WinAntivirusPro2006 again, via ActiveNetworks

I've been looking around for alternative Internet Explorer resources that I can point users to that compliment my own sites (www.ie-vista.com and http://inetexplorer.mvps.org).  During my wanderings I encountered an old ActiveWin page dedicated to Internet Explorer 5.

Once again, an ActiveNetwork banner advertisement is promoting Winfixer (aka WinAntivirusPro2006 aka ErrorSafe).  I've encountered this problem before on the ActiveNetwork site, back in March this year.

The dangerous banner advertisement:
 

We click on the advertisement - a dialogue box appears that stops the resultant page from loading completely until you click ok or the red x:

Then, one of two pages loads (there may be more, this is what I have seen today):

Full size - http://inetexplorer.mvps.org/images/3w.png
Page URL - http://amaena.com/securityworm5827/?p=4&ex=1&aid=fastban&lid=os&mpt=20060828045018
 
Full size - http://inetexplorer.mvps.org/images/3wa.png
Page URL - http://www.amaena.com/securityworm61/index.php?h=10&ex=2&ax=0&aid=fastinu&lid=os&mpt=20060828054414

The entire page is one giant hyperlink...click *anywhere* on the page, even apparently empty areas, and you will trigger a Winfixer download - note the cursor in the shape of a hand - this indicates that the area is a hyperlink.
       

Here is the next dialogue box - note that there is no "cancel" option.

Click on OK and we see:

Trend Antivirus does not like the download:

Cancel the download, close the dialogue box using the close button or close the page and we see:

Click on OK, Cancel or the close button and we see:

Click the close button and the page finally closes BUT a pop-up window is generated that also tries to infect your system:

Page URL: http://www.amaena.com/securityworm61/download.php?aid=fastinu_exit&lid=os&ex=2

At this point, if you are running an older version of IE, or if your security settings are too low, your system is at risk of being infected with no further user interaction.

Removal

You'll need some specialised tools to get rid of this programme, but there is no guarantee of success, especially if you're dealing with a new variant.  Try:

Vundofix - run it as a Task:
http://www.atribune.org/content/view/24/2/

If Vundofix doesn't work, try VirtumundoBeGone - run in safe mode:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

My personal preference is to also run Smitfraudfix:
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

The following information is for advanced users and for professional technical support - these steps are NOT recommended for the inexperienced.  I have not provided detailed instructions or advice and have assumed a higher than average level of skill....

Still infected?  You'll need to search for a rootkit using GMER, rootkit revealer etc.  You'll also need to generate and analyse an Hijackthis log.

An error similar to the following indicates continuing infection:

16 bit MS-DOS Subsystem
<<path to file name>>
The NTVDM CPU has encountered an illegal instruction

You will need to delete the file the old fashioned way (CMD window) or use a product such as Killbox:
http://www.killbox.net/

or Avenger as a last resort - its a very powerful programme that should not be used lightly.
http://swandog46.geekstogo.com/

You can read about previous battles with malware here:
http://msmvps.com/blogs/spywaresucks/archive/2006/06/11/100679.aspx
http://msmvps.com/blogs/spywaresucks/archive/2006/06/07/100009.aspx

Published Mon, Aug 28 2006 6:14 by sandi
Filed under: ,

Comments

# re: WinAntivirusPro2006 again, via ActiveNetworks

Monday, November 20, 2006 12:52 AM by juris1691@yahoo.com

THIS WIN ATIVIRUS PRO REALLY ANNOYS ME AS IT KEEPS ON POPPING UP TO MY COMPUTER EVERYTIME I USE MY LAPTOP THEN I WILL GET DISCONNECTED, WOULD YOU PLEASE IF ANYONE FROM YOUR COMPANY COULD EMAIL ME ON HOW TO GET RID OF THIS POP-UP FROM WIN ANTIVIRUS PRO IN MY COMPUTER WHICH I AM REALLY NOT INTERESTED, IT IS REALLY VERY, VERY ANNOYING.