Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.