SPYWARE ALERT!!!!!!!

cortez

Please read the following carefully. It has implications
for all MSAS users.
Yesterday I posted a notice concerning an issue
submitting a spyware report. The spyware report would not
submit due to what it said was "IE Proxy Settings". Two
MS Techno's acknowledged the issue as a MSAS software one
saying it would be fixed with the release of Beta2.
The implications are...a very real spyware threat exists
which MSAS can't act on. This also leaves all other
MSAS users potentially vulnerable because definition and
signature files can't be updated. And how far off is Beta
2? They didn't say.
So here's the issue.....MSAS alerted me to a host file
issue concerning Oneclicksearches.com and that it was ok
because it was on loop back. I typed the URL into my web
browser and a Microsoft Internet Explorer window opened
with the following message.....Attention! Your PC is
infected with Spyware....Browser version:4.0 (Compatible;
MSIE 6.0; WindowsNT5.1)"StealthSWs114.h!dll"
ver.4.442as18a. Access Port #33299. You are at risk...
blah blah blah.
Note that it was MSIE which opened with the details and
not MSAS... More importantly...how did this manage to get
past MSAS protections shields which were active??? and
how did the resulting full scan not pick it up??? obviously
not on the signature files. Also... MSAS realtime active
protection does not obviously recognise the encoded
language which is common to most spyware. And how do you
like their response and solution??? is this the behaviour
you would expect from a company with professionally
trained software developers and technicians???
The important lesson here is that MSAS is a beta and beta
realise that as such it's not to be relied on as the sole
source of spyware protection. Don't get caught out. Have
a few other more well known and reputable programs
running at the same time. This also once again highlights
the ongoing IE security issues that seem to plague MS.
My advice to Microsoft. Best you understand the serious
nature of this issue and treat it with the urgency it
deserves. This is not just about your spyware. It's about
the spyware community you set up and your commitment to
them and it's also about the community you represent
having confidence in your company to act appropriately.
In this case words are not enough. Get real and be
authentic. You started out with a great product concept
developed by creative intelligent human beings who were
passionate about being of service to others. The
community will judge you by what you do and not by what
you say so the time to act is now. If you can't get small
issues like this right now how are you going to behave
when a big one comes your way???
You need to be grateful and thankful that the community
takes the time and cares enough to inform you of these
issues. If you don't act accordingly you end up getting
people's backs up and drawing to yourself a lot of self
destructive negative criticism.
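
The hosts-file finding described in the post above (an entry for a domain that points at loopback being harmless), as an added example that is not part of the original thread: a short Python audit that separates loopback or null-routed entries from entries that send a name to another machine. The sample hosts content, the `.test` hostnames and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from any machine in the thread).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       oneclicksearches.com   # pinned to loopback
0.0.0.0         ads.example.test
203.0.113.10    www.example-bank.test  # sent to an outside server
::1             localhost
not-an-ip       broken.example.test
"""


def classify_hosts(text):
    """Return (hostname, address, verdict) for every mapping in a hosts file."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            verdict = "malformed"  # first field is not an IP address
        else:
            if ip.is_loopback or ip.is_unspecified:
                verdict = "local"  # name resolves to this machine or nowhere
            else:
                verdict = "redirect"  # name is sent to another host: review it
        for name in names:
            results.append((name.lower(), addr, verdict))
    return results


def needs_review(text):
    """Entries that are not simple loopback/null-route mappings."""
    return [(n, a) for n, a, v in classify_hosts(text) if v != "local"]


if __name__ == "__main__":
    for name, addr in needs_review(SAMPLE_HOSTS):
        print(f"review: {name} -> {addr}")
```

On a Windows XP-era system the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`.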
 
Bill Sanderson

The beta product has consistently gotten top marks in reviews, including
some published very recently.

I'm not totally clear on your report here:

You were warned about an issue with a given URL

You then chose to visit that URL which opened in IE (given that IE is what
is set to open URLs, that doesn't seem surprising to me.)

The website (admittedly malignant) that you visited then spouted back to you
information that it can glean merely by interrogating your web browser.
This shouldn't be too scary--every web site you visit is capable of making
use of this same information.

The issue with getting the spyware reports in is indeed a bug in the beta
version. It is not a bug which affects every user of the beta--the majority
of machines I administer don't see this issue, but a few do.

I can't predict when Beta2 will arrive. And I am not a Microsoft
employee--just another volunteer like most others here.

--
 
AndyManchesta

I do not know if you've been infected with
oneclicksearches and about:blank or what the MS support
guys you spoke to advised, but that's a bogus alert. There
isn't spyware on your PC, or maybe there is but not
connected to this warning, and the file StealthSWs114.h!dll
doesn't exist. It's a con from PCguard and SpySherrif to
make you install one of their products.

I had the infection of oneclicksearches myself the other
day while I was testing, and you will notice that the
options at the bottom of the pop-up give it away. It
either sends you to a site which says to remove it you
must install one of these products (Spysherrif, PSguard,
AdwareRemove or Spyspotter). They are all rogue removers,
but that's the only choice on the page. You will probably
also see many links to adultfriendfinder included in
these pop-ups, plus spelling mistakes such as resluts
instead of results when it's saying credit card theft can
result in fraud, so ignore the warning and do not visit
the site. I only got there as I got infected so had no
choice, as it took over IE, then changed my desktop to
display a spyware warning and downloaded wareout,
Spysherrif and PSguard, so stay away from them as there is
nothing genuine about them.

The biggest mistake you can make is following one of
these pop-ups and installing any of these rogue products.
They will install spyware then try to charge you to remove
it. Spyspotter, for example, said csrss.exe was Spy.BC and
said I should pay to delete it. This is the Client/Server
Runtime Server Subsystem from Microsoft, so deleting this
could cause a lot of problems. Same with wareout and
spysherrif: they will install spyware then say you must
pay to remove it. Stick with MS Antispy, it's doing great
from what I can see, and believe me when I say I've
downloaded all sorts of junk to test it. It's also wise to
use other free scanners like AdawareSe, Spybot and Ewido
to make sure you stay clean.

Andy
 
AndyManchesta

I need to correct one part of that last post: it's PSguard
and Spysherrif, not PCguard. They are a legitimate company
and not connected to these warnings ;) Typo error as it's
getting late here.

I do not know the background to this complaint you have,
but if you were infected with oneclicksearches it's a
nightmare to remove. It took me about 2 hours to remove
all the entries once they had downloaded PSguard and
Spysherrif and changed my desktop and added at least 3
different trojans. No scanners detected the main files
that were causing the hijack, so even though Hijack This
and all the scanners showed clear in safe mode and normal
mode, every time I rebooted the infection came back and I
was unable to remove oneclicksearches from the IE
settings. I ended up having to manually check all the
files in the system32 folder and the windows folder and
killbox every file that came with this in safe mode, then
finally got things back up and running, so it's important
you stay away from this site and all the other sites they
link to.

Andy
 
Guest

Hi Bill, thanks for the reply.
Scary is not a word I would choose. Vulnerability is. The
way to check any system is to challenge it. That's what
those with mal intent do. In this case i suspect the
alert was only that and was a possible reason why the
stated spyware was not picked up in the resulting scan.
This is the first time I have come onto this site and it
was done so only because I couldn't submit the spyware
report in the way designed by the MSAS program. I am not
about to stop using MSAS or jump ship as a result of my
experience. The need to justify or defend the program to
me is not necessary. If the spyware mentioned in the
report is not in the current definition file then don't
you think it should be manually checked and entered in if
it is not?
Waiting for B2 appears a poor solution to the reporting
issue. Obviously the issue has existed for some time by
the fact that there are other MSAS users reporting the
same problem. The flow of information is vital to the
virtual functioning operation of this program and it is
assumed that it is something that the engineers would want
to treat with some urgency. You are not an employee but
you speak with some authority as a volunteer and may wish
to escalate this issue and make it known to those who
need to know. You may even score some boy scout points
for doing so. What do you say? Worth a go for the
community? It's actions that count and if I knew another
way do you think i would be here? If you have a contact
within MSAS please let them know of this post or maybe
you could give me a contact.
 
AndyManchesta

The report doesn't exist; it's a false pop-up, but maybe you
would rather blame Microsoft than admit you were fooled by
a pop-up from a site. Where are the reports you say
that have come from other users? Hope you don't mean my
post, as that's not connected to these pop-ups. I was
infected with trojans which then started all the problems
I described, but the pop-ups from oneclick are nothing but
a joke and you fell for it big time.

The site oneclicksearches is a front for malware, so why
do you go there unless you get infected with trojans and
cannot help but go there? The file it said you have in
the pop-up doesn't exist, so MS cannot include a file into
their database that isn't real. The cause of my infection,
which I have to point out was just for a test on an
unpatched PC, was these:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.pepop.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.secup.html

Plus various other junk that came as a result of the
trojans, but MS Antispy cannot be expected to stop
everything; it is Antivirus products that will stop this.
No spyware scanner I used found all the files
(Spybot, MSAS, Adaware, Spysweeper). I even used Ewido/Hijack
This and Trendmicro's housecall but they couldn't fully
clean the infection and ended up using Killbox, so I don't
think you should put the blame on a beta testing Antispy
product.

If you have a fully patched PC and good Antivirus
software you will never even know about sites like this,
so let's not try to blame MS for you deciding to visit the
site. But even if you were infected, which hijacked your PC
to this site, it's probably because your PC doesn't have
SP2 and all the security patches installed. If all this
is just because you cannot send a spyware report then
don't worry about it; as already mentioned it will be
addressed and fixed. You probably don't have any spyware
to report unless you have rogue antispy products
installed on your PC.
 
Guest

dear bill....'top marks' with a reporting bug in beta???
was this bug discovered after the review was done???
scary for you maybe...that there is a MSAS reporting
issue is obviously not scary for MS, nor does it appear
to overly concern them. In case you see a similar report
from another person here's an appropriate reply. It turns
out that msie does not make such alerts and that this is
a bogus scam of oneclicksearch as an attempt to get
people to purchase spyware that they sell and offer as a
solution to the alert. very clever... I will think twice
before reporting any other issue. It is obviously not of
concern to ms. 'top marks' The reviewers obviously didn't
look at this website....regards
 
Guest

Hey Andy.... I don't know who you are but thanks. Sorry
to hear of your experience. Sounded like a nightmare.
Zone Labs sent me an email giving me the low down on
oneclicksearches which concurs with what you are saying.
Your email has much more personal detail though and I
appreciate your time and effort. I am sticking with MSAS
and have other top of the line, tried and true,
antispyware/antivirus/firewall programs running in real
time. sp2 as well. actually the whole experience has been
a real eye opener for me and my challenged as/av/fw
programs have come through for me and prevented the type
of experience you had. I would not like that and yours
and Bill's warning is heeded.....Thanks again and Kind
regards....cortez
 
Bill Sanderson

The review results are based on the effectiveness at cleaning a range of
spyware in place. This is a beta program, and as such, likely to have bugs.

The reporting bug has not been mentioned in any review I've read--perhaps it
happens sufficiently infrequently that no reviewer saw it?

At any rate, Microsoft now understands the bug and it will not be present in
beta2.

I'm glad you now have a clear understanding of what you were seeing.

I'm using pretty careful language here. Yes, the reporting issue is a bug.
Beta programs have bugs--that's part of the purpose of the beta--to bring
them out and get them fixed. This one is on the road to getting fixed, but
it won't be for a while. Sure it'd be nicer if they'd fix it right away and
get better reporting--but there are dollars and time involved in every such
decision. I'm glad that the priority is for getting on with beta2.
--
 
