Auto-installing spyware

Discussion in 'other security issues & news' started by jsmsb, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The only 100% protection a user can achieve is by cutting the cord....however....the chances of being of exploited can be diminished when users understand how they are being exploited....whether it's via a browser, e-mail, clicking all downloads....etc. The answer is not always an alternative !
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    When I went to the original page indicated in the first post, I noticed the warning bar across the top of IE (screenshot), so I checked the Privoxy log and it had this to say:

    Jan 29 07:48:31 Privoxy(02616) Request: www.gamesloth.com/games/miniputt.html
    Jan 29 07:48:32 Privoxy(01748) Request: www.gamesloth.com/games/style.css
    Jan 29 07:48:33 Privoxy(02764) Request: www.gamesloth.com/games/aframe.html
    Jan 29 07:48:33 Privoxy(02780) Request: www.gamesbanner.net/work/show.php4?from=chrs1335&rnd=7980
    Jan 29 07:48:33 Privoxy(02784) Request: miniputtgames.com/miniputt1.shtml
    Jan 29 07:48:33 Privoxy(02412) Request: popinads.com/popin.php?id=chrs1335&subid=3174&delay=0&dir=4 crunch!
    Jan 29 07:48:34 Privoxy(02824) Request: mmm.media-motor.net/install.php?allowsp2=0&protect=no&ttmr=0&retry=0&aff=gsloth&mincook=1440&testforcook=1&lfir=1
    Jan 29 07:48:34 Privoxy(02820) Request: www.gamesloth.com/games/style.css
    Jan 29 07:48:35 Privoxy(02936) Request: public.windupdates.com/prompt.php?h=829f69c63722f2a7b90c050f4d6ce22d355a438cc6f510216d4ae2c23a266258caaf20a226c67b2596506263c020608e61d768c01f8fab3cb614a1585c140ae4d13c11300b8d3ba528d0db8fa4ef7813aceeb&k=dc69d02639a84a58c1501951dabb54db
    Jan 29 07:48:37 Privoxy(03120) Request: www.gamesloth.com/subscribe.php
    Jan 29 07:48:37 Privoxy(02644) Request: popunder.paypopup.com/popup.php?id=chrs1335&pop=exit&t=3&subid=10691&blk=2
    Jan 29 07:48:37 Privoxy(02788) Request: static.windupdates.com/prompts/a074a174/dc69d02639a84a58c1501951dabb54db.js
    Jan 29 07:48:38 Privoxy(02956) Request: www.gamesloth.com/style.css
    Jan 29 07:48:38 Privoxy(03172) Request: www6.paypopup.com/popup.php?id=chrs1335&pop=exit&t=3&subid=10691&blk=2
    Jan 29 07:48:38 Privoxy(03956) Request: www.ugotgames.com/images/miniputt-topper.jpg
    Jan 29 07:48:38 Privoxy(03236) Request: miniputtgames.com/ps2.jpg
    Jan 29 07:48:38 Privoxy(02208) Request: www.gamesbanner.net/work/show.php4?from=miniputtgames&rnd=7146
    Jan 29 07:48:38 Privoxy(03244) Request: www3.addfreestats.com/cgi-bin/afstrack.cgi crunch!
    Jan 29 07:48:40 Privoxy(03372) Request: public.windupdates.com/logging.php?p=7277806148afcec9e08d7fafbaebc4128ed35d35363ee729d81ea182b9337ea7e67d3ac9c026f90f12:3838396136363936363634316361323934623831353334313539373638303830&b=Internet%20Explorer:6.0%20SP2%28SV1%29:winxp:flash&s=http%3A//miniputtgames.com/miniputt1.shtml
    Jan 29 07:48:40 Privoxy(03296) Request: config.privoxy.org/send-stylesheet cgi call
    Jan 29 07:48:40 Privoxy(03296) Request: config.privoxy.org/send-stylesheet crunch!
    Jan 29 07:53:14 Privoxy(03140) Request: miniputtgames.com/w3c/p3p.xml
    Jan 29 07:53:38 Privoxy(00272) Request: miniputtgames.com/privacy.htm
    Jan 29 07:54:15 Privoxy(03828) Request: public.windupdates.com/prompt.php?h=829f69c63722f2a7b90c050f4d6ce22d355a438cc6f510216d4ae2c23a266258aaf20a226c67b2596506263c020608e61d768c01f8fab3cb614a1585c140ae4d13c11300b8d3ba528d0db8fa4ef7813aceeb&k=dc69d02639a84a58c1501951dabb54db
    Jan 29 07:54:25 Privoxy(02660) Request: www.gamesbanner.net/work/show.php4?from=miniputtgames&rnd=4665
    Jan 29 07:54:25 Privoxy(01776) Request: www3.addfreestats.com/cgi-bin/afstrack.cgi crunch!
    Jan 29 07:54:27 Privoxy(03764) Request: public.windupdates.com/logging.php?p=7277806148afcec9e08d7fafbaebc4128ed35d35363ee729d81ea182b9337ea7e67d3ac9c026f90f12:3838396136363936363634316361323934623831353334313539373638303830&b=Internet%20Explorer:6.0%20SP2%28SV1%29:winxp:flash&s=http%3A//miniputtgames.com/miniputt1.shtml
    Jan 29 07:55:07 Privoxy(01860) Request: www.miniputtgames.com/
    Jan 29 07:55:13 Privoxy(02748) Request: www.ugotgames.com/images/miniputt-topper.jpg
    Jan 29 07:55:13 Privoxy(01072) Request: www.ugotgames.com/images/miniputt2thumb.jpg
    Jan 29 07:55:13 Privoxy(02648) Request: www.ugotgames.com/images/miniputt3thumb.jpg
    Jan 29 07:55:13 Privoxy(02752) Request: www.ugotgames.com/images/miniputt1thumb.jpg
    Jan 29 07:55:13 Privoxy(02096) Request: www.miniputtgames.com/images/holiday_mini_putt.jpg
    Jan 29 07:55:13 Privoxy(02096) Request: www.miniputtgames.com/images/holiday_mini_putt.jpg
    Jan 29 07:55:13 Privoxy(02772) Request: www.ugotgames.com/images/multi-miniputt-thumb.jpg
    Jan 29 07:55:13 Privoxy(01748) Request: www.ugotgames.com/images/multi-minigolf2-thumb.jpg
    Jan 29 07:55:13 Privoxy(04008) Request: www.miniputtgames.com/ps2.jpg
    Jan 29 07:55:13 Privoxy(02796) Request: www.gamesbanner.net/work/show.php4?from=miniputtgames&rnd=7859
    Jan 29 07:55:19 Privoxy(03120) Request: www3.addfreestats.com/cgi-bin/afstrack.cgi crunch!

    Getting the ActiveX warning was all it took to let me know something hinky would have gone on had I not had ActiveX blocked. (IOW, I wouldn't have gone any farther on that site even if I had stumbled across it by accident - not played any of the games, not clicked any of the links on the page, etc.).

    Another post forthcoming in a minute. Pete
     
    Last edited by a moderator: Jan 29, 2005
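    As an added example (not from the thread or from any poster), a small Python audit that parses log lines in the same shape as Pete's Privoxy log and reports which requests to the install-chain hosts Privoxy blocked ("crunch!") and which it let through. The sample lines and the host watchlist are constructed here from the hosts named in the post; the timestamps, PIDs and hash values in the sample are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the Privoxy log quoted above.
# Hosts/paths are the ones the post shows; PIDs, times and hashes are made up.
SAMPLE_LOG = """\
Jan 29 07:48:31 Privoxy(02616) Request: www.gamesloth.com/games/miniputt.html
Jan 29 07:48:33 Privoxy(02412) Request: popinads.com/popin.php?id=chrs1335&subid=3174&delay=0&dir=4 crunch!
Jan 29 07:48:34 Privoxy(02824) Request: mmm.media-motor.net/install.php?allowsp2=0&protect=no&ttmr=0&retry=0&aff=gsloth
Jan 29 07:48:35 Privoxy(02936) Request: public.windupdates.com/prompt.php?h=deadbeef&k=cafef00d
Jan 29 07:48:40 Privoxy(03296) Request: config.privoxy.org/send-stylesheet cgi call
Jan 29 07:48:40 Privoxy(03296) Request: config.privoxy.org/send-stylesheet crunch!
"""

# One Privoxy "Request:" line; "crunch!" means Privoxy blocked the request.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) Privoxy\((?P<pid>\d+)\) "
    r"Request: (?P<url>\S+)(?P<crunch> crunch!)?(?: cgi call)?$"
)

# Assumption: a defender's watchlist built from the hosts in the install chain.
WATCHLIST = ("media-motor.net", "windupdates.com", "popinads.com", "paypopup.com")


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a request."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit("http://" + m["url"])  # log omits the scheme
    return {
        "ts": m["ts"],
        "host": parts.hostname,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "blocked": m["crunch"] is not None,
    }


def host_on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit(log_text):
    """Split watchlisted requests into (allowed, blocked) lists of (host, path)."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not host_on_watchlist(rec["host"]):
            continue
        (blocked if rec["blocked"] else allowed).append((rec["host"], rec["path"]))
    return allowed, blocked


if __name__ == "__main__":
    passed, stopped = audit(SAMPLE_LOG)
    print("let through:", passed)
    print("crunched:   ", stopped)
```

    In the sample, the pop-up host is crunched but the media-motor install request and the windupdates prompt go through, which matches what the log above shows happening before the ActiveX warning bar appeared.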
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    WARNING: DO NOT visit the site from the first post of this thread using IE with low security settings. That's the best way of not getting infected: just don't visit the site, and that site can't infect you.
    This is just a piece of safety advice for those people using IE with low security settings.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Anyone using IE on Low Security settings definitely needs to cut the cord :mad:

    @Pete....I fixed your post so that it would not blow the margin.
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, sir.

    I forgot to include the screenshot anyway (and I hope THAT doesn't blow the page-width again!):
     
  6. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    I visited that page from my xp install inside of vmware. I'll post the adaware log as an attachment.
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    When I clicked on the bar, I got a report - I'm not sure why that site wound up in the "Restricted" Zone.

    Either IE placed it there due to the use of the ActiveX stuff, or one of those sites that attempted access were already in my hosts file. Pete
     
  8. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    This is funny... check out this log from my unprotected Windows install. This was just a few minutes... I started lagging out after that.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Spybot Search and Destroy found nothing.

    Ad-Aware found CWS:

    Vendor:CoolWebSearch
    Category:Malware
    Object Type:RegValue
    Size:4 Bytes
    Location:software\microsoft\internet explorer\main "Enable Browser Extensions"
    Last Activity:29-01-2005
    Risk Level:Low
    TAC index:10
    Comment:
    Description:Malware, Hijacker. Hijacks Browser pages, default search-engine and HOSTS file. Installs unsolicited, runs stealth. (Also known as CWS hijack)

    And while the scan was going on Nod32's AMON pounced:

    Time Module Object Name Virus Action User Info
    29/01/2005 23:20:32 PM AMON file C:\DOCUME~1\PCUSER~1\LOCALS~1\Temp\AAWTMP\C52607312\30C7D2\new_uninstall.exe Win32/TrojanDownloader.Swizzor.CK trojan error while deleting
    This was from clicking on the link in the HJT Log... after which MJ's Registry Watcher goes ballistic...
     
  10. jsmsb

    jsmsb Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    9
    I wanted to thank all of you who responded promptly to my questions, and to those who gave the helpful suggestions on securing my browser. I had loosened some of my security settings because I got annoyed by having to give permission for active content to run; most of the time it was from sites I know to be safe.
     
  11. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Here's something quick I wrote (For Proxomitron)

    Code:
    [Patterns]
    Name = "Windupdates Remover [Kye-U]"
    Active = TRUE
    URL = "($TYPE(htm)|$TYPE(js))"
    Limit = 512
    Match = "$AV(http://\w.windupdates.com/*)"
            "|<!-- AUTO PROMPT START*AUTO PROMPT END -->"
    This should get rid of the problem ;)
     
    Last edited: Jan 29, 2005