How to remove Look2Me - free removal tool
Removing spyware from a computer is becoming an increasingly difficult task. The Look2Me adware operates in stealth and displays an excessive number of pop-up advertisements. Most are IE pop-up windows, but some pop-ups are tailored by shape and animation. Some of the advertisements push the user to install ErrorGuard or WinFixer.
Look2Me hooks into the winlogon process as a notification package. If the user tries to unregister the notification package, it is immediately reinstated. Look2Me also removes the Administrators group's debug privilege and thereby prevents the user from interfering. This, along with some other tricks, makes manual removal close to impossible.
For automatic removal, use F-Look2Me, a free tool from F-Secure.
1. Download f-look2me.zip (last updated April 11th, 2006)
2. Unzip f-look2me.zip
3. Run f-look2me.exe
4. Reboot the machine
F-Look2Me loads itself as a service to gain system privileges. The service renames the infected files and patches the adware in memory. It also restores the debug privilege for the Administrators group. F-Look2Me requires administrator rights to run.
April 27, 2006 on 4:53 am | In Free Software, Tutorials - "How to" | 1 Comment
More sites for your block list
Add the following sites to your block list:
All of these sites will attempt (after evaluating your computer's OS and service pack level) to run exploits for already-patched vulnerabilities against your system in order to install Spyware Quake.
If you don't know how to block these sites, see this howto: How to use the HOSTS file to block sites
Don't open these sites.
Thanks to Sunbelt blog.
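The HOSTS-file blocking the howto above describes, as an added example that is not part of the original post: it turns a defanged "name(dot)tld" list in the notation this post uses into HOSTS lines, skipping entries that are not hostnames (such as an "IP: ..." line) and domains the HOSTS file already maps. Every domain and the HOSTS content in the block are constructed samples.

```python
# Added example (not from the original post): turn a defanged "name(dot)tld"
# list into HOSTS-file lines, skipping non-hostname entries (such as the
# "IP: ..." line) and domains the HOSTS file already maps.
# Every domain and the HOSTS content below are constructed samples.
import re

DEFANGED_LIST = """
IP: 192.0.2.10
bad-example(dot)com
Bad-Example(dot)com
another-bad-example(dot)org
update-scam-example(dot)biz
"""

EXISTING_HOSTS = """
# Constructed HOSTS file: one of the domains is already blocked.
127.0.0.1       localhost
127.0.0.1       another-bad-example.org
"""

HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")


def refang(entry):
    """Turn 'name(dot)tld' into 'name.tld'; return None for anything that is not a hostname."""
    host = entry.strip().lower().replace("(dot)", ".").replace("[.]", ".")
    return host if HOSTNAME_RE.match(host) else None


def blocked_in_hosts(hosts_text):
    """Names already mapped by the non-comment lines of a HOSTS file."""
    blocked = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()      # strip comments, then split fields
        if len(parts) >= 2:
            blocked.update(p.lower() for p in parts[1:])
    return blocked


def hosts_block_lines(defanged, hosts_text, sink="127.0.0.1"):
    """HOSTS lines (pointing at the loopback address) for domains not blocked yet."""
    seen = blocked_in_hosts(hosts_text) | {"localhost"}
    lines = []
    for entry in defanged.splitlines():
        host = refang(entry)
        if host and host not in seen:
            seen.add(host)                         # also drops case duplicates
            lines.append("%s\t%s" % (sink, host))
    return lines


if __name__ == "__main__":
    print("\n".join(hosts_block_lines(DEFANGED_LIST, EXISTING_HOSTS)))
```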
April 21, 2006 on 6:20 am | In Spyware protection and removal | No Comments
How to drop rights for safer surfing
By default, when you first install Windows XP, all of the active user accounts created are administrator accounts, meaning they have full rights to install, modify or delete any program, file or system process running on the computer.
As a result, malware (spyware, adware) can do many things, such as:
* Creating files in the system32 directory.
* Terminating various processes.
* Disabling the Windows Firewall.
* Downloading and writing files to the system32 directory.
* Deleting registry values.
A simple solution is to run your browser, e-mail client, and perhaps other regularly used Web-facing programs each under a less-privileged account.
Microsoft provides a simple tool for this: DropMyRights.
First, download and run DropMyRights, then take note of the directory where the program is installed.
Then go to the Windows desktop, right-click on it, select “New” and then “Shortcut.” Then, in the box underneath the text that reads “Type the location of the item,” type or browse for the directory where the “DropMyRights.exe” program was installed (for example, C:\Documents and Settings\***\MyDocuments\MSDN\DropmyRights\dropmyrights.exe, where *** is your account name). Keep this window open for the time being and don’t click any more buttons on it; we’ll come back to it in a moment.

At this point, you just need to know the location of each program you want to run under a non-administrator account, in order to create a clickable icon on the Windows desktop and/or the Windows taskbar that you can use to start the program in limited-user mode whenever you want. For example, if you want to set up Internet Explorer, enter the location of “iexplore.exe” directly after the text you already entered in the shortcut location window above. Using the example above, the text you would enter would be: C:\Documents and Settings\***\MyDocuments\MSDN\DropmyRights\dropmyrights.exe “c:\program files\internet explorer\iexplore.exe”. Then hit “next” and give your shortcut a name. If you’re devising a shortcut for Internet Explorer, you might just call it “IE.”
Now, right-click on the icon you just created and select “Properties.” The first tab that comes up should be “Shortcut,” and lower down on that window should be a button that reads “Change Icon.” Click on it and you can change the icon so that anyone who clicks on it will think it is the default icon for Internet Explorer. A window of graphical icons will come up next; drag the scroll bar to the right and you should see the familiar IE icon. Select it and hit “okay,” and the shortcut you just created on the desktop should change its icon accordingly. Also set the Run option for the shortcut to Minimized.

Now, to run IE, click the shortcut.
April 18, 2006 on 7:46 am | In Tutorials - "How to" | No Comments
Found new rogue antispyware - Spyware Soft Stop
The Sunbelt blog reported a new rogue antispyware program, Spyware Soft Stop.

If you have the misfortune to run an executable named “sss_bot.exe”, you’ll get presented with a fake (and poorly worded) security message:
Warning!
Your computer is probably infected. Microsoft Corporation
recommends you to check your computer on the spyware
presents. Click here to download updates
If you can't uninstall or remove Spyware Soft Stop, or have other problems with it, post in the Spyware Removal Forum about that.
YapBrowser and Yapsearch(dot)com
Sunbelt reported on YapBrowser, a potentially dangerous application that pre-installs 180Solutions Zango and apparently does nothing but redirect you to a porn site. For example, the URL “microsoft.com” is redirected to a porn page.
YapBrowser will also be used for some very nasty spyware installs.
Don't install YapBrowser!
April 17, 2006 on 10:18 am | In Tips | No Comments
Smitfraudfix - free tool to remove Desktop Hijack malware
This tool removes Desktop Hijack malware: AdwarePunisher, AdwareSheriff, AlphaCleaner, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntivirusGolden, AVGold, BraveSentry, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, PestCapture, PestTrap, PSGuard, quicknavigate.com, Registry Cleaner, Security iGuard, Smitfraud, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareSheriff, SpywareStrike, Startsearches.net, TitanShield Antispyware, Trust Cleaner, UpdateSearches.com, Virtual Maid, VirusBlast, VirusBurst, Win32.puper, WinHound, Brain Codec, DirectVideo, EliteCodec, eMedia Codec, FreeVideo, Gold Codec, HQ Codec, iCodecPack, iMediaCodec, Image ActiveX Object, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, PrivateVideo, QualityCodec, Silver Codec, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec…
Extract all the archive content.

Search infection:
- Open the smitfraudfix folder and double-click smitfraudfix.cmd
- Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Clean:
- Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
- Double-click smitfraudfix.cmd
- Select 2 and hit Enter to delete the infected files.
- You will be prompted: Do you want to clean the registry ? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean the registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
- A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
- To restore Trusted and Restricted site zone, select 3 and hit Enter.
- You will be prompted: Restore Trusted Zone ? Answer Y (yes) and hit Enter to delete the Trusted Zone entries.
Download: Smitfraudfix
April 13, 2006 on 3:09 am | In Free Software, Spyware protection and removal | 26 Comments
Strider URL Tracer
Microsoft Research has released a new tool, URL Tracer, which reveals third-party domains:
When a user visits a Web site, her browser may be instructed to visit other third-party domains without her knowledge. Some of these third-party domains raise security, privacy, and safety concerns. The Strider URL Tracer, available for download, is a tool that reveals these third-party domains, and it includes a Typo-Patrol feature that generates and scans sites that capitalize on inadvertent URL misspellings, a process known as typo-squatting. The tool also enables parents to block typo-squatting domains that serve adult ads on typos of children’s Web sites.
April 12, 2006 on 5:36 am | In Free Software | No Comments
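The typo generation behind a Typo-Patrol-style scan, as an added example that is not the Strider URL Tracer's own code: it produces the common inadvertent-misspelling classes of a domain's first label (dropped character, swapped neighbours, doubled character, adjacent-key slip) so a site owner can list which look-alikes of their own site to monitor or block. The domain used is a constructed placeholder and the QWERTY neighbour table is this example's own assumption.

```python
# Added example (not the Strider URL Tracer's code): enumerate the typo
# variants of a domain that a Typo-Patrol-style scan would check, so the
# owner of a site can see which look-alike names to watch or block.
# The keyboard table below is an assumption of this example.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o", "a": "qws", "s": "awed",
    "d": "serf", "f": "drtg", "g": "ftyh", "h": "gyuj", "j": "huik",
    "k": "jiol", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def split_domain(domain):
    """Return (first label, remaining suffix) for names like 'site.com' or 'site.co.uk'."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def typo_variants(domain):
    """Misspelled domains (never the original) across four typo classes."""
    label, suffix = split_domain(domain)
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                          # omission
        variants.add(label[:i] + ch + label[i:])                         # doubled character
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + near + label[i + 1:])               # adjacent key
    variants.discard(label)
    return {"%s.%s" % (v, suffix) for v in variants if v}


if __name__ == "__main__":
    # Constructed placeholder domain; print the candidate list sorted for review.
    for candidate in sorted(typo_variants("example.com")):
        print(candidate)
```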
The Patch day!
Microsoft released the following Security patches:
Critical:
Cumulative Security Update for Internet Explorer
This patch should be applied as fast as possible, but due to a change in ActiveX functionality it requires extra careful testing. Microsoft bundled all but one of this month’s Internet Explorer updates in this “Cumulative update”. This particular update patches no fewer than 8 remote code execution issues. In addition, one information disclosure problem and an address bar spoofing vulnerability are fixed. Note that there are public exploits for at least one (CVE-2006-1245) and possibly two (CVE-2006-1388) of the advisories. While the exploits known to us only trigger a DoS condition, it is very possible that more sinister exploits are already in use. Microsoft states that they are not aware of any exploits in the wild, which likely refers to remote execution exploits, not DoS exploits.
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerability in Windows Explorer Could Allow Remote Code Execution
A remote code execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server. This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
If you can’t apply the patch right away, MS recommends:
* Disable the Web Client service
* Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.
* Block TCP ports 139 and 445 at the firewall
Important:
Cumulative Security Update for Outlook Express
A remote code execution vulnerability exists within Outlook Express involving its handling of Windows Address Book (.wab) files. Attackers can craft a suitable version of the .wab file and then convince the end user to open it, either directly via e-mail or through a link on a web site. The attacker would gain the same administrative rights as the end user.
Moderate:
Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting
A remote code execution vulnerability exists in FrontPage Server Extensions (FPSE) and SharePoint Team Services (STS) which could allow an attacker to run client-side scripts on behalf of an FPSE user. If the user has administrative rights, the attacker would gain complete access to the server. Otherwise, access would be limited to the rights granted to the end user. Because of a list of mitigating circumstances and the default install of Windows Server, Microsoft is releasing this as a moderate issue. However, note that this is a remote code execution problem and could be more critical in your particular circumstances.
To download the updates, visit the Windows Update website. You may also get the updates through the Automatic Updates functionality in Windows.
April 12, 2006 on 5:12 am | In Critical patch | No Comments
Found new fake codec - emcodec
Emcodec is a Trojan horse that drops and executes a copy of Trojan-Zlob-J, a back door Trojan that allows a remote attacker to perform various malicious actions on the compromised computer.
The Trojan is distributed as an installer for eMediaCodec, presented as a codec for Windows Media Player.
If you can't uninstall or remove it, post to the spyware removal forum about your problem.
April 7, 2006 on 11:16 pm | In Trojan | No Comments
New home for Coolwebsearch / Trafficadvance
The Coolwebsearch/Trafficadvance malware operation has moved to a new hoster.
They all seem to reside under 85.249.23.x now, again in St. Petersburg, Russia. If you prefer to block their domains, here’s a list. All of the indicated domain names end in .biz.
traffsale1 traffweb toolbarweb toolbarsale iframecash traffcool toolbarcool traffbucks toolbarbucks traffdollars toolbardollars traffbest toolbarbest traffnew toolbarnew traffmoney toolbarmoney vip01
Read how to block domains.
Thanks to Sans.org
April 6, 2006 on 9:57 pm | In Spyware protection and removal | No Comments
New vulnerability in Internet Explorer
Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.
The vulnerability is caused by a race condition in the loading of web content and Macromedia Flash Format files (“.swf”) in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.
To protect your PC, disable Active Scripting support.
Thanks to Secunia
April 6, 2006 on 9:26 pm | In Exploits & Vulnerabilities | No Comments
How to remove Trojan Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A)
For the last week, Vundo (Virtumonde) was in second place in Sunbelt's top 10 spyware list:
Name                              Count   Share
DesktopScam                       1,646   3%
Virtumonde                        1,194   2%
Vcodec                              915   2%
Hotbar                              872   2%
SpyAxe                              833   2%
WhenU.SaveNow                       832   2%
Looking-For.Home Search Assist…     810   2%
EliteMedia                          749   1%
NewDotNet                           746   1%
CmdService                          728   1%
Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A) is an adware program that downloads and displays popup advertisements. It also offers to install other potentially unwanted software.
Standard symptoms:
* the computer works slowly
* pop-ups from Adult Friend Finder
* you have found rogue anti-spyware
If you found Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A) on your computer, read these steps. If you have problems with your computer and don't know WHY, read also
You can also use CounterSpy for automatic removal of Vundo.
Download VundoFix and save the file to your desktop.
Download HijackThis and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\*****.dll
O20 - Winlogon Notify: ***** - C:\WINDOWS\system32\*****.dll
where ***** is a random name, but both entries use the same name.
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting
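The O2/O20 check described above, as an added example that is not part of the original post and not HijackThis code: it parses HijackThis-style log lines and flags a BHO and a Winlogon Notify package that share one randomly named DLL under system32, the pattern this post describes for Vundo (and the same Winlogon-notify persistence the Look2Me post describes). The log lines in the block are constructed; only the WTLHelper CLSID comes from the post.

```python
# Added example (not from the original post and not HijackThis code): parse
# HijackThis-style O2/O20 lines and flag a BHO and a Winlogon Notify package
# that share one randomly named DLL under system32, the pattern the post
# describes for Vundo (Look2Me persists through the same Winlogon hook).
import re
from collections import defaultdict

# Constructed sample log; "qwvxmtr" stands in for the random name the post masks as *****,
# the first CLSID is made up, and only the WTLHelper CLSID is taken from the post.
SAMPLE_LOG = """\
O2 - BHO: Harmless Helper Class - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Harmless\\helper.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\\WINDOWS\\system32\\qwvxmtr.dll
O20 - Winlogon Notify: qwvxmtr - C:\\WINDOWS\\system32\\qwvxmtr.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
WTLHELPER_CLSID = "{75DC57F8-D831-4AB8-86B7-4F826F4A0873}"   # named in the post


def dll_name(path):
    """Lower-cased file name of a Windows path (also handles bare names like 'crypt32.dll')."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def parse_entries(log_text):
    """Yield (section, name, clsid, path) for every O2/O20 line; other lines are ignored."""
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            yield ("O2", m.group("name"), m.group("clsid"), m.group("path"))
            continue
        m = O20_RE.match(line)
        if m:
            yield ("O20", m.group("name"), None, m.group("path"))


def suspicious_pairs(log_text):
    """DLLs under system32 that appear both as a BHO (O2) and a Winlogon Notify package (O20)."""
    sections_by_dll = defaultdict(set)
    for section, _name, _clsid, path in parse_entries(log_text):
        if "\\system32\\" in path.lower():
            sections_by_dll[dll_name(path)].add(section)
    return sorted(d for d, s in sections_by_dll.items() if {"O2", "O20"} <= s)


def wtlhelper_paths(log_text):
    """Paths of BHO entries registered under the WTLHelper CLSID the post lists."""
    return [path for section, _n, clsid, path in parse_entries(log_text)
            if section == "O2" and clsid == WTLHELPER_CLSID]
```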
April 2, 2006 on 8:45 am | In Trojan, Tutorials - "How to" | No Comments
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.