Broderbund DSSagent

Posted by Emma Adrian in Blog Latest Adware Threats, Latest Spyware News, Latest Spyware Threats, Recent Articles, Top Spyware Threats on January 20th, 2009 | Leave a comment
TAGS: , ,

What is Broderbund DSSagent?
Broderbund DSSagent is an Adware program installed by some Mattel/Broderbund products, with the purpose to download new splash screens to be displayed when the products that support this program are started.

Broderbund DSSagent slams your DNS server with continuous connections to www.brodcast.net and other domains. It pops up un-solicited advertisements and analyses computer usage, and then sent the information back to the companies servers. Broderbund DSSagent runs as a hidden process with no user interface. Its behavior can severely slow down your computer as it can consume large numbers of CPU cycles.

Do you have Broderbund DSSagent?
If you have enough time and expertise, you can search your computer for Broderbund DSSagent manually. However, it might take hours to find out all files of Broderbund DSSagent, and it is possible that Broderbund DSSagent will appear after rebooting, for its hidden files may still be there.

Download automatic scanner for Broderbund DSSagent
Spyware Cease – the technology-oriented security protection that provides a risk-free computing environment for your home and office – with detection, removal and guard in one intuitive and straight-forward interface. Only Spyware Cease gives you individual fix against the most dangerous spyware problems.

Manual Broderbund DSSagent removal instructions
WARNING: The manually removal method is for advanced users. Broderbund DSSagent manually removal can be difficult and time-consuming. There is no guarantee that Broderbund DSSagent can be completely removed, for there are hundreds of files generated when Broderbund DSSagent installed on your system. Make sure to back up your computer in case that you make any mistakes and your system does not work.

Follow the instruction below for Broderbund DSSagent removal manually:

Navigate and stop Broderbund DSSagent process:
dssagent.exe

Navigate and Remove Broderbund DSSagent registry values:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\bbstore\dss\dssagent.exe
HKEY_LOCAL_MACHINE\software\broderbund software\dss active
HKEY_LOCAL_MACHINE\software\broderbund software\dss autolaunchremoved
HKEY_LOCAL_MACHINE\software\broderbund software\dss cobwebinterval
HKEY_LOCAL_MACHINE\software\broderbund software\dss serverurl
HKEY_LOCAL_MACHINE\software\broderbund software\dss storagelocation
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run dss

Navigate and Delete Broderbund DSSagent files:
%windows%\bbstore\dss\dssagent.exe
dssagent.exe
dssregistry.ini
%windows%\bbstore\dss\dssagent.exe

What are the symptoms of Broderbund DSSagent?

  • Broderbund DSSagent may display advertisements
  • Broderbund DSSagent may collect users’ Internet surfing information
  • Broderbund DSSagent may run in the background of the system without interface
  • Broderbund DSSagent may slow down computer processing severely
  • Broderbund DSSagent may cause network problems and create heavy CPU usage

How do I keep away from Broderbund DSSagent?
Once you have cleaned up Broderbund DSSagent, the most important point to prevent Broderbund DSSagent and future malicious programs from reverting is to stay suspicious of spam E-mail attachment and unknown websites. Here are several ways in which you can help protect your computer against Broderbund DSSagent and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as, Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is Adware?
Broderbund DSSagent is a type of Adware.

Adware is a kind of software that displays or downloads advertisements to a computer after the software is installed or while the software is in use. These advertisements can be banners or pop up windows. Some types of adware may even collect the user’s information and display advertisements in the web browser according to the information collected.

Adware can slow down your PC by consuming heavily Memory and CPU resources. Adware can also mess your Internet connection by using bandwidth to resume advertisements. Meanwhile, your system may be in risk of inefficiency because most adware applications are not properly programmed.

MyWebSearch

Posted by Emma Adrian in Blog Latest Adware Threats, Latest Spyware News, Latest Spyware Threats, Recent Articles, Top Spyware Threats on January 19th, 2009 | Leave a comment
TAGS: , , ,

What is MyWebSearch?
MyWebSearch is an advertising Browser Helper Object that consists of an add-on to Internet explorer that tracks the text users put into a search field. MyWebSearch hijacks users’ homepage temporarily, redirecting it to MyWebSearch.com, an access page that hosts the search field, so as to constitute an aggressive advertising practice. MyWebSearch can also manifest as a voluntarily downloaded toolbar that displays links to purportedly useful service and also hosts an Ask.com search field.

MyWebSearch, as well as its similarly titled companion app., MyTotalSearch, was published by Ask.com that was previously called AskJeeves.com. The search field in the BHO does not engage in any direct monitoring essentially. Instead, it simply funnels more users to Ask.com, in order to increase the likelihood that a user will click on a sponsored link and create revenue.

Do you have MyWebSearch?
If you have enough time and expertise, you can search your computer for MyWebSearch manually. However, it might take hours to find out all files of MyWebSearch, and it is possible that MyWebSearch will appear after rebooting, for its hidden files may still be there.

Download automatic scanner for MyWebSearch
Spyware Cease – the technology-oriented security protection that provides a risk-free computing environment for your home and office – with detection, removal and guard in one intuitive and straight-forward interface. Only Spyware Cease gives you individual fix against the most dangerous spyware problems.

Manual MyWebSearch removal instructions
WARNING: The manually removal method is for advanced users. MyWebSearch manually removal can be difficult and time-consuming. There is no guarantee that MyWebSearch can be completely removed, for there are hundreds of files generated when MyWebSearch installed on your system. Make sure to back up your computer in case that you make any mistakes and your system does not work.

Follow the instruction below for MyWebSearch removal manually:

Navigate and stop MyWebSearch process:
mwssrcsp.exe

Navigate and Remove MyWebSearch registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_CURRENT_USER\Software\MyWebSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch
HKEY_CLASSES_ROOT\AskPBar.SettingsPlugin
HKEY_CLASSES_ROOT\AskPBar.SettingsPlugin.1
HKEY_CLASSES_ROOT\CLSID\{F4D76F01-7896-458a-890F-E1F05C46069F}
HKEY_CLASSES_ROOT\IMsiDe1egate.Application.1
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKEY_CLASSES_ROOT\Interface\{F4D76F0A-7896-458A-890F-E1F05C46069F}
HKEY_CLASSES_ROOT\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKEY_CLASSES_ROOT\TypeLib\{F4D76F00-7896-458A-890F-E1F05C46069F}
HKEY_CURRENT_USER\Software\Fun Web Products
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF}
HKEY_LOCAL_MACHINE\SOFTWARE\AskPBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4D76F01-7896-458a-890F-E1F05C46069F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F4D76F0B-7896-458a-890F-E1F05C46069F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AskPBar Uninstall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch Email Clients Uninstaller
HKEY_CLASSES_ROOT\ActiveSplash.Splash
HKEY_CLASSES_ROOT\ActiveSplash.Splash.1
HKEY_CLASSES_ROOT\ActiveSplash.SplashObjects
HKEY_CLASSES_ROOT\ActiveSplash.SplashObjects.1
HKEY_CLASSES_ROOT\ActiveSplash.SplashPicture
HKEY_CLASSES_ROOT\ActiveSplash.SplashPicture.1
HKEY_CLASSES_ROOT\ActiveSplash.SplashText
HKEY_CLASSES_ROOT\ActiveSplash.SplashText.1
HKEY_CLASSES_ROOT\CLSID\{6241AF3F-2B41-41AD-A268-68CD710D34C2}
HKEY_CLASSES_ROOT\CLSID\{D1B5603A-54B5-4C23-BA4B-DEAA204AF07C}
HKEY_CLASSES_ROOT\CLSID\{D4D72717-D96A-4BA1-A136-EADB379BE963}
HKEY_CLASSES_ROOT\CLSID\{D88797FA-4784-4B40-8C5A-C4626297EC0E}
HKEY_CLASSES_ROOT\Interface\{25B5C75A-CC13-443C-AA0F-D92A2A8ECE7E}
HKEY_CLASSES_ROOT\Interface\{4CA2CA27-2031-405C-86E5-84637FB595C5}
HKEY_CLASSES_ROOT\Interface\{4E0E6D86-082D-4D60-A733-29A66909BDC8}
HKEY_CLASSES_ROOT\Interface\{B5745800-DA7C-4B4B-B775-D56AE8984D82}
HKEY_CLASSES_ROOT\Interface\{D3B810A9-7B1C-47F0-9B72-F1A24568B8A6}
HKEY_CLASSES_ROOT\Interface\{EC058846-AE55-4BDF-B379-9D2BE64D7D3A}
HKEY_CLASSES_ROOT\Interface\{EEDD46CD-3900-426F-838F-E543A0D69584}
HKEY_CLASSES_ROOT\Interface\{FB3AF05A-AB26-48E7-BE5A-CFFAA5980A97}
HKEY_CLASSES_ROOT\TypeLib\{46D36DC4-1F37-11D3-9DD0-AE1592195F1B}
HKEY_CURRENT_USER\Software\Cliprex DS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A29-692B-4205-9CAD-2626E4993404}
HKEY_CLASSES_ROOT\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}
HKEY_CLASSES_ROOT\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}
HKEY_CLASSES_ROOT\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin.1
HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin
HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin.1
HKEY_CLASSES_ROOT\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_CLASSES_ROOT\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}
HKEY_CLASSES_ROOT\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}
HKEY_CLASSES_ROOT\CLSID\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CB65201-89C4-402C-BA80-02D8C59F9B1D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}
HKEY_CLASSES_ROOT\AskTBar.SettingsPlugin
HKEY_CLASSES_ROOT\AskTBar.SettingsPlugin.1
HKEY_CLASSES_ROOT\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}
HKEY_CLASSES_ROOT\IMsiDe1egate.Application.1
HKEY_CLASSES_ROOT\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}
HKEY_CLASSES_ROOT\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE063DB1-4EC0-403E-8DD8-394C54984B2C}
HKEY_LOCAL_MACHINE\SOFTWARE\AskTBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AskTBar Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8EAB99C1-F9EC-4B64-A4BA-D9BCAE8779C2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{014DA6CB-189F-421a-88CD-07CFE51CFF10}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}
HKEY_CLASSES_ROOT\CLSID\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}
HKEY_CLASSES_ROOT\CLSID\{0A94B111-4504-4e26-AB05-E61E474AA38B}

Navigate and Delete MyWebSearch files:
%PROGRAM_FILES%\ mywebsearch\ bar\ 1.bin\ m3html.dll
%program_files%\ MyWebSearch\ bar\ 1.bin\ M3IDLE.DLL
%PROGRAM_FILES%\ mywebsearch\ bar\ 1.bin\ m3impipe.exe
%program_files%\ MyWebSearch\ bar\ 1.bin\ M3MSG.DLL
%PROGRAM_FILES%\ mywebsearch\ bar\ 1.bin\ m3outlcn.dll
%program_files%\ MyWebSearch\ bar\ 1.bin\ M3PLUGIN.DLL
%program_files%\ MyWebSearch\ bar\ 1.bin\ M3SKIN.DLL
%Program_Files%\ MyWebSearch\ bar\ 1.bin\ M3SKPLAY.EXE
%PROGRAM_FILES%\ mywebsearch\ bar\ 1.bin\ mwsbar.dll
%program_files%\ mywebsearch\ bar\ 1.bin\ mwsoemon.exe
%program_files%\ MyWebSearch\ bar\ 1.bin\ MWSOEPLG.DLL
%PROGRAM_FILES%\ mywebsearch\ bar\ 1.bin\ mwsoestb.dll
%PROGRAM_FILES%\ mywebsearch\ bar\ 1.bin\ npmywebs.dll
%program_files%\ mywebsearch\ bar\ 2.bin\ m3slsrch.exe
%program_files%\ mywebsearch\ bar\ 2.bin\ m3srchmn.exe
%program_files%\ mywebsearch\ bar\ 2.bin\ mwsoemon.exe
%program_files%\ mywebsearch\ bar\ 2.bin\ mwsoeplg.dll
%program_files%\ mywebsearch\ bar\ 2.bin\ npmywebs.dll
%program_files%\ MyWebSearch\ SrchAstt\ 1.bin\ MWSSRCAS.DLL
%program_files%\ mywebsearch\ srchastt\ 2.bin\ mwssrcas.dll
ebkp.dll
m3slsrch.exe
m3srchmn.exe
mgssetp.exe
mwssetup.commoncodebase.exe
soref_rgbndl.exe

What are the symptoms of MyWebSearch?

  • MyWebSearch may track Internet Explorer surfing activities
  • MyWebSearch may hijack users’ homepage and redirect it to MyWebSearch.com
  • MyWebSearch may display advertisements
  • MyWebSearch may slow down Internet browsing process
  • MyWebSearch may decrease system performance
  • MyWebSearch may decrease system performance

How do I keep away from MyWebSearch?
Once you have cleaned up MyWebSearch, the most important point to prevent MyWebSearch and future malicious programs from reverting is to stay suspicious of spam E-mail attachment and unknown websites. Here are several ways in which you can help protect your computer against MyWebSearch and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as, Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is Adware?
MyWebSearch is a type of Adware.

Adware is a kind of software that displays or downloads advertisements to a computer after the software is installed or while the software is in use. These advertisements can be banners or pop up windows. Some types of adware may even collect the user’s information and display advertisements in the web browser according to the information collected.

Adware can slow down your PC by consuming heavily Memory and CPU resources. Adware can also mess your Internet connection by using bandwidth to resume advertisements. Meanwhile, your system may be in risk of inefficiency because most adware applications are not properly programmed.

XCP.Sony.Rootkit

Posted by Emma Adrian in Blog Latest Adware Threats, Latest Spyware News, Latest Spyware Threats, Recent Articles, Rookits, Top Spyware Threats on January 19th, 2009 | 1 Comment
TAGS: , , ,

What is XCP.Sony.Rootkit?
XCP.Sony.Rootkit is one way for Sony to reach its goal to control the ripping and distribution of music. XCP.Sony.Rootkit installs a DRM executable as a Windows service, but employs a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. This service very frequently queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive, which has been shown to shorten the drive’s lifespan.

XCP.Sony.Rootkit loads a system filter driver which hijacks all calls for process, directory or registry listings, even those unrelated to the Sony BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks, and could potentially hide an attacker’s files and processes once access to an infected system had been gained.

Do you have XCP.Sony.Rootkit?
If you have enough time and expertise, you can search your computer for XCP.Sony.Rootkit manually. However, it might take hours to find out all files of XCP.Sony.Rootkit, and it is possible that XCP.Sony.Rootkit will appear after rebooting, for its hidden files may still be there.

Download automatic scanner for XCP.Sony.Rootkit
Spyware Cease – the technology-oriented security protection that provides a risk-free computing environment for your home and office – with detection, removal and guard in one intuitive and straight-forward interface. Only Spyware Cease gives you individual fix against the most dangerous spyware problems.

Manual XCP.Sony.Rootkit removal instructions
WARNING: The manually removal method is for advanced users. XCP.Sony.Rootkit manually removal can be difficult and time-consuming. There is no guarantee that XCP.Sony.Rootkit can be completely removed, for there are hundreds of files generated when XCP.Sony.Rootkit installed on your system. Make sure to back up your computer in case that you make any mistakes and your system does not work.

Follow the instruction below for XCP.Sony.Rootkit removal manually:

Navigate and Remove XCP.Sony.Rootkit registry values:
HKEY_CLASSES_ROOT\clsid\{78037074-0beb-496e-9e4c-92d92d562168}
HKEY_CLASSES_ROOT\clsid\{c62a2089-4eb1-4ebb-8635-0d1fcdd6bf25}
HKEY_CLASSES_ROOT\interface\{6d92b32f-ef61-4366-bd2a-2fff9220e331}
HKEY_CLASSES_ROOT\interface\{d3c63786-0568-477d-b39d-f04cddc3c574}
HKEY_CLASSES_ROOT\typelib\{98cdb417-4f5c-4d8c-93dc-df5ab156e997}
HKEY_CLASSES_ROOT\xcpplayercontrol.xcpplayercontrolctrl.1
HKEY_CURRENT_USER\software\cdextrainstall
HKEY_LOCAL_MACHINE\software\$sys$reference
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$aries
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$drmserver
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$lim
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_$sys$oct
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cd_proxy
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\$sys$aries
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\$sys$cor
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\$sys$crater
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cd_proxy
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\$sys$drmserve

Navigate and Delete XCP.Sony.Rootkit files:
[%PROFILE_TEMP%]\Autorun.exe
[%SYSTEM%]\$sys$caj.dll
[%SYSTEM%]\$sys$upgtool.exe
[%SYSTEM%]\drivers\$sys$cor.sys
[%SYSTEM%]\tmpx\apix.vxd
[%SYSTEM%]\tmpx\aspienum.vxd
[%SYSTEM%]\tmpx\wnaspi.dll
[%SYSTEM%]\tmpx\wnaspi32.dll
[%WINDOWS%]\cdproxyserv.exe
[%SYSTEM%]\$sys$filesystem

What are the symptoms of XCP.Sony.Rootkit?

  • XCP.Sony.Rootkit may control the ripping and distribution of music
  • XCP.Sony.Rootkit may employ a technique used by malware authors
  • XCP.Sony.Rootkit may shorten the drive’s lifespan
  • XCP.Sony.Rootkit may hijack all calls for process, directory or registry listings
  • XCP.Sony.Rootkit may hide files and processes for attackers
  • XCP.Sony.Rootkit may decrease system performance

How do I keep away from XCP.Sony.Rootkit?
Once you have cleaned up XCP.Sony.Rootkit, the most important point to prevent XCP.Sony.Rootkit and future malicious programs from reverting is to stay suspicious of spam E-mail attachment and unknown websites. Here are several ways in which you can help protect your computer against XCP.Sony.Rootkit and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as, Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is Adware?
XCP.Sony.Rootkit is a type of Adware.

Adware is a kind of software that displays or downloads advertisements to a computer after the software is installed or while the software is in use. These advertisements can be banners or pop up windows. Some types of adware may even collect the user’s information and display advertisements in the web browser according to the information collected.

Adware can slow down your PC by consuming heavily Memory and CPU resources. Adware can also mess your Internet connection by using bandwidth to resume advertisements. Meanwhile, your system may be in risk of inefficiency because most adware applications are not properly programmed.

Estalive

Posted by Emma Adrian in Blog Latest Adware Threats, Latest Spyware News, Latest Spyware Threats, Recent Articles, Top Spyware Threats on January 19th, 2009 | Leave a comment
TAGS: , ,

What is Estalive?
Estalivee is an adware program that displays advertisements on a PC and gathers information from the user’s computer, including information related to Internet browsing activities or other computer habits. Estalivee silently installs and hooks to Internet Explorer. It will occasionally generate pop-up ads while Internet Explorer is running and may cause Internet Explorer to crash.

Do you have Estalive?
If you have enough time and expertise, you can search your computer for Estalive manually. However, it might take hours to find out all files of Estalive, and it is possible that Estalive will appear after rebooting, for its hidden files may still be there.

Download automatic scanner for Estalive
Spyware Cease – the technology-oriented security protection that provides a risk-free computing environment for your home and office – with detection, removal and guard in one intuitive and straight-forward interface. Only Spyware Cease gives you individual fix against the most dangerous spyware problems.

Manual Estalive removal instructions
WARNING: The manually removal method is for advanced users. Estalive manually removal can be difficult and time-consuming. There is no guarantee that Estalive can be completely removed, for there are hundreds of files generated when Estalive installed on your system. Make sure to back up your computer in case that you make any mistakes and your system does not work.

Follow the instruction below for Estalive removal manually:

Navigate and stop Estalive Process:
2225ask03.exe

Navigate and remove Estalive registry values:
HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}
HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}
HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}
HKEY_CLASSES_ROOT\estalive.estaliveobj
HKEY_CLASSES_ROOT\estalive.estaliveobj.1
HKEY_CLASSES_ROOT\estalive.estinsobj
HKEY_CLASSES_ROOT\estalive.estinsobj.1
HKEY_CLASSES_ROOT\iehelper.myiehelper
HKEY_CLASSES_ROOT\iehelper.myiehelper.1
HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}
HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}
HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}
HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}
HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects {a2b7a0f0-b697-4a71-8d91-43443f57d7bb}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{16a770a0-0e87-4278-b748-2460d64a8386}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}

Navigate and delete Estalive files:
%windir%\sysskip.srg
estalive.dll
%windir%\ieyhelper.dll
estAlive.inf
estAlive.cab
%commonapplicationdatadir%\Microsoft\IEHelper\2225ask11.exe
%commonapplicationdatadir%\Microsoft\IEHelper\iehelper_4511.dll
%commonapplicationdatadir%\Microsoft\IEHelper\IEHelper_5001.dll
IEHelper_5001.dll
%windir%\SYSAURL.SRG
search2.skey
YayaBands.dll
%windir%\YayaVerAtl.dll

What are the symptoms of Estalive?

  • Estalive may display advertisements and popups on PCs
  • Estalive may collect information about users’ Internet browsing activities
  • Estalive may install silently and hooks to Internet Explorer
  • Estalive may cause Internet Explorer to crash
  • Estalive may decrease system performance

How do I keep away from Estalive?
Once you have cleaned up Estalive, the most important point to prevent Estalive and future malicious programs from reverting is to stay suspicious of spam E-mail attachment and unknown websites. Here are several ways in which you can help protect your computer against Estalive and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as, Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is Adware?
Estalive is a type of Adware.

Adware is any software that displays or downloads advertisements to a computer after the software is installed or while the software is in use. These advertisements can be banners or pop up windows. Some types of adware may even collect the user’s information and display advertisements in the web browser according to the information collected.

Adware can slow down your PC by consuming heavily Memory and CPU resources. Adware can also mess your Internet connection by using bandwidth to resume advertisements. Meanwhile, your system may be in risk of inefficiency because most adware applications are not properly programmed.

Nuvens

Posted by Emma Adrian in Blog Latest Adware Threats, Latest Spyware News, Latest Spyware Threats, Recent Articles, Top Spyware Threats on January 16th, 2009 | Leave a comment
TAGS: , ,

What is Nuvens?
Nuvens, also known as Boarim, Puper, Moiling, Poshmont, is one of the latest spyware infections plaguing users on the Internet. Nuvens usually appears on websites that promote them as applications such as video file-format decoders and applications for obtaining pornography. Once installed on your computer, Nuvens constantly runs in the background. Some versions of Nuvens also hijack your searches, redirect them to a new search page with add-on based on that search and display advertised results relating to the users search.

Do you have Nuvens?
If you have enough time and expertise, you can search your computer for Nuvens manually. However, it might take hours to find out all files of Nuvens, and it is possible that Nuvens will appear after rebooting, for its hidden files may still be there.

Download automatic scanner for Nuvens
Spyware Cease – the technology-oriented security protection that provides a risk-free computing environment for your home and office – with detection, removal and guard in one intuitive and straight-forward interface. Only Spyware Cease gives you individual fix against the most dangerous spyware problems.

Manual Nuvens removal instructions
WARNING: The manually removal method is for advanced users. Nuvens manually removal can be difficult and time-consuming. There is no guarantee that Nuvens can be completely removed, for there are hundreds of files generated when Nuvens installed on your system. Make sure to back up your computer in case that you make any mistakes and your system does not work.

Follow the instruction below for Nuvens removal manually:

Navigate and stop Nuvens processes:
pornmagpass.exe

Navigate and Remove Nuvens registry values:
HKEY_CLASSES_ROOT\AVZipEnchancer.Chl
HKEY_CLASSES_ROOT\clsid\{fe8aca46-adf0-4785-b550-89762dc330e6}
HKEY_CLASSES_ROOT\codecssoftwarepackage.chl
HKEY_CLASSES_ROOT\emediacodek.chl
HKEY_CLASSES_ROOT\imageactivexobject.chl
HKEY_CLASSES_ROOT\interface\{e29be7f1-e2d8-4036-91ce-c3f8aac42495}
HKEY_CLASSES_ROOT\paintingroomclasses.animatedicon
HKEY_CLASSES_ROOT\paintingroomclasses.animatedicon.1
HKEY_CLASSES_ROOT\typelib\{979c2ead-48cb-454a-adfa-a123158dd508}
HKEY_CLASSES_ROOT\videoaxobject.chl
HKEY_CLASSES_ROOT\VSEnchancer.Chl
HKEY_CURRENT_USER\Software\Internet Security
HKEY_CURRENT_USER\Software\Online Add-on
HKEY_CURRENT_USER\software\paintingroom
HKEY_CURRENT_USER\Software\PornMag Pass
HKEY_LOCAL_MACHINE\software\paintingroom
HKEY_CLASSES_ROOT\avzipenchancer.chl
HKEY_CLASSES_ROOT\clsid\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}
HKEY_CLASSES_ROOT\imageactivexobject
HKEY_CLASSES_ROOT\videoaccessactivex.chl
HKEY_CLASSES_ROOT\vsenchancer.chl
HKEY_CURRENT_USER\software\online add-on
HKEY_CURRENT_USER\software\pornmag pass
HKEY_CURRENT_USER\software\\internet security
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\brain codec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\image activex solution
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ivideocodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\mmediacodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\mpvideocodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\pornmag pass
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\pornpass manager
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\qualitycodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\softcodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\strcodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\video activex object
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\video add-on
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\video ax object
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\videocompressioncodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\videokeycodec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\intcodec
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\pcodec

Navigate and Delete Nuvens files:
[%COMMON_DESKTOPDIRECTORY%]\Online Security Guide.url
[%COMMON_DESKTOPDIRECTORY%]\Security Troubleshooting.url
[%COMMON_STARTMENU%]\Online Security Guide.url
[%COMMON_STARTMENU%]\Security Troubleshooting.url
[%PROGRAM_FILES%]\AOL Toolbar\toolbar.dll
[%PROGRAM_FILES%]\PaintingRoom\paintingroomclasses.dll
[%PROGRAM_FILES%]\PCODEC\uninst.exe
[%PROGRAM_FILES%]\Video ActiveX Object\uninst.exe
[%SYSTEM%]\update26313404.exe
[%SYSTEM%]\vcodec.exe
[%DESKTOP%]\PornMag Pass.lnk
[%DESKTOP%]\PornPass Manager.lnk
[%SYSTEM%]\sttwrd.dll
[%COMMON_DESKTOPDIRECTORY%]\Online Security Guide.url
[%COMMON_DESKTOPDIRECTORY%]\Security Troubleshooting.url
[%COMMON_STARTMENU%]\Online Security Guide.url
[%COMMON_STARTMENU%]\Security Troubleshooting.url
[%PROGRAM_FILES%]\AOL Toolbar\toolbar.dll
[%PROGRAM_FILES%]\PaintingRoom\paintingroomclasses.dll
[%PROGRAM_FILES%]\PCODEC\uninst.exe
[%PROGRAM_FILES%]\Video ActiveX Object\uninst.exe
[%SYSTEM%]\update26313404.exe
[%SYSTEM%]\vcodec.exe
[%DESKTOP%]\PornMag Pass.lnk
[%DESKTOP%]\PornPass Manager.lnk
[%SYSTEM%]\sttwrd.dll
[%PROGRAM_FILES%]\Gold Codec
[%PROGRAM_FILES%]\Image ActiveX Access
[%PROGRAM_FILES%]\IntCodec
[%PROGRAM_FILES%]\iVideoCodec
[%PROGRAM_FILES%]\MMediaCodec
[%PROGRAM_FILES%]\MPVIDEOCODEC
[%PROGRAM_FILES%]\Online Image Add-on
[%PROGRAM_FILES%]\paintingroom
[%PROGRAM_FILES%]\PornMag Pass
[%PROGRAM_FILES%]\PornPass Manager
[%PROGRAM_FILES%]\QualityCodec
[%PROGRAM_FILES%]\SoftCodec
[%PROGRAM_FILES%]\StrCodec
[%PROGRAM_FILES%]\Video ActiveX Access
[%PROGRAM_FILES%]\Video ActiveX Object
[%PROGRAM_FILES%]\VideoCompressionCodec
[%PROGRAM_FILES%]\VideoKeyCodec
[%PROGRAM_FILES%]\VideosCodec
[%PROGRAMS%]\Gold Codec
[%PROGRAMS%]\IntCodec
[%PROGRAMS%]\PornMag Pass
[%PROGRAMS%]\PornPass Manager
[%PROGRAM_FILES%]\Brain Codec

What are the symptoms of Nuvens?

  • Nuvens may hijack your searches on the Internet
  • Nuvens may display advertisements
  • Nuvens may run in the background
  • Nuvens may masquerade as any number of legitimate programs
  • Nuvens may slow down Internet surfing process

How do I keep away from Nuvens?
Once you have cleaned up Nuvens, the most important point to prevent Nuvens and future malicious programs from reverting is to stay suspicious of spam E-mail attachment and unknown websites. Here are several ways in which you can help protect your computer against Nuvens and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as, Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is Adware?
Nuvens is a type of Adware.

Adware is any software that displays or downloads advertisements to a computer after the software is installed or while the software is in use. These advertisements can be banners or pop up windows. Some types of adware may even collect the user’s information and display advertisements in the web browser according to the information collected.

Adware can slow down your PC by consuming heavily Memory and CPU resources. Adware can also mess your Internet connection by using bandwidth to resume advertisements. Meanwhile, your system may be in risk of inefficiency because most adware applications are not properly programmed.