Off To Faster XP............

This forum is for testing I do with various security settings and tools: infection infiltration, security lock down, among other things. Currently XP Home with SP2 installed.

Postby TeMerc » Mon Sep 12, 2005 12:40 pm

Just went to FasterXP.com, as I wanted to see what I got hit with, after reading about what Paperghost did here.

Got slammed with Nail\Epolvy and some others, will write up tonight.


Postby TICTestBox » Wed Sep 14, 2005 12:38 am

In tonight's write-up I'll go through what happened when I went to Fasterxp.com.

This was not so much an experiment in prevention, as it was an exercise to see what comes with the DL when you install the software from fasterxp.

So, I allowed all the alerts that popped up, and there were many. Especially from avast, as usual.

The first one right off was this one: [screenshot]
I got a few more like that through this install, and I allowed them all to see if I got anything like an EULA (got two, neither related to AbetterInternet or Direct-Revenue).

I then got this alert about the Faster XP install, with regards to its verification: [screenshot]

Soon after, I began to get more alerts from ZA: [screenshots]

And the real nasty of the bunch, which turned out to be the Epolvy infection: [screenshot]

I also got this one a few times too, guess their counter isn't very good, cuz I was always the millionth visitor!! [screenshot]

Then finally, the first hint at Aurora: [screenshot]

Whoohooo!!! Hit the jackpot. Mind you, nothing yet in way of EULA from them at all.

Then I got a popup from Aurora too: [screenshot]

Next was an anti-security app from the good folks at Aurora, SpySpotter (wanna bet it does not spot Nail?).

So, I install it, and sure enough, no Nail found in the scan. Wonder why that was?

[screenshot]

Well, to make a long story short, I got hit with Web Rebates\Top Moxie, My WebSearch, Epolvy trojan, and Aurora\Nail infection.

Here are the entries from HJT:
Processes:
C:\WINDOWS\system32\qiftrot.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\WebRebates2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fasterhomepage.com <<<<---They changed my homepage too, how sweet!!
R3 - URLSearchHook: (no name) - {04079856-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL

O4 - HKLM\..\Run: [seaWDurlIE] C:\WINDOWS\system32\seaWDurlIE.exe
O4 - HKLM\..\Run: [gpztld] C:\WINDOWS\system32\qiftrot.exe r<<<<---Epolvy indicator
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


After running scans with Adaware, Spybot, MS\AS and Ewido, the only thing left to remove was the Epolvy\Nail infection, which required 2 separate steps to get, but was done without any stress. Well, for me anyways; I'd hate to be a user and have all this stuff to uninstall.

I would also mention I tried to uninstall AbetterInternet (ABI) via Add\Remove, but was referred to their uninstaller located at mypctuneup.com, a site\tool which is not totally trusted. See Webhelper's writeup about it here.

I finally had to remove it manually, going into the registry to do so.

It's a sad state when people get slammed with all this crap when they think they are getting something which is supposed to help their system and it does more damage than good.
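As an added example (not code from this thread or from HijackThis itself), a small Python checker that applies the indicator types the write-up above calls out to the HJT lines it quotes: the extra executable appended to the system.ini Shell= value, the Run value whose name does not match its executable (the Epolvy entry), the service with no known owner, and the changed start page. The sample log is copied from the post as constructed test input; the expected-homepage list is assumed for the example.

```python
import re

# HijackThis lines quoted in the write-up above (constructed test input for this example)
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fasterhomepage.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [gpztld] C:\WINDOWS\system32\qiftrot.exe r
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Start pages the reviewer considers legitimate for this box (assumed list for the example)
EXPECTED_HOMEPAGES = ("about:blank", "http://www.google.com/")

_O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def audit_hjt(text, expected_homepages=EXPECTED_HOMEPAGES):
    """Return (reason, entry) findings for the indicator types the post calls out."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "R0" and "Start Page" in body:
            homepage = body.split("=", 1)[1].strip()
            if homepage not in expected_homepages:
                findings.append(("homepage changed", body))
        elif section == "F2" and "Shell=" in body:
            # A clean system.ini Shell value is exactly Explorer.exe; anything
            # appended to it (here Nail.exe) is started at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("extra shell executable", body))
        elif section == "O4":
            m = _O4_RE.search(body)
            if m:
                exe = m.group("path").rsplit("\\", 1)[-1][:-4].lower()
                # The Epolvy entry pairs a random value name with an unrelated
                # random executable name; legitimate entries usually agree.
                if m.group("name").lower() != exe:
                    findings.append(("run key name does not match executable", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("unowned service", body))
    return findings
```

The name-mismatch heuristic is deliberately narrow: the WebRebates0 entry passes it even though the post shows it is adware, so it complements rather than replaces the scanners named in the write-up.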


Postby TeMerc » Thu Sep 15, 2005 12:15 am

I should add that at no time did I see an EULA from AskJeeves with regards to their installation of MySearch apps. And this was one of the points of going to Fasterxp.

I wasn't 100% sure this app was theirs, but in fact it is, as seen here:
http://sp.ask.com/docs/jeevesinc/b1.html
Thanks to PG for the link.


What happened to FasterXP?

Postby varzilthegood » Wed Sep 28, 2005 9:14 am

I've been using fasterxp.com for some time as a reliable source of particular malware. I load up this-or-that antispyware, then install the fasterXP application and note whether the product blocks installation of certain known threats.

But what an odd problem; the site isn't working! Last week I accessed it as usual. This week the status bar visibly shows it redirecting to http://198.87.3.82/fasterxp, and the title bar changes to "Faster XP - Optimize Windows XP for FREE...". BUT after a moment it shows a "Cannot find server or DNS error" instead of displaying the page.

Anybody know what happened? Did the White Hats somehow shut them down?

How about an alternate reliable online source of Aurora/ABetterInternet (the one with nail.exe, drpmon.dll, etc) and WebRebates/TopRebates?


Postby TeMerc » Wed Sep 28, 2005 9:41 am

Neil, as is the case with many of these sites, they tend to pull the bundles and then reload them a while later.

So give em another week or so, and you will find new stuff, or just the same stuff with new affiliates they have conned or some other scam.


Postby varzilthegood » Wed Sep 28, 2005 10:06 am

Alas, I don't *have* a week. But it seems I'm finding some useful alternate sources, thanks to helpful members here.


It's BAAAAAACK!

Postby varzilthegood » Thu Sep 29, 2005 9:52 am

Yes, fasterxp.com is back... but the download no longer contains WebRebates/TopRebates. It does still install Aurora... but I already had an alternate for Aurora. Darn!


Postby Blender » Thu Sep 29, 2005 10:06 am

varzilthegood

Where else have you been getting Aurora? (besides fasterxp.com)

I have had pretty good luck at crackz.ws
Another one is freeroms.com > click the links at left (snez was good for a while)

Again, these are 'rotational installs'... you never really know what you will get each try.

I have been lucky enough to get Look2Me, spyware rootkits, keyloggers, tons 'O' adware, etc, etc.

Blender
Never Give Up!


Postby varzilthegood » Thu Sep 29, 2005 10:10 am

One can find Aurora directly at abetterinternet.com, in a couple of different forms.


Postby MysteryFCM » Thu Sep 29, 2005 12:09 pm

varzilthegood wrote: One can find Aurora directly at abetterinternet.com, in a couple of different forms.

You probably already know this but figured I'd mention it anyway... abetterinternet.com now redirects to:

www bestoffersnetworks.com

http://mysteryfcm.plus.com/?mode=vURL&p ... ternet.com
http://mysteryfcm.plus.com/?mode=vURL&p ... tworks.com
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!
