This item slid past Nod & ProcessGuard

On Sep. 8 I was looking for information on Calcet, an over-the-counter triple strength calcium supplement that my mom uses for aches in her legs. I searched Yahoo and got these results. Result # 8 took me to a site called www.[color=red]DANGER[/color].mamaha.info/drugs/CalCet.htm Once the Mamaha page(s) started opening and IE 6 SP2 could not close them I manually rebooted my PC. Upon restart I immediately updated Spybot and scanned my system. There were 3 or 4 registry changes and I fixed them with Spybot (I saved the logs).

My Nod 2.7 was updated fully updated for Sep. 8 and I had performed a full scan a few days prior to the Mamaha incident. I also have the free edition (v3.150) of ProcessGuard (don't know if there are updates to this), SpywareBlaster, Spybot, Ad-Aware SE (free) and the Comodo Firewall Pro (v2.4.18.184, Database Version 3.0). My system is XP SP2 with the Windows firewall on. I have Nod (IMON, too) installed with the Blackspears settings, btw.

So, what happened here? I think that my Spybot & SpywareBlaster were not fully updated at the time of the Mamaha problem but why did Nod/IMON and ProcessGuard miss it (the registry changes)?

 

I am trying to figure out why this was buried down here?

 

Pretty simple actually. The member has a question concerning Nod and Process Guard which can best be discussed in the location it resides. There are also other questions that need to be considered given what transpires when visiting the link presented. So if you don't mind we'll continue with the assistance in this "buried down here" location


Hello Bizadi,

One question I have before commenting further.

How is your IE6 Sp2 setup. Reason I ask is because each and everytime I visit that link I eventually have to select Run, Save or Cancel concerning a file they want to install. If I select Save....Imon pops up each and every time regardless.

 

good enough for me.

 

Tools > Internet Options > Security > Internet > Custom Level >

.NET Framework-reliant components

• 
  Run components not signed with Authenticode - Enable

• Run components signed with Authenticode - Enable

ActiveX controls and plug-ins

• Automatic prompting for ActiveX controls - Disable

• Binary and script behaviors - Enable

• Download signed ActiveX controls - Prompt

• Download unsigned ActiveX controls - Disable

• Initialize and script ActiveX controls not marked as safe - Disable

• Run ActiveX controls and plug-ins - Enable

• Script ActiveX controls marked safe for scripting - Enable

Downloads

• Automatic prompting for file downloads - Disable

• File download - Enable

• Font download - Enable

Miscellaneous

• Access data sources across domains - Disable

• Allow META REFRESH - Enable

• Allow scripting of Internet Explorer webbrowser control - Disable

• Allow script-initiated windows without size or position constraints - Disable

• Allow Web pages to use restricted protocols for active content - Prompt

• Display mixed content - Prompt

• Don't prompt for client certificate selection when no certificates or only one certificate exists - Disable

• Drag and drop or copy and paste files - Enable

• Installation of desktop items - Prompt

• Launching programs and files in an IFRAME - Prompt

• Navigate sub-frames across different domains - Enable

• Open files based on content, not file extension - Enable

• Software channel permissions - Medium safety

• Submit nonencrypted form data - Enable

• Use Pop-up Blocker - Enable

• Userdata persistence - Enable

• Web sites in less privileged web content zone can navigate into this zone - Enable

Scripting

• Active scripting - Enable

• Allow paste operations via script - Enable

• Scripting of Java applets - Enable

User Authentication

• Logon - Automatic logon only in Intranet zone

 

Hi Bubba,

Before you start "tearing into" me for my seemingly stoopid IE 6 Security settings I want to note that this is the first time in probably 1.5 years that anything has made it thru my defenses. I typically visit the same sites and nothing has been a problem so far, although I admit to being dubious of the Mamaha site name (if nothing else). My Spybot and SpywareBlaster had not been updated but both were maybe 1 month out-of-date.

I do have Firefox but have never been able to warm up to it. Same with IE 7 but it was about 1.5 years ago that I tried it. Btw, I now have version 3.400 of ProcessGuard (free). Perhaps you could review what my correct IMON settings should be (I have only glanced at the new "simpler" Blackspear thread in the Nod forum).

What else - I DO use Java Runtime Environment and see that it wants to update now. I have tried HOSTS file "managers" in the past and found them to be incredibly frustrating so I admit to being gunshy of them. My 'net connection is dial-up (PeoplePC, but not their software). I am the only user of this PC.

If I have not said it, Thank You for tackling this issue. Also, sorry for including PG in the thread title - I did not realise that that was an issue for posting.

 

Thread titles are easily changed and if that's your wish We'll be glad to make this strictly an IMON problem and I'll adjust the title accordingly. I picked IMON because IMHO you do need to focus on those settings since IMON properly set defeats any and all that site wanted to dish out.

Unless I overlooked something....nothing causes me to offer any suggestions....especially if you are comfortable with them.

I am still puzzled that the install file was able to Run without user intervention

Bubba

 

I just checked the "Extra Settings" thread for Nod and my IMON settings are exactly as recommended. I did switch some programs/apps from "higher compatability" to "higher efficiency".

Interestingly, about an hour ago when I was getting to Page 3 in the Extra Settings thread I decided that I had too many IE 6 windows open so went to close one or two by right-clicking and selecting "close" and then hundreds of new windows started to "cascade open". I manually rebooted and updated Spybot to 9/12 and updated SpywareBlaster. Spybot says I'm clean. I am running an In-depth Analysis with Nod now. I will post back with the results, probably later tomorrow.

One more thing: I added www.[color=red]DANGER[/color].mamaha.info/drugs/CalCet.htm to IE's Restricted Sites list back on the 8th.

 

Just finished the In-depth Analysis and Nod says that there are no threats.

 

The malicious link has changed to #9 on the link above... the host of the malware is h**p://www.sex2person.info/xxxxxx/... Its a java script detected by a some AVs on VT... save the webpage, upload it to VT and you can see which AVs detect it. I will forward it to the AVs which do not have the detection yet.

*note: link has been intentionally broken and xxxx's signify other characters... will only be given to Mods or those who work in a AV firm upon request (link posted encase users wish to add it to Host file)

 

I am assuming firefox and opera do not allow this sort of malware from running. Does the safari browser for windows not allow it either? And how should IE7 be set up to prevent this from running? I checked out some of those script blockers (script sentry, etc- but they all seemed very old and outdated, like from 2001-02). Is there anything more recent to work in IE7?

 

If I not mistaken Process Guard doesn't monitor the registry and if there wasn't any executable dropped and executed then there is nothing that PG can detect.
If the exploit is not detected by signatures or heuristics Nod32, or any other AV, cannot do anything.