VideoHelp Forum
  1. gll99 (Renegade), joined May 2002, Canadian Tundra
    Sorry that this is so long but a warning is in order and I cut a lot of stuff out.

    I just spent the last few hours cleaning junk off my computer.
    I have XP service pack one and all updates right up to date except sp2. I have it but am waiting to read about all the problems and solutions before I decide to install it.
    I have a router firewall, zonealarm pro and a virus checker. I also have webroot spysweeper on at all times and run adaware and another adaware type program every week. Zonealarm is at highest security and custom set to only allow certain trusted sites like videohelp to get through with cookies, popups etc... I also tailored all access by applications with the tightest limitations. I also have the google bar with popup protection in my IE6 and very few sites can popup or even display ads (videohelp is one of the few exceptions).
    Today while browsing a site with links to video freewares and shareware etc.. I start getting msg from zonealarm that program msbb.exe wants access to the internet. When I say no then lc.exe wants access. Again I say no then syncroad.exe wants access then winsync.exe, then webbates.exe and then bulleye.exe (names could be off a bit) and then some cryptic names.exe with mixtures of letters and numbers and on and on.
    I check for active tasks and I find all these program names in memory so I delete them but as soon as I do so they reappear. Now I know there's a controlling program somewhere in memory that is reactivating these as soon as it senses that they are deleted.
    Anyway this is going to be long so will shorten it. I cleaned my temp, checked the winxp/downloaded files directory. If you right click on files there you can check what is installed, ocx and numbered reg entries. I used all the info to search the registry by company name, ocx name and the long register keys that show up as part of the id info. I also closely checked my add/delete program folders using the control panel and found some suspicious names like windows sr 2.0 and even one called windows update (which it wasn't). That looked ok but it turned out to be one of the ad programs that installed itself with some freeware (don't know which). Many things I found pointed to these progs being activated by java scripts. I don't know if this is through IE6 or not but it's very suspicious. Innocent-looking buttons like "do you want to continue" could be hiding code that says do you want to install this app. Installing the freeware or shareware could then activate this previously installed code. I'm just guessing but there has to be a trick to get that many files and self protected code on a computer.
    Some of the registry keys had 10 to 20 references either under the name of the company, some long reference number or some names which I just happened to catch with wildcard searches or with part of the ocx name.
    Even after I rebooted there was an attempt on startup to install an exe with a totally different name from the temp directory but I had already deleted the file. I'm still trying to find the requesting app but there is nothing in the bootup sequence that stands out. I hope it's not being done by a trusted program. My virus checks and trojan progs have found nothing but then again they missed some of this crap. One java related ocx has been on my system since April 2004 and passed all my security checks but when I looked at the info on it I found that it's a dialer app vacpro.Canada_ver3.ocx dialer from www.advnt01.com (don't click on it). I've never heard of the place or been there so it had to come from a program or some malicious java code.
    Another that they sneaked on my computer which has a hidden reactivation file is IMU chatatwill and there was also another name to keep it active when deleted. I found quite a few links, ocx, reg keys etc... to persist this dialer. Again I think this is related to java code. Another one I thought was part of the google bar was called search assistant but when I tried to remove it it warned me I was going to miss out on special browser ads and specials etc.. It wasn't part of my google bar but another one of this java embedded code. After uninstall all of these progs left stuff in the registry and some of them had links to program directory exe, dll and ocx files. One app on delete from the control panel forced a questionnaire and opened a web page to send it as part of the delete sequence. There was no way to stop it. It was remove or stop the removal. If you say yes to remove then you also give permission to activate your browser. The jerks rubbed it in by displaying a web page with adaware and virus tools. Many of which I am already using.

    Anyway what is the web coming to?

    I'm not a noob at this! If you think you are protected and this can't happen to you then I say you probably know less about security than you think and you probably have some stuff on your pc too.

    I am concerned that code is either getting through the browser or more software is being designed with hidden code which is not being caught by current virus/trojan/adaware type software.
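The post above describes checking active tasks, the Downloaded Program Files directory, the registry and the startup sequence by hand. The script below is an added example, not code from this thread or from any of its posters: it lists the standard Windows auto-start registry values, the Browser Helper Object CLSIDs and the DLL each one loads, the contents of Downloaded Program Files (where ActiveX .ocx controls pulled in by web pages land), and running processes with their parent process IDs. It assumes a current Windows host with PowerShell 5.1 or later (PowerShell did not exist for XP in 2004); the registry paths and folder name are the standard Windows locations and nothing in it is taken from the thread. The ParentProcessId column is the part that helps with the respawning behaviour gll99 describes: a process that keeps reappearing after it is killed will usually show the same parent each time, and that parent is the controlling program to examine.

```powershell
# Added example (not from the thread): enumerate common Windows auto-start
# and browser-extension locations and list processes with their parents,
# so that the entries can be reviewed by hand. Assumes PowerShell 5.1+.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty attaches to every result; not registry values.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutoStartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMetadata -contains $p.Name) { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Browser Helper Objects: each subkey name is a CLSID; resolve it to the DLL
# registered under HKCR\CLSID\<clsid>\InprocServer32 so the file can be inspected.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    }
}

# Downloaded Program Files holds ActiveX controls installed by web pages
# (the .ocx files the post mentions). -Force also shows hidden entries.
function Get-DownloadedProgramFiles {
    $dir = Join-Path $env:WINDIR 'Downloaded Program Files'
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | Select-Object Name, Length, LastWriteTime
    }
}

# Running processes with image path and parent PID: a process that is
# repeatedly restarted after being killed will keep showing the same parent.
function Get-ProcessImagePaths {
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
}

Get-AutoStartEntries       | Format-Table -AutoSize
Get-BrowserHelperObjects   | Format-Table -AutoSize
Get-DownloadedProgramFiles | Format-Table -AutoSize
Get-ProcessImagePaths | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and every process's ExecutablePath are readable; an entry whose Command or Dll points into a temp directory, or a running process whose image file no longer exists on disk, is the kind of item the post describes chasing by hand.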
  2. thecoalman (Member), joined Feb 2004, Pennsylvania
    Originally Posted by gll99
    Today while browsing a site with links to video freewares and shareware etc...
  3. Rookie64
    Originally Posted by gll99
    I check for active tasks and I find all these program names in memory so I delete them but as soon as I do so they reappear. Now I know there's a controlling program somewhere in memory that is reactivating these as soon as it senses that they are deleted.
    I had that happen a while back - had to use the full version of Spy Hunter to get rid of 'em

    Spybot doesn't do much - you need a Parasite removal program to get rid of 'em.

    Spyhunter got rid of them and I haven't had that problem again.


    Originally Posted by gll99
    I am concerned that code is either getting through the browser or more software is being designed with hidden code which is not being caught by current virus/trojan/adaware type software.
    Had a couple trojans get through that Yahoo's Anti-Spy caught and removed...and quite a few tracking cookies.

    Only sites I visited between checks were Blockbuster and Netflix...so they are coming from them.

    I get the tracking cookies every time I go to either site but only had the trojans twice.
  4. thecoalman (Member), joined Feb 2004, Pennsylvania
    Originally Posted by Rookie64
    ...and quite a few tracking cookies.

    Cut them off at the source

  5. Rookie64
    Originally Posted by thecoalman
    Originally Posted by Rookie64
    ...and quite a few tracking cookies.

    Cut them off at the source

    Thanks!

    Don't know why I thought I needed to allow 'em in order to access my rental queue.

    That'll save me much time now 8)
  6. thecoalman (Member), joined Feb 2004, Pennsylvania
    If there's a specific site that won't work right and you want to allow cookies just from them there's a little icon that shows up on the bottom of IE that looks like a do not enter sign. Click the do not enter sign and right click the site you want to allow, select allow cookies.

    Such as this one, it won't log you in automatically unless you have cookies enabled.
  7. gll99 (Renegade), joined May 2002, Canadian Tundra
    Thecoalman wrote:
    gll99 wrote:
    Today while browsing a site with links to video freewares and shareware etc...
    That site first tried to change my home page and did but my protection software warned me and restored it. That's what got me curious at first but then after all the requests for access started. Just clicking on a site should not have allowed it to change my home page. I knew then that something was playing with my settings.

    Like I said I'm not new at this at all. Many of the links I follow are byproducts of this site (sites linking or providing links to other sites), doom9 and a couple of other trusted sites. I realise that places like dvdrhelp/videohelp can't check every program but there is something leaking in. Whether it's done while browsing or upon install or both I don't know yet but I am only leaving very narrow portals to a few select sites. All cookie protection is on in my browser as you showed as well as zonealarm and a few other things I didn't include in my note.
    Two programs are dialers and I can see why most checkers would not catch them; they could be legit progs (but are not). They put all sorts of different code bits everywhere (registry, ocx, dll, in different directories and drives) so that they can re-install at bootup. I'm on cable so these dialers are useless but with the introduction of telephone networks on pc you never know. Bell Canada charged customers thousands of $$$ even though they know it's a scam on innocent people. Bell says that the people had to have said yes to the install and that the call was made from their number so the charges are valid. Cable agreements clearly show that we are liable for third party charges made to the account.

    I found one entry in the reg that showed a rename sequence in progress to be used on shutdown or bootup. Most of the other stuff with similar tricks was all related to ads which were installed with freeware and shareware. Not dangerous but a pain and slows down the browser. Problem is that since I have the highest speed modem I hardly noticed anything. On dialup or my old 128kbs I would have seen it right away. If you install plugins (who doesn't) for audio progs, and video processing software etc.. be careful. Some appeared related to plugins according to the registry entries. I can't name the progs without being sure because they have a solid reputation but someone may be introducing garbage with the free plugins and filters for these apps.

    btw) I did find something changed in zonealarm. The access to individual dll, ocx etc had been turned on. I always put it to ? (ask me) unless I'm sure. After a reboot, when a new prog asks for access you have to use your password to deny or allow it. After that I suspect a second app can then change the settings in Zone. At least I think I discovered one possible leak. Access is in learning mode so that valid apps and dlls don't have to ask again. I would hate to change that; it would be a pain to give permission every time a trusted prog wants access.

    I think the real danger is thinking that you're ok. I don't believe for a second that I have got everything. Until I understand which site and or prog is doing it and how it's done I won't rest easy. Much is Java related, that much I know.
  8. thecoalman (Member), joined Feb 2004, Pennsylvania
    If you're installing freeware apps that is probably the source, not that all freeware apps are bad. I would thoroughly research any freeware app before installing and only DL it from the source site.

    Personally if I don't pay for it it doesn't go on my machine for the most part. There's some exceptions. BTW I've had zero spyware on my comp in a year.
  9. Jayhawk (Member), joined Mar 2003, Pensacola, Florida
    I couldn't agree more that it's getting dangerous out there, and I expect it will get worse. The Backdoor. series is especially nasty. Still, for once I have to disagree (at least for my habits) with thecoalman regarding freeware. If it wasn't for freeware, I wouldn't have:

    AVG
    Spybot
    AdAware
    RegSeeker
    RegCleaner
    CDBurnerXP Pro
    BHODemon
    Google Toolbar
    Copernic Desktop Search (incredible alternative to Windows Search)
    DVD Shrink
    DVD DeCrypter
    MouseSoft Directory Size
    CodeStuff Starter
    Email Stripper
    McAfee Stinger (a great safe mode virus finder)
    Bart's PE Builder
    ScreenPrint32
    and a few more
  10. d_unbeliever (Member), joined Apr 2004, Behind BARS
    yah, many nasty sites and nasty programs out there...you enter a site and they will force you to install an ActiveX plug-in on your computer...some of the freeware got loads of spyware programs too...hmmm...internet should evolve but i wish not in that direction...
    hacking the Net using typewriter :D
  11. gll99 (Renegade), joined May 2002, Canadian Tundra
    Originally Posted by thecoalman
    BTW I've had zero spyware on my comp in a year.
    Do you just depend on your software or do you scan your registry, program folders, winxp dir and sub directories, dll and ocx yourself? You need an extensive knowledge of winxp to know what to look for.
    That's the only way I caught most of this stuff. My apps are up to date yet missed things installed in April and some as late as Sept 21 2004 which were somewhat dormant or at least not obvious until suddenly starting up yesterday. My software caught some stuff after that when I re-ran with all the updates but most I found through my own detective work. I do admit that a few names in the registry, a couple of dll and 1 ocx fooled me since I thought they were valid apps because of their names.

    Even infected JPG files now can be a danger. I knew you could hide code in an image but an article in today's local newspaper says that the capability of the embedded code has grown worse. Using flaws in Windows XP and the IE browser, ordinary jpg with malicious code in them on a site can execute when you just visit the site. Microsoft's answer is to say upgrade with sp2 but according to the article that's not enough. Every time MS puts out a patch, some users reverse engineer it to see what MS is trying to protect and use that to build the malicious code and defeat the protection. The story says that all you need is a passing knowledge of VB6 and you can easily infect one of these jpg files, store it on a site and infect visitors' computers. I don't know how true this is but stuff like that could destroy the usefulness of the internet.
    People wonder why their computers and browsers are sluggish and unresponsive.
    One thing to watch. If you start to see ads on web pages you visit that seem to be tailored to your interests then you are infected. My interests are vb programming and obviously DVD, video and audio processing and I started to notice that even unrelated sites I visited had information related to my interests. Even the search engine like google was weird. In the search lists when I searched for example vdub, I would get some sites links like "find vdud brick layers and manufacturers" and another site link option might be "steel makers handbook on vdub" or "see prices for vdub at amazon.com" etc...
    I'll see if that has changed over the next few days. Anyway caution is in order; something strange is going on in the video and programming world that I frequent the most.
  12. Member, joined Jun 2002, MO, US
    Originally Posted by gll99
    Even the search engine like google was weird. In the search lists when I searched for example vdub, I would get some sites links like "find vdud brick layers and manufacturers" and another site link option might be "steel makers handbook on vdub" or "see prices for vdub at amazon.com" etc...
    That's actually fairly common and it's not caused by anything on your machine. It's caused by places making sites designed specifically to show up in search engine results. A lot of times you'll see those entries have URLs like "some-long-name-that-cant-be-a-real-site.something.com".
    A man without a woman is like a statue without pigeons.
  13. Not sure why but I am running a very vanilla W2K system, behind a router, NortonAV and no other protection.
    I have clicked on every god forsaken link there is, and have run some stank ass software and have NEVER had anything dis my OS...

    makntraks

    p.s. Could just be lucky though....
    /me "knocks on wood" /
    In the theater of the mind...
    It's always good to know where the exits are...
  14. thecoalman (Member), joined Feb 2004, Pennsylvania
    Originally Posted by Jayhawk
    I couldn't agree more that it's getting dangerous out there, and I expect it will get worse. The Backdoor. series is especially nasty. Still, for once I have to disagree (at least for my habits) with thecoalman regarding freeware. If it wasn't for freeware, I wouldn't have:

    AVG
    Spybot
    AdAware
    RegSeeker
    RegCleaner
    CDBurnerXP Pro
    BHODemon
    Google Toolbar
    Copernic Desktop Search (incredible alternative to Windows Search)
    DVD Shrink
    DVD DeCrypter
    MouseSoft Directory Size
    CodeStuff Starter
    Email Stripper
    McAfee Stinger (a great safe mode virus finder)
    Bart's PE Builder
    ScreenPrint32
    and a few more
    Please note that I said there's a few exceptions, most of which are in your list; you can add zonealarm to it too. I'm not putting down freeware, there's many excellent freeware apps available. The trouble is there are more bad ones than good.

    Originally Posted by gll99
    Do you just depend on your software or do you scan your registry, program folders, winxp dir and sub directories, dll and ocx yourself? You need an extensive knowledge of winxp to know what to look for.
    I'm no expert but every virus and spyware scan I have ever run comes up negative. Zonealarm stays pretty quiet on my computer, I get a zonealarm pop up occasionally when I install a new app as does everyone else. The last piece of crap on my computer was installed by my GF's daughter which zonealarm reported the next day as soon as I logged on.
  15. jakol
    i think my pc (main pc for editing) is safe, and it's not running any virus/spyware blocker or firewall..why? it's not connected to internet or my network

    my other pc on the other hand (win 98 and win 98se) has downloaded a bunch of crap and is running a very old/useless antivirus program last updated back in 1996......and still running...infected maybe?..who cares, it runs like a virus anyway. if it starts to act up...i just reformat/disk recovery and it's back to business.

    But i agree internet is getting dangerous.
  16. gll99 (Renegade), joined May 2002, Canadian Tundra
    jakol

    It's a good idea to use two boxes. I have a spare left over after giving the rest to family members. Problem is that I hate to browse on a 233 k6 with about 96 p133 ram. Maybe when I upgrade my p4 1.6 to a p4 3+ then maybe I'll do that too.
    There is still a problem when crossing over software unless you keep the capture/editing box to a bare minimum fully tested progs.
    It may come to that soon though.

    @thecoalman
    The only change I made for now is to set the ie cookie option to prompt. I want to see the cookies that are attempting to load on my system. Found one suspect but had 2 sites open, videohelp and one other. The cookie was for vbs.searchwww.com and when I checked the additional info it came up with the name popupsponsor3. Interesting. I closed the other site to see if it comes up again. If not I will close this site and visit the other one to see if it comes up. Then!!!! I will know one likely source. It's a trusted site too. I won't name them cause don't want to do that when I am not sure.
  17. I have been forced that route too. My main system (fully loaded) is not and will never be connected to the internet. Luckily my internet rig is an athlon xp2400 with 512mb. It's limited on the rest of the hardware but it does all right. I'm actually running on an old celeron computer (really stripped down) because my internet rig got hacked and killed. I'm about to do a clean install tonight with a new hard drive (I needed another drive anyway). My biggest reason for using separate rigs was so that I didn't have to run all those power sucking anti-everything softwares on a rig that I had gotten running so fast (mildly overclocked and all decent hardware). It was nice having my main rig running when the internet one got killed though (first time I ever had one get killed).
    Does anybody have any suggestions on how to transfer files or do updates to software etc.? I have card readers on both and a 256mb cf (plus other smaller cards) so that has worked great for anything under 256mb. I usually just do a virus scan before I transfer it to the card. Any other suggestions?
  18. Jayhawk (Member), joined Mar 2003, Pensacola, Florida
    I have been forced that route too. My main system (fully loaded) is not and will never be connected to the internet.
    Wow, I'd be interested to know how many others keep their main system off the internet. I'm pretty much the opposite. I use my main computer for everything from mail, paying bills on line, keeping track of investments, contributing to this forum, etc. I guess for me "main" is the most important one and I can't envision my life running very smoothly if my main computer is isolated from the rest of the world.

    I do have a second system that I occasionally unplug when I'm playing with viruses (removal practice), trying out new programs or tweaks, researching sites that most people wouldn't think of going to. I have images of both systems, backed up weekly, and run virus protection, hardware firewall, spyware programs. I'm just not ready to let the evil-doers control my quality of life.
  19. I guess that you could say that my main system is my lesser system since it gets used more. What I meant before by main was my most powerful system. I use it for dvd/cd burning and various things with media, games and other things that require a lot of power and speed.
    In a way the evil-doers are controlling your quality of life. You have to get programs and or hardware to protect your computer (which costs money) and the end result is that you have lost some of the speed and power of your system as these things do use your system's resources. I kind of feel that I regained control when I isolated my fast rig. The evil-doers are no longer capable of slowing down my fast computer. I can enjoy the full speed and power of it without having to constantly monitor and or clean up all the crap they put on it so I win!!!!! This is a good setup for me because I do use the power of my fast system, and it is way overkill for an internet machine. My internet machine really cost me very little. I got an athlon xp2500 bundled with an nVidia Ultra 400 chipset motherboard (a cheap ecs one) for 60$ and a 30$ power supply. Everything else was left over parts from upgrading. With a 25$ kvm switch, I have both computers hooked up to the same monitor, keyboard and mouse. A few key strokes and I can use either computer. Side by side cf card readers (already had those too because of my digital camera) let me scan files and then transfer them without a dangerous network cable.
    They kind of have us both (and everybody else) jumping through hoops to stop them, but at least we are having some luck stopping it.
    This was a good setup for me because of what I do with my computers and the fact that I had all the spare parts. Obviously I am not saying that it is the best setup for everyone.