Full Disclosure mailing list archives
RE: Spyware installs with no interaction in IE on fully patched XP SP2 box
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 4 Oct 2004 09:51:04 -0500
Yep, Themexp.org was my wallpaper stop for a while. But it was taken over by new owners a while ago and it is turning south, into an adware/spyware/pop-up site. Kinda sad, it was a very good site.
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Geraldo Rivera
Sent: Monday, October 04, 2004 8:47 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

themexp.org

I should have logged all the files and reg entries I deleted, but it was late at night and I wasn't really thinking about that at the time. I just checked my IE history for some of the things I googled and I found a bunch of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com)
IEPlugin
localnrd.dll
multimpp.dll

From: "Joel R. Helgeson" <joel () helgeson com>
To: "Geraldo Rivera" <iamafraud () hotmail com>, <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
Date: Sun, 3 Oct 2004 14:13:52 -0500

What was the site?

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

----- Original Message -----
From: "Geraldo Rivera" <iamafraud () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 03, 2004 1:16 PM
Subject: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

Last night I went to a site that I have been to on and off for years. The page loaded and then in IE's status bar I saw something suspicious: "installing components...atpartners.cab". I could not close out of IE, and I could not kill the iexplorer.exe process. It totally locked up and I had to reboot my machine. When my machine came back up, I had at least 6 different pieces of spyware/adware on my machine. It took me almost 2 hrs to clean up.

I manually deleted a bunch of crap (stuff I had found through the run key in the registry, suspicious processes running, suspicious files in the usual dir's, and by searching for all files modified at the time this happened). Even after all that, Ad-Aware found 143 entries (none were cookies, mostly registry entries and a few dll's) and then Spybot found an additional 2 registry entries.

This machine is a fully patched XP SP2 box, with the default security settings for IE's Internet Zone. Does anybody know what method this crap could be using to install without any user interaction?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html