Wed, Sep 28, 2005 12:10 am
RB Laptop Infections - Sept 26 2005
I updated the Norton AntiVirus 2005 virus definitions on R.B's laptop from
ones dated 8/3/2005 to ones dated 9/26/2005 using the latest Intelligent
Updater virus definitions to prepare for running a full scan
of the system. But before I could run the scan a window opened displaying
a virus alert.
Action Taken: Unable to repair this file.
When I clicked on "OK", I got the message "Access to the file was denied".
And when I clicked on "OK" for that message I was back to the original message
and was stuck in a circle with clicking on one message bringing up the other
over and over again.
Clicking on the Trojan Horse link just brought up a Symantec
webpage with generic information on trojans, which was of no help at all.
Unfortunately, Symantec seems to provide a generic "trojan" page for many
trojans when surely they must have some information on particular trojans.
Sophos links hhk.dll to
Troj/Puper-D, which it describes as "a browser hacking Trojan for the
Windows platform." It indicates that the file shnlog.exe is associated with
this trojan. I've seen references to shnlog.exe not closing properly when
I shut down the system, i.e. messages indicating the application failed to
initialize because the system is shutting down.
I ran a complete scan of the system even though the hhk.dll virus alert
couldn't be dismissed. That scan found the following:
hhk.dll       Trojan Horse   Virus found
hp832A.tmp    Trojan Horse   Virus found
intmon.exe    Trojan Horse   Virus found
The files were found in the following locations:
I opted to have Norton AntiVirus attempt to fix the problems. It reported
"quarantine failed" for hhk.dll and hp832A.tmp. It then asked if I wanted
to delete files. It was still unable to remove everything, reporting "delete
failed" for hhk.dll, hp832A.tmp, popuper.exe, and shnlog.exe. It reported
intmon.exe as "quarantined".
I started regedit. I noticed that there was still a key under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run for "PSGuard spware
remover" with a value of "C:\Program Files\PSGuard\PSGuard.exe". That
malware had previously been removed, so I removed the key.
And since the Sophos webpage states in regard to the Troj/Puper-D trojan that
it creates a registry key under
named paint.exe, which points to shnlog.exe, in order to run itself on startup,
I removed that, as well as one that was named notepad2.exe, which pointed to
I then rebooted. Norton AntiVirus was then reporting hp8A66.tmp as a Trojan
Horse and indicating it couldn't repair it. When I dismissed its warnings
for that file, it reported it couldn't repair HHK.DLL again.
I tried deleting shnlog.exe, but couldn't delete the file and when I checked
the registry under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run, I found
the paint.exe entry was back pointing to shnlog.exe. I deleted it again and
within a few moments it was back again.
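A Run value that reappears moments after it is deleted, and a file that cannot be deleted because it is "in use", both point at a running process that owns the file and re-creates the entry. The PowerShell below is an added example, not code from the original post: it lists the entries in the common autorun locations (including the Policies\Explorer\Run key named above), reports which process has a given module such as shnlog.exe or hhk.dll loaded, and polls one value so that a reappearance is logged with a timestamp. The file and value names are the ones the post reports; the key list and function names are mine.

```powershell
# Added example, not from the original post. Defender-side checks for a
# Run-key entry that keeps coming back: list autorun entries, find the
# process that has a suspect file loaded, and watch a value for reappearance.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Provider metadata that Get-ItemProperty adds to every result. Filter on exact
# names rather than a "PS*" prefix, or a value such as "PSGuard ..." would be hidden.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Find-LoadedModule {
    # Report every process that has a module whose path matches $Pattern,
    # e.g. '*\shnlog.exe' or '*\hhk.dll'. This is what makes a file "in use".
    param([string]$Pattern)
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }  # access denied on protected processes
        foreach ($m in $modules) {
            if ($m.FileName -like $Pattern) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.FileName }
            }
        }
    }
}

function Watch-AutorunValue {
    # Poll one value once a second and print a timestamped line each time it
    # goes from absent to present, so a watchdog re-creating it becomes visible.
    param([string]$Key, [string]$Name, [int]$Seconds = 120)
    $deadline   = (Get-Date).AddSeconds($Seconds)
    $wasPresent = $false
    while ((Get-Date) -lt $deadline) {
        $present = $null -ne (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue)
        if ($present -and -not $wasPresent) {
            '{0:HH:mm:ss} value "{1}" present under {2}' -f (Get-Date), $Name, $Key
        }
        $wasPresent = $present
        Start-Sleep -Seconds 1
    }
}

Get-AutorunEntries | Format-Table -AutoSize
Find-LoadedModule -Pattern '*\shnlog.exe'
Find-LoadedModule -Pattern '*\hhk.dll'
# Delete the value, then run this to see how quickly it comes back.
Watch-AutorunValue -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name 'paint.exe' -Seconds 60
```

Once Find-LoadedModule names the process that holds the file, the normal order of work is to stop that process (or boot to Safe Mode, as the post does next), remove the autorun value, and only then delete the file; deleting the value first just gives the watchdog a chance to put it back.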
I then rebooted the system into Safe Mode and ran a scan of the system
with Spybot Search & Destroy 1.4
using adware/spyware definitions from 9/23/2005. It found a plethora of
malware, including AV-Gold. On a
BleepingComputer.Com webpage titled "How to remove
AntiVirus Gold or AVGold", I found the following description for it:
Antivirus Gold is a supposed AntiSpyware application that gets installed by
Spyware/malware without asking for permission. This infection hijacks your
desktop to display an ad stating you need to buy an antispyware program.
There were also removal instructions on that webpage, but I chose to have
Spybot remove it. Spybot also found remnants of PSGuard, which
also purports to offer you protection for your system, still on the system.
It also reported CoolWWWSearch.ToonComics, PSGuard.msmsgs, QuickNavigate,
Smitfraud-C, and Zonemap.Ranges. When I chose to have Spybot remove everything
it found, it reported that it couldn't fix 14 items and asked if it could
run again when the system was rebooted. I indicated "yes" and rebooted.
A Spybot scan ran again immediately after I rebooted, but again it couldn't
remove everything and suggested it be run immediately after a system restart,
so I rebooted again after it completed its second scan. On the next scan,
it found 27 registry entries related to Smitfraud-C, which I requested it
fix. However, Spybot reported it fixed 0 of the 27 problems it found and again
suggested a reboot to fix the problems it couldn't fix. But again it found 27
entries for Smitfraud-C and reported "Some problems couldn't be fixed; the
reason could be that the associated files are still in use (in memory). This
could be fixed after a restart." Again it asked "May Spybot S&D run on your
next system startup?" This time I answered "no", since it seemed unable to
deal with the problem. But it seems to have dealt with HHK.DLL, since
it was no longer in the c:\windows\system32 folder and Norton AntiVirus is
no longer displaying alerts immediately after the system is rebooted.
SpyCatcher was on the system, though I didn't see any process named
"spycatcher" in the Task Manager processes list. When I went to "Start" and
"Programs", there was a group titled "SpyCatcher", but the only entry
within it was "Uninstall Spycatcher", though all of the files, including a
SpyCatcher.exe, appeared to be present under "C:\Program Files\SpyCatcher".
At the Tenebril webpage selling the product, the first feature listed for it
is "Allows novice PC users to remove aggressive spyware". The
Rogue/Suspect Anti-Spyware Products & Web Sites page stated it was a lesser-known
antispyware product that had been tested but not found to be a rogue/suspect
antispyware product. Products purporting to be antispyware programs that
"are of unknown, questionable, or dubious value as anti-spyware protection"
are placed on the rogue/suspect list maintained at this webpage.
In addition to selling SpyCatcher, the Tenebril website also offers a
free online scan for spyware at its Free Online Spyware page.
Since SpyCatcher wasn't listed as a dubious antispyware program, I started it,
but was presented with the message "Before using SpyCatcher, you must register
the product with your e-mail address and CD order number." I found a positive
SpyCatcher Review by Chris Hall at
Pocket-lint.co.uk and a four-star rating for it under "SpyCatcher - adware
and spyware scanner" on the SnapFiles site.
Since the price was only $19.95, I decided to try the product to
see how it performed. After purchasing it, I was given a serial number,
which I entered on the infected system. I couldn't immediately run the
software, however. It insisted I must log onto the Internet to unlock
SpyCatcher. So, if you had a serious adware/spyware problem that prevented
you from accessing the Internet, which I've seen occur on many systems,
you wouldn't be able to use the software unless you already had it installed
and registered on the infected system.
I updated SpyCatcher and had it scan the system. It appeared to get stuck
on the "Loading fingerprint library" phase. It indicated it loaded 13,336
fingerprints and then appeared to hang. It didn't show any updates to
the "running programs scanned", "registry items scanned", nor "files
and folders scanned".
After killing the SpyCatcher.exe process and restarting it only to get
the same results, I gave up on it and installed Microsoft AntiSpyware Beta1.
I ran the default "intelligent quick scan", but it found nothing, so I
ran a "full scan" with all options selected. It took twice as long - about
10 minutes versus about 5 minutes for the quick scan, but also found nothing.
I then decided to run another scan with Norton AntiVirus 2005 to see what
it was still reporting. While that was running, a Norton Personal Firewall
alert popped up stating that "tgshell.exe is attempting to connect to a DNS
server" and asking "what do you want to do?" When I searched for information
on tgshell.exe, I found the following on the
Task List Programs - T page:
This is the sort of
software we classify as spyware. It is part of Tioga
Software's remote support and management tools (Tioga.com,
Support.com, and SupportSoft.com are one and the same company)
and is installed by the setup CD of the @Home ISP
(@Home and MediaOne are now part of Comcast, with the
ComcastSupport software being the main culprit for introducing
TGCMD on a PC). The Tioga/SupportSoft.com software is also
included in the Sony Support software that comes with some
Sony Vaios and HP Pavilions. The original intention of
TGCMD is to have your @Home service or systems software automatically
updated when you are online, to provide a remote support
technician with setup information about your PC, and, in some
cases, to allow the remote support technician to connect to
your PC and see what you are doing; in short, technical
support is indeed the original intention; unfortunately, its
features are also very useful to advertisers and so, depending
on who supplied it, TGCMD will also
collect information from your PC, which web pages you have
visited, what you have downloaded, and permission based
information about your system, its software, its settings,
etc. As if that were not enough for us to recommend
disabling it, it has additionally also been known to create a
WININIT.INI file in the Windows folder, something which
straight away prevents Windows ME users from using the
extremely valuable System Restore feature of Windows ME.
Finally, many users have also reported: being unable to clear
the Internet history files when it is running, Eudora startup
problems, SDCSchedulerWindow error messages on shutdown of
Windows, and inability to delete video, audio, or graphics
If you are a Comcast customer, de-install "Comcast Support"
through the Add/Remove icon in your Control Panel.
Next, look up BJCFD in these Task List pages. If you
have a Sony Vaio, de-install the "Vaio Support Agent"
through the Add/Remove icon in your Control Panel. In
all cases, if the de-installation of Comcast Support or Vaio
Support Agent does not remove TGCMD after a
reboot, then immediately disable TGCMD using
Ultimate Troubleshooter !
Software / Support.com)
Read TGCMD above.
Absolutely nightmarish software which eats up CPU, drives the
hard disk hard, causes boot-up Kernel32 errors, generates
illegal operations, invalid page faults, and much more.
De-install as per instructions for TGCMD above.
I chose to "Always block connections from this program on all ports" for
When the Norton AntiVirus scan completed, it reported "no threats found."
I ran a Spybot scan again and it again found the same 27 Smitfraud-C registry
entries, under HKEY_USERS\...\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\, which it couldn't fix. It appears to be reporting
all of the sites that are listed in Internet Explorer's restricted zone,
which is a zone that Internet Explorer uses to restrict access to "Web sites
that could potentially damage your computer or data", so it appears to be a false
positive rather than any real threat.
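Whether a ZoneMap\Domains entry is benign depends on which zone it assigns: the restricted zone (zone id 4) only tightens Internet Explorer's settings for a site, which is why a block list there is harmless, whereas a domain placed in Trusted Sites (zone id 2) gets relaxed settings. The PowerShell below is an added example, not from the original post; it walks the Domains key, decodes each entry's zone id (the zone numbering is Internet Explorer's own; the function names and output layout are mine), and separates the restricted-zone entries from the few that deserve a second look.

```powershell
# Added example, not from the original post. Decode Internet Explorer's
# ZoneMap\Domains entries so that Restricted Sites (zone 4) block-list
# entries can be told apart from domains someone added to Trusted Sites.

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ZoneMapDomains {
    # $Root covers the current user. For another profile substitute
    # Registry::HKEY_USERS\<SID>\... (the post's Spybot report used HKEY_USERS);
    # machine-wide entries live under the same path in HKLM.
    param([string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains')
    if (-not (Test-Path $Root)) { return }
    $rootName = (Get-Item -Path $Root).Name
    foreach ($key in Get-ChildItem -Path $Root -Recurse) {
        # Domains\example.com\www stores www.example.com: each subkey is a host
        # label prefixed to its parent, so reverse the key path to get the host.
        $labels = $key.Name.Substring($rootName.Length + 1) -split '\\'
        [array]::Reverse($labels)
        $hostName = $labels -join '.'
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            # Each value is a scheme name (http, https or *) whose DWORD data is the zone id.
            $zoneId = [int]$p.Value
            $zoneLabel = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { "unknown ($zoneId)" }
            [pscustomobject]@{
                Host   = $hostName
                Scheme = $p.Name
                ZoneId = $zoneId
                Zone   = $zoneLabel
            }
        }
    }
}

$entries = Get-ZoneMapDomains
# A large Restricted Sites count is the benign case: a block list was installed.
$entries | Group-Object -Property Zone | Select-Object Name, Count
# Entries outside zone 4 are the ones worth a second look, since a malicious
# domain placed in Trusted Sites (zone 2) gets IE's relaxed security settings.
$entries | Where-Object { $_.ZoneId -ne 4 } | Sort-Object Host | Format-Table -AutoSize
```

The Zonemap.Ranges item Spybot also reported lives in the sibling ZoneMap\Ranges key, where each RangeN subkey holds a ":Range" string (an address or wildcard range) plus the same scheme-to-zone values; the same decoding applies there.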
Mon, Sep 26, 2005 5:57 pm
Installing RunUO as a Service with FireDaemon
If you are running RunUO as a gaming server, you can use FireDaemon
to run it as a Windows system service, so that it starts automatically
when Windows starts and can be started and stopped with
net stop commands, which can be issued from another computer
[ More Info ]
Fri, Sep 23, 2005 6:22 pm
FBI Cybercrime Chief Goes to China
A September 21, 2005 article titled
chief heading to China states that the FBI's assistant director of
its Cyber Division will be headed to China in November to meet with Chinese
counterparts to discuss intellectual property issues.
Software piracy in China is a big issue for Microsoft. Reportedly one can
buy copies of Microsoft Windows operating systems or Microsoft Office in China for a few dollars. An InformationWeek article titled
Microsoft Fights Piracy In China, Linux Wins states that the Business
Software Alliance, of which Microsoft is a member, alleges that 90 percent of
all software in China is pirated resulting in a $3.5 billion revenue loss
for software vendors (this of course presumes that all those using the software
would buy the software, if they couldn't get pirated versions, which is
unlikely). Microsoft has resorted to offering lower-priced versions of its software in some markets to encourage users who wouldn't be able to otherwise
afford Microsoft's software to buy legitimate copies rather than use pirated
Who knows whether Microsoft's Bill Gates was most irked by this rampant
software piracy in China or China's embrace of Linux when he reportedly
accused the Chinese government and the Chinese people of
treating Microsoft badly (I'm trying to keep this blog
P.G. rated, so see "'China has
f*cked us' - Bill Gates", if you want the details). China has embraced
Linux, which, since its source code is freely available, frees them from the
worry that Microsoft or some other company may have installed hidden back doors
that would allow other nations' spy agencies access to Chinese systems and,
of course, frees China from reliance on software companies in other nations.
I can certainly understand Microsoft executives being upset about the rampant
piracy, but, of course Microsoft's own behavior when dealing with competitors
shows that it doesn't hold ethical behavior in high regard, if such behavior
might impede the company's success.
- Federal Computer Week
September 21, 2005
- Microsoft Fights Piracy In China, Linux Wins
By Maria Trombly
September 6, 2005
'China has f*cked us' - Bill Gates
By Andrew Orlowski
September 7, 2005
Fri, Sep 23, 2005 5:57 pm
Google AdWords Placement
Robert Cringely posted an article today to his
I, Cringely website regarding
how the amount of money an advertiser spends for Google AdWords affects
the advertiser's placement with Google Adwords when someone searches for
a word which the advertiser has paid Google to associate with his website
in the ads Google displays. Paying more money for a particular word will
supposedly increase the likelihood that the advertiser's website will appear
on the first or first few pages Google displays when a search is performed
that includes the word.
In the article
Google Goes Las Vegas, Cringely reports that one of his readers who
makes his living through a website advertised through Google AdWords conducted
an experiment using a duplicate website he created. He continued paying the
same amount for AdWords associated with the primary site, but varied the
amount he paid for the identical test site. Increasing the amount he paid
for words associated with the duplicate site to 10 times the amount he paid
for the same words to be associated with the primary site increased his
revenue, though not enough to warrant the 10-fold increase in advertising costs,
but when he reduced the amount he paid for the identical site, but still kept
it above what he paid for the original site, his revenue for the duplicate site
plummeted below what he was getting for the original site, even though he was
paying more for AdWords for that site. Apparently Google's ad placement
algorithm drastically penalizes advertisers when they reduce the amount they
pay Google for advertising to discourage them from reducing spending.
Wed, Sep 21, 2005 11:35 pm
Opera Releases Ad-Free Browser for Free
Previously you had two options with the Opera
browser. You could download an
ad-supported version for free or pay $39 for an ad-free version. The
free version would show ad banners within the browser. But one could obtain
Firefox for free
without any ads. The pressure from competition with Firefox has apparently
led Opera to now provide an ad-free version at no cost.
Of course, the company needs to generate revenue by some means in
order to survive. Opera expects to generate sufficient revenue to continue
developing their browser through revenue-sharing agreements with other sites,
primarily Google, by directing traffic through Opera's built-in web search box.
Opera, of course, is also in competition with Internet Explorer (IE), which is
also free. Microsoft has the leeway of simply adding IE's development costs
into the cost of its operating systems, so the user doesn't see any separate
costs for that browser.
According to WebsideStory, IE's share among web users was 91 percent in April,
down from 97 percent in June of 1994. They rated Opera at 0.2 percent and
Firefox at 7 percent. Many people have turned to Firefox because of concerns
about IE's security.
I've only used Opera on a Unix system, where I like its ability to have
multiple webpages open in separate tabs and was impressed with its
ability to recover from crashes. When I restarted Opera, it would allow
me to go back to its state when the crash occurred with all of my previously
open tabs displayed and with the ability to back up to previously viewed pages
within those tabs. Since Opera is now free, I plan on installing it on my
Windows systems as an alternative to IE. I now have Firefox on some of those
systems as an alternative.
Opera Makes Its Browser Free, With No Ads
By Anick Jesdanun
September 21, 2005
Tue, Sep 20, 2005 11:58 pm
RB Laptop Infections
I was given a laptop running Windows XP Home Edition with a report that
it was badly infected. Norton AntiVirus 2005 was installed on the system.
It was displaying alerts that the system was infected with
I installed Bazooka Adware and Spyware
Scanner 1.13.03 on the system and updated its database to the
September 20, 2005 version. It found
the following malware:
For "Exploit ebs.fuck-access.com", I checked Bazooka's
manual removal instructions, which suggested starting the system in safe
mode and checking for various registry keys and files. I didn't find any
of the listed registry keys, but I did find two of the files:
c:\windows\system32\oleadm.dll and c:\windows\system\wp.bmp. I submitted
Jotti's Online Malware Scan for
report I received showed that many of the 14 antivirus programs Jotti
uses detected the file as being part of a trojan.
I generated a log in Bazooka, which I examined. It only listed
C:\Windows\System32\wp.bmp as being associated with "Exploit
ebs.fuck-access.com", though. It didn't list oleadm.dll, though the removal
instructions advised removing that file if it was found.
Symantec was reporting W32.Desktophijack. Its
webpage for that malware
indicates that wp.bmp is associated with W32.Desktophijack. It doesn't list
the other files that Bazooka reports are associated with "Exploit
ebs.fuck-access.com". I had to remove oleadm.dll as well as wp.bmp before
Bazooka no longer detected "Exploit ebs.fuck-access.com" on the system.
I replaced the infected wininet.dll file with an uninfected copy of the file
that was in c:\i386 (see
W32_Desktophijack - September 17, 2005 for the MD5 checksums for the
infected and uninfected versions of the file and additional information).
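Before replacing a system DLL with the copy under c:\i386, it helps to compare the two in a repeatable way rather than by eye. The PowerShell below is an added example, not from the original post: it hashes the in-use file and the installation copy, handles the case where the i386 copy is stored compressed as wininet.dl_ (expanded with expand.exe to a temporary file), and shows both version strings. The function names, the MD5 default and the temp path handling are mine; Get-FileHash requires a PowerShell version newer than what shipped with XP.

```powershell
# Added example, not from the original post. Compare the wininet.dll in use
# with the installation copy under C:\i386 before deciding to replace it.

function Get-I386Copy {
    # Return a path to the uncompressed installation copy of $FileName.
    # Setup sources keep many files compressed with a trailing underscore
    # (wininet.dl_), which expand.exe unpacks.
    param([string]$FileName, [string]$I386 = 'C:\i386')
    $plain = Join-Path $I386 $FileName
    if (Test-Path $plain) { return $plain }
    $packed = Join-Path $I386 ($FileName.Substring(0, $FileName.Length - 1) + '_')
    if (Test-Path $packed) {
        $out = Join-Path $env:TEMP $FileName
        & expand.exe $packed $out | Out-Null
        return $out
    }
    throw "No copy of $FileName found under $I386"
}

function Compare-SystemFile {
    # Hash and version of the live system32 file against the i386 copy.
    param([string]$FileName, [string]$Algorithm = 'MD5')
    $live = Join-Path $env:SystemRoot "system32\$FileName"
    $ref  = Get-I386Copy -FileName $FileName
    $liveHash = (Get-FileHash -Path $live -Algorithm $Algorithm).Hash
    $refHash  = (Get-FileHash -Path $ref  -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        File        = $FileName
        LiveHash    = $liveHash
        I386Hash    = $refHash
        Match       = ($liveHash -eq $refHash)
        LiveVersion = (Get-Item $live).VersionInfo.FileVersion
        I386Version = (Get-Item $ref).VersionInfo.FileVersion
        LiveSize    = (Get-Item $live).Length
        I386Size    = (Get-Item $ref).Length
    }
}

Compare-SystemFile -FileName 'wininet.dll' | Format-List
```

A hash mismatch on its own is not proof of tampering, because Windows Update replaces wininet.dll with newer builds than the one in i386; a mismatch where the two version strings are identical, or where the live file is the larger of two same-version copies, is the combination that warrants the replacement the post describes.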
For the "Exploit crackz.ws 1" infection, I checked under "Add or Remove
Programs" for "Content Delivery Module", "Internet Update", "OIN", "PSGuard" or
"UCMore - The Search Accelerator", which the Bazooka webpage indicated are
associated with this malware, but didn't find any of those. But I had
noticed a deleted shortcut for PSGuard in the Recycle Bin and there was an
empty "C:\Program Files\PSGuard" directory with a timestamp of 8/3/2005 6:18 PM.
Apparently the software was on the system, but was deleted by the user. When
I deleted that directory, Bazooka no longer reported the presence of
"Exploit crackz.ws 1".
To remove "Exploit Lookforthe.net", I followed the
removal instructions provided by Kephyr. I started
the system in Safe Mode and then ran the registry editor, regedit. I didn't see
an Olympic key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but I did
see an intell32.exe key with a value of "C:\WINDOWS\System32\intell32.exe".
I deleted the key and removed the file from the system. That file had a
time stamp of 9/20/2005 11:14 PM and was 6,144 bytes. The creation date
was Saturday, August 27, 2005 1:49:48 AM. I also found one of the other
files, oleext.dll, listed on the Kephyr page as being associated with this
malware. It was also in the "C:\WINDOWS\system32\" directory. At
SpyWare BeWare! -> PSGuard, I found
a reference to this file being linked to
"Trojan.Desktophijack.C". The Symantec webpage indicates
this is another piece of malware that attempts to dupe unsuspecting users
into downloading antispyware software by displaying a warning message
linked to this malware. In reality
the user's system is indeed infected - by this malware. Clicking
on the link in the displayed message will take the user to
a download.psguard.com webpage. I deleted oleext.dll. I didn't see any of
the other files Kephyr's site reported as associated with this malware. I
then went into Internet Explorer and went to "Tools" and selected "Programs",
and then "Reset Web Settings".
After removing the intell32.exe registry entry and the intell32.exe and
oleext.dll files, I rescanned the system with Bazooka Adware and Spyware
Scanner. It reported "Nothing Detected".
I then rebooted the system normally only to find Norton AntiVirus now
displaying the message "Norton AntiVirus 2005 does not support the Repair
feature, please uninstall and reinstall." I rebooted again and the message
Tue, Sep 20, 2005 11:54 am
Fri, Sep 16, 2005 7:19 pm
Differences Between Internet Explorer and Firefox
I've started documenting differences I've found in Internet Explorer
and Firefox when viewing some of the webpages I've created. Occasionally
it has taken me quite a bit of time to figure out why a page looks
different in Firefox than it does in Internet Explorer. Though some
of the differences, e.g. the underlining of acronyms, are so minor I
consider them inconsequential, others can make a page unreadable and
have sometimes taken me quite a bit of time to determine exactly why
the discrepancy is occurring.
[ More Info ]
Tue, Sep 06, 2005 11:13 pm
Setting up a Floppy-based Firewall with floppyfw
If you have an old PC, even a 386-based PC, with just 12 MB of memory and a floppy drive, you
have enough to build a firewall for home use or for use by a small
business. You can build your firewall with such minimal hardware
requirements if you use
floppyfw. In fact, you can get by with even less than 12 MB of
memory if you use an older version of floppyfw, i.e. the 1.x series
rather than the current 2.x software. And the old 1.x software is
still maintained by the developer.
[ More Info ]
Mon, Sep 05, 2005 3:45 pm
Norman Virus Warnings
Norman ASA, an antivirus vendor,
provides a virus warning service to websites, which can be viewed at
Norman Virus Warnings
or the home page for MoonPoint Support.
Sun, Sep 04, 2005 11:03 pm
When I scanned a system with
Spybot Search & Destroy, Spybot reported "Windows AdTools" was present
on the system. It identified the file c:\windows\system32\ide21201.vxd as
being part of that adware/spyware. It did not report any other files or
registry keys associated with AdTools.
[ More Info ]
Fri, Sep 02, 2005 8:52 pm
Norman Sandbox Information Center
Norman ASA provides antivirus software
and also a webpage where you can submit a file for a determination of whether
it is malware. You will need to provide an email address where the results
of the file analysis will be sent. You should get an email regarding your
file submission within a minute of submitting your file. The link for
the file submission is
You can also submit a file to Jotti's
Online Malware Scan, where it will be scanned by Norman Virus Control
as well as thirteen other scanners. The results of the analysis will be
Thu, Sep 01, 2005 7:10 pm
Configuring Windows XP Firewall for OpenSSH
If you want to set up a Windows system as an SSH server, you can use
OpenSSH for Windows
OpenSSH for Windows can be installed on Windows NT, 2000, XP, or Small
Business Server (SBS) 2003 systems. If you are installing it on a
Windows XP system with the Windows firewall activated, which will likely
be the case if Service Pack 2 has been installed on the system, then
you will need to create a firewall rule to allow SSH connectivity.
[ More Info ]
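The firewall rule itself, as an added example that is not part of the original post: on Windows XP SP2 the firewall is configured with the "netsh firewall" context, and the point worth getting right is the scope. Opening TCP port 22 to every address exposes the SSH server to the whole Internet, so the rule below restricts it to the local subnet; the rule name and the subnet in the final comment are assumed values.

```powershell
# Added example, not from the original post. Open TCP port 22 for OpenSSH on
# the Windows XP SP2 firewall, limited to the local subnet rather than the
# whole Internet. Run from an administrator prompt.

# XP SP2 and Server 2003 use the "netsh firewall" context. scope=SUBNET keeps
# the opening to the machine's own subnet; scope=ALL would expose it everywhere.
netsh firewall add portopening protocol=TCP port=22 name=OpenSSH mode=ENABLE scope=SUBNET profile=ALL

# Confirm the opening is listed and that the firewall itself is enabled.
netsh firewall show portopening
netsh firewall show state

# Remove the opening again when the SSH server is retired:
# netsh firewall delete portopening protocol=TCP port=22

# Vista and later replaced that context with "netsh advfirewall"; the same
# LAN-only rule looks like this (192.168.1.0/24 is an assumed example subnet):
# netsh advfirewall firewall add rule name=OpenSSH dir=in action=allow protocol=TCP localport=22 remoteip=192.168.1.0/24
```

If the server must be reachable from specific remote addresses rather than the local subnet, scope=CUSTOM with an addresses= list of those hosts is the XP equivalent of the remoteip= parameter; either way the rule should name the addresses that need SSH, not all of them.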