Temporary fix for IE vulnerability
eEye has released a third-party patch for the actively exploited IE vulnerability.
Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation [my emphasis].
Read more and download here
A small comment: don't bother using this patch; disabling Active Scripting support in IE is a valid mitigation.
March 29, 2006 on 9:33 am | In Critical patch, Exploits & Vulnerabilities | No Comments
SpywareQuake Automatic removal
Good news for us!
Now you can remove Spyware Quake from your system using CounterSpy.
If you have problems with SpywareQuake you can use the manual removal instructions (How to remove SpywareQuake) or try the free trial version of CounterSpy.
March 28, 2006 on 8:13 am | In Malware removal, Tips | No Comments
How to disable Active Scripting support
A few days ago an IE vulnerability was found. No patch is available today; the only mitigation is to disable Active Scripting support.
Read how to…
Open Internet Explorer, open the “Tools” menu and click “Internet options”. Go to the “Security” tab, choose “Internet” and click the “Custom Level” button.

After that, you would see:

Scroll down and change Active Scripting to Disable and click “OK” button:

If you have trusted sites, add them to the Trusted sites zone.
To add a trusted site, choose “Trusted sites” and then click the “Sites” button.

Type trusted domain name and click “Add” button.

Click “Close” button and close “Internet options”.
Now your PC is protected against new exploits for this vulnerability.
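The same change can be audited and applied through the registry instead of the dialog, which is how you would check many machines. The script below is an added example, not code from the post: it parses a `reg export` of the Internet Settings key, reports the Active Scripting setting per zone and the trusted domains, and emits the .reg text that disables Active Scripting in the Internet zone and adds trusted domains. It assumes IE's documented zone layout (zone 2 = Trusted sites, zone 3 = Internet, value "1400" = Active scripting with 0 = enable, 1 = prompt, 3 = disable, and ZoneMap\Domains\<domain> with "*"=2 trusting a domain for every scheme); the registry export it scans is constructed, not taken from a real machine.

```python
"""Audit IE's Active Scripting setting per zone from a registry export, and emit the hardened .reg.

Added example, not code from the original post. Assumptions: IE's documented
zone registry layout (zone 2 = Trusted sites, zone 3 = Internet; value "1400"
= Active scripting; 0 = enable, 1 = prompt, 3 = disable; ZoneMap\Domains\<domain>
with "*"=2 trusts a domain for every scheme). WEAK_EXPORT is constructed.
"""
import re

INET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES_KEY = INET_SETTINGS + r"\Zones"
DOMAINS_KEY = INET_SETTINGS + r"\ZoneMap\Domains"
ACTIVE_SCRIPTING = "1400"
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
SETTING_NAMES = {0: "enable", 1: "prompt", 3: "disable"}
TRUSTED_ZONE, INTERNET_ZONE = 2, 3
DISABLE = 3

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text):
    """Parse 'reg export' style text into {key_path: {value_name: int | str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            data = m["data"]
            if data.startswith("dword:"):
                keys[current][m["name"]] = int(data[6:], 16)
            else:
                keys[current][m["name"]] = data.strip('"')
    return keys


def audit_active_scripting(reg_text):
    """Return (setting per zone, trusted domains, findings) for an export of Internet Settings."""
    keys = parse_reg(reg_text)
    settings = {}
    for zone in ZONE_NAMES:
        values = keys.get(f"{ZONES_KEY}\\{zone}", {})
        if ACTIVE_SCRIPTING in values:
            settings[zone] = values[ACTIVE_SCRIPTING]
    prefix = DOMAINS_KEY + "\\"
    trusted = sorted(key[len(prefix):] for key, values in keys.items()
                     if key.startswith(prefix) and TRUSTED_ZONE in values.values())
    findings = []
    # IE's default for the Internet zone is 'enable', so a missing value counts as 0.
    if settings.get(INTERNET_ZONE, 0) != DISABLE:
        findings.append("Internet zone: Active Scripting is not disabled; exploit pages can run script")
    return settings, trusted, findings


def hardening_reg(trusted_domains):
    """Build .reg text that disables Active Scripting in the Internet zone and trusts the given domains."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[{ZONES_KEY}\\{INTERNET_ZONE}]", f'"{ACTIVE_SCRIPTING}"=dword:{DISABLE:08x}', ""]
    for domain in trusted_domains:
        lines += [f"[{DOMAINS_KEY}\\{domain}]", f'"*"=dword:{TRUSTED_ZONE:08x}', ""]
    return "\n".join(lines)


# Constructed export of a default-looking machine: script enabled in the Internet zone.
WEAK_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONES_KEY}\\3]
"DisplayName"="Internet"
"1400"=dword:00000000

[{ZONES_KEY}\\2]
"DisplayName"="Trusted sites"
"1400"=dword:00000000
"""


def report(reg_text):
    settings, trusted, findings = audit_active_scripting(reg_text)
    for zone, value in sorted(settings.items()):
        print(f"{ZONE_NAMES[zone]:16} Active Scripting = {SETTING_NAMES.get(value, value)}")
    print("trusted domains:", ", ".join(trusted) or "(none)")
    for f in findings:
        print("FINDING:", f)


if __name__ == "__main__":
    report(WEAK_EXPORT)
    print("--- after applying hardening_reg(['example.com']) ---")
    report(hardening_reg(["example.com"]))
```

Feed `audit_active_scripting` the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg` and import the text from `hardening_reg` with regedit to apply the change; the settings are per user, so repeat for each profile.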
BHO malware used IE vulnerability for install
BHO malware is using the IE vulnerability to install itself. SANS reported:
There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.
This malware installs a DLL that is used as a Browser Helper Object (BHO) and also copies itself to the directory you see below as nm32.exe and runs as a process. The malware creates the following on install:
C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636
It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and what you do.
Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!
Don't forget: the only way to block this vulnerability is to disable Active Scripting support.
March 26, 2006 on 10:57 am | In Exploits & Vulnerabilities | No Comments
How to remove SpywareQuake
SpywareQuake is a rogue anti-spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. The program is generally installed by a Trojan that automatically downloads and installs the program. More info here.
If you are infected with this program you will receive warnings in your task bar stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the commercial version of SpywareQuake. These warnings are fake and are a goad to have you buy the commercial version of this software.
SpywareQuake fake alert:
“Your computer is infected! Critical System Error! System detected virus activities. They may cause critical system failure. Please, use antimalware software to clean and protect your system from parasite programs. Click here to get all available sofware.”
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: SpywareQuake
Download smitRem and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
NOTE:
Currently smitRem alone will not remove this infection. We are including it in this fix because SpywareQuake has been seen to install with other portions of the Smitfraud infection.
Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Next, Download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait for the update to finish (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.
If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.
Again, do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O2 – BHO … C:\Windows\SYSTEM32\hp*.tmp (the name changes)
O4 – HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Using Windows Explorer, locate and delete the following file:
C:\Windows\System32\stickrep.dll
C:\Windows\System32\mssearchnet.exe
C:\Program Files\SpywareQuake\
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.
Next, run Ad-aware and perform a full scan. Remove everything found.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.
Reboot your computer back to normal mode.
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck “Security Info” if present.
Download and run CCleaner.
CCleaner (Crap Cleaner) is a freeware system optimization and privacy tool that removes unused and temporary files from your system, allowing Windows to run faster and more efficiently and giving you more hard disk space.
Reboot your computer.
Perform an online scan with Panda Active Scan. Do a full system scan. Make sure the autoclean box is checked!
Your computer should now be free of the SpywareQuake infection.
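To confirm the clean-up, or to triage a log someone posts, the indicators from this post and from the BHO-malware post above can be checked mechanically. The script below is an added example, not code from the posts and not a HijackThis feature: it flags HijackThis O2 (BHO) and O4 (autostart) lines whose paths match the hp*.tmp BHO, the SpywareQuake Run entry and directory, stickrep.dll, mssearchnet.exe, or anything under C:\WINNT\fyt\, and separately flags any BHO registered from a .tmp file. The Windows directory is taken verbatim from the posts, so adapt it to %SystemRoot% on a real machine; the log lines and CLSIDs it scans are constructed.

```python
"""Flag HijackThis-style entries and paths that match the indicators in the posts above.

Added example: not code from the original posts and not a HijackThis feature.
Indicators are quoted from the posts; the Windows directory is verbatim from
them (adapt to %SystemRoot%). SAMPLE_LOG and its CLSIDs are constructed.
"""
import fnmatch
import re

PATH_INDICATORS = {
    r"C:\Windows\SYSTEM32\hp*.tmp": "SpywareQuake BHO (random hp*.tmp name)",
    r"C:\Windows\System32\stickrep.dll": "SpywareQuake component",
    r"C:\Windows\System32\mssearchnet.exe": "SpywareQuake component",
    r"C:\Program Files\SpywareQuake\*": "SpywareQuake program directory",
    r"C:\WINNT\fyt\*": "BHO malware dropped by the IE exploit (mn32.dll, nm32.exe)",
}

# Regexes written against HijackThis' output layout for O2 (BHO) and O4 (autostart) lines.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")


def match_indicator(path):
    """Return the description of the first indicator matching path (case-insensitive), else None."""
    norm = path.strip().strip('"').lower()
    for pattern, why in PATH_INDICATORS.items():
        if fnmatch.fnmatchcase(norm, pattern.lower()):
            return why
    return None


def command_path(cmd):
    """Strip switches such as '/h' from an O4 command line to get the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" /")[0]


def scan_hijackthis(log_text):
    """Return [(line, reason)] for O2/O4 entries that match an indicator or look abnormal."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            why = match_indicator(m["path"])
            # A BHO is a DLL; one registered from a .tmp file is abnormal even without an indicator.
            if why is None and m["path"].lower().endswith(".tmp"):
                why = "BHO loaded from a .tmp file"
            if why:
                hits.append((line, why))
            continue
        m = O4_RE.match(line)
        if m:
            why = match_indicator(command_path(m["cmd"]))
            if why is None and m["value"].lower() == "spywarequake":
                why = "SpywareQuake autostart entry"
            if why:
                hits.append((line, why))
    return hits


def scan_paths(paths):
    """Return [(path, reason)] for file paths (e.g. a directory listing) that match an indicator."""
    return [(p, match_indicator(p)) for p in paths if match_indicator(p)]


# Constructed log in HijackThis layout; the CLSIDs are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Vendor\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Windows\SYSTEM32\hp1A2B.tmp
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [nm32] C:\WINNT\fyt\nm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for line, why in scan_hijackthis(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

An empty result from `scan_hijackthis` after the steps above is a reasonable sign the listed components are gone; a hit on the `.tmp` rule with a new name is worth a closer look even when none of the known paths match.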
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below
Spyware removal – Read Before Posting
March 26, 2006 on 9:17 am | In Tutorials - HowTo | 1 Comment
New rogue anti spyware Spyware Quake
Sunbelt blog reported about new rogue Anti-Spyware application Spyware Quake – replacement for Spy Falcon and SpyAxe.

Spyware Quake is installed through the infamous VCodec trojan as well as various exploits.
WHOIS Information:
Domain Name: SPYWAREQUAKE.COM
Registrant:
SafeSurf LLC
Kevin Gerad (Whois Privacy and Spam Prevention by Whois Source)
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332
In addition to just a stealth install of Spyware Quake, an infected machine will exhibit other unwanted symptoms such as Internet Explorer browser hijacks, a stealth installed “Security Toolbar”, and pop-up advertising that is often adult in nature. Also commonly seen is pop-up advertising for WinFixer.
Now available: How to remove SpywareQuake
If you can't uninstall or remove it, tell us about your problem.
March 25, 2006 on 9:19 am | In Rogue Anti Spyware | No Comments
100 confirmed sites now using the IE vulnerability
100 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.
These can be very nasty. SunBelt analysed one site, www(dot)textrum(dot)se (since shut down):
The exploit calls a file, updater.exe. This file is W32/Spybot (W32/Backdoor, Adware.NaviPromo.M).
Norman sandbox report:
Found Sandbox: W32/Backdoor
[ General information ]
* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.
[ Changes to registry ]
* Creates value "Windsupdate"="Updater.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "Windsupdate"="Updater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Dir0"="012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\" in key "HKCU\Software\Kazaa\LocalContent".
[ Network services ]
* Connects to "kronkrak.servequake.com" on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.
[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.
[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I'll be back...).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses....
* Creates a mutex coolbot1.c4.
There is no patch available for this exploit. The only way to avoid it is
- turn off Active Scripting
- use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected).
Your standard protections should be in place — antivirus, firewall, antispyware.
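The Norman report quoted above is a compact list of indicators, and it is more useful as structured data (file paths for a host sweep, the IRC host and port for proxy or firewall logs, the Run/RunOnce values for autostart checks) than as prose. The script below is an added example, not part of the post or of Norman's tooling: it parses that report text into dropped files, registry changes, autostart entries, network connections and the mutex. The section and bullet layout it expects and the regexes are assumptions about this one report, not a documented Norman format; the report text is copied from the post with quotes normalised.

```python
"""Pull indicators out of the Norman sandbox report quoted in the post.

Added example, not part of the original post or of Norman's tooling. REPORT is
the report from the post (quotes normalised to ASCII); the layout and regexes
are assumptions about that text, not a documented report format.
"""
import re

REPORT = r"""
Found Sandbox: W32/Backdoor
[ General information ]
* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.
[ Changes to registry ]
* Creates value "Windsupdate"="Updater.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "Windsupdate"="Updater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Dir0"="012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\" in key "HKCU\Software\Kazaa\LocalContent".
[ Network services ]
* Connects to "kronkrak.servequake.com" on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.
[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.
[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I'll be back...).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses....
* Creates a mutex coolbot1.c4.
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
RULES = {
    "files": re.compile(r"^Creates file (.+)\.$"),
    "dirs": re.compile(r"^Creates directory (.+)\.$"),
    "registry": re.compile(r'^(?:Creates|Modifies) value "(.+?)"="(.*?)" in key "(.+?)"\.$'),
    "network": re.compile(r'^Connects to "(.+?)" on port (\d+)'),
    "mutex": re.compile(r"^Creates a mutex (.+)\.$"),
}
# Autostart locations: a value written here survives reboot, matching "Will automatically restart".
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def normalise_quotes(text):
    """Blogs re-encode quotes; fold curly variants back to ASCII before matching."""
    return text.replace("\u201c", '"').replace("\u201d", '"').replace("\u2033", '"').replace("\u2019", "'")


def parse_report(text):
    """Return a dict of indicator lists extracted from the report's bullet lines."""
    iocs = {"sections": [], "files": [], "dirs": [], "registry": [],
            "persistence": [], "network": [], "mutex": []}
    for raw in normalise_quotes(text).splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            iocs["sections"].append(m.group(1))
            continue
        if not line.startswith("* "):
            continue
        body = line[2:]
        for kind, rx in RULES.items():
            m = rx.match(body)
            if not m:
                continue
            if kind == "registry":
                name, data, key = m.groups()
                iocs["registry"].append((key, name, data))
                if key.endswith(PERSISTENCE_KEYS):
                    iocs["persistence"].append((key, name, data))
            elif kind == "network":
                iocs["network"].append((m.group(1), int(m.group(2))))
            else:
                iocs[kind].append(m.group(1))
            break
    return iocs


if __name__ == "__main__":
    for kind, items in parse_report(REPORT).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The "persistence" list is the one to act on first: the same value name in both RunOnce and Run means the file re-launches on every boot, and the IRC host and port 6667 are what to look for in outbound connection logs.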
RealNetworks Products Multiple Buffer Overflow Vulnerabilities
Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user’s system.
1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.
2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user’s system.
3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.
A weakness when executing other programs is caused due to incorrect use of the “CreateProcess()” API. This may allow execution of an arbitrary program on the system, if this can be placed in the program path.
The following products are affected by one or more of the vulnerabilities:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8
* RealPlayer Enterprise
* Rhapsody 3 (build 0.815 – 1.0.269)
* Mac RealPlayer 10 (10.0.0.305 – 331)
* Mac RealOne Player
* Linux RealPlayer 10 (10.0.6)
* Helix Player (10.0.6)
* Linux RealPlayer 10 (10.0.0 – 5)
* Helix Player (10.0.0 – 5)
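The CreateProcess() weakness in the advisory above is the classic unquoted-path mistake: when lpApplicationName is NULL and the module path in lpCommandLine contains spaces and is not quoted, Windows tries each whitespace-delimited prefix of the command line as the executable (appending ".exe" when the prefix has no extension) and runs the first file that exists, which is what "if this can be placed in the program path" refers to. The script below is an added example, not RealNetworks' code: it simulates that documented lookup in Python so a command line can be audited for ambiguity, and shows the hardened form, which quotes the module path (or passes it as lpApplicationName). The paths it uses are constructed.

```python
"""Audit command lines for the CreateProcess() unquoted-path weakness described above.

Added example, not RealNetworks' code. It simulates the documented behaviour of
CreateProcess when lpApplicationName is NULL and lpCommandLine is unquoted. The
paths below are constructed.
"""
import ntpath


def lookup_order(command_line):
    """Return the file names CreateProcess would try, in order, for the given command line."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        # Quoted module name: exactly one candidate; whatever follows is arguments.
        return [command_line[1:command_line.index('"', 1)]]
    tokens = command_line.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"  # no extension: CreateProcess appends .exe
        candidates.append(prefix)
    return candidates


def is_ambiguous(command_line):
    """True when a file other than the intended program could be picked up."""
    return len(lookup_order(command_line)) > 1


def quote_module(app_path, *args):
    """Hardened form: quote the module path so only that file can be resolved."""
    return " ".join([f'"{app_path}"', *args])


if __name__ == "__main__":
    weak = r"C:\Program Files\Real\RealPlayer\realplay.exe /embed"
    fixed = quote_module(r"C:\Program Files\Real\RealPlayer\realplay.exe", "/embed")
    for cmd in (weak, fixed):
        print(("AMBIGUOUS " if is_ambiguous(cmd) else "ok        ") + cmd)
        for candidate in lookup_order(cmd):
            print("    tries", candidate)
```

Run `is_ambiguous` over the command lines a product stores in its registry Run values, file associations or service definitions; any result of True is a path that should be quoted, and the directories of the extra candidates are the ones whose write permissions matter.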
New Internet Explorer vulnerability
Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the processing of the “createTextRange()” method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.
To block this vulnerability, disable Active Scripting support.
March 23, 2006 on 9:25 am | In Exploits & Vulnerabilities | No Comments
Top 10 spyware threats discovered for last 24 hours
Here are the top 10 spyware threats by Sunbelt Software:
01. DesktopScam
02. Hotbar – How to remove Hotbar
03. WhenU.SaveNow
04. Looking-For.Home Search Assistant
05. CmdService
06. BraveSentry - How to remove BraveSentry
07. 180search Assistant
08. iSearch.DesktopSearch
09. Vcodec – How to remove Vcodec
10. SpyFalcon – How to remove SpyFalcon
If you can't uninstall or remove this spyware, tell us about your problem.
March 22, 2006 on 7:16 am | In Malware removal | 2 Comments