There are reports about Winfixer being encountered through AOL ads, and the discussion about these on the Defender newsgroups has reminded me that there are some basic questions about this that I've never resolved. If someone could answer them I'd be grateful.

1. Does Spybot's immunisation (or SpywareBlaster) offer any protection against a Winfixer-type forced installation?

2. If one of those Winfixer-type pop-up panels appears, what is the best approach when confronted with it? (I ask because the advice I've read about this is inconsistent, and I know that to do the wrong thing may lead to the thing installing itself anyway.) Should I:
(a) Close the pop-up panel using the little 'x' in the top right corner?
(b) Leave the pop-up panel alone and close Internet Explorer?
(c) Leave everything alone and disconnect from the internet.
or .....
(d) Something else?

Thanks.

Hi Alan,

Sandi Hardmeier has blogged extensively about the WinFixer family in the past and also this latest set of events with AOL.

http://msmvps.com/blogs/spywaresucks/archive/2007/03/24/704666.aspx

Along with the pictorial descriptions which answer your second question, you'll notice that the 'ErrorSafe' domain is predominant among the many links in her blog. If you look at the lists of both Restricted Sites and Hosts file entries added by the Spybot S&D Immunization and tools, there are several ErrorSafe domain entries in both.

In fact, in order to investigate Sandi's posting to the level I wished, I literally had to remove the Spybot S&D Hosts file entries for a short time. So for your purposes, if you have both the Immunization and Hosts file additions in place, you should not even see these sites unless their hosting changes in some way.

Bitman

Alan D :

If you noticed in the GOTCHA! Winfixer and AOL (http://msmvps.com/blogs/spywaresucks/archive/2007/03/24/704666.aspx) blog by Sandi Hardmeier that was pointed out by bitman (http://forums.spybot.info/member.php?u=74), "Clicking on the red X close button results in another redirect, …".

When you encounter any suspicious pop-up, my advice is never click any buttons in the pop-up itself because even what appears to be a close button (white "X" in a red button in the upper right hand corner of the window) is programmable.

In Internet Explorer 6, right click in middle of the blue title bar at the top of the Internet Explorer window and select close.

In Internet Explorer 7 you should be safe to click the red "X" (Close Tab) in the open tab for the window that is displaying the pop-up.

Thank you so much (both of you) for such clear, intelligible answers.

Although I have the immunisation in place, I haven't used the Spybot hosts file up to this point - partly because I wasn't sure whether I should attempt to use the MVPS hosts file instead - though that seemed a more complex business than just clicking a button in Spybot.

May I ask a couple more related questions?

1. I gather that if you use a large hosts file, there may be a significant slowdown in XP. Am I likely to encounter this issue if I use the Spybot hosts file?
2. Can I just check that if I later use the 'remove' button, the single local hosts entry that I have at present will be restored? (I don't want to experiment and get myself into a tangle that I can't get out of.)
(It sounds as if this latter exercise is what you temporarily did, in fact, Bitman?)

I have never experienced any slowdown that I can relate to using Spybot’s HOSTS file.

To use Spybot's Hosts file feature go into Spybot > Mode > Advanced Mode > Tools > Hosts file. To add Spybot's Hosts file to your HOSTS file click on "Add Spybot S&D hosts list". Spybot will take a backup of your current HOSTS file (see Note #1) and then add its entries. Spybot marks the beginning and the end of the HOSTS file entries it adds with comments as follows:# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 babe.the-killer.bz
127.0.0.1 babe.k-lined.com
127.0.0.1 did.i-used.cc
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
…
…
…
# This list is Copyright 2000-2004 Patrick M. Kolla / Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

When you use the “Remove Spybot S&D hosts list” button in Spybot, it removes the entries between those comments and leaves the other entries in your HOSTS file intact.

If you have already added Spybot's Hosts file, clicking the "Add Spybot S&D hosts list" will merge any new entries that have been added to its list during updates into the existing entries in the HOSTS file. If you use Spybot's Hosts file, I recommend that you "Add Spybot S&D hosts list" after every update to ensure that your HOSTS file contains the latest information.

You also can remove entries from the HOSTS file by highlighting the entries in the Hosts listing and then clicking the "Remove selected entries" button.

--------------------------------------------------------------------------

Note #1: Spybot’s HOSTS file backups are stored as hosts.yyyymmdd-hhmmss.backup (where yyyymmdd-hhmmss = year/month/day/dash/hour/minute/second of when the backup was taken). They are stored in the same directory as the systems HOSTS file:
Win 95/98/ME = C:\WINDOWS
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
The Spybot Hosts file facility also allows you select and restore the HOSTS file to any one of the backups taken when you added Spybot's Hosts file. This is done by selecting a backup from the pull-down selection list of backups (▼symbol on the right of the "Restore backup" button).

When no longer needed the backups can be manually deleted using Windows Explorer, navigating to the appropriate directory and deleting them.

I've never had an issue either, though I have heard of some rare issues with very large hosts files, usually caused by interaction with another anti-malware application.

I only bother with the hosts file because it's so easy to do in Spybot S&D, since messing with any other hosts file is a more manual and entirely separate process.

Bitman

Well, this morning I've taken the plunge and clicked the button, and Defender popped up to alert me of the change (which is reassuring in itself, actually). All seems well as far as I can tell.

When I do something 'unknown' for the first time, I'm always wary of unexpected complications, but I can see now in hindsight that Spybot has made this just about as simple as it could possibly be, and also (importantly) that it's entirely reversible.

Thanks again for all your help on this. I really couldn't have hoped for better advice.