Hey Everyone,

I realize its been forever since I have updated ATF and the only reason for that is real life sometimes gets in the way of my programming.
Just wanted to let everyone know that an update is in the works and will include cleaning for Safari and Chrome along with the three ATF already did.

There currently is no ETA on the update, sorry. It shouldn't be too long though.

Happy Surfing,

Atri

I received an email last week from a person who had picked up a particularly nasty vundo infection. I vnc'd into his machine and pulled some samples and found that they weren't hooking winlogon.exe like the usual vundo we see, instead they were hooked into lsass.exe.

I managed to get it ripped out of the users machine and get him back on his merry way.

Since then I have had time to test out this new variant and figure out how it was loading and have now added removal of it to Vundofix.

 
While I was testing I noticed that when I tried to reboot I was receiving errors about SuperMWindow not shutting down. I did a scan on the vundo dll and found that this was in fact caused by vundo. After searching Google I came to the conclusion that quite a few people were seeing SuperMWindow but no one knew what it was or how to remove it. Vundofix now takes care of this.

Vundofix and instructions on how to use it are available from http://vundofix.atribune.org

Good Luck and Safe Surfing, Atri

ATF-Cleaner 3 is here! It now support Windows 98/ME/2K/XP and Vista! In it's one year of existance ATF-Cleaner has had nearly 350,000 downloads and the number grows everyday.

 Get it and try it now! Download Here

I'd like to thank all of the forums helpers who recommend ATF-Cleaner and all of you who use it!

Thanks everyone, hope you enjoy the latest version. 

Atri 

With Vundo (virtumonde) still ever changing I have added a third detection, well sorta.

When the first vundofix was released it used CLSID's to find the files. When I recreated VundoFix I removed the CLSID's and went to a binary string method of finding the files. The next version of VundoFix had binary strings searching and pure registry searching.

It was working great but now it's time to make it even better, at the request of my fellow Microsoft MVP and security expert Tony Klein I have re added CLSID detection to VundoFix, 225 CLSID's total have been added. The older version of VundoFix only had 106 in it.

Hope this tool is helping lots of people still. If it doesn't work for you let us know.  We will do our best to get you cleaned up.

Vundofix and instructions are available here 

Atri 

UploadMalware.com is another project of ours, it is a resource for submitting files to Malware Experts and Anti-Malware Vendors worldwide.

If you've got a suspicious file and aren't sure what to do with it send it to us and include your email or a link to a forum thead and we will attempt to let you know what it is and what to do with it.

When UploadMalware receives your files we analyze them and submit them to almost 50 Anti-Malware vendors. More files  getting submitted means better  protection  for everyone and safer surfing.

Help us make the web a safer place to be. Send us those unknown files.

So here I was testing some dll's and changes I made to Vundofix.exe and out of nowhere appear these exe's with names that are 8 characters long and random.

After doing some analysis I found that it was adding the Winanti and Sysprotect sites as well as others to the Internet Explorer trusted zone.

Vundofix 6 has been updated and uploaded to remove these exe's as well as the entries in the trusted zone of Internet Explorer. 

We are in the process of moving to a new server. During this time some links may not work.

Please let us know if you find a link that isnt working.

Atri 

Advertisemen is a new adware out there. described here at Vivid Reflection. Richard from Vivid Reflection sent me the files via Upload Malware and I have now created a quick removal tool for advertisemen. RemAdvertisemen is available here.

 Download RemAdvertisemen to a convenient place and double click the remadvertisemen.exe.

Once it is running click the "Start Removal" button and wait for the "Done Removal! Please reboot your computer now." message. Once you see that Click ok and then reboot your computer.

Hope this helps :D Happy surfing,

Today I recieved this email:

 Subject: You have received a postcard !

Hello friend !
You have just received a postcard from someone who cares about you!

This is a part of the message:
"Hy there! It has been a long time since I haven't heared about you!
I've just found out about this service from Claire, a friend of mine who also told me that..."
If you'd like to see the rest of the message click  here to receive your animated postcard!

===================
Thank you for using www.yourpostcard.com 's services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !
==================

In the email was a url that downloads postcard gif.exe. what installs a mirc client that connects to the undernet irc network. Not only does it connect to undernet it also installs W32/Parite.B . Which will infect all exe and scr files on your computer.

IF YOU RECEIVE THIS EMAIL DO NOT OPEN IT!!! DELETE IT IMMEDIATELY 

If parite.b is installed on your computer be prepared to format. 

Update now!!!

Older versions of java should be uninstalled through add remove programs before installing the new version

Download the new version at  http://java.sun.com/j2se/1.5.0/download.jsp

Release notes for the update can be found at: http://java.sun.com/j2se/1.5.0/ReleaseNotes.html