
Thread: Keyboard F9 key invokes unwanted internet "Search-aide"

  1. #21
    mto Guest

    Re: Keyboard F9 key - ATTN Joe, Chris, hannigan

    Are you on a dial up or broadband? And you're running XP, right?



    "Joe Funk" <joefunk50@shaw.ca> wrote in message
    news:RzfTa.483878$3C2.13143874@news3.calgary.shaw.ca...
    > Sure - here's the running processes (look at all the security software!):
    >
    > Spybot-S&D process list report, 7/22/2003 11:20:20 AM
    >
    > PID: 0 ( 0) [System]
    > PID: 4 ( 0) System
    > PID: 364 ( 4) \SystemRoot\System32\smss.exe
    > PID: 428 ( 364) CSRSS.EXE
    > PID: 452 ( 364) \??\C:\WINDOWS\system32\winlogon.exe
    > PID: 496 ( 452) C:\WINDOWS\system32\services.exe
    > PID: 508 ( 452) C:\WINDOWS\system32\lsass.exe
    > PID: 560 (1028) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    > PID: 660 ( 496) C:\WINDOWS\system32\svchost.exe
    > PID: 704 ( 496) C:\WINDOWS\System32\svchost.exe
    > PID: 832 ( 496) SVCHOST.EXE
    > PID: 868 ( 452) C:\WINDOWS\System32\taskmgr.exe
    > PID: 872 ( 496) SVCHOST.EXE
    > PID: 1028 (1008) C:\WINDOWS\Explorer.EXE
    > PID: 1084 ( 496) C:\WINDOWS\system32\spoolsv.exe
    > PID: 1312 (1028) C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    > PID: 1328 (1028) C:\Program Files\Panicware\Pop-Up Stopper Free
    > Edition\PSFree.exe
    > PID: 1340 (1028) C:\Program Files\VisualZone\VisualZone.exe
    > PID: 1348 (1028) C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    > PID: 1468 ( 496) C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    > PID: 1480 ( 496) C:\WINDOWS\System32\cisvc.exe
    > PID: 1520 ( 496) C:\WINDOWS\System32\inetsrv\inetinfo.exe
    > PID: 1548 (1480) C:\WINDOWS\System32\cidaemon.exe
    > PID: 1664 ( 496) C:\WINDOWS\system32\ZONELABS\vsmon.exe
    > PID: 2028 (1480) C:\WINDOWS\System32\cidaemon.exe
    > ___________________________________________________
    >
    > And here's the startup list:
    >
    > Spybot-S&D Startup list report, 7/22/2003 11:21:36 AM
    >
    > Located: HK_CU:Run, PopUpStopperFreeEdition
    > file: "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    >
    > Located: HK_LM:Run, AVG_CC
    > file: C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    >
    > Located: Startup (common), VisualZone.lnk
    > file: C:\Program Files\VisualZone\VisualZone.exe
    > MD5: EDEB15D21942887CAB632F597127ED24
    >
    > Located: Startup (common), ZoneAlarm.lnk
    > file: C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    > MD5: 53848739EBFC3931C4C232526F1C3F7A
    > ___________________________________________________
    >
    > I don't know what a packet sniffer is.
    > I've noticed in the ZoneAlarm logs that my explorer.exe regularly tries
    > to access the internet. I disallowed it when I first installed ZoneAlarm
    > because it didn't seem likely that explorer.exe would need to be talking to
    > anybody out there.
    > I'm glad you asked because I've always thought it eerie that there's so
    > much activity in them there ports. In the 5 hours since I turned on my
    > computer, I see that ZA has blocked 106 messages attempting to go either in
    > or out. I wish I knew more about what the **** those busy incoming probes
    > are up to, and why so many Services are interested in accessing the net.
    > Joe
    >
    > "mto" <nobody@nowhere.com> wrote in message
    > news:vhqu0plk0clbdc@corp.supernews.com...
    > > Can you guys get a list of your running programs and start up programs from
    > > SpyBot and post them?
    > >
    > > Do any of you have packet sniffer detection installed? Seeing anything
    > > unusual? What about a program trying to access the net through your
    > > firewall?
    > >
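The process list and startup list Joe posted are the kind of report a responder correlates by hand. The script below is an added example, not part of the thread and not Spybot's own code: it parses both reports as quoted above (with the one wrapped path re-joined), builds the parent/child process tree, lists processes whose parent has already exited, flags entries the report shows without a full path, and checks that every startup entry has a matching running process. The report text is copied from the post; the checks and their names are the example's own.

```python
import re
from collections import defaultdict

# Both reports are copied from the Spybot-S&D output quoted above (7/22/2003);
# the one line-wrapped path (PSFree.exe) is re-joined onto a single line.
PROCESS_REPORT = r"""
PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 364 ( 4) \SystemRoot\System32\smss.exe
PID: 428 ( 364) CSRSS.EXE
PID: 452 ( 364) \??\C:\WINDOWS\system32\winlogon.exe
PID: 496 ( 452) C:\WINDOWS\system32\services.exe
PID: 508 ( 452) C:\WINDOWS\system32\lsass.exe
PID: 560 (1028) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 660 ( 496) C:\WINDOWS\system32\svchost.exe
PID: 704 ( 496) C:\WINDOWS\System32\svchost.exe
PID: 832 ( 496) SVCHOST.EXE
PID: 868 ( 452) C:\WINDOWS\System32\taskmgr.exe
PID: 872 ( 496) SVCHOST.EXE
PID: 1028 (1008) C:\WINDOWS\Explorer.EXE
PID: 1084 ( 496) C:\WINDOWS\system32\spoolsv.exe
PID: 1312 (1028) C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
PID: 1328 (1028) C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
PID: 1340 (1028) C:\Program Files\VisualZone\VisualZone.exe
PID: 1348 (1028) C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
PID: 1468 ( 496) C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
PID: 1480 ( 496) C:\WINDOWS\System32\cisvc.exe
PID: 1520 ( 496) C:\WINDOWS\System32\inetsrv\inetinfo.exe
PID: 1548 (1480) C:\WINDOWS\System32\cidaemon.exe
PID: 1664 ( 496) C:\WINDOWS\system32\ZONELABS\vsmon.exe
PID: 2028 (1480) C:\WINDOWS\System32\cidaemon.exe
"""
STARTUP_REPORT = r"""
Located: HK_CU:Run, PopUpStopperFreeEdition
file: "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

Located: HK_LM:Run, AVG_CC
file: C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

Located: Startup (common), VisualZone.lnk
file: C:\Program Files\VisualZone\VisualZone.exe
MD5: EDEB15D21942887CAB632F597127ED24

Located: Startup (common), ZoneAlarm.lnk
file: C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
MD5: 53848739EBFC3931C4C232526F1C3F7A
"""

def basename(image):
    # executable name without directory or arguments, lower-cased
    return image.rsplit("\\", 1)[-1].split()[0].lower()

def parse_process_list(report):
    # pid -> (parent pid, image) from "PID: n ( parent) image" lines
    procs = {}
    for line in report.splitlines():
        m = re.match(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.+?)\s*$", line.strip())
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs

def build_tree(procs):
    # parent pid -> child pids; the self-parented PID 0 is not its own child
    tree = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        if pid != ppid:
            tree[ppid].append(pid)
    return tree

def orphans(procs):
    # parent no longer running: normal for explorer.exe (userinit starts it and
    # exits); anything else that turns up here deserves a closer look
    return sorted(p for p, (pp, _) in procs.items() if p != pp and pp not in procs)

def no_full_path(procs):
    # listed without a directory, so the on-disk location is unconfirmed;
    # PIDs 0 and 4 are kernel pseudo-processes and are skipped
    return sorted(p for p, (_, img) in procs.items() if "\\" not in img and p not in (0, 4))

def parse_startup_list(report):
    # one dict per "Located:" block: location, name, file, optional md5
    entries = []
    for block in re.split(r"\n\s*\n", report.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "located":
                entry["location"], _, entry["name"] = value.partition(", ")
            elif key == "file":
                entry["file"] = value.strip('"')
            elif key == "md5":
                entry["md5"] = value.upper()
        if entry:
            entries.append(entry)
    return entries

def startup_not_running(entries, procs):
    # startup entries whose executable has no matching running process
    running = {basename(img) for _, img in procs.values()}
    return [e["name"] for e in entries if basename(e["file"]) not in running]
```

On this listing the only orphan is Explorer.EXE, which is expected, the three entries without a path are CSRSS.EXE and the two upper-case SVCHOST.EXE lines (worth confirming against System32 rather than taking on faith), and every startup entry maps to a running process. The MD5 values only help once they are compared with a known-good copy of the same file; the two registry Run entries carry no hash at all.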





  2. #22
    mto Guest

    Re: Keyboard F9 key invokes unwanted internet "Search-aide"

    NOTE: you have to hit enter after typing cd C:\ after the little > - sorry
    about that

    "mto" <nobody@nowhere.com> wrote in message
    news:vhr127gmfeep5e@corp.supernews.com...
    >
    > "Joe Funk" <joefunk50@shaw.ca> wrote in message
    > news:z9fTa.485222$ro6.11660257@news2.calgary.shaw.ca...
    > > Yes, indeed. It just confirms the ARIN results in your post of 9:43
    > > yesterday evening. "A+Net Internet Services" and aplus.net
    > > are the same folks. I'm not familiar with IP researching like you're doing
    > > with ARIN, Whois, tracert, and ping. It sure reveals a lot of tangled webs,
    > > doesn't it?

    >
    > Ping and tracert are some of the handiest tools around - open up that
    > command prompt in Windows, type cd C:\ after the little > then type "ping
    > whatever URL or IP number you want to ping" - no quotes obviously - and hit
    > enter. If you typed in a URL it will give you the IP number for the site.
    >
    > Tracert works the same except that it traces the route from your computer to
    > the target server. Very handy should your favorite website suddenly
    > disappear.
    >
    > > As this incident occurred on my home computer, and I brought this on
    > > myself by fooling with Kazaa, I'm not sure how righteous I'll get. Certainly
    > > it would be right to inform others, but I won't be prosecuting anyone.
    > > Thanks for the advice on Spybot-S&D and Total Uninstall, which I'm
    > > learning how to use.

    >
    > HMMM - now if that isn't giving idiots permission to make a victim out of
    > you. Getting you to download a program that does something other than
    > advertised is just the same as inviting a robber into your home thinking he
    > is the kid next door. You of course aren't going to individually prosecute
    > anyone - you would need as much money as God LOL.
    >
    >




  3. #23
    James E. Morrow Guest

    Re: Keyboard F9 key invokes unwanted internet "Search-aide"

    Jay T. Blocksom <usenet01+SPAMBLOCK@appropriate-tech.net> wrote in
    news:6bqhvshamp5cs4sa584jlu779tgl5kkja@news.rcn.com:

    > --> whois -h whois.names4ever.com search-aide.com
    > -->
    > --> Registrant:
    > --> Opensoft Corp. Vanuatu
    > --> 2nd Floor, Windsor house PO Box 257
    > --> Port Villa, na na
    > --> Vanuatu
    > -->
    > --> Domain Name: search-aide.com
    > -->
    > --> Administrative Contact, Billing Contact:
    > --> Amir Rejwan (ST4PB) amir_rejwan@yahoo.com
    > --> Opensoft Corp. Vanuatu
    > --> 2nd Floor, Windsor house PO Box 257
    > --> Port Villa, na na
    > --> Vanuatu
    > --> Phone: (678)50314892
    > -->
    >



    Ah, yes exotic Vanuatu. Notorious home of South Pacific fraud. The
    place was once famous for sex dialer scams. Users were not told they
    were making a very long distance call to a far far away island at high
    rates. Anything from Vanuatu is not on the up and up.


    --
    James E. Morrow
    Email to: jamesemorrow@email.com

  4. #24
    Chris McFarland Guest

    Re: Keyboard F9 key invokes unwanted internet "Search-aide"

    Tonight I'm logging all of my outgoing traffic to look for anything
    suspicious. Although my guess is that nothing besides the hijack of the F9
    key occurred, the current lack of hard info on Kazaap makes me nervous. If I
    find anything else of interest I will report it here.

    Joe, in response to Jay's comments, I can only reiterate his advice. Wiping
    the machine is the only way to be sure. Fortunately my situation allows me
    to ride this out and see what else others find before I nuke it all.

    Chris


    "Jay T. Blocksom" <usenet01+SPAMBLOCK@appropriate-tech.net> wrote in message
    news:6bqhvshamp5cs4sa584jlu779tgl5kkja@news.rcn.com...
    > On Mon, 21 Jul 2003 19:29:52 GMT, in <alt.privacy.spyware>, "Joe Funk"
    > <joefunk50@shaw.ca> wrote:
    > >

    > [snip]
    >
    > > ... no luck so far ... here's a recap of what I've tried ...
    > >

    > [snip]
    >
    > OK, a couple of thoughts...
    >
    > First, while a Google/All-The-Web search on Infosoft AND "Search-Aide" comes
    > up empty, searching on just "infosoft" produces links to at least a dozen
    > (probably several dozen, but I didn't bother to chase them all down)
    > *different* companies/organizations/entites using that name, scattered all
    > over the globe; and most of them look pretty "iffy" at best. The one "mto"
    > apparently presumed it was ("InfoSoft International" of Boston, MA) is
    > indeed a relatively reputable outfit (or "was" -- they've since been
    > acquired by Houghton-Mifflin, so they no longer really have any "'net
    > presence" under their own identity). However, it is near-certain that this
    > is *NOT* the "InfoSoft" responsible for hijacking your browser (and/or
    > planting a trojan, or worse).
    >
    > > However I did find the source html on my hard drive. After hitting F9
    > > I found aide.html in
    > > my ..\Temporary Internet Files folder. (That file's Properties showed the
    > > address http://www.search-aide.com/aide.html .)

    > [snip]
    >
    > This is much more enlightening -- and much more damning. A WHOIS lookup on
    > "Search-Aide.com" produces:
    >
    > --> whois -h whois.names4ever.com search-aide.com
    > -->
    > --> Registrant:
    > --> Opensoft Corp. Vanuatu
    > --> 2nd Floor, Windsor house PO Box 257
    > --> Port Villa, na na
    > --> Vanuatu
    > -->
    > --> Domain Name: search-aide.com
    > -->
    > --> Administrative Contact, Billing Contact:
    > --> Amir Rejwan (ST4PB) amir_rejwan@yahoo.com
    > --> Opensoft Corp. Vanuatu
    > --> 2nd Floor, Windsor house PO Box 257
    > --> Port Villa, na na
    > --> Vanuatu
    > --> Phone: (678)50314892
    > -->
    > --> Technical Contact:
    > --> A+Net DNS Administrator (AD384-ORG) support@aplus.net
    > --> A+Net Internet Services
    > --> 10350 Barnes Canyon Road
    > --> San Diego, CA 92121
    > --> United States
    > --> Phone: (858) 410-6900
    > -->
    > --> Record last updated on 2003-07-14 15:24:41.733
    > --> Record created on 2003-07-14 11:15:16.263
    > --> Record expires on 2004-07-14 18:28:29.000
    > -->
    > --> Domain servers in listed order:
    > --> ns1.abac.com 216.55.128.4
    > --> ns2.abac.com
    > -->
    > --> Registration Service Provider: (APRO)AplusNet
    > --> apro@names4ever.com
    > --> (858) 410-6900
    > --> http://www.aplus.net
    > -->
    > --> Registrar: NAMES4EVER, http://www.names4ever.com
    >
    > Wonderful... Domain created barely a week ago (but at least this gives you
    > a time-frame for when you were probably infected), via a VERY spammy
    > registrar (I've never seen a legitimate domain registered through them, tho'
    > I suppose such might exist), using a Yahoo drop-box for the domain contact
    > (and probably other bogus contact info; Vanuatu does exist -- see
    > <http://www.cia.gov/cia/publications/factbook/geos/nh.html> -- but I somehow
    > doubt it's a hotbed of legitimate software development <~>).
    >
    > I think we've found (sort of) the perp.
    >
    > > After running the utilities listed above, SpyBot-S&D says I'm now
    > > clean - no spybots, tracking cookies, hijackers, keyloggers, malware or
    > > trojans.

    > [snip]
    >
    > All well and good, BUT... After your mention of having loaded known trojan
    > apps (like Kazaa, for example), and given the fact that this is XP (which is
    > inherently less secure than any other version of Windows), I would not count
    > on that. Yes, you *may* be (relatively) clean at this point; I just
    > wouldn't bet on it.
    >
    > > So now I'm trying to track down what I suppose is the real culprit:
    > > some little exe, dll, vbs, js, or wsh file on my computer that hooks onto
    > > F9. Am I on the right track?
    > >

    >
    > Chris McFarland had some reasonable-looking pointers for you on that front.
    > And for your sake, I hope he's right. But until and unless we (or more
    > accurately, the folks behind AdAware and/or Spybot S&D) can positively
    > identify this particular parasite and KNOW what exactly is needed to fully
    > excise it, the only really certain way to be sure it's gone is a full
    > re-format ground-up reinstallation of EVERYTHING (including, hopefully, a
    > better version of Windows) -- not to mention the fact that, given your
    > apparent usage habits, it's likely that this is not the only trojan to have
    > found its way onto your system.
    >
    > I know that's not the news you wanted to hear; but it's the only thing I can
    > tell you that I would be really confident in.
    >
    > --
    >
    > Jay T. Blocksom
    > --------------------------------
    > Appropriate Technology, Inc.
    > usenet01[at]appropriate-tech.net
    >
    >
    > "They that can give up essential liberty to obtain a little temporary
    > safety deserve neither liberty nor safety."
    > -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    >
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    > NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    > Unsolicited advertising sent to this E-Mail address is expressly prohibited
    > under USC Title 47, Section 227. Violators are subject to charge of up to
    > $1,500 per incident or treble actual costs, whichever is greater.
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
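Jay reads two things off the WHOIS record by eye: the domain was created about a week before the hijack page turned up, and the contact address is a Yahoo drop-box. The script below is an added example, not part of the thread: it parses the record exactly as quoted above and turns both observations into checks, computing the domain's age relative to the time Joe's post reported aide.html (21 Jul 2003 19:29:52 GMT, taken from the quoted header) and looking the contact addresses up against a short constructed webmail list. The patterns are written against this registrar's output layout, and the freemail list and the 30-day threshold are assumptions.

```python
import re
from datetime import datetime

# WHOIS answer exactly as Jay quoted it above (whois.names4ever.com, July 2003).
WHOIS_OUTPUT = """\
Registrant:
Opensoft Corp. Vanuatu
2nd Floor, Windsor house PO Box 257
Port Villa, na na
Vanuatu

Domain Name: search-aide.com

Administrative Contact, Billing Contact:
Amir Rejwan (ST4PB) amir_rejwan@yahoo.com
Opensoft Corp. Vanuatu
2nd Floor, Windsor house PO Box 257
Port Villa, na na
Vanuatu
Phone: (678)50314892

Technical Contact:
A+Net DNS Administrator (AD384-ORG) support@aplus.net
A+Net Internet Services
10350 Barnes Canyon Road
San Diego, CA 92121
United States
Phone: (858) 410-6900

Record last updated on 2003-07-14 15:24:41.733
Record created on 2003-07-14 11:15:16.263
Record expires on 2004-07-14 18:28:29.000

Domain servers in listed order:
ns1.abac.com 216.55.128.4
ns2.abac.com

Registration Service Provider: (APRO)AplusNet
apro@names4ever.com
(858) 410-6900
http://www.aplus.net

Registrar: NAMES4EVER, http://www.names4ever.com
"""

# When the hijack page was reported: header of Joe's 21 Jul 2003 post quoted above.
OBSERVED_AT = datetime(2003, 7, 21, 19, 29, 52)

# Constructed, illustrative webmail list and an assumed "young domain" threshold.
FREEMAIL_DOMAINS = {"yahoo.com", "hotmail.com"}
YOUNG_DOMAIN_DAYS = 30

DATE_RE = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

def _record_date(label, text):
    # "Record created on 2003-07-14 11:15:16.263" -> datetime (fraction dropped)
    m = re.search(rf"Record {label} on {DATE_RE}", text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None

def _nameservers(text):
    # host names from the block that follows "Domain servers in listed order:"
    hosts, grab = [], False
    for line in text.splitlines():
        if line.startswith("Domain servers"):
            grab = True
        elif grab and not line.strip():
            break
        elif grab:
            hosts.append(line.split()[0])
    return hosts

def parse_whois(text):
    # patterns match this registrar's layout; other whois servers label the
    # same fields differently and need their own patterns
    domain = re.search(r"Domain Name:\s*(\S+)", text)
    registrar = re.search(r"Registrar:\s*([^,\n]+)", text)
    return {
        "domain": domain.group(1).lower() if domain else None,
        "registrar": registrar.group(1).strip() if registrar else None,
        "created": _record_date("created", text),
        "updated": _record_date("last updated", text),
        "expires": _record_date("expires", text),
        "contact_emails": re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text),
        "nameservers": _nameservers(text),
    }

def triage(record, observed_at):
    # the two points Jay read off the record: how young the domain was when the
    # page was served, and whether a contact address is a webmail drop-box
    age_days = (observed_at - record["created"]).days
    term_days = (record["expires"] - record["created"]).days
    freemail = [e for e in record["contact_emails"]
                if e.rsplit("@", 1)[1].lower() in FREEMAIL_DOMAINS]
    return {
        "age_days": age_days,
        "young_domain": age_days < YOUNG_DOMAIN_DAYS,
        "registration_term_days": term_days,
        "freemail_contacts": freemail,
    }

if __name__ == "__main__":
    rec = parse_whois(WHOIS_OUTPUT)
    for key, value in rec.items():
        print(f"{key:>15}: {value}")
    print(triage(rec, OBSERVED_AT))
```

Run stand-alone it reports an age of 7 days, a one-year registration term and one webmail contact. Domain age and contact quality are triage hints that narrow the infection window, as Jay notes; they are not on their own proof that a domain is hostile, and the same record keyed off a different registrar's whois server will need its own patterns.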



  5. #25
    Jay T. Blocksom Guest

    Re: Keyboard F9 key invokes unwanted internet "Search-aide"

    On Tue, 22 Jul 2003 18:13:51 GMT, in <alt.privacy.spyware>, "Joe Funk"
    <joefunk50@shaw.ca> wrote:
    >
    > Sobering thoughts, Jay, to a computer slob like myself. "My name is
    > legion." ;>)
    > I've long been wondering about my home computer's security, and
    > trojans in particular. This (so far apparently) mild scrape has been
    > educational.

    [snip]

    For your sake, I hope it is only that. But as I sort'a said before, you
    need to change your fundamental approach to the system (and the 'net as a
    whole) if you want to avoid similar (or worse) problems in the future.

    > I'm trying out 8 little free or shareware security programs just to keep
    > the wolves at bay. Perhaps I'll end up buying a total-solution package
    > like Norton or McAffee,

    [snip]

    Don't do that.

    > ...but my experience has been that they're overly intrusive
    > and they sap resources.

    [snip]

    Among other problems.

    Really, there is probably only one thing you need to buy, and that's a
    decent hardware-based firewall. Virtually everything else is a matter of
    setting the system (and the firewall) up correctly, and NOT loading stuff
    that can/does cause problems (a very long list, that -- which starts with
    certain versions of Windows itself).

    > I don't want to re-format and re-install, but isn't that supposed to
    > be a twice-yearly chore with Windows anyway?

    [snip]

    That is a popular myth.

    As bad as Windows is in many ways (and that's pretty bad); there is no
    reason this should be considered "normal" *IF* you use quality hardware, set
    the system up correctly to start with, and don't let the user fsck it up
    once it's in the field. The only time I've reformatted one of my systems
    was when I was either changing the disk out (usually to add capacity) or
    rebuilding the system from scratch in order to set it up for a different
    user or application[1]. On this particular box, that last happened on
    06-25-1999 (tho' in all candor, it's likely to happen again real soon now,
    due to a chronic disk-space crunch; I just bought a 120GB drive for my
    server, which will then donate its current 30GB model to my workhorse).

    However, your system quite obviously was NOT set up correctly at the get go;
    and you DID fsck it up by loading known malware (obviously, I don't know how
    the hardware issue impacts you). So you may indeed need to start over, from
    the metal.

    > Also disturbing is the idea of dumping Kazaa permanently.

    [snip]

    That should be a no-brainer.


    Footnotes:
    [1] Ooops -- I just remembered... Back around '94 or so, I had a bad disk
    controller which would semi-randomly "double-up" two bytes at a time during
    disk writes whenever the bus got "too busy", which would in turn cause the
    rest of that sector to be "offset" by two bytes, truncating the final two
    bytes of the sector (since there was no longer room for them). At its
    core, it was apparently a buffer-flush problem; but I never completely
    confirmed that. This of course would corrupt the file it was writing (or
    re-writing). Drove me nuts for awhile 'til I figured out what was going on;
    and it happened *just* often enough to be a serious problem, but not often
    enough to be able to observe it at will. Anyway, after I finally diagnosed
    the problem and replaced the controller, I obviously did have to re-format
    the drive and re-load everything from scratch, in order to be really sure
    that everything was as it should have been. But this still had nothing to
    do with Windows (which I wasn't even running on that box).

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net


    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this E-Mail address is expressly prohibited
    under USC Title 47, Section 227. Violators are subject to charge of up to
    $1,500 per incident or treble actual costs, whichever is greater.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
