  NHD tech
@rr.com
| Anyone know what spywiper is?
I've been getting a few calls lately with customers saying they are getting messages about spywiper and the usual "you have spyware on your computer, if your cd-rom opens then you have spyware" message. The cust also says that the CD-rom is actually opening when this message comes up. Some have already tried to use ad-aware to search for any ad-ware/spyware and nothing comes up. I'm thinking the cust has just let code run on their computers that allows the cd-rom to open.
Any ideas?
thanks Ryan |
|
 eburger68 Premium,MVM join:2001-04-28
| NHD tech:
They probably mean SpyWiper from this outfit:
»https://www.mailwiper.com/spywiper/spywiper.html
I've seen a few complaints about their pop-up ads on other boards. IMHO, I wouldn't recommend downloading or installing that app, given their marketing tactics. As for the opening CD-ROM tray, that's undoubtedly just some obnoxious code designed to scare people -- much like the trick that shows people the contents of their own C-drives.
If you can get a link either to the pop-up ads or the pages from which those ads were spawned, we'd be happy to take a look at it more carefully.
Best,
Eric L. Howes |
|
  Tech4769
@rr.com | IMHO, I wouldn't recommend downloading or installing that app, given their marketing tactics.....
Are you referring to not downloading spywiper or ad-aware in that sentence? And if you're referring to ad-aware...why? |
|
  StraitShoot Who Loves Ya Baby? - Theo Kojak Premium join:2003-02-08 Clinton, MA
| said by Tech4769: IMHO, I wouldn't recommend downloading or installing that app, given their marketing tactics.....
Are you referring to not downloading spywiper or ad-aware in that sentence? And if you're referring to ad-aware...why?
He means SpyWiper... Both AdAware and Spybot S&D are pretty much held in high regard around here... -- Stavros, Why are you eating again? |
|
 Schouw Premium join:2003-05-29 Netherlands 1 edit | reply to Tech4769 He's talking about Spywiper..
Edit: too slow |
|
 eburger68 Premium,MVM join:2001-04-28
1 edit | reply to Tech4769 Tech4769:
I'm referring to SpyWiper. Ad-aware is a legitimate, effective "spyware" removal program.
I've done some nosing around. SpyWiper from mailwiper.com is most definitely your problem.
Some complaints on other boards:
EZ spy ware goes over the top »beta.ezboard.com/fezboardadminis···49.topic
Spywiper Ads crashing my computer! »beta.ezboard.com/fezboardadminis···67.topic
spywiper adbot? »forums.spywareinfo.com/index.php···spywiper
default-homepage-network, something keeps changing my homepage »forums.spywareinfo.com/index.php···spywiper
search engine hijacked, under the thumb of odysseus »forums.spywareinfo.com/index.php···spywiper
You'll notice that some of the ezboard complaints also refer to an opening CD-ROM tray. One of the posters at SpywareInfo reports the browser's home page being hijacked to:
»default-homepage-network.com/start.cgi?c001
...which redirects to a SpyWiper ad here:
»default-homepage-network.com/index6.html
Still more interesting, the uninstall page for an OdysseusMarketing app here:
»www.odysseusmarketing.com/uninstall/
...spawns a pop-up for SpyWiper here:
»messagebroadcaster.net/wiper/sw1.htm
All trails lead back to mailwiper.com. A Google search on "mailwiper.com" turns up a number of complaints about spamming:
»www.google.com/search?hl=en&lr=&···2Bcom%22
...so obnoxious pop-ups wouldn't be completely unexpected from this crew.
In nothing that I've seen so far is there any indication of drive-by-download installs of software, so your users are likely OK on that front. They've just encountered some obnoxious advertising.
Best,
Eric L. Howes |
|
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
| reply to NHD tech If you are looking for decent recommendations for freeware security programs, these two threads should help point you in the right direction:
»Maximum security WITHOUT any $$$
»Re: Good security-related programs? -- oO^..^Oo__HijackThis FAQs__oO^..^Oo |
|
  CajunTek Insane Cajun Premium,MVM join:2003-08-08 Arlington, TX | reply to NHD tech Try this »www.spywareinfo.com and search their forums for spywiper... You'll find it interesting. |
|
 eburger68 Premium,MVM join:2001-04-28
| reply to NHD tech Hi All:
An update on this one: this may be worse than it originally looked. Suzicat started a topic over at SpywareInfo on this:
»forums.spywareinfo.com/index.php···ry116174
And she points to these blog entries, all with reports of SpyWiper:
»tommytrojan.blogspot.com/2003_11···40138115
»patterico.blogspot.com/2003_11_0···21317113
»patterico.blogspot.com/2003_11_0···86561187
Best,
Eric L. Howes |
|
 eburger68 Premium,MVM join:2001-04-28
| reply to NHD tech Hi:
Finally found someone who's been having problems with SpyWiper and who's posted a HJT log. See here:
Browser Controlled, Spy Wiper »forums.net-integration.net/index···pic=7886
The poster's description matches the symptoms we've heard from other sources:
quote: It seems I have acquired a problem created by a company called Spy Wiper. When I attempt to go to my home page, the page is re-directed to a different URL, and there are 2 or 3 different windows that open. One window is a porn window, one is a note pad advertising spy wiper and causes my CD drawer to open and the other window is advertising links.
I have run both Ad-ware 6.0 and Spybot-S&D and neither have found anything to correct. I have downloaded HijackThis and am attaching the save log. Could someone please review it and help me clear this up. I am running Windows 98. Please advise if you need any further information.
The HJT log shows, among other things, the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://server224.smartbotpro.net/7search/?002
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://default-homepage-network.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://server224.smartbotpro.net/7search/?003
The smartbotpro.net links take you to various pages that are related to 7Search Networks (7search.com) and that attempt to do something with JavaScript -- not sure what as the pages don't seem to work properly in Mozilla 1.5 (haven't tried with IE wide and open).
The default-homepage-network.com link takes you to this page:
hxxp://default-homepage-network.com/index2.html
...which is a SpyWiper ad (pointing to mailwiper.com). It also pops open this notice:
hxxp://default-homepage-network.com/spypop4.html
...and eventually to this notice:
hxxp://default-homepage-network.com/spytxt.txt
So far, this appears to be a case of obnoxious, high-pressure advertising. No evidence so far that SpyWiper itself is foisting something onto users' computers.
Best,
Eric L. Howes |
|
  I hate Spywiper
@pacbell.net
| reply to NHD tech Can anyone please, please post a *confirmed* fix to remove this. So far the "fixes" I have seen do not work. Or even answer me this: IS there a fix yet?
I've tried-
* Ad Aware 6 (detects nothing)
* Spybot S&D (detects nothing)
* Registry Clean Expert from Cnet
* Manually resetting the default homepage to yahoo.com
* Manually editing the registry and searching for default-homepage-network.com yields NO MATCHES
Even after all that... I can't remove it.
Within seconds of connecting to the Internet I begin getting multiple popups. I left my system on overnight and in the morning I had 45 instances of Internet Explorer and 15 instances of notepad open.
Logfile of HijackThis v1.97.7
Scan saved at 1:53:32 PM, on 12/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Registry Clean Expert\RCScheduler.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\notepad.exe
\192.9.200.8\mis\apps\popupkiller\HiJack This\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.default-homepage-network.com···gi?k1-hp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···.5978125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - »http.gamezone.tukati.com/tukati/···kati.cab
Under R0 I want to add I manually delete/edit that out of the registry and within seconds of plugging the ethernet cable back in the entry re-appears after the popups begin again. So removing the entry does nothing. I'm missing a step here..
Thank you for ANY and all help. Formatting is NOT an option. |
|
  discogail
join:2001-12-05 Somerville, MA
| Close all other windows.....check off the box next to:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.default-homepage-network.com/start
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe
"Fix Checked".....reboot
after restarting, preferably in safe mode..go to:
C:\WINDOWS\System32 & delete mscpbo.exe -- »www.amazingtechs.com/ |
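The kind of selection discogail makes above can be written down as triage rules over a HijackThis log. This is an added example, not part of the thread and not HijackThis code: the sample lines, GUIDs and the three rules are constructed for illustration, and the watched domains are the two that appear in the logs quoted in this thread.

```javascript
// Triage of HijackThis-style log lines (added example; the rules are assumptions).
// Constructed sample modelled on the entry types quoted in this thread.
const SAMPLE_LOG = String.raw`
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://default-homepage-network.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://server224.smartbotpro.net/7search/?001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://intranet.example/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [example] C:\WINDOWS\System32\example.exe
`;

// Domains that appear in the HJT logs quoted in this thread.
const WATCH_DOMAINS = ['default-homepage-network.com', 'smartbotpro.net'];

// Split "R0 - rest of line" into its section code and body.
function parseHjtLine(line) {
  const m = /^([A-Z]\d{1,2}) - (.*)$/.exec(line.trim());
  return m ? { section: m[1], body: m[2] } : null;
}

// Host part of a value such as "hxxp://host/path" or "host/path".
function hostOf(value) {
  const m = /^(?:[a-z]+:\/\/)?([^\/\s?]+)/i.exec(value.trim());
  return m ? m[1].toLowerCase() : '';
}

function triage(log, watchDomains) {
  const findings = [];
  for (const raw of log.split(/\r?\n/)) {
    const entry = parseHjtLine(raw);
    if (!entry) continue; // headers, process list, blank lines
    const { section, body } = entry;
    if (section === 'R0' || section === 'R1') {
      // Rule 1: IE start/search setting whose host is a watched domain or subdomain.
      const eq = body.indexOf(' = ');
      const host = eq >= 0 ? hostOf(body.slice(eq + 3)) : '';
      if (watchDomains.some(d => host === d || host.endsWith('.' + d))) {
        findings.push({ reason: 'IE setting points at watched domain', line: raw });
      }
    } else if (section === 'O2' && /- \(no file\)$/.test(body)) {
      // Rule 2: Browser Helper Object registered but its file is gone.
      findings.push({ reason: 'BHO registered with no file on disk', line: raw });
    } else if (section === 'O4' && /^HKCU\\\.\.\\Run:/.test(body)) {
      // Rule 3: per-user autostart entries are listed for manual review.
      findings.push({ reason: 'per-user autostart entry to review', line: raw });
    }
  }
  return findings;
}

for (const f of triage(SAMPLE_LOG, WATCH_DOMAINS)) {
  console.log(`${f.reason}: ${f.line}`);
}
```

Feed it the raw HijackThis log file rather than text copied from a forum page, since forum software shortens the URLs.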
|
 eburger68 Premium,MVM join:2001-04-28
| reply to NHD tech Hi:
Update:
Four threads today that I've spotted at SpywareInfo:
The bastages! HELP!, Spy Wiper has taken over a computer »forums.spywareinfo.com/index.php···ic=19667
Help with spy wiper »forums.spywareinfo.com/index.php···ic=19682
spy wiper is taking over my computer, spy wiper »forums.spywareinfo.com/index.php···ic=19661
Spy Wiper has ABSOLUTE control of my computer, URGENT help needed please... »forums.spywareinfo.com/index.php···ic=19665
Eric L Howes |
|
 rahvee
join:2003-12-07 Candia, NH
| reply to NHD tech I have a solution to this. Here's what I did:
1- Close everything.
2- Open control panel, Internet options.
2.1- Change the home page to something normal, like Google or whatever you like.
3- Click the "Delete Files" button.
4- Click the "Delete Cookies" button.
5- Go to Advanced, Scroll to the bottom. Click "Empty Temporary Internet files when browser is closed."
6- Hit OK
7- I noticed I was running Windows service pack 3. So I went to Windows Update ( »windowsupdate.microsoft.com )
8- Install Service Pack 4
That's it. The stupid thing is all gone now.
P.S. Here's what the problem was, before I fixed it: That stupid spywiper thing hijacked my computer. It would rewrite my home page every time I reboot my computer, and every time I open Internet Explorer there would be about 20 popups that would say "if your cdrom is open you have spyware, please download and install this thing..." and the cdroms would open, and at random times popups of the most offensive type would spontaneously appear. |
|
  VincentP
@pacbell.n | reply to NHD tech THANK YOU SO MUCH...oh man those popups were driving me insane! |
|
  cyber111
@aol.com
| Today I filed a complaint with ftc.gov about their practices. They also claim in global whois they are owned with networksolutions.com to fool people. People, find your state attorney website and file an online complaint, and also on the ftc.gov site. Click on the 'c' drive and 'windows' and manually erase all cookies in 'cookies', also in temp and internet temp. It is notable they hijack the computer, which is illegal, disable virus protection and firewall from McAfee, and after you delete the cookie McAfee recognizes and deletes the trojan ???? hehehe, that company will finish in jail, how can someone be stupid and create software and hijack people's comps thinking they will buy the product? |
|
  barrysadie
@bellsouth.ne
| reply to I hate Spywiper I got this awful hijacker last week, same homepage-network / spywiper / cellphone ad / porn ad crap. I ran "Spybot Search & Destroy" on it, w/ no success. (Spybot is an awesome free proggy, I sent them a report on this jacker.) I cleared cookies & files... got jacked again! I have Adaware on my other computers... forgot to put it on this one. After install, I ran it... it found all mentioned IE entries / exploits / registry changes. Adaware, I assume, updated their database (I updated after install, today)... as it will recognize, and clean this hijacker (I noticed some of you had no luck with Adaware against it). My Adaware found it, it matches the registry reports in previous posts here. This one is a real bug-a-boo! |
|
  cyber11
@aol.com
| Also, paltalk is a trojan program that is disguised as chat. It monitors everything you see and surf on the web, even puts code in the memory of the comp. Go to c: windows and choose 'startup' to erase their icon. If you go to »webroot.com they give you a free trial, so you can clean the comp for free for 30 days from all spyware and paltalk things. Talking on forums doesn't help.....file a complaint at »ftc.gov, they work with the fbi. Also, find your state attorney complaint form online. You have also bbb online. Zedmedia, default-homepage and mailwiper are probably the same group. IMPORTANT ...default-homepage-network.com in global whois for the domain claims they are c/o networksolutions company to fool people so that people trust them. Write or call networksolutions.com and report that, so they have high paid lawyers who will take care and we will all benefit. Fbi and government are probably hijacked in the same manner as we are. Also, when will Microsoft.com add all this extra protection that we have to buy from third parties? In the united states, the manufacturer is responsible for a defective item and free replacement, why do we have to pay for firewalls, virusscans, and else? If the product is not good then go out of business and let the competition make better software. We have seen a lot of recalls in america but never from microsoft. |
|
  vulcan146
@Dial1.Bos
| I found the code that opens the cd-drive, am using it as joke on friends 
document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u004c\u0041\u004e\u0047\u00 55\u0041\u0047\u0045\u003d\u0022\u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074\u0022\u003e \u000d\u000a\u003c\u0021\u002d\u002d\u000d\u000a\u0053\u0065\u0074\u0020\u006f\u0057\u004d\u 0050\u0020\u003d\u0020\u0043\u0072\u0065\u0061\u0074\u0065\u004f\u0062\u006a\u0065\u0063\u00 74\u0028\u0022\u0057\u004d\u0050\u006c\u0061\u0079\u0065\u0072\u002e\u004f\u0043\u0058\u002e \u0037\u0022\u0020\u0029\u000d\u000a\u0053\u0065\u0074\u0020\u0063\u006f\u006c\u0043\u0044\u 0052\u004f\u004d\u0073\u0020\u003d\u0020\u006f\u0057\u004d\u0050\u002e\u0063\u0064\u0072\u00 6f\u006d\u0043\u006f\u006c\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u000d\u000a\u0069\u0066 \u0020\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u 0074\u0020\u003e\u003d\u0020\u0031\u0020\u0074\u0068\u0065\u006e\u000d\u000a\u0046\u006f\u00 72\u0020\u0069\u0020\u003d\u0020\u0030\u0020\u0074\u006f\u0020\u0063\u006f\u006c\u0043\u0044 \u0052\u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\u002d\u0020\u0031\u000d\u 000a\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0049\u0074\u0065\u006d\u00 28\u0069\u0029\u002e\u0045\u006a\u0065\u0063\u0074\u000d\u000a\u004e\u0065\u0078\u0074\u0020 \u0027\u0020\u0063\u0064\u0072\u006f\u006d\u000d\u000a\u0045\u006e\u0064\u0020\u0049\u0066\u 000d\u000a\u002d\u002d\u003e\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u00 3e')
Hmmm.. if only I knew the actual workings of that |
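A `document.write('\uXXXX...')` wrapper like the one in the post above can be read without running it by decoding the escapes as plain text. The decoder below is an added example, not code from the thread; the sample string and the `Demo.Obj` name are constructed, and it assumes every payload character is escaped, as in the post, where spaces are written as `\u0020`.

```javascript
// Static decoder for \uXXXX-escaped document.write() arguments (added example).
// Nothing is evaluated or written into a page; the payload is handled as text.

// Constructed sample, not the payload from the thread. The stray spaces and
// line breaks imitate forum line-wrap debris such as "\u00 55".
const SAMPLE = String.raw`document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e\u0067\u00 75
\u0061\u0067\u0065\u003d\u0022\u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074 \u0022\u003e
\u0053\u0065\u0074\u0020\u006f\u0020\u003d\u0020\u0043\u0072\u0065\u0061\u0074\u0065\u 004f
\u0062\u006a\u0065\u0063\u0074\u0028\u0022\u0044\u0065\u006d\u006f\u002e\u004f\u0062\u006a
\u0022\u0029\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e')`;

function decodeUnicodeEscapes(text) {
  // Assumption: all payload characters are escaped, so literal whitespace is
  // wrap debris and is dropped before decoding.
  const compact = text.replace(/\s+/g, '');
  return compact.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function analyzeDocumentWrite(source) {
  // Pull out the quoted argument of the first document.write(...) call.
  const m = /document\.write\(\s*(['"])([\s\S]*?)\1\s*\)/.exec(source);
  if (!m) return null;
  const decoded = decodeUnicodeEscapes(m[2]);
  // Script languages declared in the decoded markup (e.g. VBScript).
  const languages = [...decoded.matchAll(/<script[^>]*\blanguage\s*=\s*["']?([\w.]+)/gi)]
    .map(x => x[1]);
  // COM objects the decoded script asks the browser to instantiate.
  const progIds = [...decoded.matchAll(/CreateObject\(\s*"([^"]+)"/gi)]
    .map(x => x[1]);
  return { decoded, languages, progIds };
}

console.log(analyzeDocumentWrite(SAMPLE));
```

The `languages` and `progIds` fields show which script engine and which COM object the hidden markup would use.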
|
 B Premium,MVM join:2000-10-28
| Isn't that C code? Not likely to be running from a web ad I think...
I Googled up VBScript and JavaScript IE versions of this trick at »www.waxy.org/archive/2003/03/27/···dr.shtml . I haven't tried them.
I don't know which method SpyWiper's ad uses; I just thought it was a cute feat.
-- B |
|