Can't find the spyware
Linc
OwnerDetroit Icrontian
A script error keeps popping up out of the blue on my system. I click yes to debug and get the screen shot below.
I deleted all cookies, cleared all temp internet files, as well as updated and ran both AdAware and Spybot S&D. The stupid thing won't quit popping up every few minutes. Know what's going on or where this POS is coming from?
Comments
It lets you find those little things that run.
And smash them flat.
xlonhcld.xlontech.net turns up as a SOF thingamabob in Google. I think they host a Demo or plug-in site. (They appear to be down right now).
Try Hijackthis!, then maybe look for suspicious items in your online games folders.
Good Luck!
Empty your email trash, your temp internet folders, and update defs and scan. I know of two major trojan\worms that hit other parts of the world and have been reported more recently in the US that use GIFs to hide in. I know of at least 20 variants in the last year that do this. Most are trojan\worm double-packed payloads. If you are on broadband, a virtual trip to http://www.antivirus.com/ and a Housecall scan (this is a Trend Micro thing, they are decent at this-- VERY decent) might be in order just to make sure your AV has not been broken without your knowing it.
Fair warning, it is likely that NAV 2003 has been compromised insofar as virus writers knowing what its program is called and where it is typically installed. If you reload NAV 2003, try installing it in some other folder than default and on some other DRIVE than default. I STRONGLY unrecommend NAV 2004 ATM, it indeed has a confirmed registration and reauth (DRM) bug, I REPEAT their DRM is faulty and has a major bug. Trend Micro's PC-cillin, possibly McAfee VirusScan 8.0, and Kaspersky Lab's AV products are best bets right now. I have a Trend Micro PC-cillin 2004 on the way now for myself from Digital River (Trend Micro and quite a large many other folks use them to process and sometimes direct fulfill things) and will sell and recommend that here locally.
If it were not for the DRM in NAV 2004, I would recommend that, but there is SOMETHING in it that is causing boxes with legal versions to decide they need to be reauthed, and there are a limited number of reauths allowed per serial number at Symantec's end by policy. This issue is in their support base and support forums, and their fix is to reload after a manual uninstall, but you only get so many of those before the thing is unusable. Lloyd Case, of ExtremeTech staff (he evals hardware for them and is one of the lab lead people), got hit with it and he is using the latest McAfee right now.
Sorry, Symantec, you did an Intuit on us and BROKE YOUR DRM INTERLINKING TO BOOT-- DO NOT BUY NAV 2004!
John.
I'd previously run antivirus (NAV 2002), but I did it again anyway... still didn't pick up anything.
I got HijackThis and ran it, but didn't really see anything that looked suspicious.
Using the ScriptDebugger, I found where that stupid site was being called from... a file named something like UAP_AIM.adp (That's just an approximation of the first three letters and extension... I don't remember it that well any more).
Anyway, I noticed the letters "AIM" in there, so I thought maybe it was an IM software error. I closed AIM and the script errors stopped. I restarted... and then about 15 minutes later the bugs started again. I noticed that it started just as AIM went to change advertisements in the buddy list window. The ad window then went blank after the errors started.
Stupid AIM.
I downloaded the latest version (I was only about 2 months behind) and the errors have since stopped. I think I'll chalk that one up to bad ad-handling by AIM. Thanks for all the help!
Using Trillian seems to be the only fix at the moment...
Much as I hate to say it, I would run NAV once in Bloodhound mode, heavy heuristics and not normal, and set it to scan all files and not SmartScan, AFTER LiveUpdating. Bloodhound is the behavior discrimination for unknown malware built into NAV, and frankly both 2003 and 2004 have better heuristics (software\app behavior analysis and detection of malware which is unknown to the AV scanner itself) built in, which might be why you are not finding it with NAV, especially if you left it in default scanning mode. Unfortunately, with NAV 2002, some viruses know how to disable it as the first thing they do. Over a hundred variants of them so far, that I know of. Blaster can do this, for example, and several others, many of recent vintage. I would do this, though it will be work.... go to an uncompromised box, get the fixers from Symantec for:
Blaster, SoBig, MiMail and in fact any you have enough floppies to hold. Write protect the floppies, run one by one, then tell us which ones have hits. Or, do a Housecall scan, and I can tell you what Symantec fixer to run. If you have a worm that has been there a while, the best fast overall time thing is to reload completely from scratch, get and install a very modern release AV, update it, then go Windows Update and THEN security pack your box thoroughly, AND firewall it, as firewalls can give you app names you can hunt with Find Files And Folders, or Search, among other things, especially those viruses with trojans embedded, as the firewall will default block them and the logs can tell you what port and what app was used.
A GOOD firewall, like Sygate Pro, can serve as an infection alarm, and in some cases with other info, can tell you what it is and what to do about it, but since trojans and hybrid worm\trojans do listen or call out, a firewall that logs port open attempts and the apps that open them can give you ways to start hunting down malware with basic info that in some cases can be typed as a direct query into virus encyclopedias like Symantec's and get pinpoint direct removal info on impact and on how to remove very precisely.
From the main site of symantec.com, there is now a link to the Security Response center. Look on the lower right of the page for the list of hot fixers, then click the link for all fixers and see how many fixers Symantec deved for folks with low-grade AV protection, and these are free. One security pro's favorite toolbox wrench is a set of floppies or CDs with a fixer archive on it, kept up to date. To fight viruses well, you need to know some things about them, and virus killing is part an art, as you need to know what the viruses replace and rename to fix without a reload.
All the above software has limited scope knowledge of malware, there is no one software pack universal fix, it is a RUN ALL thing and not a run best only thing. Essentially, one of two things happened: Either an advertiser had a compromised box when ad was developed, or a fake ad was pushed into the IM network by someone trying to distribute malware. BUT, this is not a real GIF only that was sent, it has code inside it that is malware.
John.
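The firewall-log hunting John describes above (blocked port attempts tell you which executable to look up) as an added example, not code from the thread or from any firewall vendor; the log format, the paths and the sample lines are constructed and hypothetical, not Sygate's real format:

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up personal-firewall log format:
# date time ACTION DIRECTION <app path> <remote ip>:<port>
# (the Blaster entries mimic what a default-block firewall would show)
SAMPLE_LOG = """\
2004-01-12 09:14:02 BLOCKED OUT C:\\WINDOWS\\system32\\msblast.exe 192.0.2.10:135
2004-01-12 09:14:05 BLOCKED IN  C:\\WINDOWS\\system32\\msblast.exe 0.0.0.0:4444
2004-01-12 09:15:11 ALLOWED OUT C:\\Program Files\\AIM95\\aim.exe 198.51.100.7:5190
2004-01-12 09:16:30 BLOCKED OUT C:\\Documents and Settings\\linc\\Local Settings\\Temp\\svchost.exe 203.0.113.9:25
"""

# Lazy path group so app paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(\S+ \S+) (ALLOWED|BLOCKED) (IN|OUT)\s+(.+?) (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, direction, app, ip, port = m.groups()
        rows.append({"time": ts, "action": action, "dir": direction,
                     "app": app, "ip": ip, "port": int(port)})
    return rows


def blocked_by_app(rows):
    """Map each executable to the (direction, port) pairs the firewall blocked."""
    out = defaultdict(set)
    for r in rows:
        if r["action"] == "BLOCKED":
            out[r["app"]].add((r["dir"], r["port"]))
    return dict(out)


def hunt_list(rows):
    """Executables worth looking up in a virus encyclopedia: anything the firewall
    blocked, with its ports, plus a flag when the binary lives in a Temp folder
    (a legitimate svchost.exe would live in system32, not under Temp)."""
    result = []
    for app, pairs in blocked_by_app(rows).items():
        result.append({"app": app, "exe": app.rsplit("\\", 1)[-1],
                       "ports": sorted(p for _, p in pairs),
                       "in_temp_dir": "\\temp\\" in app.lower()})
    return sorted(result, key=lambda x: x["exe"])
```

Running `hunt_list(parse(SAMPLE_LOG))` yields the two blocked binaries with their ports, which is the info you would type into Symantec's encyclopedia search; the allowed AIM traffic on 5190 is left out.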
...or just update AIM, like I said...
Ageek, I really think you're overreacting. This looks to me like the AIM service simply changed something when it upgraded and older versions don't handle the new ads well.
I AM 50 today, and have been doing hands-on for a very long time, and had a friend catch one of the first 2000 viruses on a DOS EMULATOR hosted repository of data, corrupt his early McAfee VirusScan, copy itself onto 400 executables in archives, and that was a wakeup call for me in 1990, so I am more saying wake up to the world as it now is, not overreacting. I have reloaded one friend's box 5 times in the last 6 months, for him. He runs NAV 2003 Pro (enterprise subversion, and has a firewall, Sygate Pro, now, also, and it told him he had issues in time to fix the last infection almost 10 minutes later).
You can say I am overreacting, but half the bad HD problems I have been paid or traded things for to fix were fixed by zero-packing and revalidating a HD, to get a virgin clean HD to reload on, after folks tried normal reloads 5-10 times with O\S installer locks. 90% of the BAD HDs were NOT bad. I would say to look at the docs for the beta for XP SP2, notice that it is a security gap filler for the most part. Note that the holes include IM handling in XP, RPC fill-ins, turning things off that were turned on, and the inclusion of a stateful packet firewall updating in SP2 beta. I am not saying install beta, unless you have rollback and backup set up beforehand, but am saying that reading about what emphasis they are putting on these things is instructive in showing what Microsoft has had reported verifiably to them as heavy problems which ARE being exploited now so much that Microsoft says they need to be fixed before Longhorn comes out.
John.
Sorry, didn't notice that. Too many un-necessary long posts to read it all....