download the needed
McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your
browser (Opera, FireFox or Internet Explorer). It is suggested that you
move the report out of c:\mcafee before
performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and
save a copy of the HTML report for each session.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: microsoft.public.security.virus, alt.comp.virus,
alt.comp.anti-virus, alt.privacy.spyware,
symantec.customerservice.general
From: (e-mail address removed) - Find messages by this author
Date: 27 Nov 2005 20:57:39 -0800
Local: Sun, Nov 27 2005 8:57 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
All of these fixes may be a very long trip to what should be a very
short and quick solution. I have an application which overwrites files
with random numbers. I would use it on the file with the virus if
access to that file were not denied.
Does that infected file generate this problem? Why are Symantec and I
denied access to it? How can we dissolve that denial? Why could Symantec
not quarantine that file so that no code from it could ever run?
Anyhow, I ran Spybot and the Symantec FixVundo utility on 11/27/2005.
FixVundo created a log which includes:
"Trojan.Vundo has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 183114
The number of deleted files: 0
The number of viral processes terminated: 3
The number of viral processes suspended: 3
The number of viral threads terminated: 7
The number of registry entries fixed: 2"
When I next rebooted after running FixVundo, the virus alert
immediately appeared as it had before.
The Spybot search and destroy function delivered a list of what it
thought were suspicious cookies. All of those looked innocuous to me
except some in a folder with WinFix in its folder name. I let Spybot
kill the cookies in that folder. However, I do not intuit that cookies
can execute a pop up intrusion.
Newsgroups: microsoft.public.security.virus, alt.comp.virus,
alt.comp.anti-virus, alt.privacy.spyware,
symantec.customerservice.general
From: "Nick Skrepetos \(SuperAdBlocker.com\)" <[email protected]>
Date: Sun, 27 Nov 2005 21:17:15 -0800
Local: Sun, Nov 27 2005 9:17 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
Hello,
Yes, the removal should be simple, and it is with some spyware
scanners, and not so with others.
To answer your questions:
1) Typically you/programs are denied access to the files if another
application has the file open and has not closed the handle and does
not open it with sharing. Many spyware/malware applications do this to
prevent getting the MD5/fingerprint of the application, or examining
the contents of the file. There are two direct (and more) ways for
applications to get around this limitation, both of which we employ in
our SuperAdBlocker | SUPERAntiSpyware product. This involves finding
the open handle and using it, or reading directly from the volume in
the native format which will bypass all of Windows security and
protection. This involves parsing the NTFS or FAT volume directly.
2) Many kernel level drivers, now referred to as "rootkits", can
protect a file so that the operating system cannot access it at all,
but its own processes can have full access. This can involve a filter
system filter driver or API hooking driver to accomplish the protection
and hiding.
If you still have the infection, you may wish to try Super Ad Blocker
with SUPERAntiSpyware:
http://www.superadblocker.com
Super Ad Blocker | SUPERAntiSpyware offers several unique features such
as using a system level driver to delete detected items, so pests do
not come back once detected and cleaned.
Super Ad Blocker offers a fully functional 15-day trial. You can scan
and clean your computer and then remove Super Ad Blocker if you do not
wish to keep it. We do appreciate when users support our development
efforts by purchasing the product.
If that does not find and/or remove the spyware/adware on your machine,
you can submit a diagnostic and I will diagnose your machine for free
and post the results back to the group and update our rules with
anything found:
http://www.superadblocker.com/diagnostic.html?id=nicks
You may also wish to "see" what is running on your computer here:
http://www.fileresearchcenter.com
Nick Skrepetos
SuperAdBlocker.com - SUPERAntiSpyware
http://www.superadblocker.com
http://blogs.superadblocker.com
http://forums.superadblocker.com
** Please note that I am the author of the above programs and sites and
I do have a vested interest in Super Ad Blocker, SUPERAntiSpyware and
FileResearchCenter.com. You, the user, have no obligation to purchase
the software and are free to try the software, clean/fix your system,
and then uninstall.
box that Norton finds a trojan.vundo virus in a file named geedd.dll.
That Norton box notifies that Norton cannot access or repair that file
and will not close that notice box.
Generous participants in these groups have suggested that Symantec and
I cannot access that file b/c an application is using it. I wish the
on-screen access denial notifications had delivered that explanation.
One intuits that the correct response to this problem is for Symantec
Norton or MS anti-spyware to close the application which is using the
file and then cleanse the virus. Why are Symantec Norton and MS not
doing that?
The most onerous consequence of pop up intrusions is that MSIE loses
the path to the browser cache almost every time a new window or
application starts up. That means that MSIE has to go to the publisher
for the current version of those previously-viewed web pages instead of
just recovering them from the user's browser cache. Why does MSIE do
this?
The second most onerous consequence from pop ups for me is that all my
applications freeze up for about a minute when a pop up intrusion
starts. I intuit that happens because the pop up new window procedures
and the anti-virus applications trying to fight them off consume all my
processing power. Is that correct? If so, it discourages adding new
anti-malware applications which would consume even more CPU capacity.
All the curative suggestions posted by generous participants in these
groups are really too complicated for the very many home users who have
plug and play computing skills, and expect our home applicances to be
more simple and reliable to operate. We expect our devices to be
self-monitoring and self-correcting, especially after we have bought
and installed a major brand product for accomplishing those things like
Symantec Norton. Remember that cleansing procedures would have to be
repeated following every infection, and infections are likely to occur
at least once every day.
Did I make a terrible mistake by buying a MS Windows computer?
Newsgroups: symantec.customerservice.general
From: "tcoop" <[email protected]>
Date: Sat, 20 Aug 2005 09:47:43 -0400
Local: Sat, Aug 20 2005 5:47 am
Subject: winfixer2005
I just had a popup, and it seemed to want to take over my browser. I
wanted to start downloading a file but my Norton stopped it. It is
called winfixer 2005. It put an downloading process icon in my system
tray but it isnt downloading anything,(that i can tell)
What is this and where did it come from? How do i get rid of
it?...thanks for the help...tcoop
Newsgroups: symantec.customerservice.general
From: (e-mail address removed) - Find messages by this author
Date: 16 Sep 2005 18:22:27 -0700
Local: Fri, Sep 16 2005 5:22 pm
Subject: MALWARE: winfixer2005, winantivirus, vipfares
How can we Symantec customers make Symantec/Norton rid our computers of
the winfixer2005, winantivirus and vipfares MALWARE pop ups? I find no
clues at the Symantec web site. I was motivated to buy Symantec with
the expectation Symantec would help us with this. I added the URLs to
Symantec ad blocking and pop up blocking configurations to no avail.
Potential customers of winfixer, winantivirus and vipfares will want to
know this is how they treat potential customers.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support
From: (e-mail address removed) - Find messages by this author
Date: 19 Sep 2005 20:00:20 -0700
Local: Mon, Sep 19 2005 7:00 pm
Subject: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
Why is Symantec not reading, posting and providing customer service at
these Symantec newsgroups? I find no facility to seek or obtain service
on these issues on the Symantec web site.
Passion.com is apparently throwing pop up windows using this same
malware.
----- ------
From: "" <[email protected]>
Newsgroups: symantec.customerservice.general
Subject: Re: MALWARE: winfixer2005, winantivirus, vipfares
Date: Mon, 16 Sep 2005
How can we Symantec customers make Symantec/Norton rid our computers of
the winfixer2005, winantivirus and vipfares MALWARE pop ups? I find no
clues at the Symantec web site. I was motivated to buy Symantec with
the expectation Symantec would help us with this. I added the URLs to
Symantec ad blocking and pop up blocking configurations to no avail.
Potential customers of winfixer, winantivirus and vipfares will want to
know this is how they treat potential customers.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed)
Date: 23 Sep 2005 19:04:23 -0700
Local: Fri, Sep 23 2005 6:04 pm
Subject: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
Still no help or response. Symantec sent out on 9/20/2005 a notice that
Symantec would no longer scan for infections of Trojan.Vundo, which
Symantec associates with pop ups. Does this mean that Symantec now
gives even less protection against pop ups than before?
A pop up attack totally disables my PC for most of one minute, then
reduces the functionality of my browser back and forward buttons for
much of one hour. This is a significant nuisance and intrusion on the
device which holds my personal information, although I do know that
Symantec has more damaging sociopathies to battle.
christianmingle.com is apparently throwing pop up windows using this
same malware.
The winfixer and winantivirus business model is apparently to extort
money for a promise that they will stop attacking, then use the
identities of those who pay to launch further extortion attacks.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed)
Date: 23 Nov 2005 19:03:24 -0800
Local: Wed, Nov 23 2005 7:03 pm
Subject: Pop Up MALWARE: winfixer2005, winantivirus etc.
I posted on this topic 7 weeks ago.
Symantec / Norton has been showing me a "high risk virus alert,
Trojan.Vundo, unable to repair, access denied" alert box CONTINUOUSLY
for that entire 7 week period. A Windows alert box recommending running
WinFixer shows on my PC almost continuously.
Every pop up intrusion attack seriously diminishes the functionality of
my browser back and forward buttons. I suffer frequent system freezes
which last more than one minute and some of which never recover.
I am running Symantec / Norton "internet security 2005 antispyware
edition." Why is Symantec / Norton entirely helpless in the face of
this common and simple spyware problem? Is it a terrible mistake to
have bought a Windows operating system computer?
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Thu, 24 Nov 2005 18:09:07 GMT
Local: Thurs, Nov 24 2005 10:09 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
And I answered it on 10/15.
Since then the WinFixerFix Winfixer 2005 Removal tool has been updated.
Please download, install and update the following software...
* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
* SpyBot Search and Destroy v1.4
http://security.kolla.de/
After the software is updated, I suggest scanning the system in Safe
Mode.
I also suggest downloading, installing and updating BHODemon for any
Browser Helper Objects that may be on the PC.
* BHODemon
http://www.definitivesolutions.com/bhodemon.htm
* Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
On the infected PC...
Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE
to go through your FireWall to enable WGET.EXE to download the needed
McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your
browser (Opera, FireFox or Internet Explorer). It is suggested that you
move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and
save a copy of the HTML report for each session.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed)
Date: 24 Nov 2005 21:27:44 -0800
Local: Thurs, Nov 24 2005 9:27 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
i dL'd and ran spybot, but it just made my xp lockup/crash. i am
disinclined to take the other actions (especially after that
experience) b/c i don't want to risk harm from any deviation from their
complicated implementation instructions, i don't want to risk infection
from unfamiliar s/w, i don't want additional applications to further
slow my xp and i don't want to incur further $ expense. the norton
product is labeled as "the all-in-one solution for online peace of
mind" and it should have been performing for me that way.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Fri, 25 Nov 2005 15:20:45 GMT
Local: Fri, Nov 25 2005 7:20 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
Ad-aware, SpyBot S&D and BHODemon are well recognized and highly rated
anti malware applications. All are free.
Check for both well rated and rogue anti spyware at Spyware Warrior.
The following is the rogue gallery...
http://www.spywarewarrior.com/rogue_anti-spyware.htm
As for the WinFixer Fix utility... I wrote that. It is based upon the
KiXtart scripting language and performs the actions and procedures that
have been culminated from many locations to remove the Vundo Trojan and
the WinFixer 2005 program. Additionally it incorporates the McAfee
Command Line Scanner which has a library of 160,000 malware items
so it can catch and clean additionally found malware.
As for why SpyBot S&D crashed, I have no idea. It has been used
successfully on thousands of platforms with excellent results. Having
had it crash is no reason to give. It could be indicative of greater
problems on the PC besides malware like lost sectors.
There is no such thing as an "all-in-one solution". It is a fallacy.
One may catch what another may miss. This is called a False Negative.
It is a multi-tiered approach that removes malware more effectively.
Of course one must practice Safe Hex to prevent being infected with
malware in the first place.
http://www.claymania.com/safe-hex.html
I suggest you also contact industry wide News Groups rather than just
Symantec
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus
alt.privacy.spyware
I monitor *many* virus and spyware News Groups but if I see your post
in another News Group then I will step back and let others reply.
Except for my WinFixer Fix utility (which I wrote) you will find my
response will be similar to other responses.
As to actually cleaning your PC, either you will have to follow
suggested procedures or wipe your computer and start from scratch. It's
your choice, your computer. I'm only giving you my experienced advice.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "KLR" <[email protected]>
Date: 26 Nov 2005 09:54:49 -0800
Local: Sat, Nov 26 2005 9:54 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
Have you tried the following as well as AdAware
http://sarc.com/avcenter/venc/data/trojan.vundo.removal.tool.html
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Mon, 28 Nov 2005 01:31:53 GMT
Local: Sun, Nov 27 2005 5:31 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
It has come to my attention that SuperAdBlocker is very effective in
removing these infectors. The authors allow it to be used for a free
15 day trial.
SuperAdBlocker.com - SUPERAntiSpyware
http://www.superadblocker.com
http://blogs.superadblocker.com
http://forums.superadblocker.com
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
----
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "MyndPhlyp" <[email protected]>
Date: Sat, 24 Sep 2005 15:42:37 GMT
Local: Sat, Sep 24 2005 7:42 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passion.com
ROFL. Silly user. You actually expected SUPPORT from Symantec? That's
like expecting quality support from Earthlink!
<tyrannical rant>
Those of us who have been using the Norton product line since the old
DOS days remember well how robust the suite of utilities was. Over time
though we have seen utilities disappear from the NU product and
half-hearted attempts at maintaining (I'll refrain from using the word
"improving") the NAV product ever since Symantec took the reins.
They don't lurk these NGs. Their web-based user support forum is gone.
Their KB borders on worthless. Their LiveUpdate has better odds of
messing up an installation than the odds at a roulette table. And if,
for some lucky reason, you do actually speak with their support staff
(at some cost to you) the resolution will most likely be to uninstall
and reinstall the product.
They've just grown too big to care about the people who made them
successful in the first place - the single license end users.
</tyrannical rant>
But onward to your problem.
You mentioned malware on your machine and pop-ups taking control. There
are lots of things you can do to cripple pop-ups. There are also a
couple of very good FREE utilities that should already be part of your
arsenal and they are quite effective in eliminating spyware/malware
that has accumulated on your machine.
AdAware
http://www.lavasoftusa.com
Spybot Search+Destroy
http://security.kolla.de
Use both (one at a time, of course). What one doesn't pick up the other
one usually does.
Spybot has an additional feature to "immunize" your system. It adds
several entries to the Restricted Sites of IE's Security settings and,
if memory serves me correctly, to the blocked cookies list in IE's
Privacy settings.
You can further tweak down the Restricted Sites of IE's Security
settings to literally disable everything yielding pretty much plain
HTML. For more information on security zones in IE see:
http://support.microsoft.com/?kbid=174360
If you haven't kept up-to-date on your Internet Explorer updates, you
really should. There is one old exploit that can make an Internet site
appear as though it is an Intranet site. (There are SO MANY exploits a
book could be written. Ooops, several books already HAVE been written!)
For those sites not added by SpyBot to the Restricted Sites list,
manually add them. Over time you will accumulate quite a list if you
tend to wander from the more well-traveled and trusted paths often.
Another trick is to use the HOSTS file to block hosts. Using this
method you equate the host name ("ad.doubleclick.net" for example) with
the IP address 127.0.0.1 ("localhost"). Windows will consult the HOSTS
file before attempting to resolve a name to an address via DNS.
Although some HTML content will use an IP address rather than a host
name, most (in my experience) do not. See the following:
http://www.mvps.org/winhelp2002/hosts.htm
Another good link for dealing with unwanted spyware and parasites is:
http://www.mvps.org/winhelp2002/unwanted.htm
Want to control tracking cookies better? In IE's Internet Options, go
to the Privacy tab and set the slider control up to at least Medium
High.
Periodically clear the cache (General Tab, Delete Files button), but
save the cookies, and check the remaining files (General tab, Settings
button, View Files button) to see what cookies you've accumulated. For
those that have no need to be on your system, add them to the blocked
cookies sites (Privacy tab, Edit button). If you run into sites that
absolutely insist on writing a cookie but your settings have it
blocked, add them to the allowed cookies sites (Privacy tab, Edit
button). Just as with the Restricted Sites above, you will accumulate
quite a list over time.
And if you want to see what web sites can determine about your browser
and system, try the Browser Mirror at:
http://centralops.net/co/
Of particular interest to you are the Cookies and the "clipboard".
What is this "clipboard" thing? It is the contents of the Windows
clipboard. Try it. Select some text and copy it. Then go to Browser
Mirror. Surprise!
Now imagine you were previously working on your financials, personal
records, or doing some online shopping and copied your Social Security
Number, credit card number, or some other sensitive bit of information
to the clipboard along the way.
I don't recall the exact setting to change to prevent the clipboard
contents from being read, but it is on IE's Internet Options, Security
tab. Select the Internet icon and click Custom Level. It is either the
"Drag and drop or copy and paste files" or the "Allow paste operations
via script" setting. They should both be set to "Disable" anyway.
While you are there, some other things worth disabling are:
* Download unsigned ActiveX controls.
* Initialize and script ActiveX controls not marked as safe.
* Access data sources across domains.
* Don't prompt for client certificate selection when no certificates or
  only one certificate exists.
* Launching programs and files in an IFRAME.
And make sure "Automatic logon only in Intranet zone" is selected.
As for the other settings, Enable or Prompt as appropriate for the
risk.
Another thing to consider is using Firefox instead of Internet
Explorer. It is the core used by Netscape and others. Firefox has
pop-up blocking built in as well as many other nice features. Best of
all, it is probably the most HTML and CSS compliant browser out there
and it is FREE.
http://www.mozilla.org/
Yep, there are lots of things you can do and use for free to battle
spyware, malware and tracking cookies. There are lots of free things
you can do to block malicious sites. There are lots of free things you
can do to block pop-ups. The typical "Ma & Pa Kettle" is never aware of
these things and usually the subject content is so far over their heads
as to put them in a coma. But if you are able to understand how it all
works, and you do some research on the subject, you can effectively
protect yourself from rogue and unwanted sites.
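Added example (not part of the post above and not any poster's code): a short Python sketch of the HOSTS-file blocking described there, showing which URLs a block list stops and which it does not (IP-literal URLs, as the post notes, and sub-hosts, because HOSTS entries match exact names only). The host name popups.example, the 192.0.2.x and 203.0.113.x addresses and the sample HOSTS text are constructed placeholders; keeping the first mapping seen for a name is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

LOOPBACK = "127.0.0.1"

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   localhost
127.0.0.1   ad.doubleclick.net    # host name used as the example in the post
"""

def _norm(name):
    """Host names are case-insensitive; drop a trailing root dot."""
    return name.strip().lower().rstrip(".")

def parse_hosts(text):
    """Return {hostname: ip_address} from HOSTS text.

    Comments and malformed lines are skipped. Assumption of this sketch:
    when a name appears twice, the first mapping is kept.
    """
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in fields[1:]:
            table.setdefault(_norm(name), addr)
    return table

def add_blocks(text, hostnames):
    """Append '127.0.0.1 <name>' lines for names not already present.

    Idempotent: running it again with the same names changes nothing.
    """
    known = set(parse_hosts(text))
    lines = []
    for name in map(_norm, hostnames):
        if name and name not in known:
            known.add(name)
            lines.append(f"{LOOPBACK}\t{name}\n")
    if not lines:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(lines)

def verdict(url, table):
    """Classify a URL against a parsed HOSTS table."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"        # no name lookup happens, HOSTS is bypassed
    except ValueError:
        pass
    addr = table.get(_norm(host))
    if addr is None:
        return "no-entry"          # exact match only: sub-hosts need own lines
    return "blocked" if addr.is_loopback else f"remapped:{addr}"

def report(urls, hosts_text):
    """Map each URL to its verdict under the given HOSTS text."""
    table = parse_hosts(hosts_text)
    return {u: verdict(u, table) for u in urls}

if __name__ == "__main__":
    hosts = add_blocks(SAMPLE_HOSTS, ["popups.example"])
    sample_urls = [                     # constructed URLs
        "http://ad.doubleclick.net/banner.gif",
        "http://popups.example/offer",
        "http://cdn.popups.example/offer",
        "http://192.0.2.10/banner.gif",
    ]
    for url, result in report(sample_urls, hosts).items():
        print(f"{result:12} {url}")
```

A "remapped" verdict means the name points somewhere other than loopback, which is worth a second look when reviewing a HOSTS file you did not write yourself.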
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support
From: (e-mail address removed)
Date: 13 Oct 2005 19:26:13 -0700
Local: Thurs, Oct 13 2005 6:26 pm
Subject: geedd.dll MalWare Virus Cleanse
Symantec Norton AntiVirus is showing me in a virus alert notification
box that Norton finds a trojan.vundo virus in a file named geedd.dll.
That Norton box notifies that Norton cannot access or repair that file.
Windows will not let me move or delete it. I cannot even get that
Norton notification box to go away.
What should we users/customers do and why are we getting jerked around
this way by Symantec, the Windows file manager SW and the pop up ad
offenders?
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support
From: "David H. Lipman" <[email protected]>
Date: Sat, 15 Oct 2005 12:46:00 GMT
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow FTP.EXE
to go through your FireWall to enable FTP.EXE to download the needed
McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your
browser (Opera, FireFox or Internet Explorer). It is suggested that you
move the report out of c:\mcafee before performing another scan. It
would be a good idea to scan in Safe Mode and in Normal Mode and save a
copy of the HTML report for each session.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: (e-mail address removed)
Date: 23 Oct 2005 10:44:36 -0700
Local: Sun, Oct 23 2005 9:44 am
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
Pop Up attacks on me declined for a couple of weeks, then returned
fiercely in the last 6 days. What is an effective remedy for this and
why does Symantec/Norton Internet Security AntiSpyware Edition 2005 not
provide it?
Here are 2 new additions to the abusively-pop-up-marketed web business
hall of shame:
americarx.com
doctorsherbalgroup.com
Symantec Norton AntiVirus is still continuously showing me in a virus
alert notification box that Norton finds a trojan.vundo virus in a file
named geedd.dll.
That Norton box notifies that Norton cannot access or repair that file.
I still cannot even get that Norton notification box to go away.
Newsgroups: symantec.customerservice.general,
symantec.support.winnt.nortonantivirus.general, symantec.support,
alt.online-service.earthlink
From: "David H. Lipman" <[email protected]>
Date: Mon, 24 Oct 2005 00:07:10 GMT
Local: Sun, Oct 23 2005 4:07 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus, vipfares,
passiion.com
You have to define the Pop-Ups.
Are they Messenger Service Pop-Ups ?
Are they Internet Explorer Pop-Ups ?
Are you still infected with WinFixer2005 ?
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow FTP.EXE
to go through your FireWall to enable FTP.EXE to download the needed
McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your
browser (Opera, FireFox or Internet Explorer). It is suggested that you
move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and
save a copy of the HTML report for each session.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Newsgroups: microsoft.public.security.virus, alt.comp.virus,
alt.comp.anti-virus, alt.privacy.spyware,
symantec.customerservice.general
From: (e-mail address removed)
Date: 27 Nov 2005 20:57:39 -0800
Local: Sun, Nov 27 2005 8:57 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
All of these fixes may be a very long trip to what should be a very
short and quick solution. I have an application which overwrites files
with random numbers. I would use it on the file with the virus if
access to that file were not denied.
Does that infected file generate this problem? Why are Symantec and I
denied access to it? How can we dissolve that denial? Why could Symantec
not quarantine that file so that no code from it could ever run?
Anyhow, I ran Spybot and the Symantec FixVundo utility on 11/27/2005.
FixVundo created a log which includes:
"Trojan.Vundo has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 183114
The number of deleted files: 0
The number of viral processes terminated: 3
The number of viral processes suspended: 3
The number of viral threads terminated: 7
The number of registry entries fixed: 2"
When I next rebooted after running FixVundo, the virus alert
immediately appeared as it had before.
The Spybot search and destroy function delivered a list of what it
thought were suspicious cookies. All of those looked innocuous to me
except some in a folder with WinFix in its folder name. I let Spybot
kill the cookies in that folder. However, I do not intuit that cookies
can execute a pop up intrusion.
Newsgroups: microsoft.public.security.virus, alt.comp.virus,
alt.comp.anti-virus, alt.privacy.spyware,
symantec.customerservice.general
From: "Nick Skrepetos \(SuperAdBlocker.com\)" <[email protected]>
Date: Sun, 27 Nov 2005 21:17:15 -0800
Local: Sun, Nov 27 2005 9:17 pm
Subject: Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
Hello,
Yes, the removal should be simple, and it is with some spyware
scanners, and not so with others.
To answer your questions:
1) Typically you/programs are denied access to the files if another
application has the file open and has not closed the handle and does
not open it with sharing. Many spyware/malware applications do this to
prevent getting the MD5/fingerprint of the application, or examining
the contents of the file. There are two direct (and more) ways for
applications to get around this limitation, both of which we employ in
our SuperAdBlocker | SUPERAntiSpyware product. This involves finding
the open handle and using it, or reading directly from the volume in
the native format which will bypass all of Windows security and
protection. This involves parsing the NTFS or FAT volume directly.
2) Many kernel level drivers, now referred to as "rootkits", can
protect a file so that the operating system cannot access it at all,
but its own processes can have full access. This can involve a filter
system filter driver or API hooking driver to accomplish the protection
and hiding.
If you still have the infection, you may wish to try Super Ad Blocker
with SUPERAntiSpyware:
http://www.superadblocker.com
Super Ad Blocker | SUPERAntiSpyware offers several unique features such
as using a system level driver to delete detected items, so pests do
not come back once detected and cleaned.
Super Ad Blocker offers a fully functional 15-day trial. You can scan
and clean your computer and then remove Super Ad Blocker if you do not
wish to keep it. We do appreciate when users support our development
efforts by purchasing the product.
If that does not find and/or remove the spyware/adware on your machine,
you can submit a diagnostic and I will diagnose your machine for free
and post the results back to the group and update our rules with
anything found:
http://www.superadblocker.com/diagnostic.html?id=nicks
You may also wish to "see" what is running on your computer here:
http://www.fileresearchcenter.com
Nick Skrepetos
SuperAdBlocker.com - SUPERAntiSpyware
http://www.superadblocker.com
http://blogs.superadblocker.com
http://forums.superadblocker.com
** Please note that I am the author of the above programs and sites and
I do have a vested interest in Super Ad Blocker, SUPERAntiSpyware and
FileResearchCenter.com. You, the user, have no obligation to purchase
the software and are free to try the software, clean/fix your system,
and then uninstall.