HelpSites


Monday, December 15, 2008

Cold Turkey for X-mas.

Posted on 2:05 AM by Unknown


I haven't been online much lately, for several reasons. One of them is... I quit smoking!
I was trying to avoid situations where cigs were needed the most. I have to admit that actually every situation where I was allowed to smoke was a reason to smoke.
But the worst situation was when I was using computers - more than 10 hours a day, one cig after another. You can imagine I was smoking a lot!

I've already tried to quit last year - but that failed. I was going nuts after two days and a cig was my only relief. Sad, isn't it?
After my failure last year, I decided to smoke less. I didn't allow myself to smoke in the house anymore. So every time I wanted a cig, I had to go outside, or smoke in the garage.
This actually helped a lot, I didn't break my own rule and smoked only half of what I used to smoke. Even when I was using the computer, instead of having 6 (or sometimes more) cigs in one hour, I only had to go outside 2 or 3 times an hour. (I know, I know, it's still a lot).

After a couple of months (last week), I was wondering what I was actually doing. This was just silly and I had to stop that.

My own rule to go outside for a smoke worked like a charm and I never broke that rule. So why can't I make my own rule to quit smoking?

So, last week, I smoked my last cig and that was it.

I'm not using any nicotine replacement therapy aids like gum, patches or inhalers. No medications either like Zyban to reduce the craving, no hypnosis, acupuncture.... whatever. Just quit smoking Cold Turkey.
The only thing I used was a book (no, I didn't smoke it) by Allen Carr - "Easy Way To Stop Smoking". As a matter of fact, it is easy if you believe it!

It's already been more than a week since I quit smoking and I have to say - it's going pretty well. I've tried to avoid computers as much as possible in the first couple of days. Now I'm "facing" computers again and I don't really feel the "hunger" for a cig. The only thing is - I still feel the need to stand up 2 or 3 times in an hour to go outside. :-)
I'm like Pavlov's Dog - but then I remember the famous quote by Yoda: "You must unlearn what you have learned".

Anyway, I'm glad I quit smoking and I'm sure I won't fail this time.

Happy Holidays!!
Posted in | No comments

Sunday, November 23, 2008

Please disable Autorun asap!

Posted on 6:31 AM by Unknown


We see an increase in USB-Based Malware Attacks lately - See here and here for more info.
Unfortunately, in the last few weeks, I have seen many cases where the enabled autorun feature caused A LOT of problems afterwards. This means that many are not aware of the dangers yet.
For example, some scenarios I have seen in the last couple of weeks are:

* Computer gets infected with Win32/Sality.NAR (NOD32 detection). This is a polymorphic file infector which searches local and network drives for files with the .exe extension and infects them by adding a new section that contains the virus code.
It also copies itself into the root folders of removable drives using a random filename and creates an autorun.inf file to make sure it runs whenever the drive is inserted into another computer. It also disables most AV scanners by terminating their services/processes, disables Task Manager, disables Regedit and much more to prevent it being detected or disinfected.
In this case, the user had a USB flash drive and used it to transfer removal tools etc. in order to remove this infection, since no scanners would work. What happened was, since this virus also spreads via removable media, his USB flash drive became infected > result > his other computer was infected as well!

* Computer gets infected with W32/AutoRun-OY - This one also spreads via removable drives. This computer is used at home and every user has their own account: mom, dad, son and daughter. Son loves to play games, but also loves to download games + cracks via illegal resources.
And that's how the computer at home gets infected with W32/AutoRun-OY. No detection, since the antivirus application that was installed was only a trial and had already been expired for more than a year. Dad works for a big company and he transfers his database + files from the computer at work to a USB flash drive so he can proceed with his work at home.
The USB flash drive gets infected when he inserts it into the infected computer at home. Since no scanner (because it's outdated) gives an alert and blocks the malware, there's no sign that the computer + flash drive are infected.
Dad goes back to work, inserts the flash drive into his computer at work and... it gets infected as well. No alert, nothing! It appears that the computer at work didn't even have an antivirus installed!! And, worst part of all was... Virut was also present! See here for more info. This is imho a lost case, and especially for business owned computers, it is irresponsible to clean this up manually. Format and reinstall is the fastest and especially the safest solution here.
So, who is to blame here? Imho, everyone is. The son who is responsible for visiting illegal sites in order to download his games + cracks, plus the fact that the antivirus was outdated, plus the fact that dad uses a USB flash drive containing corporate information and inserts it into the personal computer (see here how to protect your data), plus the fact that the computers at work didn't even have any protection/AV installed.
Anyway, this is so irresponsible, especially when company owned computers are involved.

* And today, I have another case where someone gets infected with W32/AutoRun-OY, where mom uses a USB flash drive to transfer files to use at work and is already complaining about the fact that there are "problems". This thread is still in progress and I really hope this isn't a lost case.

No wonder the Military bans disks and USB drives

This appears to be a common problem nowadays - that's why it is so important to prevent spreading similar infections by disabling Autorun.

To disable autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies for XP Pro since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (applies for XP Home. Same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies for Vista)

Some malware removal tools already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled. If you really want to enable this again - then it's your own responsibility. Don't complain afterwards if you get infected and are responsible for infecting a lot of other computers as well.

Update: Extra instructions to disable autorun (by US CERT) can be found here.
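Two checks that go with the advice above, as an added example (not code from the original post). The first reads the NoDriveTypeAutoRun policy value that the linked tutorials end up setting (a real Windows value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; each set bit disables Autorun for one drive class, 0xFF for all of them) and reports which drive classes are still left open. The second triages an autorun.inf the way a helper would when a stick like the ones in the scenarios above comes in: it lists every directive that would launch a file from the drive on insertion. The autorun.inf text and the mask values used are constructed for the demo.

```python
"""Two Autorun checks on constructed input (added example, not the post's own code).

NoDriveTypeAutoRun (HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer)
is a bit mask: a set bit disables Autorun for that drive class, 0xFF disables it everywhere."""

# Bit layout of the NoDriveTypeAutoRun DWORD.
DRIVE_BITS = {
    0x04: "removable drives (USB sticks)",
    0x08: "fixed disks",
    0x10: "network drives",
    0x20: "CD/DVD-ROM",
    0x40: "RAM disks",
    0x80: "unknown drive types",
}
ALL_DRIVES = 0xFF
LAUNCH_KEYS = ("open", "shellexecute")   # directives that start a program on insertion


def autorun_gaps(mask):
    """Drive classes on which Autorun is still allowed under this policy mask."""
    return [label for bit, label in DRIVE_BITS.items() if not mask & bit]


def parse_autorun_inf(text):
    """Lowercased {key: value} of the [autorun] section; lines without '=' are skipped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun_inf(text):
    """[(directive, target)] for every directive that would run a file from the drive:
    open=, shellexecute= and any shell\\<verb>\\command= entry."""
    hits = []
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


# Constructed autorun.inf mirroring the worm behaviour described in the post:
# a random-named executable in the drive root, launched on insertion.
SAMPLE_INF = r"""[autorun]
open=xkqz.exe
shellexecute=xkqz.exe
shell\open\command=xkqz.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    print("still allowed under 0x91:", autorun_gaps(0x91))       # example mask
    print("still allowed under 0xFF:", autorun_gaps(ALL_DRIVES))  # []
    for directive, target in triage_autorun_inf(SAMPLE_INF):
        print("%-20s -> %s" % (directive, target))
```

The mask check is what to look at when a removal tool has "already disabled Autorun" and someone asks why: anything other than an empty gap list means some drive class still autoruns. The autorun.inf triage only reports; whether the referenced file is malicious is still a separate question.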
Posted in Prevention | No comments

Wednesday, November 19, 2008

And another Paypal Phish...

Posted on 9:40 AM by Unknown
This is a mail I received in my mailbox one hour ago:

For your protection, we have limited access to your account until additional security
measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that Pay Pal
used to make its decision to limit your account access, please visit the Resolution Center.

We encourage you to log in and restore full access as soon as possible. Should access to your
account remain limited for an extended period of time, it may result in further limitations on
the use of your account or may result in eventual account closure.


----------------------------------------------------------------------------------------------

Click here to resolve the problem.

----------------------------------------------------------------------------------------------

Sincerely,
PayPal Account Review Team





After I clicked the link, I was presented with this fake page:




Ok, let's enter "my" Email Address and PayPal Password to Log In.




The usual Logging in screen, which then opened the following page:




They don't only want your Paypal Password, but as you see, A LOT of other information as well - Card number, Expiration date, Card verification number, Pin number and Bank name.

Anyway, if you became a victim of this Phish, contact Paypal and your Bank immediately and change your Paypal Password asap!
Posted in phish | No comments

Saturday, November 15, 2008

MSN Virus!! No scanners detect it!!!!

Posted on 4:34 PM by Unknown
This is a common subject I see in forums lately.
People are complaining about an "MSN Virus" and no scanners can detect it.
This so called "MSN Virus" is responsible for sending links to their contacts list.
Yes, there are indeed some worms, spreading via messenger and infecting your computer, for example the IRCBOT-RB Trojan and many other variants.

However, this one is totally different... and is actually already going on for a while...

It appears that many aren't aware of this one yet, because I still see so many threads in forums where many AV scanners and other scanners were being used > result > no detections, no strange files, no strange loading points etc..
Long threads with no ending since they can't find the main cause.

Actually, the main cause is very simple - The login/password of the MSN account was gathered because they entered that info via the link they received once.
This is an example of a link they receive:



More detailed info from some older blogposts:
http://phatybomb.blogspot.com/2008/04/how-to-solve-this-pesky-msn-virus.html
http://blog.spywareguide.com/2008/06/another-site-asking-for-msn-lo.html

Links may be different, but the scenario is still the same.

If you click that link, your browser will open and you are presented with a webpage where it prompts you to enter your MSN Login and Password to proceed.
Of course, the only purpose here is to gather your login and password so they can (ab)use it to log in to your account and send the same link to your other contacts.
In this case, your computer isn't infected which explains why scanners won't find a thing.

Solution is simple: Change your MSN password.

As I said, this one is already going on for a while - but in the last couple of days, I see more and more threads in forums about this one - endless threads with several different logs which won't show anything.
That's why, if you think you're dealing with a similar "infection", change your password first and see if that solves your problem. If not, then make sure your Antivirus Scanner is up to date and perform a full scan with it.
Posted in | No comments

Tuesday, November 11, 2008

Congrats Belsec!

Posted on 3:31 AM by Unknown

For the people who don't know Belsec, check out the blog here: http://belsec.skynetblogs.be
Today Belsec is one year old - Happy Birthday!!!

Some exclusive articles, free stuff and other goodies will be posted there this week, so make sure you don't miss it.
Posted in | No comments

Thursday, November 6, 2008

CCleaner

Posted on 2:27 PM by Unknown
Download: http://www.ccleaner.com/download/builds

There are 3 builds available. Personally, I prefer the "Slim" version.

1. Standard Build also includes the Yahoo Toolbar but that can be UNcheckmarked during the installation if you so desire.
2. Portable does NOT include the Installer
3. Slim also does NOT include the Toolbar.

Suggested Settings For CCleaner

Options > Advanced >
  • UNcheck "Only delete files in Windows Temp folder older than 48 hours".
  • Check "Show prompt to back up Registry entries".


Options > Cookies


To retain logon cookies, review the cookies in the "Cookies to Delete" column on the left. Select any you wish to keep and click the arrow pointing to the right to add to the "Cookies to Keep" column.



Cleaner > Windows Tab

The settings shown below are based on my choices. In the event assistance is needed, I do not recommend using the Advanced section (not shown) nor checking the following:
  • Windows Log Files
  • Windows Error Reporting

Cleaner > Applications Tab

This is an example of a recent setting.


Registry

It is not recommended that you perform this step unless you are having problems after uninstalling a program or it is recommended at a reputable help site. Generally, registry cleaners have caused more problems than they have repaired.

The settings I have checked below should be sufficient to remove a bad uninstall. I do not recommend checking "Missing Shared DLLs" or "Unused File Extensions". They may not be used by a currently installed software but you may run into problems with a future program you attempt to run.

It is very important to back up the registry. Even though CCleaner has a registry backup, I would also suggest a manual backup. See this article on backing up the registry: Windows XP and Windows Server 2003.

Posted in | No comments

Wednesday, November 5, 2008

Mrs. Claus' Cookbook

Posted on 1:19 PM by Unknown
Just a tidbit based on the emails floating around with copy/pastes of the individual recipe URLs. They are from Mrs. Claus' Cookbook at the North Pole.com. Since someone put a lot of work into that site, I'd suggest visiting there directly. There's lots of fun things for the family at the North Pole.

For the recipes at the North Pole, follow the links below to the various kitchen categories.

Posted in Recipe | No comments

Monday, November 3, 2008

Meet the Medion Family

Posted on 12:15 AM by Unknown
A picture of my "Workplace"...

Posted in | No comments

Sunday, November 2, 2008

HitmanPro 3 - maybe better, but I still have my doubts..

Posted on 8:37 AM by Unknown
Mainly dutch users will know this program/removal tool. There were many discussions about it in the past as you will read here.
However, the newest version is a bit different. Instead of installing several different antispyware and antivirus removal tools, it now uses a "Scanwolk" or "ScanCloud". This means that potential malware related files are uploaded there and scanned by a couple of different engines. These engines are Eset (NOD32), Avira, PrevX, Emsi Software - a-squared Anti-Spyware and Ikarus Anti-Virus. As far as I know, some of these "Scansoftware" are for free. Correct me if I am wrong.

This is a little bit the same principle as Virustotal, but in this case, it happens automatically without user intervention.
Previous versions of HitmanPro were for free, however, this time, the new version is different. Scanning stays free, but to remove what it has found, you have to purchase a license. First you get a trial which is able to remove the found threats - but once that trial has expired, you have to purchase a license..

Before testing this application, I already had a few remarks....

* What about false positives the external scanners find. Will HitmanPro remove them as well or not?
* Automatically uploading files to the "ScanWolk" (as they call it) - what about user intervention? Is this automatically allowed? Most scanners ask this before users upload potentially suspicious files to a server. HitmanPro goes for faster results and uploads automatically without user intervention. Ethics???

Anyway, those were my main concerns, so I decided to give HitmanPro3 a try..

If I test software, I always try it in a VMware image first. In this case, it was Windows XP Pro Service Pack 2.
It was a clean install, only some analysis tools (tools which enumerate windows loading points) were installed.

I've downloaded HitmanPro 3 and executed it...
Once again, this is a clean Windows XP SP2 install with only some analysis tools present.

It started with the scan...



Ok, tracking cookies in the first place. You're kidding if people really have to purchase a license to remove these tracking cookies. Easy money..
Anyway.. the other detections..
Too bad to see it detected one of my favorite analysis tools (OtScanIt.exe) as Trojan.Dos.Win32....
I've uploaded it to Virustotal and came back with the following results: http://www.virustotal.com/nl/analisis/ab129671f0130d829a70e395ec5b64fa
HitmanPro uses the Prevx engine, and in this case, it's detected as "Cloaked Malware". This is a heuristic detection and may be a false positive. Not sure where HitmanPro gets the "Trojan.Dos.Win32.." from..
Anyway.. during detection, there is NO WAY to deselect what it has found. The only option you get is the "next" button (and the option to select what subscription you have).
Then, if you click the "next" button, it removes what it found, no matter if it was a false positive or not (after all, you could not deselect it from the main screen). Byebye OtScanIt - I couldn't save you.. :(
And even in my clean VMware image, HitmanPro decided (without notice) to remove my desktop background and replace it with the 'plain blue standard background'. Is there any reason why? Without notice? So this means that everyone who runs HitmanPro3, no matter if you're infected or not, gets a "blank" desktop afterwards?

Once again, this was in a clean Windows XP SP2 image. Detection and removal of files that weren't even malicious and deleting value data in keys (without notice) that weren't even malicious...
It also appears that some others were having problems as well with this newest version. For example:
http://www.techzine.nl/nieuws/18270/SurfRight-brengt-finalversie-Hitman-Pro-3-uit.html (First reaction present there).
To translate: "I've used it two times and deleted it immediately. The scripts crashed and deleted important files from my PC. BSOD, then a system restore (removed HitmanPro) and everything worked OK again."

I'm not surprised at all.....

So the only thing I can say here is... please remove the official version and give it more time to beta test. It's way too dangerous to use/release it in public.
Some important thoughts:

* Ask for confirmation before uploading potential dangerous files.
* Make sure people can select/deselect what files to remove.

EDIT: There's indeed an option to select/deselect what files to remove, but only if you rightclick the view and select the "Virus analist view". Many people won't know about that option (I didn't either), so it may be better to make checkboxes to select/deselect in the main view.

* I can't find a backup/quarantine option. Better to give the option to quarantine what it removed with the option to restore if needed.

... and some more thoughts that I will post later.

Extra note... I have NOT tested this on an infected system yet - I'll certainly do this later and see how it acts/reacts - and post the results. My main important point was how it acted/reacted on a NON infected system since many people just love to run tools and even purchase them if not needed.
Posted in Security Products | No comments

Monday, October 27, 2008

That was a stupid thing to say

Posted on 5:32 AM by Unknown
I was helping someone yesterday with a SEVERELY infected computer. This computer had been infected for at least 1 year since older malware was still active and running, with on top, newer malware including a file infector, some backdoors, random adware and god knows what else...
So you can imagine there wasn't much we could do about it, this computer was TOAST.
Then this user told me that he was actually PROUD of the fact that he managed to get 4 different computers infected/damaged in a short period of time.
Excuse me?



That's where I ended my support - told him to format and reinstall Windows and never use a computer anymore.

This is once again an example why some people should be restricted to use computers and is a perfect addition to my previous rant: "The Neverending story".
Oh, and yes, I do agree with Eugene's Final thoughts - with the addition that Internet access should be restricted for such people as in above example.
Posted in Rant | No comments

MEDION Akoya Mini 10" Netbook E1210

Posted on 2:24 AM by Unknown


Yes, that's going to be my new notebook. This is the Aldi offer in Belgium for this week and since I always wanted a "mini notebook" to take everywhere with me, this looks like the ideal one for me.
My other notebook (older one) died in the meantime after the "coffee accident" I blogged about last month. I'm still surprised that it worked for a couple of days afterwards, so I could back up important data. So in a way, I was lucky.

Specifications of the Medion Akoya Mini are:

1.6Ghz Intel® Atom™ Processor N270
Intel® Atom™ Processor – a new series of very low power processors developed by Intel® especially for Mobile Internet Devices (MIDs) and for a new class of more affordable, smaller and fully functional computer systems built to provide fast, easy internet access. These ‘Netbooks’ are impressive thanks to their ease-of-use, portability, powerful wireless LAN functionality and long battery life.

Windows® XP Home Edition
(incl. Service Pack 3)

10" TFT Widescreen Display
1024 × 600 pixels

80GB SATA hard drive
for more than 16,000 music tracks or photos**

1GB RAM

Fast WLAN Wireless LAN 802.11 b/g +
Draft-n with up to 300 MBit/s.*

Intel® Graphics Media Accelerator 950

Connectivity
USB 2.0, Memory card reader and much more...

Integrated webcam

Connections

* Multi-card reader for SD, MMC, Memory Stick
* 3× USB 2.0
* 1× VGA out
* 1× network (RJ45)
* 1× line out

Also included

* Li-ion battery and mains power adaptor

Dimensions and Weight

* Approx. 260 × 180 × 19/31.5mm
* Approx. 1.2kg incl. battery

Bag and Bluetooth dongle are also included.

And this for 399 euro!

More info also here: http://www.medion.de/ms/aldi/md97160/au/flash.html

I guess I'll have to hurry before they are sold out.
Posted in | No comments

Monday, October 13, 2008

Fake sysaudio.sys causes Searchengine Hijack

Posted on 10:44 AM by Unknown
What is this infection about...
It actually loads a script, so search engine results are loaded within a script. For example, when you search for something in Google or another search engine, you get this when you view the source:

script scr= //78. 157. 142. 58/ and then the searchengine results.
or
script scr= //209 .85 .171 .9/ and then the searchengine results.
(more may be present as well)

So, whenever a popular searchengine is being used, a script is loaded to insert its results. For example, a search for: "How to remove rootkits with icesword", you get irrelevant results. Screenshot here:


This only applies for the first page of the results.

It looks like stopzilla.com is also promoted via this piece of malware
Example:


As far as I know.. this one is getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs.

The responsible file for the searchengine hijack is sysaudio.sys, (which is actually a DLL) dropped in the %sysdir% folder (system32 folder).

Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key
with value and valuedata:

"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"

Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far, there could be more)

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv which is also present in the %sysdir% folder.
(could be more already - newer variants)

Anyway, this is another method being used to "hide" its presence because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or "aux" value in the registry. Ask for help if you're not sure.


UPDATE!!!
A new variant is Windows\system32\wdmaud.sys <== bad one
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!!

UPDATE2!!!

And again a new variant around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir. (previous variants were detected as Trojan.Daonol)
Redirections go for example to 209.85.171.199 - or you see 7.7.7.0 in the status bar.
This time, it uses a random file name. To find out, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look what's present under the "aux" values (aux1, aux2, aux3, aux4..) One of them is the cause. It's a "weird" looking filepath and name, examples are: "C:\WINDOWS\system32\..\sjkemx.iqd" or "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" - note the reference named ".." which actually refers to "go up two levels". To find the file itself, easiest way is via Windows search. If it comes back immediately after you have removed it, you can use the "Hijackthis - Delete on reboot" option, or any other tool that is able to delete files on reboot.
In case you can't launch regedit (crashes when you launch it), rename regedit and try again.
If you're unsure, don't delete anything, but ask help instead.
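A small triage script for the Drivers32 check described above, as an added example (not code from the original post). It parses a registry export of the Drivers32 key, looks only at the "aux*" values and sorts them into: a path containing ".." (the random-name variant), one of the fake driver names dropped in system32 itself, a bare file name from the legitimate list given above, or unknown (verify before touching). The export text is constructed for the demo; the legitimate and fake file names are the ones the post lists. Note that ".." is the parent directory, so C:\WINDOWS\system32\..\sjkemx.iqd resolves to C:\WINDOWS\sjkemx.iqd, which is where Windows search has to look for the file.

```python
"""Triage the "aux*" values of the Drivers32 key from a registry export.

Added example, not the post's own code. The export is constructed; the legitimate
aux values and the fake file names are those listed in the post. ".." in a path
means the parent directory: C:\\WINDOWS\\system32\\..\\x resolves to C:\\WINDOWS\\x."""
import ntpath
import re

KNOWN_GOOD_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}   # legitimate, per the post
KNOWN_FAKE_NAMES = {"sysaudio.sys", "wdmaud.sys"}             # fakes dropped in system32 itself
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
SEVERITY = {"dotdot-path": 0, "fake-name": 1, "unknown": 2, "ok": 3}


def parse_reg_values(export_text):
    """{value_name: data} for the string values of a single-key .reg export.
    .reg files double every backslash, so undo that."""
    values = {}
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def classify_aux(data):
    """Return (verdict, resolved_path) for one aux value."""
    resolved = ntpath.normpath(data)          # collapses "\..\" segments
    name = ntpath.basename(resolved).lower()
    if ".." in data.split("\\"):
        return "dotdot-path", resolved        # the random-name variant from UPDATE2
    if name in KNOWN_FAKE_NAMES:
        return "fake-name", resolved          # sysaudio.sys / wdmaud.sys outside \drivers
    if name in KNOWN_GOOD_AUX and ntpath.dirname(data) == "":
        return "ok", resolved
    return "unknown", resolved                # not in the short list: verify before touching


def audit_drivers32(export_text):
    """[(value_name, verdict, resolved_path)] for every aux* value, most suspicious first."""
    findings = [(name, *classify_aux(data))
                for name, data in parse_reg_values(export_text).items()
                if name.lower().startswith("aux")]
    return sorted(findings, key=lambda f: SEVERITY[f[1]])


# Constructed export: one legitimate value, one fake-name value, one random-name value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux2"="sysaudio.sys"
"aux3"="C:\\WINDOWS\\system32\\..\\sjkemx.iqd"
"wavemapper"="msacm32.drv"
"""

if __name__ == "__main__":
    for name, verdict, path in audit_drivers32(SAMPLE_EXPORT):
        print("%-5s %-12s %s" % (name, verdict, path))
```

Export the key with regedit (or `reg export`) and feed the text in; the script never touches the registry itself, which matches the post's advice to look first and ask for help when unsure. The "ok" verdict only covers the three names listed above, so a legitimate but less common value will show up as "unknown" rather than be hidden.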

Update: A Great, detailed writeup by MAD (French)

To receive help to remove the infection or similar infections, register at one of the forums present on the right, or register at my personal forum here. It's a dutch forum but I also give english support.
Posted in Malware | No comments

Friday, October 3, 2008

Something, somewhere, went terribly wrong.

Posted on 1:45 AM by Unknown

A t-shirt I ordered - arrived today...

I love it!! :)
Posted in | No comments

Wednesday, October 1, 2008

MySpace/FaceBook worm causes confusion in HijackThislogs

Posted on 6:54 AM by Unknown
This blogpost is actually a warning for people who are helping others to get rid of this worm via HijackThis-logs.
Here's some more info about the worm itself and how it is being spread:
http://www.kaspersky.com/news?id=207575670
http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html

This worm is also known as Net-Worm.Win32.Koobface.*

People are complaining about Google Redirects, slow computer in general and browser freezing or shutting down whenever they want to log into their FaceBook or MySpace account.
The files responsible for this infection are:

%WinDir%\kenny**.exe (** stands for a number, in this case 16, 17, 18..), runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with displayname sysftray2
%WinDir%\fmark2.dat
%ProgramFiles%\TinyProxy\TinyProxy.exe or %ProgramFiles%\ProtectService\ProtectService.exe which runs as a service.


It also modifies the Proxy to http=127.0.0.1:8181
To fix this:
In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

To remove this infection, just delete the %ProgramFiles%\TinyProxy folder or %ProgramFiles%\ProtectService folder it has created + the %WinDir%\fmark2.dat and %WinDir%\kenny**.exe files + restore the proxy settings.
It's recommended that you do this in Windows Safe mode since this infection (mainly the service) is active in Windows normal mode.
There could be newer variants present already.

Now, what's the confusion with HijackThislogs and people who are guiding others with malware removal via HijackThislogs...

Let me explain how HijackThis.exe enumerates the services...
For example, let's take the legitimate Nvidia Display service:

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What's between the brackets is the Servicename. In this case "NVSvc". That's how the service is registered in the registry.
The Displayname is "NVIDIA Driver Helper Service". This is how you see it in services.msc for example. This is also set under the Servicename with value "Displayname".
The "C:\WINDOWS\system32\nvsvc32.exe" refers to the "ImagePath" value set under the "NVSvc" service. This means the file responsible for running as a service.

In case there are no brackets, then it means that the Servicename is the same as the Displayname, for example:

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

In this case, "Apple Mobile Device" is the servicename and displayname.

If people check and fix a O23 entry in HijackThis, HijackThis doesn't delete the service, but disables it instead. This means, it changes the "Start" valuedata for the service to dword:00000004, which means disabled.
In case when a malicious service is present, if you fix it in HijackThis, it won't remove the service. It will only disable it.
That's why a lot of helpers who are guiding with HijackThis logs are taught to delete the service in the registry as well. The sc delete "servicename" command is the commonly used command here.

Now let's compare one of these malicious TinyProxy.exe or ProtectService.exe Services..
That's how they look in a HijackThislog:

Some examples:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: NMIndexingService (NMIndexingService) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe




In this case, let's take O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe as an example.

People who are used to working with HijackThislogs would think: "Netman" is the servicename and "Network Connections" is the Displayname.
Yes, that's how it looks like.
But.. the service "Netman" is a LEGITIMATE service and the Displayname "Network Connections" matches as well as LEGITIMATE. Normally HijackThis whitelists these services.
Now what? Does that mean that this service in the registry was modified and the "Imagepath" value under the "Netman" service was changed to "C:\Program Files\TinyProxy\TinyProxy.exe" instead of %SystemRoot%\system32\svchost.exe -k netsvcs (which is the default valuedata for this one)?
Yes, that's a possibility... we've seen it before.
In such cases, after you have removed the offending folder C:\Program Files\TinyProxy, you need to restore the default "Imagepath" valuedata again to the legitimate one.

HOWEVER, I found out that this infection isn't modifying any legitimate services at all!
After a bit of research - comparing logs and testing with some dummy services - it appears that this infection creates a new service instead, but gives it a name that matches the way HijackThis prints a legitimate service, which causes extra confusion in HijackThis logs.
Example:

Let's create the service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"Displayname"="Network Connections (Netman)"
"ImagePath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,25,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,\
00,79,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,00,79,00,2e,00,\
65,00,78,00,65,00,00,00
<== which translates to %ProgramFiles%\TinyProxy\TinyProxy.exe
"Start"=dword:00000002 <== which means "autostart"


The service "Network Connections (Netman)" isn't legitimate, since the legitimate service is actually "Netman".
But since the "DisplayName" in the above example matches the service name, in HijackThis logs it will show as:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

While the service name is actually "Network Connections (Netman)" and NOT "Netman"!!

The result is that many helpers look at the service name in HijackThis (the one between brackets) and, since it has a malicious file attached, some don't think any further and assume that the service itself is malicious as well (without realising it may be a legitimate service). Result: they ask to delete the legitimate service from the registry using the sc.exe delete command.
And yes, a ThreatExpert report also reveals how it creates its service. Example: http://www.threatexpert.com/report.aspx?uid=b72eb6f9-00dd-442b-8a08-f095ca088e31
In ThreatExpert's example..
"TrkWks" is the LEGITIMATE service, but in this case, as you can see in the above report, the service "Distributed Link Tracking Client (TrkWks) " was created.
Slightly different from what I've tested with dummy services, but it does make sense. In the above example, the service name has an extra space at the end, and since the "DisplayName" is the same, it will show like this in an original HijackThis log (since display name and service name match):

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe (note the extra empty space after (TrkWks) and -)**

But since people are posting this at forums, the forum software strips that empty space anyway.
The same applies to the ThreatExpert report itself imho, where it also strips the extra space in the service name/service key if no subkeys are attached.

** After I posted this, I noticed that this blog post also strips the extra space after the service name..

Anyway.. imho, I'm pretty sure that whoever developed this infection is well aware of HijackThis and how it displays its entries, and did this to cause some extra confusion for helpers.
And that's why I posted this warning in the first place, because I've seen it happen a couple of times already. Legitimate services were deleted; result: no internet access anymore, or something else broken because of this confusion in HijackThis.
That's why, before you delete a service from the registry, make sure first that it's not a legitimate service!
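As an added example (not code from the original post), here is a Python helper that takes one O23 line and a snapshot of the Services tree and tells the two cases apart: a separate look-alike key literally named "Display (Name)", possibly with the stray trailing space from the ThreatExpert report, versus a legitimate key whose ImagePath was overwritten. The SERVICES and ENV tables are constructed stand-ins for the real registry, not data from an infected machine.

```python
import re

# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet\Services (key name -> values).
# The trailing space in the TrkWks look-alike key is deliberate, as in the ThreatExpert report.
SERVICES = {
    "Netman": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    "Network Connections (Netman)": {"ImagePath": r"%ProgramFiles%\TinyProxy\TinyProxy.exe"},
    "TrkWks": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    "Distributed Link Tracking Client (TrkWks) ": {
        "ImagePath": r"%ProgramFiles%\TinyProxy\TinyProxy.exe"},
    # Constructed: the other scenario, a real service whose ImagePath was overwritten.
    "Dhcp": {"ImagePath": r"C:\Program Files\TinyProxy\TinyProxy.exe"},
}
# Assumed expansions: HijackThis prints expanded paths, the registry stores the variables.
ENV = {"%programfiles%": r"C:\Program Files", "%systemroot%": r"C:\WINDOWS"}

# "O23 - Service: <display> (<name>) - <owner> - <path>"; "\) +-" tolerates the stray space.
O23 = re.compile(r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) +- .+? - (?P<path>.+)$")

def expand(path):
    """Expand the two environment variables above, case-insensitively."""
    for var, val in ENV.items():
        i = path.lower().find(var)
        if i >= 0:
            path = path[:i] + val + path[i + len(var):]
    return path

def squash(text):
    """Collapse whitespace and case, as forum software and HijackThis output do."""
    return " ".join(text.split()).lower()

def classify(line, services=SERVICES):
    """Return (verdict, registry key, remediation) for one O23 line, or None."""
    m = O23.match(line)
    if not m:
        return None
    display, name, path = m["display"], m["name"], m["path"].strip()
    lookalike = squash(f"{display} ({name})")
    # Case 1: a separate key literally named "Display (Name)" carries the malicious path.
    for key, values in services.items():
        if squash(key) == lookalike and squash(path) in squash(expand(values["ImagePath"])):
            return ("lookalike", key, f"delete only the bogus key {key!r}; leave {name!r} alone")
    # Case 2: the legitimate key itself has had its ImagePath overwritten.
    legit = services.get(name)
    if legit and squash(path) in squash(expand(legit["ImagePath"])):
        return ("hijacked", name, f"restore ImagePath of {name!r}; do NOT delete the service")
    return ("unknown", name, "no matching service key in this snapshot; check before acting")
```

The returned key is the exact registry key name, trailing space included, so the remediation targets the bogus key and not the legitimate one.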

I have not played with this infection itself yet (no samples available) - so my analysis is only based on logs/research and testing.
Samples are welcome. :-)
Samples received. Thanks readers :)
Posted in Malware | No comments

Friday, September 19, 2008

Fujitsu Siemens Amilo - RIP..... for now.....

Posted on 3:52 AM by Unknown

This was going to happen some day anyway...
I finally managed to spill a full mug of coffee (big size) all over my laptop.
In less than a second, the coffee had covered my entire computer desk. Luckily, my other laptop next to it was on a notebook cooler pad, so that one was saved.
The screen went black immediately, strange noises from underneath... and I swore like never before.
Unfortunately, the swearing didn't work, so instead, I immediately disconnected the power supply and took out the battery.
I put the unit on its side and the coffee was dripping out. I left it in that position for at least an hour. I cleaned the rest of the mess I made, apart from the stains on the wall (Mr Proper can take care of that).
Then I turned it upside down, opened it and I'm going to let it dry for at least 24 hours.

In a way, I'm glad I don't like milk and sugar in my coffee, so maybe there's still hope... but I doubt it.

My dear Fujitsu Siemens Amilo, May The Force Be With You.

UPDATE! I couldn't wait any longer (waited for two days to let it dry)... so... it's up and running again!! No issues so far - everything works. I was really lucky :-)
Posted in Rant | No comments

Wednesday, September 17, 2008

AntiVirus, Internet Security and Total Security Performance Benchmarking by Passmark.

Posted on 3:33 AM by Unknown
I actually never really paid attention to comparison/testing reports about Antivirus and Security Suites especially related with "best detection", "best removal" etc etc.. This, since I have my own opinion about this :-)
However, this is a different test, a performance test of several different Antivirus products and Security Suites/Total Security Products by Passmark.

- The Performance tests:

* Boot Time
* Scan Speed
* User Interface launch Speed
* Memory utilization
* Installation Time
* Installation Size
* Registry Key Count
* File Copy, Move and Delete
* Installing Third Party Applications
* Binary File Download Speed
* File Format Conversion
* File Compression and Decompression
* File write, Open and Close

- Overall Ranking in comparison with other products:



It looks like Norton Internet Security 2009/Norton Antivirus 2009 is a winner here in comparison with previous tests and older versions.

Anyway, "decide" for yourself and read the full report here: http://www.passmark.com/ftp/antivirus_09-performance-testing-ed1.pdf

Still, imho, the best way to decide what Antivirus/Security Suite to use (for best performance) is to install it and see how it runs on your computer. After all, every computer is different.
If it runs fine and you're satisfied with the Antivirus or Security Suite, then keep it.
Posted in Security Products | No comments

Tuesday, September 16, 2008

Zune 3.0 Upgrade is Live!

Posted on 12:03 PM by Unknown
THE ZUNE 3.0 UPGRADE IS LIVE
Zune 3.0 is a major improvement to all of our digital media players, software, and online services. Take advantage of these outstanding new features by updating your Zune 3.0 Software today.
buy from FM and zune marketplace on your device
updating is easy

Wireless capabilities just got better: Buy from FM is a new feature that lets you tag songs you hear on the radio via your Zune player's built-in FM tuner and download them later. Plus, you can shop Zune Marketplace directly from your player at Wi-Fi hotspots. Get what you want on the go.

Update now and get the latest features from Zune.

1. Disconnect your Zune.
2. In the software, click Settings, Software, General.
3. Click Check for Updates.

After completing the update, your Zune will update automatically the next time you sync.

You can follow these steps at any time and manually update your Zune whenever you'd like.

dynamic music channels

Maximize your Zune Pass with Channels. These dynamic playlists bring you a regularly updated collection of tracks that you can subscribe to like podcasts. Other software improvements let you search better, explore music maps of related artists and albums, get personalized picks, set artist alerts for new releases, and more.


new 120GB and 16GB players

Pick your new Zune from a wider variety of capacities and colors. Go large with our ultra-sleek black 120GB and 16GB players. Check out our new 8GB glossy blue Zune. Or custom engrave an original — choosing from more than 50 exclusive designs — at zuneoriginals.net.

free 14-day zune pass trial

Zune Pass monthly music subscription is your ticket to millions of songs and albums on Zune Marketplace. Sign in to your Zune My Account page; click on Zune Pass to select the free trial.

games for your zune
Get started with two totally free games — the puzzling Hexic and Texas Hold 'Em Poker (featuring wireless multiplayer!) Many new games are on the way. Check Zune.net for updates in coming months.

audiobooks have arrived
We've partnered with Audible.com, using their software to manage audiobooks on Zune. Browse and buy titles at over 7,500 public libraries and leading bookstores.

zune social is growing
Now with a community of over 2 million, the new Zune Social works with Windows Live Messenger and includes revamped profile and artist pages. Download Zune Card playlists to go, receive weekly friend activity updates, and more.

Posted in | No comments