Is it spyware or something else? (please help!)

[Bee]

Hello all

Over the last several weeks while chatting/web surfing I've been
seeing dialog boxes suddenly pop up saying things like "Would you like
to install the latest version of..." with a yes/no and no way to
close the box. When I click 'no' a new screen pops up worded in such a
way that clicking 'no' either installs a program/agrees to the terms
and conditions. This goes on for several screens until the program
finally gives up. I've gotten this for about 4 or 5 different things
ranging from online shopping services, search software, etc. I've
never been to these sites and I just ran the latest version of adaware
and they're still coming up. I don't think they're coming from the
website I was surfing on (unless CNN is getting into the act).

My question is, what the heck *is* this thing, how did it get on my
computer, and what can I do to shut it off? I use a dial-up
connection so installing firewall software hasn't been a priority.
Would that make any difference?

Any and all help would be greatly appreciated.

Thanks!

Bee

[Andrew Clover]

Bee <borednow@earthlink.net> wrote:

> My question is, what the heck *is* this thing

Difficult to say without screenshots, but it is possible you have a
commercial trojan installed that is trying to make money by installing
other parasites. Some ask before installing, some ask more forcefully
(repeated prompts etc.), some just install behind your back. One notable
installer is FavoriteMan:

http://www.doxdesk.com/parasite/FavoriteMan.html

but there are other possbilities too. Try running Ad-Aware or Spybot,
or if they don't find it, use HijackThis:

http://www.spywareinfo.com/~merijn/f...hijackthis.zip

and post the log here or one of the forums.

Alternatively, this could just be something spawned by web pages. There
are many tricks you can play on IE users to try get them to allow an
installation. Your best defence is to use a different web browser for
everyday browsing; your not-quite-as-good-but-still-worthwhile defence
is to disable ActiveX downloads in the security settings and make
sure you have all the latest browser and JVM patches from Windows
Update.

> I use a dial-up connection so installing firewall software hasn't been
> a priority. Would that make any difference?

I don't know about this case, but going on-line with Windows without either

a. a firewall or NAT box between you and the open net, OR
b. keeping up to date with all patches, AND
c. spending some considerable effort on disabling Windows network
services such as RPC

is a very bad idea regardless of whether it's an always-on or narrowband
connection. Common worms today are small and attempt to connect frequently;
you can reasonably expect to be infected in a matter of minutes.

--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/

[|3iff //ullins]

lucat bene, der and-google@doxdesk.com (Andrew Clover) goh, a hunnert
truxx inero, sumwit kowz n' sumwit duxx on 24 Sep 2003 09:41:32 -0700:

>Bee <borednow@earthlink.net> wrote:
>
>> My question is, what the heck *is* this thing
>
>Difficult to say without screenshots, but it is possible you have a
>commercial trojan installed that is trying to make money by installing
>other parasites. Some ask before installing, some ask more forcefully
>(repeated prompts etc.), some just install behind your back. One notable
>installer is FavoriteMan:
>
> http://www.doxdesk.com/parasite/FavoriteMan.html
>
>but there are other possbilities too. Try running Ad-Aware or Spybot,
>or if they don't find it, use HijackThis:
>
> http://www.spywareinfo.com/~merijn/f...hijackthis.zip
>
greetings andrew. just letting you know that link gives me a 404.
i did, however, find the following link to hijackthis hosted at
spywareinfo.com:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
hth. peace...

>and post the log here or one of the forums.
>
>Alternatively, this could just be something spawned by web pages. There
>are many tricks you can play on IE users to try get them to allow an
>installation. Your best defence is to use a different web browser for
>everyday browsing; your not-quite-as-good-but-still-worthwhile defence
>is to disable ActiveX downloads in the security settings and make
>sure you have all the latest browser and JVM patches from Windows
>Update.
>
>> I use a dial-up connection so installing firewall software hasn't been
>> a priority. Would that make any difference?
>
>I don't know about this case, but going on-line with Windows without either
>
> a. a firewall or NAT box between you and the open net, OR
> b. keeping up to date with all patches, AND
> c. spending some considerable effort on disabling Windows network
> services such as RPC
>
>is a very bad idea regardless of whether it's an always-on or narrowband
>connection. Common worms today are small and attempt to connect frequently;
>you can reasonably expect to be infected in a matter of minutes.

[|3iff //ullins]

lucat bene, der and-google@doxdesk.com (Andrew Clover) goh, a hunnert
truxx inero, sumwit kowz n' sumwit duxx on 24 Sep 2003 09:41:32 -0700:

>> I use a dial-up connection so installing firewall software hasn't been
>> a priority. Would that make any difference?
>
>I don't know about this case, but going on-line with Windows without either
>
> a. a firewall or NAT box between you and the open net, OR
> b. keeping up to date with all patches, AND
> c. spending some considerable effort on disabling Windows network
> services such as RPC
>
please let me ask you this as i completely respect both your expertise
and opinion. also, kindly forgive me for any inherent stupidity in
this query...

i've been running software firewalls for years now, but have recently
gotten into home networking and now have a dsl router in place that
gives me NAT. do you think i still need the software firewalls (kerio)
on my individual pc's? i would imagine that i do need them, if for no
other reason than to keep crapware from 'phoning home'?...

while i've been on the 'net for years, i am a *total newbie to home
networking.

>is a very bad idea regardless of whether it's an always-on or narrowband
>connection. Common worms today are small and attempt to connect frequently;
>you can reasonably expect to be infected in a matter of minutes.
>
i installed a new pc for a neighbor just the other day. he had dsl all
hooked up and ready for the pc. i plugged it in and within its first 5
minutes of internet connectivity, before i could even download the
firewall and install it), the poor bawx was infexted with at least two
different things. sickening, yet amazing...

peace...

--
"enjoy every sandwich."
-warren zevon

[D11@anywhere.com]

On Wed, 24 Sep 2003 2007 GMT, "|3iff //ullins"
<biff.mullins3@3premeditatedfun.com> wrote:

>lucat bene, der and-google@doxdesk.com (Andrew Clover) goh, a hunnert
>truxx inero, sumwit kowz n' sumwit duxx on 24 Sep 2003 09:41:32 -0700:
>
>>> I use a dial-up connection so installing firewall software hasn't been
>>> a priority. Would that make any difference?
>>
>>I don't know about this case, but going on-line with Windows without either
>>
>> a. a firewall or NAT box between you and the open net, OR
>> b. keeping up to date with all patches, AND
>> c. spending some considerable effort on disabling Windows network
>> services such as RPC
>>
>please let me ask you this as i completely respect both your expertise
>and opinion. also, kindly forgive me for any inherent stupidity in
>this query...
>
>i've been running software firewalls for years now, but have recently
>gotten into home networking and now have a dsl router in place that
>gives me NAT. do you think i still need the software firewalls (kerio)
>on my individual pc's? i would imagine that i do need them, if for no
>other reason than to keep crapware from 'phoning home'?...
>
>while i've been on the 'net for years, i am a *total newbie to home
>networking.
>
>>is a very bad idea regardless of whether it's an always-on or narrowband
>>connection. Common worms today are small and attempt to connect frequently;
>>you can reasonably expect to be infected in a matter of minutes.
>>
>i installed a new pc for a neighbor just the other day. he had dsl all
>hooked up and ready for the pc. i plugged it in and within its first 5
>minutes of internet connectivity, before i could even download the
>firewall and install it), the poor bawx was infexted with at least two
>different things. sickening, yet amazing...
>
>peace...
Is a router a good firewall?

Most consumer routers are just fine as firewalls if you don't need to
open any ports in them. This is true whether the router uses NAT or
SPI technology. Once you do open ports, SPI-based routers can provide
a little more protection for the computers that the ports are
forwarded to, but mainly from denial-of-service (DoS) or similar
attacks that are intended to crash your machine.

We highly recommend running a personal firewall program such as
ZoneAlarm on any machine that has ports forwarded to it. These
applications monitor all network data entering and leaving the system
that they run on, looking for signs of suspicious behavior.
http://www.smallnetbuilder.com/index.php
http://www.firewall-software.com/fir..._firewall.html
http://www.firewallguide.com/

[Jay T. Blocksom]

On Wed, 24 Sep 2003 22:17:59 GMT, in <alt.privacy.spyware>,
"D11@anywhere.com" <> wrote:
>
[snip]
>
> Most consumer routers are just fine as firewalls if you don't need to
> open any ports in them.
[snip]

Your statement is literally true, as far as it goes -- but running a router
that closes *all* ports would make for a pretty useless 'net connection
(translation: "*no* connection"). <~>

Beyond that, a router is *NOT* at all the same thing (or an adequate
substitute for) a proper firewall.

> This is true whether the router uses NAT or
> SPI technology.
[snip]

That's not an "either/or" proposition. A proper firewall uses *both* SPI
*and* NAT (and PAT, and some other "stuff", for that matter).

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[|3iff //ullins]

Blick auf wie gut Jay T. Blocksom
<usenet01+SPAMBLOCK@appropriate-tech.net> goh, a hundert LKWAS in
einer Reihe geht, einige mit Kühen und einige mit Enten on Sat, 27 Sep
2003 18:19:02 -0400:

>On Wed, 24 Sep 2003 22:17:59 GMT, in <alt.privacy.spyware>,
>"D11@anywhere.com" <> wrote:
> >
> [snip]
> >
> > Most consumer routers are just fine as firewalls if you don't need to
> > open any ports in them.
> [snip]
>
>Your statement is literally true, as far as it goes -- but running a router
>that closes *all* ports would make for a pretty useless 'net connection
>(translation: "*no* connection"). <~>
>
>Beyond that, a router is *NOT* at all the same thing (or an adequate
>substitute for) a proper firewall.
>
> > This is true whether the router uses NAT or
> > SPI technology.
> [snip]
>
>That's not an "either/or" proposition. A proper firewall uses *both* SPI
>*and* NAT (and PAT, and some other "stuff", for that matter).
>
thanks to both of you for the info.

[|3iff //ullins]

Blick auf wie gut "D11@anywhere.com" <> goh, a hundert LKWAS in einer
Reihe geht, einige mit Kühen und einige mit Enten on Wed, 24 Sep 2003
22:17:59 GMT:

>On Wed, 24 Sep 2003 2007 GMT, "|3iff //ullins"
><biff.mullins3@3premeditatedfun.com> wrote:
>
>>lucat bene, der and-google@doxdesk.com (Andrew Clover) goh, a hunnert
>>truxx inero, sumwit kowz n' sumwit duxx on 24 Sep 2003 09:41:32 -0700:
>>
>>>> I use a dial-up connection so installing firewall software hasn't been
>>>> a priority. Would that make any difference?
>>>
>>>I don't know about this case, but going on-line with Windows without either
>>>
>>> a. a firewall or NAT box between you and the open net, OR
>>> b. keeping up to date with all patches, AND
>>> c. spending some considerable effort on disabling Windows network
>>> services such as RPC
>>>
>>please let me ask you this as i completely respect both your expertise
>>and opinion. also, kindly forgive me for any inherent stupidity in
>>this query...
>>
>>i've been running software firewalls for years now, but have recently
>>gotten into home networking and now have a dsl router in place that
>>gives me NAT. do you think i still need the software firewalls (kerio)
>>on my individual pc's? i would imagine that i do need them, if for no
>>other reason than to keep crapware from 'phoning home'?...
>>
>>while i've been on the 'net for years, i am a *total newbie to home
>>networking.
>>
>>>is a very bad idea regardless of whether it's an always-on or narrowband
>>>connection. Common worms today are small and attempt to connect frequently;
>>>you can reasonably expect to be infected in a matter of minutes.
>>>
>>i installed a new pc for a neighbor just the other day. he had dsl all
>>hooked up and ready for the pc. i plugged it in and within its first 5
>>minutes of internet connectivity, before i could even download the
>>firewall and install it), the poor bawx was infexted with at least two
>>different things. sickening, yet amazing...
>>
>>peace...
> Is a router a good firewall?
>
>Most consumer routers are just fine as firewalls if you don't need to
>open any ports in them. This is true whether the router uses NAT or
>SPI technology. Once you do open ports, SPI-based routers can provide
>a little more protection for the computers that the ports are
>forwarded to, but mainly from denial-of-service (DoS) or similar
>attacks that are intended to crash your machine.
>
>We highly recommend running a personal firewall program such as
>ZoneAlarm on any machine that has ports forwarded to it. These
>applications monitor all network data entering and leaving the system
>that they run on, looking for signs of suspicious behavior.
>http://www.smallnetbuilder.com/index.php
>http://www.firewall-software.com/fir..._firewall.html
>http://www.firewallguide.com/
>
thanks for the links!

[Chuck]

On 24 Sep 2003 09:41:32 -0700, and-google@doxdesk.com (Andrew Clover)
wrote:

>SNIP<
>I don't know about this case, but going on-line with Windows without either
>
> a. a firewall or NAT box between you and the open net, OR
> b. keeping up to date with all patches, AND
> c. spending some considerable effort on disabling Windows network
> services such as RPC
>
>is a very bad idea regardless of whether it's an always-on or narrowband
>connection. Common worms today are small and attempt to connect frequently;
>you can reasonably expect to be infected in a matter of minutes.

I would change that to "a. AND b. AND c." Patching AND disabling is
not an effective alternative to hardware and software protection.
Particularly cause M$ can't keep up with the patches and then patching
the patches.

A hardware firewall (NAT router) is so cheap, considering the
alternatives.


Chuck Croll
cacrollthespam@yahoo.com
I hate spam - Please get rid of the spam if you want to email me!!
Trusted Computing? Right! http://www.againsttcpa.com/

[Jay T. Blocksom]

On 23 Sep 2003 16:43:47 -0700, in <alt.privacy.spyware>,
borednow@earthlink.net (Bee) wrote:
>
> Hello all
>
> Over the last several weeks while chatting/web surfing I've been
> seeing dialog boxes suddenly pop up saying things like "Would you like
> to install the latest version of..." with a yes/no and no way to
> close the box.
[snip]

Start by disabling ALL scripting, Java, ActiveX, etc.; then also disable
Windows Messenger. This is only "treating the symptom", but it's something
you can do *immediately* to help get a handle on things.

Then go get both "AdAware" and "Spybot Search & Destroy", install them, and
run them per the instructions provided. This will likely point out most of
the other acute problems.

To drastically reduce the chances of them from recurring, use this:

<http://www.litepc.com/ieradicator.html>

Enjoy.

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -