MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
August
Sun Mon Tue Wed Thu Fri Sat
     
18
19 20 21 22 23 24 25
26 27 28 29 30 31  
2018
Months
AugSep
Oct Nov Dec


Fri, Sep 15, 2017 11:04 pm

AskPartnerNetwork Directory on a Windows 10 system

A user reported her Windows 10 Professional system was running slowly. On September 14, 2017, I checked the system with SUPERAntispyware, which reported that it found the Ask Toolbar. It reported the following items associated with the toolbar:

C:\ProgramData\ASKPARTNERNETWORK\TOOLBAR
HKCU\Software\AskPartnerNetwork\Toolbar
C:\ProgramData\AskPartnerNetwork

[ More Info ]

[/security/scans] permanent link

Sun, Jul 02, 2017 11:07 pm

SUPERAntispyware Found Ask Toolbar on 2017-07-02

I scanned a Windows 10 system used by a family member on July 2, 2017 with SUPERAntispyware Free Edtion, since the system was responding more slowly than I expected even for simple actions, though the system has other antivirus software on it. The first thing that SUPERAntispyware identified was the Ask Toolbar browser extension. It showed the following information for Ask Toolbar:

Ask Toolbar

C:\ProgramData\ASKPARTNERNETWORK\TOOLBAR
HKLM\SYSTEM\CurrentControlSet\services\APNMCP
HKCU\Software\AskPartnerNetwork\Toolbar
C:\ProgramData\ASKPARTNERNETWORK

[ More Info ]

[/security/scans] permanent link

Sat, Dec 17, 2016 9:45 pm

SUPERAntiSpyware detected Search Protection

I ran a scan for malware on a Microsoft Windows 10 system using SUPERAntiSpyware, an anti-spyware program that is available as a free version, today. I ran a scan of another Windows 10 system at the same location using SUPERAntiSpyware a few days ago after the user of that system reported performance problems on her system. The other user told me that the user of the system I scanned today was also experiencing problems with her system. SUPERAntiSpyware reported "1 Item Found" on the system I scanned today. It reported that it found an application Search Protection:

Search Protection is a program that may display advertisements and is bundled with other potentially unwanted programs.

It identified the following Windows registry key as suspicious:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SearchProtectionService

[ More Info ]

[/security/scans/20161217] permanent link

Wed, Dec 14, 2016 11:04 pm

Malware scan of a Windows 10 system with McAfee Total Protect on 2016-12-14

I ran a malware scan of a Microsoft Windows 10 system yesterday after the user of the system reported that she was having problems with QuickBooks and Internet Explorer on the system and that the system had been performing poorly for some time. SUPERAntiSpyware detected Cartwheel Shopping, et al. potentially unwanted software on the system. I had SUPERAntispyware remove everything it detected, but this evening decided to also run a scan of the system with the antivirus software, McAfee Total Protection, which has been on the system since it was purchased. That antivirus software reported it detected two items. The two items detected were Adware-DealPly and PUP-XAO-ME.

[ More Info ]

[/security/scans] permanent link

Tue, Dec 13, 2016 10:24 pm

SUPERAntiSpyware detected Cartwheel Shopping, et al.

A user reported that she was having a lot of problems with her Windows 10 PC, including performance issues and problems with the Internet Explorer web browser. When I logged into an administrator account and scanned the system with SUPERAntiSpyware, an anti-spyware program that is available as a free edition, it detected Cartwheel Shopping, which it noted "is a program that may display advertisements and is bundled with other potentially unwanted programs."

[ More Info ]

[/security/scans] permanent link

Sat, Mar 22, 2014 10:49 pm

Blocking Internet access except for virus scanning sites

After a system became infected with malware, I disconnected its network cable then added rules to the firewall separating it from the Internet to block all Internet access except for DNS access to its designated DNS server provided by the user's ISP. I then granted access to the VirusTotal IP addresses on all ports. VirusTotal is a website belonging to Google that will allow you to scan files you upload to it with multiple antivirus programs to determine if they may be malware.
NameIP Addresses
virustotal.com 216.239.32.21
216.239.34.21
216.239.36.21
216.239.38.21
www.virustotal.com 74.125.34.46

After implementing the firewall rules, I reconnected the network cable to the system.

Since accessing http://virustotal.com redirects one to http://www.virustotal.com, I wasn't able to access the VirusTotal website until I added the IP address 74.125.34.4 to the list of destination IP addresses the infected system was allowed to access through the firewall. Even though I could then access the site's webapge and select a file to upload, I was unable to actually upload a file that I wanted to check for malware.

So I then added the IP address for the Jotti's malware scan website to the permitted outbound access list for the infected system. I was able to access it with a web browser on the system and upload a suspect file to have it scanned by the 22 antivirus programs the site currently uses to scan uploaded files.

NameIP Addresses
virusscan.jotti.org 209.160.72.83

[/security/scans] permanent link

Sat, Mar 22, 2014 5:42 pm

Blocking access from 171.216.29.98

I noticed entries in Apache's error log today associated with IP address 171.216.29.98:

[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] PHP Notice: Undefined index: HTTP_USER_AGENT in /home/jdoe/public_html/index.php on line 39
[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] PHP Notice: Undefined index: HTTP_USER_AGENT in /home/jdoe/public_html/index.php on line 46
[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] attempt to invoke directory as script: /home/jdoe/public_html/blog/

The error was occurring because of PHP code in the file that checks the value for HTTP_USER_AGENT.

I found that the IP address, which is allocated to a system in China, is listed at the Stop Forum Spam site as being associated with someone trying to post spam into forums today - see 171.216.29.98. And when I checked Apache's CustomLog to check the user agent for the browser the user or software program running at the site might be using to identify itself, I found that the log entries indicated that it wasn't providing user agent information, which browsers and web crawlers normally provide. The log also showed that other than that one file at the site's document root, the user or program accessing the site only queried a directory that has "forums" as part of the path. I have blog entries posted on forum software, so that may have prompted the visit to the site from that IP address, if the person or program is looking for sites where he or it can post forum spam.

I checked the "reputation" of the IP address at other sites that provide information on whether an IP address has been noted to be associated with malicous activity and found the following:

  1. Site: WatchGuard Reputation Authority
    Rating: Bad
    Reputation Score: 95/100
    Comment: The score indicates the overall ReputationAuthority reputation score, including the name and location of the ISP (Internet Service Provier), for the specified address. A score of 0-50 indicates a good to neutral reputation. 51-100 indicates that threats have been detected recently from the address and the reputation has been degraded.
  2. Site: Barracuda Reputation
    Reputation: Poor
    Comment:
  3. Site: McAfee Trusted Source
    Reputation: Unrated
    Comment:
  4. Site: Check Your IP Reputation - Miracare of Mirapoint
    Reputation: High Risk
    Comment: This IP address is used for sending Spam on a regular basis
  5. Site: BrightCloud Security Services URL/IP Lookup
    Reputation: High Risk
    Comment: Location - Chengdu, China. Spam Sources found. Webroot IP Reputation is listed as "High Risk", but lower down on the page the status assigned to the address is "Moderate Risk".

To stop any futher access to the server from that IP address, from the root account, I used the route command to reject access by the IP address.

# route add 171.216.29.9 reject

Note: the command is valid on a Linux system, but though the route command is available on a Microsoft Windows system, that operating system doesn't support the "reject" parameter.

The blocked route can be seen by issuing the route command with no parameters.

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
171.216.29.9    -               255.255.255.255 !H    0      -        0 -

If I ever want to permit access to the server from that IP address again, I could use route del 171.216.29.9 to permit access from that address.

References:

  1. Stopping an Attacker with the Route Reject Command
    MoonPoint Support
    Date: April 15, 2007

[/security/scans] permanent link

Sun, Oct 03, 2010 10:37 pm

Scan of Windows XP System on 2010-10-03 with Verizon Internet Security Suite

I ran a scan of a Windows XP Service Pack 2 system with an up-to-date version of Verizon Internet Security Suite on 2010-10-03. The software, which states it is "Powered by McAfee" reported the following:

During the full scan, McAfee detected one item that requires your attention. View the scan details to fix this issue now.

Results
Items Scanned: 324912
Items Detected: 88
Items Fixed: 87
Items Remaining: 1

Potentially Unwanted Programs Adware-Url.gen

Files Affected
C:\Program Files\Free Offers from Freeze.com\afactory.url
C:\Program Files\Free Offers from Freeze.com\bingocafe.url
C:\Program Files\Free Offers from Freeze.com\gamepipe.url
C:\Program Files\Free Offers from Freeze.com\gifart.url
C:\Program Files\Free Offers from Freeze.com\graflatscreen.url
C:\Program Files\Free Offers from Freeze.com\pcpowerscan.url
C:\Program Files\Free Offers from Freeze.com\spcasino_sep.url

I chose to have Verizon Internet Security Suite quarantine the files. When I checked on what else it had found, I found it reporting it had quarantined an instance of Spy-Agent.bw!zip, which it found in a file, bill.zip, that it found at C:\Documents and Settings\Jeanne\My Documents\Email\Embedded\bill.zip, i.e., it appeared to have quarantined an attachment to an email message. There was no indication that the file had actually led to any infection of the system, just that a zip file containing the malware had been detected. The webpage for that malware contained a link to a McAfee webpage Spy-Agent.bw, which indicated McAfee first discovered that malware on August 20, 2007.

The scan also found a lot of cookies wich the antivirus program deleted, but I consider those fairly innocuous.

[/security/scans] permanent link

Thu, Oct 23, 2008 10:30 pm

Checks on ThelmaLou

When I logged into the ThelmaLou system as the administrator to check it today, I saw the following error message:

applnch.exe - Ordinal Not Found
The ordinal 140 could not be located in the dynamic link library MAPI32.dll

OK

 

When I clicked on OK, I then saw the following:

hkcmd Module
hkcmd Module has encounterd a problem and needs to
close. We are sorry for the inconvenience.
If you were in the middle of someting, the information you were working on
might be lost.

For more information about this error, click here.

Close

 

When I clicked on "click here", I saw the following error signature information:

AppName: hkcmd.exe	 AppVer: 3.0.0.1607	 ModName: oleaut32.dll
ModVer: 5.1.2600.3266	 Offset: 000344f1 

The file C:\DOCUME~1\ADMINI~1.MAY\LOCALS~1\Temp\c0f3_appcompat.txt was associated with the error report.

I checked the system with Bazooka Adware and Spyware Scanner, even though it's malware definitions haven't been updated in almost a year; they are 340 days old now. It didn't find any malware.

I then checked the system with Spybot Search & Destroy. It reported Microsoft.WindowsSecurityCenter_disabled. with registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not)W=2, but nothing else, aside from 2 cookies. I eliminated the two cookies, one for DoubleClick and one for ValueClick.

[/security/scans] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo