Re: Pop Up MALWARE: winfixer2005, winantivirus etc.
From: Nick Skrepetos (SuperAdBlocker.com) (nicks_at_superadblocker.com)
Date: Sun, 27 Nov 2005 21:17:15 -0800
Yes, the removal should be simple, and it is with some spyware scanners, and
not so with others.
To answer your questions:
1) Typically you/programs are denied access to the files if another
application has the file open and has not closed the handle and does not
open it with sharing. Many spyware/malware applications do this to prevent
getting the MD5/fingerprint of the application, or examining the contents of
the file. There are two direct (and more) ways for applications to get
around this limitation, both of which we employ in our SuperAdBlocker |
SUPERAntiSpyware product. This involves finding the open handle and using
it, or reading directly from the volume in the native format which will
bypass all of Windows security and protection. This involves parsing the NTFS
or FAT volume directly.
2) Many kernel level drivers, now referred to as "rootkits", can protect a
file so that the operating system cannot access it at all, but its own
processes can have full access. This can involve a file system filter
driver or API hooking driver to accomplish the protection and hiding.
If you still have the infection, you may wish to try Super Ad Blocker with
Super Ad Blocker | SUPERAntiSpyware offers several unique features such as
using a system level driver to delete detected items, so pests do not come
back once detected and cleaned.
Super Ad Blocker offers a fully functional 15-day trial. You can scan and
clean your computer and then remove Super Ad Blocker if you do not wish to
keep it. We do appreciate when users support our development efforts by
purchasing the product :)
If that does not find and/or remove the spyware/adware on your machine, you
can submit a diagnostic and I will diagnose your machine for free and post
the results back to the group and update our rules with anything found:
You may also wish to "see" what is running on your computer here:
** Please note that I am the author of the above programs and sites and I do
have a vested interest in Super Ad Blocker, SUPERAntiSpyware and
FileResearchCenter.com. You, the user, have no obligation to purchase the
software and are free to try the software, clean/fix your system, and then
<email@example.com> wrote in message
> All of these fixes may be a very long trip to what should be a very
> short and quick solution. I have an application which overwrites files
> with random numbers. I would use it on the file with the virus if
> access to that file were not denied.
> Does that infected file generate this problem? Why are Symantec and I
> denied access to it? How can we dissolve that denial? Why could Symantec
> not quarantine that file so that no code from it could ever run?
> Anyhow, I ran Spybot and the Symantec FixVundo utility on 11/27/2005.
> FixVundo created a log which includes:
> "Trojan.Vundo has been successfully removed from your computer!
> Here is the report:
> The total number of the scanned files: 183114
> The number of deleted files: 0
> The number of viral processes terminated: 3
> The number of viral processes suspended: 3
> The number of viral threads terminated: 7
> The number of registry entries fixed: 2"
> When I next rebooted after running FixVundo, the virus alert
> immediately appeared as it had before.
> The Spybot search and destroy function delivered a list of what it
> thought were suspicious cookies. All of those looked innocuous to me
> except some in a folder with WinFix in its folder name. I let Spybot
> kill the cookies in that folder. However, I do not intuit that cookies
> can execute a pop up intrusion.
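The second workaround Nick describes, reading the file's bytes straight off the volume instead of through a file handle, is shown below as an added example; it is not code from the post, from SUPERAntiSpyware, or from any of the tools named above. It builds a small FAT12 volume image in memory (constructed sample data, not a real infection), then parses the BIOS Parameter Block, the root directory and the 12-bit FAT chain to recover and fingerprint a file without ever calling the OS file API. On a live Windows box the same parser would be fed bytes read from the raw volume device (for example `\\.\C:`, which requires administrator rights); that read path is not subject to the per-file sharing-mode check that produces "access denied". FAT was chosen because its on-disk format fits in one screen; NTFS parsing (MFT records, attributes, data runs) follows the same idea but is far more involved. The image is deliberately minimal: one FAT, one sector per cluster, 8.3 names only, no subdirectories or long-name entries.

```python
# Added example: read a file by parsing a FAT12 volume image directly, bypassing
# per-file sharing locks. Image is constructed in memory; a real scanner would
# feed the same parser bytes from the raw volume device instead.
import hashlib
import struct

SECTOR = 512      # bytes per sector in the constructed image
EOC = 0xFF8       # FAT12 entries >= 0xFF8 mark end of chain


def _fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = (n * 3) // 2
    if n & 1:
        return ((fat[off] >> 4) | (fat[off + 1] << 4)) & 0xFFF
    return (fat[off] | (fat[off + 1] << 8)) & 0xFFF


def _fat12_set(fat, n, val):
    """Write 12-bit FAT entry n without disturbing the neighbouring entry."""
    off = (n * 3) // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)


def build_image(files):
    """Constructed FAT12 image: 64 sectors, 1 FAT, 16 root entries, 1 sector per
    cluster; sector 0 boot, 1 FAT, 2 root dir, 3+ data (cluster 2 = sector 3)."""
    img = bytearray(64 * SECTOR)
    img[0:3], img[3:11], img[510:512] = b"\xEB\x3C\x90", b"MSWIN4.1", b"\x55\xAA"
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total
    # sectors, media byte, sectors/FAT, sectors/track, heads, hidden, total32
    struct.pack_into("<HBHBHHBHHHII", img, 11, SECTOR, 1, 1, 1, 16, 64, 0xF8, 1, 1, 1, 0, 0)
    fat, root, next_cluster = bytearray(SECTOR), bytearray(SECTOR), 2
    _fat12_set(fat, 0, 0xFF8)   # media descriptor entry
    _fat12_set(fat, 1, 0xFFF)   # reserved end-of-chain entry
    for idx, (name, data) in enumerate(files):
        base, _, ext = name.partition(".")
        nclusters = -(-len(data) // SECTOR)           # ceiling division
        first = next_cluster if nclusters else 0
        for i in range(nclusters):
            c = next_cluster + i
            _fat12_set(fat, c, c + 1 if i < nclusters - 1 else 0xFFF)
            off = (3 + c - 2) * SECTOR                # data area starts at sector 3
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            img[off:off + len(chunk)] = chunk
        next_cluster += nclusters
        # 8.3 entry: name, ext, attr 0x20 (archive), zeroed times, first cluster, size
        root[idx * 32:(idx + 1) * 32] = struct.pack(
            "<8s3sB14xHI", base.ljust(8).encode(), ext.ljust(3).encode(), 0x20, first, len(data))
    img[SECTOR:2 * SECTOR], img[2 * SECTOR:3 * SECTOR] = fat, root
    return bytes(img)


def parse_bpb(img):
    """Geometry from the BIOS Parameter Block rather than hard-coded offsets."""
    bps, spc, reserved, nfats, root_entries, _t, _m, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_start = reserved * bps
    root_start = fat_start + nfats * spf * bps
    return dict(bps=bps, spc=spc, fat=(fat_start, spf * bps), root=(root_start, root_entries),
                data_start=root_start + root_entries * 32)


def list_root(img):
    """(NAME.EXT, first_cluster, size) for each live file in the root directory."""
    start, count = parse_bpb(img)["root"]
    out = []
    for i in range(count):
        e = img[start + i * 32:start + (i + 1) * 32]
        if e[0] == 0x00:          # end of directory
            break
        if e[0] == 0xE5:          # deleted entry, skip
            continue
        name, ext, attr, first, size = struct.unpack("<8s3sB14xHI", e)
        if not attr & 0x08:       # 0x08 = volume label, not a file
            base, ext = name.decode().rstrip(), ext.decode().rstrip()
            out.append((f"{base}.{ext}" if ext else base, first, size))
    return out


def read_file(img, name83):
    """Follow the FAT cluster chain for name83 and return its contents."""
    p = parse_bpb(img)
    match = [f for f in list_root(img) if f[0].upper() == name83.upper()]
    if not match:
        raise FileNotFoundError(name83)
    _, c, size = match[0]
    fat = img[p["fat"][0]:p["fat"][0] + p["fat"][1]]
    cluster_bytes, data, seen = p["bps"] * p["spc"], bytearray(), set()
    while size and c < EOC:
        if c < 2 or c == 0xFF7 or c in seen:     # free/bad cluster or loop: corrupt chain
            raise ValueError(f"corrupt FAT chain at cluster {c}")
        seen.add(c)
        off = p["data_start"] + (c - 2) * cluster_bytes
        data += img[off:off + cluster_bytes]
        c = _fat12_get(fat, c)
    return bytes(data[:size])


def sha256_via_volume(img, name83):
    """Fingerprint a file from the volume bytes alone; no OS file handle involved."""
    return hashlib.sha256(read_file(img, name83)).hexdigest()


# Constructed sample volume: a 1280-byte "locked" binary spanning three clusters
# (2 -> 3 -> 4) and a short text file in cluster 5.
PAYLOAD = bytes(range(256)) * 5
IMAGE = build_image([("LOCKED.EXE", PAYLOAD), ("README.TXT", b"harmless text\n")])
```

`read_file` refuses to follow a chain that points at a free or bad cluster or loops back on itself, which is the check a scanner needs when the FAT it is reading may have been tampered with by the very software it is trying to fingerprint. The hash produced by `sha256_via_volume` can then be compared against signature databases exactly as if the file had been opened normally.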