d1g3r4t1 d1g3r4t1

Scumware contained in some of the Logons

Scumware contained in some of the Logons

I came across some scumware, when unzipping one of the logons. I sent a message to wincustomize's IT people to advise same. THeir response was that I was stupid and didn't know what I was talking about. The exchange is appended:


Subject: Re: Fwd: scumware
To: "Stardock Support"

LMAO.......you use MS Security, there's a well know oxymoron. The scum installed WHILE I was downloading, and unzipping, the Logons. The scum is contained in one of the zipped files. I see that, instead of checking the problem, your IT people chastise people for reporting such things.

Xupiter does not work on a time delay, it runs at the next bootup/restart. As I have ActiveX controls disabled, it cannot install on my system. Additionally, it installs as an IE toolbar....NOT a standalone active desktop utility.

Seems you need to learn to read what people report........not assume that they are stupid and you are 'Holier Than Thou'.

Thanks for nothing



Stardock Support wrote:


Dear Sir,
None of the skin files contain executables, so it is not possible
that it came from our site. However, if you had recently been
surfing the next, you most likely ran into a web site that did not
protect themselves against Xupiter, which is spyware which will
download and install on your computer from an infected web site
usually on a time delay. We use all current MS internet securities
that safeguard us from such attacks.

Thank you,
Angie

On Wed, 15 Jan 2003 11:42:22 -0500, Stardock General Information
wrote:

>==================BEGIN FORWARDED MESSAGE==================
>>Return-path:
>>Received: from web12402.mail.yahoo.com ([216.136.173.129])
>> by stardock.com ([127.0.0.1])
>> with SMTP (MDaemon.PRO.v6.0.3.R)
>> for ; Wed, 15 Jan 2003 10:57:27 -0500
>>Message-ID:
>>Received: from [24.129.45.113] by web12402.mail.yahoo.com via HTTP; Wed, 15 Jan 2003 08:00:44 PST
>>Date: Wed, 15 Jan 2003 08:00:44 -0800 (PST)
>>From: Doyle
>>Subject: scumware
>>To: [email protected]
>>MIME-Version: 1.0
>>Content-Type: multipart/alternative; boundary="0-1469653529-1042646444=:7431"
>>X-MDRcpt-To: [email protected]
>>X-MDRemoteIP: 216.136.173.129
>>X-Return-Path: [email protected]
>>X-MDaemon-Deliver-To: [email protected]
>
>
>
>
>Last night, while downloading Logons, for Stardock's LogonStudio(TM), at least one of them installed scumware on my system. Specifically, an active
>desktop componant which was a large 'Search toolbar' style piece of scumware. Took me almost 2 hours to track this slime down, and turn it off (Registry,
>Run) I've yet to find the scumware so I can delete it. IF you bother to find and remove the file(s) containing this slime, I would greatly appreciate being
>advised on how to find and remove the scumware that installed on my system.
>
>Thank you, Doyle aka Citizen d1g3r4t1
46,535 views 221 replies
Reply #51 Top
It'll have to be in a while, though...it's 2.18AM, Friday here....
Reply #52 Top
He spelled 'comprehension' correctly, though....perhaps 'SKOOL' is a 'Yank thang'....
Reply #53 Top
Not a single file with the ZIP extension in that list...
Can you explain how you unzipped them or installed them, or what you did to them that would have activated a spyware?
Reply #54 Top
Well, you know - only when you're trying to be 'old skool' - ahem.

And - works for me Jafo - I'll just conviniently forget to mention that I've installed next to nothing on my notebook and my restore CDs are always right at an arm's length away. I don't want to be killed by an admin after all! Er, I mean... my notebook. That's it.


Powered by SkinBrowser!
Reply #55 Top
Jafo: I'll start looking at them. I'm running Linux at the moment, so I'm safe.
I'll let you know where I'm at before you start as well.
Reply #56 Top
All righty then!
Jafo, I hope you sleep well tonight, you deserve it after dealing with this.
Reply #57 Top
Patric...time to hit the hay....I need my 'beauty sleep' [never helps any]....

I'll still lay odds that these are all clean.
We know nothing about his 'history' and what other proggies he may or may not have been using or have installed....

A quick lesson in logic.

3 Professors on a train going from England to Scotland.
They cross the border and see a black sheep in a field.
The first Prof states...
"All sheep in Scotland are black."
Second prof corrects...
"At least one sheep in Scotland is black."
Third prof responds...
"At least one sheep in Scotland is black on at least one of its sides".

Determining 'fact' or 'cause' from limited 'observation' can really get you nowhere real fast...
Reply #58 Top
Jafo- "He spelled 'comprehension' correctly, though....perhaps 'SKOOL' is a 'Yank thang'...."

Yeah, he is being a "Yank" alright (and I don't mean that as being "American"

I was the "stupid one" that even bothered answering his email. I had assumed that a) since he didn't mention what files he was downloading and b) he never mentioned the name of this "scumware" that he was talking about the ever feared Xupiter.

I have to wonder: If this is really here. And millions of people download from here. Why is this the only report? Doesn't seem logical to me at all.

Of course, that might just be me and my 'Holier Than Thou' attitude again And I obviously started that whole disrespectful response with "Dear Sir". I guess instead of emailing "polite" responses like I did, I should just say: "Either give the name of the file downloaded and the name of the so called executable that you *claim* it installed, or go away!" Ok, I guess I said that, anyway

I love these "warnings" that can not be backed up with proof. Reminds me of all those email urban legends.

Bad mood...have not had coffee yet.... Hi!
Reply #59 Top
The spelling of SKOOL was on purpose. Is moronic irony not recognized these days?

I didn't start with the bad manners and sly accusations. I do, however, get that way when dealing with people who ASSume out of pig ignorance.

When asked for tech support, or someone tries to advise you of something, the correct response is to politely ASK if they've done this, this, and this. Ask questions regarding the incident. Gather as much information as possible. This is even more important if what they've advised seems cryptic to you. Do not assume they do not know what Xupiter is, do not have heavy security on their computer (A must with a broadband connection ), not have multiple decades of experience, haven't already run Spybot and Ad-aware, know where to find things in the registry. Don't start with, it can't have been from us, until AFTER you've checked your systems...especially when you're using Microsoft products with their 'screen door on a submarine' security. Above all, NEVER accuse someone of illegal activity, no matter how slyly put, unless you've got proof of same that would stand up in court. Or make yourself look dumb, by making comments about your own products, that are incorrect.
Reply #60 Top
OK, apologies then d1.

But I still don't understand how your Logitech Smartmove could have activated a spyware.
When running a LogonXP file, it's sent to LogonXP, which in turn uncompresses the file and moves it to the LogonXP directory. That's it. It doesn't execute any script or executable contained in the said archived LogonXP document. It's only when actually opening LogonXP and selecting the particular logon and applying it that it reads the INI file it contains. Even then, the INI file needs very particular expected variables and ignores anything that it doesn't understand. It is impossible to script the execution of a program in a LogonXP INI file.

More info is needed. As I asked previously, what did you do in particular, or what did Smartmove do to the LogonXP file? It seems very improbable that any LogonXP file could be infected.
Reply #61 Top
KarmaGirl

>I was the "stupid one" that even bothered answering his email. I >had assumed that a) since he didn't mention what files he was >downloading and b) he never mentioned the name of this "scumware" >that he was talking about the ever feared Xupiter.

Correct. You assumed.

>I have to wonder: If this is really here. And millions of people >download from here. Why is this the only report? Doesn't seem >logical to me at all.

1. Some of the files I downloaded had very few previous downloads.
2. Perhaps no one else made the connection between the scum and a download.
3. Perhaps they did, but didn't know where it came from.
4. Perhaps they didn't bother reporting it. (I've been quilty of this many times).
5. Perhaps they did report it and ran into the same attitudes.
6. Perhaps I'm wrong.

Better to be safe, than sorry, eh?
Reply #62 Top
Paxx. The "Smartmove" didn't activate it. It moved me to the offending button, when that window popped to the top of the stack. As I was clicking away, on another program, I was still clicking, thus pressing the "Yes"/"OK" whatever button and granting permission for it to install. This doesn't occur very often. Usually, when it does, I'm typing something and no harm is done. This one I file under "Stuff happens"


(I loathe programs that steal the focus)
Reply #63 Top
OK then, so where did that offending window come from? It's not possible to get any third party window coming up when executing a LogonXP file.

I really really think you got your scumware somewhere else.
Reply #64 Top
I think #6 is the most likely answer since *none* of us have been able to find this alleged file, and, even though this topic is at the top, *nobody* has jumped in to say that they experienced the same thing.

I would also like you to explain why you posted a "private" email publicly and bashed on the site, Stardock, and me without giving us a fair chance to even try to figure out what in heck you are accusing us of? That just lacks class no matter how you look at it.
Reply #65 Top
Erm. Nobody looks dumb except you. You said spyware was installed while installing a logonxp file. What is a logonxip file? A zip file. What does installing a logonxp file do? It unzips the contents of that file to a folder on your hard drive. Please tell me where the opportunity for installing scumware is in this?

If you had said:

'Hi, I think I may have accidentally double clicked on an executable contained in one of the zip files I downloaded from your website. You may want to check them to see if someone has included an executable. The ones I downloaded are/were : '

I would most probably not be sitting here typing this right now.

Angela's reponse to you was fine. She may have made some incorrect assumptions but under the circumstances they were perfectly justified and in most cases would probably have helped the complainant to track down the cause. There is a known spyware called xupiter which behaves in the same way you describe so the assumptions seem justified to me. The fact that it got on your computer immediately puts doubts on your security setup. However it's true that you can have all the security in the world but it's the person behind the keyboard that is the most risk.

It shows an lack of respect and common decency to post her response to you in a public forum in this way and to ridicule her for trying to help you. All of this could have been dealt with simply by replying to her (after all she was the one who responded to your request) and would have caused a lot less aggro.

Powered by SkinBrowser!
Reply #66 Top
Paxx.......again....the file popped up at the end of the unzipp....not when executing the logon file. Winzip, at least, pops up the 'Install Now?' window, if an exe is present, and/or opens the folder that the file was unzipped to.
Reply #68 Top
Pipowell - If an exe file is included in an archive, Winzip will pop up the 'Install Yes/No' window.

As, has been stated multiple times here, I did not know the exact file, and provided the info that I could. Instead of responding in a correct manner I got the usual brush off response.

Assumptions are NEVER justified. If I recall the witticism correctly, "Assumptions are the mother of all ......ups"

This thread has only been here a couple of hours.

My responses are a reaction to being belittled.

No security is airtight, and is only as good as the last update. Ask everyone who has been hit by the Yaho virus, in the last few days, WHILE running the latest versions of Norton and McCaffe (SP?) Anti-virus.

Reply #69 Top
I looked at them. Didn't see anything that shouldn't be there. Maybe I missed something- but I doubt it.

I am not "bashing" you. You brought this to the public forum. I am responding in the public forum.

Please answer the second part of my last response, and read PJPowell's response.

If you want to accuse a site/company of wrong doing, you should have the cold hard facts to prove it. You don't even know the name of the program installed or the file that it supposedly came from. You have provided *no* facts to substantiate your claims.
Reply #70 Top
Oh for the love of God d1g3r4t1, just shut up and go away What you are proposing is simply impossible. Not only that but your "story" has become the most elaborate collection of bull**** i have ever come across.
Here's what I propose as the most likely cause of your problem: You were surfing a porn/warez site in the background whilst mass unziping logons and got caught by a web-popup. Deal with it. >
Reply #71 Top
Karma, company communications are not Private.

I've read PJPowell's response, and responded as well.

Where have accused anyone of anything? My communication is advisory.

I've provided all data possible. The name of the program was "Search Toolbar". Prove that it did not come from one of these archives. If I were a programmer, I would be able to pull up the program, try to decompile the program and get more information, not to mention sending same to Spybot and Ad-aware for inclusion therein.

My attempt to advise of a problem where met with brush offs, belittling, and acqusations of illegal activity. All BEFORE anyone had even bothered to look into things.
Reply #72 Top
Raven, what occured is VERY possible. I do not engage in ware'z or porn. Point of logic. If I had, why would I come here?
Reply #73 Top
d1: problem is there is no ZPI file in the list you supplied earlier, therefore Winzip wouldn't touch them. All those LongonXP files would be handled by Longon XP, which does NOT open a "Install now?" window if it finds an exe.
Reply #74 Top
Point of logic?
1. What has Porn got to do with wincustomize
2. Why wouldnt warez users come here?

Oh stuff it, that's the last thing I say. Im not going to get wrapped up in some silly argument.
Reply #75 Top
d1g3r4t1 - "Where have accused anyone of anything?"

When you stated publicly "The scum installed WHILE I was downloading, and unzipping, the Logons. The scum is contained in one of the zipped files."

Forgetting what you wrote? That sounds like an accusation to me.

No ZIP files in the files that you stated you downloaded. No proof that the executable came from this site.

And, all you give as the name of the program is ""Search Toolbar", which the only program that I have found that is named that comes from: http://www.searchtoolbar.com/ which is a voluntary download and install.