Did you call up UH early this morning on a Windows computer?

Seems a link to malware got into the HTML wrapped around ads on Universal Hub early this morning (up until about 8 a.m., when I started shutting off ads served through my ad server).

If you got a popup when you visited the site and you clicked on the link (on your Windows computer), your computer may now have a nasty program called SpyEraser, which just doesn't want to go away.

First, my apologies. Second, I'm looking for a fix. In fact, if anybody has any possible solutions, I'd love to hear them. If you delete that program, you get an error message about something called mpor.yuo.

One possibility: Malwarebytes. Although it may not flag the software during a scan, it will get rid of it.

Comments

So that's what happened....

I remember getting the popup, but declined it. I still got hung up after that. Great job tracking that down

Same here

My Norton blocked it (I'm running it on the home computer just to be sure - haven't checked it yet)- but the computer still hung up. My guess is that if Norton blocked it and you have updated software it will either fix or quarantine the problem. Just a guess though.

Update

Ran a full scan on the computer while I was at work - appears Norton successfully blocked it - didn't show up in the scan and no apparent lingering effects. Fingers crossed. Had one of these things once - major PITA! Spent hours on the phone with all my best friends in India - very nice people the Indians.

I wish it were my brilliant deductive skills

But if I had those, this probably wouldn't have happened in the first place. In any case, the reason I know what happened is because, unfortunately, one user did get his PC infected. And fortunately, he's a kindly soul and we've been trying to figure out what to do about it, rather than him coming over here and throwing his computer at me.

So, again, to everybody, my apologies!

WinBlows

Simple solution. Infected user should buy a non-windows machine.
Disclosure: I am not actually an apple investor.

No, it's not a simple solution

Even if you have the money just lying around, it's a bit more complex than that. What about all your files and programs? Yeah, yeah, there are ways to deal with those, but you don't just snap your fingers and presto, you're up and running on your spiffy new contribution to Steve Jobs's bank account.

I got it on my work computer!!

What can I do? Not sure the boss is going to be too happy. Seriously.....WTF?

Download Malwarebytes

And run it.

Guess My Ad Blocker Took Care of That

I actually went the other way, from Mac (five years of it) back to Windows. For a little while I was running Leopard on an old MacBook and Windows 7. As a former all-pro-Mac person, I must say: Windows 7 is, for the most part, better than Leopard. Much more productive. Faster. Etc. (But, yeah, still prone to spyware issues.)

Dare I say it

There's always Linux (free) running on an existing computer (or part of it -- if you want to maintain the ability to boot into Windows, for old times' sake). Still need to adjust -- but no money sent to Mr. Jobs' bank account.

Tried it...

I messed around with Linux a couple times. However, I really do like Windows 7, and I so far (in however many years, including years of Windows before I switched to Mac) have never had a virus or a spyware issue (fingers crossed). Also, I use OneNote on a daily basis (Windows only).

Advertising still visible

I use a FreeBSD box at home myself. I might add, Adam, the Advertising banners are still visible. 1800mattress right now. Thankfully not the Bobinator.

Oh, yeah, you're supposed to see the ads

Click on 'em, even :-).

What you're not supposed to see are popups asking you to start downloading software. If you do see that, don't click and let me know.

Orly?

I'm reading this on a 3GHz Xeon running Windows 7. In a window on my Mac Pro, running Snow Leopard.

Why? Because "Show only feeds with new posts" is one of those unconscionably-absent features in every Mac RSS reader. FeedDemon, OTOH, has it.

Look what I got

DEAR SIR,

URGENT AND CONFIDENTIAL BUSINESS PROPOSAL

I AM MARIAM ABACHA, WIDOW OF THE LATE NIGERIAN HEAD OF STATE, GEN. SANI ABACHA. AFTER HE DEATH OF MY HUSBAND WHO DIED MYSTERIOUSLY AS A RESULT OF CARDIAC ARREST, I WAS INFORMED BY OUR LAWYER, BELLO GAMBARI THAT, MY HUSBAND WHO AT THAT TIME WAS THE PRESIDENT OF NIGERIA, CALLED HIM AND CONDUCTED HIM ROUND HIS APARTMENT AND SHOWED HIM FOUR METAL BOXES CONTAINING MONEY ALL IN FOREIGN EXCHANGE AND HE EQUALLY MADE HIM BELIEVE THAT THOSE BOXES ARE FOR ONWARD TRANSFER TO HIS OVERSEAS COUNTERPART FOR PERSONAL INVESTMENT.

I was on the site this

I was on the site this morning, but I run NoScript with Firefox which is like a concrete and steel condom for my web browser. A little tedious when you first install it since you have to whitelist the sites you go to often, but once you're in a groove there is no turning back.

I got it but think I got rid of it

When I accessed my blog (and not UH) at about 8 am today I got a popup that I thought was for something I wanted so I clicked on it and within seconds I was deluged with "warning: your computer is infected" popups from this SpyEraser program. There was a new icon in my program tray (next to the clock - I'm running XP) but nothing showed up when I went to "add/remove programs" and there was no "uninstall" with its program icon in my programs area. In "my computer" I couldn't find anything that looked like it. I Googled "spyeraser" and it seems to be a legit but crappy program with unscrupulous marketing by a company called Uniblue. The complaints on the web all said it does a free scan, finds a bunch of stuff that's not really there, then gets you to buy their product. I emailed Uniblue support (http://www.liutilities.com/support/) and got a response, but it was just telling me to do everything I'd already tried. I got rid of the icon from my program tray by waiting for it to popup then doing CTRL-ALT-DEL and using Task Manager to "end program". Then I noticed an icon on my desktop. By right clicking and picking "properties" I found the file name in the "target" window and tracked back to it. It was C:\Windows\system32\msctrl32.exe. The msctrl32.exe was the file. I deleted it and restarted my computer. Now it seems to be gone. My only caveat is I'm not a computer guy but was angry enough to impulsively delete that particular file. It seems to have worked for me, but try it at your own risk. Sorry for the length of this, but I'd like to help others avoid what I suffered through today.

If ^ doesn't work... this should

This is the solution, but only half of it. Since I didn't check UH until 9am, I didn't get the chance to infect my computer. However, I have dealt with similar problems and can tell that your computer is likely to reinfect itself.

The problem with your solution is that you deleted the file from your hard drive, but it still exists in your PC's RAM. If this malware is sophisticated, it will copy itself from the RAM back onto the hard drive and SpyEraser will be back.

So, the problem is that upon startup the msctrl32.exe is copied from the hard drive to the computer's memory and when you delete it from the hard drive, the msctrl32.exe that is loaded in memory copies itself back onto the hard drive. Booting into an environment that doesn't load this file automatically will solve this. Safe mode (F8 on startup, before the Windows logo) may work, you can boot into it and check the running processes (ctrl + alt + delete -> processes tab) and if msctrl32.exe is not running, deleting it should do the trick. Otherwise, a Linux live CD (www.ubuntu.com) or BartPE (http://www.nu2.nu/pebuilder/) will definitely not load the file.

kinda dropped off...

Sorry, just got back from the Sam's Open House... Burning Ubuntu or BartPE to a CD and then booting to that CD will allow you to use your computer and access the files on your HD without loading files from the HD into memory. From Ubuntu or Bart you'll be able to delete the file off your HD.

thanks for your openness and honesty

Adam,

I (and many others) appreciate the great public service that you perform with this blog. And I appreciate your willingness to publicly acknowledge the problem the site had this morning. It would have been easy to ignore or deny it, but you took the high road.

Thanks,
Harry

What Harry said

Some folks are just stand up folks. Three cheers.

getting rid of Spyeraser

so, what's a next step if Malwarebytes doesn't get rid of it entirely?

Try some of the other steps listed above or ...

Spybot got a good recommendation from an IT person I know.

I tried SpyBot,

but it didn't work. Fortunately my pc is backed up nightly.

Performing a system restore from the previous night's backup quickly and completely eliminated that nasty bit of malware.

System restore

Yes, my husband did a system restore to Monday and eliminated the infestation. BTW, you didn't actually have to click through to the website to get infected - I got what I thought was a legitimate Windows warning about an unwanted click-through, and made the mistake of clicking the "no" box ("do you want to allow this - yes/no") instead of closing the pop-up, and got infected that way.

Another possibility

OK!!! ctrl alt delete, end task, then go to C:/WINDOWS/system32 find msctrl32 and delete. (if you can't find it right click on the icon to find where it's housed on your computer). After you delete it from your files then drag icon to recycle bin. We did this and restarted computer and the icon disappeared from the task bar too.

That looks like XP instructions. For Vista, when you hit ctrl-alt-delete, click on Task Manager, then end the task or process, I'm betting.

From this Tech Support Guy forum.

So how did this happen?

Is there a bug in PHP (assuming that you use it here), or did someone forget to call htmlspecialchars() ?

No, I was an idiot

New version of the ad-serving software came out. I downloaded it, meant to install it, didn't, somebody took advantage of a hole in the old version to put an iframe underneath every single ad call in the database.
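The cause described in the reply above is an iframe injected under every ad record in the ad server's database. As an added example (not the post's or the ad-serving software's own code), here is a small check a site operator could run over stored ad creatives to flag frames that are hidden or that point off an allowlisted host; the sample records, the allowlisted host and the other hostnames are constructed placeholders, not indicators from this incident.

```python
# Added example (not the post's or the ad server's code): scan stored ad
# creatives for injected <iframe> tags. Sample records and hosts below are
# constructed placeholders, not indicators from the incident.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host a legitimate creative may frame content from.
ALLOWED_IFRAME_HOSTS = {"ads.example-adserver.invalid"}


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for an iframe the visitor is not meant to see (0/1 px or CSS-hidden)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {attrs.get("width", "").strip(), attrs.get("height", "").strip()} & {"0", "1"}
    return bool(tiny) or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html):
    """Return iframes that are hidden or framed from a non-allowlisted host."""
    finder = IframeFinder()
    finder.feed(html)
    hits = []
    for attrs in finder.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if is_hidden(attrs) or host not in ALLOWED_IFRAME_HOSTS:
            hits.append({"src": src, "hidden": is_hidden(attrs)})
    return hits


def scan_ads(records):
    """records: iterable of (ad_id, html). Returns {ad_id: hits} for tampered ads only."""
    return {ad_id: h for ad_id, html in records if (h := suspicious_iframes(html))}


# Constructed sample rows: 101 is clean, 102 and 103 carry injected frames.
SAMPLE_ADS = [
    (101, '<a href="https://advertiser.invalid"><img src="banner.gif"></a>'),
    (102, '<img src="b2.gif"><iframe src="http://bad.invalid/x.php" width="0" height="0"></iframe>'),
    (103, '<iframe src="https://ads.example-adserver.invalid/f" width="300" height="250"></iframe>'
          '<iframe src="http://other.invalid/" style="display: none"></iframe>'),
]
```

Running `scan_ads` over the real ad table after an upgrade, and again on a schedule, turns the "every ad call had an iframe under it" discovery into a routine check rather than a morning surprise.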
