New Dialer: ConnectSwitch

Discussion in 'SpywareBlaster & Other Forum' started by alphaZer0, Oct 21, 2003.

Thread Status:
Not open for further replies.
  1. alphaZer0

    alphaZer0 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    6
    Hello,

    I found a nasty dialer ConnectSwitch at this popup 64.237.52.181/2003/Fresh_MP3s.htm.

    Its a active-X control that install dialersoftware on the computer.
    Warning: it opens a endless chain of popups when u refuse the installation

    I have installed it on my testcomputer for this kind of purpose.

    It don't install a CLSID key but this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}

    I made the custom key in SpywareBlaster and it works just fine :cool:

    (Sorry about my poor english)

    Greetz

    alphaZer0
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi alphaZer0,

    Good find. Looking at the code on that page, it's this one: http://securityresponse.symantec.com/avcenter/venc/data/dialer.lohan.html

    So the CLSID of the main component is already in SpywareBlaster:
    {8B22270A-71D9-4AB9-B11A-2EA1E5292F42} (under MSConnect)

    Regards,

    Pieter
     
  3. alphaZer0

    alphaZer0 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    6
    H Pieter,

    Sorry, but its not the same.
    I have tested it over again without my selfmade protection and i get still this activex.
    With protection it works.

    Greetz

    AlphaZer0
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi alphaZer0,

    I'm not arguing about the ActiveX, that is a new one. But the dialer itself should not work with SpywareBlaster's protection.

    I'll PM you about the site where I found it thanks to your post.

    Regards,

    Pieter
     
  5. alphaZer0

    alphaZer0 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    6
    Hi Pieter,

    In the link You give i read:

    4° Adds the subkey:

    {8B22270A-71D9-4AB9-B11A-2EA1E5292F42}

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\


    I use the tool 'Active Registry Monitor' to find out what is changed to the system.

    I found the key i have published earlier:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}


    Its a different key and its not blokked in SpywareBlaster

    If you dont believe me just test it. ( on your own risks) ;)


    Greetz

    alphaZer0
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I believe you, but don't worry: I will. ;)

    Regards,

    Pieter
     
  7. alphaZer0

    alphaZer0 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    6
    Thanks ;)

    alphaZer0
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Nice catch! :D

    I'll have protection for this added in the next database update of SpywareBlaster.

    Thanks!

    Best regards,

    -Javacool
     
Thread Status:
Not open for further replies.