Lately I have been plagued by ads for Windows Antispyware that kept
popping up all the damn time with it's message that my system may be
running slow because of a virus. Ha! The only "virus" is the damn ad. I
used an anti-spyware & adware program to get rid of all the tracking
cookies, and for a while those ads stopped popping up. Now my system is
being hijacked to:

http://brandsurveypanel.com/rd_p?p=1...emc_d31&a=3735

I would be in the middle of somthing, then my browser would jump to
that webpage. The anti-spyware program doesn't seem to stop this
problem at all. Can anyone tell me what's going on here and is there
some way to stop my browser from being hijacked to that page as well as
getting rid of that anti-virus ad for good? Thanks.

Ron

Ron wrote:
Stupid idea. A compromised system cannot be simply "cleaned".

What? Sounds bullshitty.

Your system is compromised.

Now would you please flatten and rebuild?

On Fri, 23 Jun 2006 17:27:39 +0200, Sebastian Gottschalk wrote:

Two options

1 Install Firefox

2 Format and install Linux

second option recommended

From: "Ron" <ryon@quik.com>

| Lately I have been plagued by ads for Windows Antispyware that kept
| popping up all the damn time with it's message that my system may be
| running slow because of a virus. Ha! The only "virus" is the damn ad. I
| used an anti-spyware & adware program to get rid of all the tracking
| cookies, and for a while those ads stopped popping up. Now my system is
| being hijacked to:
|
| http://brandsurveypanel.com/rd_p?p=1...emc_d31&a=3735
|
| I would be in the middle of somthing, then my browser would jump to
| that webpage. The anti-spyware program doesn't seem to stop this
| problem at all. Can anyone tell me what's going on here and is there
| some way to stop my browser from being hijacked to that page as well as
| getting rid of that anti-virus ad for good? Thanks.
|
| Ron

What is the EXACT mesages inidicating in you are infected ?

What exactly is the anti malware application that you are suggested to use ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:

Somewhat ironically it was the Win Anti-Virus program I think it was
called. I had used an anti-spyware program which claimed it had fixed
the problem, but that was always temporary. I then tried a new program
that was supposed to be freeware-- and it is as long as you don't ask
the program to do anything effective besides locating adware and
spyware. But once I found out there were a couple of hijacking java
scripts lurking around in my temporary Internet files, I deleted all of
those and numerous cookies, everything once again seems safe and
normal. But I'll have to wait and see if the problems are really gone
for good; sometimes it seems to be gone for a day or two, then it would
be back again

Ron




..

Ron wrote:

Generally you can run only 1 AV and 1 anti-spyware program: they tend to
report one another!

Rick Merrill wrote:
Up until now, I never had occasion to think about that before. I had
acquired a virus that simply would not go away despite my anti-virus
program (Grisoft Anti-virus), so I eventually erased everything and
re-installed Windows 2000 as a very last resort. Now I am much more
careful when it comes to viruses, but these spyware programs and ads
are nearly as annoying and as destructive as any virus.

Ron

Ron wrote:
Malware is malware is malware. You can only give a lower bound for the
maliciousness.

From: "Ron" <ryon@quik.com>


| Somewhat ironically it was the Win Anti-Virus program I think it was
| called. I had used an anti-spyware program which claimed it had fixed
| the problem, but that was always temporary. I then tried a new program
| that was supposed to be freeware-- and it is as long as you don't ask
| the program to do anything effective besides locating adware and
| spyware. But once I found out there were a couple of hijacking java
| scripts lurking around in my temporary Internet files, I deleted all of
| those and numerous cookies, everything once again seems safe and
| normal. But I'll have to wait and see if the problems are really gone
| for good; sometimes it seems to be gone for a day or two, then it would
| be back again
|
| Ron
|



Two phase answer...

Perform Part 1 then perform Part 2

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/to...undoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:
--------------

Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:

Is this a.c.security or a.c.bullshitting-around?

Ouch. WTF does disallow connections initiated from the inside? And WTF
should you care for the executable name rather than for protocol and port?

No need to, the system keeps on being compromised.

From: "Sebastian Gottschalk" <seppi@seppig.de>


|
| Is this a.c.security or a.c.bullshitting-around?
|

No Bullsh!t !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:
How exactly would you classify recommending computer programs that are
supposed to work with magic?

From: "Sebastian Gottschalk" <seppi@seppig.de>

| David H. Lipman wrote:
|>>
| How exactly would you classify recommending computer programs that are
| supposed to work with magic?

No magic.
Hard coded, programmed, removal with subsequent signature and heuristic detection and
removal.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:

man cloaking
man Rootkit

Reliably cleaning a compromised system from the running system itself is
equivalent to halting problem, both in theory and practice.

Sebastian Gottschalk wrote:

I suppose that as a Windoze lUser you actually expected this to produce
something useful, huh?

<laugh>

From: "Sebastian Gottschalk" <seppi@seppig.de>


|
| man cloaking
| man Rootkit
|
| Reliably cleaning a compromised system from the running system itself is
| equivalent to halting problem, both in theory and practice.

There is NO RootKit in this.
It is a case of a Vundo Trojan and/or Virtuomunde Adware infection.

At the very most the malware loads a DLL in the Winlogon Nofify key and a BHO.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:

So, how do you know?

No. It's a case where something that looks like these and probably a lot
of addition unrecognized malware has used a security hole, and this
indentified malware has already downloaded and installed a lot of other
unidentified malware, which has done the same, ...

And you assume that there's no rootkit in this big load of crap? Get
serious!

You'd wish.

TwistyCreek wrote:
Yes. It first searches all manpages and after not finding anything it
opens lynx and browses to the relevant Wikipedia entry.

From: "Sebastian Gottschalk" <seppi@seppig.de>

| David H. Lipman wrote:
|
|>> man cloaking
|>> man Rootkit
|>>
|>> Reliably cleaning a compromised system from the running system itself is
|>> equivalent to halting problem, both in theory and practice.
| So, how do you know?
|
| No. It's a case where something that looks like these and probably a lot
| of addition unrecognized malware has used a security hole, and this
| indentified malware has already downloaded and installed a lot of other
| unidentified malware, which has done the same, ...
|
| And you assume that there's no rootkit in this big load of crap? Get
| serious!
|
| You'd wish.

Please stick to a subject matter that you have direct knowledge on. Ron specifically noted
"Win Anti-Virus".

It is the Vundo Trojan and/or Virtuomunde Adware infection that points to the download and
installation of WinAntivirus Pro, WinAntiSpyware Pro and WinFixer 2006. This is propogated
by...
Amaena
P.O. box1048
Chernigov, NA 14032
UA

Other symptoms are Pop-Ups indicating;
"There is a security vulnerability from the Blackworm virus. We recomen you DOWNLOAD ..."
and
"There is a security vulnerability from the Beagle virus. We recomen you DOWNLOAD ..."

The malware is well known to take advantage of a vulnerability in older versions of Sun
Java.
http://sunsolve.sun.com/search/docum...=1-26-102171-1

In fact even if you have a non-vulnerable version on the PC, if a vulnerable version is on
the PC the Trojan will traverse the version until a vulnerable version can be exploited.
That's why it is imperative that old versions be removed when updating to a new version.
Unfortunately, the Sun Java installer does NOT remove prior versions before installing a
lter version.

I have been studying and working on this family of malware for about 9 months and is the
reason I have written the WinFixerFix utility.

Please see the post "A Hijacking Problem" in the News Group; alt.binaries.comp.virus
The graphics captured were from platforms infected with this family of malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman wrote:

Dave;

Does the company that makes all of the above anti-virus programs
responsible for this infection or some other party? If the company is
responsible, why aren't they being sued or fined for starting what is
essentially a virus that their program can cure? That seems to me like
software extortion.

Ron