Spyware Warrior

[Harry Letterman]

This was originally posted at Wilders in the NOD32 forum but it was subsequently moved to the Malware forum b/c I mentioned both Nod and ProcessGuard in the title.

http://www.wilderssecurity.com/showthread.php?p=1076492#post1076492


On Sep. 8 I was looking for information on Calcet, an over-the-counter triple strength calcium supplement that my mom uses for aches in her legs. I searched Yahoo and got these results. Result # 8 took me to a site called [url]www.DANGER[/url].mamaha.info/drugs/CalCet.htm Once the Mamaha page(s) started opening and IE 6 SP2 could not close them I manually rebooted my PC. Upon restart I immediately updated Spybot and scanned my system. There were 3 or 4 registry changes and I fixed them with Spybot (I saved the logs).

My Nod 2.7 was updated fully updated for Sep. 8 and I had performed a full scan a few days prior to the Mamaha incident. I also have the free edition (v3.150) of ProcessGuard (don't know if there are updates to this), SpywareBlaster, Spybot, Ad-Aware SE (free) and the Comodo Firewall Pro (v2.4.18.184, Database Version 3.0). My system is XP SP2 with the Windows firewall on. I have Nod (IMON, too) installed with the Blackspears settings, btw.

So, what happened here? I think that my Spybot & SpywareBlaster were not fully updated at the time of the Mamaha problem but why did Nod/IMON and ProcessGuard miss it (the registry changes)?
_________________
“He saw reality too clearly. Faulty denial mechanism.
Failed to block out the terrible truths of existence. In the end, his inability to push away the awful facts of being in the world rendered his life meaningless.”

- from the film "Stardust Memories"

[Harry Letterman]

Since Mamaha is definitely malware of some stripe I thought that I should check here as well.

My IE6 SP2 Security settings are here.

I just checked the "Extra Settings" thread for Nod and my IMON settings are exactly as recommended. I did switch some programs/apps from "higher compatability" to "higher efficiency".

Interestingly, about an hour ago when I was getting to Page 3 in the Extra Settings thread I decided that I had too many IE 6 windows open so went to close one or two by right-clicking and selecting "close" and then hundreds of new windows started to "cascade open". I manually rebooted and updated Spybot to 9/12 and updated SpywareBlaster. Spybot says I'm clean. I am running an In-depth Analysis with Nod now. I will post back with the results, probably later tomorrow.

One more thing: I added www.DANGER.mamaha.info/drugs/CalCet.htm to IE's Restricted Sites list back on the 8th.
_________________
“He saw reality too clearly. Faulty denial mechanism.
Failed to block out the terrible truths of existence. In the end, his inability to push away the awful facts of being in the world rendered his life meaningless.”

- from the film "Stardust Memories"

[suzi]

Hmm... Yahoo results might have changed. Number 8 is now for drugs.com wihch is a legit site.

If you want to PM me with the URL of the bad site, I'll check it. Better not to post it here because someone might want to try it.

I would not rely on Spybot to decide if you are infected or not. It's pretty well known in security circles that Spybot has not kept up well with new spyware for the last year or more. I suggest you post a HijackThis log and have it checked.

You should not run the Windows firewall when you have 3rd party firewall running. Two firewalls is bad and can actually lower your protection.

As far as NOD and Process Guard, I can't answer that, I'm not very familiar with either. Some malware can bypass firewalls, and some can disable AV's.

Searching for anything on the internet related to drugs, even nutritional supplements, is highly likely to bring up plenty of bad sites. Those kind of sites get links spammed to blogs, forums, and all over, which gives them high search engine rankings. Some run exploits, which is probalby what happened with the site you went to. It's much safer to stick to well known sites when searching for anything these days, but especially anything drug related. Even good, normal sites are being hacked these days, so nothing is 100% safe. Before clicking on links to unknown sites, it doesn't hurt to check the URL on SiteAdvisor and with LinkScanner.

http://linkscanner.explabs.com/linkscanner/default.asp

Even Googling the domain name can give clues. These Google results would definitely be a clue mamaha.info is not a good site:

http://www.google.com/search?hl=en&q=mamaha.info&btnG=Google+Search

You can see links to the site have been spammed to guestbooks and on very funky sites. Google says "This site may harm your computer" on some of them.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[suzi]

To add a site to the restricted site zone, all you need to put is mamaha.info -- not the entire URL. Or *.smamaha.info is good because that will include any subdomains.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[Harry Letterman]

[Harry Letterman]

Fwiw, I just finished an In-depth Analysis (scan) and Nod says that there are no threats.
_________________
“He saw reality too clearly. Faulty denial mechanism.
Failed to block out the terrible truths of existence. In the end, his inability to push away the awful facts of being in the world rendered his life meaningless.”

- from the film "Stardust Memories"

[suzi]

That's good news.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[Franklin]

Um,err I'll just say Sandboxie and Returnil.Both free.

Gimme a million such sites and I'll open them all at once from within a sandboxed Firefox with the Noscript addon whilst in Retrunil mode.

[Harry Letterman]

I started an HijackThis thread today.
_________________
“He saw reality too clearly. Faulty denial mechanism.
Failed to block out the terrible truths of existence. In the end, his inability to push away the awful facts of being in the world rendered his life meaningless.”

- from the film "Stardust Memories"

[Harry Letterman]

[suzi]

[Harry Letterman]

Suzi,

Honest, I DID read most of the sticky thread about what & how to post in an HJT thread before I started that thread but I saw the part about not replying to one's own post after I had already posted the reply. I'm feeling dizzy now.

At any rate, in the lower right corner of the HijackThis Logs forum I am told that I "cannot delete your posts in this forum."

Can you please help me with the deletion of my erroneous reply? Thank you.
_________________
“He saw reality too clearly. Faulty denial mechanism.
Failed to block out the terrible truths of existence. In the end, his inability to push away the awful facts of being in the world rendered his life meaningless.”

- from the film "Stardust Memories"

[suzi]

Done.

By the way, I'm told that link redirects to a site that tries to download a zlob trojan and fake scan by a rogue program. I didn't have a chance to check it myself yet.

It's possible that the site was hacked with an iframe link redirecting to an evil site. Lots of good, normal sites are being hacked for the purpose if redirecting to malware sites. It happens all over the web when web applications and webserver software are not kept patched and updated. Just like users who don't patch their OS with Windows updates, and don't keep their programs updated get infected with malware.

Here's a couple of examples of hacked good normal sites and what happens when an unprotected user lands on them.

http://sunbeltblog.blogspot.com/2007/09/city-of-marin-county-serves-porn.html

From earlier this year:
http://blogs.zdnet.com/security/?p=15
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[Harry Letterman]

Hi Suzi,

Thanks for deleting my post in the HJT Forum. I downloaded Spyware Terminator ("ST") earlier today and did a "Fast Spyware Scan" and it found 2 items (the links are to descriptions only):

AnalogX PacketMon
BrainNames

I haven't removed these yet 'cause I want to see what an HJT Helper has to say about my Log.

I've tried 3 times to do a Full Scan with Spyware Terminator but my system (XP) keeps giving me a Data Execution Prevention (DEP) window at 61%. ProcessGuard is set to allow everything and so is Spybot 1.5 and my Comodo firewall. I have posted about this problem at ST's Forum (my thread there).

[suzi]

Kudos to you for taking care of your mom. AnalogX PacketMon is a program that the user has to install. I've not heard of it being installed or used by malware. I'm not familiar with BrainNames, but Sophos has it listed as a PUA -- potentially unwanted application. ST calls it low risk.

http://www.spywareterminator.com/item/3510/BrainNames.html
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.