Anybody heard of these?

Discussion in 'other security issues & news' started by Clayhead, Dec 3, 2005.

Thread Status:
Not open for further replies.
  1. Clayhead

    Clayhead Registered Member

    Joined:
    May 11, 2004
    Posts:
    7
    Location:
    Stoke on Trent
    I've got 3 popups that manage to make it through my popup stopper; they all have more or less the same message, and that is that I have spyware on my computer (despite the anti spyware I have installed) and that I need to go to their websites to download the latest programmes.
    The sites are
    www,regfix.com
    www,pcspywarescan.com
    www,scanfix.net
    Does anybody have any ideas as to what these sites are? I'm not going to go, just in case it causes problems.
     
    Last edited by a moderator: Dec 3, 2005
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Just out of curiosity can u tell us what anti-spyware apps u are presently using?



    snowbound
     
  3. Clayhead

    Clayhead Registered Member

    Joined:
    May 11, 2004
    Posts:
    7
    Location:
    Stoke on Trent
    I'm using an anti spyware I got from my ISP, it came direct from btyahoo.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Thanks, i'm almost sure i have seen those sites listed here before and if i'm not mistaken it was caused by a rogue anti malware app or some other kind of malware. I'll keep diggin to see if i can turn up something.


    snowbound
     
  5. Clayhead

    Clayhead Registered Member

    Joined:
    May 11, 2004
    Posts:
    7
    Location:
    Stoke on Trent
    Thank you
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You're welcome. :)

    In the meantime u might want to post a HijackThis log over at this site,

    http://gladiator-antivirus.com/forum/index.php?showtopic=10517

    just to make sure u aren't infected with some type of malware.

    The experts there will analyse your log and give u recommendations on any infections found.


    snowbound
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If they are, it also leads one to ask are you behind a firewall?

    Regards,

    CrazyM
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I used Firefox v1.5 with AdBlock extension:
    - 1st link no popup
    - 2nd link no connection
    - 3rd link no popup
    I don't remember seeing popups since I use Firefox. Weird but good.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Snowbound is correct - all of these are traced back to Fake Microsoft Messenger Alerts. See this thread:

    Response to "Messenger service"
    http://www.helpscreen.com.au/index.php?msgid=1788006693&cid=7

    I heard of a recent situation where the user believed a similar message, so I decided to test two of the sites to see how they work.

    1) pcspywarescan.com

    Clicking on that URL redirects to myspywarecleaner.com:

    __________________________________________________________
    http://www.rsjones.net/img/spywarclean1.gif
    ___________________________________________________________

    Spyware Cleaner is listed on the rogue anti-spyware site:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm:

    Most recent additions: Spyware Cleaner (11-17-05)
    False positives work as goad to purchase
    ----------------------------------


    The executable is associated with other Spyware cleaners at tasklist.org:

    Filename: freescan.exe
    Name: Spyware Begone
    Description: Spyware BeGone - free spyware removal utility. Not recommended
    -------------------------------------------

    I downloaded and ran the Scan - My Sonic DVD program is included as "Extreme Risk Spyware":

    _____________________________________________________________
    http://www.rsjones.net/img/spywarclean2.gif
    ____________________________________________________________




    2) scanfix.net

    Again, this is a re-direct, this time to repairregpro.com:

    http://www.rsjones.net/img/regrepair1.gif
    _____________________________________________________________

    The name of the program, Repair Registry Pro is a spoof on a legitimate program, Registry Repair Pro:

    http://registry-repair-software-review.toptenreviews.com/registry-repair-pro-review.html

    One poster in another forum listed his Messenger Popup:

    -------------------------------------------------
    Message from Microsoft to System

    STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

    Windows has found 48 Critical System Errors.

    To fix errors please do the following:

    1. Download Repair Registry Pro from: refixup.com
    2. Install Repair Registry Pro
    3. Run Repair Registry Pro
    4. Reboot your computer

    FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!

    ___________________________________________________________

    I ran the scan - (Ouch! found 1153 errors)


    http://www.rsjones.net/img/regrepair2.gif
    _________________________________________

    Naturally, you will want to get the newer version:

    http://www.rsjones.net/img/regrepair3.gif

    _____________________________________

    Following the Registration links eventually gets to the order form where you enter your credit card info, etc.
    ---------------------

    All of this looks legitimate and could easily fool the unsuspecting user. Best practices, of course, are to use trusted scanners. Some posters here list scanning sites in their signature - bigc and a few others, for example.


    regards,

    -rich

    ________________
    ~~Be ALERT!!! ~~
     
  11. Clayhead

    Clayhead Registered Member

    Joined:
    May 11, 2004
    Posts:
    7
    Location:
    Stoke on Trent
    Thanks for the advice everyone, it is very much appreciated.
    They are coming through Windows messenger, or at least they were. I double checked my firewall and they now appear to have stopped; however, I'm still going to go to gladiator and post a HijackThis log.

    Cheers everyone.
    :D
     