I just installed iMesh and Kazza Lite on my winXp and noticed a whole LOT of spyware installed, like - "ad delivery by nCase", "bargain buddy", "WinNet.exe", etc.

Does anyone know of a good tool which could remove all of these?

Also my system shuts down after a while due to "illegal termination of RPC". Though I saw that a patch for it is available on MS's site, it can be installed only on WinXP SP1, so I am downloading SP1 right now :rolleyes:

I am furious at the moment. I hate kazza and all these f***ed up tools now. :(
Posted on 2003-08-12 15:10:30 by clippy
Posted on 2003-08-12 15:56:51 by Hiroshimator
Specifically for KaZaA, there's a not-very-legal distrib of it called "KaZaA Lite", google a bit and you should find it.
However, if you are already infected by spyware, sometimes uninstalling isn't enough... There are several programs to remove spyware, right now Ad-Aware and Optout come to my mind. The first is the best, and if I'm not wrong Gibson's Optout was the first.
Also, sometimes these spyware programs have an uninstall feature (only because some laws finally forced them to include it). Check in Control Panel -> Add and Remove Programs, and see if there's any software you don't recall having installed ;)
Posted on 2003-08-12 16:02:12 by QvasiModo

Also my system shuts down after a while due to "illegal termination of RPC". Though I saw that a patch for it is available on MS's site, it can be installed only on WinXP SP1, so I am downloading SP1 right now :rolleyes:

Sounds like the last virus/worm ("RPC worm", uses security bug "MS03-026 DCOM/RPC") too. Its aliases: Lovsan, MSBlast, Poza, Blaster, W32/Msblast, Lovesun
Here's a link (in Swedish though): http://www.fsecure.se/virus/virusinfo.asp?Namn=Lovsan
It struck pretty hard this morning; I had big inet problems last night (maybe due to this :/). My ISP had IIRC 40 servers knocked out for a while.
Posted on 2003-08-12 16:22:35 by scientica
I hate that f***ing worm... I run a reasonably secure machine, and it still infected me. Now my RPC service keeps crashing, and that has the side effect of killing DDE so that drag'n'drop doesn't work anymore. Last night I had worked out what was happening on my machine, but I hadn't worked out *why* it was happening, until I started to see press reports at work today. This is the first time in years that I have been infected, and I have already spent hours diagnosing the problem; I dunno how long it is going to take to clean it out.
Posted on 2003-08-13 00:19:08 by sluggy
Yeah, I guess it's a good thing that worm DID pop up, as the vulnerability was discovered not too long ago and is well documented. As a matter of fact, I downloaded the proof of concept and was able to take over a test machine remotely! Complete control. Sure, there was a patch released and it's been out for a month I think, but clearly it wasn't loud enough, as so many never updated! I mean it wasn't even announced on any major site that I know of... At least now everyone and their dog will update and prevent any serious damage. (Yeah, I know the worm opens you up, but it's so loud that everyone will know and the damage is undone.)
Posted on 2003-08-13 01:54:55 by FearHQ
No offense, but why on earth are you on the internet without a decent firewall? (Especially with broadband connections.) That's just asking for certain problems :/
Posted on 2003-08-13 02:10:39 by Hiroshimator
The patch for the leak the virus exploits was already available on July 16th :rolleyes:. Just run windowsupdate.com at least weekly or so and you'll be a lot safer. And some kind of firewall would be nice (even a simple router would do the trick in this case).

Thomas
Posted on 2003-08-13 05:40:54 by Thomas
Maybe it's me, but I never run against Win Update, esp. not now, and even more never after the 15th (esp. not the 16th). The virus is set to deliver DoS to those servers; feels a little bit like "get the latest security upgrade from Virii Inc. servers" :/

Perhaps it's best to use a sandbox (or what they call it), let that take the hit...
Posted on 2003-08-13 07:37:10 by scientica
Just run windowsupdate.com at least weekly or so and you'll be a lot safer. And some kind of firewall would be nice (even a simple router would do the trick in this case).
You are a very trusting person... I like to know what MS is installing on my machine, which is why I have auto updating turned off. And a firewall was not necessarily going to stop this one, as it targets a legitimate port that is always open by default, and virtually no users ever close it. IMO, MS should be slapped around for this, because they did release a patch but they never publicised it enough; I think they simply did not take it very seriously.
Posted on 2003-08-13 08:05:52 by sluggy
Originally posted by sluggy
You are a very trusting person... I like to know what MS is installing on my machine, which is why I have auto updating turned off. And a firewall was not necessarily going to stop this one, as it targets a legitimate port that is always open by default, and virtually no users ever close it. IMO, MS should be slapped around for this, because they did release a patch but they never publicised it enough; I think they simply did not take it very seriously.

I have auto update switched off too, but when you use windowsupdate.com you can see and choose exactly what you're installing, so I don't see a problem there. About Microsoft not publishing enough: it has created autoupdate because too many people just don't install patches.. So they do try.. But if you switch it off, it's your own responsibility to update the system. Too many people have an 'if it isn't broken, don't fix it' attitude and then blame Microsoft when some virus hits their outdated systems.

Thomas
Posted on 2003-08-13 08:15:20 by Thomas
Originally posted by scientica
Maybe it's me, but I never run against Win Update, esp. not now, and even more never after the 15th (esp. not the 16th). The virus is set to deliver DoS to those servers; feels a little bit like "get the latest security upgrade from Virii Inc. servers" :/

A DoS attack simply puts the servers down but doesn't install virii or something.. At least this virus doesn't.

Thomas
Posted on 2003-08-13 08:18:11 by Thomas
You have to configure your firewall to stop ports. With a decent firewall I don't mean the 'Zone Alarm' type of things :) (although even these can be set up better, I think).

Also if you don't trust the updates coming from MS, frankly you're running the wrong OS :) either you'll never be able to upgrade from win95 or so or MS will cram what they want down your throat anyway. That's the deal with MS OSes, you take the whole unknown package and live with it :/

Or to put it differently (and more clearly): there are no legitimate ports, only those which you decide to open versus those you decide to close. (Default DROP policies are usually best.)
Posted on 2003-08-13 08:19:56 by Hiroshimator

MS should be slapped around for this, because they did release a patch but they never publicised it enough


The only time I back up M$ :)

But I have been reading about this for about a month now. I can't remember where I saw it, but it was a huge deal because of the '2003 being the most secure' and evidently this was a bug in that one also.
Posted on 2003-08-13 12:14:42 by gorshing

but they never publicised it enough

Say what? When the RPC overflow was found, it was announced at every major and minor news site rather quickly. Even slow retarded local sites seemed to have at least a vague idea that "this is big". Mind you, this was way before any script-kiddie tools were around.


i run a reasonably secure machine, and it still infected me.

If you have port 135 open across the internet, your machine is nowhere near "reasonably secure". Basically, you need to block off all ports by default, and explicitly allow the necessary ports.


Maybe it's me but, I never run against win update, esp not now, and even more never after the 15th (esp not the 16th). The virus is set to deliver DoS to those servers, feels a little bit like, get the latest security uppgrade from virii inc. servers :/

Then you'd better not boot your machine, or perhaps you should install some other operating system. And perhaps you should get an idea of what DoS'ing means.


which is why i have auto updating turned off

Auto-update off and not regularly checking windowsupdate. It's this moronic mentality that makes these worms possible in the first place.


And a firewall was not necessarily going to stop this one,

Yes it would. "Legitimate port" - on a LAN, yes. Across the internet - no. Windows SMB filesharing is legitimate, too, but I sure as hell am not exposing my shares across the net.

Yep, there's a buffer overflow exploit that works on all NT versions. Yes, this is bad. However, it has been fixed long ago, there has been plenty of publicity on this, and you can't really blame Microsoft for retarded users that won't run windowsupdate.
Posted on 2003-08-13 12:53:16 by f0dder
DoS today, tomorrow, who knows? When will someone modify this worm into something nastier?
Posted on 2003-08-13 13:06:19 by scientica
Do you think microsoft has the RPC port open to the internet?
Do you think they haven't patched their own machines?
Posted on 2003-08-13 13:10:54 by f0dder

Do you think microsoft has the RPC port open to the internet?
Do you think they haven't patched their own machines?

Honestly, neither would surprise me in the least, nor if they were using *nix/Linux software/OS...
Posted on 2003-08-13 14:06:32 by scientica

DoS today, tomorrow, who knows? When will someone modify this worm into something nastier?


Which is why I said I'm glad this worm was released ;) Too many didn't update as they had a "not broken, don't fix it" attitude as Thomas said. The worm installed a remote shell on port 4444 too, so not only a DoS :)

What baffles me is if the person wanted the vuln fixed, then why DoS windows update? Doesn't that make it harder to fix? Why not DoS some other ms server like msn.com?
Posted on 2003-08-13 14:50:11 by FearHQ
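The default-deny advice above (f0dder: block all ports by default and explicitly allow what is needed; Hiroshimator: there are no "legitimate" ports, only ones you open) and FearHQ's note that the worm also opens a remote shell on port 4444, put into code. This is an added example, not code from anyone in the thread: a small inbound-policy model plus a check over constructed firewall log lines that flags external sources touching TCP/135 (the MS03-026 RPC/DCOM port) or 4444. The LAN subnet, the allow lists and the log format are assumptions for the example.

```python
# Added example (not from the thread): default-deny inbound policy model and a
# check over constructed firewall log lines. Encodes the thread's advice (drop
# everything inbound unless explicitly allowed; never expose TCP/135 to the
# internet) and flags external sources touching the ports the thread names:
# 135 (RPC/DCOM, MS03-026) and 4444 (the worm's remote shell). Assumed values below.
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed local subnet
ALLOWED_FROM_ANY = {80, 443}                    # assumed: services deliberately exposed
ALLOWED_FROM_LAN = {135, 139, 445}              # RPC/SMB reachable only from the LAN
WATCH_PORTS = {135: "RPC/DCOM (MS03-026)", 4444: "worm remote shell"}

def policy(src_ip, dport):
    """ACCEPT or DROP for an inbound TCP connection under a default-deny policy."""
    src = ipaddress.ip_address(src_ip)
    if dport in ALLOWED_FROM_ANY or (src in LAN and dport in ALLOWED_FROM_LAN):
        return "ACCEPT"
    return "DROP"  # the default: nothing else is a "legitimate port" from outside

def parse_line(line):
    """Parse a constructed line: '<time> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>'."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["SRC"], int(fields["DPT"])

def review(lines):
    """Return (decision per line, {external src: [watched services touched]})."""
    decisions, seen = [], defaultdict(list)
    for line in lines:
        src, dport = parse_line(line)
        decisions.append(policy(src, dport))
        if dport in WATCH_PORTS and ipaddress.ip_address(src) not in LAN:
            seen[src].append(WATCH_PORTS[dport])
    return decisions, dict(seen)

SAMPLE_LOG = [  # constructed lines, not real traffic
    "12:01:03 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=135",
    "12:01:04 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=4444",
    "12:01:09 SRC=192.168.1.22 DST=192.168.1.10 PROTO=TCP DPT=135",
    "12:01:15 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    decisions, alerts = review(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, decisions):
        print(verdict, line)
    for src, services in alerts.items():
        print("ALERT", src, "touched:", ", ".join(services))
```

The LAN host hitting 135 is accepted while the same port from the internet is dropped, which is the distinction sluggy's "legitimate port" argument misses; the external source that probes 135 and then 4444 is the pattern worth alerting on.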
To make sure he reaches the greatest audience possible? So they'd all feel what it's like to forgo security updates? :confused:
Posted on 2003-08-13 15:01:39 by Hiroshimator