WinFixer 2005 has me beat

[Metron]

I successfully used the instructions on this page, combined with MS AVbeta, Spybot, and Ad Aware...

Generally, the user has fallen victim to a popup proclaiming the machine is infected with spyware, and offers the "solution" of installing Winfixer as a "remedy." = Self inflicted

 

[dullard]

Originally posted by: Metron
Self inflicted

The popup? WinFixer 2005 may be self inflicted. But I'm still at a loss of how exactly the popup came about.

It is a popup that comes on all web pages, puts the OK and Cancel buttons both to install WinFixer 2005. Puts up additional webpages right in front of the page you are viewing where the X button at the top left of the IE Window is not a Close button but an install button. And you get a series of 5-25 of these popups in a row. That is the annoying part. WinFixer 2005 is just one file to delete by hand. Its the popups that are difficult.

 

[Metron]

Dullard, your popups have a border thats says something like "ABI - Aurora" at the top, yes? ABI = A Better Internet (Ha! That's funny!)... ABI/Aurora/WinFixer are all the same spyware. This spyware is like a hydra... WinFixer is only 1 head of the beast.

I saw an article on the front page of the New York Times last month about people throwing PC's away, because their machines were so corrupted with spyware. Why call Geeks-on-Call or Best Buy and pay $250-$300 for a spyware sweep, when you can get a whole new system from Dell or HP for the same price? The sad part was the author's solution to prevent spyware infection was that you avoid file sharing and other nefarious websites.... how three years ago! The marketing companies are PAYING money to the former virus and script kiddie authors to write perfectly legal spyware that is covert and not detectable by normal means.

I tell my customers that spyware is a lot like obscenity... it's hard to define, but you know it when you see it.

If you're running a computer connected to the internet without any anti-spyware running, you're going to get infected in a very short period of time (minutes). Unlike anti-virus measures, more anti-spyware is better.

It's not a matter of which websites you visit... it doesn't matter that you have Symantec's latest anti-virus loaded (though they have been saying for 2 years that they "protect" you against spyware... BS).

From your original post you say you loaded Ad-Aware and Spybot AFTER experiencing trouble...

Before I connect any computer to the 'net, I install a suite of anti-spyware programs. I suggest you do the same.

*edit*
The problem with WinFixer in your case is that even though you NOW have anti-spyware enabled and cleaned your system, it has a registry entry that will execute a file called nail.exe. Nail then covertly reloads WinFixer onto your machine. I've sent updates to Microsoft and a couple other anti-spyware developers regarding this. Hopefully their future detection updates will be able to detect the registry corruption...

Follow the section Uninstall 2 on this page to disable Nail.exe...

Cliff Notes on the process:
1) Run regedit and remove the reference to nail.exe
2) Open Nail.exe in Wordpad and delete the entire contents... make it a blank executable. = No payload
3) Run Spybot, Ad-Aware, and MS ASB to clean up any other references to Aurora/ABI.
4) Use either msconfig or the System Startup tool in Spybot to ensure that WinFixer isn't still included as a startup program.
5) Reboot your machine.

PS... what's really sad is that these marketing companies are now suing companies like Lavasoft and Microsoft... contending that their actions are perfectly legal, and that "they shouldn't be included" in the anti-spyware definitions. There ought to be a law...

 

[mechBgon]

If you're running a computer connected to the internet without any anti-spyware running, you're going to get infected in a very short period of time (minutes).

I beg to differ, or at least point out the danger of generalizations. Every day my fleet puts on another ~500 machine-hours. We have no antispyware apps, and we have no spyware problem.

And why is that? Mostly because we don't go flyin' around like noObs running our browsers at Admin-level privilege levels, or anything else either. McAfee VirusScan Enterprise 8.0i also knows a darn lot of spyware/adware on sight, and that doesn't hurt as a backup measure, especially against downloaders and Trojans whose purpose is to install adware apps.

 

[Metron]

Your statement is also true, but to further generalize... *smirk*

most people are "...noObs running our browsers at Admin-level privilege levels..." and the default out of the box settings are what they use. Modifying the default browser privilege levels or INSTALLING anti-spyware are both effective methods at combating this pervasive problem. You're preaching to the choir...

I would further contend that you ARE running anti-spyware (McAfee Enterprise). My point was specific to Symantec's lame offering (not being effective as an anti-spyware).

 

[Slikkster]

Originally posted by: Metron
Dullard, your popups have a border thats says something like "ABI - Aurora" at the top, yes? ABI = A Better Internet (Ha! That's funny!)... ABI/Aurora/WinFixer are all the same spyware. This spyware is like a hydra... WinFixer is only 1 head of the beast.

This wasn't the case for me. No registry mention whatsoever of nail.exe (as you state in your post).

I only had the files found in the \windows\web\wallpaper folder and the one .dll in the \windows\system32 folder.

Again, the Winfixer *problem* is two-fold. One is the popup problem warning you of problems in your system/registry, and telling you Winfixer can help. The popup website wants to download an ActiveX control, but by default, that shouldn't happen if you have IE6 set to normal permissions. In other words, you would have to explicitly OK the ActiveX download. I did not.

However, I was still stuck with the popups. It was only through investigating that I tracked down the source.


The second part of the potential Winfixer problem is if you actually DO allow the ActiveX control to install. Once you've gone that far, I don't know what ramifications will ensue.

 

[FlyingPenguin]

I would not say an anti-spyware is a must unless you're a person prone to cliking on the wrong things. Also anti-spyware is NO preventative. Unlike an Anti-Virus program it won't stop anything - it merely warns you. If you ignore the warning and click ALLOW you still get infected.

Most spyware are just small popup windows and the author counts on the fact that some people while web browsing may just click "OK" on any small windows that looks like a standard Windows Message box without even reading it. FOR EXAMPLE: "Click.... Click.... Click... hey, what did that say?" Too late, you're infected.

DULLARD: There's a very good article on avoiding the pitfalls of Spyware on GetNetWise.org. I have a printable format version on my website here: http://soldcentralfl.com/flyingpenguin/spyware/spyware_help.html

I also have a Word document version that I print for customers who are prone to spyware infections. If you follow the advise in that article and you have a good anti-spyware to back you up and warn you when you DO goof (and you heed it's warning) you're very unlikely to ever be bothered by spyware.

The most import thing is NEVER click on ANY buttons on a suspicious popup. popups are nothing but web pages and there is NO GUARANTEE that the "No Thanks" button is not in actuality a button that downloads a spyware app. ALWAYS click on the "X" in the upper right corner of the window to close the window. In the rare situation when there's no "X" either use task manager to close the window or, make sure the drive light is not on and power down the computer.