Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

This item slid past Nod & ProcessGuard
Harry Letterman
Warrior Guru


Joined: 14 Jul 2004
Last Visit: 11 Dec 2012
Posts: 345
Location: Kenmore, Wa. (U.S.)

Posted: Thu Sep 13, 2007 7:45 pm    Post subject: This item slid past Nod & ProcessGuard

This was originally posted at Wilders in the NOD32 forum but it was subsequently moved to the Malware forum because I mentioned both Nod and ProcessGuard in the title.

http://www.wilderssecurity.com/showthread.php?p=1076492#post1076492


On Sep. 8 I was looking for information on Calcet, an over-the-counter triple strength calcium supplement that my mom uses for aches in her legs. I searched Yahoo and got these results. Result #8 took me to a site called www.DANGER.mamaha.info/drugs/CalCet.htm. Once the Mamaha page(s) started opening and IE 6 SP2 could not close them I manually rebooted my PC. Upon restart I immediately updated Spybot and scanned my system. There were 3 or 4 registry changes and I fixed them with Spybot (I saved the logs).

My Nod 2.7 was fully updated for Sep. 8 and I had performed a full scan a few days prior to the Mamaha incident. I also have the free edition (v3.150) of ProcessGuard (don't know if there are updates to this), SpywareBlaster, Spybot, Ad-Aware SE (free) and the Comodo Firewall Pro (v2.4.18.184, Database Version 3.0). My system is XP SP2 with the Windows firewall on. I have Nod (IMON, too) installed with the Blackspears settings, btw.

So, what happened here? I think that my Spybot & SpywareBlaster were not fully updated at the time of the Mamaha problem but why did Nod/IMON and ProcessGuard miss it (the registry changes)?
_________________
“He saw reality too clearly. Faulty denial mechanism.
Failed to block out the terrible truths of existence. In the end, his inability to push away the awful facts of being in the world rendered his life meaningless.”

- from the film "Stardust Memories"
Harry Letterman

Posted: Thu Sep 13, 2007 7:51 pm

Since Mamaha is definitely malware of some stripe I thought that I should check here as well.

My IE6 SP2 Security settings are here.

I just checked the "Extra Settings" thread for Nod and my IMON settings are exactly as recommended. I did switch some programs/apps from "higher compatibility" to "higher efficiency".

Interestingly, about an hour ago when I was getting to Page 3 in the Extra Settings thread I decided that I had too many IE 6 windows open so went to close one or two by right-clicking and selecting "close" and then hundreds of new windows started to "cascade open". I manually rebooted and updated Spybot to 9/12 and updated SpywareBlaster. Spybot says I'm clean. I am running an In-depth Analysis with Nod now. I will post back with the results, probably later tomorrow.

One more thing: I added www.DANGER.mamaha.info/drugs/CalCet.htm to IE's Restricted Sites list back on the 8th.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Apr 2014
Posts: 10310
Location: sunny California

Posted: Thu Sep 13, 2007 8:12 pm

Hmm... Yahoo results might have changed. Number 8 is now for drugs.com, which is a legit site.

If you want to PM me with the URL of the bad site, I'll check it. Better not to post it here because someone might want to try it.

I would not rely on Spybot to decide if you are infected or not. It's pretty well known in security circles that Spybot has not kept up well with new spyware for the last year or more. I suggest you post a HijackThis log and have it checked.

You should not run the Windows firewall when you have 3rd party firewall running. Two firewalls is bad and can actually lower your protection.

As far as NOD and Process Guard, I can't answer that, I'm not very familiar with either. Some malware can bypass firewalls, and some can disable AV's.

Searching for anything on the internet related to drugs, even nutritional supplements, is highly likely to bring up plenty of bad sites. Those kinds of sites get links spammed to blogs, forums, and all over, which gives them high search engine rankings. Some run exploits, which is probably what happened with the site you went to. It's much safer to stick to well known sites when searching for anything these days, but especially anything drug related. Even good, normal sites are being hacked these days, so nothing is 100% safe. Before clicking on links to unknown sites, it doesn't hurt to check the URL on SiteAdvisor and with LinkScanner.

http://linkscanner.explabs.com/linkscanner/default.asp

Even Googling the domain name can give clues. These Google results would definitely be a clue that mamaha.info is not a good site:

http://www.google.com/search?hl=en&q=mamaha.info&btnG=Google+Search

You can see links to the site have been spammed to guestbooks and on very funky sites. Google says "This site may harm your computer" on some of them.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. :)
suzi

Posted: Thu Sep 13, 2007 8:14 pm

To add a site to the restricted site zone, all you need to put is mamaha.info -- not the entire URL. Or *.mamaha.info is good because that will include any subdomains.
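The zone entry suzi describes lives in the per-user registry: Internet Explorer keeps zone assignments under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>`, with a DWORD value named after the scheme (`*` for any) holding the zone number, 4 being Restricted Sites. The script below is an added example, not code from this thread or from the tools it mentions. It normalises whatever a user might type (a full URL with path, or a `*.` wildcard) down to the bare domain, emits the matching `.reg` fragment, and has a `covers()` helper that models the rule stated in the post, namely that a domain entry applies to the domain and all of its subdomains. It writes a text fragment rather than calling `winreg` so it runs on any platform; on a real XP box you would import the fragment with regedit or set the value with `reg add`. The hostnames are the ones from the thread; the matching logic is an illustration of the intended semantics, not a reimplementation of IE's internal lookup.

```python
"""Emit an IE Restricted Sites zone entry and check which hosts it covers.

Added illustration, not from the forum thread. Registry layout assumed:
  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\<domain>
  value "<scheme or *>" = DWORD zone number (4 = Restricted Sites)
"""
import re
from urllib.parse import urlsplit

ZONE_RESTRICTED = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def normalize_domain(entry: str) -> str:
    """Reduce a typed entry ('*.mamaha.info', 'www.x.mamaha.info/drugs/CalCet.htm',
    'http://mamaha.info/') to a bare lower-case domain, or raise ValueError."""
    entry = entry.strip().lower()
    if entry.startswith("*."):            # wildcard form from the post: same domain, all subdomains
        entry = entry[2:]
    if "://" not in entry:
        entry = "http://" + entry         # urlsplit only finds a host when a scheme is present
    host = urlsplit(entry).hostname or ""
    if not _DOMAIN_RE.fullmatch(host):
        raise ValueError(f"not a domain: {entry!r}")
    return host


def reg_entries(domain: str, zone: int = ZONE_RESTRICTED, scheme: str = "*") -> str:
    """Render a .reg fragment that places `domain` (and its subdomains) in `zone`.
    `scheme` may be '*', 'http' or 'https'; IE stores one value per scheme."""
    domain = normalize_domain(domain)
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{ZONEMAP}\\{domain}]",
        f'"{scheme}"=dword:{zone:08x}',
        "",
    ])


def covers(entries, url: str) -> bool:
    """True if any zone entry applies to the host of `url`.
    An entry for d covers d itself and every label.d, never an unrelated 'notd'."""
    host = normalize_domain(url)
    for raw in entries:
        d = normalize_domain(raw)
        if host == d or host.endswith("." + d):
            return True
    return False


if __name__ == "__main__":
    print(reg_entries("mamaha.info"))
    for u in ("www.DANGER.mamaha.info/drugs/CalCet.htm", "https://www.drugs.com/", "notmamaha.info"):
        print(f"{u:45s} restricted={covers(['mamaha.info'], u)}")
```

A per-subdomain override (putting only `www.mamaha.info` in the zone) is stored by IE as a nested key, `Domains\mamaha.info\www`; the example deliberately emits only the whole-domain form because that is what the post recommends.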
Harry Letterman

Posted: Thu Sep 13, 2007 8:32 pm

suzi wrote:
To add a site to the restricted site zone, all you need to put is mamaha.info -- not the entire URL. Or *.mamaha.info is good because that will include any subdomains.


That is actually just what I did - put mamaha.info in the Restricted Sites. I don't know why I worded the post that way.......
Harry Letterman

Posted: Thu Sep 13, 2007 8:38 pm

Fwiw, I just finished an In-depth Analysis (scan) and Nod says that there are no threats.
suzi

Posted: Thu Sep 13, 2007 8:43 pm

That's good news.
Franklin
Warrior


Joined: 17 Nov 2004
Last Visit: 23 Jan 2008
Posts: 143

Posted: Thu Sep 13, 2007 9:09 pm

Um, err, I'll just say Sandboxie and Returnil. Both free.

Gimme a million such sites and I'll open them all at once from within a sandboxed Firefox with the NoScript addon whilst in Returnil mode. ;)
Harry Letterman

Posted: Sat Sep 15, 2007 8:45 am

I started an HijackThis thread today.
Harry Letterman

Posted: Sat Sep 15, 2007 9:03 am

Harry Letterman wrote:
Fwiw, I just finished an In-depth Analysis (scan) and Nod says that there are no threats.

suzi wrote:
That's good news.


Apparently, the Nod scan is inconsequential (info. from Wilders' Malware forum).

Also, some info as to who the host of the malware is (Wilders link).
suzi

Posted: Sat Sep 15, 2007 11:01 am

Harry Letterman wrote:
I started an HijackThis thread today.


I see you posted a reply in the thread. That reduces the chance of your post being noticed by a helper. They look for posts with 0 replies to see who needs help.

I'd suggest you copy/paste the info from your second post into your first post -- use the edit button. Then you can delete your reply and it will again show 0 replies.

http://www.spywarewarrior.com/viewtopic.php?t=25477

Quote:
Once you have posted your HijackThis log, do not post again to that thread until you get a reply from a helper. Doing so removes your post from the zero reply list, and will result in you not getting answered quickly.

Harry Letterman

Posted: Sat Sep 15, 2007 1:38 pm

Suzi,

Honest, I DID read most of the sticky thread about what & how to post in an HJT thread before I started that thread but I saw the part about not replying to one's own post after I had already posted the reply. I'm feeling dizzy now.

At any rate, in the lower right corner of the HijackThis Logs forum I am told that I "cannot delete your posts in this forum."

Can you please help me with the deletion of my erroneous reply? Thank you.
suzi

Posted: Sat Sep 15, 2007 7:06 pm

Done.

By the way, I'm told that link redirects to a site that tries to download a zlob trojan and fake scan by a rogue program. I didn't have a chance to check it myself yet.

It's possible that the site was hacked with an iframe link redirecting to an evil site. Lots of good, normal sites are being hacked for the purpose of redirecting to malware sites. It happens all over the web when web applications and webserver software are not kept patched and updated, just like users who don't patch their OS with Windows updates and don't keep their programs updated get infected with malware.

Here's a couple of examples of hacked good normal sites and what happens when an unprotected user lands on them.

http://sunbeltblog.blogspot.com/2007/09/city-of-marin-county-serves-porn.html

From earlier this year:
http://blogs.zdnet.com/security/?p=15
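The injected-iframe hack suzi describes has a recognisable shape in the HTML: a "good" site suddenly carries an `<iframe>` whose `src` is a third-party host and which the attacker has made invisible, either by giving it 0 or 1 pixel dimensions, hiding it with CSS, or positioning it off-screen. The script below is an added example, not code from the thread or from any of the sites linked above, using only the Python standard library. It parses a page, applies those heuristics to every iframe, and reports only the frames that are both third-party and concealed, so that an ordinary visible embed (a video player, say) is not flagged. The sample page is constructed for illustration and the hostnames in it are placeholders; the same-origin test is deliberately naive (it compares against the page's full hostname rather than its registrable domain) and is marked as such in the code.

```python
"""Flag hidden third-party iframes, the usual footprint of a compromised "good" site.

Added example, not from the forum thread. Standard library only.
SAMPLE_HTML below is constructed; evil.example / bad.example are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_OFFSCREEN_RE = re.compile(r"(?:left|top):-\d")   # e.g. left:-9999px


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _px(value):
    """Parse '1', '0px' etc. into a pixel count; None for absent or non-pixel values ('100%')."""
    if value is None:
        return None
    try:
        return float(value.strip().lower().removesuffix("px"))
    except ValueError:
        return None


class IframeAuditor(HTMLParser):
    """Collects iframes that are (a) third-party and (b) concealed by size, CSS or position."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_host = _host(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        src_host = _host(src)
        reasons = []
        # Naive origin check (assumption): anything not the page host or under it is third-party.
        if src_host and src_host != self.page_host and not src_host.endswith("." + self.page_host):
            reasons.append("third-party src")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny dimensions")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if _OFFSCREEN_RE.search(style):
            reasons.append("off-screen")
        # A visible third-party embed is normal; only third-party AND concealed is reported.
        if "third-party src" in reasons and len(reasons) > 1:
            self.findings.append({"src": src, "reasons": reasons})


def audit(page_url: str, html: str):
    """Return a list of {'src', 'reasons'} dicts for suspicious iframes in `html`."""
    p = IframeAuditor(page_url)
    p.feed(html)
    return p.findings


# Constructed sample page: one legitimate embed, two injected frames, one same-origin hidden widget.
SAMPLE_HTML = """<html><body>
<h1>County services</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<iframe src="/local/widget" style="display:none"></iframe>
<iframe src="http://bad.example/x.php" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit("http://www.example.org/index.html", SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it against a saved copy of a suspect page (fetched with a non-browser client, from a throwaway machine) rather than loading the page in IE; the point of the check is to see the redirect without executing it.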
Harry Letterman

Posted: Sat Sep 15, 2007 7:43 pm

Hi Suzi,

Thanks for deleting my post in the HJT Forum. I downloaded Spyware Terminator ("ST") earlier today and did a "Fast Spyware Scan" and it found 2 items (the links are to descriptions only):

AnalogX PacketMon
BrainNames

I haven't removed these yet 'cause I want to see what an HJT Helper has to say about my Log.

I've tried 3 times to do a Full Scan with Spyware Terminator but my system (XP) keeps giving me a Data Execution Prevention (DEP) window at 61%. ProcessGuard is set to allow everything and so is Spybot 1.5 and my Comodo firewall. I have posted about this problem at ST's Forum (my thread there).

suzi wrote:
...like users who don't patch their OS with Windows updates, and don't keep their programs updated get infected with malware.


I must admit guilt in this department. I had been very lax in keeping Windows, Office, XP & IE patched over the past couple months. My mom's Parkinson's Disease has gotten substantially worse recently and I am now her primary caregiver. I'm spending 8-12 hours a day at her house just taking care of her (meds, feeding, cleaning etc.). She will probably be moving into an assisted living facility, Grandview Village in Marysville, WA (state) in the next week or so.
suzi

Posted: Sat Sep 15, 2007 7:52 pm

Kudos to you for taking care of your mom. :) AnalogX PacketMon is a program that the user has to install. I've not heard of it being installed or used by malware. I'm not familiar with BrainNames, but Sophos has it listed as a PUA -- potentially unwanted application. ST calls it low risk.

http://www.spywareterminator.com/item/3510/BrainNames.html
All times are GMT - 8 Hours