Hijacked! New Browser Exploits Plague Web
various sites | 07-09-04 | The Heavy Equipment Guy

Posted on 07/09/2004 5:27:22 AM PDT by backhoe

There is a new plague of viruses, trojans, and exploits hammering web users... and no one easy solution.

Be advised, I will add the most useful information I have found so far in the first reply, which I am doing for the sake of simple formatting ease.

First off, here's the most current info and links- follow and read all of it:

Web Sites Still Infected

There are new, nastier browser hijackers flooding the web- the best help is here, but be warned, you have to do most of it yourself and learn to use some new tools. The old anti-virus software does not work on this new series of bugs:
http://forums.spywareinfo.com/index.php?s=d3c1a671159df31c9420ae4d671f1cd2&showforum=18

Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)

Freepers how do I get rid of this spyware crap that is on my computer?

Worm and Virus Wars- the August Edition

In my comments that follow is the first block of information, in the reply is the second, more detailed:


TOPICS: Extended News; Miscellaneous
KEYWORDS: getamac; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; patch; securityflaw; trojan; virus; windows; worm
You will find the "find&fix" mentioned in the following at the SWI forum ( http://forums.spywareinfo.com/index.php?s=d3c1a671159df31c9420ae4d671f1cd2&showforum=18 )

File identified! This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

1.) Get ready to restart your computer. Open the FINDnFIX\Keys1\ subfolder and double-click on the "FIX.bat" file. You will get a prompt preparing for auto-restart in 15 seconds. Let it restart!

2.) On restart, go to Start/Search and find: D3DJFPN.DLL (should be in the System32 folder). When found, select the "D3DJFPN.DLL" file and use the folder's top menu: Edit > ... Move to Folder... (from the search results). Scroll and select the following path as the destination: C:\ -> FINDnFIX (click once to expand) -> the junkxxx subfolder as the final destination, and move "D3DJFPN.DLL" into that subfolder (C:\FINDnFIX\junkxxx). (You might get a prompt about a 'read-only' file; simply 'OK' it!)

3.) When done, open the C:\FINDnFIX main folder and run the "RESTORE.bat" file. It will run and generate a new log (log1.txt). Post it here.

*Note: Do not change, move around or tamper with any of the file(s), folder(s) and paths included in the 'FINDnFIX' folder.

Last step(s):

Open the FINDnFIX\Files2 subfolder and run the "ZIPZAP.bat" file. It will quickly clean the rest, create a zipped copy of the bad file(s) in the same folder (named junkxxx.zip) and open your email client with instructions: simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit it to the specified addresses! Thanks!

(Please include in your mail the link to the board that assisted you, so any errors in the process can be traced back!)

When done, restart your computer and delete the entire 'FINDnFIX' folder and subfolder(s) from C:\

As for the remains, run any and all removal tools once again, as they should work properly now! In particular, CWShredder.exe and a fully updated Ad-Aware!

==============================================================

1 posted on 07/09/2004 5:27:22 AM PDT by backhoe
[ Post Reply | Private Reply | View Replies]

To: All

Further info:

A user reply (source: http://forums.net-integration.net/index.php?s=592e606fbc24738bf10ca59d0ae2cf05&showtopic=16917&st=15 )

Clint1, posted Jul 9 2004, 03:04 AM:

V_sPeC:

(Some words have to be misspelled so they'd get posted to that list).


This is a bit long, but worth it. ;-) I sent the email below to Panda, PCcillin, and a few other AV software places that had email addresses. It's rather horrifying to see that EVERY AV software program and anti-spyware program is missing a LOT of viruses/worms/trojans. I thought the list would like to know which is working better than others, and how you canNOT rely on ONE program but MUST run online scans of your HD on a regular basis at all of these online scanners (links at bottom) whose AV programs you don't already use.

Some of you will remember my recent run-in with one or more website attacks that placed 7 executables on my PC. I ONLY FOUND them AFTER doing a HD search for files created on that day!! I recognized ALL of the files found in the results, except for 7. Not a single anti-malware or anti-spyware program found them! Not SpyBot, AdAware, SpywareGuard, SpywareBlaster, SpySweeper, BPS, HijackThis, CWShredder, etc., etc., NONE of them. I also mentioned that even with these programs running in the background (the ones that CAN run in the background, which is several of them), they did not stop the installation of these files on my HD. Also, PCcillin, Norton (Symantec), and to this day some of the newer scanners I found DID NOT and ARE NOT seeing these malware files. To add, remember my "notpad" and "notepad" issue? As I expected, it TOO was a trojan downloader virus and was identified by only TWO places.


(Originally sent to Panda, then Trend Micro after that).

Hello, your online scanner missed some infected files I had saved that ARE infected. I think you may be interested in adding them to your database and virus definitions.

To make a long story short, in a recent severe hijack "attempt", I got 7 executables downloaded to my HD. I had all of these running in the background: SpywareGuard, SpywareBlaster, SpySweeper, the new version of SpyBot 1.3 (that has the "TeaTimer" additional security module running in the background), Sygate firewall, a hardware firewall from my router, XP's firewall, and PCcillin. ALL of these passed not only the executables, but there were also some malware registry keys added. I WAS warned by ALL of these programs that a hijack or "attack" was being attempted, and of malware attempting to be downloaded, and I of course said NO to them all and denied firewall requests. Yet, this still happened!

I cleaned the registry tags, and I thought it would be a good idea to search my HD for all files created or modified during this attack. It's a good thing I did that. I found 7 of unknown origin that I KNEW were suspect. They were:

"m.exe" (was "Virus:Trj/Zerolin.A" identified by Panda; Panda deleted it, so I couldn't go back to Kaspersky's site to get it scanned by them).

"setup.exe" (was "TrojanDownloader.Win32.Small.gl" identified by Kaspersky, "Virus:Trj/Downloader.EC" identified by Panda, and "TROJ_SMALL.GL" identified by PCcillin).

"dlltemp.exe" (was Trojan.Win32.Startpage.hk identified by Kaspersky).

"dllhelp.exe" (was Trojan.Win32.Startpage.hk identified by Kaspersky).

"IEengine.exe" (was Trojan.Win32.StartPage.he identified by Kaspersky).

"dpe.dll" (NOTHING identified this).

"msxmidi.exe" (NOTHING identified this).

"e.exe" (NOTHING identified this).

A search for all of these executable names on Google found that EVERY ONE of them was indeed a trojan of some kind, or malware, worm, etc. What I can't understand is how so many 'laymen' PC users KNEW of these files, yet so many antivirus software products at the time did NOT, and are STILL not aware of them! I ran the TWO online virus scanners at Symantec's website and the one at Trend Micro, and they found nothing; they missed ALL of these files. PCcillin said their pattern file 895 is supposed to cover TROJ_SMALL.GL, and that was the pattern file I was running at the time, and it did NOT! It showed clean on all of these files. As soon as they had pattern file 896 I installed it, and only it identified "setup.exe" as TROJ_SMALL.GL, but still did not identify the rest. They said that pattern file 897 (just installed) covers Zerolin.A, but it does NOT; they are still passing m.exe, which is the Zerolin.A! Since then they have released pattern 899, and it too is still not recognizing any of these other trojans. Since then, 901 STILL does not identify any of these others.

I went to every AV site I could find (Panda, Norton, Trend, McAfee, F-Secure, Kaspersky, NOD, etc.), and very FEW of them had any info in their databases on these malware files*! At most, each site would only have info on ONE of these malware files. Even at your site and Kaspersky, which ARE identifying some of the files, there is no info on them!
*Doing a search on Google for Zerolin.A DOES have a hit for Symantec, but it is NOT found at their website's search!
http://www.symantec.com/region/se/corporat...stan200402.html
This makes no sense, that they would have this in their database of KNOWN "baddies", yet cannot detect it!

At the time this attack occurred, I did not know you [Panda] or Kaspersky had an online scanner. I went there today and you can see the results above. So, I think you may want to add those tagged by Kaspersky (#2, 3 and 4) to your database, and as for the last 3 no one identified, can I send those to you as well so you can investigate them and find out exactly what they are? I'm sure you'd also want to put their definitions in your database as well. I can zip and email you these files, or zip and upload them to my website. Since they are malware, I cannot upload them to my server in their present condition; they must be zipped, and I also cannot send .exe files for obvious reasons; they also have to be zipped to be emailed.

Here's an update. I found some more online scanners, and just as I expected, dllhelp.exe and dlltemp.exe WERE identified as Win32.Startpage.DT by Computer Associates' AV scanner. "BitDefender" and RAV AntiVirus also found a file I forgot about from a DIFFERENT online attack. This was when I got warnings that Notepad.exe was trying to be accessed. I again denied it, but it still got on my HD. The file "Notepad.exe" was REPLACED by "notpad.exe" (that's without the "e"), and a file called "NOTEPAD.EXE" (all caps) was in its place. It had a different icon (generic blue & white MS-DOS type executable icon), and it was 3k in size where Notepad.exe, the real file, is 64.5k in size. I of course suspected this and knew it was a bad file. I put it in another folder until I could find something that identified it. BitDefender's & RAV's online scanners were the ONLY AV software that correctly saw this file, and identified it as "Trojan.Downloader.Small.JC". Additionally, RAV was the only one that saw some GFI email test emails I had saved to test OE. These are BENIGN, but they mimic exploits and other virus behavior. These were "HTML/IFrame_Exploit". Panda saw only ONE of these files (and deleted it, like I mentioned), but RAV saw all of the other emails. So, these are some additional files you should also add to your virus definitions and online scanner.
----END OF EMAIL TO PANDA & TREND


So, here's a list of several free online scanners I found. Some are only virus/worm/trojan scanners, some are only "exploits" scanners, and some are both. Note that you need to turn off any pop-up blocker at most of these sites, and at some you have to disable your running AV software. I highly recommend (if you haven't, and you SHOULD if you haven't) installing the new version of SpyBot v1.3 that has this new "TeaTimer resident" IE protection. This is something new in this latest version that runs in the System Tray IN ADDITION TO SpyBot's "Immunize" area, which also provides real-time protection (but the Immunize area does not have to be running in the background). The reason I recommend it is because most of these sites will place a registry tag in your registry that's NOT needed. TeaTimer saw this and asked me if I wanted to deny it, and I did, and they still ran correctly. Also, some of these places ask for an email address/info about you, and for all but one of those that ask it is not necessary; you can give a made-up address. The one place that does require a valid one I don't recall, but you'll know it on the next page where it states "link will be emailed to you". Some of these will not run if you block their cookie, so keep that in mind. Some of these sites also scan email, and they found several emails in my inbox with an "HTML Frame exploit" type of malware. (These were NOT the GFI test emails I spoke of above that I placed in a folder, but valid emails in my Inbox).

1. http://info.ahnlab.com/english/
(TWO areas at lower left)
2. http://www.auditmypc.com/
3. http://www.bitdefender.com/scan/Msie/index.php
(May be IE only, and you have to accept a cookie to run it).
4. http://www.commandondemand.com/eval/index.cfm
5. http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
6. http://www.dslreports.com/scan (Many tools there)
7. http://www.freedom.net/viruscenter/onlineviruscheck.html
8. http://www.emailsecuritytest.com/
(Best place for checking Outlook and OE security).
9. http://grc.com/default.htm
(One of the best places on the net for checking and fixing
vulnerabilities).
10. http://www.kaspersky.com/scanforvirus
(Appears to be able to only scan one file at a time, so
it's good for checking individual suspicious files).
11. http://www.pandasoftware.com/activescan/co...n_principal.htm
12. http://www.pcflank.com/
(Another great place like GRC, yet it didn't find any of
my bad files).
13. http://www.pcpitstop.com/antivirus/default.asp
(Many other tools there @left margin).
14. http://www.pestscan.com/Scan.asp
15. http://browsercheck.qualys.com/
(A great place for checking AND fixing browser vulnerabilities).
16. http://www.ravantivirus.com/scan/indexn.php (Individual file scan)
17. http://www.ravantivirus.com/scan/indexie.php (Full scan)
18. http://www.dials.ru/english/www_av/ (Individual files)
19. http://stealthtests.lockdowncorp.com/ (Mainly just an FYI site;
they do have valid good scans, but they try to "scare" you into
buying their product, so keep that in mind).
20. http://scan.sygate.com/
21. http://security.symantec.com/ssc/home.asp
22. http://security.norton.com/sscv6/default.asp
23. http://housecall.trendmicro.com/
24. http://www.Tr0janscan.com/ (Still down)

Again, EACH of these scanning sites that scan for malware has its good and bad points. One may only find ONE bad file, yet it will be a file that none of the other sites will see! You may be surprised what they will turn up. Be careful with what you let them delete. Since I was aware of all the files these places found (except for two emails in my inbox), I did not let them do anything to these files, since I saved them for testing purposes. If you are not sure about what to delete if they find anything, then you should post it. Like I mentioned before, anti-spyware programs, for example, can and will tag VALID, NEEDED things *as* spyware, and can mess up a computer.
-Clint

END


(Since this email, Trend Micro replied and asked me for the files and they are going to add them to the virus definitions. As of pattern file 931, they still have not! This below is another related post I posted BEFORE the email above to the same list):


I think many will find this interesting, and helpful if this ever happens to you. This is what happened to me during a visit to a website. It's a bit long, but necessary for all the details.

I had ALL of the following RUNNING IN THE BACKGROUND: SpywareGuard, SpywareBlaster, SpySweeper, SpyBot (the newest version of SpyBot v1.3 that has a new feature that can run in the system tray for added protection), my hardware firewall, and of course my software firewall and AV software. All of a sudden I got this onslaught of "attacks" where SpywareGuard, Sygate (firewall), SpySweeper, PCcillin (Trend Micro AV), SpywareBlaster, and that new version of SpyBot ALL gave alerts that my search settings were being changed and my home page being changed, and about a worm by PCcillin. The Sygate warning was about some file trying to be accessed, but there were so many dozens of alert windows popping up I didn't have time to read it! There must have been 50 or 60 alerts in a matter of 2-3 minutes and I could not exit out of them! I of course kept denying all of them, and telling the anti-spyware programs to deny the changes, and with every denial came another popup warning. No harm was done except for rendering my address bars unusable*.

When I closed all browser windows and ran the anti-spyware programs, SpyBot only found 2 or 3 things and they were registry keys regarding browser hijackers. AdAware found THIRTEEN pieces of malware. Most were the criminal parasite @!#$! at "Cool WWW Search" and some crap from e-finder, but some were porn links that were ADDED TO MY FAVORITES FOLDER WITHOUT my knowledge!! SpySweeper found nothing (but it did find something several hours earlier that both AdAware and SpyBot missed, fairly harmless). Then I let the programs (all were running at the same time) remove the malware, but not before I copied all the registry keys and made a backup of the entire registry, plus I always opt for the programs, where applicable, to save backups of what was removed/changed.

*I thought all was well, but when I typed a URL in my address bar under the Quick Launch toolbar (I wanted to find out about e-finder.cc), I got these errors I've never before seen!

[Screenshots of the three error dialogs: tests/1.gif, tests/2.gif, tests/3.gif]

Every time I typed or pasted an address in the address bar and hit [enter] this is what was happening! Obviously from this I surmised that some associations somewhere regarding outside search functions were screwed up. I realized that the address bar WOULD work IF and only if the http:// was added first! It was then I realized it was a URL prefix issue that had gotten corrupted. I searched the registry for anything regarding prefixes and found a couple of keys. I then remembered two tags that SpyBot "fixed", or so I thought. I went to check them again and what SpyBot did was REMOVE them completely, instead of fixing them:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
(something missing here)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"= (something missing here)

Below the first key above (in the right pane of the registry, I should say) should be http://, and that "www" area in the second key should have http:// after that equal sign, which would show in the right pane. I wanted to see if some piece of software would fix this all on its own, and in some searches regarding these 7 mysterious files that showed up**, I found "HijackThis", another anti-spyware program. It saw those keys and it did indeed FIX them without me having to re-enter the correct data again. So, that's another great program to use; it's free to download and I suggest you guys try it! It really works.
http://www.spychecker.com/program/hijackthis.html

What SpyBot tagged on those keys was "!www" and "http!"
or something like that. Instead of removing the ! marks (if
that's what it was tagging), or maybe it just added the ! marks
for emphasis and in that case instead of removing the bogus
parts, it removed the whole area at the right pane in the
registry. So, it's a good idea to always make notes and
backups of EXACTLY what malware SpyBot or any other
anti-spyware program is changing or removing.

**Now, regarding these new files mysteriously added to my HD... remember that these SEVEN FILES were added to my HD EVEN WITH ALL of these anti-spyware programs running, and TWO firewalls!!! When I realized I had the address bar problem, I thought I'd better check for any newly added files on my HD, so I opened the Windows folder and System32 folder and arranged icons by date, so the newest files would be in one spot at the end of the folder. In the Windows folder, I found these files: dllhelp.exe, dlltemp.exe, e.exe, m.exe, dpe.dll, and msxmidi.exe (of which some sites are saying it's a virus). All except the dll file had the default blue and white icons for "applications" or executables. Right-clicking each of them and checking properties gave no information as to what they were, nor what app used or opened them. But they ALL were "created on:" the same day within an hour of each other, some created at the EXACT same minute and second during these attacks I mentioned. So during some searches on each of these files, I found out all of them are indeed spyware of some kind (except for e.exe, couldn't find anything on it), and I also found that something called "IEengine.exe" may be in my IE folder, and it WAS, and it was also created at the same time as these other 6 files. NONE of these files did ANY of the anti-spyware programs find! If I had not investigated the matter further by checking for any new files added to my HD, these 7 files would still be on my PC. I had no references anywhere to "mypoiskovik", not even in the registry. Even though some of these files are associated with that bug, it does not appear to be the actual Mypoiskovik bug.

As for the file called msxmidi.exe, I don't understand why people are saying "my Norton AV identified it as a virus". I ran the virus scan at Norton's website, and it didn't see it, and that's what people were using to identify it as a virus! (What is strange is Norton DID find 3 "viruses" on my PC, but I put them there. They were "exploits" and not viruses. What's great about this is they were only TEXT FILES and NAV still identified them! That's pretty good. What these files are is that I have some code in Notepad files that I execute on every new Windows install to make sure they can't run. They are harmless, but they COULD be very bad if designed to run bad code. What I made will only execute the Windows calculator when you click the .html file. You put the code in a Notepad file, then rename the extension to .htm or .html, and click the file and see if the calculator is launched. It's a similar thing here on one of the following pages: http://browsercheck.qualys.com/ I think XP by default is protected against that).

Ok, so I then went to XP's native search and searched for all files created on this day, and was sure to go to "Folder Options" first and check/uncheck boxes to show hidden files and show "protected operating system files" as well. I went through the entire results list and didn't find any more files created on this day of which I did not know the origin. So, apparently it was "only" these 7 files that were added.

It's OBVIOUS that having every anti-malware program you can
find and even having them running in the background is NOT
enough to protect you, and additionally, running the programs
to find malware is STILL not enough to protect you! They can,
and DO make changes that (like SpyBot did) can mess up your PC
if you don't make notes of the changes, and in the case of all
of them miss these 7 executable files.

I could have run XP's restore function, or run the undo/restore feature of SpyBot, or run my backup from XP's "Files and Settings Transfer Wizard" ("settings only"), any of which would probably have fixed the URL prefix issue, and I would have done that if I had not been able to find out the cause. But I wanted to find out the cause, and none of these would have identified nor removed the 7 executables.

From this I think it's safe to say that when you get infected with any kind of malware, it's a good idea to try what I did. Search for any files that were recently created and see if you are familiar with them (if they are not obvious, like your AV software updates or the like); you have to use the "advanced" search options of Windows to do this. Then put the file name(s) you may find into any search engine to find out about them. And always be sure you don't totally delete anything that the anti-malware programs find; only quarantine them and make notes of exactly what they are doing. Also, if anyone ever has this address bar issue that I had, check those registry keys.
======END


A side note..... when I mention things like "all of these are running in the background", I only execute all of the programs when I go to a crack/hack type website for added protection. And, AGAIN, I've had bad crap dumped on my PC when going to legit BUSINESS websites! This is usually from their #@$% ad banners by hitbox, doubleclick, humanclick, etc. I guess it's best to have all of these running all the time, but I don't like to have a lot of things running in the BG; it sucks too much RAM and resources. However, apparently these days you must have all of them running always for maximum protection. I still only have TeaTimer running in the BG, but I may change that approach soon to include all that can be running.

It's also worth repeating again, that not one of these anti-malware programs will find everything! One may find nothing, another may find 1 or 2, and still another may find a dozen or more malware files! This is during the exact same time, say day, running one right after the other. I don't close out the programs, I keep them open so they won't delete anything, and so I can then check the other programs to see if they find the same things. THEY NEVER DO. Then I'll let each program (at my discretion) delete/fix the bad files or tags.


2 posted on 07/09/2004 5:28:53 AM PDT by backhoe ("It's so easy to spend someone else's money." [ My Dad, circa 1958])
[ Post Reply | Private Reply | To 1 | View Replies]
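
Two of the manual checks in the post above (listing the files that appeared in the Windows and System32 folders during the attack, and comparing the URL prefix registry values against what they should be) can be scripted. The block below is an added example written for this page; it is not code from the thread, from Clint, or from any tool named in it. It assumes Windows PowerShell 5 or later, an elevated prompt for the repair step, and that the time window (`-Since`) and the list of file names you already recognise (`-KnownGood`) are placeholders you fill in for your own case. The expected registry values are the Windows defaults the post says HijackThis restored.

```powershell
# Added example for this thread (not from the original posts or any tool named in them).
# Two of the manual checks described above, scripted:
#   Get-RecentSystemFiles - files in %WINDIR% and System32 created/modified in a window,
#                           with size, Authenticode status and SHA-256 for scanner submission
#   Test-UrlPrefixes      - compare the URL prefix registry values against Windows defaults
#   Repair-UrlPrefixes    - restore any that are missing or wrong (run from an elevated prompt)
# Assumptions: Windows PowerShell 5+; -Since and -KnownGood are placeholders for your case.

function Get-RecentSystemFiles {
    param(
        [datetime] $Since     = (Get-Date).AddHours(-24),
        [string[]] $Paths     = @($env:WINDIR, "$env:WINDIR\System32"),
        [string[]] $KnownGood = @()     # base names you put there yourself (AV updates etc.)
    )
    foreach ($dir in $Paths) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Size      = $_.Length
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    Signature = $sig.Status          # 'Valid' for Microsoft-signed binaries
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # Unsigned, and not something you placed there yourself: worth a second look
                    Review    = (-not ($KnownGood -contains $_.Name)) -and ($sig.Status -ne 'Valid')
                }
            }
    }
}

# The values the post says HijackThis put back; these are the Windows defaults.
$script:UrlKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL'
$script:Expected = @(
    @{ Key = "$UrlKey\DefaultPrefix"; Name = '(default)'; Value = 'http://'   }
    @{ Key = "$UrlKey\Prefixes";      Name = 'ftp';       Value = 'ftp://'    }
    @{ Key = "$UrlKey\Prefixes";      Name = 'gopher';    Value = 'gopher://' }
    @{ Key = "$UrlKey\Prefixes";      Name = 'home';      Value = 'http://'   }
    @{ Key = "$UrlKey\Prefixes";      Name = 'mosaic';    Value = 'http://'   }
    @{ Key = "$UrlKey\Prefixes";      Name = 'www';       Value = 'http://'   }
)

function Test-UrlPrefixes {
    foreach ($e in $script:Expected) {
        $actual = $null
        if (Test-Path -LiteralPath $e.Key) {
            # The registry provider exposes the default value as a property named "(default)"
            $actual = (Get-ItemProperty -LiteralPath $e.Key -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Key      = $e.Key
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Ok       = ($actual -eq $e.Value)
        }
    }
}

function Repair-UrlPrefixes {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($r in (Test-UrlPrefixes | Where-Object { -not $_.Ok })) {
        if ($PSCmdlet.ShouldProcess("$($r.Key)\$($r.Name)", "set to '$($r.Expected)'")) {
            if (-not (Test-Path -LiteralPath $r.Key)) { New-Item -Path $r.Key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $r.Key -Name $r.Name -Value $r.Expected
        }
    }
}

# Usage:
#   Get-RecentSystemFiles -Since (Get-Date '2004-07-08') | Where-Object Review | Format-Table -AutoSize
#   Test-UrlPrefixes | Format-Table -AutoSize
#   Repair-UrlPrefixes -WhatIf      # review, then run without -WhatIf from an elevated prompt
```

The file listing deliberately does not delete anything: it gives you a path, a size (the 3k NOTEPAD.EXE in the post would stand out next to the 64.5k original), a signature status and a hash you can paste into the online scanners listed above or search for, which is the same triage the post describes, minus the manual sorting by date. The repair step goes through `ShouldProcess`, so `-WhatIf` shows what would change before you let it touch the registry.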

To: backhoe

Another great reason to bring back public flogging. Virus writers.


3 posted on 07/09/2004 5:37:25 AM PDT by Vigilantcitizen
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe
My brain hurts.

NFP

4 posted on 07/09/2004 5:37:57 AM PDT by Notforprophet
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe

Is it really that hard for someone to develop a program that would not let ANY program ever get downloaded without a permission alert? Especially when you're surfing the net?


5 posted on 07/09/2004 5:39:59 AM PDT by sirchtruth (Do you just think I fell off a turnip truck?)
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe

bookmarked


6 posted on 07/09/2004 5:40:42 AM PDT by Ruy Dias de Bivar (DEMS STILL LIE like yellow dogs.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Vigilantcitizen
Another great reason to bring back public flogging. Virus writers.

Amen to that. With a Cat O Nine Tails. In the village square. Then chain 'em to the whipping post for a few days in the hot sun and make them write on a blackboard over & over

"I will never vandalize other peoples computers again..."

This garbage is not funny, not cute, not clever- it's childish nastiness that needs to be so severely punished that few will risk it.

7 posted on 07/09/2004 5:41:31 AM PDT by backhoe
[ Post Reply | Private Reply | To 3 | View Replies]

To: sirchtruth

For goodness sake, I've got NAV 2004 with all the updates and things still get thru... it's friggin' amazing!


8 posted on 07/09/2004 5:43:06 AM PDT by sirchtruth (Do you just think I fell off a turnip truck?)
[ Post Reply | Private Reply | To 5 | View Replies]

To: backhoe

For later reading


9 posted on 07/09/2004 5:43:07 AM PDT by steve in DC
[ Post Reply | Private Reply | To 1 | View Replies]

To: Notforprophet
My brain hurts.

Mine, too... I've wasted hours for weeks trying to chase down this nonsense. I am dead serious about public flogging.

10 posted on 07/09/2004 5:45:14 AM PDT by backhoe
[ Post Reply | Private Reply | To 4 | View Replies]

To: backhoe

My computer was assaulted by this vicious beast just a couple weeks ago, and it took an eight-day battle until I finally tracked down the hidden .dll reloader file and deleted the wretched thing using c//: prompt commands in MS-DOS mode...


11 posted on 07/09/2004 5:45:33 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe

Valuable info for all of us to use later.


12 posted on 07/09/2004 5:45:37 AM PDT by MinorityRepublican
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe

I like my Mac.


13 posted on 07/09/2004 5:45:39 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe
I am very wary of these online fixes. Some of the so-called online "click here to remove spyware" sites actually put spyware on your computer. I stick with what I know works and is safe.

First, be sure to get all the latest security updates and patches for your Windows operating system directly from Microsoft. Second, run a good firewall, particularly if you have an always-on broadband connection or wireless system. Have a frequently updated anti-virus program running; I'd stick with one of the two major ones. Third, use a reliable spyware remover weekly. Ad-Aware and Spybot Search and Destroy are both free, don't add any spyware themselves and are available for simple download.

14 posted on 07/09/2004 5:46:03 AM PDT by The Great RJ
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe


But I get the gist of what was being said.
There is no way to stop it. You just have to invest in a good Adware/virus program...in fact maybe two or three and scan every day.
15 posted on 07/09/2004 5:46:41 AM PDT by Dallas59
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

I have an antivirus program written by Sarah Brady. You go into your registry and input the following command line:

//THISISANANTIVIRUSFREEHOUSEHOLD/WEMEANYOUNOHARM/PLEASEDONTHURTUSORCONTAMINATEOURCOMPUTER/THANKYOU


16 posted on 07/09/2004 5:47:00 AM PDT by Larry Lucido
[ Post Reply | Private Reply | To 2 | View Replies]

To: sirchtruth
Is it really that hard for someone to develop a program that would not let ANY program ever get downloaded without a permission alert?

It's been there for years, pal. It's called Safari.

17 posted on 07/09/2004 5:47:30 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: backhoe

I have been wondering about "e.exe" - it keeps showing up on my hard drive.
Time to delete it yet again.


18 posted on 07/09/2004 5:47:33 AM PDT by R. Scott (Humanity i love you because when you're hard up you pawn your Intelligence to buy a drink.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe

bump!


19 posted on 07/09/2004 5:48:53 AM PDT by The Mayor (The true measure of our wealth is the treasure we have in heaven)
[ Post Reply | Private Reply | To 1 | View Replies]

To: sirchtruth
Is it really that hard for someone to develop a program that would not let ANY program ever get downloaded without a permission alert? Especially when you're surfing the net?

The great problem is all the holes in the OS and browser that permit "seamless" transitions in exchanging data- my guess would be that what you suggest could be done, but at the expense of slowing everything to a crawl.

My workaround was to switch to Firefox, but you can't get rid of IE- it's hooked into the OS, dang it.

20 posted on 07/09/2004 5:49:10 AM PDT by backhoe
[ Post Reply | Private Reply | To 5 | View Replies]

To: backhoe; Swordmaker
I sure am glad I have a Mac! I just got another G4 Powerbook, to use on my Airport extreme system at home, and do video on the road... and so I can surf, and post, and not have to worry about this junk...

It sure is a shame to see the PC community in such a whirl... but they can fix it, I'm sure! Just call Bill G!

21 posted on 07/09/2004 5:49:26 AM PDT by pageonetoo (Rights, what Rights'. You're kidding, right? This is Amerika!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: The Great RJ

If you get stricken with the about:blank CWS variant horror, you will be scouring the web for online fixes too. LOL!

The Windows updates/patches and firewalls are useless to stop it. Ad-Aware and SpyBot S&D are useless to remove it. Each one will find some components (though not all - and not the same ones between them) but they will come right back.

The only way to get rid of it is to corner the hidden .dll reloader file, and that's borderline impossible to do when Windows is running.


22 posted on 07/09/2004 5:50:21 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 14 | View Replies]

To: Izzy Dunne
I like my Mac.

I can certainly see why!

23 posted on 07/09/2004 5:50:25 AM PDT by backhoe
[ Post Reply | Private Reply | To 13 | View Replies]

To: sirchtruth

I think the worm and trojan horse being downloaded from the remaining infected web sites are downloaded from that web site's server at the same time you download the web site content that you'd see on your monitor.


24 posted on 07/09/2004 5:52:14 AM PDT by Eagle9
[ Post Reply | Private Reply | To 5 | View Replies]

To: backhoe

good work


25 posted on 07/09/2004 5:52:19 AM PDT by bitt (take a week off from the local rag - and tell them why!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dallas59

The adware and anti-virus programs will not stop the latest CWS or iSearch variants. If you get one, you'll know it because your browser will be hijacked.

General fyi: the Congress is currently debating between two bills designed to criminalize spyware/adware/malware and they should get something passed soon. Not nearly as soon as they should've, though!


26 posted on 07/09/2004 5:52:54 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 15 | View Replies]

To: AntiGuv

I traced my problem ( I hope! ) to a notepad.exe file, actually 3 of 'em, dated 06-26-04.


27 posted on 07/09/2004 5:53:46 AM PDT by backhoe
[ Post Reply | Private Reply | To 11 | View Replies]

To: backhoe

Bump for bookmark


28 posted on 07/09/2004 5:53:59 AM PDT by listenhillary ($0.273972603 a day = $100 a year to FR., Listenhillary, MD.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: bitt; The Mayor

Thanks for looking!


29 posted on 07/09/2004 5:55:09 AM PDT by backhoe (-30-)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Dallas59

>>You just have to invest in a good Adware/virus program...in fact maybe two or three and scan every day.<<

I updated My FR homepage because I get asked these questions every day.

The biggest prevention is Firefox. The next is spyware blaster. The last is an ad remover as some infections come in that way. I use Ad-Muncher and I've tried them all. http://www.admuncher.com

Try it for 30 days for free. I bought two copies, worth every penny.

-Mal


30 posted on 07/09/2004 5:55:25 AM PDT by Malsua
[ Post Reply | Private Reply | To 15 | View Replies]

To: sirchtruth
Is it really that hard for someone to develop a program that would not let ANY program ever get downloaded without a permission alert? Especially when you're surfing the net?

Because of the way that windows is designed, yes.

Windows' base design still assumes that any executable or script code was placed there by the user.

This is due to the original design as a single-user, stand-alone system. This design flaw still permeates the entire Windows architecture.

31 posted on 07/09/2004 6:02:15 AM PDT by DarthFuzball ("Life is full of little surprises." - Pandora)
[ Post Reply | Private Reply | To 5 | View Replies]

To: backhoe

Just switched to Firefox. It is great.


32 posted on 07/09/2004 6:04:01 AM PDT by sd-joe
[ Post Reply | Private Reply | To 20 | View Replies]

To: backhoe
If you have what I think you had, the notepad.exe corruption is not the root of your problem. In fact, I traced that little part of the issue within two hours and simply deleted everything in all my Temp folders to be done with it. It's very annoying now that I have to use Wordpad manually for things that were previously automatic to Notepad (like viewing source code).

Anyhow, if you want to ascertain whether you still have a problem, you should run a Find (Files or Folders) search for *.dll on your C Drive. Once that comes up, put your .dll files in order by the date modified. Look at the recently modified files to see if there are any random meaningless names. (For the record, my last one generated before I finally cleaned things up was Kbddjk.dll) If you find one (and you can just search for the .dll names on Google to see if they're legit - most of them can be found here: www.dll-files.com) then you haven't resolved the problem.

Alternatively, you can download HijackThis and search for suspicious BHOs which are another sign of malware activity. Examining the .dll files is the quickest way to go though.

33 posted on 07/09/2004 6:05:47 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 27 | View Replies]
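
The triage AntiGuv describes (search for *.dll, sort by date modified, eyeball the recent ones for meaningless names, then look the name up) can be scripted as a defender's first-pass filter. The script below is an added example and is not code from the thread or from any of the tools it mentions. It assumes a constructed listing of file names and modification times standing in for a real search result, a small constructed allowlist standing in for "look it up on dll-files.com", and a crude vowel-ratio heuristic for "random meaningless names" that will also trip on legitimate names like comctl32 (which is exactly why the date window and the allowlist are applied first):

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a "*.dll" search result as (file name, last-modified time).
# It stands in for a listing of C:\WINDOWS\system32 and was not taken from any real machine.
SAMPLE_LISTING = [
    ("kernel32.dll", "2003-08-15 10:12"),
    ("user32.dll", "2003-08-15 10:12"),
    ("msvcrt.dll", "2003-08-15 10:12"),
    ("comctl32.dll", "2004-07-01 09:00"),  # recently updated, but a well-known name
    ("d3djfpn.dll", "2004-07-07 02:13"),   # name from the thread's FINDnFIX instructions
    ("kbddjk.dll", "2004-07-08 23:41"),    # name AntiGuv reports finding
]

# Constructed stand-in for checking a name against a reference list of known DLLs.
KNOWN_GOOD = {"kernel32.dll", "user32.dll", "msvcrt.dll", "comctl32.dll"}

VOWELS = set("aeiouy")


def looks_random(name):
    """Crude test for a meaningless name: very few vowels or a long consonant run.
    Legitimate abbreviations (comctl, msvcrt) trip this too, so never use it alone."""
    stem = name.lower().rsplit(".", 1)[0]
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4


def suspicious_dlls(listing, now, window_days=14, known_good=KNOWN_GOOD):
    """Return [(name, mtime, reason)] for DLLs that are recently modified, not on the
    allowlist and random-looking, newest first (the "sort by date modified" step)."""
    cutoff = now - timedelta(days=window_days)
    rows = [(name, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for name, ts in listing]
    rows.sort(key=lambda r: r[1], reverse=True)
    flagged = []
    for name, mtime in rows:
        if mtime < cutoff:
            break  # sorted newest first, so everything after this is older than the window
        if name.lower() in known_good:
            continue  # a freshly patched system file, not a reloader
        if looks_random(name):
            flagged.append((name, mtime, "recent, not in reference list, random-looking name"))
    return flagged


def flagged_names(listing=SAMPLE_LISTING, now_str="2004-07-09 06:00", window_days=14):
    """Convenience wrapper returning just the file names, for quick checks."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M")
    return [name for name, _, _ in suspicious_dlls(listing, now, window_days)]


if __name__ == "__main__":
    # Reference date is the thread's date; a real run would use datetime.now().
    now = datetime(2004, 7, 9, 6, 0)
    for name, mtime, reason in suspicious_dlls(SAMPLE_LISTING, now):
        print(f"{mtime:%Y-%m-%d %H:%M}  {name:<14} {reason}")
```

Against the constructed listing this reports kbddjk.dll and d3djfpn.dll and stays quiet about comctl32.dll, whose recent timestamp alone would otherwise look alarming. A hit from this script is a lead, not a verdict: the name still has to be looked up, as the post says, and a clean result does not prove the machine is clean, since a reloader can use a plausible name.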

To: backhoe
This link is to a Microsoft Critical Security alert. It's in the last line of the article you linked, Web Sites Still Infected.

What You Should Know About Download.Ject

34 posted on 07/09/2004 6:06:07 AM PDT by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe
Great post full of useful info!!!

It might be helpful to explain first what's going on, in general, for those that are completely un-aware?

Trojan/Virus
Spyware/Hijack

are used interchangeably and it may not be clear to the more casual user exactly what is being discussed.

I suspect most don't know about browser hijacking and what browser helper objects are?

Thanks again for the info.
35 posted on 07/09/2004 6:06:33 AM PDT by Smartaleck
[ Post Reply | Private Reply | To 2 | View Replies]

To: AntiGuv; Eagle9

Info's appreciated- thanks!


36 posted on 07/09/2004 6:09:17 AM PDT by backhoe (-30-)
[ Post Reply | Private Reply | To 33 | View Replies]

To: backhoe

spent 6 hours on a customer pc, finally tracked CWS problem to "peper", there is a fix tool thru google...

never-ending problems this week - I don't do banking on a pc, and might stop buying on a pc, too...


37 posted on 07/09/2004 6:10:15 AM PDT by bitt (take a week off from the local rag - and tell them why!)
[ Post Reply | Private Reply | To 29 | View Replies]

To: backhoe

I've been running spybot and BlazeFind.bridge?? keeps coming up, (I'm really a babe in the woods here so bear with me) and when I ask spybot for a definition none comes up. Is it a trojan and can I delete all this stuff?


38 posted on 07/09/2004 6:12:31 AM PDT by Tuscaloosa Goldfinch
[ Post Reply | Private Reply | To 2 | View Replies]

To: AntiGuv
It's very annoying now that I have to use Wordpad manually for things that were previously automatic to Notepad (like viewing source code).

Among all those links and forums, there is a download of a zipped, clean notepad file-- that's what I used to replace my 2 copies in winnt & system32.

39 posted on 07/09/2004 6:13:09 AM PDT by backhoe (-30-)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Tuscaloosa Goldfinch
BlazeFind.bridge??

Bear in mind I am no expert- but that sure doesn't look like any legit file to me!

40 posted on 07/09/2004 6:15:48 AM PDT by backhoe (-30-)
[ Post Reply | Private Reply | To 38 | View Replies]

To: backhoe

Some of the stuff I've deleted with the spybot stuff is back the next time I run spybot. arrgh!


41 posted on 07/09/2004 6:20:12 AM PDT by Tuscaloosa Goldfinch
[ Post Reply | Private Reply | To 40 | View Replies]

To: backhoe

Oooh - that's good to know! I was planning to go looking for one but haven't yet got around to it. Need to do that soon.. Don't suppose you have a link handy? (If not, there's no need to go to any trouble tracking one down for me. I can do that myself if you don't have a link on hand.)


42 posted on 07/09/2004 6:20:44 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 39 | View Replies]

To: Tuscaloosa Goldfinch

Like what? I'm guessing "DSO Exploit" is one of them, and maybe "Possible Browser Hijack" - either one of those may require manually editing the registry.


43 posted on 07/09/2004 6:21:55 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 41 | View Replies]

To: backhoe; .45MAN

Thank you for your tireless efforts in helping us all out with this irritating threat to privacy.

We (.45MAN and I) appreciate the emails and updates that you have been so thoughtful to send.

((((((Backhoe)))))))


44 posted on 07/09/2004 6:23:31 AM PDT by dansangel (*PROUD to be a knuckle-dragging, toothless, inbred, right-wing, Southern, gun-toting Neanderthal *)
[ Post Reply | Private Reply | To 2 | View Replies]

To: backhoe

bump


45 posted on 07/09/2004 6:23:45 AM PDT by Dust in the Wind (I've got peace like a river . . .)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Tuscaloosa Goldfinch
Blazefind is a search redirect hijack. You should get rid of it. See here: Adware.BlazeFind.
46 posted on 07/09/2004 6:24:49 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 38 | View Replies]

To: AntiGuv

if you are using spybot, apparently DSO exploit is showing up on every scan, you are cleaned off, but the glitch will be repaired in the next update...

bridge..etc is a malware.

Ad-aware users should configure their scans:
go here, great resources

http://forums.spywareinfo.com/index.php?showforum=18


47 posted on 07/09/2004 6:26:33 AM PDT by bitt (take a week off from the local rag - and tell them why!)
[ Post Reply | Private Reply | To 43 | View Replies]

To: bitt

The DSO Exploit vulnerability can be corrected in the registry fairly easily, but I don't have time to put up instructions right now. I have to go to work.

If anyone wants I can post instructions this afternoon. I would need to know the exact registry keys that are flagged by SpyBot (and there may be multiple entries).

The slightly less common "Possible Browser Hijack" flag in SpyBot that it can't fix can also be corrected in the registry.


48 posted on 07/09/2004 6:29:58 AM PDT by AntiGuv ()
[ Post Reply | Private Reply | To 47 | View Replies]

To: AntiGuv

Yep, DSO exploit, commission junction, media plex, a whole bunch of "i.e. plugin" stuff (I haven't deleted that, btw, afraid to!)


49 posted on 07/09/2004 6:31:46 AM PDT by Tuscaloosa Goldfinch
[ Post Reply | Private Reply | To 43 | View Replies]

To: AntiGuv

re: blazeware-- many thanks. Will do immediately.


50 posted on 07/09/2004 6:33:36 AM PDT by Tuscaloosa Goldfinch
[ Post Reply | Private Reply | To 46 | View Replies]

