"It seems to me pretty important (not just for me, but for anyone) to know
exactly what to do if one of these pop-up panels appears, and the advice I've
read so far is inconsistent. So let me frame my questions again, clearly:
1. I've seen recommendations to close the panel using the little 'x' at top
right. But also I've read recommendations that this is unsafe, and that the best
response is either to close down Internet Explorer, or to disconnect from the
internet altogether (without clicking anything at all on the pop-up panel).
What, exactly, IS the best approach?
2. Will Defender's RTP alert me to the Winfixer download, and block it?
3. What about SpywareBlaster? Or Spybot's immunisation? Do these prevent the
installation of the Winfixer bad stuff?"
1) You know, your question may just inspire a new blog post about this
stuff - it seems there is some, if not misinformation, certainly
misunderstanding, out there.
I can understand your confusion. The advice you cite (which I recognise as
being advice I have given over the years) has changed over the years as the
behaviour of the bad guys has changed.
The advice to avoid clicking on buttons in a dialogue window is always good
advice, because those buttons can be coded to do just about anything - the
wording is no more than a label. The red cross on the title bar, on the
other hand, cannot be coded to do what it is not supposed to do - it's hard
coded. BUT, that being said, when the bad guys realised that we were
avoiding their wares by closing using the red x, chromeless popups started to
appear that were designed to *mimic* the red x - that is, it was not the real
thing which is why I started spreading the "don't touch the red button"
advice.
Then winfixer and a few others changed the goal posts again. Now we need to
remember that sometimes it does not matter how you get rid of that dialogue
box, whether by clicking on the red x or by closing the page itself, or even
the Web browser in its entirety - the act of closing can be 'interrupted' by
a warning dialogue which is what Winfixer does - there's no way to get around
it.
Just a few days ago I saw a new slide-in dialogue box (screenshot on the
winfixer/AOL blog entry cited elsewhere in this thread) that is not even a
real chrome or chromeless pop-up window, and the X cannot be clicked at all -
it's fake - all that can be clicked on are the two option buttons.
As to your question about what is the best thing to do, what is the "safe"
and "best" thing to do has depended on what you are encountering. Is it a
standard popup or is it a chromeless window with a fake title bar? How is
the page that is triggering coded? If another pop-up or download is coded to
occur on_close, then that is what the page is going to try to do, no matter
what route you take to close the window.
Nowadays I don't advise avoiding the red x because it has been a long time
since I've seen a chromeless window with fake red x and something is tickling
at the back of my memory that it may not even be possible to create the fake
box anymore - something to do with restrictions on chromeless windows. I'll
have to dig into that further and refresh my memory.
2) Will Defender protect you? That is a guarantee that cannot be made. I
am regularly seeing new versions of the installer for this malware that are
not detected. It is too easy to recode executables just enough to break
signature detection, so don't depend on that.
3) The same goes for your other mentioned programmes. There is no 100%
guaranteed protection out there - that is the reality.
--
Sandi
Microsoft MVP since 1999
http://www.ie-vista.com
Blog:
http://www.msmvps.com/spywaresucks
Internet Explorer Community
http://www.microsoft.com/windows/ie/community/default.mspx
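
The reply above makes two points that can be checked from page source: a button's wording is only a label, and a page can attach behaviour to the act of closing. The following Node.js scan is an added example, not part of the original thread; the function names, the sample page and its URLs are constructed, and the regex matching only handles simple inline handlers.

```javascript
// Added example, not from the original thread. Regex-based, so it only
// handles simple inline handlers; SAMPLE_PAGE and its URLs are constructed.
const ACTIONS = [
  ['opens-window', /\bwindow\.open\s*\(/],
  ['navigates', /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:assign|replace)\s*\(/],
  ['close-prompt', /\breturn\s+["']|\breturnValue\s*=/],
];
const classify = code => ACTIONS.filter(([, re]) => re.test(code)).map(([name]) => name);

// Handlers that fire when the window goes away, whichever route closes it.
function closeHandlers(html) {
  const attr = /\b(onbeforeunload|onunload)\s*=\s*(["'])([\s\S]*?)\2/gi;
  const prop = /\.(onbeforeunload|onunload)\s*=\s*function\s*\([^)]*\)\s*\{([\s\S]*?)\}/gi;
  const found = [];
  for (const m of html.matchAll(attr)) found.push({ event: m[1].toLowerCase(), actions: classify(m[3]) });
  for (const m of html.matchAll(prop)) found.push({ event: m[1].toLowerCase(), actions: classify(m[2]) });
  return found.filter(f => f.actions.length > 0);
}

// Clickable elements labelled as a dismissal whose handler does something else.
function misleadingButtons(html) {
  const el = /<(a|button|div|span)\b[^>]*\bonclick\s*=\s*(["'])([\s\S]*?)\2[^>]*>([^<]*)/gi;
  const found = [];
  for (const m of html.matchAll(el)) {
    const label = m[4].trim();
    const actions = classify(m[3]).filter(a => a !== 'close-prompt');
    if (/^(x|no|cancel|close)$/i.test(label) && actions.length > 0) found.push({ label, actions });
  }
  return found;
}

const SAMPLE_PAGE = `
<body onunload="window.open('http://ads.example.invalid/offer')">
<script>
window.onbeforeunload = function () { return "Stay on this page?"; };
</script>
<div class="bar"><span onclick="location.href='http://ads.example.invalid/install'">X</span></div>
<button onclick="window.close()">OK</button>
</body>`;

console.log(closeHandlers(SAMPLE_PAGE));
console.log(misleadingButtons(SAMPLE_PAGE));
```

On the sample page the scan reports the unload-time popup, the close-time prompt, and the "X" that navigates instead of closing, while the plain OK button that only calls `window.close()` is not flagged.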