Weird copy/paste situation - virus?
~BD~
A friend has contacted me and said "Whenever I try to copy paste something
my clipboard always contains this:
hxxp://xp-vista-update.net/?id=71030000330. When I copy paste very fast
(less than a second) then I sometimes end up copy pasting what I want, so
it's probably some malware.."
Has anyone any information which might help?
TIA
Dave
--
Casual Observer
"~BD~" <~BD~@nospam.invalid> wrote in message news:e$kTk7QAJ...@TK2MSFTNGP02.phx.gbl...
![PA Bear [MS MVP]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjXsf05hH-R8XChS3fXPPzfoO8FYYxAKhT86KfPnIELr3QJ9tQ=s40-c)
PA Bear [MS MVP]
http://msmvps.com/blogs/spywaresucks/archive/2008/08/09/1644062.aspx
The Clipboard hijacks continue....
http://msmvps.com/blogs/spywaresucks/archive/2008/08/18/1644914.aspx
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
~BD~
"Casual Observer" <what...@xyzabc.com> wrote in message
news:uW3CqtSA...@TK2MSFTNGP05.phx.gbl...
TIA
Dave
--
Hi.
Interesting article. Thank you for posting the link! :)
I'll watch out for developments.
Dave
--
~BD~
"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message
news:%23u0L2hT...@TK2MSFTNGP05.phx.gbl...
Hi :)
I reviewed the information at each of the links you kindly provided. This is
the first time that I've met the expression 'Malvertizements'!
I was led here:-
"Even computer security pros vulnerable to scams" on Yahoo News.
http://news.yahoo.com/s/ap/20080807/ap_on_hi_te/tec_friends_list_tomfoolery;_ylt=Attn6Nf8feN40Bt9uRqWSNYjtBAF
"A relatively simple ruse persuaded dozens of prominent security analysts to
connect on their social networking Web pages with people who weren't friends
at all. They were fake profiles, purportedly of other well-known security
pros. The scam was designed to expose the trust that even some of the most
skeptical Internet users display on some of the most insecure sites on the
Web."
Things really have changed over the last few years! I really did trust folk
............. once-upon-a-time!
Dave
--
~BD~
> I'll watch out for developments.
>
> Dave
> --
>
>
>
'Malvertizement' epidemic visits house of Newsweek.com
See: http://www.theregister.co.uk/2008/08/18/malvertizing_epidemic/
Quote:
"Newsweek.com is one of several high-profile websites suspected of running
rogue banner advertisements that try to trick visitors into installing
fraudulent anti-malware programs, security researchers warn.
The malicious ads have been appearing on Newsweek's website via feeds that
carry the Washingtonpost.com address, according to this post on the Bluetack
Internet Security Solutions site. The ads redirect users to a site that
falsely claims users' PCs are infected with malware and urges them to buy
and install software that will remedy the problem. The banner graphic posed
as an ad for www.easy-forex.com, which bills itself as an online foreign
currency exchange".
Dave
--
kalyan
This attack call HTTP Fake Scan Webpage
Download the scanner & remove the Malware
http://www.4shared.com/file/15436123/9ccf9359/roguefix_216.html
"~BD~" <~BD~@nospam.invalid> wrote in message
news:e$kTk7QAJ...@TK2MSFTNGP02.phx.gbl...
~BD~
Crikey!! Do you realise that I almost mistook you for 'Kayman', a well-respected helper on these
newsgroups!
However, I copied and pasted your link into my AOL browser ........ and Google Chrome too!
I noted that there have been 4 - yes, just four - downloads of this programme. Hmmmm!
So now I'm left wondering ........ should I recommend it to my friend?
Anyone else here ever tried it (or willing to experiment? <wink>)
Dave
--
"kalyan" <reach2...@live.com> wrote in message news:eduhKPzD...@TK2MSFTNGP04.phx.gbl...
David H. Lipman
| Hello Kalyan
| Crikey!! Do you realise that I almost mistook you for 'Kayman', a well-respected helper
| on these
| newsgroups!
| However, I copied and pasted your link into my AOL browser ........ and Google Chrome
| too!
| I noted that there have been 4 - yes, just four - downloads of this programme. Hmmmm!
| So now I'm left wondering ........ should I recommend it to my friend?
| Anyone else here ever tried it (or willing to experiment? <wink>)
| Dave
That's because it is an illegitamate copy of Stuart Saunder's RogueFix which is currently
at v2.195 (8/3/08)
http://www.internetinspiration.co.uk/roguefix.htm
It is what PCBUTTS1 plagiarized to become Remove-IT.
Always get the file from the source or a source vetted as a mirror site. NEVER form other
locations.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Gray B.
has helpful info.
On Sep 5, 3:00Â pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "~BD~" <BoaterD...@nospam.invalid>
~BD~
"Gray B." <gbi...@gmail.com> wrote in message
news:3e8d0ab4-5157-4b2f...@d1g2000hsg.googlegroups.com...
http://clipboardextender.com/
has helpful info.
<snip>
Hi Gary - many thanks for that lead. Lots of items of interest! :)
Dave
~BD~
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:O1e7$H5DJH...@TK2MSFTNGP06.phx.gbl...
In no way do I doubt what you say but, for any 'newbies' reading this, how can one be certain that
internetinspiration.co.uk is a/the bonio-fido source?
You mention a Stuart Saunder - but I've so far failed to spot that name on the site; perhaps I've
simply missed it!
You say that the OP posted an illegitimate link here and that Pcbutts1 has stolen RogueFix and
re-invented it. That is (probably <wink>) true, but it's only your say-so, isn't it? What is needed
is some global body with responsibility to check all web sites where 'help and advice' is being
offered to the public at large. Expensive? Of course. Maybe a project for
http://www.gatesfoundation.org/default.htm
Dave
David H. Lipman
| I somehow missed this post of yours Dave - my apologies for not responding earlier.
| In no way do I doubt what you say but, for any 'newbies' reading this, how can one be
| certain that
| internetinspiration.co.uk is a/the bonio-fido source?
| You mention a Stuart Saunder - but I've so far failed to spot that name on the site;
| perhaps I've
| simply missed it!
| You say that the OP posted an illegitimate link here and that Pcbutts1 has stolen
| RogueFix and
| re-invented it. That is (probably <wink>) true, but it's only your say-so, isn't it?
| What is needed
| is some global body with responsibility to check all web sites where 'help and advice'
| is being
| offered to the public at large. Expensive? Of course. Maybe a project for
| http://www.gatesfoundation.org/default.htm
| Dave
Look BoaterDave you are just plain clueless and you don't take the time for investigating
things for your self.
If you did your homework you could easily find out who the Registrant of
www.internetinspiration.co.uk is
and if you continued that work you would easily determine the email of the Registrant.
This takes some knowledge that lack and so you question things. Well here's a hint on the
idea how to do some investigation. I'll start with YOU..
NNTP-Posting-Host: 92.22.178.225
% Information related to '92.16.0.0 - 92.23.255.255'
inetnum: 92.16.0.0 - 92.23.255.255
netname: CPWBBSERV-NET
descr: Carphone Warehouse Broadband Services
country: GB
admin-c: GJB18-RIPE
admin-c: PM58-RIPE
tech-c: GJB18-RIPE
tech-c: PM58-RIPE
status: ASSIGNED PA
mnt-by: OPAL-MNT
source: RIPE # Filtered
person: Gareth J Bowen
address: Opal Telecommunications Plc
address: Northbank Industrial Estate
address: Irlam
address: Manchester
address: United Kingdom
address: UK
phone: +44 161 2222000
fax-no: +44 161 2222003
e-mail: gbo...@opaltelecom.co.uk
nic-hdl: GJB18-RIPE
mnt-by: OPAL-MNT
source: RIPE # Filtered
person: Phill Magill
address: Opal Telecommunications Plc
address: Northbank Industrial Estate
address: Irlam
address: Manchester
address: M44 5BL
address: United Kingdom
phone: +44 161 222-2000
fax-no: +44 161 222-2008
e-mail: pma...@opaltelecom.co.uk
nic-hdl: PM58-RIPE
mnt-by: OPAL-MNT
source: RIPE # Filtered
% Information related to '92.0.0.0/11AS13285'
route: 92.0.0.0/11
descr: Carphone Warehouse Broadband Services Autonomous System
origin: AS13285
mnt-by: OPAL-MNT
source: RIPE # Filtered
% Information related to '92.20.0.0/14AS43234'
route: 92.20.0.0/14
descr: CPW-BS-Subscribers-LOH-2
origin: AS43234
mnt-by: OPAL-MNT
source: RIPE # Filtered
Using the same investigational concept one can determine WHOIS information on
www.internetinspiration.co.uk
As for the theft of RogueFix. Well in the anti malware community this was HIGHLY
documented. I am just one of group of individuals who have investigated this plagiarism
from the start. The fact is I first posted a URL of RogueFix in a.c.v Butts read my post
and found the RougeFix BAT and at that point all of a sudden was posting SuperFix on his
web site around 9/'06 and it was RogueFix's code. By Jan '07 it was renamed and branded
as SpyErase and was using an Inno Setup package. By March '07 it was again re-branded as
Remove-It. While this was going on Butts was password protecting the installer. You
couldn't install it w/o a password. The anti malware community, from the POV of different
countries, played with Butts and obtained several passwords. For example ...
A british investagator got Butts to give him a password arounf 11/19/06 which was ...
IdFqmTh~:_/AjyD!>-O^%Om.?m]Cg+0kItz4jZ?"YHc`s;ujS4>lu<_
Another investigator from Belgium arount 11/27/06
I't$>:xn&5(5CW}6sju^8~W3Fw[@)%wM>BT=\n-I_u= 2^!R/"g}b7|
By Ja 7, 07 the password for SpyErase was
}z+q9%}@ne1h)SE=\Q+]em.a4>L0<t&Tv[^SSFpmkoiq0R~3<s+*ar5
I could go on and on...
The anti malware community has highly documented the plagiarism of RogueFix to what is now
Remove-It.
In fact in January '07 the anti malware community joined with Stuart Saunders and the
community create a false code marker and inserted it in RogueFix.
By Jan 13, '07 Butts posted...
"Anybody want to test a modification to Spyerase that I just put together.
There is a strange issue I am trying to fix that I think may be machine
specific so I need someone to test it for me. The glitch will not harm your
system. Email me, Trolls need not apply."
By Jan 15' 07
Butts posted...
"New Spyerase version 10, it's fast and free. It now has over 1700 signatures
to remove All variants of Virusburst, Spy sheriff and others. New Feature, Spyerase
will now update your hosts file. This tool is designed to Specifically remove all
variants.
Scan time is about 2 minutes. Designed for Windows 2000/XP only. Password is still
required.
First read this page http://www.pcbutts1.com/downloads then download
Spyerase from here http://www.pcbutts1.com/downloads/spyerasesetup.zip"
The password was...
H/G/^u5`f` YNb.4&MJZXS1w5 -kkpsxk47b\CdkB<-u]~U>to'naA4
And the false code marker was found in SpyErase.
So to answer...
"but it's only your say-so, isn't it?"
No, there is a whole community who has documented this !
~BD~
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> From: "~BD~" <Boate...@nospam.invalid>
>
<snip>
I *really* appreciate your comprehensive reply, Dave. Thank you.
What surprised me about all the information you posted was that there was absolutely no mention of
AOL, supposedly my ISP. No doubt the explanation is really simple. I any reader can help explain,
I'd be most grateful.
I wonder, too, if you could explain this term to me: ' IP PTR:IP does not resolve to a hostname '
I am trying to learn. I'm not totally clueless! <smile>
Please take a look here: http://www.malwarebytes.org/forums/index.php?showtopic=5656&st=0
Thanks in anticipation of further help.
Dave
Heather
"~BD~" <Boate...@nospam.invalid> wrote in message
news:%23FErgyM...@TK2MSFTNGP03.phx.gbl...
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:OdDiMaMF...@TK2MSFTNGP05.phx.gbl...
>> From: "~BD~" <Boate...@nospam.invalid>
>>
> <snip>
>
>
>
stand for *brain dead*??
I for one do not have the patience for your stupid enquiries, which have
not improved one iota in the past year!! Who gives a damn about your 2
different IP numbers. They are easily explained and understood by the
rest of the ng.
You are so frickin' annoying with your moronic queries!!
HF
~BD~
"Heather" <fig...@nospam.invalid> wrote in message news:uP0DBUQF...@TK2MSFTNGP05.phx.gbl...
Before I respond ............ a question.
Are you Dustin's friend, Heather?
--
David H. Lipman
| --
I am sure that Figgs knows Dustin but I don't think she is a "friend" of his.
PA Bear [MS MVP]
switching...or having to switch? <w>
David H. Lipman wrote:
<snip>
<snip>
Tom [Pepper] Willett
"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message
news:OG6YUCRF...@TK2MSFTNGP04.phx.gbl...
: That must be BD's fifth or sixth ISP in as many years. Wonder why he
:
David H. Lipman
| <snip>
| Dave
To continue what I wrote...
I assisted Stuart Saunders with dealing with the plagiarism of Stuart's RogueFix and he
filed a complaint based upon the Digital Millenium Copyright Act (DMCA) with the host
provider of PCBUTTS1.Com. After several attempts the host provider considered the
violation valid and Butts was forced to take SpyErase off his web site. Since he is a
consistent liar, he came up with a stupid and lame excuse for no longer hosting it. He
posted he sold the SpyErase technology to an unidentified entity. Since it was nothing
more than a batch file, there is nothing that could have been sold and we in the anti
malware community knew the truth that he was forced to remove SpyErase or have his
PCBUTTS1.Com site shutdown. This is all documented with the orginal DMCA Takedown
Notification sent to the hosting comapny and their subsequent reply.
At this point, Butts knowing I assisted Stuart commited fraud. I had a relationship with
Ian Kenefick and his web site IK-CS.Com. I provided content for his site in the realm of
malware and allowed Ian to host my Multi AV Scanning Tool and other tools, of orginal
creation, on his web site. Butts used a Sock Puppet, Gregory Taylor, and sent a
fraudulent DMCA notification to Ian's hosting company that provided IK-CS.Com, IpoweredWeb
The contents of teh fraudulent DMCA Takedown Notification...
--------------
1. The Multi-AV, WinfixerFix, and Smithfraud tool hosted on the site listed
below is infringing upon my copyrighted material. All three programs have
been written by me and hosted without my permission.
http://www.ik-cs.com/v2/got-a-virus.htm
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
2.All three programs listed above use a utility called WGET.exe which
belongs to me. I am the author of that program and the website has No
permission to use it. References to my wget program can be found here.
http://www.ik-cs.com/v2/multi-av.htm
http://www.ik-cs.com/v2/winfixerfix.htm
http://www.ik-cs.com/v2/smitfraud.htm
3. The hard copy of my copyright and trademark is stored at my location in
California.
4.I can be reached at the following email address trg...@gmail.com
5. I have a good faith belief that use of the copyrighted materials
described above on the infringing web pages is not authorized by my
registered copyright and by the law. I swear, under penalty of perjury, that
the information in the notification is accurate and that I am the copyright
owner of an exclusive right that is infringed.
Gregory Taylor
President and CEO
GT tools inc
--------------
Now, there are two important facts. The first is the Multi AV Scanning Tool is an
original tool created by me and was based upon previous works where the front-end of 4
anti virus scanners started as individual scanners for McAfee and Trend Micro.
Subsequently I combined the two with kaspersky and Sophos to make the Multi AV Scanning
Tool. They were NOT created in a vacuum. I collaborated with several individuals who
worked with me from the start. They include Art Kopp (A.C.V and A.C.A-V), BigBruva
(M.P.S.V) and NTDOC of the KiXtart Forums to name a few. Therefore I have irrefutable
proof of the sole creation of the Multi AV Scanning tool and the predeccsor utilities that
led me to create it.
Secondly is the following which was used... "...use a utility called WGET.exe which
belongs to me."
The WGET utility is provided as free software
http://gnuwin32.sourceforge.net/packages/wget.htm
It is licensed as free sofware through the GNU GENERAL PUBLIC LICENSE and the Free
Software Foundation, Inc.
It states...
"GNU Wget is free software; you can redistribute it and/or modify it under the terms of
the GNU General Public License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version..."
Since I first started writing my anti malware utiliies using the KiXtart scripting
language, I have included the GNU WGET utility.
By using a Sock Puppet, Butts committed "fraud" under the US Penal code.
By using the text in the DMCA Takedown Notification (under statute)... "All three programs
listed above use a utility called WGET.exe which
belongs to me. I am the author of that program and the website has No permission to use
it", Butts committed Perjury under the US Penal Code.
Even if you make a claim against the KiXtart programming, stating WGET needs permission to
redistribute should have invalidated the fraudulent claim. However, Ian Kenefick is not a
US citizen. He is a citezen of Ireland and they failed to comply with a valid, and legal
(by statute), "Counter Notification and the web site IK-CS.Com was permantly shutdown.
There is/was no "Gregory Taylor" and there is/was no "GT tools inc". No address was
provided and trg...@gmail.com is a free GMail acoount with no vetting as to its source.
This too should have invalidated the claim but, the lawyer for the hosting company,
IPoweredWeb, ignored these facts.
To get back to SpyErase...
Butts did remove SpyErase from his website. However, Butts the re-packaged SpyErase as
Remove-It and was still password protected.
The antti malware community continued to obtain the passwords for each iteration and it
was immediately evident that SuperFix, SpyErase and Remove-It were all the same. All
plagiarized code from Stuart Sauder's RogueFix.
Later, butts modified Remove-It by extracting Registry modifications from the batch file
and creating .REG files and he then made it available without a password. This is how it
is hosted Today.
On the same page as Remove-It, http://pcbutts1.com/downloads/tools/tools.htm , is "What's
Live Running Now". This is a VBS script. It is in fact a plagiarized version of "Silent
Runners" by; Andrew Aronoff -- http://www.silentrunners.org/
I could go on and on with other examples of Butts plagiarism such as Robert A. Cooper's
NailFix, a script created by MS MVP Kelly Theriot and MS MVP Noahdfear.
Heather
who ask stupid questions and then keep bugging you guys (aka MVP's) to
drop what you are doing and answer him.
Hi Pooh Bear......how's the boa??
"Tom [Pepper] Willett" <t...@youreadaisyifyoudo.com> wrote in message
news:%23bFxxUR...@TK2MSFTNGP03.phx.gbl...
Heather
"~BD~" <Boate...@nospam.invalid> wrote in message
~BD~
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> From: "~BD~" <Boate...@nospam.invalid>
<snip
I *really, really* appreciate your second comprehensive reply, Dave. Thank you. <smile>
> | What surprised me about all the information you posted was that there was absolutely no
> | mention of
> | AOL, supposedly my ISP. No doubt the explanation is really simple. I any reader can
> | help explain,
> | I'd be most grateful.
I've now discovered that Carphone Warehouse has purchased AOL UK !!!!!
I knew there would be a simple explanation. ;)
> | I wonder, too, if you could explain this term to me: ' IP PTR:IP does not resolve to a
> | hostname '
<snip>
No advice forthcoming! I know it's a reverse DNS
.......... - but is it significant if there is no host name?
------------------------------------------------------------------
I can't help thinking that you should have all of this information posted on a web site - yes, your
very own David H Lipman site. You could then simply direct enquiring folk to it and also host your
various tools there too. It doesn't cost very much nowadays. I note that you are still at work so
I'm sure you could afford it! ;)
Dave
~BD~
"Heather" <fig...@nospam.invalid> wrote in message news:uyR6CvRF...@TK2MSFTNGP05.phx.gbl...
I have a feeling that Dustin once mentioned a friend called Heather (in a newsgroup thread) and was
quite forceful in suggesting that I didn't post anything to upset her. As he is my cyber-friend, I
wouldn't want to go against his wishes.
HTH
Dave
~BD~
> to switch? <w>
You are not often wrong Robear, but you are this time!
Ten years ago I subscribed to Freeserve. Freeserve were bought by Wanadoo.Wanadoo was bought by
Orange. I remained with them throughout the changes.
After the theft of my identity in 2005, I elected to take advantage of a Broadband package being
offered by AOL which included a Netgear router to enable wireless connection. I joined in early 2006
and I have been with AOL ever since (albeit that shortly after I became a subscriber, AOL UK was
hived off by parent group Time Warner )
Although still trading as AOL UK, the company has been bought by Carphone Warehouse and is the third
largest ISP in the UK.
So, that's really just *TWO* ISP's in ten years.
Earlier this year I took advantage of the newly available 3G Mobile Broadband technology so that I
can use my laptop for Internet connection when I am cruising the British Waterays on my narrowboat.
This *additional* ISP is called 'Three'.
HTH - it's the truth! See
http://www.malwarebytes.org/forums/index.php?showtopic=5656&st=20&gopid=27599&#entry27599
Dave
PS Could you provide me with a copy of the long thread I started at Aumha regarding Annexcafe?
Maybe it's gone forever!
Heather
"~BD~" <Boate...@nospam.invalid> wrote in message
>
> "Heather" <fig...@nospam.invalid> wrote in message
> news:uyR6CvRF...@TK2MSFTNGP05.phx.gbl...
>>
>> "~BD~" <Boate...@nospam.invalid> wrote in message
>> news:%23tId44Q...@TK2MSFTNGP06.phx.gbl...
>>> Before I respond ............ a question.
>>>
>>> Are you Dustin's friend, Heather?
>>>
>> And what does that have to do with your response??
>>
>>
>
> I have a feeling that Dustin once mentioned a friend called Heather
> (in a newsgroup thread) and was quite forceful in suggesting that I
> didn't post anything to upset her. As he is my cyber-friend, I
> wouldn't want to go against his wishes.
>
Yes, I do believe I recall that. And yes, we have been friends for a
long time. From back when he *switched hats*, lol.
Heather
~BD~
"Heather" <fig...@nospam.invalid> wrote in message news:eLo0jBVF...@TK2MSFTNGP03.phx.gbl...
Thank you for confirming that, Heather.
Have a great weekend! <smile>
Dave
kalyan
This attack call HTTP Fake Scan Webpage
Download the scanner follow the instruction& remove the Malware
http://siri.geekstogo.com/SmitfraudFix.php
--
Warm Regards
Kalyan