
New exploit in Windows XP?

I came across this on someone else's machine, a program running on startup, qkshield.exe, which is titled quikshield, and is one of those programs that puts a message on your screen that essentially says, give us your credit card number to make us go away. Well, fortunately it was an easy program to get rid of, just end the task in task manager and delete the file, the program stays away for good.

Little background, this computer is up to date with all the patches from Microsoft, and is running McAfee anti-virus in the background, with current virus definitions and active virus protection. I searched the internet to find some information about quikshield, and went to their website, and right before my eyes I watched the software reinstall itself on the computer... but at least it was easy to get rid of it again.

Is this possibly a new exploit? Or should I be looking for any other specific crap on the computer? I used another anti-virus software too besides McAfee just to check, and nothing was found. Nothing in ad-aware, hijackthis, ewido, etc.

The websites are (*do not visit them*)
www . quikshield . com
www . quickshield . com

I blocked those sites using the hosts file and left the computer as is. Something I've never seen before and really don't know how to properly prevent it from reinstalling.
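The hosts-file block the poster describes, as an added example that is not part of the thread: it parses a hosts file, appends a loopback entry for each domain not already present, reports any domain that already has a conflicting (non-loopback) entry, and can be re-run without producing duplicates. The hosts contents are constructed for the example, and the bare apex names (without "www.") are an assumption, since the thread only lists the www hosts; on a Windows XP machine the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
# Added example, not from the thread: idempotent hosts-file blocking of the
# scareware domains named in the post above.

# Constructed sample: a typical default XP hosts file plus one entry that
# an earlier cleanup already added.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.quikshield.com   # already blocked earlier
"""

# Domains named in the thread; the apex names are an assumption added here.
SCAREWARE_DOMAINS = [
    "www.quikshield.com",
    "quikshield.com",
    "www.quickshield.com",
    "quickshield.com",
]

SINK_ADDRESSES = ("127.0.0.1", "0.0.0.0", "::1")
BLOCK_COMMENT = "# blocked: scareware"


def parse_hosts(text):
    """Return {hostname: address} for every active (uncommented) entry.

    Only the first mapping for a hostname is kept, matching how the
    resolver uses the file (first match wins).
    """
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                            # blank or malformed line
        for host in parts[1:]:
            entries.setdefault(host.lower(), parts[0])
    return entries


def is_blocked(text, domain):
    """True if the hosts file maps the domain to a loopback/sink address."""
    return parse_hosts(text).get(domain.lower()) in SINK_ADDRESSES


def add_block_entries(text, domains, sink="127.0.0.1"):
    """Append a sink entry for every domain that has no entry yet.

    Returns (new_text, added, conflicts):
      added     - domains appended in this call
      conflicts - domains that already map to a non-sink address; appending
                  a second line would not override them, so they are
                  reported for manual fixing instead of silently ignored.
    """
    existing = parse_hosts(text)
    added, conflicts = [], []
    for d in domains:
        addr = existing.get(d.lower())
        if addr is None:
            added.append(d)
        elif addr not in SINK_ADDRESSES:
            conflicts.append(d)
    if not added:
        return text, [], conflicts
    if not text.endswith("\n"):
        text += "\n"
    lines = ["%s\t%s\t%s" % (sink, d, BLOCK_COMMENT) for d in added]
    return text + "\n".join(lines) + "\n", added, conflicts


if __name__ == "__main__":
    new_text, added, conflicts = add_block_entries(SAMPLE_HOSTS, SCAREWARE_DOMAINS)
    print("added:", added, "conflicts:", conflicts)
    print(new_text)
```

Running it against the sample appends the three missing names and leaves the existing www.quikshield.com line alone; a second run adds nothing. On a real machine, write the returned text back to the hosts file from an administrator account and flush the DNS cache with `ipconfig /flushdns` afterwards.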
 
Nothing happens in my xp64/ie-32 virtual machine besides some ActiveX popup, and I'm not clicking that. 😉

Why don't you go to Tools->Manage Addons and disable the associated ActiveX (COM) plugin, then unregister the plugin with regsvr32 /u <filename>.
 
I checked the add-ons and didn't see anything unusual. I don't know, it must be there, or the activex settings are too loose. I suppose that's always a possibility. I'll look into it when I get a chance. Sometimes I'm put on a tight time deadline and cannot think of everything on the spot. 🙂
 
New scams and malware are created every day. This isn't something that's necessarily exploiting a security hole that nobody is aware of yet, it just uses ActiveX to install something. A properly patched system shouldn't automatically install it, it should prompt you, but the settings can be changed. Go look at the security settings in IE.

It's not really clear whether it's actually malware, though it's obviously unethical to automatically install your application and then annoy users to get them to pay for it. It's available for download at download.com and tucows.com and others, with no indication that it's anything but a legitimate application with a free evaluation period. The few spyware tracking sites I found mention of it said it was legitimate.

They do provide uninstall instructions.
 
I just went to the site and IE did not install the software by default, though I was notified:

"This site might require the following ActiveX control: 'QuikShield Security' from 'United Software'. Click here to install..."

Of course I didn't click the ActiveX bar.

Check your security settings in IE; they must be set pretty loose.

I had an uncle that called me not that long ago about something just like this (might have even been the same software) and he was silly enough to actually enter his credit card info to make the pop up go away... so crap like this does work on some people. When he called me I visited and uninstalled, and changed his account from administrator to user.
 
It sounds like you've given the employees Administrator accounts. If possible, switch them to Restricted-User or Limited accounts.

Also:

1) run Microsoft Baseline Security Analyzer (download) and see if the system's missing some Office patches or has other issues.

2) check for outdated versions of any add-on software (QuickTime, Flash Player, Sun Java, and any alternate browsers that are installed).

but most of all, take the ammo out of the weapons... no Admin powers unless unavoidably necessary.
 
It's good to know that this is not something that is going to automatically install on everyone's computer. I had a limited time to work on the system, as I do house calls for people as part of the business. And actually the computer is now in Minnesota while I'm still here in Illinois, I'm not going to see that computer for a long time.

But it's always good knowledge to know about the different software problems out there, as if I see something on one computer, I'm probably going to see it on someone else's, so I better know how to fix it on the spot next time.

It's like that Aurora software that hit over a year ago, I spent over 3 hours working to get it off the first computer. Now even last week I looked at another that had Aurora, and it was a snap to remove.
 