Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Scumware-Remover.org

 
Moore
Moderator


Joined: 31 May 2004
Last Visit: 16 Jun 2014
Posts: 758
Location: °°.MooreLand.°°

Posted: Sat Oct 23, 2004 4:20 am    Post subject: Scumware-Remover.org

Hi, a site I came across in my travels today was Scumware-Remover.org and smartestsearch.com, anyone heard of them before?

Also has a removal program available to download, thought I'd better check if they are good or bad or in between, before I block them Very Happy

Thanks for any info. Cool

Quote:
Scumware-Remover.org

Scumware facts:

Also known as spyware and adware.

Experts view scumware as a real threat to consumers and businesses. If you're online, you should be concerned about scumware.

Nine out of 10 PCs connected to the Internet are infected with scumware.
A recent scumware audit report published by Earthlink and Webroot found an average of 26.5 scumware traces are present on a given PC. In a six-month period, two million scans found 55 million pieces of scumware.
92% of corporate IT managers at companies with more than 100 employees claim they have a "major" scumware problem.
What to do:

Remove scumware from your computer with the free and safe software developed by ICAS (Internet Companies Against Scumware).

Click Here to run the free scumware removal software

http://www.scumware-remover.org/install.html




Liam Rhodes/Scumware-Remover.org:66.79.171.0-66.79.171.127

Scumware-Remover.org:66.79.171.70-66.79.171.70

--

www.smartestsearch.com:66.79.171.75

Registrant:
Steven Burritt
239 millcreek lane
naperville, Illinois 60540
United States

Registered through: GoDaddy.com
Domain Name: SMARTESTSEARCH.COM
Created on: 06-Aug-02
Expires on: 06-Aug-05
Last Updated on: 08-Jun-04

Administrative Contact:
Burritt, Steven
239 millcreek lane
naperville, Illinois 60540
United States
Domain servers in listed order:
NS1.H-C-T.COM
NS2.H-C-T.COM
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Sat Oct 23, 2004 8:03 pm

Moore:

Thanks for posting that. I tried it on my Windows 2000 box, but it won't work. The thing is hard coded to use Windows XP paths -- tries to install three files to \WINDOWS\SYSTEM32. The default WinDir on a 2K box is \WINNT, so it crashes before doing anything significant.

Based just on that I can't recommend anyone bother with this. If someone with a WinXP box is willing to give it a whirl, I'd be most interested in hearing how it performs. Screenshots would be nice, too.

Best,

Eric L. Howes
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Sat Oct 23, 2004 9:17 pm

I started it and got ZA alerts and it tried to change my default search page and homepage to smartestsearch.com. Evil or Very Mad

SpywareGuard gave me the warning and let me change them back with a couple of clicks. The scan gave an error and timed out. But I still got 3 files downloaded to C:\Windows\system32:

dps.exe
dps32.exe
mse.exe

Ok, while I was posting this I thought I should run a HijackThis log. This piece of crap malware put a whole bunch of entries in my hosts file and the O4 entry highlighted in red.

Logfile of HijackThis v1.98.0
Scan saved at 10:29:30 PM, on 10/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\PGPserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Suzi\My Documents\My Downloads\installers\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O1 - Hosts: 66.79.171.75 www.google.com
O1 - Hosts: 66.79.171.75 www.yahoo.com
O1 - Hosts: 66.79.171.75 www.altavista.com
O1 - Hosts: 66.79.171.75 www.hotbot.com
O1 - Hosts: 66.79.171.75 www.lycos.com
O1 - Hosts: 66.79.171.75 www.mamma.com
O1 - Hosts: 66.79.171.75 www.askjeeves.com
O1 - Hosts: 66.79.171.75 www.ask.com
O1 - Hosts: 66.79.171.75 www.google.co.uk
O1 - Hosts: 66.79.171.75 www.yahoo.co.uk
O1 - Hosts: 66.79.171.75 www.altavista.co.uk
O1 - Hosts: 66.79.171.75 www.hotbot.co.uk
O1 - Hosts: 66.79.171.75 www.lycos.co.uk
O1 - Hosts: 66.79.171.75 www.mamma.co.uk
O1 - Hosts: 66.79.171.75 www.askjeeves.co.uk
O1 - Hosts: 66.79.171.75 www.ask.co.uk
O1 - Hosts: 66.79.171.75 www.msn.com
O1 - Hosts: 66.79.171.75 www.msn.co.uk
O1 - Hosts: 66.79.171.75 www.go.com
O1 - Hosts: 66.79.171.75 www.go.co.uk
O1 - Hosts: 66.79.171.75 www.no-ip.com
O1 - Hosts: 66.79.171.75 www.hotbar.com
O1 - Hosts: 66.79.171.75 www.mywebsearch.com
O1 - Hosts: 66.79.171.75 www.exactsearch.net
O1 - Hosts: 66.79.171.75 www.resultsmaster.com
O1 - Hosts: 66.79.171.75 www.kanoodle.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dps] c:\windows\system32\dps.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Mad This is a real nasty!!!
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 21 Sep 2014
Posts: 3913
Location: California

Posted: Sat Oct 23, 2004 11:45 pm

OK, so you already know the baddies, but here they are. If you didn't have SpywareGuard, then there would probably be at least one O2 and O3 to be fixed as well.


Quote:

Check the boxes next to all these, close all other windows, then click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

O1 - Hosts: 66.79.171.75 www.google.com
O1 - Hosts: 66.79.171.75 www.yahoo.com
O1 - Hosts: 66.79.171.75 www.altavista.com
O1 - Hosts: 66.79.171.75 www.hotbot.com
O1 - Hosts: 66.79.171.75 www.lycos.com
O1 - Hosts: 66.79.171.75 www.mamma.com
O1 - Hosts: 66.79.171.75 www.askjeeves.com
O1 - Hosts: 66.79.171.75 www.ask.com
O1 - Hosts: 66.79.171.75 www.google.co.uk
O1 - Hosts: 66.79.171.75 www.yahoo.co.uk
O1 - Hosts: 66.79.171.75 www.altavista.co.uk
O1 - Hosts: 66.79.171.75 www.hotbot.co.uk
O1 - Hosts: 66.79.171.75 www.lycos.co.uk
O1 - Hosts: 66.79.171.75 www.mamma.co.uk
O1 - Hosts: 66.79.171.75 www.askjeeves.co.uk
O1 - Hosts: 66.79.171.75 www.ask.co.uk
O1 - Hosts: 66.79.171.75 www.msn.com
O1 - Hosts: 66.79.171.75 www.msn.co.uk
O1 - Hosts: 66.79.171.75 www.go.com
O1 - Hosts: 66.79.171.75 www.go.co.uk
O1 - Hosts: 66.79.171.75 www.no-ip.com
O1 - Hosts: 66.79.171.75 www.hotbar.com
O1 - Hosts: 66.79.171.75 www.mywebsearch.com
O1 - Hosts: 66.79.171.75 www.exactsearch.net
O1 - Hosts: 66.79.171.75 www.resultsmaster.com
O1 - Hosts: 66.79.171.75 www.kanoodle.com

O4 - HKLM\..\Run: [dps] c:\windows\system32\dps.exe


After that, restart the computer and enable hidden files by doing this:

* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Then find and delete this file:

c:\windows\system32\dps.exe <-- file only
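An added example (not from any poster in this thread, and not HijackThis code): Python that picks the O1 hosts-file entries out of a HijackThis log and flags any public IP that several hostnames have been pointed at, as 66.79.171.75 is in the log above. The sample log mixes lines from the thread with constructed 127.0.0.1 and 10.0.0.5 entries; the function names and the `min_hosts` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt in HijackThis format. The 66.79.171.75 lines and the O4 line come
# from the log posted in this thread; the 127.0.0.1 and 10.0.0.5 lines are
# constructed here to show entries that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O1 - Hosts: 66.79.171.75 www.google.com
O1 - Hosts: 66.79.171.75 www.yahoo.com
O1 - Hosts: 66.79.171.75 www.msn.co.uk
O1 - Hosts: 66.79.171.75 www.ask.com
O1 - Hosts: 127.0.0.1 ads.blocked.example
O1 - Hosts: 10.0.0.5 intranet.example
O4 - HKLM\..\Run: [dps] c:\windows\system32\dps.exe
"""

# "O1 - Hosts: <ip> <hostname>" is how HijackThis reports a hosts-file entry.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_o1(log_text):
    """Return {ip_address: [(hostname, raw_line), ...]} for every O1 line."""
    mapping = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address: not a usable hosts entry
        mapping[ip].append((m.group(2).lower(), line))
    return mapping


def find_hosts_redirects(log_text, min_hosts=3):
    """Flag public IPs that hosts-file entries send hostnames to.

    Loopback, 0.0.0.0 and private addresses are skipped: those are what
    blocklist-style hosts files and LAN shortcuts use. A public IP that
    min_hosts or more hostnames resolve to is reported as a "redirect";
    fewer than that is reported as "review" for a human to look at.
    """
    findings = []
    for ip, entries in parse_o1(log_text).items():
        if not ip.is_global:
            continue
        hosts = sorted({h for h, _ in entries})
        findings.append({
            "ip": str(ip),
            "hosts": hosts,
            "lines": [raw for _, raw in entries],
            "verdict": "redirect" if len(hosts) >= min_hosts else "review",
        })
    return sorted(findings, key=lambda f: -len(f["hosts"]))


def fix_list(log_text, min_hosts=3):
    """O1 lines a helper would ask the user to tick before 'Fix Checked'."""
    lines = []
    for finding in find_hosts_redirects(log_text, min_hosts):
        if finding["verdict"] == "redirect":
            lines.extend(finding["lines"])
    return lines


if __name__ == "__main__":
    for f in find_hosts_redirects(SAMPLE_LOG):
        print(f"{f['verdict']}: {len(f['hosts'])} hostnames -> {f['ip']}")
    print("\n".join(fix_list(SAMPLE_LOG)))
```
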
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Sun Oct 24, 2004 7:34 am

thx for the info and the heads up!!

Very Happy
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Sun Oct 24, 2004 9:06 am

whois info for scumware-remover.org:

Quote:
Domain ID:D104980260-LROR
Domain Name:SCUMWARE-REMOVER.ORG

Created On:08-Oct-2004 23:52:48 UTC
Last Updated On:08-Oct-2004 23:53:17 UTC
Expiration Date:08-Oct-2005 23:52:48 UTC

Sponsoring Registrar:Go Daddy Software, Inc. (R91-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:GODA-08414651

Registrant Name:Steven Burritt
Registrant Organization:
Registrant Street1:239 millcreek lane
Registrant Street2:
Registrant Street3:
Registrant City:naperville
Registrant State/Province:Illinois
Registrant Postal Code:60540
Registrant Country:US
Registrant Phone:+1.6304043009
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:stevesredcamaro@aol.com
Admin ID:GODA-28414651

Admin Name:Steven Burritt
Admin Organization:
Admin Street1:239 millcreek lane
Admin Street2:
Admin Street3:
Admin City:naperville
Admin State/Province:Illinois
Admin Postal Code:60540
Admin Country:US
Admin Phone:+1.6304043009
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:stevesredcamaro@aol.com
Tech ID:GODA-18414651
Tech Name:Steven Burritt
Tech Organization:
Tech Street1:239 millcreek lane
Tech Street2:
Tech Street3:
Tech City:naperville
Tech State/Province:Illinois
Tech Postal Code:60540
Tech Country:US
Tech Phone:+1.6304043009
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:stevesredcamaro@aol.com

Name Server:NS1.H-C-T.COM
Name Server:NS2.H-C-T.COM

_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Sun Oct 24, 2004 9:24 pm

I tried this thing again tonight with SpywareGuard disabled and ZA set to allow it access to see if the entire scan would run. I still got the run time error and still got my homepage, search page and hosts file hijacked. So - either this little piece of scumware is so poorly coded that it will not run, or it was designed for the sole purpose of hijacking users' computers. Rolling Eyes Evil or Very Mad






I also tried on my WinMe box but it would not run there either. It gave some file path error or some such thing. It did manage, however, to hijack my browser. It seems to be coded for XP only.

The warning message you see just under the google toolbar is from the new security settings in SP 2.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
Scaramouche
Malware Expert


Joined: 06 Jul 2004
Last Visit: 03 May 2006
Posts: 141
Location: Manila, Philippines

Posted: Mon Oct 25, 2004 12:03 am

This is just getting ludicrous. Even the bad scanners at least pretend to have some sort of functionality (on more platforms than XP to boot). I've been thinking lately that boards like these are necessary and admirable but they deal with the symptoms and not the root causes. Even scanners and removers are a necessary, yet incomplete solution.

What we need to do is turn spyware removal experts into spyware prosecution activists. Have someone in each major jurisdiction who can send in proof to the various district attorney offices, maybe have a lawyer donate a legalese template where the volunteer fills in how the spyware manufacturer violates laws (and really most bad spyware violates EXISTING laws against computer misuse/privacy as it is, let alone any new spyware laws that evolve in the future). Have these people networked so they can present evidence in cases that span states, or even countries. Have a committee examine each request before it goes out to provide a unified front and to remove traces of excess indignation that might make people take it less seriously. Monitor progress in certain key states, and then try to bring pressure on legislators and prosecutors that aren't doing the job properly. Whew.

I'm not suggesting anyone has to do this, because you know what? You guys already do a lot. I guess it was a little rant brought on by how egregious this particular site is. The implication that sites like this are allowed to exist and indeed, probably others that we don't even know about just makes me fume.

Theoretically, working for a commercial spyware remover seeing this should make me happy. Sort of a "all right, more bad stuff out there to increase the number of our clients!" But it doesn't, it just makes me mad and sad. I guess the things I outline above are more a pipe dream, since the organization and time constraints are pretty big. It would basically end up being an anti-spyware lobbying group to counter the efforts of Gator/Claria :) Even if it was successful it would only end up driving the manufacturers more underground (assuming you could get both an American and European organization set up and working).

If that doesn't work I suggest vigilante justice (note to Homeland Security department; I am not actually suggesting vigilante justice).
_________________
---
My comments represent my own opinions and research.
Moore
Moderator


Joined: 31 May 2004
Last Visit: 16 Jun 2014
Posts: 758
Location: °°.MooreLand.°°

Posted: Mon Oct 25, 2004 1:41 am

Thanks for checking this one out, one more garbage site for the lists Very Happy

I thought smartest search was a bit too suspicious, sounded like a CWS wannabe site to me.

Not good to see your computer get hijacked Suzi, at least you know where to go to get help [ if you ever need it Wink ] ..


Quote:
If that doesn't work I suggest vigilante justice (note to Homeland Security department; I am not actually suggesting vigilante justice).


lol Twisted Evil
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Mon Oct 25, 2004 8:17 am

Scaramouche, you wrote:

Quote:
I'm not suggesting anyone has to do this, because you know what? You guys already do a lot. I guess it was a little rant brought on by how egregious this particular site is. The implication that sites like this are allowed to exist and indeed, probably others that we don't even know about just makes me fume.


It makes me fume too. I think complaints to the Illinois Attorney General would be in order, as well as to the web hosting company. They are probably violating the TOS of their web host. I'll do some research tonight and see if I can come up with addresses.

Moore, you wrote:

Quote:
Not good to see your computer get hijacked Suzi.


Yeah, the first time it happened it totally caught me off guard. I was furious. Of course since SpywareGuard caught it, it was easily correctable. The second time around I let it happen to see if the scan would complete. Thanks to HJT, it was easy to remove.

Also - this has been added to Panda's definitions, so it will now target and remove this scumware!
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Tue Oct 26, 2004 5:20 pm

Some interesting information about the person listed in the whois information has been posted in this thread at DSLReports.

http://www.broadbandreports.com/forum/remark,11680505~mode=flat

See the posts by BrettStarr and follow his links. One page has a long list of domains that appear to be re-directed to scumware-remover.org. Rolling Eyes
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

Posted: Tue Oct 26, 2004 5:55 pm

err..............daphne? Shocked
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Tue Oct 26, 2004 6:17 pm

Quote:
err..............daphne


Yeah, you know, Daphne of Scooby Doo. Very Happy

I was going to go anon there but that didn't last long.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

Posted: Tue Oct 26, 2004 6:52 pm

LOL, me and the kid were just playing a ScoobyDoo game on Cartoon Network.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 21 Sep 2014
Posts: 3913
Location: California

Posted: Wed Oct 27, 2004 12:27 am

Shcooooby Doooooo!
webhelper
SWW Expert


Joined: 11 Apr 2004
Last Visit: 16 Jul 2011
Posts: 1090

Posted: Thu Nov 04, 2004 5:36 am

Ok, finally got my screen shots and the list of all their known sites

http://www.webhelper4u.com/CWS/scumwareremover.html
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Thu Nov 04, 2004 10:05 am

webhelper, I see the domain names are also looking for misspelled google and yahoo. these scum purveyors just don't quit.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 25 Nov 2014
Posts: 10335
Location: at the beach

Posted: Thu Nov 04, 2004 10:41 am

Good one Webhelper!

There are two other files, besides the dps.exe, this scumware puts into the C:\WINDOWS\SYSTEM32\ folder in case you wanted to add that to your page.

dps32.exe
mse.exe

I zipped and submitted all 3 to 3 different places. Kaspersky emailed me back this morning with this info:

Quote:
This is trojan-downloader program TrojanDownloader.Win32.VB.fn.
Detection will be added to the next daily update.

_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Thu Nov 04, 2004 3:00 pm

good catch suzi!!!!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Thu Nov 04, 2004 3:07 pm

See here, also
http://spywarewarrior.com/viewtopic.php?t=7312
_________________
Proud member of the Chest Zipper Club!
calvin282
Newbie


Joined: 07 Nov 2004
Last Visit: 07 Nov 2004
Posts: 2

Posted: Sun Nov 07, 2004 1:00 am

right now i am trying to use spyware remover to remove the files. but when i try to do so, it says "access to unamed file was denied". can someone help please?

i am basically trying to fix the problem of getting always directed to smartestsearch.com
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Sun Nov 07, 2004 7:44 am

calvin282, I just posted into your other Topic Wink
http://spywarewarrior.com/viewtopic.php?t=7312
_________________
Proud member of the Chest Zipper Club!
All times are GMT - 8 Hours