EQTaylor
Cadet
 Premium Member
 Joined: Jul 12, 2006 Posts: 4 Location: USA
Posted: Wed Jul 12, 2006 3:30 pm Post subject: Malware/Trojan issue
Hi,
I've got several machines that have been getting hit on the weekends with downloader Trojans and the wmf exploit from myspace.com. All of my machines are patched and up to date. I'm not seeing any hits during the week, only on the weekends, almost like a switch is getting flipped on Friday night, and turned off Sunday evening.
While reviewing the hijack log of several machines, I came across an entry that I was hoping some of you guys might be able to provide me with more information about:
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.187/display/PopupSh.ocx
Over the weekend, I have several users who are getting hit with some variation of:
loader[1].exe
bl4ck.com
exp[1].wmf
while using myspace.com - The malware seems to be coming from IP range 209.190.x.x. (www.adoptium.com)
I'm running Symantec anti-virus 9 - and it is catching and quarantining the files, but I need to find out how this Popupsh.ocx is getting on the machines so I can block it. Anyone else seeing this?
I apologize for not providing more detailed log information - the company I work for is sensitive to publicity.
Thanks,
EQTaylor
peacepatrolers
Cadet

 Joined: Jul 16, 2006 Posts: 1 Location: USA
Posted: Sun Jul 16, 2006 11:12 pm Post subject: Exp Trojan on Myspace
I know exactly how I got this virus. My free AVG picked right up on it. I checked my computer info. Someone sent me a "Welcome to MySpace" email and that's where it came from. I will be reporting it and I hope he gets arrested. I only got on myspace to check out a family member's myspace who died in a fire in April. I want you to know that SpyBot S&D did NOT pick up on this and I am uninstalling it. It's nothing but a pain and really screws things up for me online for no reason. Kudos to AVG FREE. I got this virus at 4:07 this afternoon by the way. Peace2uAlwayz
EQTaylor
Cadet
 Premium Member
 Joined: Jul 12, 2006 Posts: 4 Location: USA
Posted: Wed Jul 19, 2006 2:43 pm Post subject:
Good information, thanks for the reply!
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17542
Posted: Fri Jul 21, 2006 5:21 pm Post subject:
Trojans are not viruses. Totally different. Spybot S&D doesn't do them. AVG does and it is an excellent product.
If the TeaTimer and registry protection provided by Spybot S&D are not working well for you, then turn them off. Use it as an on-demand anti-spyware scanner. If you want that kind of protection get Process Guard: http://www.diamondcs.com.au/
It also helps to get the latest security updates from Microsoft (usually available 2nd Tuesdays of each month). Malware promoters deliberately use the flaws published knowing that many people will not get the updates on time. Your loss if you don't update.
Remove this using HijackThis: O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.187/display/PopupSh.ocx
You can post logs too if you need help with the rest.
Best regards
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
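
An added example, not part of the original thread or any poster's code: a small parser that pulls the O16 - DPF lines (ActiveX controls registered under Downloaded Program Files) out of HijackThis logs from several machines and reports which hosts share a control whose codebase is fetched over plain HTTP from a bare IP address, as in the entry quoted above. The flagging heuristic, the host names and the second O16 entry are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# HijackThis O16 line layout: "O16 - DPF: {CLSID} (Name) - codebase URL".
# The "(Name)" part and the URL can be absent; only GUID-style ids are handled here.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>.*?)\))? -\s*(?P<url>\S*)$"
)

def parse_o16(log_text):
    """Return one dict (clsid, name, url) per O16 - DPF entry in a log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def is_suspicious(entry):
    """Heuristic (assumption): codebase served over plain HTTP from an IP literal."""
    parts = urlsplit(entry["url"])
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # host is a DNS name, or there is no URL at all
    return parts.scheme == "http"

def shared_suspicious(logs_by_host):
    """Map (CLSID, URL) of each flagged control to the sorted hosts that have it."""
    hits = defaultdict(set)
    for host, text in logs_by_host.items():
        for e in parse_o16(text):
            if is_suspicious(e):
                hits[(e["clsid"].upper(), e["url"])].add(host)
    return {key: sorted(hosts) for key, hosts in hits.items()}

# First entry is the one quoted in the thread; everything else is constructed.
PAGE_ENTRY = ("O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control)"
              " - http://206.222.17.187/display/PopupSh.ocx")
BENIGN = ("O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Control)"
          " - https://downloads.example.com/example.cab")
SAMPLE_LOGS = {
    "WS-01": "Running processes:\n" + PAGE_ENTRY + "\n" + BENIGN,
    "WS-02": BENIGN,
    "WS-03": PAGE_ENTRY,
}

if __name__ == "__main__":
    for (clsid, url), hosts in shared_suspicious(SAMPLE_LOGS).items():
        print(clsid, url, "->", ", ".join(hosts))
```

Comparing the flagged hosts with proxy or firewall logs for the same codebase URL helps narrow down when and from which page the control was first installed.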
EQTaylor
Cadet
 Premium Member
 Joined: Jul 12, 2006 Posts: 4 Location: USA