Exploit: HTML/Repl.B

  • Question

  •  

    Only occasionally do I have to try tech support, but this is one time.

     

    Forgive my ignorance, but no matter how I try, I cannot get rid of this "Severe Exploit". I can't even find out how to reach, e-mail, or chat with OneCare tech support. The phone number I used in the past for support no longer works, and I'm going around in circles getting nowhere. My first year with OneCare was great. Soon after renewal last March, I began to have problems. (By the way, other than this blip, OneCare will no longer allow me to do incremental backups to DVD. I have to do the complete backup - using 8 DVDs.) Getting back to the problem at hand, I have been a subscriber to OneCare for almost 2 years, and am finally getting frustrated with the increasing complexity, and inability to communicate with OneCare when I have problems. I guess I'm dense, but none of these posts tells me exactly what to do--at least I cannot glean the info from these "related posts".  This has persisted now for the past 3 days.

     

    Should I reinstall OneCare? Should I mark it as "ignore" since it won't remove or quarantine? It isn't clear to me. Maybe it is time to move on to another security program. I like the concept of OneCare, however.

    Saturday, December 22, 2007 5:03 AM

Answers

  • Here's the support FAQ:

    How to reach support - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

    If it fails to validate your subscription, select the option that you are using a trial or beta copy and you can proceed to email support without validation once you've signed in.

     

    As to the current threat, there are a few reports on this being detected by OneCare, but apparently it still hasn't been coded into the engine and signatures for removal. In fact, searches on this threat come up blank except for detection by OneCare, and the Malware Portal for Microsoft doesn't even describe any details on this threat.

    Open OneCare, click on Change settings, then click on the logging tab. Click create a support log and it will open a report in your browser. Scroll down to the virus section to see where this threat has been detected. Perhaps you can simply delete the offending file. If the file is in your System Restore points, you may need to disable System Restore and enable it once again to wipe out all restore points, but note that doing so will cause you to be unable to ever use System Restore to revert to an earlier time.

    -steve

    Sunday, December 23, 2007 5:48 PM
    Moderator

All replies

  • I find this alert predictably pops up when I visit certain websites.  OneCare does remove it but if I revisit those sites, it comes right back.  The threat is stored in the Temporary Internet Files and apparently can be removed by deleting them.

     

    Viewing the webpage source code suggests the threat comes from the following JavaScript:

    www#google-analytics#com/urchin#js  (I replaced the dots with # to keep this from being an active script).  Apparently this piece of Google spyware inserts an "urchinTracker()" function onto your computer.

     

    What I find really interesting is that, although this is clearly spyware, no one is describing it as such.  For example, see Wikipedia's puff piece on "Google Analytics" where they admit, "Some users do not have Javascript-enabled/capable browsers, which further limits the tracking ability of Urchin."  Money talks and Google has lots of it!

     

     

     

     

    Monday, December 24, 2007 6:07 PM
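
The check described in the post above (reading a page's source to see which script include it pulls in) can be run over a saved copy of the page when triaging a detection that follows certain sites. This is an added example, not part of the original thread; the sample page, its URL and the names `ScriptInventory` and `third_party_scripts` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a saved page that loads one first-party script,
# the analytics script named in the thread, and one inline call.
SAMPLE_URL = "http://news.example/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">urchinTracker();</script>
</head><body>hello</body></html>"""


class ScriptInventory(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.external = []   # absolute URLs taken from <script src=...>
        self.inline = []     # text of <script> blocks that have no src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Resolve relative paths against the page so hosts can be compared.
            self.external.append(urljoin(self.page_url, src))
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def third_party_scripts(page_url, html):
    """Return ({host: [urls]} for scripts not served by the page's host, inline bodies)."""
    inv = ScriptInventory(page_url)
    inv.feed(html)
    inv.close()
    page_host = urlparse(page_url).hostname
    by_host = {}
    for url in inv.external:
        host = urlparse(url).hostname
        if host and host != page_host:
            by_host.setdefault(host, []).append(url)
    return by_host, inv.inline
```

Run against each cached page that triggers the alert, the per-host listing shows which external include the flagged pages have in common, which is the evidence to attach to a false-positive report.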
  • Interesting, Eric. This would seem to be embedded in Google Ads, then.

    -steve

     

    Monday, December 24, 2007 10:31 PM
    Moderator
  • Any idea what's going on now?  In the last couple of days OneCare has stopped popping up those alerts.  However, the Google spyware www[dot]google-analytics[dot]com/urchin[dot]js and urchinTracker() are still present on the websites whenever I check the source code.  Has OneCare given up, or has it been reprogrammed to disregard this particular spyware?
    Wednesday, December 26, 2007 9:11 PM
  • Can you check your antivirus signature version? That's the only thing that I can think may have changed unless the real problem is that the Google ads were updated to have different characteristics.

    -steve

     

    Thursday, December 27, 2007 1:33 AM
    Moderator
  •  

    Quote:

    What I find really interesting is that, although this is clearly spyware, no one is describing it as such.

     

    Spyware generally is considered nefarious and presents some type of threat to your personal information or your computer's integrity.  The urchin script is your average, everyday web analytics script that has been around nearly forever (in Internet time).  It is really not much more than a glorified server logfile.  I suppose in the strictest sense this could be considered spyware, but it is quite innocuous - at least as far as I know.

     

    The urchin script, to the best of my knowledge, is using only data which doesn't really present any security issues.  (Such as browser type and version, monitor resolution, javascript on/off, IP address, etc.)  The data is aggregated into reports for webmasters to track the way their site is used and not really used to pinpoint individual persons.  I can tell you from the "webmaster" perspective that there is very little value in the individual bits of data collected (including the IP addresses).  The value is in the aggregated reports and the anomalies that may arise within those reports.  I can only assume, based on the massive volumes of data they must collect, that Google's interests are the same - in the aggregate data, not anyone specific.  So, frankly, your anonymity is much like that in real life - guaranteed by the throng of people around you unless you are doing something really odd to make yourself stick out.

     

    I will add this disclaimer:  I do not know what all data Google may collect with the urchin script - I only see what they show me in the reports.

     

    In any case, for the paranoid privacy fanatic, it is all easily overridden by any one of various means.

    Friday, December 28, 2007 2:58 PM
  • In any case, for the paranoid privacy fanatic, it is all easily overridden by any one of various means.

     

    Please tell me "the various means".


     

    Sunday, December 30, 2007 4:37 AM