fucking spyware/malware

linuxgeek (Rogue Scholar; joined Feb 1, 2004; 32,718 posts)
and fucking download.com for not checking what is uploaded to their site before making it accessible for download.

Went to download.com to pull down a newer version of DivX. I pulled it down and ran the install and the damn thing is a spyware/malware bomb.

I've gotten most of it cleaned up but I've found one that Spy Sweeper, Ad-Aware, SpyBot, SpySubtract, & CWShredder appear unable to affect--CoolWWWSearch.<variant>. I've had up to 7 variants of it detected, but none of them appear able to kill it.

This puppy is also proof that the spyware schmucks are starting to expand their thinking. This one affects IE, Opera, & Mozilla. It likes randomly starting IE and taking it to an adsite. With both Opera & Mozilla it will pop open a new page when you start them and take you to an adsite.

The common theme of the majority of the ads is a site claiming your computer has been affected by spyware and giving you a button to select to download their anti-spyware software.
 
What's their purpose?? I mean how can they make money off this?
 
Go old school on em and look in your downloaded programs folder and see what's there. Sometimes you just have to take matters into your own hands.
 
have you ever had the suspicion that virus firms like McAfee and Norton started this shyt? i mean they are the only people that gain from it and their business model will only survive if viruses and spyware exist
 
huskie said:
What's their purpose?? I mean how can they make money off this?

I have no intention of checking out their supposed anti-spyware product, but I suspect it is a tool specifically for removing that which currently is my bane. I expect the tool has a dollar amount attached to using it.
 
ShamelessFlirt said:
Go old school on em and look in your downloaded programs folder and see what's there. Sometimes you just have to take matters into your own hands.

from what I can tell, the divx-1.0.8.exe didn't put out any temp files when I ran it, it just started implanting.

I'm considering bringing up a WinXP box, taking a snapshot of the system directory & registry and then infecting it so I can compare to see what changed.
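One way to do the before/after comparison described in this post, as an added example that is not from the thread: hash every file under a directory before and after running an untrusted installer, then diff the two snapshots. The directory layout and the simulated installer side effects below are constructed; registry snapshots are not covered here, only the file system side.

```python
"""Snapshot a directory tree before and after an untrusted install and
report what changed (added example; the sample tree is constructed)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to (size, sha256 hex digest)."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return snap


def diff_snapshots(before, after):
    """Return added, removed and modified paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a fake system directory, then a fake installer
    drops a randomly named DLL and rewrites the hosts file."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        (sysdir / "hosts").write_text("127.0.0.1 localhost\n")
        (sysdir / "ntdll.dll").write_bytes(b"MZ\x90\x00 legit")
        before = snapshot(sysdir)
        # Simulated installer side effects (constructed, not real malware):
        # one new file with a random-looking name, one existing file changed.
        (sysdir / "xq7ab.dll").write_bytes(b"MZ\x90\x00 dropped")
        (sysdir / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 example.test\n")
        after = snapshot(sysdir)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point it at the real system directory on the clean box, save the dict, run the installer, snapshot again and diff; the added and modified lists are your removal worklist.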
 
linuxgeek said:
I have no intention of checking out their supposed anti-spyware product, but I suspect it is a tool specifically for removing that which currently is my bane. I expect the tool has a dollar amount attached to using it.

I just don't get it??

hey.. off topic question. every morning I drive to work heading approx. southeast. I see a star at about 35 deg. what's the name of this star or planet?
 
I sent a nastygram to download.com. So I'm waiting to see what they have to say for themselves.
 
Be careful on the manual registry cleanup or with the uninstall on one of the variants.

It wiped out the ability to connect when I took one of the variants out.

Do you ever use Hijack this! ?
 
huskie said:
I just don't get it??

hey.. off topic question. every morning I drive to work heading approx. southeast. I see a star at about 35 deg. what's the name of this star or planet?

To me, it comes down to one word--extortion.


If it is in the same place, changing location with the season instead of daily, it is likely a star. I would have to do some research to get an idea which star.
 
ruminator said:
Be careful on the manual registry cleanup or with the uninstall on one of the variants.

It wiped out the ability to connect when I took one of the variants out.

Do you ever use Hijack this! ?

yeah. It seemed to kill 2 of the 7 variants.
 
linuxgeek said:
from what I can tell, the divx-1.0.8.exe didn't put out any temp files when I ran it, it just started implanting.

I'm considering bringing up a WinXP box, taking a snapshot of the system directory & registry and then infecting it so I can compare to see what changed.



There's an online sandbox someplace, meantime check this ...

http://www.houghi.org/jargon/sandbox.php
 
linuxgeek said:
yeah. It seemed to kill 2 of the 7 variants.
CW Shredder was the best until the fucker started mutating and then CWS couldn't beat it.

Whatever I had kept reinstalling itself every time I got it under control.

IIRC, it also destroyed the Winsock files and that was another headache.

Is that the bunch that finally got taken to court for the scam?

In a manual Hijack This, it lists all the different files but necessary files are there too. I usually back out due to inexperience with all the files but someone who knows what belongs there could do better.
 
huskie said:
I just don't get it??

hey.. off topic question. every morning I drive to work heading approx. southeast. I see a star at about 35 deg. what's the name of this star or planet?

I believe it's Venus, but I could be wrong.

The Space Station was visible this morning, but I missed it because of cloud cover.

Spyware is driving me nuts, too. It's insidious.
 
sticky_keyboard said:
I believe it's Venus, but I could be wrong.

The Space Station was visible this morning, but I missed it because of cloud cover.

Spyware is driving me nuts, too. It's insidious.

As long as it's not Uranus he should be ok.
 
The coolwebsearch virus and its variants are some of the nastiest things to come down the information highway, from what I've been told. My understanding is that they are being written (several a week) by some highly professional programmers for the purposes of spamming and extortion, in other words for money. Not a bunch of amateurs at work here. They are very good at avoiding detection and keeping themselves alive. Some versions can even disable your antispyware programs and prevent them from running. I have a friend whose business is software security for small businesses, and he said some of the coolwebsearch variants were so robust and insidious that they were virtually unremovable. Then your best step is scorched earth, apparently.

CoolWebSearch info
 
Harbinger said:
The coolwebsearch virus and its variants are some of the nastiest things to come down the information highway, from what I've been told. My understanding is that they are being written (several a week) by some highly professional programmers for the purposes of spamming and extortion, in other words for money. Not a bunch of amateurs at work here. They are very good at avoiding detection and keeping themselves alive. Some versions can even disable your antispyware programs and prevent them from running. I have a friend whose business is software security for small businesses, and he said some of the coolwebsearch variants were so robust and insidious that they were virtually unremovable. Then your best step is scorched earth, apparently.

CoolWebSearch info

Yup, yup, yup.

They have also gained the ability to disable the system when removed.
 
ShamelessFlirt said:

Here's the scary part.... :(

Variant 39: CWS.Realyellowpage
Approx date first sighted: March 16, 2004
Symptoms: IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible
Cleverness: 10/10
Manual removal difficulty: Extremely Difficult
This variant is a nightmare. If you come across an infected machine that keeps changing back to the aforementioned sites over and over again for no visible reason, you've probably seen this one. It's like whoever is responsible for this hired some blackhat coder and told him to make the most complex, invisible and devious hijacker he could think of. And he did. The file is randomly named, and normally hooks into the IE process, loading itself as a module into it. And then it hides the host process from the process list. Yes, you read that right, the process hosting the dll disappears from the task list and most process viewers/managers we tried.

Right now, CWShredder does not remove this variant. As soon as we figure out how to do it, we will update CWShredder for it.
 
yeah, pulled down the latest greatest of all the antispyware.

Scorched earth was going to be my next move. Just pisses me off cause I just brought the machine on line in the last week after blowing off moving to it for over a month. Fortunately, I keep my data on a separate physical drive from the operating system just for when scorched earth procedures become the operation needed.

Sadly, I used to consider download.com a safe site to pull things from. So much for that theory.
 
Harbinger said:
Here's the scary part.... :(

Variant 39: CWS.Realyellowpage
Approx date first sighted: March 16, 2004
Symptoms: IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible
Cleverness: 10/10
Manual removal difficulty: Extremely Difficult
This variant is a nightmare. If you come across an infected machine that keeps changing back to the aforementioned sites over and over again for no visible reason, you've probably seen this one. It's like whoever is responsible for this hired some blackhat coder and told him to make the most complex, invisible and devious hijacker he could think of. And he did. The file is randomly named, and normally hooks into the IE process, loading itself as a module into it. And then it hides the host process from the process list. Yes, you read that right, the process hosting the dll disappears from the task list and most process viewers/managers we tried.

Right now, CWShredder does not remove this variant. As soon as we figure out how to do it, we will update CWShredder for it.

I've gone into the downloaded programs folder and removed programs to kill things like this. I boot with a 3rd party program like ERD (or safemode if one isn't available) so nothing is in memory. Somehow I doubt I've been fortunate enough to kill the above variant but I have been lucky enough to not find one I couldn't kill.
 
The CWS variants which have been detected on the last run:

oslog
bootconf
msconfd
tapicfg
xmlmimefilter

I apparently tossed my notes for the other ones which have managed to be removed.
 