First virus for StarOffice and OpenOffice
Kaspersky Lab has reported that the first macro virus for StarOffice and OpenOffice, Virus.StarOffice.Stardust.a, has been found.
Stardust is a macro virus written for StarOffice. Macro viruses usually infect MS Office applications. It’s written in Star Basic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document.
YapBrowser is back online
Some time ago we reported on this adware:
YapBrowser, a potentially dangerous application that pre-installs 180Solutions Zango and does nothing but apparently redirect you to a porn site. Read more: YapBrowser and Yapsearch(dot)com
Now the YapBrowser site is back online.
The website claims:
YapBrowser is a browser which will make searching for any information online much simpler. Download YapBrowser for free and forget about getting to sites containing harmful exploits. Your computer will be free from viruses breeding online. Attention! You can download a 100% free adult version of YapBrowser. Using it you will be able to search for and browse adult content for free. There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities. Now you can download it for no cost at all.
So it is an adult version this time around, the user is getting a warning upfront and, you guessed it, it’s free and now backed by a 100% guarantee you won’t experience a system infection.
Read more about yapbrowser on Spyware Guide: Return of The Yap Browser
May 31, 2006, 9:11 am | In Adware
New Winamp Fixes Major Security flaw
AOL’s Nullsoft division released a new version of its popular Winamp music and video player on Thursday, in part to fix a “major” security flaw in the program, according to the accompanying advisory.
Winamp 5.22 includes a huge list of stability updates and at least a couple of security tweaks, though the advisory doesn’t get too far into specifics on the latter front.
We have seen active exploitation of Winamp flaws in the past:
- Winamp Remote Code Execution
- Winamp exploit used to push spyware
- Multiple vulnerabilities in WinAmp - Affected all versions (including 5.13)
So please do not put off downloading and installing this new version if you use Winamp.
May 30, 2006, 8:12 am | In Critical patch
Spam emails and fake Microsoft patch
Internet Storm Center has received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and notifies the recipient of “a new vulnerability [that] has been discovered in the Microsoft WinLogon Service”. It further states that the vulnerability can allow an attacker access to the unpatched system.
Of course, the user is advised to install the patch which can be downloaded from the included link.
As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:
http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe
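The trick above (visible link text naming one host, the actual href pointing at another) is mechanical to check for on the receiving side. The following is an added example, not code from the original post or from the Internet Storm Center; the e-mail body is constructed, and the download host is replaced by the placeholder www.evil.example.

```python
"""Flag HTML e-mail links whose visible text is a URL on one host while the
href points at a different host, as in the fake WinLogon "patch" mail."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam described above; the attacker's
# real download host is replaced by the placeholder www.evil.example.
SAMPLE_MAIL = """
<p>A new vulnerability has been discovered in the Microsoft WinLogon Service.</p>
<p>Download the patch: <a href="http://www.evil.example/winlogon_patchV1.12.exe">
http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe</a></p>
<p><a href="http://www.microsoft.com/security">Microsoft Security</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host part of an http(s) URL, lower-cased; '' if the text is not a URL."""
    parsed = urlparse(url.strip())
    return parsed.netloc.lower() if parsed.scheme in ("http", "https") else ""


def find_mismatched_links(html):
    """Return [(shown_host, real_host, href)] for every link whose visible
    text looks like a URL on a different host than the href actually uses."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            findings.append((shown, real, href))
    return findings


if __name__ == "__main__":
    for shown, real, href in find_mismatched_links(SAMPLE_MAIL):
        print(f"displays {shown} but goes to {real}: {href}")
```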
AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products on VirusTotal detected this:
AntiVir 6.34.1.34 05.29.2006 Heuristic/Crypted.Modified
BitDefender 7.2 05.30.2006 Trojan.BeastPWS.C
Kaspersky 4.0.2.24 05.30.2006 Trojan-Spy.Win32.Delf.jq
NOD32v2 1.1566 05.30.2006 Win32/Spy.Delf.NBR
Panda 9.0.0.4 05.29.2006 Suspicious file
Sophos 4.05.0 05.30.2006 Troj/BeastPWS-C
Symantec 8.0 05.30.2006 Infostealer
Update:
Kaspersky Lab also reported on a fake Microsoft patch. They released an urgent update for Trojan-PSW.Win32.Sinowal.u. Sinowal is a family of password-stealing Trojans which steal usernames/passwords entered via forms in an internet browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.
Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.
Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.
Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.
The email looks like this:
From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com]
Subject: Attention! Important news from Microsoft Windows Update!
Dear users of Microsoft Windows XP!
Yesterday unknown hackers deployed a new worm virus. After it gets into the system, it sends itself out to your mail address list, and all your contacts get infected. After infection the system starts to work unstably, and the computer “hangs” exactly one minute after the next boot.
To protect users of the Microsoft Windows XP system, our security specialists have developed an update for the system. You should open the file attached to the e-mail so that the system is updated and fully protected from the new worm.
Kind regards,
Windows Update
As you hopefully know, Microsoft never sends executables along with their emails, so social engineering attempts like these can be spotted easily, at least in theory.
And don’t forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.
May 29, 2006, 8:49 pm | In Trojan
ZonedOut - Free tool to manage Internet Explorer’s Zones
Need a way to manage Internet Explorer’s Zones? If so, then ZonedOut is for you. Add, Delete, Import, Export, Build a WhiteList and More.
ZonedOut is a complete Internet Explorer Security Zone Manager. Manage zone sites at the Current User and Local Machine level in style.

The program includes a help file with General Usage notes, an outline of Commands, and the Freeware License Agreement. It is very important to read this help file.
Read the article What is “Internet Zone”? How to use “Internet Zone Settings” for more info about Internet Zones.
Click here to download ZonedOut.
May 28, 2006, 11:58 pm | In Free Software
Banwarum Worm Offers Tickets for the WORLD CUP
A new mass-mailing worm called Banwarum (also known as Zasran and Ranchneg) is using World Cup-themed email messages. The worm sends itself as a password-protected archive and includes the password for it in the email. The emails sent by the worm are in German, and some of them offer tickets for the football games in Germany next month.
There are already three functionally similar variants of this worm. FSAV detects the .A and .B variants of the worm with update version number 2006-05-24_04 and variant .C with update version number 2006-05-25_01. One of the emails sent by the worm looks as follows:
Hi man,
ich hab gesehen, das du zu WM wolltest, frag nicht wer ich bin und warum ich es mache. Hier hast du 5 Stueck, das ist eine spezielle Online Version, drueck es aus und unterschreib. Password zu dem Archiv lautet (psw)
Mfg Niemand
This means in English:
Hi man,
I saw that you want to go to the World Cup. Don’t ask who I am or why I am doing this. Here you have 5 pieces, which are a special on-line version; print it and sign. Password to the archive is (psw).
With friendly greetings Nobody
Thanks to F-Secure.
May 28, 2006, 11:31 pm | In Worms
Yahoo IM worm hijacks Internet Explorer, installs fake browser
A worm that installs a ‘Safety Browser’ and plays screeching music is circulating via IM.
The annoyance starts with a link apparently sent by a friend in Yahoo’s IM program.
IM security company FaceTime Communications described the malware, which it calls “yhoo32.explr”, as “insidious” in a security advisory last week. From the advisory:
The malware infects the PC with two elements. The first element is a web browser called “Safety Browser.” This stand-alone application has no uninstaller and disguises itself with an Internet Explorer logo in some instances. The application also hijacks the personal homepage in Internet Explorer and points users to Safety Browser’s homepage (demoplanet.tv). The hijack also plays looped music that cannot be stopped when the user starts up the PC or Safety Browser. The second element is the self-propagating worm. This worm installs an .exe file that spreads the infection through Yahoo Messenger to everyone on the Contacts List.
When the link is clicked, a worm installs the so-called ‘Safety Browser’, a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.
Malware spread through instant-messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user’s permission.
The bug also hijacks Internet Explorer’s home page, directing users to the Safety Browser’s site.
After it is launched, the worm sends itself to others on the user’s instant-messaging contact list.
The malware is engineered to overwrite instant messages typed by a user; the infected message can be changed on the fly, the company said.
Read more here.
May 28, 2006, 11:20 pm | In Browser Hijacking
Kaspersky lab released detection for malware exploiting the MS Word vulnerability
Some days ago we reported on a vulnerability in Microsoft Word.
Malware which spreads via email is exploiting the vulnerability through a specially crafted MS Word .DOC attachment. If the attachment is launched, this triggers a process which results in a backdoor being installed.
Kaspersky Lab released detection for the malware, a dropper and a backdoor. As ever, users should update their databases as soon as possible. Kaspersky products detect the dropper as Trojan-Dropper.MSWord.1Table.bd and the backdoor as Backdoor.Win32.Gusi.a.
May 23, 2006, 9:44 am | In Exploits & Vulnerabilities
I just go to Amazon and Citibank, so why am I seeing pop-ups for Adult Friend Finder?
A typical lament: “I just go to Amazon and Citibank, so why am I seeing pop-ups for Adult Friend Finder?” Parents, we have an answer – your teenager.
One of the benefits of testing so much of the Web is that we’ve developed a good sense of where the bad guys concentrate. And smiley sites are one of those dark alleys. For those of you who don’t know, smileys (aka emoticons) are graphic punctuation marks that people use to add emotion to their text communications, whether IM (Instant Messaging), SMS (mobile phone texting) or plain old e-mail. Now, who does the most IM’ing in your house? Yup, it’s your teen. What follows are five smiley sites that will leave you and your computer frowning. But first, a little background.
ComScore Networks estimates that a whopping 69 million Americans use instant messenger software. AOL, Yahoo! and MSN are the most common providers.
Unfortunately, many smiley packs, often accessible as a free download, contain unrelated programs that harm users’ computers. SiteAdvisor tests show that spammers and adware distributors often find new users by offering “free” smileys. Fortunately, there’s still reason to smile. Free smiley downloads are available without Web safety threats. More on those later.
Navigating the Spyware Minefield
How do your kids get smileys in the first place? The major IM providers include a default set, but these get old fast. You can imagine the exchange: Jane IM’s John: “Cool smiley. Where did you get it?” John IM’s back. “Don’t remember. It was free on Google.” Jane searches Google for “free smiley.” The next thing you know, Jane’s installing a piece of adware with the pack of emoticons. Just how risky is that search?
Of the 20 links on this result page, eight (40%) point to sites that SiteAdvisor rates yellow or red. If Jane picks a random site from this list, she faces a 40% risk of infection. Do two such searches and the risk increases to 64%. Three times, 78%. So for users making a series of unsafe searches, it’s not unusual to find the family computer hosed.
Read more here.
May 23, 2006, 9:27 am | In Spyware protection and removal
Good tool to manage your HOSTS file
HOSTS Secure is a utility that you can use to automatically download, unzip, and install the MVPS HOSTS file.
The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory (cache) at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, providing the entry exists.
You can use a HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems.
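To make the mechanism concrete, here is a small model of how a HOSTS-file blocklist resolves names: listed names are answered from the file before any DNS query, matching is exact, and a name pinned to the local machine never leaves the host. This is an added example, not part of the original post or of HOSTS Secure or the MVPS file; the file contents and the .example domain names are constructed.

```python
"""Model of HOSTS-file lookups as a blocklist (the MVPS file uses this layout)."""
import ipaddress

# Constructed hosts file in Windows format: "<ip> <name> [name ...]",
# with comments after '#'.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.tracker.example      # ad server, constructed name
0.0.0.0 counter.example  webbug.example
127.0.0.1 hijacker.example
192.0.2.10 intranet.example      # a real mapping, not a block
"""

# Addresses that point a connection back at the local machine.
BLOCK_TARGETS = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("127.0.0.1")}


def parse_hosts(text):
    """Map each host name (lower-cased) to its address. The first entry for a
    name wins, which is what the resolver does with duplicate names."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line is ignored
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(table, name):
    """Address the hosts file gives for name, or None meaning 'not listed, so
    Windows would go on to query DNS'. Matching is exact: listing a domain
    does not cover its subdomains, which is the main limit of this approach."""
    return table.get(name.lower().rstrip("."))


def is_blocked(table, name):
    """True when the name is pinned to the local machine, so connection
    attempts to it (ads, web bugs, a hijacker's site) never leave the host."""
    addr = resolve(table, name)
    return addr is not None and addr in BLOCK_TARGETS and name.lower() != "localhost"


def block_entries(domains, target="0.0.0.0"):
    """Render new blocklist lines, de-duplicated case-insensitively. 0.0.0.0 is
    used instead of 127.0.0.1 so a blocked connection fails at once rather
    than waiting on a local web server that is not there."""
    return [f"{target} {d}" for d in dict.fromkeys(d.lower() for d in domains)]
```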

Features include a scheduler to keep the file up to date.
Note: requires “.Net Framework 1.1”.
Read more: how to use the hosts file to block ads.
May 23, 2006, 9:08 am | In Free Software, Tips
How to remove guardupdate.com, startupguarduptodate.com, guarduptodate.com homepage hijackers
Symptoms:
- Homepage hijacked and you get redirected to guardupdate.com, startupguarduptodate.com, guarduptodate.com.
- Many more popups.
- A yellow triangle pops up at the bottom of the task bar, flashing and saying that your PC is infected.
Print out these instructions as we will need to close every window that is open later in the fix.
Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Download and unzip Avenger to your desktop.
Download CCleaner.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, Download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display “Update successful”)
5. Exit Ewido. DO NOT scan yet.
Run Avenger. Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following bold text:
Files to delete:
C:\WINDOWS\system32\intell321.exe
C:\windows\SYSTEM32\winrlo32.dll
Then click on ‘Done’. Click the Traffic Light icon to start the program. Then press OK at the prompts to reboot your PC.
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\windows\system32\hp****.tmp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O20 - Winlogon Notify: winrlo32 - D:\windows\SYSTEM32\winrlo32.dll
(where **** is random letters)
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press “Enter” to delete infected files.
You will be prompted : “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.
Restart your PC. Boot again in safe Mode.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.
Run CCleaner.
Reboot your computer.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below
Spyware removal - Read Before Posting
May 23, 2006, 8:59 am | In Tutorials - "How to"
How to block the Microsoft Word vulnerability: recommended defenses
Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits. So let’s think a bit beyond the next couple of days on how to defend your network.
- User education is of course key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. “What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document”. Teach users to double check out of band. “Do not open the document before calling the customer”.
- Do not trust Antivirus alone. Defending against 0-day is all about defense in depth. Antivirus is likely going to fail you for an exploit like that. Consider a system that quarantines attachments for at least 6-12 hours to allow anti virus signatures to catch up. This may not be acceptable for a lot of organizations, but in particular right now, with a known exploit, it may be a reasonable step.
- Limit users’ privileges. The particular sample we received will not run as a non-administrator user. It will be MUCH easier to clean up after an exploit like that if the user had no administrator rights.
- Monitor outbound traffic. Your IDS and your firewall are as valuable to protect your network from malicious traffic entering as they are in protecting you against your corporate secrets leaving your network. Consider deploying “honey tokens”, files with interesting names that contain a particular signature your IDS will detect.
- Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
- Limit data on desktops. Try to teach users to limit data they store “in reach”. This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help as they will be accessible to the user opening the word document.
Again, none of these techniques are perfect. Each one can be circumvented. But the more layers you can wrap your users in, the better. Think about what will work well in your organization. Personal firewalls on desktops? Traffic control with flowtools or ntop? What are the tools you already have that can be used for this purpose?
There are also some rather more radical “solutions” possible if you absolutely need to be sure that you can continue working independently of this vulnerability (and the inevitable variants to follow soon):
- Consider additional filtering, for example using software which converts Word DOC format to something which cannot carry the virus, e.g. RTF. Consider using the free wvWare library. You will lose formatting, but that might be an acceptable bargain for e-mail incoming from outside your organisation.
- Consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.
Another option might be to use the Microsoft Office viewer applications instead as your default, such as Word Viewer. You can get more information about and download the viewer programs from Microsoft. The Word Viewer application is not vulnerable to this specific exploit.
Thanks to Internet Storm Center
May 23, 2006, 7:55 am | In Exploits & Vulnerabilities
Found exploit using new Microsoft Word vulnerability
Internet Storm Center reported on a new Word vulnerability being used in the wild. An exploit using the vulnerability has been sent as an email attachment to specific individuals.
The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new “clean” file is opened without incident.
The exploit communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows”. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.
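Because the trojan goes out through the proxy, its beaconing (empty POSTs to one host about once a minute) is visible in proxy logs even while no signature detects the file. The following detection pass is an added example, not part of the original post or the ISC diary; it assumes a simplified log format of “epoch client method request-bytes url” and uses the constructed placeholder host c2.example.

```python
"""Find client/host pairs that send zero-byte HTTP POSTs at a steady period."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed log lines: one client beacons to the placeholder c2.example
# every ~60 s with empty POSTs, mixed with ordinary traffic.
SAMPLE_LOG = """\
1148400000 10.0.0.5 POST 0 http://c2.example/
1148400003 10.0.0.5 GET 0 http://www.microsoft.com/
1148400061 10.0.0.5 POST 0 http://c2.example/
1148400090 10.0.0.7 POST 512 http://intranet.example/login
1148400119 10.0.0.5 POST 0 http://c2.example/
1148400180 10.0.0.5 POST 0 http://c2.example/
1148400241 10.0.0.5 POST 0 http://c2.example/
1148400250 10.0.0.7 POST 0 http://intranet.example/ping
"""


def parse_log(text):
    """Yield (timestamp, client, method, request_bytes, host) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                    # skip malformed lines rather than crash
        ts, client, method, size, url = parts
        yield int(ts), client, method.upper(), int(size), urlparse(url).netloc.lower()


def find_beacons(text, min_hits=4, expected_period=60.0, tolerance=0.25):
    """Return {(client, host): mean_gap_seconds} for every client/host pair with
    at least min_hits empty POSTs whose gaps cluster around expected_period:
    the mean gap is within tolerance of it and the jitter (pstdev) is small."""
    times = defaultdict(list)
    for ts, client, method, size, host in parse_log(text):
        if method == "POST" and size == 0:
            times[(client, host)].append(ts)

    beacons = {}
    slack = tolerance * expected_period
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue                    # too few hits to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if abs(avg - expected_period) <= slack and pstdev(gaps) <= slack:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: empty POST every {period:.0f}s")
```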
Update:
When the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.
Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config ..
Update - 05/23/06:
Microsoft and eEye have each released advisories related to the issue this evening.
Microsoft’s security advisory can be found here.
eEye’s advisory can be found here.
The information about which versions are vulnerable differs a little between the two advisories.
Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in ‘Safe Mode’ to disable the functionality that is affected by the vulnerability and exploit.
eEye says that the vulnerability affects Word 2000 as well. The eEye advisory mentions that they believe there are two variants of this exploit. Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.
May 19, 2006, 8:34 pm | In Exploits & Vulnerabilities
How to remove Spyware Sheriff and Antispylab
Spyware Sheriff is a rogue antispyware application that uses Trojans and other malware to trick or scare you into purchasing it. If you are infected with this malware, your Internet Explorer home page will be reset to about:blank and display a fake Windows Security Center alert stating that you are possibly infected.
When you click on the button on this page it will bring you to the site antispylab.com, which attempts to sell you either Spyware Sheriff, Adware Sheriff, or Regfreeze Antispy. This program will also create fake security alerts in the Windows taskbar stating that there are various security risks with your computer, ranging from spam and hack attempts to Trojan infections. When you click on these alerts they will bring you to the antispylab.com site as well. There have also been reports of this infection crashing the legitimate Microsoft process lsass.exe.

When this process crashes, your computer will begin a countdown which at the end will shutdown your computer.
Read more about Spyware Sheriff: New rogue antispyware - SpywareSheriff
As your first step, please download HijackThis.
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis.
Download HijackThis.exe into this folder.
Print out these instructions as we will need to close every window that is open later in the fix.
Download SmitfraudFix. Extract the content (a folder named SmitfraudFix) to your Desktop.
Download and unzip Avenger to your desktop.
Download CCleaner. Double click on the file to install it.
Next, Download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display “Update successful”)
5. Exit Ewido. DO NOT scan yet.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Reboot your computer again in Safe Mode.
Start up Avenger.
Check the ‘Input script manually’ option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following bold text:
Files to delete:
C:\WINDOWS\system32\winapi32.dll
Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Reboot your PC again in Safe mode.
Run HijackThis, Choose “Do a system scan only” and checkmark the box next to the following entries:
O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
Close all other windows and browsers, then click “Fix Checked”.
Reboot your computer.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report“. This will create a text file. Make sure you know where to find this file again.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Restart your computer in normal mode.
Run the Panda online virus scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Your computer should now be free of the Spyware Sheriff and Antispylab.com infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting
Last update: 06/15/06
May 18, 2006, 8:05 am | In Rogue Anti Spyware, Tutorials - "How to"
How to remove Spyware Soft Stop
Spyware Soft Stop is a rogue antispyware.
Once installed this program will issue fake taskbar alerts, which look like Windows Security alerts, stating that you are infected with various viruses and advising you to click on the icon to remove them.
To remove this program you should download the following:
Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Download and unzip Avenger to your desktop.
Download CCleaner.
Next, Download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display “Update successful”)
5. Exit Ewido. DO NOT scan yet.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: Spyware Soft Stop
Run Avenger. Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following bold text:
Files to delete:
C:\WINNT\system32\vxgame6.exe3584.exe
C:\WINNT\system32\kernels8.exe
C:\WINNT\SYSTEM32\notifysb.dll
Then click on ‘Done’. Click the Traffic Light icon to start the program. Then press OK at the prompts to reboot your PC.
Boot your computer in Safe Mode.
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\system32\vxgame6.exe3584.exe
O20 - AppInit_DLLs: C:\WINNT\system32\svchqk.dll
O20 - Winlogon Notify: s_reg - C:\WINNT\SYSTEM32\notifysb.dll
Now close all browser windows and any other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.
If your desktop has also been hijacked, go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web, and uncheck “Security Info” if present.
Run CCleaner.
Your computer should now be free of the Spyware Soft Stop infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below
Spyware removal - Read Before Posting
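The four HijackThis entries and the three Avenger file deletions above are the same infection seen from two sides: the registry keys that load the rogue files at logon (Run values, AppInit_DLLs, a Winlogon Notify package) and the files themselves. The script below is an added example, not part of this post, of HijackThis or of Avenger: it parses O4/O20 lines of the format shown in the tutorial, extracts the file each one loads, matches it against the files named above (case-insensitively, since NTFS paths are case-insensitive), and renders the Avenger “Files to delete:” block from the matches. The two benign entries in the sample log (SoundMan, crypt32chain) are constructed for illustration and are not from the page; the AppInit DLL ends up in the generated list even though the tutorial's Avenger script leaves it out.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log. The first four lines are the entries the tutorial above has you
# fix in HijackThis; the last two are made-up benign entries (not from the page) so the
# matcher has something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\system32\vxgame6.exe3584.exe
O20 - AppInit_DLLs: C:\WINNT\system32\svchqk.dll
O20 - Winlogon Notify: s_reg - C:\WINNT\SYSTEM32\notifysb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: crypt32chain - crypt32.dll
""".strip()

# Files named in the tutorial (the Avenger list plus the AppInit DLL), lower-cased.
KNOWN_BAD = {
    r"c:\winnt\system32\vxgame6.exe3584.exe",
    r"c:\winnt\system32\kernels8.exe",
    r"c:\winnt\system32\notifysb.dll",
    r"c:\winnt\system32\svchqk.dll",
}


@dataclass
class Entry:
    line: str        # HijackThis line as logged
    mechanism: str   # e.g. "HKLM\..\Run", "AppInit_DLLs", "Winlogon Notify"
    name: str        # Run value name or Notify subkey; "" for AppInit_DLLs
    path: str        # file the entry loads, as logged


O4_RE = re.compile(r"^O4 - (HK[A-Z]{2}\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# Executable part of a Run command line: a quoted path, or an unquoted path whose
# extension is followed by whitespace or end of string. The lookahead is what keeps a
# name such as vxgame6.exe3584.exe from being cut off at its first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|com|scr|pif|bat|cmd))(?=\s|$)', re.I)


def command_target(cmd: str) -> str:
    """Strip arguments from an O4 command line, returning only the file it launches."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def parse_log(text: str) -> List[Entry]:
    """Turn O4/O20 lines into Entry records; other HijackThis sections are ignored here."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry(line, m.group(1), m.group(2), command_target(m.group(3))))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is a space- or comma-separated list, and every DLL in it is
            # loaded into each process that links user32.dll, so record them one by one.
            for dll in re.split(r"[,\s]+", m.group(1).strip()):
                if dll:
                    entries.append(Entry(line, "AppInit_DLLs", "", dll))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(Entry(line, "Winlogon Notify", m.group(1), m.group(2).strip()))
    return entries


def normalize(path: str) -> str:
    """NTFS paths are case-insensitive, so compare lower-cased and without quotes."""
    return path.strip().strip('"').lower()


def flag_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target is one of the files named in the tutorial."""
    return [e for e in entries if normalize(e.path) in KNOWN_BAD]


def avenger_script(flagged: List[Entry]) -> str:
    """Render the 'Files to delete:' block the tutorial pastes into Avenger. Avenger needs
    full paths, so bare file names (which Windows resolves via the search path) are skipped."""
    files, seen = [], set()
    for e in flagged:
        key = normalize(e.path)
        if "\\" not in key or key in seen:
            continue
        seen.add(key)
        files.append(e.path.strip().strip('"'))
    return "\n".join(["Files to delete:", *files]) + "\n"


if __name__ == "__main__":
    hits = flag_entries(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f"{e.mechanism:16} {e.name or '-':12} {e.path}")
    print(avenger_script(hits))
```

Run it as-is and it prints the four matching entries and the Avenger block for them. It works on a saved log, not the live registry, and it only recognises the file names this post lists; variants that use random names (as the SpywareSheriff post below describes) need a different signal, such as where the file lives and what loads it, rather than a fixed name list.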
May 7, 2006 on 6:34 am | In Tutorials - "How to" | No Comments
New rogue antispyware - SpywareSheriff
SpywareSheriff is a new rogue antispyware application that is starting to infect a lot of users. This particular infection is harder to remove than other variants such as SpywareQuake and SpyFalcon, because it uses random names for its files. It is, though, easy to tell when you are infected with this malware.

When infected, your Internet Explorer home page will be set to about:blank, which opens the screen shown below. If you attempt to change your home page to another site, it will be reset to the one below.

Then when you click on the page, it will take you to the url http://antispylab.com/
You will also periodically get fake taskbar messages such as the following:
Alert! Trojan.Virus.Z.32.exe launch attempt detected…
It is recommended that you run a full system scan now to
reveal other possible threats. Click here to download spyware
remover.
Internet attack attempt detected…
Somebody’s trying to infect your system with spyware or
harmful viruses. Run system scan now to secure your PC from Internet
attacks and hijacking attempts!
Click here to download spyware remover now…
Alert!
Trojan.Virus.Z.32.exe launch attempt detected and blocked!
It is recommended that you run a full system scan to reveal other
possible threats.
Click here to visit Security Center web site and protect your system
against spyware and harmful viruses…
Credit card hijacking attempt detected…
This is a result of harmful spyware activity.
Scan your PC now to reveal and remove malicious spyware.
Visit Windows Security site to download antispyware…
The application is distributed at antispylab(dot)com and spywaresheriff(dot)com.
If you can't uninstall or remove it, we can help: post in the Spyware Removal Forum.
Thanks to Bleeping Computer Blog
May 5, 2006 on 7:44 am | In Rogue Anti Spyware | No Comments
New ransomware found
A new piece of ransomware, called Ransom.a by most AV vendors, has been spotted in the wild.
Evidence received so far suggests that this Trojan can be found on P2P networks.
The malware poses as a Windows Mobile application; despite that description, it only runs on Win32.
When the user is infected and reboots his machine, he will be greeted with a full screen message when he logs on.
The screen tries its best to stay on top of all windows and is highly annoying, it also shows pornographic images.
The message which is presented to the user is quite long, but in short:
Pay $10.99 via Western Union otherwise you will keep getting this screen.
One file per 30 minutes will be deleted from the hard drive. Deleted files will be restored when you have paid up and entered the proper unlock code.
Antivirus software can not detect this virus, nor can it detect the hidden folders in which the deleted files are stored.
When entering a false unlock code there’s also a message stating that the hard drive will crash in 3 days.
However, there's a catch: none of these destructive routines actually work!
I think we have an interesting development going on here: there are two different types of ransomware.
Real ransomware, which encrypts your data or does other nasty stuff.
And malware which claims to do all sorts of nasty stuff but actually doesn’t. It’s bluffing, like bluff poker.
How is an average user going to check if all of his files are still there? He’s not.
Losing a file every 30 minutes is a scary thought, made up by the criminal in an effort to pressure the user to act quickly and pay up.
Ransomware has received a lot of media attention, and now criminals are simply trying to bluff people into giving up their money instead of having to write difficult code.
I just hope that people have remembered the most important thing about ransomware: Do not pay up, contact AV vendors for help.
May 1, 2006 on 8:53 am | In Virus | No Comments
Internet Explorer “object” Tag Vulnerability
Michal Zalewski has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the processing of certain sequences of nested “object” HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site.
Successful exploitation may allow execution of arbitrary code, but has not been proven.
NOTE: During analysis, Secunia discovered a variant of this vulnerability and confirmed code execution on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected. Details about this variant will not be publicly disclosed at present, but have been sent to Microsoft, who are currently working on a patch.
To protect your PC until a patch is available, do not visit untrusted web sites.
May 1, 2006 on 8:30 am | In Exploits & Vulnerabilities | No Comments
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.