Fri, Sep 15, 2017 11:04 pm

AskPartnerNetwork Directory on a Windows 10 system

A user reported her Windows 10 Professional system was running slowly. On September 14, 2017, I checked the system with SUPERAntispyware, which reported that it found the Ask Toolbar. It reported the following items associated with the toolbar:

C:\ProgramData\ASKPARTNERNETWORK\TOOLBAR
HKCU\Software\AskPartnerNetwork\Toolbar
C:\ProgramData\AskPartnerNetwork


[/security/scans] permanent link

Sun, Jul 02, 2017 11:07 pm

SUPERAntispyware Found Ask Toolbar on 2017-07-02

I scanned a Windows 10 system used by a family member on July 2, 2017 with SUPERAntispyware Free Edition, since the system was responding more slowly than I expected even for simple actions, though the system has other antivirus software on it. The first thing that SUPERAntispyware identified was the Ask Toolbar browser extension. It showed the following information for Ask Toolbar:

Ask Toolbar

C:\ProgramData\ASKPARTNERNETWORK\TOOLBAR
HKLM\SYSTEM\CurrentControlSet\services\APNMCP
HKCU\Software\AskPartnerNetwork\Toolbar
C:\ProgramData\ASKPARTNERNETWORK


[/security/scans] permanent link

Sat, Dec 17, 2016 9:45 pm

SUPERAntiSpyware detected Search Protection

I ran a scan for malware on a Microsoft Windows 10 system using SUPERAntiSpyware, an anti-spyware program that is available as a free version, today. I ran a scan of another Windows 10 system at the same location using SUPERAntiSpyware a few days ago after the user of that system reported performance problems on her system. The other user told me that the user of the system I scanned today was also experiencing problems with her system. SUPERAntiSpyware reported "1 Item Found" on the system I scanned today. It reported that it found an application Search Protection:

Search Protection is a program that may display advertisements and is bundled with other potentially unwanted programs.

It identified the following Windows registry key as suspicious:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SearchProtectionService


[/security/scans/20161217] permanent link

Wed, Dec 14, 2016 11:04 pm

Malware scan of a Windows 10 system with McAfee Total Protect on 2016-12-14

I ran a malware scan of a Microsoft Windows 10 system yesterday after the user of the system reported that she was having problems with QuickBooks and Internet Explorer on the system and that the system had been performing poorly for some time. SUPERAntiSpyware detected Cartwheel Shopping, et al. potentially unwanted software on the system. I had SUPERAntispyware remove everything it detected, but this evening decided to also run a scan of the system with the antivirus software, McAfee Total Protection, which has been on the system since it was purchased. That antivirus software reported it detected two items. The two items detected were Adware-DealPly and PUP-XAO-ME.


[/security/scans] permanent link

Tue, Dec 13, 2016 10:24 pm

SUPERAntiSpyware detected Cartwheel Shopping, et al.

A user reported that she was having a lot of problems with her Windows 10 PC, including performance issues and problems with the Internet Explorer web browser. When I logged into an administrator account and scanned the system with SUPERAntiSpyware, an anti-spyware program that is available as a free edition, it detected Cartwheel Shopping, which it noted "is a program that may display advertisements and is bundled with other potentially unwanted programs."


[/security/scans] permanent link

Sat, Mar 22, 2014 10:49 pm

Blocking Internet access except for virus scanning sites

After a system became infected with malware, I disconnected its network cable then added rules to the firewall separating it from the Internet to block all Internet access except for DNS access to its designated DNS server provided by the user's ISP. I then granted access to the VirusTotal IP addresses on all ports. VirusTotal is a website belonging to Google that will allow you to scan files you upload to it with multiple antivirus programs to determine if they may be malware.
Name                 IP Addresses
virustotal.com       216.239.32.21
                     216.239.34.21
                     216.239.36.21
                     216.239.38.21
www.virustotal.com   74.125.34.46

After implementing the firewall rules, I reconnected the network cable to the system.

Since accessing http://virustotal.com redirects one to http://www.virustotal.com, I wasn't able to access the VirusTotal website until I added the IP address 74.125.34.4 to the list of destination IP addresses the infected system was allowed to access through the firewall. Even though I could then access the site's webpage and select a file to upload, I was unable to actually upload a file that I wanted to check for malware.

So I then added the IP address for the Jotti's malware scan website to the permitted outbound access list for the infected system. I was able to access it with a web browser on the system and upload a suspect file to have it scanned by the 22 antivirus programs the site currently uses to scan uploaded files.

Name                 IP Addresses
virusscan.jotti.org  209.160.72.83

[/security/scans] permanent link

Sat, Mar 22, 2014 5:42 pm

Blocking access from 171.216.29.98

I noticed entries in Apache's error log today associated with IP address 171.216.29.98:

[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] PHP Notice: Undefined index: HTTP_USER_AGENT in /home/jdoe/public_html/index.php on line 39
[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] PHP Notice: Undefined index: HTTP_USER_AGENT in /home/jdoe/public_html/index.php on line 46
[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] attempt to invoke directory as script: /home/jdoe/public_html/blog/

The error was occurring because of PHP code in the file that checks the value for HTTP_USER_AGENT.

I found that the IP address, which is allocated to a system in China, is listed at the Stop Forum Spam site as being associated with someone trying to post spam into forums today - see 171.216.29.98. And when I checked Apache's CustomLog to check the user agent for the browser the user or software program running at the site might be using to identify itself, I found that the log entries indicated that it wasn't providing user agent information, which browsers and web crawlers normally provide. The log also showed that other than that one file at the site's document root, the user or program accessing the site only queried a directory that has "forums" as part of the path. I have blog entries posted on forum software, so that may have prompted the visit to the site from that IP address, if the person or program is looking for sites where he or it can post forum spam.
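As an added example (not part of the original post), the following Python checks an error_log excerpt and an access log for the pattern described above: a client that triggers the HTTP_USER_AGENT notice because it sends no User-Agent header. The error_log lines are the post's own; the combined-format access-log lines and the 192.0.2.10 browser client are constructed for the example.

```python
import re
from collections import defaultdict
# Apache 2.2 error_log line: [timestamp] [level] [client IP] message
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] '
                      r'\[client (?P<ip>[\d.]+)\] (?P<msg>.*)$')
# Apache "combined" CustomLog line; the last quoted field is the User-Agent,
# logged as "-" when the client sent no User-Agent header at all.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Two of the error_log lines quoted in the post.
ERROR_LOG = [
    '[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] PHP Notice: '
    'Undefined index: HTTP_USER_AGENT in /home/jdoe/public_html/index.php on line 39',
    '[Sat Mar 22 15:23:58 2014] [error] [client 171.216.29.98] attempt to invoke '
    'directory as script: /home/jdoe/public_html/blog/',
]
# Constructed access-log lines (not from the post): the same client with no
# User-Agent, and an ordinary browser visit for contrast.
ACCESS_LOG = [
    '171.216.29.98 - - [22/Mar/2014:15:23:58 -0400] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '171.216.29.98 - - [22/Mar/2014:15:23:59 -0400] "GET /blog/forums/ HTTP/1.1" 404 290 "-" "-"',
    '192.0.2.10 - - [22/Mar/2014:15:30:01 -0400] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"',
]

def parse_error_log(lines):
    """Map client IP -> list of error messages for every parseable line."""
    by_ip = defaultdict(list)
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            by_ip[m.group('ip')].append(m.group('msg'))
    return dict(by_ip)

def clients_without_user_agent(lines):
    """Map client IP -> request lines for hits that carried no User-Agent."""
    by_ip = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group('ua') in ('', '-'):
            by_ip[m.group('ip')].append(m.group('req'))
    return dict(by_ip)

def suspicious_clients(error_lines, access_lines):
    """IPs that both triggered the HTTP_USER_AGENT notice and sent no User-Agent."""
    notices = parse_error_log(error_lines)
    no_ua = clients_without_user_agent(access_lines)
    return sorted(ip for ip, msgs in notices.items()
                  if ip in no_ua and any('HTTP_USER_AGENT' in m for m in msgs))
```

Running the same two functions over a real error_log and CustomLog (one line per list element) gives the list of clients worth a reputation lookup like the one in this post.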

I checked the "reputation" of the IP address at other sites that provide information on whether an IP address has been noted to be associated with malicious activity and found the following:

  1. Site: WatchGuard Reputation Authority
    Rating: Bad
    Reputation Score: 95/100
    Comment: The score indicates the overall ReputationAuthority reputation score, including the name and location of the ISP (Internet Service Provider), for the specified address. A score of 0-50 indicates a good to neutral reputation. 51-100 indicates that threats have been detected recently from the address and the reputation has been degraded.
  2. Site: Barracuda Reputation
    Reputation: Poor
    Comment:
  3. Site: McAfee Trusted Source
    Reputation: Unrated
    Comment:
  4. Site: Check Your IP Reputation - Miracare of Mirapoint
    Reputation: High Risk
    Comment: This IP address is used for sending Spam on a regular basis
  5. Site: BrightCloud Security Services URL/IP Lookup
    Reputation: High Risk
    Comment: Location - Chengdu, China. Spam Sources found. Webroot IP Reputation is listed as "High Risk", but lower down on the page the status assigned to the address is "Moderate Risk".

To stop any further access to the server from that IP address, from the root account, I used the route command to reject access by the IP address.

# route add 171.216.29.9 reject

Note: the command is valid on a Linux system, but though the route command is available on a Microsoft Windows system, that operating system doesn't support the "reject" parameter.

The blocked route can be seen by issuing the route command with no parameters.

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
171.216.29.9    -               255.255.255.255 !H    0      -        0 -

If I ever want to permit access to the server from that IP address again, I could use route del 171.216.29.9 to permit access from that address.

References:

  1. Stopping an Attacker with the Route Reject Command
    MoonPoint Support
    Date: April 15, 2007

[/security/scans] permanent link

Sun, Oct 03, 2010 10:37 pm

Scan of Windows XP System on 2010-10-03 with Verizon Internet Security Suite

I ran a scan of a Windows XP Service Pack 2 system with an up-to-date version of Verizon Internet Security Suite on 2010-10-03. The software, which states it is "Powered by McAfee," reported the following:

During the full scan, McAfee detected one item that requires your attention. View the scan details to fix this issue now.

Results
Items Scanned: 324912
Items Detected: 88
Items Fixed: 87
Items Remaining: 1

Potentially Unwanted Programs Adware-Url.gen

Files Affected
C:\Program Files\Free Offers from Freeze.com\afactory.url
C:\Program Files\Free Offers from Freeze.com\bingocafe.url
C:\Program Files\Free Offers from Freeze.com\gamepipe.url
C:\Program Files\Free Offers from Freeze.com\gifart.url
C:\Program Files\Free Offers from Freeze.com\graflatscreen.url
C:\Program Files\Free Offers from Freeze.com\pcpowerscan.url
C:\Program Files\Free Offers from Freeze.com\spcasino_sep.url

I chose to have Verizon Internet Security Suite quarantine the files. When I checked on what else it had found, I found it reporting it had quarantined an instance of Spy-Agent.bw!zip, which it found in a file, bill.zip, that it found at C:\Documents and Settings\Jeanne\My Documents\Email\Embedded\bill.zip, i.e., it appeared to have quarantined an attachment to an email message. There was no indication that the file had actually led to any infection of the system, just that a zip file containing the malware had been detected. The webpage for that malware contained a link to a McAfee webpage Spy-Agent.bw, which indicated McAfee first discovered that malware on August 20, 2007.

The scan also found a lot of cookies which the antivirus program deleted, but I consider those fairly innocuous.

[/security/scans] permanent link

Thu, Oct 23, 2008 10:30 pm

Checks on ThelmaLou

When I logged into the ThelmaLou system as the administrator to check it today, I saw the following error message:

applnch.exe - Ordinal Not Found
The ordinal 140 could not be located in the dynamic link library MAPI32.dll

OK

 

When I clicked on OK, I then saw the following:

hkcmd Module
hkcmd Module has encountered a problem and needs to
close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on
might be lost.

For more information about this error, click here.

Close

 

When I clicked on "click here", I saw the following error signature information:

AppName: hkcmd.exe	 AppVer: 3.0.0.1607	 ModName: oleaut32.dll
ModVer: 5.1.2600.3266	 Offset: 000344f1 

The file C:\DOCUME~1\ADMINI~1.MAY\LOCALS~1\Temp\c0f3_appcompat.txt was associated with the error report.

I checked the system with Bazooka Adware and Spyware Scanner, even though its malware definitions haven't been updated in almost a year; they are 340 days old now. It didn't find any malware.

I then checked the system with Spybot Search & Destroy. It reported Microsoft.WindowsSecurityCenter_disabled with registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not)W=2, but nothing else, aside from 2 cookies. I eliminated the two cookies, one for DoubleClick and one for ValueClick.

[/security/scans] permanent link
