Oh woe's me!
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Oh woe's me!

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Thumbs down Oh woe's me!

    *GASP* Oh no! I should protect myself from the evils of spyware!!

    From - Thu Feb 24 13:41:32 2005
    X-Account-Key: account3
    X-UIDL: 5b3e88889470ac6c232da6a25de84f18
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10000000
    X-Apparently-To: msmittens@msmittens.com via aa.bb.cc.dd; Thu, 24 Feb 2005 10:38:58 -0800
    X-YahooFilteredBulk: aa.bb.cc.dd
    Authentication-Results: aa.bb.cc.dd
    from=bbs-la.com; domainkeys=neutral (no sig)
    X-Originating-IP: [aa.bb.cc.dd]
    Return-Path: <yiodzyubsssuy@bbs-la.com>
    Received: from aa.bb.cc.dd (EHLO aa.bb.cc.dd) (aa.bb.cc.dd)
    by aa.bb.cc.dd with SMTP; Thu, 24 Feb 2005 10:38:58 -0800
    Received: from s160.itokyofl180.vectant.ne.jp (s160.ItokyoFL180.vectant.ne.jp [202.215.217.160])
    by aa.bb.cc.dd (Postfix) with SMTP id 104BE2B6DC7
    for <msmittens@msmittens.com>; Thu, 24 Feb 2005 13:38:54 -0500 (EST)
    Received: from 199.107.184.204 by 202.215.217.160; Thu, 24 Feb 2005 17:33:53 -0100
    Message-ID: <KPVEBQFWGOHIFDEMNFCZ@bellsouth.net>
    From: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
    Reply-To: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
    To: msmittens@msmittens.com
    Subject: [Bulk] The new threat
    Date: Thu, 24 Feb 2005 20:30:53 +0200
    X-Mailer: CommuniGate Pro WebUser Interface v.4.1.6
    X-Priority: 5
    X-MSMail-Priority: Low
    X-Antivirus: AVG for E-mail 7.0.300 [266.4.0]
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="=======AVGMAIL-421E1FDC5485======="

    --=======AVGMAIL-421E1FDC5485=======
    Content-Type: multipart/alternative; boundary=--2868619857532587

    ----2868619857532587
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit

    globalcontinuity.com Magazine announce:
    Spy-Control is the most important step you can take is to secure your system!
    Free Download Here: http://bobble.fightpyco.net

    Prevent the installation of hijackers spyware
    Restrict the actions of potentially dangerous sites in Internet Explorer
    Prevent Identity Theft
    and other potentially unwanted pests.

    Try our online scan now: http://violin.fightpyco.net




    n^e_v*e_r a'g-a_!-n http://anglophobia.fightpyco.net/discon

    ----2868619857532587--
    --=======AVGMAIL-421E1FDC5485=======
    Content-Type: text/plain; x-avg=cert; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline
    Content-Description: "AVG certification"

    No virus found in this incoming message.
    Checked by AVG Anti-Virus.
    Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 2/22/2005

    --=======AVGMAIL-421E1FDC5485=======--
    So, let's visit their fine website. Oh my. I am in trouble. Look at what they say!!!:

    95% of computers with an internet connection are now infected most of the time, without your knowledge! Pop-ups, commercial websites and software like KaZaa are massively installing software which:
    • - Monitors your personal info (Chat Logs, Passwords, Emails, SSN)
      - Dramatically Slows Down your computer, until it crashes
      - Floods you with aggressive Pop-ups and Commercials
      - Hides on your PC un-revealed by Anti-Virus or Firewall Programs
      - Some cases even result in Credit Card Fraud or Identity Theft!
    And all those fine companies "agree" that this is the "best" spyware product out there. Why, I better scan myself with their "fine product". So I download it and go to install it. Hrmm.. Sygate says it needs to communicate with http://82.114.48.64/. Wonder what's there? An affiliate program?

    Post Affiliate Pro is a powerful system that allows you to easy set up and maintain your own affiliate program and pay your affiliates commissions for clicks or sales that they refer to your site.
    Using affiliate system on your site is one of the most efficient ways to achieve more traffic, sales and better link popularity without additional costs.
    Hrmm... Well, since it's so good I better let it do it... HA!

    I actually fired up Ethereal before this started and as you can see from the attached document, it was a rather interesting set of packets. Particularly Frame #10, where I get to see the cookie they left behind. After installing it I fired up HijackThis and got treated to this:

    O3 - Toolbar: Spy-Control Toolbar - {F03817A9-5CB0-47ac-A1B3-0CCC1AD0A253} - C:\Program Files\Spy-Control\ToolBand.dll
    O4 - HKLM\..\Run: [Spy-Control] C:\Program Files\Spy-Control\Spy-Control.exe /s
    For those unaware, ToolBand.dll is an identified Cool Web Search evil. Doing a scan brought up some interesting responses. Apparently the following are spyware:

    nsreg.dat
    istactivex.inf
    A~NSISu.exe
    What is curious is that the nsreg.dat is a Netscape Profile database (and wow, oddly enough I can't see Google caches anymore.. wonder how that happened). I haven't been able to fully research the other two but I have doubts. IMO, there is no reason for a spyware program to do this stuff and it's just maliciously abusing FUDing and the average user. No wonder people get so confused.

    Always be paranoid.. now off to see what other nasties it left behind after the uninstall.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Viruses, Trojans, and Worms, Oh My!

    Viruses, Trojans, and Worms, Oh My!

    Viruses, Trojans, and Worms, Oh My!!!

    I really hate these FUD parasites. They are the close relative of the stereotype 'ambulance chaser lawyer'. There was a company a few years ago making a Back Orifice detection/prevention/cleaning tool. After some research, it was found to be complete bollocks (nigil, tiger, help me out here? Did I do that right? Or is it Bullocks?!? I *love* cursing and using euphemisms that are not native to my east-coast-come-mid-west American accent.)

    Anyway, the guy who found this 'product' to be a steaming pile of crap created a site that explained all about B.O., how to protect yourself and remove it, and basically knocking this company and it's product. Their lawyer was tougher than his lawyer, and the comments got yanked. And they continued to sell this garbage. *sigh*
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    394
    bollocks is good. or, if you are reeeally cool, bollox.

    "feck" is definately in my top ten. along with shite. (note the appended e).

    .

    i think this spyware crap is after getting way out of control and the people behind them should be dealt with like the writers of modern worms.

    worms, trojans, spyware, etc. they are all different, technically speaking. but they all have atleast this in common. they are all programs executing on your machine by someone else. that's stealing! cpu cycles.
    Hmm...theres something a little peculiar here. Oh i see what it is! the sentence is talking about itself! do you see that? what do you mean? sentences can\'t talk! No, but they REFER to things, and this one refers directly-unambigeously-unmistakably-to the very sentence which it is!

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    shiite is a fave of mine as well. Back in my Diablo II:LoD days, I had a paladin named Holy Shiite that always got me some laughs. If used right, people can't tell if you're talking about a member of a Muslim sect or if your a Texan cursing.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Heh. Texans would've recognized it - we don't say Holy Shiite... we say Holy Sheeeeit!
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    As a follow-up, it did appear that my Mozilla/Firefox was also infected with a hijacker that didn't seem evident. What was particularly weird was the fact that IE wasn't infected (go figure!). And, it specifically infected Google caches. So if I did a search on my name and then attempted to view the cache I got this:

    Your search - cache:psBCkxPj6YYJ:http://www.msmittens.com/index.php?/...things-to-have!.html MsMittens - did not match any documents.
    Weirdly enough, it seems to be resolved now (I'm attempting to do a deep scan using Ad-Aware and CWShredder along with a quick view of Hijackthis). It seems clean but not sure if I'm missing something... ideas anyone?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Road Apples, Horse Hockey ... those are some of my favorites. 'Course, I ain't from the east coast.

    Thanks for the analysis, MsMittens. I always enjoy these. You're braver than me, letting that stuff get on your system on purpose! I have to spend enough time on other machines without having to clean up my own.

    It's easier just to keep it clean.

  8. #8
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Weirdly enough, it seems to be resolved now (I'm attempting to do a deep scan using Ad-Aware and CWShredder along with a quick view of Hijackthis). It seems clean but not sure if I'm missing something... ideas anyone?
    So with me being still wet-behind-the-ears with Winders admin, would removing the program and doing the above pretty much clean the pipes of your machine - or would you need to review the registry as well? What about the MS-Spyware Beta?

    And for the side discussion:

    My wife and I lifted the term "Frell" from Farscape instead of using the f-bomb. We save the f-bomb for driving. Or just use our German-English combopulation of Scheit!

    'Course didn't Cartman's Mom say something like "Ok honeykins - go make bears!"
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    So with me being still wet-behind-the-ears with Winders admin, would removing the program and doing the above pretty much clean the pipes of your machine - or would you need to review the registry as well? What about the MS-Spyware Beta?
    The program was removed and I did check the registry prior to this. I was racking my brain somewhat as to why it did this. The one registry setting that I'll need to look for later would be the one that designates/identifies the default browser. I suspect that was the one that got compromised by this little tool.

    And I don't trust MS' product. I'm not a big fan of the all-in-one concept and would rather have options available to me other than what they want me to use (I'm a big fan of the CyberInsecurity of a Monopoly paper).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    MsM go here http://www.fightpyco.net/affiliate_overview.php? and try to sign up.

    Not Found

    The requested URL /affiliate_signup.php" was not found on this server.
    Apache/2.0.52 (Unix) DAV/2 PHP/4.3.10 Server at www.fightpyco.net Port 80
    Me thinks this is a scam.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •