njustice
Content Count: 51
Posts posted by njustice
-
Windows XP has a feature that monitors files that are used when you boot and also applications that you start. It puts a log of these in the Prefetch folder under C:/Windows. And....so it goes to this folder and "prefetches" those files for faster startups. A nice feature, but that cache folder can fill up rather fast with "junk" files (old stuff you rarely use any more)---it needs to be cleaned out at least once a month--more often if you are a heavy user. One "technique" I used recently was having a shortcut to the Prefetch folder on my desktop (named, of all things, "Clean Prefetch"---original, huh? ). That would open the folder and I would manually delete all the files.
Anyway....here's one better---make a shortcut to a simple batch file that will erase all the contents of the Prefetch folder with just one click. Here's how:
1. In Notepad, type the following (or just cut & paste the text below):
del C:\Windows\Prefetch\*.* /Q
2. Click on "Save As", then in the scrolldown menu "Save as type", select "All files".
Saving the file to the C:/ drive (or folder of your choice), name the file: DeletePrefetch.bat and hit OK.
3. Now make a shortcut to that file either on the Desktop or in Programs (do NOT use "Copy"...if you do that, you won't be able to rename it without screwing up the file). When you are ready to clean out the Prefetch, just click on the shortcut and it's done. One click shopping.
-
-
Posted by Eric Howes on DSLReports.com: (partial quote)
http://www.dslreports.com/forum/remark,119...04374~mode=flat
Hi All:
Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:
www.benedelman.org/news/111804-1.html
Included with Ben's write-up is an eye-opening video.
I thought you all might like some additional information about the exploit that Ben documented.
This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
sp2fucked.biz
splitinfinity.info
xpire.info
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:
69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz
Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar
The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.
Be sure to watch Ben's video linked on this page:
http://www.benedelman.org/news/111804-1.html
This exploit has been showing up in HijackThis logs in various places on the web, including here at Spyware Warrior:
http://spywarewarrior.com/viewtopic.php?p=41144
http://forums.spywareinfo.com/index.php?sh...showtopic=34220
http://forums.tomcoyote.org/index.php?showtopic=21650
Reports about the exploit:
http://www.gossamer-threads.com/lists/full...isclosure/27857
http://seclists.org/lists/fulldisclosure/2...4/Oct/1031.html
http://sourceforge.net/mailarchive/forum.p...&forum_id=24754
Comments from Wayne Porter:
http://www.revenews.com/wayneporter/archiv...00285.html#more
And as Eric stated here:
I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:
And last but extremely important - make sure that people know how to protect their computers from these exploits and from possibly being used in a malicious attack.
IE-SPYAD and AGNIS from Eric Howes will protect from the domains and IP addresses shown in Eric's post.
http://spywarewarrior.com/viewtopic.php?t=7625
http://spywarewarrior.com/viewtopic.php?t=7626
Download links here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
A good firewall (and not just the Windows firewall) is also necessary to prevent unauthorized use of a computer to participate in a denial of service attack.
Folks, please help spread the word about this! Post this on any and all forums and sites related to security and spyware/malware!
-
Me too....I have 5 or 6 skins. The default I made.
-
Helped in Chat.
Sorry rock....didn't see your post as I was in the Add Reply screen.
-
Hello,
Close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Click "Fix Checked"...
reboot.....rescan....post new log.
-
Thank you everyone....I totally agree with tictoc, a lot of great banners, kudos to everyone.
-
Hello Oni, sorry for the delay.
Go to Add/Remove Programs and uninstall if found: couponsandoffers, 180 Solutions (if present), WeatherBug, 2findm~1, 16HIDE~1 and SpeedHack (if not recognized).....reboot if prompted.
Close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items, if present:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: GreyMore - {627DA590-A05C-ADAD-277A-A75F6CD7554C} - C:\PROGRA~1\16HIDE~1\acid sect.dll (file missing)
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [synchronization Agent] C:\Documents and Settings\canf\Desktop\SpeedHack\Speed hack.exe<---what is this, if you don't know remove it.
O4 - HKLM\..\Run: [saap] c:\progra~1\2findm~1\partner\saap.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: ÃøÖ·´óÈ« (HKLM)<---no info on this....removing won't hurt.
O9 - Extra 'Tools' menuitem: ÃøÖ·´óÈ« (HKLM)<---no info on this....removing won't hurt.
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
Click "Fix Checked"...Reboot to SAFE mode (F8 on bootup)
How to start the computer in Safe mode
Show hidden files and folders-->
and delete the following folders/files in red if found.....
C:\PROGRAM FILES\16HIDE~1<---folder will start with 16HIDE
C:\Documents and Settings\canf\Desktop\SpeedHack<---see note above
O4 - HKLM\..\Run: [saap] c:\program files\2findm~1<---folder will start with 2findm
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe
C:\Program Files\couponsandoffers
reboot.....download the latest version of HijackThis HERE....post new log.
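The two HijackThis fix lists above are picked out by hand: the helper reads each "Oxx - ..." line and decides which ones are orphaned registry entries (the "(no file)" / "(file missing)" ones), which are IE lockdown policies, which are autostarts hiding behind 8.3 short paths, and so on. The script below is an added example (not code from the forum or from HijackThis) that does that first-pass triage automatically on the log lines quoted in both posts. The log format (section code, " - ", body; O4 entries as "HIVE\..\Key: [name] command") is what HijackThis 1.x prints; the O16 download URL in the sample is a placeholder because the original post's URL is truncated.

```python
import re

# Constructed sample: HijackThis log lines copied from the two fix lists in the posts
# above. The O16 URL is a placeholder; the post shows it truncated.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: GreyMore - {627DA590-A05C-ADAD-277A-A75F6CD7554C} - C:\PROGRA~1\16HIDE~1\acid sect.dll (file missing)
O4 - HKLM\..\Run: [saap] c:\progra~1\2findm~1\partner\saap.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://placeholder.invalid/minibug/Transporter.cab
"""

# Meaning of the HijackThis section codes that appear in the posts above.
SECTIONS = {
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart (Run key or Startup folder)",
    "O6": "IE policy restriction",
    "O8": "IE context menu item",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX download (Downloaded Program Files)",
}

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_line(line):
    """Parse one HijackThis log line into a dict, or return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "kind": SECTIONS.get(section, "other"), "body": body,
             "clsid": None, "name": None, "command": None, "flags": []}
    c = CLSID_RE.search(body)
    if c:
        entry["clsid"] = c.group(0).upper()
    if any(marker in body for marker in ORPHAN_MARKERS):
        # Registry still references a file that is gone: a leftover, safe to fix.
        entry["flags"].append("orphan")
    if section == "O4":
        r = RUN_RE.match(body)
        if r:
            entry["name"], entry["command"] = r.group("name"), r.group("cmd")
        elif body.startswith("Startup:"):
            entry["name"] = entry["command"] = body[len("Startup:"):].strip()
        if entry["command"] and re.search(r"~\d", entry["command"]):
            # 8.3 short path hides the real folder name; resolve it before judging the entry.
            entry["flags"].append("short-name-path")
    if section == "R3" and "is missing" in body:
        entry["flags"].append("missing-hook")
    if section == "O6":
        # IE restriction policies on a home PC are usually not something the user set.
        entry["flags"].append("ie-policy")
    if section == "O16":
        entry["flags"].append("activex-download")
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text):
    """Entries that carry at least one flag, in log order."""
    return [e for e in parse_log(text) if e["flags"]]


def summarize(text):
    """Count how many entries carry each flag."""
    counts = {}
    for e in parse_log(text):
        for f in e["flags"]:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['section']:<4} {','.join(e['flags']):<18} {e['body'][:70]}")
    print(summarize(SAMPLE_LOG))
```

Paste a real log into SAMPLE_LOG (or read it from the file HijackThis saves) and the flagged entries come out first; entries with no flag, such as the WeatherBug Run key, still need the manual "what is this?" judgement the posts apply.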
-
Download Spybot from
http://www.safer-networking.org/index.php?page=download
after installing......hit.."Search for Updates".....get them all.......(Download Updates)........then "Check for Problems".......after the scan is complete..allow Spybot to remove everything listed in RED...reboot your computer.
NOTE: Spybot will flag 5 DSO Exploits...this is a bug in the program and will be fixed in the next version; you can ignore these.
-------------------------------------------------------------------------
Then Download Ad-aware SE from: http://www.majorgeeks.com/download506.html
Install the program and launch it.
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.
Next, we need to configure Ad-aware for a full scan.
Click on the Gear icon (second from the left) to access the preferences/settings window
1. In the General window make sure the following are selected:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives
Click on the Advanced button on the left and select:
* Include additional process information
* Include additional file information
* Include environment information
Click the Tweak button and select:
* Under the Scanning Engine:
o Unload recognized processes & modules during scan
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot
Click on Proceed to save the settings.
Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
* Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish
When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Reboot your computer.
-------------------------------------------------------------------------
Do an online virus scan HERE and HERE.....reboot after each scan, let us know what couldn't be cleaned(include file path).
-------------------------------------------------------------------------
Download latest version of 'Hijack This!'. HijackThis 1.98.2
Post a new log....
-
Download CWShredder
http://www.downloads.subratam.org/CWShredder.exe
Run it......press "Fix", follow its prompts & instructions.. press 'Next', and allow it to fix all it finds.
reboot......post a new log.
-
Hello Oni,
Before downloading the latest version could you please make a permanent folder off the desktop and put HijackThis.exe in that folder.
How to make a permanent folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which while highlighted you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder.
Please put your HijackThis.exe there......post a new log.
-
-
Cool JSKY....thanks!!!
-
I tried it....found five new items (see link for picture below).
First entry: <---Kaspersky says it's clean.
C:\hp\drivers\video\Sis651\AGP\Win2K_XP\LAYOUT.BIN
Windows Spy
Type: Key Logger
Threat Level: Severe
Second entry:<----hmmmm, false positive?
Host file redirection of 127.0.0.1 adwords.google.com
Possible Hosts File Hijack
Type: Spyware
Threat Level: High
Third entry:<----Ok.....I can believe it!
BidClix.com
Type: Cookie
Threat Level: Low
Fourth entry:<---Geocities is flagged?
GeoCities
Type: Cookie
Threat Level: Low
Fifth entry:<----Huh....Hotmail?
Passport.com
Type: Cookie
Threat Level: Low
All in all....I will uninstall it.
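The second entry in that scan, "127.0.0.1 adwords.google.com" reported as a possible hosts file hijack, is the kind of hit that needs a second look before anything is removed: a name pointed at 127.0.0.1 or 0.0.0.0 resolves to nowhere, which is what ad-blocking hosts lists do on purpose, while a genuine hijack points a legitimate name at an outside address so traffic goes somewhere it should not. The script below is an added example (not the scanner's logic and not code from the post) that reads a hosts file and separates the two cases. The sample hosts content and the 203.0.113.7 address (a documentation range) are constructed.

```python
import ipaddress

# Constructed sample hosts file: the loopback entry the scanner flagged above, a
# 0.0.0.0 block entry, and one name redirected to an outside (documentation) address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       adwords.google.com      # ad-blocking entry from a hosts block list
0.0.0.0         coolsearch.biz
203.0.113.7     windowsupdate.microsoft.com
"""

# Address ranges that belong on a LAN; mapping a name to one of these is usually deliberate.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def classify(ip, host):
    """Verdict for one (address, hostname) pair from a hosts file."""
    if host.lower() == "localhost":
        return "system"
    if ip.is_loopback or ip.is_unspecified:
        # Sinkholed to the local machine: a block-list entry, not a redirection.
        return "block"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    # Name steered to an external host, bypassing DNS: the real hijack pattern.
    return "redirect"


def parse_hosts(text):
    """Parse hosts-file text into one record per hostname, with a verdict each."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            records.append({"line": lineno, "ip": parts[0], "host": None, "verdict": "malformed"})
            continue
        for host in parts[1:]:
            records.append({"line": lineno, "ip": str(ip), "host": host.lower(),
                            "verdict": classify(ip, host)})
    return records


def suspicious(text):
    """Only the records worth investigating: external redirects and unparseable lines."""
    return [r for r in parse_hosts(text) if r["verdict"] in ("redirect", "malformed")]


if __name__ == "__main__":
    for r in parse_hosts(SAMPLE_HOSTS):
        print(f"line {r['line']:>2}  {r['verdict']:<9} {r['ip']:<16} {r['host']}")
```

On a Windows machine the file to feed in is C:\Windows\System32\drivers\etc\hosts; on the sample, only the windowsupdate.microsoft.com line comes back from suspicious(), and the adwords.google.com entry is classified as a block, which matches the "false positive?" guess in the post.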
-
Thank you all for your opinions it means so much to me.
-
and today's offering is
OOOOh! TicToc! I love the top font! What is it?
Me too....very kewl!
Good job tictoc....although the slogan font could be a little smaller and maybe changed to suit the site name font....IMHO!
-
Hello everyone, below is the design for our Pctorium business sign; it's two-sided so you can see it from both directions. It will have a flower bed beneath it and a low-profile decorative brick border. Of course the phone number shown is fictitious, but if you'd like the number feel free to ask, I'd love to talk with you on the phone.
Any tips or suggestions welcome!
-
edit: to include all three...
I like this one too, if njustice could email or tell me where he got the image of the keyboard I may be able to play with that.
Michael
Hi arachnoid, the image is a picture tube in PSP. I've been trying to figure out how to take this site and put it on the keyboard screen......not an easy task.
-
Last one....thank you cow....I think!!!
edit: to include all three...
-
Another one....
-
Thank you MistaMatt...
-
Thought I'd throw mine into the hat....great work everyone!
Do I Really Need A Firewall
in Spyware/Adware Information
Like jimras said, if using broadband it's best (no, essential) to have a router in place. If using dial-up, get a firewall so you know what's coming in and out. Even if using a router, a software firewall lets you know if something is trying to get out from your PC.