[identity profile] coyoteden.livejournal.com
http://arstechnica.com/news.ars/post/20050805-5175.html

"Researchers from a little-known security software company named Sunbelt Software have seemingly uncovered a criminal identity theft ring of massive proportions. According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application—rumored to be called CoolWebSearch—they've discovered that the personal information of those "infected" was being captured and uploaded to a server."
...
The list of stolen information includes not only bank accounts but website passwords, eBay accounts, what sort of adult images you fancy, and, supposedly, even more...


Sunbelt has not confirmed what spyware it is, but think of how many machines you've found CoolWebShit on... THAT's how big this scam might be.

[identity profile] coyoteden.livejournal.com
OK, so this evening I was helping out my former employer with a couple of tricky jobs. One of which was cleaning up his own computer. We're all careful about security, but it got hijacked by CoolWebSearch. Don't ask.

Now, this was one of the nastier variants that loads from HKLM/.../Run like most stuff, but then hides itself from the process list, spawns copies, hides the files on disk, puts all the copies in startup, and deletes the original file. If you remove any of the registry keys, it puts them right back. You can't kill it with the usual tools because you just can't see the fnords. The files change every time you reboot, and if you don't get EVERY file from safe mode, it will come right back.

Well, I thought I killed it. I KNOW I killed it. The files had been deleted and the system had been scanned from safe mode.... but the registry keys just kept coming back. Uh-oh. I loaded up Regmon and took a look at what was writing that key in the registry.

"Ad-watch.exe"

Fucking Ad-Aware. Goat-fucking Ad-Aware Pro to be precise. The real-time protection was restoring the damn CoolWebSearch keys (including the browser hijacks!) every time I removed them! And giving no warning. At all.
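The Regmon check described in the post above, as an added example that is not part of the original post: it scans a registry-monitor log for processes that rewrite a Run-key value after it has been deleted. The tab-separated layout, request names, value name, PIDs and every process name other than Ad-watch.exe are assumptions, and the log rows are constructed sample data.

```python
from collections import defaultdict

# Constructed sample rows modelled on a Regmon-style export (assumed layout):
# sequence, time, process:pid, request, path, result
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
ROWS = [
    ("1", "0.10", "setup.exe:200", "SetValue", RUN + r"\example_value", "SUCCESS"),
    ("2", "5.00", "explorer.exe:300", "QueryValue", RUN + r"\example_value", "SUCCESS"),
    ("3", "9.00", "regedit.exe:412", "DeleteValueKey", RUN + r"\example_value", "SUCCESS"),
    ("4", "9.02", "Ad-watch.exe:1180", "SetValue", RUN + r"\example_value", "SUCCESS"),
    ("5", "12.0", "regedit.exe:412", "DeleteValueKey", RUN + r"\example_value", "SUCCESS"),
    ("6", "12.1", "Ad-watch.exe:1180", "SetValue", RUN + r"\example_value", "SUCCESS"),
    ("7", "12.2", "other.exe:500", "SetValue", RUN + r"\example_value", "ACCDENIED"),
    ("8", "12.3", "other.exe:500", "SetValue", r"HKCU\Software\Example\Setting", "SUCCESS"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def is_run_value(path):
    """True when the path names a value directly under a Run or RunOnce key."""
    parts = path.lower().split("\\")
    return len(parts) >= 2 and parts[-2] in ("run", "runonce")


def find_restorers(log_text):
    """Map each Run-key value to {process: times it rewrote the value after a delete}."""
    pending = set()  # values deleted and not yet rewritten
    restores = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # skip malformed or truncated rows
        proc, request, path, result = fields[2:6]
        if result != "SUCCESS" or not is_run_value(path):
            continue  # failed writes and unrelated keys are not restores
        key = path.lower()  # registry paths are case-insensitive
        if request == "DeleteValueKey":
            pending.add(key)
        elif request == "SetValue" and key in pending:
            pending.discard(key)
            restores[key][proc.rsplit(":", 1)[0]] += 1
    return {k: dict(v) for k, v in restores.items()}


if __name__ == "__main__":
    for value, procs in find_restorers(SAMPLE_LOG).items():
        print(value, procs)
```

A process that shows up here is only the writer; as in the post, it may be a legitimate tool that snapshotted a bad state, so the next step is checking what that process is before removing anything.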
[personal profile] jecook
Courtesy of El Reg:

Adware maker 180solutions has embarked on an image makeover with a campaign to notify users that its software is installed on their systems and tips on removing its software. On Tuesday, 180solutions said it had begun "re-notifying its 20m users in a stepped-up effort to educate consumers and ensure each of its customers has received proper disclosure and given informed consent".

According to 180solutions, the re-notification programme is part of a wider effort to make sure "rogue distributors" can no longer illicitly install its software on PCs. These efforts include enhancements to its 180search Assistant and Zango applications as well as severing ties with "more than 400 websites that have breached the company's strict code of conduct."

180solutions is under pressure to clean up its act on several fronts such as threat of litigation, financial pressure from investors and blacklisting by anti-spyware firms. Anti-spyware consortium Coast collapsed in April weeks after its decision to admit 180solutions, which describes itself as a provider of search marketing solutions, to its ranks. CA (here) and other vendors such as McAfee (here) describe 180solutions' software as adware. 180solutions said that the adware accusation, which it contests, is in any case outdated. ®


My take after reading this? BWHWHAHAHAHAHAHAHAHAAAA!!!!!!!

::THUD!!::

::Gets up off of floor::

It's still going to be on my permanent list of "nuke on site" chunks of spyware.

Page generated Jul. 25th, 2017 12:47 am