[Dshield] He wasn't bulletproof after all

Al Reust areust at comcast.net
Sun Feb 8 19:18:59 GMT 2004


You might recommend (the quick list):

SpyBot Search and Destroy - Free
http://www.safer-networking.org/
Pest Patrol - Free download is limited in how it is removed, but should 
identify.
http://www.pestpatrol.com/
AdAware - Free download is limited in how it is removed, but should identify.
http://www.ada-ware.com/
Cookie Cop - PC Mag requires an Annual Subscription, which allows access to 
their other (Free Tools, yes go figure.)
http://www.pcmag.com/article2/0,4149,2019,00.asp?kc=PCNKT0209KTX1K0100360

Clear the browser cache of files (.HTM, .HTML, .JS, .HTA, etc., cookies 
from the specified URL) Otherwise, he needs to get familiar with his 
registry. As you have already found the specific registry keys you should 
be able to help.


At 11:57 AM 2/8/2004 -0500, you wrote:
>Some of you may recall my posting about someone who only ran DOS on his 
>machine and who thought that because of his lack of Windows and his 
>selection of browsers that he was immune to all malware and AV software or 
>firewalls which required Windows would be a waste of his time and money. 
>Today I got this from him.
>________________
>"Somehow when I was online I received a pop-up box which calls itself
>a "sticky-stay" in my Opera version 6.05 which I was running on my
>Windows 95 machine.  I can't get rid of the darned thing, even when I
>am off line.  I even performed a complete re-install of my Opera browser
>and I still can't get rid of it.  The "sticky-stay" is a big black
>box and it says "Inbox".  No text or graphics ever appears in the box.
>When I move my mouse over the icon for it that is stuck in my system
>tray some text appears saying
>"Inbox: http://www.uchase.com/exit/sticky/stay.html"  If I go to the
>URL to try to find out what it is all about I get another sticky-stay.
>I am warning everybody not to go to that URL because if you do you
>will probably get a sticky-stay too.  I really want to get rid of the
>darned thing because I am paranoid and I think it is spying on me.
>Has anyone here ever heard of a problem like this before?  I am not
>crazy and I am not imagining things.  This is actually happening to me.
>How do I get rid of a sticky-stay?"
>
>(Written with Pine)
>_________________________________
>The link given can't be visited at all with my Netscape browser.  Nothing 
>happens at all.  When I try to go there with IE, my IE browser turns off, 
>but Outlook Express tries to open.  Firewall logs show the connection was 
>made when the browser shuts down.  Of course I don't really have a 
>functional Outlook Express in my machine, so just the OE icon activates. 
>(A little registry rewriting on my part, good thing.)  Going to uchase.com 
>with IE shows it to be an Internet advertising company.  Adding 
>exit/sticky brings me to an index.  Clicking on stay, again turns off my 
>IE browser. Since uchase.com won't resolve for me in my altered Netscape I 
>don't know what stay does.  Whois.crisnic.net shows (with a little 
>redirection) Uchase.com belongs to Zeusinterent Pty Ltd. in Brisbane, 
>AU.  Looks to me from his description and what I see on their site what he 
>got is a Spyware.  Probably it was expecting to find Windows on his 
>machine and upon executing some part of it's code the popup would have 
>called home then disappeared.  Of course he doesn't have Windows, so that 
>poor popup is just stuck there hanging around waiting for a windows 
>command.  Anyone have any idea how he can delete it?      :)
>
>
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list