Drive by Spyware/PITA Ware

EagleKeeper

Discussion Club Moderator / Elite Member
Staff member
Oct 30, 2000
Sat evening I picked up something on a system, possibly by trying to install a codec (???via CNN site???). The interesting thing was that when the attacks started, I had not been on the system for over 2 hrs.

I have tried the security cleaners described in the sticky thread.

Symptoms:

1) Something is trying to reset the browser home page - this is being blocked by SpyBot :D

2) Pseudo alerts are popping up frequently (30 seconds or so) that end up trying to open a Web Page when closed and/or Canceled.

Title: Spyware Alert

Security Warning!

Trojan.W32.Looksky detected on your machine. This virus is distributed via the Internet through e-mail and Active-X objects. The work has its own SMTP
engine which means it gathers e-mails from you local computer and re-distributes
itself. In worst case, this worm can allow attackers to access you computer,
stealing passwords and personal data.
This process should be removed from your system.

Type: Virus
System Affected: Windows 2000, NT, Me , XP, Vista
Security Risk (0-5) 5
Recommendations: Click Yes to remove it from your PC immediately

Yes & No buttons

Clicking No causes nothing to happen immediately.
About 1-2 minutes later an IE window will pop up attempting to go to "safewebnavigate.com"



Title: Windows Security Alert

Windows has detected an Internet attack attempt....
Somebody's trying to infect you PC with spyware or harmful
viruses. Run fill system scan not to protect your PC from
Internet attacks, hijacking attempts and spyware! Click here
to download spyware remover for total protection.

OK button

Clicking OK or the window termination X both cause an IE window to pop up trying to go to the following site:
virusprotectionproonline.com


Luckily, the client's network prevents access to these sites, and at the hotel I shut off the wireless to trap this information.


Searching the hard drive (including system and hidden files) detects no character strings that match the web sites.


AVG and McAfee do not detect any viruses
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
Ironically, I was getting popups randomly on sites that I usually never had before. I was thinking the same thing on my end, however AVS didn't detect anything, nor did KAV 7.0. They were infrequent, and very random. I basically stepped back and thought about the situation, and figured that it might be some sort of banner ad popup-exploit tied to some less savory advertisements.

In the end, I ended up wiping my machine and reinstalling Vista anyway, due to the "trial" license expiring (Yes, I own a retail license, I just haven't activated it yet due to updates and hardware changes that I go through regularly).
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Could you run HijackThis and post a log? Also refer to this pic and tell me if you gots those entries (filenames will vary... if so, reboot into Safe Mode, run HJT again and nuke 'em). If you prefer, you can analyze your own HJT log at http://hijackthis.de and nuke stuffs accordingly; Safe Mode With Networking might be a good bet for that.


This would be a NewMediaCodec/VideoAccessCodec attack, and it is indeed "time-delayed" to help keep you from figuring out what's going on... when I'm testing them, I usually cheat by moving the clock ahead to trigger the infection symptoms. I'd be intensely interested in knowing where it came from, if you can trace down the site. NMC/VAC is very poorly detected, both at the installer-file stage and the component files of a complete infection. Components are downloaded using BITS. Further info on the enemy

Another option is to use System Restore, if it's turned on.


Oh, and McAfee is utterly hopeless at detecting these. AVG isn't great either. Kaspersky or Microsoft OneCare (surprise!) have the highest chances of success, based on my observations, but still far from a certainty. Best not to download anything sketchy these days.
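An added triage script (not from this thread or from any of the posters) that reads the places behind the symptoms EagleKeeper listed and the BITS download channel mechBgon mentions: the IE home page value Spybot was blocking, the Run keys HijackThis reports as O4 lines, and the active BITS jobs with their remote URLs. It assumes an elevated PowerShell session with the BitsTransfer module available, and the two domains in the watchlist are the ones quoted above in the thread; everything is read-only.

```powershell
# Added example: read-only look at home page, Run keys and BITS jobs.
# Assumes an elevated session; Get-BitsTransfer -AllUsers needs admin rights.
Import-Module BitsTransfer -ErrorAction SilentlyContinue

# Constructed watchlist from the domains named earlier in the thread.
$watch = @('safewebnavigate.com', 'virusprotectionproonline.com')

function Test-Suspicious([string]$text) {
    foreach ($d in $watch) { if ($text -and $text -like "*$d*") { return $true } }
    return $false
}

# 1) IE home page (the value the infection keeps trying to reset)
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start  = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
$flag   = if (Test-Suspicious $start) { '  <-- matches watchlist' } else { '' }
"IE Start Page: $start$flag"

# 2) Autostart entries (what HijackThis lists as O4 lines)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
        $flag = if (Test-Suspicious $p.Value) { '  <-- matches watchlist' } else { '' }
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
    }
}

# 3) BITS jobs for every user: the component-download channel described above
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    "BITS job '{0}' state={1} owner={2}" -f $_.DisplayName, $_.JobState, $_.OwnerAccount
    foreach ($f in $_.FileList) {
        $flag = if (Test-Suspicious $f.RemoteName) { '  <-- matches watchlist' } else { '' }
        "    {0} -> {1}{2}" -f $f.RemoteName, $f.LocalName, $flag
    }
}
```

Anything flagged here is a lead for the HJT log, not a verdict; a hidden BITS job pulling an executable from an unfamiliar host is the detail worth keeping for whoever does the cleanup.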
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
Yup, that sounds about right... all of the popups I had did point to these bogus anti-spyware sites that are listed. Only thing is I'm not sure what would have triggered the infection in my case. I haven't installed any codecs in a long time, nor do I recall being prompted to do so.
 

EagleKeeper

Discussion Club Moderator / Elite Member
Staff member
Oct 30, 2000
Sounds like I have some work cut out this evening.
 

lxskllr

No Lifer
Nov 30, 2004
I found a worm that had hidden itself in Vista. I kept getting registry entries added, though I couldn't find the file (svdhost.exe). Antivir would copy the file to quarantine, but couldn't remove it, due to the process being in use I assume. I found a way of showing super hidden files from the web (I didn't know such a thing existed). These are different from standard hidden files. Here are the instructions for showing these:

Revealing the super hidden files
Microsoft has added many features to Windows XP to protect the critical files of the operating system. The system file checker, for instance, continually monitors the system files to ensure that no application will replace your system files with a version that Windows XP was not designed to work with. The new super hidden files feature allows Windows to protect itself even further by hiding some of its most critical files from the user. If they can't get to it, they can't hurt it, right?

Revealing the super hidden system files is not very difficult at all. You can uncheck the box on the list on the View tab of Folder Options, but where is the fun in that? Use the Registry Editor to turn this feature off:

1. Click on the Start button and select Run.
2. Type in regedit in the box and click OK to start up the Editor.
3. Once regedit appears, navigate through HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
4. Right-click on ShowSuperHidden and select Modify.
5. Change the value to 1 and click OK to save your changes.

Now you will be able to see all of the files on your computer, including the super hidden system files.

This worked perfectly. I could then see the son of a bitch and rename it (I was going to try decompiling it, but even if I could I probably wouldn't know what I was looking at). I eventually deleted the file.

Contrary to what's implied in the instructions above, super hidden files aren't revealed by checking the folder view setting. It needs to be turned on in the registry.
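An added example (not lxskllr's or the quoted page's own instructions) that makes the same ShowSuperHidden change from PowerShell and then lists executables carrying both the System and Hidden attributes, with their Authenticode status, so a planted file like the svdhost.exe above stands out next to genuinely protected OS files. It assumes PowerShell 3 or later run elevated; the search roots are an assumption about where such droppers usually land.

```powershell
# Added example: flip the Explorer view flags, then hunt for System+Hidden executables.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Same values as the regedit steps above. Hidden=1 shows ordinary hidden files,
# ShowSuperHidden=1 shows "protected operating system files". Restart Explorer
# (or log off and on) for the view change to take effect.
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord
Get-ItemProperty -Path $adv | Select-Object Hidden, ShowSuperHidden

# Files that carry BOTH attributes are what Explorer calls super hidden.
$sysHidden = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden
$roots     = @($env:SystemRoot, $env:TEMP)   # assumption: typical drop locations
$exts      = @('.exe', '.dll', '.sys')

Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $sysHidden) -eq $sysHidden) -and ($exts -contains $_.Extension)
    } |
    ForEach-Object {
        # Real Microsoft components are signed; an unsigned or tampered super hidden
        # binary with a recent timestamp is the thing to look at first.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path      = $_.FullName
            Modified  = $_.LastWriteTime
            Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    } |
    Sort-Object Signature, Modified -Descending |
    Format-Table -AutoSize
```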
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: lxskllr
I found a worm that had hidden itself in Vista. I kept getting registry entries added, though I couldn't find the file(svdhost.exe). Antivir would copy the file to quarantine, but couldn't remove due to the process being in use I assume.

Could you pull a copy out of quarantine and send it to me? What was the name of the worm? Any idea how it got into the system?
 

Medea

Golden Member
Dec 5, 2000
Hmm, looksy is another infection that has been popping up like crazy recently. The link mechBgon shows you what you would see in a HJT log that is indicative of a looksy infection. However, I can almost guarantee that you've got more crap on your system.

What you've been using to try and get rid of it won't do the trick. You should do a HJT log. If you want assistance, PM me your HJT log, and I'll be glad to help.
 

lxskllr

No Lifer
Nov 30, 2004
Originally posted by: mechBgon
Originally posted by: lxskllr
I found a worm that had hidden itself in Vista. I kept getting registry entries added, though I couldn't find the file(svdhost.exe). Antivir would copy the file to quarantine, but couldn't remove due to the process being in use I assume.

Could you pull a copy out of quarantine and send it to me? What was the name of the worm? Any idea how it got into the system?

I already deleted all traces of it. It was nothing exotic, and I know exactly how I got it. Here is a page that describes it.

I recently discovered bittorrent (yea, I know, where have I been :p). I was trying to get some of the albums I have on vinyl transferred to my computer. I was going to do it by recording to an mp3 player, but I figured bittorrent would be quicker. As it turns out, much of the music I wanted digitally isn't really popular, or widely available. I didn't get much music, but I wanted to use my new toy (bittorrent). I decided to download a crack to play Bioshock without the cd in the drive. Well, I downloaded a .exe and ran it (alright, stop laughing now :|) and I guess you can figure out what happened :p. So I got it by having my head up my arse. I absolutely knew better, but my brain must have short circuited. I've always prided myself on practicing safe computing, and have only gotten 1 virus previously (years ago when I was very much a noob), but I just blew it this time. I don't have anyone to blame but myself.