The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    exploit neosploit found by AVG -- What to do?

    Discussion in 'Security and Anti-Virus Software' started by Justitia, Feb 1, 2009.

  1. Justitia

    Justitia Notebook Evangelist

    Reputations:
    91
    Messages:
    617
    Likes Received:
    0
    Trophy Points:
    30
    exploit neosploit found by my AVG AV software. My computer is scanned once a day and it is in the midst of being scanned right now.

    So far AVG has come up with exploit neosploit 3 times but AVG gives no assistance on how to remove it. It is not listed in AVG's encyclopedia.
    It is the same file all 3 times: "91.211.64.180/cgi-bin/index.cgi?tf17";"Exploit Neosploit";""


    What am I supposed to do?
     
  2. flipfire

    flipfire Moderately Boss

    Reputations:
    6,156
    Messages:
    11,214
    Likes Received:
    68
    Trophy Points:
    466
  3. Justitia

    Justitia Notebook Evangelist

    I don't know what you mean, log into a clean system.

    Isn't AVG supposed to protect me from stuff like this?

    Is neosploit removable?
     
  4. flipfire

    flipfire Moderately Boss

    Log into a different computer that's not compromised by viruses and change your passwords before the hackers decide to do something malicious with it.

    Yes AVG is supposed to protect you but viruses are also updated daily. They come in different variants to stop it from being detected.

    No antivirus will always cover everything.
     
  5. Justitia

    Justitia Notebook Evangelist

    AVG updates regularly.

    I also run XoftSpySE twice a day.

    I deliberately don't store any passwords except for sites like this (i.e., no financial sites -- only virtual communities). I always have to type my password for everything before I can enter.

    I am still confused. If AVG detects (it states multiple threat detection -- cites the same IP address each time) why isn't it removing it? Or stopping it.

    I am running Spybot S&D now. I used to use it but thought purchasing protection would be better.

    How does AVG detect something and then not have any info on it or instructions how to remove it? What is the point of that?

    Am I supposed to wipe out this hard drive and do a fresh install? I have most but not all my data on it backed up. There are a few word processing files I don't have backed up yet.

    I've also looked on Norton's site -- they seem to have no info...

    The only website I've gone on has been the TV station websites: FX and Fox -- that is it. I have not used this particular computer for days for anything else (I have 2 laptops and a desktop).
     
  6. Justitia

    Justitia Notebook Evangelist

    Update

    Just finished SpyBot S&D -- it found nothing but cookies --which I removed.

    What does this mean? AVG false alarm?

    How do I get rid of the Neosploit?
     
  7. TeeJay 44

    TeeJay 44 Notebook Deity

    Reputations:
    1,020
    Messages:
    1,048
    Likes Received:
    0
    Trophy Points:
    0
  8. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Hi Justitia, if SAS has found and removed the same file, you're good.
    If not, it might be possible that AVG caused a false alarm.
    The IP address doesn't seem related to FX or Fox though...
    Can you pinpoint the file yourself and upload it to the multiple AV/AS online-scanners linked to in my signature?
    Check with Jotti Malware scan and Virus Total. This to exclude the possibility of a false positive.
    If multiple AV/AS flag it as malicious, besides SAS, the programs Malwarebytes'Antimalware and Dr.Web CureIt are also worth using.
    Cheers.

    Edit; Check this post on MBAM if the malware proves difficult to remove and use a program like Secunia OSI regularly to patch any out-dated program that might harbour a possible exploit.
     
  9. Justitia

    Justitia Notebook Evangelist

    I am running Super Anti-Spyware "as we speak" -- so far nothing -- but it has only run for about 20 minutes.

    The AVG keeps issuing more threat warnings. I fell asleep and 4 more were listed.

    I did leave on Fox's website just to see what would happen. So if neosploit's presence is from there, it is causing AVG to trigger.

    I had read the article you cite but subsequent articles say it's back -- some surmise a smokescreen.


    I will wait to see the results.

    What is interesting is the domain you found for that IP address is for a Russian company which is where originates from. Apparently it is a "service" criminals use to hack computers.

    If AVG keeps coming up with a warning of the threat -- do you think that means it's blocked it? AVG gives absolutely no information. No option to quarantine, remove, etc. But clearly it recognizes it on my computer but gives no info on its site about it.

    I will wait to see what SAS does. If nothing there, I will follow your suggestions. I did see the detailed instruction about what to do in the link to the post provided.

    Do you all think Super Anti Spyware is worth buying?

    I accidentally bought XoftSpySE because I thought it was being rated by CNET as one of their top ten -- I believe now it was a clever Google ad on CNET's site designed to mislead you into thinking that. It seems next to worthless. It takes 3 minutes to "scan your whole computer". It comes up with about a dozen cookies, that I delete each time and that's all.

    It was less than 30 days ago -- I may ask for my money back as I got it for 3 computers.

    But I am willing to spend money on top-rated protection. My time and anxiety are worth more. I thought AVG was a good choice after some research. I've had it for about a year. This is the first time I have run into some problem.

    When I did SpyBot S & D a little while ago I agreed when Spybot asked to delete my temporary files and my laptop is running so much faster.

    The IE Internet tools now only deletes temporary internet files without the option of deleting off-line temporary files as earlier versions did.

    So I plan to return to running SpyBot Search and Destroy just for that.

    Also I never downloaded Service Pack 3 for the Windows XP I am running on this machine. Now I am too scared to until this neosploit is fixed.

    Though I never store passwords for financial sites (or vendor sites or anything involving money) or any of my email addresses -- I think I will use IE to delete all my passwords just as a precaution.
     
  10. Justitia

    Justitia Notebook Evangelist

    SAS did not find anything but another 236 cookies. Did not detect NeoSploit -- do you think it might not be on my computer -- or that AVG blocked it?

    "Can you pinpoint the file yourself and upload it to the multiple AV/AS online-scanners linked to in my signature?"

    AVG gives no info except the IP address that you've checked out. No info on any file.

    I will check those out next.

    Thanks for your assistance and detailed attention.
     
  11. Justitia

    Justitia Notebook Evangelist

    AVG gives no info except the IP address that you've checked out. No info on any file.

    So Jotti Malware and Virus Total can't be used for this situation.

    I am doing this next...
     
  12. Baserk

    Baserk Notebook user

    Remove XoftSpySE 'cause it's a sub-standard antispyware program.
    I'd ask my money back if possible.
    And yes, SAS and MBAM are worth their money.
    They are pretty much on par with MBAM holding the edge at the moment.
    I think MBAM costs $24.95 and SAS $19.95, both for a life-time subscription.
    Make sure to use a trial version of both before purchasing to see which program you like most.

    If all these programs you've used/are using, don't find anything, you can be pretty sure your computer is clean.
    Just to clear things up, did AVG give a warning while it was scanning your notebook and you were not using a browser, or did it give a warning while it was doing a regular scan and you were also using IE and visiting a site like Fox?
    In the latter case it seems AVG gave a real-time protection warning, not related to the usual scan it was doing.
    Cheers.
     
  13. Justitia

    Justitia Notebook Evangelist

    Thank you Baserk... so much ...
    I lost half a night's sleep over this... :(


    Well SpyBot S&D found nothing but cookies -- which I deleted.

    SAS found nothing but cookies -- which I deleted

    Malwarebytes did a full scan and found nothing -- not even cookies (but I deleted all the cookies found in the previous 4 scans: AVG, SpyBot, SAS -- and XoftSpySE.)

    AVG popped up a box saying Warning Threat and gave 3 warnings while it was doing a regular scan and while I was also using IE and visiting Fox.

    It gave 5 more warnings after its scan was finished in the same box and I was still on Fox. (No other website except for here and the various sites for the AV software you suggested) (I figured if I was infected already I would see what would happen if I stayed on Fox.)

    Below is what AVG's Web Shield Findings says. It gives the time for each warning which spans from 4:35 AM when AVG was scanning the whole computer (AVG's scan starts at 4:00 AM and lasts about an hour) to 8:38 AM (it is now 11:36 AM) (I bolded the time of the warning but everything else is the same):

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 8:38:18 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 8:15:55 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 7:59:12 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 7:45:15 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 5:43:05 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 5:26:20 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 5:11:13 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    "Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 4:56:56 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

    I am still on Fox now and no more warnings came up.

    I also did a complete (MS) search on my computer for any file (including hidden files) containing the term "neosploit" and a separate search for "exploit"

    Nothing came up.

    So do you think AVG stopped the Neosploit and was just warning me it was trying to hack in?

    And do you think I am safe now? (well as safe as one can be.)

    I have another 2 years on AVG Internet Security (3 pak).

    Do you think I should add -- or replace -- AVG with SAS or MBAM (depending on which I like better)? For a lifetime subscription the cost is trivial for me.

    Could I run AVG at the same time as either SAS or MBAM? or would that create a conflict that would be counter productive?

    And, finally, do you think it is safe for me to install Service Pack 3 for Windows XP?

    Thank you sooo much... again.... :)
     
    Last edited by a moderator: May 8, 2015
  14. jerry66

    jerry66 Notebook Deity

    Reputations:
    80
    Messages:
    764
    Likes Received:
    0
    Trophy Points:
    30
    AVG and SAS or MBAM will run fine together. AVG I'm not crazy about, and I used it for over 10 years. Avira or Avast are better bets for AV scanner.
    What are comp specs, factory build, i.e. Dell, HP or self built? AMD or Intel? They had trouble with some OEM AMD builds and SP-3. For SP-3, install with AV and AS off.
    And use something other than IE or harden it up.
     
  15. Justitia

    Justitia Notebook Evangelist

    Asus z70va intel centrino

    I tried Avast and Kaspersky before AVG. A little too sophisticated for me and I did not want to spend the time getting up to speed.

    But AVG has zero tech support. It's all by email, they don't answer for days, and then they just send canned answers that are only very generally related to your problem.


    Am I safe re: neosploit?
     
  16. Baserk

    Baserk Notebook user

    Justitia, as AVG actually did its job in warning you with AVG's Web Shield, there is no immediate reason to purchase either SAS or MBAM.
    You can use both of their free versions to do on-demand scans since they don't offer real-time protection.
    If, however, you would like an extra layer of real-time protection, make sure to run the trial (paid-for) versions for a couple of weeks, so you can find out yourself if they don't cause any conflicts with your current AVG setup.
    Cheers.
     
  17. jerry66

    jerry66 Notebook Deity

    I think AVG caught it. Clear IE cache, history and temp files, run scan, bet nothing comes up. If so, you're good to go. You are safe to update to SP-3 if you like, no problems on that comp. Not an AMD factory build.
     
  18. entropy.cz

    entropy.cz Notebook Evangelist

    Reputations:
    110
    Messages:
    386
    Likes Received:
    0
    Trophy Points:
    30
    i've been reading this quickly only... but if the exploit is detected by webshield only, you can stop worrying. webshield is designed to catch the infection *before* it gets into your computer (it checks all traffic on port 80 and some others, used for web browsing), so that if the resident shield is silent, you're safe.

    empty your temporary internet files as jerry66 suggested (...just in case) and you're fine.
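
Added example (not part of the thread, and not AVG's own tooling): a small parser for the semicolon-separated Web Shield lines quoted in Justitia's post, applying the distinction Baserk and entropy.cz draw between a detection on web traffic and a detection of a file on disk. The field labels, the path heuristic and the fourth sample line are assumptions made for illustration.

```python
import csv
import io
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: three Web Shield lines quoted in the thread plus one
# invented on-disk detection (placeholder name and path) for contrast.
SAMPLE = r'''
"Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 8:38:18 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"
"Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 5:11:13 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"
"Exploit Neosploit";"91.211.64.180/cgi-bin/index.cgi?tf17";"";"2/1/2009, 4:56:56 AM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"
"Example.Detection";"C:\Temp\placeholder.exe";"";"2/1/2009, 4:20:00 AM";"File";""
'''
FIELDS = ("name", "object", "result", "when", "obj_type", "process")  # assumed labels
LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive-letter or UNC path

def parse(text):
    """Parse semicolon-separated, double-quoted export lines into dicts."""
    rows = []
    for rec in csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"'):
        if len(rec) != len(FIELDS):
            continue  # skip blank or malformed lines rather than guessing
        row = dict(zip(FIELDS, rec))
        row["when"] = datetime.strptime(row["when"], "%m/%d/%Y, %I:%M:%S %p")
        rows.append(row)
    return rows

def triage(rows):
    """Group by (name, object); record count, time span, process, source, host."""
    groups = {}
    for r in rows:
        g = groups.setdefault((r["name"], r["object"]), {
            "count": 0, "first": r["when"], "last": r["when"], "processes": set()})
        g["count"] += 1
        g["first"] = min(g["first"], r["when"])
        g["last"] = max(g["last"], r["when"])
        if r["process"]:
            g["processes"].add(r["process"].rsplit("\\", 1)[-1].lower())
    for (_, obj), g in groups.items():
        on_disk = bool(LOCAL_PATH.match(obj))
        g["source"] = "on-disk" if on_disk else "web-traffic"
        url = obj if "://" in obj else "http://" + obj
        g["host"] = None if on_disk else urlsplit(url).hostname
    return groups

def web_only(groups):
    """True when every detection names a remote object and none a local file."""
    return all(g["source"] == "web-traffic" for g in groups.values())

if __name__ == "__main__":
    groups = triage(parse(SAMPLE))
    print(groups, web_only(groups))
```

A web-traffic-only result matches the situation described in the thread; an on-disk group is the case that calls for the on-demand scanners mentioned earlier.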
     
  19. TeeJay 44

    TeeJay 44 Notebook Deity

    That is what really pissed me off with AVG 8.

    WebShield (for me) was an unnecessary waste of time (and money).
    I always visit legit sites...and this thing was always eating my airtime and money by scanning any Google search I enquire about..

    For example: Pets. Anything Google found was automatically scanned.

    Good idea by AVG - really bad implementation thereof.

    Cheers,
    Theo
     
  20. entropy.cz

    entropy.cz Notebook Evangelist

    it is not a waste of time... exploits are the best example, resident shield won't catch them "in time", because you need to block them BEFORE the malware gets a chance to get in your computer.

    you always visit legit sites... good. but also the legit sites are often attacked by hackers. i've seen exploit codes added to a beekeepers club site, progrock fans site, hats manufacturer site, and so on. you don't have to browse p-o-r-n or warez sites to meet some really ugly code. :rolleyes:

    the google search results are not marked by WebShield, but by LinkScanner. you can switch the SearchShield feature off if you don't wish to use it.
     
  21. Justitia

    Justitia Notebook Evangelist

    I always visit legitimate sites too..

    The neosploit attack occurred over a period of several hours when I was on FOX Broadcasting Networks "FOX on Demand" (where I watch TV shows on the internet as I don't have a TV).

    Thank goodness I had AVG. But I do intend to supplement it with something else.
     
  22. TeeJay 44

    TeeJay 44 Notebook Deity

  23. Justitia

    Justitia Notebook Evangelist
