TrojanDownloader.Win32.Apropo.d

Discussion in 'SpywareBlaster & Other Forum' started by onixxl, May 23, 2004.

Thread Status:
Not open for further replies.
  1. onixxl

    onixxl Guest

    SpywareBlaster has not stopped the trojan identified by the Kaspersky Anti-Virus product. I can send you the file in a RAR archive. Should I?
    SysAI.exe - TrojanDownloader.Win32.Apropo.d
     
  2. MCT

    MCT Registered Member

    Joined:
    Mar 10, 2004
    Posts:
    300
    Spyware Blaster isn't a trojan defense system, it is a spyware defense. It adds info (killbits) to the registry to stop sites from showing ActiveX.

    it also has cookie & restricted site protection

    hope this helps a bit :D
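The killbit mechanism mentioned in the post above, as an added example that is not part of the original thread and not SpywareBlaster's own code. It assumes the Microsoft-documented location (`ActiveX Compatibility\{CLSID}`, `Compatibility Flags` bit `0x400`) and runs over a constructed `.reg` export with placeholder CLSIDs.

```python
import re

KILL_BIT = 0x00000400  # "kill bit" in Compatibility Flags (Microsoft-documented)
AX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample in .reg export format; the CLSIDs are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00800400
'''

def parse_compat_flags(reg_text):
    """Return {CLSID (upper case): Compatibility Flags} from a .reg export."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            parent, _, leaf = line.strip("[]").rpartition("\\")
            # Only direct children of the ActiveX Compatibility key count.
            clsid = leaf.upper() if parent.lower() == AX_COMPAT.lower() else None
        elif clsid:
            m = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                flags[clsid] = int(m.group(1), 16)
    return flags

def is_killed(flags, clsid):
    """True only if this exact CLSID is listed AND has the 0x400 bit set."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)

if __name__ == "__main__":
    flags = parse_compat_flags(SAMPLE_REG)
    for clsid in sorted(flags):
        print(clsid, "blocked" if is_killed(flags, clsid) else "not blocked")
```

A killbit list is a per-CLSID blocklist: a control whose CLSID is not in the list, or whose entry carries other flags only, is not blocked.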
     
  3. onixxl

    onixxl Guest

    I think it's an ActiveX-based trojan. It was self-downloaded using a popup window and I couldn't do anything. Can you advise me on something to prevent such cases in future?
     
  4. MCT

    MCT Registered Member

    Joined:
    Mar 10, 2004
    Posts:
    300
    I would say a good antivirus is KEY; NOD32 is what I use.

    Also, make sure your browser isn't set to auto-accept ActiveX, or use Mozilla/Firefox, which I also use, and a good popup blocker (I like Firefox's default popup blocker) and firewall; I use Kerio Personal Firewall.

    hope this helps :D
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Make sure you have all the current Windows Updates.


    snowbound
     
  6. MCT

    MCT Registered Member

    Joined:
    Mar 10, 2004
    Posts:
    300
    Ya, sorry, I forgot to mention that when replying to his post.

    :oops:
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  8. onixxl

    onixxl Guest

    To all!
    Thanks for the advice.
    First of all I’d like to say – My post should be read as a wish to improve SpywareBlaster.
    I’ve got all Microsoft updates, SpywareBlaster is running too. Anyway, I’ve been infected by this trojan.
    I’ve found that ****ing url. Please be very confident in your security before visiting it.
    h**p://www.soundclick.com/bands/2/millerboymusic.htm
    It contains code like:

    <!-- FASTCLICK.COM 468x60 v1.4 for soundclick.com -->
    <script language="Javascript"><!--
    var i=j=p=t=u=x=z=dc='';var id=f=0;var f=Math.floor(Math.random()*7777);
    id=237; dc=document;u='ht'+'tp://media.fastclick.net/w'; x='/get.media?t=n';
    z=' width=468 height=60 border=0 ';t=z+'marginheight=0 marginwidth=';
    i=u+x+'&sid='+id+'&m=1&f=b&v=1.4&c='+f+'&r='+escape(dc.referrer);
    u='<a hr'+'ef="'+u+'/click.here?sid='+id+'&m=1&c='+f+'" target="_blank">';
    dc.writeln('<ifr'+'ame src="'+i+'&d=f"'+t+'0 hspace=0 vspace=0 frameborder=0 scrolling=no>');
    if(navigator.appName.indexOf('Mic')<=0){dc.writeln(u+'<img src="'+i+'&d=n"'+z+'></a>');}
    dc.writeln('</iframe>'); // --></script><noscript>
    <a href="http://media.fastclick.net/w/click.here?sid=237&m=1&c=1" target="_blank">
    <img src="http://media.fastclick.net/w/get.media?sid=237&m=1&d=s&c=1&f=b&v=1.4"
    width=468 height=60 border=1></a></noscript>
    <!-- FASTCLICK.COM 468x60 v1.4 for soundclick.com -->
     
    Last edited by a moderator: May 23, 2004
  9. onixxl

    onixxl Guest

    <!-- FASTCLICK.COM POP-UNDER CODE v1.7 for soundclick.com -->
    <script language="javascript"><!--
    var doc=document; var url=escape(doc.location.href); var date_ob=new Date();
    doc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
    if(doc.cookie.indexOf('e=llo') <= 0 && doc.cookie.indexOf('2=o') > 0){
    doc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
    doc.write('/w/pop.cgi?sid=237&m=2&v=1.7&u='+url+'&c='+bust+'"></scr'+'ipt>');
    doc.cookie='he=llo; path=/;';} // -->
    </script>
    <!-- FASTCLICK.COM POP-UNDER CODE v1.7 for soundclick.com -->
     
  10. onixxl

    onixxl Guest

    Today I increased the security of my IE6, installed Spyware Guard and tried to connect to this site again. It offered to start an ActiveX script marked as safe.
    Report log of Spyware Guard:
    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 22:07:45 05.23.2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    New Value: http://ya.ru/
    User Action Taken: KEEP NEW VALUE

    --------------------------------------------------------------------------------
    NEW BHO DETECTION ALERT
    On 22:13:56 05.23.2004 a new BHO installation attempt was detected.
    BHO: {7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
    ProgramID: AdShield.AdShield
    File Location: C:\PROGRA~1\AdShield\AdShield\AdShield.dll
    User Action Taken: KEEP BHO
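A parser for the report format shown in the post above, as an added example that is not part of the original thread or of Spyware Guard. The field layout is inferred from the two alerts as posted, and the `MM.DD.YYYY` date order is an assumption based on the thread date.

```python
import re
from datetime import datetime

# The two alerts from the post above, copied as posted.
LOG = r"""--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 22:07:45 05.23.2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
New Value: http://ya.ru/
User Action Taken: KEEP NEW VALUE

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:13:56 05.23.2004 a new BHO installation attempt was detected.
BHO: {7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
ProgramID: AdShield.AdShield
File Location: C:\PROGRA~1\AdShield\AdShield\AdShield.dll
User Action Taken: KEEP BHO
"""

def parse_alerts(text):
    """Split the report on its dashed rulers; return one dict per alert."""
    alerts = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        alert = {"title": lines[0], "time": None}
        for line in lines[1:]:
            m = re.match(r"On (\d\d:\d\d:\d\d \d\d\.\d\d\.\d{4}) ", line)
            if m:  # assumed order: HH:MM:SS MM.DD.YYYY
                alert["time"] = datetime.strptime(m.group(1), "%H:%M:%S %m.%d.%Y")
                continue
            key, sep, value = line.partition(": ")  # first ": " ends the field name
            if sep:
                alert[key] = value
        alerts.append(alert)
    return alerts

def accepted_changes(alerts):
    """Alerts where the user let the change through (KEEP ...), for later review."""
    return [a for a in alerts if a.get("User Action Taken", "").startswith("KEEP")]

if __name__ == "__main__":
    for a in accepted_changes(parse_alerts(LOG)):
        print(a["time"], a["title"], a.get("BHO") or a.get("New Value"))
```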
     
  11. onixxl

    onixxl Guest

    ProgramID: AdShield.AdShield
    File Location: C:\PROGRA~1\AdShield\AdShield\AdShield.dll

    Here it is.
    SpywareBlaster automatically configures the IE setting to accept ActiveX scripts marked as safe.
     
  12. onixxl

    onixxl Guest

    Posts 8-11 are off the mark. Sorry))
     