Hit by a nasty new piece of Spyware

Amused, Elite Member, joined Apr 14, 2001
My laptop was hit by the antispywareupdate crap a few days ago while on MySpace.

It changed my desktop to a blue screen with white and yellow text and a link to antispyware.net. A yellow triangle would appear in my systray and pop up warning balloons, and internet popups would appear regularly.

This is not the old version that can be removed using the tools talked about with this spyware. None of them worked. No combination of them worked in any fashion.

I finally had to just reload XP.

My security settings were ideal, I had all windows updates and I was running Norton 2007 fully updated.

It came as a yellow ActiveX notice below the IE toolbar and a gray dialog box asking me if I wanted to run the ActiveX. When I hit the red X to close the dialog box, that's when it hit.

If you get a yellow ActiveX warning below the IE toolbar and a gray dialog box, the best bet is to just pull the plug, because it didn't seem to load until I tried to close the gray dialog box.

Folks, this is coming from trusted sites through ads.

I'm sure this has been talked about, but this is something new. Nothing fixes it. I spent two days finding the fixes for this and they all failed, which means they found a way around the fixes.

How can these companies stay in business???
 

Amused, Elite Member, joined Apr 14, 2001
Originally posted by: mechBgon
My security settings were ideal,

If your security settings were ideal, that wouldn't have happened. Maybe look at some additional security layers to go along with your present ones. :thumbsup:

How can these companies stay in business???

They're criminals. One report says that the computer-malware crime world now makes more money than the illegal drug trade worldwide.

Actually, they were. (with the exception of always using an admin account) I am also behind a router and using a firewall. I am telling you this is making it past them somehow. I have NEVER had a virus or spyware on my systems in the 20+ years I've been doing this.

Yeah, they are criminals, but when was the last time they were prosecuted? When was the last time someone followed the money and shut one of these down?

Antispywareupdates has been up to this since 2005 at least.
 

John, Moderator Emeritus, Elite Member, joined Oct 9, 1999
Originally posted by: Amused
This is not the old version that can be removed using the tools talked about with this spyware. None of them worked. No combination of them worked in any fashion.

Which tools did you try?

I finally had to just reload XP.
Did you try System Restore? You may want to consider making images of your drive.

My security settings were ideal, I had all windows updates and I was running Norton 2007 fully updated.
Norton fails to detect a lot of malware. You may want to consider adding Threatfire, Sandboxie, Online Armor, or use a limited account w/ SRP.

 

mechBgon, Super Moderator, Elite Member, joined Oct 31, 1999
Originally posted by: Amused
Actually, they were. (with the exception of always using an admin account) I am also behind a router and using a firewall. I am telling you this is making it past them somehow. I have NEVER had a virus or spyware on my systems in the 20+ years I've been doing this.

I like to investigate this type of thing, so if you happen to find a lead on where exactly it's coming from, drop me a PM and I'll work on finding out the modus operandi. The protection of a non-Admin account is huge, to the point where it basically trumps all the other stuff combined (patching, antivirus, trying to avoid risky sites, etc)... many times I've sent a super-vulnerable Win2000 box into danger, and with a non-Admin user account, you basically watch malware and exploits smash themselves into the bars of the cage. Good stuff :thumbsup:

Yeah, they are criminals, but when was the last time they were prosecuted? When was the last time someone followed the money and shut one of these down?

Antispywareupdates has been up to this since 2005 at least.

I read one report that said they've got leads on the guys, but the government of the country they live in is reluctant to go after them. I mean heck, there goes a chunk of their GNP, right? :evil:
 

Amused, Elite Member, joined Apr 14, 2001
Originally posted by: mechBgon
I like to investigate this type of thing, so if you happen to find a lead on where exactly it's coming from, drop me a PM and I'll work on finding out the modus operandi. The protection of a non-Admin account is huge, to the point where it basically trumps all the other stuff combined (patching, antivirus, trying to avoid risky sites, etc)... many times I've sent a super-vulnerable Win2000 box into danger, and with a non-Admin user account, you basically watch malware and exploits smash themselves into the bars of the cage. Good stuff :thumbsup:

I read one report that said they've got leads on the guys, but the government of the country they live in is reluctant to go after them. I mean heck, there goes a chunk of their GNP, right? :evil:

Then it's time to invade. :|

I have no idea, just that it came through an ad on MySpace. Haven't been hit with it since. Unfortunately, MySpace is a major social arena for this town and working in the bar business I kinda need to stay in touch.

I may just try the non-admin account idea.
 

John, Moderator Emeritus, Elite Member, joined Oct 9, 1999
Originally posted by: Amused
HJT
Smitfraud
Combofix
What were the versions? SFF is up to v2.30 and Combofix was 1544 KB in size on the 4th. Here's another excellent rogue removal tool that is constantly being updated for the latest threats.

I would have also recommended that you try SUPERAntiSpyware, which is one of the most thorough adware/spyware/trojan scanners on the market. If it doesn't detect something you can email a log to the support team and they will add it to the database in no time. MBAM is another fine tool.

* edited SFF to show v2.30 and not 3.0
 

mechBgon, Super Moderator, Elite Member, joined Oct 31, 1999
Originally posted by: Amused
Then it's time to invade. :|

Problem: they have nukes :D

The recent update to Adobe Reader, to version 8.1.2, fixed a vulnerability in previous versions which it turns out the bad guys had been exploiting (using rigged advertising banners) for weeks prior. This sort of thing is where the arbitrary nature of a non-Admin user account is nice (and Software Restriction Policy on top, if your Windows version supports SRP as well).
 

Modelworks, Lifer, joined Feb 22, 2007
Never allow anything ActiveX to be installed on demand.
ActiveX has way too much control over the system.
I have all ActiveX options disabled except run ActiveX plugins, so nothing can be installed without me changing the options. You can't even click the box that pops up to override it.

The spyware writers like to make windows that look exactly like a normal window that might pop up; closing it or clicking cancel actually installs the ActiveX control.
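The three mitigations raised in this thread (mechBgon's non-Admin account plus Software Restriction Policy, and Modelworks' locked-down ActiveX settings) can be audited from a single script. The following is an added example, not code posted by anyone in the thread. It only reads the registry and changes nothing. It assumes Windows PowerShell 3.0 or later, Internet Explorer's per-user zone settings under HKCU (settings pushed through the Policies keys are not checked), and the documented SRP level ids (0x40000 Unrestricted, 0x20000 Basic User, 0 Disallowed); the "Expected" column simply mirrors Modelworks' configuration rather than any official baseline.

```powershell
# Added example (not from the thread): read-only audit of the mitigations discussed above.
# Assumes Windows PowerShell 3.0+ and IE per-user zone settings under HKCU.

function Test-RunningAsAdmin {
    # mechBgon's point: browsing as Administrator hands a drive-by payload the whole machine.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpDefaultLevel {
    # SRP keeps its default rule here. Documented SAFER level ids:
    # 0x40000 Unrestricted (SRP effectively off), 0x20000 Basic User, 0x0 Disallowed.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.DefaultLevel) { return $null }
    return [int]$props.DefaultLevel
}

function Get-InternetZoneActiveXAudit {
    # Zone 3 is the Internet zone. Each numbered value is one item in IE's
    # "Security Settings" dialog; 0 = Enable, 1 = Prompt, 3 = Disable.
    # "Expect" mirrors Modelworks' setup: everything off except running
    # controls that are already installed.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone    = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $checks  = @(
        @{ Id = '1001'; Name = 'Download signed ActiveX controls';                       Expect = 3 },
        @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                     Expect = 3 },
        @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked safe'; Expect = 3 },
        @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                      Expect = 0 }
    )
    foreach ($c in $checks) {
        $actual = $null
        if ($null -ne $zone) { $actual = $zone.($c.Id) }
        $status = 'REVIEW'
        if ($actual -eq $c.Expect) { $status = 'OK' }
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expect
            Actual   = $actual
            Status   = $status
        }
    }
}

# ---- report ----
if (Test-RunningAsAdmin) {
    Write-Output 'REVIEW  Running as Administrator; use a limited account for day-to-day browsing.'
} else {
    Write-Output 'OK      Running as a limited (non-Admin) user.'
}

$level = Get-SrpDefaultLevel
if ($null -eq $level) {
    Write-Output 'REVIEW  No Software Restriction Policy configured.'
} else {
    switch ($level) {
        0x40000 { Write-Output 'REVIEW  SRP default level is Unrestricted.' }
        0x20000 { Write-Output 'OK      SRP default level is Basic User.' }
        0       { Write-Output 'OK      SRP default level is Disallowed (whitelist mode).' }
        default { Write-Output ('INFO    SRP DefaultLevel = 0x{0:X}' -f $level) }
    }
}

Get-InternetZoneActiveXAudit | Format-Table -AutoSize
```

Run it in an ordinary PowerShell window under the account you actually browse with; a limited user can read both keys. A missing zone value means IE is using the zone's default for that item, which is why "Actual" may show blank rather than a number. Settings enforced by Group Policy live under the Policies branches and override what HKCU reports, so on a domain machine check those as well.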
 

mechBgon, Super Moderator, Elite Member, joined Oct 31, 1999
It's worth pointing out that the bad guys can call anything an "ActiveX Image Object" or whatever, just like they may call it a "Flash Player Update" when you're using a non-ActiveX-capable web browser. What it really is, of course, is a Trojan Horse. Capturing these stupid Trojans used to be part of my morning routine while eating my breakfast, so I wouldn't be surprised if they started posturing them as something else, if/when this gig gets old.

From the description in the original post, my guess would be that Amused got hit by a multi-pronged exploit attack which did attempt to use a real ActiveX control as one of the prongs. The MS06-014 vulnerability, patched in 2006 as the name implies, seems to be a staple item of these attacks. If he's fully patched, then even if it ran, it would fail... but that might be just one of several attacks going on under the surface. QuickTime Player, Flash Player, Adobe Reader, RealPlayer, Sun Java, WinAmp, WinZip... plenty to work with on most people's systems.
 

Amused, Elite Member, joined Apr 14, 2001
Originally posted by: mechBgon
Problem: they have nukes :D

The recent update to Adobe Reader, to version 8.1.2, fixed a vulnerability in previous versions which it turns out the bad guys had been exploiting (using rigged advertising banners) for weeks prior. This sort of thing is where the arbitrary nature of a non-Admin user account is nice (and Software Restriction Policy on top, if your Windows version supports SRP as well).

Do I look like I care??? :|

;)

Ah, well while I update XP and my AV religiously, I am not as religious about some of my plugins other than Java. I guess I should start being more faithful in updating them, eh?
 

gsellis, Diamond Member, joined Dec 4, 2003
Originally posted by: mechBgon
The recent update to Adobe Reader, to version 8.1.2, fixed a vulnerability in previous versions which it turns out the bad guys had been exploiting (using rigged advertising banners) for weeks prior. This sort of thing is where the arbitrary nature of a non-Admin user account is nice (and Software Restriction Policy on top, if your Windows version supports SRP as well).
FYI, it is reported that installing the new version over an older version does not remove the vulnerability. You need to uninstall reader and install the new one. Sigh. Sounds like bad packaging and planning to me.
 

mechBgon, Super Moderator, Elite Member, joined Oct 31, 1999
Originally posted by: gsellis
FYI, it is reported that installing the new version over an older version does not remove the vulnerability. You need to uninstall reader and install the new one. Sigh. Sounds like bad packaging and planning to me.

Ugh, that's bad news. +1 for the Secunia PSI, which I believe will flag the issue until the vulnerable piece is gone.

I am not as religious about some of my plugins other than Java. I guess I should start being more faithful in updating them, eh?

It'll definitely reduce the bad guys' options :thumbsup:

edit: one more bookmark for my "Interesting malware" collection today: http://www.theregister.co.uk/2...e_iframe_piggybacking/
 

Amused, Elite Member, joined Apr 14, 2001
OK, so if they have gotten this good, I finally need the ability to back up my entire install and be able to do a quick format and restore.

Anyone know of an external HD and backup/ghost program that works with a RAID-0 array?

And can I use the HD to store two images, one for my DT and one for my LT?

Thanks guys!
 

RebateMonger, Elite Member, joined Dec 24, 2005
Originally posted by: Amused
And can I use the HD to store two images, one for my DT and one for my LT?
The painless way to do this with Windows boxes is Windows Home Server. It automatically keeps ongoing backups of all the Windows boxes on your network and quickly performs a bare-metal restore to various restore points.
 

Amused, Elite Member, joined Apr 14, 2001
Originally posted by: RebateMonger
The painless way to do this with Windows boxes is Windows Home Server. It automatically keeps ongoing backups of all the Windows boxes on your network and quickly performs a bare-metal restore to various restore points.

That doesn't sound simple or cheap, though.

Got a simple and fairly cheap solution?

If it is simple and cheap, explain. :)
 

mechBgon, Super Moderator, Elite Member, joined Oct 31, 1999
Acronis TrueImage is about $35 at Newegg. I use an old version and it's pretty easy & quick to do full-system recoveries with.
 

Amused, Elite Member, joined Apr 14, 2001
Originally posted by: mechBgon
Acronis TrueImage is about $35 at Newegg. I use an old version and it's pretty easy & quick to do full-system recoveries with.

Works with RAID-0 arrays?
 

mechBgon, Super Moderator, Elite Member, joined Oct 31, 1999
Originally posted by: Amused
Works with RAID-0 arrays?

I think it would depend on whether it has the necessary drivers to access the array at boot time, so that could depend on your hardware too. Maybe give the trialware a whirl :)
 

soonerproud, Golden Member, joined Jun 30, 2007
Originally posted by: mechBgon
Acronis TrueImage is about $35 at Newegg. I use an old version and it's pretty easy & quick to do full-system recoveries with.

I use DriveImage XML and BartPE with the DIXML plugin. The biggest downside to using this free solution is you don't have the ability to do automated backups. If you are broke and do not mind backing up manually on a regular basis, DIXML does an excellent job for the price.

Not certain if it works with raid, but it may be worth finding out.
 

IEC, Elite Member, Super Moderator, joined Jun 10, 2004
Personally, I have an ActiveX/VBScript blocker proggie with a whitelist. If I need to access a particular site (say CNN's videos) I just add it to the whitelist. Not a perfect solution but it seems to work.
 

Amused, Elite Member, joined Apr 14, 2001
Originally posted by: gigexx007
This here is 4 all U sinners in computer-land looking 4 anti-spyware softees from reliable companies that DO-NOT splash U with un-solicited spam-ramming!

I do use anti-spyware software, but had a hard time locating a company I could trust and could feel good sponsoring, and found one called antispyware.com

Their main prod is legit and if U download gets U a FREE SCAN!

I strongly urge U that if U need and anti-spyBRUTE give this one a chance...



You can find it at:

WTF???

I can't even start a spyware thread without being hit by the sh!t in my fscking thread!!!
 

gsellis, Diamond Member, joined Dec 4, 2003
Thanks Mechbgon for fixing this thread. Or should I say, spam killing?

/gigexx007 post is removed.