Macromedia problem.

[kgun]

I have borken one of my rules and surfed the web as a web master. I have two additional user accouts. I have a valid lincense for Macromedia Dreamweaver Mx 2004.

Problem:

1. On the web master account, Dreamweaver, loads and shuts down.
2. When I look at the processes that are running (CTRL + ALT + Del), I notice a Macromedia License.exe file. I find two versions when I search the disk.
3. When I google: Macromedia License.exe I get the following hit:

license.exe on Spyware-Net

"Description of license.exe This is a component of Win Spy Software. .... Microsoft Outlook, Google Toolbar, Macromedia Flash, Microsoft DirectDraw Helper ...

Component Name: license.exe

Description of license.exe
This is a component of Win Spy Software. Win Spy Software is a commercially available keylogger that can be maliciously used to gather sensitive information. It can perform a number of monitoring functions without the user’s knowledge. Win Spy Software can record keystrokes, and take screenshots. The software can be remotely installed and can send email alerts based on predefined keywords. Win Spy Software can also monitor across a network of computers, hide folders, archive information, remotely stream a webcam, and record two-way chat conversations".

Related thread:
omegasearch...again...damnit [Archive] - Icrontic Forums

"make sure the "Up okay License.exe" is deleted, if not, do it manually in safe mode".


No Problem: On one of the user accounts. Looking at the processes on that account does not show any such file, so it is a spyware.

This is my first infection in a year. Thought many of them had given up.

Question:

Any other WPW member that has experience with this malware? Should I clean the registers, too?

[wige]

Whatever happened to the good old days of calling your keylogger iexplore? I guess too many people switched to Firefox...

Anyway, yes, clean the registers and also change your passwords for everything you have logged in to while using the affected program. Typically, you would want to change your passwords every 4-6 months, but in this case, now is a good time. Best recommendation is to change all your passwords, not just on your system but also web passwords - your webmail, online banking, etc.

As an additional note, many of the packages that deliver keyloggers can also install backdoors onto your system. If the attacker did their homework, self scans will likely not detect it. For the best results, use the external port scanner at GRC*|*Gibson Research Corporation Home Page** (Scroll down to Hot Spots, and select Shields Up, then the All Service Ports scan). This scan should reveal any open ports that are on your system if you have a direct connection to the internet. If you don't have a direct connection, use a port scanner on another computer to scan the affected PC. Most Linux distros have the scanner built in, and for Windows SuperScan3 from Foundstone Security is pretty good (version 4, not so much).

After cleaning and scanning, completely uninstall your antivirus and antispyware utilities and download fresh versions. Assume what you have now is compromised.

[kgun]

Seems like an excellent tool. Thank you.

All ports Ok.

This malware is fairly advanced. Even if I delete the file in scure mode, it returns every time I start Dreamweaver.

A little interesting even if it takes time.

I can use the other user account. May be I should reformat the computer. A time since I did that. When done the computer is as new again. It is soon 6 years old. Thought of buying a new a year ago. It is still good enough. 1 Gb memory, 2.7 GHz processor and 3 hardddisks of about 70 Gb. Good enough for my use, still.

Then I have to reinstall Windows XP 1.0 and then SP 2 with all the other upgrades. Does anybody know of a complete install of Windows XP Home edition? I have the license number.

Thank you very much so long.

[khurramali]

IMO: reinstalling is the best solution becase of the backdoor issues involved with malware and spyware infection.

good antivirus protection is also necessary but you also need anti malware and anti spyware progrems if your antivirus does not include them already.

SP2 is must, you can't connect to the internet without a firewall, get a router, hardware firewalls are the best.

you can also make your old computer useful by installing ASTARO security Gateway on it, free for home use. includes antivirus, firewall and email spam filtering etc.

if you want to save money on antivirus, use free edition of AVG, limited to home use.

then install Windows Defender and another program thanks to Google Spyware Doctor

[kgun]

Thank you Ali.

[wige]

Be aware that the more sophisticated spyware apps install rootkits which can survive a reinstall of the operating system. If the program is replicating after a reinstall of Dreamweaver, it is possible that such a rootkit is present. I believe the free version of Avast antivirus has a utility to scan for rootkits, and runs this scan by default after the initial installation.

[kgun]

But will it survive a complete disk reformatting? Hope for an answer before I start.

[kgun]

Is this a joke? See my post on Opera in this forum.

1. Surfing the web for Macromedia Licensing.exe


Macromedia - Dreamweaver Support Center : Updaters

2. Scroll down to:

English Windows Updater (20.1 MB)


3. Installing.

Macromedia Dreamweaver MX 2004 7.0.1 Updater.

4. Bottom of license agreement says:

OPERA BROWSER SOFTWARE END USER LICENSE AGREEMENT

IN THE EVENT OPERA BROWSER SOFTWARE IS PROVIDED IN OR ALONG WITH THE SOFTWARE DESCRIBED ABOVE, WITH RESPECT TO THE USE OF SUCH OPERA BROWSER SOFTWARE ONLY, THE FOLLOWING END USER LICENSE AGREEMENT SHALL GOVERN:

Opera Browser Information: LICENSE.TXT

===========================================

Copyright (C) Opera Software 1995-2003

IMPORTANT NOTE

The Software, as defined below, is protected by copyright, which are vested in Opera Software ASA/its suppliers.

Registration codes, as defined below, are protected by copyright, which is vested in Opera Software ASA.

The Software and Registration Codes may only be used in accordance with the terms and conditions set out in this document.

If you do not read and agree to be bound by the terms and conditions defined in this document, you are not permitted to keep or use the Software or Registration Codes in any way whatsoever and must destroy or return all copies of these items which are in your possession.

To make personalized advertising possible, users of the ad-sponsored software may provide ad-related profile information on strictly a voluntary basis. The Opera Software ASA privacy policy, found at Opera Privacy Statement governs the use of such profile information.

END USER LICENSE AGREEMENT

DEFINITIONS

The following definitions apply to the terms and conditions included in this Agreement.

Opera
means a Browser, developed by Opera Software ASA, for reading and writing files to and from a network and/or file system.

Software
means Opera, all program and information files and other documentation which are part of the Opera Software package, with the exception of the Registration Codes.

Registration Code
registers a paid version of the software. This disables the advertising banner in the Browser’s top right hand corner, and removes advertising content which has been cached.

Individual
means a particular person.

TERMS OF AGREEMENT

******************* Text deleted by me for brevity.

Privacy statement: Opera Software ASA strives to protect the security and privacy of the users of its products, and will strictly protect the security of the users personal information, within the confines of the Opera domain. The Opera Software ASA privacy statement found at Opera Privacy Statement, is incorporated in this Agreement by reference.

Any variation to the terms of this Agreement shall only be valid if made in writing by Opera Software ASA.

Any and all disputes arising out of the rights and obligations in this Agreement shall be submitted to ordinary court proceedings. You accept the Oslo City Court as legal venue under this Agreement.

This Agreement shall be governed by Norwegian law, and the stipulations set forth herein to be construed in accordance with same.

--- --- --- --- ---

Postal enquiries:

Opera Software ASA
Postboks 2648 St. Hanshaugen
NO-0131 OSLO
NORWAY

Office Hours: 9:00am - 4:00pm (+1 GMT) Monday - Friday
Phone: +47 24 16 40 00
Fax: +47 24 16 40 01

Please visit our Web site before you send us e-mail. We provide many services to our users that will help us respond to you faster than if we receive e-mail.

Web site:
Opera browser: Home page

Contact us:
Contact Opera Software


5. Installation.

Destination Folder.

This folder does not contain Dreamweaver MX 2004.

Browse to the correct folder at the same time as browsing to the same folder with MS Windows explorer.

Joke??

Funny story.

6. Launching the Opera Browser.

Heading:

Technology News: Business: Facebook 'Fad' Spreads to Corporate Campus - Opera.

Impossible to shut down page that is locked.

7. On other launches

A very curious menu on a new version of Oprea is available pop's up.

8. FF and IE.

Launches as usual.

[khurramali]

there you go, AVG Anti Rootkit.

it will tell you if a rootkit is installed, if not, then you can go ahead with the format.

remember to backup before formatting.

[kgun]

Excellent Ali. I am looking a little around since I will start developing XML powered sites. Now I am looking at:

Stylus Studio® 2007 XML Editor

"This fully-functional download includes all Stylus Studio® 2007 XML features including our award winning XML editor, XSLT Editor, XSLT Debugger, XSL:FO Tools, XML Schema Editor, XQuery Editor, DTD Editor, XML Mapping, EDI, X12, EDIFACT, Legacy Data Conversion, XML Publishing, XML Pipeline and Web Service Tools. Stylus Studio® 2007 XML also includes sample projects, XML examples, XML tutorials and complete product documentation to help you learn XML!"

So I am not in a hurry to fix this, since I think I will

1. Reformat the C-disk.
2. Reorganize my computer completely.
3. Upgrade to the last version of DreamWeaver and / or look for a more XML firendly ide.
4. Does any readers of this thread know of other applications / IDE's that handles XLink in a professional way? I think XLink is one of the most difficult members of the XML family so an IDE that is strong on XLink and XPointer is wanted.

Very interesting. Learn much from this.

Now scanning with Avg. since it is easiest.

Congratualtions!

Thre were no installed rootkits found on your computer either by:

• Search for rootkits or by the more advanced
• Perform in-depth search.

Now try Wiges more complex solution 16 Mb download file:

Quote:

Originally Posted by wige

Be aware that the more sophisticated spyware apps install rootkits which can survive a reinstall of the operating system. If the program is replicating after a reinstall of Dreamweaver, it is possible that such a rootkit is present. I believe the free version of Avast antivirus has a utility to scan for rootkits, and runs this scan by default after the initial installation.

My bolding.

One solution is of course to reinstall DreamWeaver, but that is not the preferred option now.

[kgun]

AvswBoot.txt

11/10/2007 16:35
Scan of all local drives
Number of searched folders: 44855
Number of tested files: 397704
Number of infected files: 0

Other suggestiuons before reformatting the C disk and reinstalling?

All 3 disks were scanned.

P.S. Where is an advanced disassembler?

[khurramali]

I think you can format the c drive now, no root kits installed.

best of luck with your XML Adventures.

[kgun]

Agree. I have already made som XML pages.

[kgun]

Quote:

Originally Posted by wige

For the best results, use the external port scanner at GRC*|*Gibson Research Corporation Home Page** (Scroll down to Hot Spots, and select Shields Up, then the All Service Ports scan). This scan should reveal any open ports that are on your system if you have a direct connection to the internet. If you don't have a direct connection, use a port scanner on another computer to scan the affected PC.

I ran ShieldsUp!!

Greetings!

Without your knowledge or explicit permission, the Windows networking technology which connects your computer to the Internet may be offering some or all of your computer's data to the entire world at this very moment!

I knew that. Most of it is already on the internet.

My stone age computer was infected again with a bad virus (I learn from this).

1. It started with some keys on the computer not functioning. That was easy to fix. Deleting the key board driver. It installed itself.
2. The next step was worse. I noticed that there were problems when I shut down the computer. The next day I was not able to start it. Not in secure mode, and not by starting it from the system restore CD (configured in the BIOS setup).
3. I would buy a new Pc, but my son said that he should fix it and he did in an hour or two. But now it starts with 1 above again.

Has this tool changed now?

Scroll down to Hot Spots, and select Shields Up, then the All Service Ports scan.

This is enough?

Select Shields Up, then the All Service Ports scan.

TrueStealth Analysis. Failed. Does that imply that there is a bad root kit?

GRC Port Authority Report created on UTC: 2009-01-11 at 20:37:54

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

[wige]

It has been a while since I have used that utility, but most systems that are behind certain types of firewalls will respond to ICMP Pings, which are different from TCP Pings. TCP pings are sent to port 7, while ICMP pings use another method. This generally does not indicate a problem with the system. Rather, this usually indicates a setting on the firewall needs to be changed to disable pings and ICMP messages.