So what damage can be done here? (worried again)

[kabal57]

well I have xp pro sp1 installed and run za pro and spyware blaster.
I have never opened any email attatchments, etc.
I left my puter on last night while my brother was here, and i guess he went to all kinds of websites. I came back to find that my start page had been changed and something erased my whole drop down history and filled it with about 12 porn sites.
I ran spyware blaster again and the only thing it came up with was some active x apps listed as security threats, so I had it deal with them.
Also changed IE to not accept activex anything.

My question is this:
What kind of damage can activeX stuff do?
Is it possible for things like keyloggers to be embedded in activex scripts and then use outlook express to email info away?
Outlook has access to the net so I can send/recieve, Is this some thing I should be worried about?

Basically I'm wondering just how much of a security risk im at If I never download anything intentionally or open email attatchments.
thanks for any future answers.

*edit* forgot to add, I have a ics router as well.

[Croc]

start page has been changed to what?

I would suggest you get a copy of SpyBot SD and use it to scan/repair.

Croc.

[kabal57]

I'm sorry it's late and im a retard.
I meant to put that I do have spybot search and destroy not spyware blaster (they all sound the same)
Thats the proggie I updated tonight and used and it found 5 activex things.
and I did have it do the repair option.

The start page was changed to a porn site as well.
it also added alot of porn bookmarks in my bookmarks section.

What kind of nasty stuff Can I get from just browsing/surfing?
is there a safe activex setting to use?
what is yours set at if i might ask?

also one other question, sometimes on some sites that are redirects they will pop up a dialogue box saying do you wanna download this or that or be safe click here, etc etc.
it has a cancel button on the top right just like a windows popup message, but I have a suspiscion that clicking the cancel box is the same as clicking yes, and it will go ahead and install whatever the program is anyway.. is this correct? (so i never click on any part of a popup installer)

What is the safe way out of that?

I normally ctrl/alt/del the installer program that is trying to run in that dialogue box and shut it down and close the browser.. dont know if this is what I should be doing or not tho...

[ghettoside]

the start page prob is called a BHO; to fix BHO's the best prog I've found is Hijack This. just be careful what you remove with it. a bad bho will be very obvious, and there's a more info on selected item tab if you're unsure.
go here and follow the 'tweaking & security resources' link. there's some basic info before the downloads.
Of course you anti-virus. I run Norton and have protect from malicious script enabled. have IE config to run active x scripts marked safe, never have any probs. need to run spyware blaster w/ spybot, use spywareguard too.
If you need an anti-virus, I can send link to a freebie that I'm still testing out on 3 friends' comps, it doesn't suck up resources and doesn't seem to be doing a bad job. stay away from F-prot av, installed it on a comp and it was horrible with the resources.
caution is good but don't be paranoid about downloading or opening email. when you download, save to disk, then scan w/ av before opening. keep your ms up to date, the patches protect against a lot of email threats. don't open email from people you don't know!

[ghettoside]

the popup question, if you click no it shouldn't install. no, not cancel box. if you have latest version of macromedia shockwave player installed that will eliminate a lot of the boxes you're seeing, lots of sites need the flash player installed and if you don't have it you'll be asked if you want to download it.
again, as long as you have av, firewall, anti-spyware surfing shouldn't compromise your sys.
with active x completely off, you're gonna see a lot of messages while surfing.
set IE to delete cookies and temp folder when you close browser.
I have to look at my settings for IE active x.

[ghettoside]

d/l signed x=enable
d/l unsigned= disable
inti & script not marked safe= disable
run x contrls & plugins=enable
script marked safe=enable
-------also
ms java permissions=high safety
------
scripting=enable

I'm sure some of the guys will disagree w/ my settings. I've yet to have probs and until i do the settings stay.
I run full system scan every time nort updates, and i run boclean anti-trojan prog, full scan each update. I never find anything.

[ghettoside]

I forgot, you could use AVG av, its free (also has pay version)
Norm seems to like it so I'm sure its good. (i don't know if its the free version)

[Croc]

Originally posted by ghettoside
d/l signed x=enable
d/l unsigned= disable
inti & script not marked safe= disable
run x contrls & plugins=enable
script marked safe=enable
-------also
ms java permissions=high safety
------
scripting=enable

I'm sure some of the guys will disagree w/ my settings. I've yet to have probs and until i do the settings stay.
I run full system scan every time nort updates, and i run boclean anti-trojan prog, full scan each update. I never find anything.

Just checked because it's been a while since I was in there and I have the same settings except for signed x = prompt, not enable. (paranoia supreme.)
That, with SpywareBlaster/SpywareGuard, Cookiewall and AVG is about it here.
WinRoute Pro has had the Tiny firewall settings dropped and scans all come up as all ports tested = closed.
The system is happy.

Croc.

AVG is better than most give it credit for.

Another AVP worth looking at very seriously is Gladiator. This IS a great program.

[TonyT]

FYI, a malicious ActiveX control can be used to do just about anything at all to a computer that agrees to install it, including delete files, install other hidden programs, download trojans and viruses, reformat a driver etc etc etc. Bottom line is:

IF you do not trusdt the author of the activeX control, do not install it.

[kabal57]

ah thanks for all the answers guys.

ghettoside: The type of pop up boxes i'm talking about are not normal windows do you wish to install xxxx, or xxxx.
but theyre site redirects that then pop up a box that says do you want to meet hot girls
or click here to get access to the hottest girls blah blah
in the past when i've clicked no on those programs it seems like they still run or are communicating with my machine somehow, or at least it seems like it cause it takes a few seconds for it to go away, rather than a normal win popup that goes away immediately when you click yes or no or ok.
Just curious with the above question tho.

Croc, thanks for the advice. With all those programs running, do they hog your resources? I just set spybot to run on startup, along with ZA and an AV, but it seems like alot of programs to be running in the background. Do you notice any slowdowns or anything on your machines with all those programs running?

Spybot SD found the activex scripts and reg entries and fixed them, and i also downloaded pest patrol and it found a few things Spybod Sd did not, mainly spy cookies, but heres the one that worries me:

15,OnlineDialer,Category: Adware Background Info: About Spyware ,"In File: C:\WINDOWS\downloaded program files\maconnect.dll Date: 11/27/2002 5:19:44 PM File Description: MaConnect Module File Version: 1, 0, 0, 3 Internal Name: MaConnect Legal Copyright: Copyright 2002 Original Filename: MaConnect.DLL Product Name: MaConnect Module Product Version: 1, 0, 0, 3 ",""

can anyone shed any light on what exactly this is and since it is a dialer, and its been on my machine, can it dial out thru IE and around ZA to charge up long distance to my phone bill?

[Norm]

One category of pest that PestPatrol blocks and removes is Diallers. MaConnect is a newly discovered automated porn dialler first used last November 2002. Simply hitting a website or popup advertising window will activate this dangerous and costly pest program to automatically and instantly download and install itself on your computer.

What MaConnect does is quickly hijack your entire system, and then using your modem dials up a 'pay-per-minute' porn server via the phone line. The program runs itself automatically, establishes your country code and loads the necessary telephone number to dial for your region. Charges run out at $6.95 a minute!!! That's $420 an hour onto your home telephone bill, whether you're at the computer or not!

Normal Windows functions like Ctrl-Alt-Delete and Shutdown are disabled. The program installs start up files into the Registry so that it can re-activate itself to take control again as programmed after the computer is restarted. Leaving the computer on and unattended, could result in multiple sessions to the dial up porn server.

MaConnect takes over the entire computer by taking advantage of existing vulnerabilities in Windows. As such it's not a virus or worm, nor needs firewall access, therefore, no antivirus or firewall is going to be able to stop serious pests, like MaConnect and other diallers.

The release of these types of malicious pest programs are increasing all the time. The problem of removing unwanted software from your computer is now as serious and as common, if not more so, than the virus problem.

http://discount-evidence-eliminator.com ... review.htm

[kabal57]

ACK!!!!!!!!!!!
christ. my phone bill hasnt been any higher than normal lately, and i normally leave my computer on all the time...
this may sound stupid but is there any way to tell if its been charging you up, or do you just wait for the phone bill?
Since I dont have a registered version of pest patrol it wouldnt remove the file,
but I found it in windows/downloaded programs and deleted it..
windows ran a pop up box that said the program will be removed.. think its gone for good, or just hiding somewhere?
its never locked up this machine with the ctrl/alt/del not working
any suggestions?

[ghettoside]

spybot does not to be run at startup. if you read the info at my site, I said to run sypbot with spyware blaster and spywaregurad. This was recommended by the University of Dortmund (Germany) and a few other sites (I'll look if I can find links).
Spyware blaster runs silent, not in the tray. it prevents syware from ever installing on your sys, and it updates a lot. It is not a removal tool, it is prevention. spybot is removal (or it was before v1.2 started providing 'immunize') spybot and spyware blaster like each other.
I'm experimenting now running with those two and omitting spywareguard.
I haven't found any spyware while using those progs, and I have used them to fix about 20 comps. I fixed up 4 people in my building, then people I didn't even know started approaching me on the street when I'm out w/ my dog asking if I'm the guy that fixes computers. And I have other friends I've helped out.
The other thing is you should install and run hijack this, scan and remove BHO's. Just be careful what you remove. if you have any questions I'll be glad to help. It will find some things that the other progs don't, I know from firsthand experience.
Of course any progs running will use resources, but would you rather be infested with spyware and dialers?
I updated my site today, take a look at the link 'more info on browser hijackers here' ; you'll be shocked. I'd try hijack this if I were you. BHO's are real bad news.
link
Those popups you're getting are not what i thought you were talking about, those are serious matters!

[kabal57]

yeah the popups i described are kinda scary... i dont come across them often but every now and then a link will switch itself and redirect to a porn site.. with some kind of download that automatically starts itself..
anyway i ran hijack this and here are the results:
some programs I can recognize like pest patrol and such, but others I have no idea what they are

Logfile of HijackThis v1.94.0
Scan saved at 10:08:51 PM, on 5/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://sharempeg.com/xfind/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.syix.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab

I also downloaded the other programs you said and have them on my machine now

[ghettoside]

the prog you deleted may very well re-appear unless you really remove it, and the stuff will do the job, plus you've got adaware. once you clean out the garbage, as long as you keep your protection on, and keep updated on the definitions, and keep firewall and av on, you won't have any more problems.
you may also want to look at ZA's settings for progs that it will grant internet access to
1 of my neighbors had a badly infested comp, full of spyware, BHOs, even serving up some clown's warez. I put the stuff on, cleaned it out, everything was cool. then a couple weeks later he comes back and says help!. he couldn't even browse the net anymore, and his sys was freezing up constantly, windows explorer wasn't working. he unistalled everything I put on because he thought it was using too much resources (cable modem user too, worst case to go unprotected) and he said ZA was interfering with his viewing of porn sites.
I had trouble getting a clean download of hijack this, everytime I tried, we
when i went to install I had a corrupted file error. did av scan then, found a bunch of viruses, got those off, then was able to get clean d/l of hijack this, and it found a bunch of BHOs. Spybot found stuff too.
needless to say, he hasn't uninstalled the stuff again.

[Norm]

Another good spyware remover that catches some the others miss is Adaware from http://www.lavasoftusa.com. The free version works great.

[ghettoside]

okay, was posting again, just say your post. give me a minute to look it over, be right back.

[ghettoside]

that sharempeg, i went there, it is porno. remove those 3 items! that's where the majority of your problems are coming from.
syix.com, went there, I gather that's what you want your homepage set to. add to ignore list, it will only show up again on scan if it changes.
NvTwk, NvCplDaemon, I don't know, maybe mail program or some kind of 3rd party sys manager, you'd know better than me. leave it alone for now.
gamesspyarcade, went there, i gather it's a game site you use. leave alone for now, unless its not something you want.
macromedia stuff is shockwave player, you can set that to ignore list.
the other stuff is system stuff, msdxm.ocx (ms office i believe)
from R0 down (starting at syix) you can either set all to ignore list or just leave them for now EXCEPT don't add that NvCplDaemon to ignore.
only reason i set things to ignore (that I know are harmless) is so I have less to look at next I scan. every time you install something you're likely to find something new on the scan.
Remove those bad boys and shutdown, restart the comp- but before you so that, put spywareblaster on first if you haven't done so already, update. then you should be good to go. if you got any questions on blaster let me know.

[kabal57]

wow good detective work dude, im impressed.
I have downloaded and updated spyware blaster, spybot SD, spyware guard and ZA, along with the ics router, gonna go get a new norton cd tomorrow, Hopefully I'll be good to go.
Your help has been invaluable you know
now checks with everything turn out clean, hopefully it will stay that way.
thanks again

oh btw, the nvtweak is a 3rd party app i have for my video settings, w my geforce 4 ti, (nvidia software) I found a few posts on the net about the cpl deamon popping up in an error when people try to run the nvidia software its looking for that file.. apparently its a .dll or something the nvidia stuff needs from what I can gather.

[ghettoside]

glad I could help!