
Wed, Sep 28, 2005 12:10 am

RB Laptop Infections - Sept 26 2005

I updated the Norton AntiVirus 2005 virus definitions on R.B.'s laptop from ones dated 8/3/2005 to ones dated 9/26/2005, using the latest Intelligent Updater virus definitions, to prepare for running a full scan of the system. But before I could run the scan, a window opened displaying a virus alert.

Norton AntiVirus

Virus Alert
Object Name:  C:\WINDOWS\system32\hhk.dll
Virus Name:   Trojan Horse
Action Taken: Unable to repair this file.

When I clicked on "OK", I got the message "Access to the file was denied". And when I clicked on "OK" for that message, I was back to the original message, stuck in a loop in which dismissing one message brought up the other over and over again.

Clicking on the Trojan Horse link just brought up a Symantec webpage with generic information on trojans, which was of no help at all. Unfortunately, Symantec seems to provide a generic "trojan" page for many trojans when surely they must have some information on particular trojans.

Sophos links hhk.dll to Troj/Puper-D, which it describes as "a browser hacking Trojan for the Windows platform." It indicates that the file shnlog.exe is associated with this trojan. I've seen references to shnlog.exe not closing properly when I shut down the system, i.e. messages indicating the application failed to initialize because the system is shutting down.

I ran a complete scan of the system even though the hhk.dll virus alert couldn't be dismissed. That scan found the following:

Filename      Threat name        Action         Status
hhk.dll       Trojan Horse       Virus found    Infected
hp832A.tmp    Trojan Horse       Virus found    Infected
intmon.exe    Trojan Horse       Virus found    Infected
popuper.exe   Adware.popuppers   Adware found   At risk
shnlog.exe    Adware.popuppers   Adware found   At risk

The files were found in the following locations:

File          Location
hhk.dll       c:\windows\system32
hp832A.tmp    c:\windows\system32
intmon.exe    c:\windows\system32
popuper.exe   c:\windows
shnlog.exe    c:\windows\system32

I opted to have Norton AntiVirus attempt to fix the problems. It reported "quarantine failed" for hhk.dll and hp832A.tmp. It then asked if I wanted to delete files. It was still unable to remove everything, reporting "delete failed" for hhk.dll, hp832A.tmp, popuper.exe, and shnlog.exe. It reported intmon.exe as "quarantined".

I started regedit. I noticed that there was still a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run named "PSGuard spyware remover" with the data "C:\Program Files\PSGuard\PSGuard.exe". That malware had previously been removed, so I removed the entry.

And since the Sophos webpage states that the Troj/Puper-D trojan creates a registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run named paint.exe, which points to shnlog.exe, in order to run itself at startup, I removed that entry, as well as one named notepad2.exe, which pointed to popuper.exe.

Name          Type     Data
paint.exe     REG_SZ   shnlog.exe
notepad2.exe  REG_SZ   popuper.exe

I then rebooted. Norton AntiVirus was then reporting hp8A66.tmp as a Trojan Horse and indicating it couldn't repair it. When I dismissed its warnings for that file, it reported it couldn't repair HHK.DLL again.

I tried deleting shnlog.exe, but couldn't delete the file, and when I checked the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run, I found the paint.exe entry was back, pointing to shnlog.exe. I deleted it again and within a few moments it was back again.
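An autorun entry that comes back moments after it is deleted is the usual sign that a running process is re-creating it, so the process, not the registry value, is what has to be dealt with first. The PowerShell script below is an added example and is not part of the original post: it takes two snapshots of the standard Windows autorun registry locations (the key paths are the ordinary Windows ones; the 30-second window between snapshots is an arbitrary choice), reports entries added or removed in between, and for every entry resolves the command to a file and shows whether the file exists and whether it carries a valid Authenticode signature. Run it as an administrator so the HKLM keys are readable.

```powershell
# Added example (not from the original post). Snapshot the standard autorun
# registry locations twice and report what changed in between. Deleting a
# suspect entry during the wait and seeing it listed as ADDED afterwards is
# the re-creation behaviour described above for the paint.exe entry.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Properties the registry provider adds to every Get-ItemProperty result.
# Filtered by exact name so a real value such as "PSGuard spyware remover"
# (which also starts with "PS") is not dropped by accident.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-AutorunCommand {
    # Extract the executable from an autorun command line. Policies\Explorer\Run
    # values are often a bare file name ("shnlog.exe") that Windows locates in
    # the system directories, so bare names are looked up with Get-Command.
    param([string]$CommandLine)
    $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    if ([string]::IsNullOrWhiteSpace($exe)) { return $exe }
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found) { return $found.Source } else { return $exe }
}

function Get-AutorunSnapshot {
    # Returns a hashtable keyed by "<key> -> <value name>" holding the command line.
    $entries = @{}
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $entries["$key -> $($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Show-AutorunEntry {
    param([string]$Label, [string]$CommandLine)
    $exe = Resolve-AutorunCommand -CommandLine $CommandLine
    $state = 'missing on disk'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $state = "signature: $($sig.Status); modified: $((Get-Item -LiteralPath $exe).LastWriteTime)"
    }
    "{0}`n    command: {1}`n    file:    {2} ({3})" -f $Label, $CommandLine, $exe, $state
}

$before = Get-AutorunSnapshot
Write-Output "Current autorun entries:"
foreach ($k in ($before.Keys | Sort-Object)) { Show-AutorunEntry -Label $k -CommandLine $before[$k] }

Write-Output "`nWaiting 30 seconds; delete the suspect entry now to test whether it is re-created..."
Start-Sleep -Seconds 30
$after = Get-AutorunSnapshot

foreach ($k in $after.Keys) {
    if (-not $before.ContainsKey($k)) { Write-Output "ADDED   $k = $($after[$k])" }
}
foreach ($k in $before.Keys) {
    if (-not $after.ContainsKey($k)) { Write-Output "REMOVED $k" }
}
```

The Policies\Explorer\Run keys are worth a look whenever they exist at all: they are normally absent unless Group Policy created them, which is exactly why malware likes them as a less-inspected alternative to the ordinary Run key. Running the script from Safe Mode, where the re-creating process is usually not started, gives a clean baseline to compare against.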

I then rebooted the system into Safe Mode and ran a scan of the system with Spybot Search & Destroy 1.4 using adware/spyware definitions from 9/23/2005. It found a plethora of malware, including AV-Gold. On a BleepingComputer.Com webpage titled "How to remove AntiVirus Gold or AVGold", I found the following description for it:

Antivirus Gold is a supposed AntiSpyware application that gets installed by Spyware/malware without asking for permission. This infection hijacks your desktop to display an ad stating you need to buy an antispyware program.

There were also removal instructions on that webpage, but I chose to have Spybot remove it. Spybot also found remnants of PSGuard, which likewise purports to offer protection for your system, still on the system. It also reported CoolWWWSearch.ToonComics, PSGuard.msmsgs, QuickNavigate, Smitfraud-C, and Zonemap.Ranges.

When I chose to have Spybot remove everything it found, it reported that it couldn't fix 14 items and asked if it could run again when the system was rebooted. I indicated "yes" and rebooted. A Spybot scan ran again immediately after I rebooted, but again it couldn't remove everything and suggested it be run immediately after a system restart, so I rebooted again after it completed its second scan. On the next scan, it found 27 registry entries related to Smitfraud-C, which I requested it fix. However, Spybot reported it fixed 0 of the 27 problems it found and again suggested a reboot to fix the problems it couldn't fix. But again it found 27 entries for Smitfraud-C and reported "Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart." Again it asked "May Spybot S&D run on your next system startup?" This time I answered "no", since it seemed unable to deal with the problem.

But it seems to have dealt with HHK.DLL, since it was no longer in the c:\windows\system32 folder and Norton AntiVirus is no longer displaying alerts immediately after the system is rebooted.

I noticed SpyCatcher was on the system, though I didn't see any process named "spycatcher" in the Task Manager processes list. When I went to "Start" and "Programs", there was a group titled "SpyCatcher", but the only entry within it was "Uninstall Spycatcher", though all of the files, including a SpyCatcher.exe, appeared to be present under "C:\Program Files\SpyCatcher". At the Tenebril webpage selling the product, the first feature listed for it is "Allows novice PC users to remove aggressive spyware". The Spyware Warrior Rogue/Suspect Anti-Spyware Products & Web Sites page stated it was a lesser-known antispyware product that had been tested but not found to be a rogue/suspect antispyware product. Products purporting to be antispyware programs that "are of unknown, questionable, or dubious value as anti-spyware protection" are placed on the rogue/suspect list maintained at that webpage.

In addition to selling SpyCatcher, the Tenebril website also offers a free online scan for spyware at Free Online Spyware Scan.

Since SpyCatcher wasn't listed as a dubious antispyware program, I started it, but was presented with the message "Before using SpyCatcher, you must register the product with your e-mail address and CD order number." I found a positive review, SpyCatcher Review by Chris Hall at Pocket-lint.co.uk and a four-star rating for it at SpyCatcher - adware and spyware scanner on the SnapFiles website.

Since the price was only $19.95, I decided to try the product to see how it performed. After purchasing it, I was given a serial number, which I entered on the infected system. I couldn't immediately run the software, however. It insisted I must log onto the Internet to unlock SpyCatcher. So, if you had a serious adware/spyware problem that prevented you from accessing the Internet, which I've seen occur on many systems, you wouldn't be able to use the software unless you already had it installed and registered on the infected system.

I updated SpyCatcher and had it scan the system. It appeared to get stuck on the "Loading fingerprint library" phase. It indicated it loaded 13,336 fingerprints and then appeared to hang. It didn't show any updates to the "running programs scanned", "registry items scanned", or "files and folders scanned" counters.

After killing the SpyCatcher.exe process and restarting it only to get the same results, I gave up on it and installed Microsoft AntiSpyware Beta1. I ran the default "intelligent quick scan", but it found nothing, so I ran a "full scan" with all options selected. It took twice as long, about 10 minutes versus about 5 minutes for the quick scan, but also found nothing.

I then decided to run another scan with Norton AntiVirus 2005 to see what it was still reporting. While that was running, a Norton Personal Firewall alert popped up stating that "tgshell.exe is attempting to connect to a DNS server" and asking "what do you want to do?" When I searched for information on tgshell.exe, I found the following at Task List Programs - T on the AnswersThatWork.com site.

Tgmd (Tgmd.exe)
(Tioga Software / Support.com)

This is the sort of software we classify as spyware. It is part of Tioga Software's remote support and management tools (Tioga.com, Support.com, and SupportSoft.com are one and the same company) and is installed by the setup CD of the @Home ISP (@Home and MediaOne are now part of Comcast, with the ComcastSupport software being the main culprit for introducing TGCMD on a PC). The Tioga/SupportSoft.com software is also included in the Sony Support software that comes with some Sony Vaios and HP Pavilions. The original intention of TG CMD is to have your @Home service or systems software automatically updated when you are online, to provide a remote support technician with setup information about your PC, and, in some cases, to allow the remote support technician to connect to your PC and see what you are doing; in short, technical support is indeed the original intention; unfortunately, its features are also very useful to advertisers and so, depending on who supplied it, TGCMD will also collect information from your PC, which web pages you have visited, what you have downloaded, and permission based information about your system, its software, its settings, etc. As if that were not enough for us to recommend disabling it, it has additionally also been known to create a WININIT.INI file in the Windows folder, something which straight away prevents Windows ME users from using the extremely valuable System Restore feature of Windows ME. Finally, many users have also reported: being unable to clear the Internet history files when it is running, Eudora startup problems, SDCSchedulerWindow error messages on shutdown of Windows, and inability to delete video, audio, or graphics files.

Recommendation:
If you are a Comcast customer, de-install "Comcast Support" through the Add/Remove icon in your Control Panel. Next, look up BJCFD in these Task List pages. If you have a Sony Vaio, de-install the "Vaio Support Agent" through the Add/Remove icon in your Control Panel. In all cases, if the de-installation of Comcast Support or Vaio Support Agent does not remove TGCMD after a reboot, then immediately disable TGCMD using The Ultimate Troubleshooter!

Tgshell (TGSHELL.exe)
(Tioga Software / Support.com)

Read TGCMD above.

Recommendation:
Absolutely nightmarish software which eats up CPU, drives the hard disk hard, causes boot-up Kernel32 errors, generates illegal operations, invalid page faults, and much more. De-install as per instructions for TGMD above.

I chose to "Always block connections from this program on all ports" for tgshell.exe.

When the Norton AntiVirus scan completed, it reported "no threats found." I ran a Spybot scan again and it again found the same 27 Smitfraud-C registry entries, under HKEY_USERS\...\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\, which it couldn't fix. It appears to be reporting all of the sites that are listed in Internet Explorer's Restricted sites zone, which is the zone Internet Explorer uses to restrict access to "Web sites that could potentially damage your computer or data", so it appears to be a false positive rather than any real threat.
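Whether a ZoneMap\Domains entry is harmless depends entirely on which zone number it carries: 4 is Restricted sites (the block-list entries Spybot was flagging), while 2 is Trusted sites, where Internet Explorer relaxes its security settings for that host. The PowerShell script below is an added example, not part of the original post, that walks the current user's ZoneMap\Domains key (the standard HKCU location; the zone numbering 0 to 4 is Internet Explorer's own), names the zone of every domain and host entry, and separates the restricted-site listings from the trusted-site entries that actually deserve review.

```powershell
# Added example (not from the original post). List Internet Explorer's
# per-site zone assignments and tell restricted-site block lists apart from
# trusted-site entries. Requires PowerShell on Windows.

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Read-ZoneValues {
    # Each value under a domain (or host) key is a protocol name such as "*",
    # "http" or "https", and its DWORD data is the zone number.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$HostName)
    foreach ($protocol in $Key.GetValueNames()) {
        $raw = $Key.GetValue($protocol)
        $zone = if ($raw -is [int]) { $raw } else { -1 }   # -1 marks malformed data
        $zoneName = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'unknown' }
        [PSCustomObject]@{
            Host     = $HostName
            Protocol = $protocol
            Zone     = $zone
            ZoneName = $zoneName
        }
    }
}

function Get-ZoneMapEntries {
    param(
        [string]$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path -Path $DomainsKey)) { return @() }
    $entries = @()
    foreach ($domain in Get-ChildItem -Path $DomainsKey) {
        # Values directly on the domain key apply to the domain itself ...
        $entries += @(Read-ZoneValues -Key $domain -HostName $domain.PSChildName)
        # ... and each subkey is a host label inside that domain, e.g. "www".
        foreach ($sub in Get-ChildItem -Path $domain.PSPath) {
            $entries += @(Read-ZoneValues -Key $sub -HostName "$($sub.PSChildName).$($domain.PSChildName)")
        }
    }
    return $entries
}

$entries    = @(Get-ZoneMapEntries)
$restricted = @($entries | Where-Object { $_.Zone -eq 4 })
$trusted    = @($entries | Where-Object { $_.Zone -eq 2 })

Write-Output ("{0} ZoneMap entries: {1} in Restricted sites, {2} in Trusted sites" -f $entries.Count, $restricted.Count, $trusted.Count)

if ($trusted.Count -gt 0) {
    Write-Output "`nTrusted-site entries (review each one; IE applies relaxed security settings to these hosts):"
    $trusted | Sort-Object Host | Format-Table Host, Protocol, ZoneName -AutoSize
}

Write-Output "`nRestricted-site entries (block lists of the kind Spybot reported as Smitfraud-C):"
$restricted | Sort-Object Host | Format-Table Host, Protocol, ZoneName -AutoSize
```

To inspect another user's hive, as in the HKEY_USERS path Spybot reported, map the hive first with New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS and pass the matching HKU:\<SID>\Software\...\ZoneMap\Domains path as -DomainsKey; when the "Security Zones: Use only machine settings" policy is in force the same key under HKLM is the one that counts.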

[/security/viruses] permanent link

Mon, Sep 26, 2005 5:57 pm

Installing RunUO as a Service with FireDaemon

If you are running RunUO as a gaming server, you can use FireDaemon to run it as a Windows system service, so that it starts automatically when Windows starts and can be started and stopped with net start and net stop commands, which can be issued from another computer if desired.

[ More Info ]

[/gaming/runuo/firedaemon] permanent link

Fri, Sep 23, 2005 6:22 pm

FBI Cybercrime Chief Goes to China

A September 21, 2005 article titled FBI cybercrime chief heading to China states that the FBI's assistant director of its Cyber Division will be headed to China in November to meet with Chinese counterparts to discuss intellectual property issues.

Software piracy in China is a big issue for Microsoft. Reportedly one can buy copies of Microsoft Windows operating systems or Microsoft Office in China for a few dollars. An InformationWeek article titled Microsoft Fights Piracy In China, Linux Wins states that the Business Software Alliance, of which Microsoft is a member, alleges that 90 percent of all software in China is pirated, resulting in a $3.5 billion revenue loss for software vendors (this of course presumes that all those using the software would buy it if they couldn't get pirated versions, which is unlikely). Microsoft has resorted to offering lower-priced versions of its software in some markets to encourage users who otherwise couldn't afford Microsoft's software to buy legitimate copies rather than use pirated ones.

Who knows whether Microsoft's Bill Gates was most irked by this rampant software piracy in China or by China's embrace of Linux when he reportedly accused the Chinese government and the Chinese people of treating Microsoft badly (I'm trying to keep this blog PG-rated, so see "'China has f*cked us' - Bill Gates" if you want the details). China has embraced Linux, which, since its source code is freely available, frees them from the worry that Microsoft or some other company may have installed hidden back doors that would allow other nations' spy agencies access to Chinese systems and, of course, frees China from reliance on software companies in other nations. I can certainly understand Microsoft executives being upset about the rampant piracy, but, of course, Microsoft's own behavior when dealing with competitors shows that it doesn't hold ethical behavior in high regard if such behavior might impede the company's success.

References:

  1. FBI cybercrime chief heading to China
     Federal Computer Week
     September 21, 2005
  2. Microsoft Fights Piracy In China, Linux Wins
     By Maria Trombly
     Byte.com
     September 6, 2005
  3. 'China has f*cked us' - Bill Gates
     By Andrew Orlowski
     The Register
     September 7, 2005

[/security/crime] permanent link

Fri, Sep 23, 2005 5:57 pm

Google AdWords Placement

Robert Cringely posted an article today on his I, Cringely website about how the amount of money an advertiser spends on Google AdWords affects the advertiser's placement when someone searches for a word the advertiser has paid Google to associate with his website in the ads Google displays. Paying more money for a particular word will supposedly increase the likelihood that the advertiser's website will appear on the first page or first few pages Google displays when a search is performed that includes the word.

In the article Google Goes Las Vegas, Cringely reports that one of his readers, who makes his living through a website advertised through Google AdWords, conducted an experiment using a duplicate website he created. He continued paying the same amount for AdWords associated with the primary site, but varied the amount he paid for the identical test site. Increasing the amount he paid for words associated with the duplicate site to 10 times the amount he paid for the same words on the primary site increased his revenue, though not enough to warrant the 10-fold increase in advertising costs. But when he reduced the amount he paid for the duplicate site, while still keeping it above what he paid for the original site, his revenue for the duplicate site plummeted below what he was getting for the original site, even though he was paying more for AdWords for that site. Apparently Google's ad placement algorithm drastically penalizes advertisers when they reduce the amount they pay Google for advertising, to discourage them from reducing spending.

[/network/web/shopping] permanent link

Wed, Sep 21, 2005 11:35 pm

Opera Releases Ad-Free Browser for Free

Previously you had two options with the Opera browser. You could download an ad-supported version for free or pay $39 for an ad-free version. The free version would show ad banners within the browser. But one could obtain Firefox for free without any ads. The pressure from competition with Firefox has apparently led Opera to now provide an ad-free version at no cost.

Of course, the company needs to generate revenue by some means in order to survive. Opera expects to generate sufficient revenue to continue developing their browser through revenue-sharing agreements with other sites, primarily Google, by directing traffic through Opera's built-in web search box.

Opera, of course, is also in competition with Internet Explorer (IE), which is also free. Microsoft has the leeway of simply folding IE's development costs into the cost of its operating systems, so the user doesn't see any separate cost for that browser.

According to WebsideStory, IE's share among web users was 91 percent in April, down from 97 percent in June of 1994. They rated Opera at 0.2 percent and Firefox at 7 percent. Many people have turned to Firefox because of concerns about IE's security.

I've only used Opera on a Unix system, where I like its ability to have multiple webpages open in separate tabs and was impressed with its ability to recover from crashes. When I restarted Opera, it would allow me to go back to its state when the crash occurred, with all of my previously open tabs displayed and with the ability to go back to previously viewed pages within those tabs. Since Opera is now free, I plan on installing it on my Windows systems as an alternative to IE. I now have Firefox on some of those systems as an alternative.

References:

  1. Opera Makes Its Browser Free, With No Ads
    By Anick Jesdanun
    Associated Press
    September 21, 2005

[/network/web/browser] permanent link

Tue, Sep 20, 2005 11:58 pm

RB Laptop Infections

I was given a laptop running Windows XP Home Edition with a report that it was badly infected. Norton AntiVirus 2005 was installed on the system. It was displaying alerts that the system was infected with W32.Desktophijack.

I installed Bazooka Adware and Spyware Scanner 1.13.03 on the system and updated its database to the September 20, 2005 version. It found the following malware:

Exploit ebs.fuck-access.com
Exploit crackzws-1
Exploit Lookforthe.net

For "Exploit ebs.fuck-access.com", I checked Bazooka's manual removal instructions, which suggested starting the system in safe mode and checking for various registry keys and files. I didn't find any of the listed registry keys, but I did find two of the files: c:\windows\system32\oleadm.dll and c:\windows\system\wp.bmp. I submitted oleadm.dll to Jotti's Online Malware Scan for analysis. The report I received showed that many of the 14 antivirus programs Jotti uses detected the file as being part of a trojan.

I generated a log in Bazooka, which I examined. It only listed C:\Windows\System32\wp.bmp as being associated with "Exploit ebs.fuck-access.com", though. It didn't list oleadm.dll, though the removal instructions advised removing that file if it was found. Symantec was reporting W32.Desktophijack. Its webpage for that malware indicates that wp.bmp is associated with W32.Desktophijack. It doesn't list the other files that Bazooka reports are associated with "Exploit ebs.fuck-access.com". I had to remove oleadm.dll as well as wp.bmp before Bazooka no longer detected "Exploit ebs.fuck-access.com" on the system.

I replaced the infected wininet.dll file with an uninfected copy of the file that was in c:\i386 (see W32_Desktophijack - September 17, 2005 for the MD5 checksums for the infected and uninfected versions of the file and additional information).

For the "Exploit crackz.ws 1" infection, I checked under "Add or Remove Programs" for "Content Delivery Module", "Internet Update", "OIN", "PSGuard" or "UCMore - The Search Accelerator", which the Bazooka webpage indicated are associated with this malware, but didn't find any of those. But I had noticed a deleted shortcut for PSGuard in the Recycle Bin and there was an empty "C:\Program Files\PSGuard" directory with a timestamp of 8/3/2005 6:18 PM. Apparently the software was on the system, but was deleted by the user. When I deleted that directory, Bazooka no longer reported the presence of "Exploit crackz.ws 1".

To remove "Exploit Lookforthe.net", I followed the removal instructions provided by Kephyr. I started the system in Safe Mode and then ran the registry editor, regedit. I didn't see an Olympic entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but I did see an intell32.exe entry with a value of "C:\WINDOWS\System32\intell32.exe". I deleted the entry and removed the file from the system. That file had a time stamp of 9/20/2005 11:14 PM and was 6,144 bytes. The creation date was Saturday, August 27, 2005 1:49:48 AM.

I also found one of the other files, oleext.dll, listed on the Kephyr page as being associated with this malware. It was also in the "C:\WINDOWS\system32\" directory. At SpyWare BeWare! -> PSGuard, I found a reference to this file being linked to "Trojan.Desktophijack.C". The Symantec webpage indicates this is another piece of malware that attempts to dupe unsuspecting users into downloading antispyware software by displaying a warning message linked to this malware. In reality the user's system is indeed infected, by this malware. Clicking on the link in the displayed message will take the user to a download.psguard.com webpage. I deleted oleext.dll. I didn't see any of the other files Kephyr's site reported as associated with this malware. I then went into Internet Explorer, went to "Tools", selected "Programs", and then "Reset Web Settings".

After removing the intell32.exe registry entry and the intell32.exe and oleext.dll files, I rescanned the system with Bazooka Adware and Spyware Scanner. It reported "Nothing Detected".

I then rebooted the system normally only to find Norton AntiVirus now displaying the message "Norton AntiVirus 2005 does not support the Repair feature, please uninstall and reinstall." I rebooted again and the message didn't reappear.

[/security/viruses] permanent link

Tue, Sep 20, 2005 11:54 am

Whazit Detected with Bazooka

Scanning a system with Bazooka Adware and Spyware Scanner, I found components of Whazit and Media Loads, which I manually removed.

[/security/spyware/whazit] permanent link

Fri, Sep 16, 2005 7:19 pm

Differences Between Internet Explorer and Firefox

I've started documenting differences I've found in Internet Explorer and Firefox when viewing some of the webpages I've created. Occasionally it has taken me quite a bit of time to figure out why a page looks different in Firefox than it does in Internet Explorer. Though some of the differences, e.g. the underlining of acronyms, are so minor I consider them inconsequential, others can make a page unreadable and have sometimes taken me quite a bit of time to determine exactly why the discrepancy is occurring.

[ More Info ]

[/network/web/browser] permanent link

Tue, Sep 06, 2005 11:13 pm

Setting up a Floppy-based Firewall with floppyfw

If you have an old PC, even a 386-based PC, with just 12 MB of memory and a floppy drive, you have enough to build a firewall for home use or for use by a small business. You can build your firewall with such minimal hardware requirements if you use floppyfw. In fact, you can get by with even less than 12 MB of memory if you use an older version of floppyfw, i.e. the 1.x series rather than the current 2.x software. And the old 1.x software is still maintained by the developer.

[ More Info ]

[/os/unix/linux/network/firewall] permanent link

Mon, Sep 05, 2005 3:45 pm

Norman Virus Warnings

Norman ASA, an antivirus vendor, provides a virus warning service to websites, which can be viewed at Norman Virus Warnings or the home page for MoonPoint Support.

[/security/antivirus/norman] permanent link

Sun, Sep 04, 2005 11:03 pm

ide21201.vxd

When I scanned a system with Spybot Search & Destroy, Spybot reported "Windows AdTools" was present on the system. It identified the file c:\windows\system32\ide21201.vxd as being part of that adware/spyware. It did not report any other files or registry keys associated with AdTools.

[ More Info ]

[/security/spyware/adtools] permanent link

Fri, Sep 02, 2005 8:52 pm

Norman Sandbox Information Center

Norman ASA provides antivirus software and also a webpage where you can submit a file for a determination of whether it is malware. You will need to provide an email address where the results of the file analysis will be sent. You should get an email regarding your file submission within a minute of submitting your file. The link for the file submission is http://sandbox.norman.no/live.html.

You can also submit a file to Jotti's Online Malware Scan, where it will be scanned by Norman Virus Control as well as thirteen other scanners. The results of the analysis will be displayed immediately.

[/security/antivirus/norman] permanent link

Thu, Sep 01, 2005 7:10 pm

Configuring Windows XP Firewall for OpenSSH

If you want to set up a Windows system as an SSH server, you can use OpenSSH for Windows. OpenSSH for Windows can be installed on Windows NT, 2000, XP, or Small Business Server (SBS) 2003 systems. If you are installing it on a Windows XP system with the Windows firewall activated, which will likely be the case if Service Pack 2 has been installed on the system, then you will need to create a firewall rule to allow SSH connectivity.
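One way to create that rule, as an added example that is not part of the original post or of the OpenSSH for Windows project: the PowerShell script below opens TCP port 22 for inbound connections but only from a single subnet, so the SSH service is not reachable from every network the machine is ever attached to. It uses the NetSecurity cmdlets where they exist and falls back to the legacy netsh firewall context that Windows XP SP2 and Server 2003 use. The 192.168.1.0/24 subnet is a placeholder to be replaced with the network your SSH clients actually sit on.

```powershell
# Added example (not from the original post or the OpenSSH for Windows
# project). Allow inbound SSH on the Windows firewall from one subnet only.

$sshPort   = 22
$lanSubnet = '192.168.1.0/24'   # placeholder: the only network allowed to reach sshd
$ruleName  = "OpenSSH Server (TCP $sshPort)"

if (Get-Command -Name New-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: NetSecurity module.
    # -RemoteAddress limits the rule's scope; -Profile keeps it off public networks.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $sshPort -RemoteAddress $lanSubnet -Action Allow `
        -Profile Domain,Private | Out-Null

    # Verify what was actually created: the rule and its remote-address scope.
    Get-NetFirewallRule -DisplayName $ruleName |
        Get-NetFirewallAddressFilter |
        Select-Object RemoteAddress
} else {
    # Windows XP SP2 / Server 2003 firewall: the legacy "netsh firewall" context.
    # scope=CUSTOM with an address list is the XP equivalent of -RemoteAddress.
    netsh firewall add portopening protocol=TCP port=$sshPort name=$ruleName mode=ENABLE scope=CUSTOM addresses=$lanSubnet

    # Verify the opening and its scope.
    netsh firewall show portopening
}
```

If the server must accept SSH from the whole Internet, leave the port scope open but keep the exposure on the SSH side instead: disable password authentication in sshd_config and use key-based logins, since a world-reachable port 22 with password logins is exactly the kind of service that attracts constant brute-force attempts.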

[ More Info ]

[/os/windows/xp/firewall] permanent link
