WinAntivirusPro2006 again, via ActiveNetworks
I've been looking around for alternative Internet Explorer resources that I can point users to that complement my own sites (www.ie-vista.com and http://inetexplorer.mvps.org). During my wanderings I encountered an old ActiveWin page dedicated to Internet Explorer 5.
Once again, an ActiveNetwork banner advertisement is promoting Winfixer (aka WinAntivirusPro2006 aka ErrorSafe). I've encountered this problem before on the ActiveNetwork site, back in March this year.
The dangerous banner advertisement:
We click on the advertisement - a dialogue box appears that stops the resultant page from loading completely until you click OK or the red X:
Then, one of two pages loads (there may be more; this is what I have seen today):
Full size - http://inetexplorer.mvps.org/images/3w.png
Page URL - http://amaena.com/securityworm5827/?p=4&ex=1&aid=fastban&lid=os&mpt=20060828045018
Full size - http://inetexplorer.mvps.org/images/3wa.png
Page URL - http://www.amaena.com/securityworm61/index.php?h=10&ex=2&ax=0&aid=fastinu&lid=os&mpt=20060828054414
The entire page is one giant hyperlink...click *anywhere* on the page, even apparently empty areas, and you will trigger a Winfixer download - note the cursor in the shape of a hand - this indicates that the area is a hyperlink.
Here is the next dialogue box - note that there is no "cancel" option.
Click on OK and we see:
Trend Antivirus does not like the download:
Cancel the download, close the dialogue box using the close button or close the page and we see:
Click on OK, Cancel or the close button and we see:
Click the close button and the page finally closes BUT a pop-up window is generated that also tries to infect your system:
Page URL: http://www.amaena.com/securityworm61/download.php?aid=fastinu_exit&lid=os&ex=2
At this point, if you are running an older version of IE, or if your security settings are too low, your system is at risk of being infected with no further user interaction.
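As an added example (the editor's, not part of the original post), the PowerShell below reads the Internet Explorer "Internet" zone settings that decide whether the dialogue boxes shown above appear at all, or whether a page can fetch and run code silently. The policy IDs, their meanings (0 = Enable, 1 = Prompt, 3 = Disable), the CurrentLevel values and the Security_HKLM_only check are taken from IE's documented zone registry layout; which values count as "too permissive" is the editor's threshold, not something the post states.

```powershell
# Added example (editor's, not from the original post): audit the IE "Internet"
# zone (zone 3) for settings that let a page download or run code with no
# further prompt, which is the exposure the post warns about.
# Assumptions: policy IDs below are IE's documented zone value names; data is
# 0 = Enable, 1 = Prompt, 3 = Disable. Zone settings normally live under HKCU;
# when Security_HKLM_only is set (a group-policy option), the HKLM copy applies.

$settingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmKey     = $settingsKey -replace '^HKCU:', 'HKLM:'
$hklmOnly    = (Get-ItemProperty -Path $hklmKey -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) { $settingsKey = $hklmKey }
$zone3 = Join-Path $settingsKey 'Zones\3'

# Documented CurrentLevel values for the built-in slider positions.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
$meaning    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy IDs the post's scenario hinges on. FlagIf lists the data values the
# editor treats as too permissive for a zone that any banner ad can reach.
$checks = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';              FlagIf = @(0) },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';            FlagIf = @(0, 1) },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';             FlagIf = @() },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX not marked safe'; FlagIf = @(0, 1) }
)

$props = Get-ItemProperty -Path $zone3
$level = [int]$props.CurrentLevel
$levelLabel = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'custom' }
Write-Host ("Internet zone level: 0x{0:X} ({1})  [{2}]" -f $level, $levelLabel, $zone3)

foreach ($c in $checks) {
    $value = $props.($c.Id)                      # $null when the value has never been set
    $label = if ($null -eq $value) { 'not set' }
             elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
             else { "raw $value" }
    $flag  = if ($null -ne $value -and $c.FlagIf -contains [int]$value) { '  <-- too permissive' } else { '' }
    Write-Host ("{0}  {1,-48} {2}{3}" -f $c.Id, $c.Name, $label, $flag)
}
```

Anything marked "too permissive" means the browser will hand the page a download or an ActiveX instance without the OK/Cancel step that, in the walkthrough above, is the user's only chance to back out.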
You'll need some specialised tools to get rid of this programme, but there is no guarantee of success, especially if you're dealing with a new variant. Try:
Vundofix - run it as a Task:
If Vundofix doesn't work, try VirtumundoBeGone - run in safe mode:
My personal preference is to also run Smitfraudfix:
The following information is for advanced users and for professional technical support - these steps are NOT recommended for the inexperienced. I have not provided detailed instructions or advice and have assumed a higher than average level of skill...
Still infected? You'll need to search for a rootkit using GMER, RootkitRevealer, etc. You'll also need to generate and analyse a HijackThis log.
An error similar to the following indicates continuing infection:
16 bit MS-DOS Subsystem
<<path to file name>>
The NTVDM CPU has encountered an illegal instruction
You will need to delete the file the old fashioned way (CMD window) or use a product such as Killbox:
or Avenger as a last resort - it's a very powerful programme that should not be used lightly.
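As an added example (the editor's, not from the original post, and not a substitute for Killbox or Avenger), the function below does the "old fashioned" removal from a console: it records the file named in the NTVDM error, clears the hidden/system/read-only attributes that make a plain delete fail, tries to delete it, and if the file is locked by a running process queues the deletion for the next boot. The delete-on-reboot step writes a PendingFileRenameOperations entry under Session Manager (source path with a "\??\" prefix followed by an empty destination), which is the documented mechanism behind MoveFileEx's MOVEFILE_DELAY_UNTIL_REBOOT; that the same mechanism is what the tools above use is the editor's assumption. Run it from an elevated console.

```powershell
# Added example (editor's, not from the original post). Assumption: the
# PendingFileRenameOperations format below (path prefixed "\??\", then an empty
# string meaning "delete") matches what MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
# writes; the session manager processes it at boot before user-mode startup.
function Remove-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)   # the <<path to file name>> from the NTVDM dialogue

    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "Not found: $Path"; return 'not-found' }

    # Record what is about to be deleted so the removal can be audited later.
    $item = Get-Item -LiteralPath $Path -Force
    Write-Host ("{0}  {1} bytes  attrs={2}  written={3}" -f $item.FullName, $item.Length, $item.Attributes, $item.LastWriteTime)

    # Hidden, system and read-only attributes stop a plain delete; clear them first.
    $item.Attributes = 'Normal'

    try {
        Remove-Item -LiteralPath $item.FullName -Force -ErrorAction Stop
        Write-Host "Deleted immediately."
        return 'deleted'
    } catch {
        # Typically "being used by another process": the malware is still loaded.
        Write-Host "Direct delete failed ($($_.Exception.Message)); scheduling delete on reboot."
    }

    # Append to any existing pending operations rather than overwriting them.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $existing = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $entries = @()
    if ($existing) { $entries += $existing }
    $entries += "\??\$($item.FullName)"
    $entries += ''                                # empty destination = delete
    Set-ItemProperty -Path $sm -Name PendingFileRenameOperations -Value ([string[]]$entries) -Type MultiString
    Write-Host "Queued for deletion at next boot; reboot to complete."
    return 'queued'
}

# Usage: Remove-SuspectFile -Path 'C:\WINDOWS\system32\EXAMPLE_SUSPECT.dll'   (placeholder path)
```

After the reboot, confirm with Test-Path that the file is gone and re-run the HijackThis log, since a surviving startup entry will simply drop the file again.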
You can read about previous battles with malware here: