Seems a link to malware got into the HTML wrapped around ads on Universal Hub early this morning (up until about 8 a.m., when I started shutting off ads served through my ad server).
If you got a popup when you visited the site and you clicked on the link (on your Windows computer), your computer may now have a nasty program called SpyEraser, which just doesn't want to go away.
First, my apologies. Second, I'm looking for a fix. In fact, if anybody has any possible solutions, I'd love to hear them. If you delete that program, you get an error message about something called mpor.yuo.
One possibility: Malwarebytes. Although it may not flag the software during a scan, it will get rid of it.
Comments
So that's what happened....
By merlinmurph
Thu, 12/17/2009 - 5:18pm
I remember getting the popup, but declined it. I still got hung up after that. Great job tracking that down.
Same here
By Stevil
Thu, 12/17/2009 - 5:30pm
My Norton blocked it (I'm running it on the home computer just to be sure - haven't checked it yet) - but the computer still hung up. My guess is that if Norton blocked it and you have updated software it will either fix or quarantine the problem. Just a guess though.
Update
By Stevil
Thu, 12/17/2009 - 6:43pm
Ran a full scan on the computer while I was at work - appears Norton successfully blocked it - didn't show up in the scan and no apparent lingering effects. Fingers crossed. Had one of these things once - major PITA! Spent hours on the phone with all my best friends in India - very nice people the Indians.
I wish it were my brilliant deductive skills
By adamg
Thu, 12/17/2009 - 5:37pm
But if I had those, this probably wouldn't have happened in the first place. In any case, the reason I know what happened is because, unfortunately, one user did get his PC infected. And fortunately, he's a kindly soul and we've been trying to figure out what to do about it, rather than him coming over here and throwing his computer at me.
So, again, to everybody, my apologies!
WinBlows
By MadMax
Thu, 12/17/2009 - 5:50pm
Simple solution. Infected user should buy a non-windows machine.
Disclosure: I am not actually an apple investor.
No, it's not a simple solution
By adamg
Thu, 12/17/2009 - 6:02pm
Even if you have the money just lying around, it's a bit more complex than that. What about all your files and programs? Yeah, yeah, there are ways to deal with those, but you don't just snap your fingers and presto, you're up and running on your spiffy new contribution to Steve Jobs's bank account.
I got it on my work computer!!
By anon
Thu, 12/17/2009 - 6:24pm
What can I do? Not sure the boss is going to be too happy. Seriously.....WTF?
Download Malwarebytes
By adamg
Thu, 12/17/2009 - 7:30pm
And run it.
Guess My Ad Blocker Took Care of That
By SomervilleDJ
Thu, 12/17/2009 - 7:12pm
I actually went the other way, from Mac (five years of it) back to Windows. For a little while I was running Leopard on an old MacBook and Windows 7. As a former all-pro-Mac person, I must say: Windows 7 is, for the most part, better than Leopard. Much more productive. Faster. Etc. (But, yeah, still prone to spyware issues.)
Dare I say it
By Michael Kerpan
Thu, 12/17/2009 - 7:17pm
There's always Linux (free) running on an existing computer (or part of it -- if you want to maintain the ability to boot into Windows, for old-time's sake). Still need to adjust -- but no money sent to Mr. Jobs' bank account.
Tried it...
By SomervilleDJ
Thu, 12/17/2009 - 7:21pm
I messed around with Linux a couple times. However, I really do like Windows 7, and I so far (in however many years, including years of Windows before I switched to Mac) have never had a virus or a spyware issue (fingers crossed). Also, I use OneNote on a daily basis (Windows only).
Advertising still visible
By MadMax
Thu, 12/17/2009 - 7:43pm
I use a FreeBSD box at home myself. I might add, Adam, the Advertising banners are still visible. 1800mattress right now. Thankfully not the Bobinator.
Oh, yeah, you're supposed to see the ads
By adamg
Thu, 12/17/2009 - 7:51pm
Click on 'em, even :-).
What you're not supposed to see are popups asking you to start downloading software. If you do see that, don't click and let me know.
Orly?
By Jay Levitt
Thu, 12/17/2009 - 8:25pm
I'm reading this on a 3GHz Xeon running Windows 7. In a window on my Mac Pro, running Snow Leopard.
Why? Because "Show only feeds with new posts" is one of those unconscionably-absent features in every Mac RSS reader. FeedDemon, OTOH, has it.
Look what I got
By Lanny Budd
Thu, 12/17/2009 - 8:44pm
DEAR SIR,
URGENT AND CONFIDENTIAL BUSINESS PROPOSAL
I AM MARIAM ABACHA, WIDOW OF THE LATE NIGERIAN HEAD OF STATE, GEN. SANI ABACHA. AFTER HE DEATH OF MY HUSBAND WHO DIED MYSTERIOUSLY AS A RESULT OF CARDIAC ARREST, I WAS INFORMED BY OUR LAWYER, BELLO GAMBARI THAT, MY HUSBAND WHO AT THAT TIME WAS THE PRESIDENT OF NIGERIA, CALLED HIM AND CONDUCTED HIM ROUND HIS APARTMENT AND SHOWED HIM FOUR METAL BOXES CONTAINING MONEY ALL IN FOREIGN EXCHANGE AND HE EQUALLY MADE HIM BELIEVE THAT THOSE BOXES ARE FOR ONWARD TRANSFER TO HIS OVERSEAS COUNTERPART FOR PERSONAL INVESTMENT.
I was on the site this
By mixylplik3
Thu, 12/17/2009 - 6:27pm
I was on the site this morning, but I run NoScript with Firefox which is like a concrete and steel condom for my web browser. A little tedious when you first install it since you have to whitelist the sites you go to often, but once you're in a groove there is no turning back.
I got it but think I got rid of it
By DickH
Thu, 12/17/2009 - 9:43pm
When I accessed my blog (and not UH) at about 8 am today I got a popup that I thought was for something I wanted so I clicked on it and within seconds I was deluged with "warning: your computer is infected" popups from this SpyEraser program. There was a new icon in my program tray (next to the clock - I'm running XP) but nothing showed up when I went to "add/remove programs" and there was no "uninstall" with its program icon in my programs area. In "my computer" I couldn't find anything that looked like it. I Googled "spyeraser" and it seems to be a legit but crappy program with unscrupulous marketing by a company called Uniblue. The complaints on the web all said it does a free scan, finds a bunch of stuff that's not really there, then gets you to buy their product. I emailed Uniblue support (http://www.liutilities.com/support/) and got a response, but it was just telling me to do everything I'd already tried. I got rid of the icon from my program tray by waiting for it to popup then doing CTRL-ALT-DEL and using Task Manager to "end program". Then I noticed an icon on my desktop. By right clicking and picking "properties" I found the file name in the "target" window and tracked back to it. It was C:\Windows\system32\msctrl32.exe. The msctrl32.exe was the file. I deleted it and restarted my computer. Now it seems to be gone. My only caveat is I'm not a computer guy but was angry enough to impulsively delete that particular file. It seems to have worked for me, but try it at your own risk. Sorry for the length of this, but I'd like to help others avoid what I suffered through today.
If ^ doesn't work... this should
By greenlinetobrooklyn
Thu, 12/17/2009 - 10:09pm
This is the solution, but only half of it. Since I didn't check UH until 9am, I didn't get the chance to infect my computer. However, I have dealt with similar problems and can tell that your computer is likely to reinfect itself.
The problem with your solution is that you deleted the file from your hard drive, but it still exists in your PC's RAM. If this malware is sophisticated, it will copy itself from the RAM back onto the hard drive and SpyEraser will be back.
So, the problem is that upon startup the msctrl32.exe is copied from the hard drive to the computer's memory and when you delete it from the hard drive, the msctrl32.exe that is loaded in memory copies itself back onto the hard drive. Booting into an environment that doesn't load this file automatically will solve this. Safe mode (F8 on startup, before the Windows logo) may work, you can boot into it and check the running processes (ctrl + alt + delete -> processes tab) and if msctrl32.exe is not running, deleting it should do the trick. Otherwise, a Linux live CD (www.ubuntu.com) or BartPE (http://www.nu2.nu/pebuilder/) will definitely not load the file.
kinda dropped off...
By greenlinetobrooklyn
Thu, 12/17/2009 - 10:44pm
Sorry, just got back from the Sam's Open House... Burning Ubuntu or BartPE to a CD and then booting to that CD will allow you to use your computer and access the files on your HD without loading files from the HD into memory. From Ubuntu or Bart you'll be able to delete the file off your HD.
thanks for your openness and honesty
By Harry Mattison
Fri, 12/18/2009 - 12:01am
Adam,
I (and many others) appreciate the great public service that you perform with this blog. And I appreciate your willingness to publicly acknowledge the problem the site had this morning. It would have been easy to ignore or deny it, but you took the high road.
Thanks,
Harry
What Harry said
By david_yamada
Fri, 12/18/2009 - 1:26am
Some folks are just stand up folks. Three cheers.
getting rid of Spyeraser
By anon
Fri, 12/18/2009 - 7:23am
So, what's a next step if Malwarebytes doesn't get rid of it entirely?
Try some of the other steps listed above or ...
By adamg
Fri, 12/18/2009 - 8:31am
Spybot got a good recommendation from an IT person I know.
I tried SpyBot,
By twheaton
Fri, 12/18/2009 - 8:50am
but it didn't work. Fortunately my pc is backed up nightly.
Performing a system restore from the previous night's backup quickly and completely eliminated that nasty bit of malware.
System restore
By Allstonian
Fri, 12/18/2009 - 9:32am
Yes, my husband did a system restore to Monday and eliminated the infestation. BTW, you didn't actually have to click through to the website to get infected - I got what I thought was a legitimate Windows warning about an unwanted click-through, and made the mistake of clicking the "no" box ("do you want to allow this - yes/no") instead of closing the pop-up, and got infected that way.
Another possibility
By adamg
Fri, 12/18/2009 - 10:02am
That looks like XP instructions. For Vista, when you hit ctrl-alt-delete, click on Task Manager, then end the task or process, I'm betting.
From this Tech Support Guy forum.
So how did this happen?
By Ron Newman
Fri, 12/18/2009 - 9:16am
Is there a bug in PHP (assuming that you use it here), or did someone forget to call htmlspecialchars() ?
No, I was an idiot
By adamg
Fri, 12/18/2009 - 9:55am
New version of the ad-serving software came out. I downloaded it, meant to install it, didn't, somebody took advantage of a hole in the old version to put an iframe underneath every single ad call in the database.
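An added example, not part of the original post or comments and not the ad server's own code: one way to audit stored ad markup for the kind of iframe described above. The `(banner_id, html)` row layout, the `ALLOWED_HOSTS` allowlist and every host name in the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve framed ad content (assumption for this sketch).
ALLOWED_HOSTS = {"ads.example.com"}

class IframeFinder(HTMLParser):
    """Collects each <iframe> in a stored ad snippet that looks injected, with reasons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("src host not on allowlist")
        style = a.get("style", "").replace(" ", "").lower()
        if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("hidden or 1-pixel frame")
        if reasons:
            self.findings.append((host or "(no host)", reasons))

def scan_ad_rows(rows):
    """rows: iterable of (banner_id, html). Returns {banner_id: findings} for flagged rows."""
    flagged = {}
    for banner_id, html in rows:
        finder = IframeFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            flagged[banner_id] = finder.findings
    return flagged

# Constructed sample rows standing in for the ad server's banner table.
SAMPLE_ROWS = [
    (1, '<a href="https://shop.example.com/"><img src="https://ads.example.com/b1.gif"></a>'),
    (2, '<a href="https://shop.example.com/"><img src="https://ads.example.com/b2.gif"></a>'
        '<iframe src="http://unknown-host.example.net/x" width="1" height="1"></iframe>'),
    (3, '<iframe src="https://ads.example.com/rich/3.html" width="300" height="250"></iframe>'),
]

if __name__ == "__main__":
    for banner_id, findings in scan_ad_rows(SAMPLE_ROWS).items():
        print(banner_id, findings)
```

Run on a schedule against an export of the banner table, a non-empty result means stored ad code changed in a way nobody approved, which is worth an alert before visitors see it.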