Monday, December 15, 2008

Cold Turkey for X-mas.



I haven't been online much lately, for several reasons. One of the reasons is... I quit smoking!
I was trying to avoid situations where cigs were needed the most. I have to admit that actually every situation where I was allowed to smoke was a reason to smoke.
But the worst situation was when I was using computers - more than 10 hours a day, one cig after another. You can imagine I was smoking a lot!

I've already tried to quit last year - but that failed. I was going nuts after two days and a cig was my only relief. Sad, isn't it?
After my failure last year, I decided to smoke less. I didn't allow myself to smoke in the house anymore. So every time I wanted a cig, I had to go outside, or smoke in the garage.
This actually helped a lot, I didn't break my own rule and smoked only the half of what I used to smoke. Even when I was using the computer, instead of having 6 (or sometimes more) cigs in one hour, I only had to go outside 2 or 3 times an hour. (I know, I know, it's still a lot).

After a couple of months (last week), I was wondering what I was actually doing. This was just silly and I had to stop that.

My own rule to go outside for a smoke worked like a charm and I never broke that rule. So why can't I make my own rule to quit smoking?

So, last week, I smoked my last cig and that was it.

I'm not using any nicotine replacement therapy aids like gum, patches or inhalers. No medications either like Zyban to reduce the craving, no hypnosis, acupuncture.... whatever. Just quit smoking Cold Turkey.
The only thing I used was a book (no, I didn't smoke it) by Allen Carr - "Easy Way To Stop Smoking". As a matter of fact, it is easy if you believe it!

It's already more than a week since I quit smoking and I have to say - it's going pretty well. I tried to avoid computers as much as possible in the first couple of days. Now I'm "facing" computers again and I don't really feel the "hunger" for a cig. The only thing is - I still feel the need to stand up 2 or 3 times in an hour to go outside. :-)
I'm like Pavlov's Dog - but then I remember the famous quote by Yoda: "You must unlearn what you have learned".

Anyway, I'm glad I quit smoking and I'm sure I won't fail this time.

Happy Holidays!!

Sunday, November 23, 2008

Please disable Autorun asap!



We see an increase in USB-Based Malware Attacks lately - See here and here for more info.
Unfortunately, in the last few weeks, I have seen many cases where the enabled autorun feature caused A LOT of problems afterwards. This means that many are not aware of the dangers yet.
For example, some scenarios I have seen in the last couple of weeks are:

* Computer gets infected with Win32/Sality.NAR (NOD32 detection). This is a polymorphic file infector which searches local and network drives for files with the .exe extension and infects them by adding a new section that contains the viruscode.
It also copies itself into the root folders of removable drives using a random filename and creates an autorun.inf file to make sure it runs whenever it is inserted into another computer. It also disables most AV scanners by terminating their services/processes, disables Taskmanager, disables Regedit and much more to prevent it being detected or disinfected.
In this case, the user had a USB flashdrive and used it to transfer removal tools etc. in order to remove this infection, since no scanners would work. What happened was, since this virus also spreads via removable media, his USB flashdrive became infected > result > his other computer was infected as well!

* Computer gets infected with W32/AutoRun-OY - This one also spreads via removable drives. This computer is used at home and every user has their own account: mom, dad, son and daughter. Son loves to play games, but also loves to download games + cracks via illegal resources.
And that's how the computer at home gets infected with W32/AutoRun-OY. No detection, since the Antivirus application that was installed was only a trial and had already been expired for more than a year. Dad works for a big company and he transfers his database + files from the computer at work to a USB flashdrive so he can proceed with his work at home.
The USB flashdrive gets infected when he inserts it into the infected computer at home. Since no scanner (because it's outdated) gives an alert and blocks the malware, there's no sign that the computer + flashdrive is infected.
Dad goes back to work, inserts the flashdrive into his computer at work and... it gets infected as well. No alert, nothing! It appears that the computer at work didn't even have an Antivirus installed !! And, worst part of all was... Virut was also present! See here for more info. This is imho a lost case, and especially for business owned computers, it is irresponsible to clean this up manually. Format and reinstall is the fastest and especially the safest solution here.
So, who is to blame here? Imho, everyone is. The son, who is responsible for visiting illegal sites in order to download his games + cracks, plus the fact that the Antivirus was outdated, plus the fact that dad uses a USB flashdrive containing corporate information and inserts it into the personal computer (see here how to protect your data), plus the fact that the computers at work didn't even have any protection/AV installed.
Anyway, this is so irresponsible, especially when company owned computers are involved.

* And today, I have another case where someone gets infected with W32/AutoRun-OY, where mom uses a USB flashdrive to transfer files to use at work and is already complaining about the fact that there are "problems". This thread is still in progress and I really hope this isn't a lost case.

No wonder the Military bans disks and USB drives

This appears to be a common problem nowadays - that's why it is so important to prevent spreading similar infections by disabling Autorun.

To disable autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies for XP Pro since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (applies for XP Home. Same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies for Vista)

Some malware removal tools already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled. If you really want to enable this again - then it's your own responsibility. Don't complain afterwards if you get infected and are responsible for infecting a lot of other computers as well.

Update: Extra instructions to disable autorun (by US CERT) can be found here.
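Two checks a helper can run offline, as an added example (not code from the blog, US-CERT or the tutorials linked above): a triage of an autorun.inf file that reports which directives would launch a program when the drive is inserted, and a decoder for the NoDriveTypeAutoRun policy DWORD that the tutorials set (0xFF switches AutoRun off for every drive type; 0x91 is the usual XP default). The autorun.inf text is constructed sample data modelled on the worm behaviour described above, not a real sample.

```python
"""Triage an autorun.inf file and decode the NoDriveTypeAutoRun policy.

Added example, not part of the original blog post. The autorun.inf text
and the registry values below are constructed sample data.
"""
import re

# Directives in [autorun] that cause code to run on insertion. "open" and
# "shellexecute" are the usual ones; shell\<verb>\command entries hijack
# the context-menu / double-click action instead.
LAUNCH_KEYS = ("open", "shellexecute")

# Bits of NoDriveTypeAutoRun (HKLM\...\Policies\Explorer), one per drive
# type; a set bit disables AutoRun for that type. 0xFF disables all.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}

def parse_autorun_inf(text):
    """Return {section: {key: value}} for INI-style autorun.inf content."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def triage_autorun_inf(text):
    """Return findings describing what the file would launch."""
    findings = []
    auto = parse_autorun_inf(text).get("autorun", {})
    for key, value in auto.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= launches '{value}'")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            findings.append(f"shell verb '{verb}' runs '{value}'")
        elif key == "shell":
            findings.append(f"default shell verb set to '{value}'")
    return findings

def autorun_disabled_for(value):
    """Map a NoDriveTypeAutoRun DWORD to the drive types it disables."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]

def autorun_fully_disabled(value):
    """True when AutoRun is off for every drive type (0xFF)."""
    return value & 0xFF == 0xFF

# Constructed sample modelled on worm-dropped autorun.inf files: a random
# executable name in the drive root plus a hijacked "Open" context verb.
SAMPLE_AUTORUN_INF = """[autorun]
open=xkqzt.exe
shell\\open\\command=xkqzt.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in triage_autorun_inf(SAMPLE_AUTORUN_INF):
        print("autorun.inf:", finding)
    # 0x91 is the common XP default (unknown, network and reserved only),
    # which still leaves removable drives and CD-ROMs enabled.
    for v in (0x91, 0xFF):
        print(hex(v), "disables:", autorun_disabled_for(v))
```

The `icon=` line is deliberately ignored: only directives that launch something are reported, so a benign autorun.inf from a driver CD produces no findings.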

Wednesday, November 19, 2008

And another Paypal Phish...

This is a mail I received in my mailbox one hour ago:

For your protection, we have limited access to your account until additional security
measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that Pay Pal
used to make its decision to limit your account access, please visit the Resolution Center.

We encourage you to log in and restore full access as soon as possible. Should access to your
account remain limited for an extended period of time, it may result in further limitations on
the use of your account or may result in eventual account closure.


----------------------------------------------------------------------------------------------

Click here to resolve the problem.

----------------------------------------------------------------------------------------------

Sincerely,
PayPal Account Review Team





After I clicked the link, I was presented with this fake page:




Ok, let's enter "my" Email Address and PayPal Password to Log In.




The usual Logging in screen, which then opened the following page:




They don't only want your Paypal password but, as you see, A LOT of other information as well - card number, expiration date, card verification number, PIN number and bank name.

Anyway, if you became a victim of this Phish, contact Paypal and your Bank immediately and change your Paypal Password asap!

Sunday, November 16, 2008

MSN Virus!! No scanners detect it!!!!

This is a common subject I see in forums lately.
People are complaining about an "MSN Virus" and no scanners can detect it.
This so called "MSN Virus" is responsible for sending links to their contacts list.
Yes, there are indeed some worms, spreading via messenger and infecting your computer, for example the IRCBOT-RB Trojan and many other variants.

However, this one is totally different... and is actually already going on for a while...

It appears that many aren't aware of this one yet, because I still see so many threads in forums where many AV scanners and other scanners were used > result > no detections, no strange files, no strange loading points etc.
Long threads with no ending, since they can't find the main cause.

Actually, the main cause is very simple - The login/password of the MSN account was gathered because they entered that info via the link they received once.
This is an example of a link they receive:



More detailed info from some older blogposts:
http://phatybomb.blogspot.com/2008/04/how-to-solve-this-pesky-msn-virus.html
http://blog.spywareguide.com/2008/06/another-site-asking-for-msn-lo.html

Links may be different, but the scenario is still the same.

If you click that link, your browser opens and you are presented with a webpage that prompts you to enter your MSN login and password to proceed.
Of course, the only purpose here is to gather your login and password so they can (ab)use it to log in to your account and send the same link to your other contacts.
In this case, your computer isn't infected, which explains why scanners won't find a thing.

Solution is simple: Change your MSN password.

As I said, this one is already going on for a while - but in the last couple of days, I see more and more threads in forums about this one - endless threads with several different logs which won't show anything.
That's why, if you think you're dealing with a similar "infection", change your password first and see if that solves your problem. If not, then make sure your Antivirus Scanner is up to date and perform a full scan with it.

Tuesday, November 11, 2008

Congrats Belsec!


For the people who don't know Belsec, check out the blog here: http://belsec.skynetblogs.be
Today, Belsec is one year old - Happy Birthday!!!

Some exclusive articles, free stuff and other goodies will be posted there this week, so make sure you don't miss it.

Monday, November 3, 2008

Meet the Medion Family

A picture of my "Workplace"...

Monday, October 27, 2008

That was a stupid thing to say

I was helping someone yesterday with a SEVERELY infected computer. This computer had been infected for at least 1 year, since older malware was still active and running, with, on top, newer malware including a file infector, some backdoors, random adware and god knows what else...
So you can imagine there wasn't much we could do about it, this computer was TOAST.
Then this user told me that he was actually PROUD of the fact that he managed to get 4 different computers infected/damaged in a short period of time.
Excuse me?



That's where I ended my support - told him to format and reinstall Windows and never use a computer anymore.

This is once again an example of why some people should be restricted from using computers, and a perfect addition to my previous rant: "The Neverending story".
Oh, and yes, I do agree with Eugene's Final thoughts - with the addition that Internet access should be restricted for such people as in above example.

MEDION Akoya Mini 10" Netbook E1210



Yes, that's going to be my new notebook. This is the Aldi offer in Belgium for this week and since I always wanted a "mini notebook" to take everywhere with me, this looks like the ideal one for me.
My other notebook (the older one) died in the meantime after the "coffee accident" I blogged about last month. I'm still surprised that it worked for a couple of days afterwards, so I could back up important data. So in a way, I was lucky.

Specifications of the Medion Akoya Mini are:

1.6Ghz Intel® Atom™ Processor N270
Intel® Atom™ Processor – a new series of very low power processors developed by Intel® especially for Mobile Internet Devices (MIDs) and for a new class of more affordable, smaller and fully functional computer systems built to provide fast, easy internet access. These ‘Netbooks’ are impressive thanks to their ease-of-use, portability, powerful wireless LAN functionality and long battery life.

Windows® XP Home Edition
(incl. Service Pack 3)

10" TFT Widescreen Display
1024 × 600 pixels

80GB SATA hard drive
for more than 16,000 music tracks or photos**

1GB RAM

Fast WLAN Wireless LAN 802.11 b/g +
Draft-n with up to 300 MBit/s.*

Intel® Graphics Media Accelerator 950

Connectivity
USB 2.0, Memory card reader and much more...

Integrated webcam

Connections

* Multi-card reader for SD, MMC, Memory Stick
* 3× USB 2.0
* 1× VGA out
* 1× network (RJ45)
* 1× line out

Also included

* Li-ion battery and mains power adaptor

Dimensions and Weight

* Approx. 260 × 180 × 19/31.5mm
* Approx. 1.2kg incl. battery

Bag and Bluetooth dongle are also included.

And this for 399 euro!

More info also here: http://www.medion.de/ms/aldi/md97160/au/flash.html

I guess I'll have to hurry before they are sold out.

Monday, October 13, 2008

Fake sysaudio.sys causes Searchengine Hijack

What is this infection about...
It actually loads a script, so search engine results are loaded within a script. For example, when you search for something in Google or another search engine, you get this when you view the source:

script src= //78. 157. 142. 58/ and then the search engine results,
or
script src= //209 .85 .171 .9/ and then the search engine results.
(more may be present as well)

So, whenever a popular search engine is being used, a script is loaded to insert its results. For example, for a search for "How to remove rootkits with icesword", you get irrelevant results. Screenshot here:


This only applies for the first page of the results.

It looks like stopzilla.com is also promoted via this piece of malware
Example:


As far as I know.. this one is getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs.

The responsible file for the searchengine hijack is sysaudio.sys, (which is actually a DLL) dropped in the %sysdir% folder (system32 folder).

Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key
with value and valuedata:

"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"

Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far, there could be more)

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv, which are also present in the %sysdir% folder.
(there could be more already - newer variants)

Anyway, this is another method being used to "hide" its presence because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or "aux" value in the registry. Ask for help if you're not sure.


UPDATE!!!
A new variant is Windows\system32\wdmaud.sys <== bad one
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!!

UPDATE2!!!

And again a new variant is around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir (previous variants were detected as Trojan.Daonol).
Redirections go for example to 209.85.171.199 - or you see 7.7.7.0 in the status bar.
This time, it uses a random file name. To find it, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look at what's present under the "aux" values (aux1, aux2, aux3, aux4...). One of them is the cause. It's a "weird" looking file path and name; examples are: "C:\WINDOWS\system32\..\sjkemx.iqd" or "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" - note the reference named "..", which actually refers to "go up two levels".
To find the file itself, the easiest way is via Windows search. If it comes back immediately after you have removed it, you can use the "HijackThis - Delete on reboot" option, or any other tool that is able to delete files on reboot.
In case you can't launch regedit (it crashes when you launch it), rename regedit and try again.
If you're unsure, don't delete anything, but ask for help instead.
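The two loading-point checks described above (the fixed "aux"="sysaudio.sys" pattern and the later "..\random.ext" variant) can be scripted against a .reg export of the Drivers32 key, so a helper can review it without touching the registry by hand. The following is an added example, not code from the blog or any of the tools it mentions; the .reg text is a constructed export, and the legitimate-value list is the one given in the post. Python's ntpath resolves the ".." component the same way Windows does, to the parent directory, which shows where the file really sits.

```python
"""Check the Drivers32 "aux" values that the fake sysaudio.sys / Daonol
variants use as a loading point.

Added example, not from the original post. The .reg text below is a
constructed export; the legitimate-value list comes from the post.
"""
import ntpath
import re

# Values the post lists as the usual legitimate data for "aux".
KNOWN_GOOD_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

def parse_reg_values(reg_text, key_path):
    """Return {value_name: data} for the REG_SZ values ("name"="data") under
    key_path in a .reg export; doubled backslashes are unescaped. Drivers32
    only holds string values, so other types are not needed here."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key_path.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line) if in_key else None
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def check_aux_values(values):
    """Return (name, data, reason) for aux, aux1, aux2 ... values that look
    planted rather than like an audio driver mapping."""
    findings = []
    for name, data in values.items():
        if not re.fullmatch(r"aux\d*", name, re.IGNORECASE):
            continue
        lowered = data.lower()
        if lowered in KNOWN_GOOD_AUX:
            continue
        reasons = []
        if "\\..\\" in data:
            # ".." steps up to the parent directory, so the file really lives
            # one level above the directory written before it.
            reasons.append(f"parent-dir trick, real path {ntpath.normpath(data)}")
        if lowered.endswith(".sys"):
            reasons.append("kernel driver name used as an aux driver (fake sysaudio.sys pattern)")
        if not reasons:
            reasons.append("not in the known legitimate list")
        findings.append((name, data, "; ".join(reasons)))
    return findings

# Constructed .reg export: one legitimate "aux", one fake sysaudio.sys entry
# and one of the random-name variants described in UPDATE2.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux2"="sysaudio.sys"
"aux3"="C:\\WINDOWS\\system32\\..\\sjkemx.iqd"
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"""

def suspicious_aux_entries(reg_text=SAMPLE_REG):
    """Parse the export and return the suspicious aux* entries."""
    return check_aux_values(parse_reg_values(reg_text, DRIVERS32_KEY))

if __name__ == "__main__":
    for name, data, why in suspicious_aux_entries():
        print(f'"{name}"="{data}"  <-- {why}')
```

Run it over a real export (regedit, File > Export on the Drivers32 key) by passing the file contents to `suspicious_aux_entries`; anything it reports still needs a human check against the machine's actual audio driver before the value is removed, exactly as the post says.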

Update: A Great, detailed writeup by MAD (French)

To receive help to remove the infection or similar infections, register at one of the forums present on the right, or register at my personal forum here. It's a Dutch forum but I also give English support.

Friday, October 3, 2008

Something, somewhere, went terribly wrong.


A t-shirt I ordered - arrived today...

I love it!! :)

Wednesday, October 1, 2008

MySpace/FaceBook worm causes confusion in HijackThislogs

This blogpost is actually a warning for people who are helping others to get rid of this worm via HijackThis-logs.
Here's some more info about the worm itself and how it is being spread:
http://www.kaspersky.com/news?id=207575670
http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html

This worm is also known as Net-Worm.Win32.Koobface.*

People are complaining about Google Redirects, slow computer in general and browser freezing or shutting down whenever they want to log into their FaceBook or MySpace account.
The files responsible for this infection are:

%WinDir%\kenny**.exe (** stands for a number, in this case 16, 17, 18..), runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with displayname sysftray2
%WinDir%\fmark2.dat
%ProgramFiles%\TinyProxy\TinyProxy.exe or %ProgramFiles%\ProtectService\ProtectService.exe which runs as a service.


It also modifies the Proxy to http=127.0.0.1:8181
To fix this:
In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

To remove this infection, just delete the %ProgramFiles%\TinyProxy folder or %ProgramFiles%\ProtectService folder it has created + the %WinDir%\fmark2.dat and %WinDir%\kenny**.exe files + restore proxysettings.
It's recommended that you do this in Windows Safe mode since this infection (mainly the service) is active in Windows normal mode.
There could be newer variants present already.

Now, what's the confusion with HijackThislogs and people who are guiding others with malware removal via HijackThislogs...

Let me explain how HijackThis.exe enumerates the services...
For example, let's take the legitimate Nvidia Display service:

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What's between the brackets is the Servicename. In this case "NVSvc". That's how the service is registered in the registry.
The Displayname is "NVIDIA Driver Helper Service". This is how you see it in services.msc for example. This is also set under the Servicename with value "Displayname".
The "C:\WINDOWS\system32\nvsvc32.exe" refers to the "ImagePath" value set under the "NVSvc" service. This means the file responsible for running as a service.

In case there are no brackets, then it means that the Servicename is the same as the Displayname, for example:

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

In this case, "Apple Mobile Device" is the servicename and displayname.

If people check and fix an O23 entry in HijackThis, HijackThis doesn't delete the service, but disables it instead. This means it changes the "Start" valuedata for the service to dword:00000004, which means disabled.
So when a malicious service is present and you fix it in HijackThis, it won't remove the service. It will only disable it.
That's why a lot of helpers who are guiding with HijackThis logs are taught to delete the service in the registry as well. The sc delete "servicename" command is the commonly used command here.

Now let's compare one of these malicious TinyProxy.exe or ProtectService.exe Services..
That's how they look in a HijackThislog:

Some examples:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: NMIndexingService (NMIndexingService) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe




In this case, let's take O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe as an example.

People who are used to working with HijackThis logs would think: "Netman" is the servicename and "Network Connections" is the Displayname.
Yes, that's how it looks.
But... the service "Netman" is a LEGITIMATE service and the Displayname "Network Connections" matches as LEGITIMATE as well. Normally HijackThis whitelists these services.
Now what? Does that mean that this service in the registry was modified and the "Imagepath" value under the "Netman" service was changed to "C:\Program Files\TinyProxy\TinyProxy.exe" instead of %SystemRoot%\system32\svchost.exe -k netsvcs (which is the default valuedata for this one)?
Yes, that's a possibility... we've seen it before.
In such cases, after you have removed the offending folder C:\Program Files\TinyProxy, you need to restore the default "Imagepath" valuedata again to the legitimate one.

HOWEVER, I found out that this infection isn't modifying any legitimate services at all!
After a bit of research - comparing logs and testing with some dummy services - it appears that this infection creates a new service instead, but makes sure it matches a legitimate service and causes extra confusion in HijackThislogs.
Example:

Let's create the service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"Displayname"="Network Connections (Netman)"
"ImagePath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,25,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,\
00,79,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,00,79,00,2e,00,\
65,00,78,00,65,00,00,00
<== which translates to %ProgramFiles%\TinyProxy\TinyProxy.exe
"Start"=dword:00000002 <== which means "autostart"


The service "Network Connections (Netman)" isn't legitimate since the legitimate service is actually "Netman".
But, since the "Displayname" in above example matches the servicename here, in HijackThislogs, it will show as:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

While the servicename is actually: "Network Connections (Netman)" and NOT "Netman"!!

The result of this is that many helpers look at the servicename in HijackThis (the one between brackets) and, since it has a malicious file attached, some don't think further and assume that the service itself is malicious as well (without knowing that it may be a legitimate service) > result > they ask to delete the legitimate service from the registry using the sc.exe delete command.
And yes, a Threatexpert report also reveals how it has created its service. Example: http://www.threatexpert.com/report.aspx?uid=b72eb6f9-00dd-442b-8a08-f095ca088e31
In Threatexpert's example...
"TrkWks" is the LEGITIMATE service, but in this case, as you see in the above report, the service "Distributed Link Tracking Client (TrkWks) " was created.
Slightly different from what I've tested with dummy services, but it does make sense. In the above example, the service has an extra space after the service name, and since the "Displayname" is the same, it will show like this in an original HijackThis log (since displayname and servicename match):

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe (note the extra empty space after (TrkWks) and -)**

But since people are posting this at forums, the forum software strips that empty space anyway.
The same applies for the Threatexpert report itself imho, where it also strips the extra space in the service name/service key if no subkeys are attached.

** After I have posted this, I noticed that this blogpost also strips the extra space after the services name..

Anyway, imho, I'm pretty sure that whoever developed this infection is well aware of HijackThis and how it displays its entries, and did this to cause some extra confusion for helpers.
And that's why I posted this warning in the first place, because I've seen it happen a couple of times already: legitimate services were deleted > result > no internet access anymore, or something else was broken because of this confusion in HijackThis.
That's why, before you delete a service in the registry, make sure first that it's not a legitimate service!
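To make the ambiguity concrete, here is an added example (not code from the blog, HijackThis or the worm) that reads a Services key export the way the dummy-service test above does: it decodes the hex(2) ImagePath, renders each service the way the post says HijackThis builds an O23 line (DisplayName, then the registry key name in brackets unless the two are identical), and flags key names that themselves look like "DisplayName (ServiceName)" while a real service with the inner name exists. The .reg text is a constructed export; the TinyProxy ImagePath bytes are the ones quoted in the post, the svchost path is the default the post gives for Netman. HijackThis's owner column is left out because this script has no file to read version info from.

```python
"""Reconstruct HijackThis-style O23 lines from a Services registry export
and flag decoy service keys whose *name* mimics "DisplayName (ServiceName)".

Added example, not the blog's or HijackThis's own code. The .reg text is a
constructed export; the TinyProxy ImagePath hex is the one quoted in the
post. The owner column HijackThis prints is left out.
"""
import re

SERVICES_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(.+)\]$")

def decode_hex2(hexdata):
    """hex(2) is REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes,
    with '\\' marking a continuation line."""
    raw = bytes.fromhex(hexdata.replace(",", "").replace("\\", ""))
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_reg_services(reg_text):
    """Return {service_key_name: {value_name: data}} from a .reg export."""
    services, current, pending = {}, None, None
    for line in reg_text.splitlines():
        if pending is not None:                      # hex(2) continuation
            pending[1] += line.strip()
            if not line.rstrip().endswith("\\"):
                services[current][pending[0]] = decode_hex2(pending[1])
                pending = None
            continue
        m = SERVICES_KEY_RE.match(line)
        if m:
            current = m.group(1)                     # spaces/parens kept as-is
            services[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line) if current else None
        if not m:
            continue
        name, data = m.groups()
        if data.startswith("hex(2):"):
            pending = [name, data[len("hex(2):"):]]
            if not data.endswith("\\"):              # single-line value
                services[current][name] = decode_hex2(pending[1])
                pending = None
        elif data.startswith("dword:"):
            services[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            services[current][name] = data[1:-1].replace("\\\\", "\\")
    return services

def hjt_o23_line(key_name, values):
    """O23 line as the post describes it: ServiceName in brackets after the
    DisplayName, or the DisplayName alone when both are identical."""
    display = values.get("DisplayName", key_name)
    label = display if display == key_name else f"{display} ({key_name})"
    return f"O23 - Service: {label} - {values.get('ImagePath', '')}"

def find_decoy_services(services):
    """Flag keys named like 'Display (Name)' whose inner name is a different,
    existing service, plus keys with stray leading/trailing whitespace."""
    findings = []
    for key_name in services:
        m = re.fullmatch(r"(.+?) \((\S+)\)\s*", key_name)
        if not m:
            if key_name != key_name.strip():
                findings.append((key_name, "service key name has stray whitespace"))
            continue
        inner = m.group(2)
        if inner in services and inner != key_name:
            findings.append((key_name, f"decoy: real service is '{inner}', "
                                       f"delete the key named {key_name!r}, not '{inner}'"))
        else:
            findings.append((key_name, "key name contains '(...)'; verify before deleting"))
    return findings

# Constructed export: the real Netman service next to the decoy described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"DisplayName"="Network Connections"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"DisplayName"="Network Connections (Netman)"
"ImagePath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
  6c,00,65,00,73,00,25,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,\
  00,79,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,00,79,00,2e,00,\
  65,00,78,00,65,00,00,00
"Start"=dword:00000002
"""

def analyse(reg_text=SAMPLE_REG):
    """Parse, render the O23 lines per key, and list decoy findings."""
    services = parse_reg_services(reg_text)
    lines = {k: hjt_o23_line(k, v) for k, v in services.items()}
    return services, lines, find_decoy_services(services)

if __name__ == "__main__":
    services, lines, decoys = analyse()
    for line in lines.values():
        print(line)          # the two labels come out identical
    for key, why in decoys:
        print(f"!! [{key}] -> {why}")
```

Both services render to a line starting with "O23 - Service: Network Connections (Netman)", which is exactly the confusion the post describes; only the ImagePath differs. The decoy finding names the key to remove with its full name, brackets included, so `sc delete` is not aimed at the real Netman.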

I have not played with this infection itself yet (no samples available) - so my analysis is only based on logs/research and testing.
Samples are welcome. :-)
Samples received. Thanks readers :)

Friday, September 19, 2008

Fujitsu Siemens Amilo - RIP..... for now.....


This was going to happen some day anyway...
I finally managed to spill a full mug of coffee (big size) all over my laptop.
In less than a second, the coffee had covered my entire computer desk. Luckily, my other laptop next to it was on a notebook cooler pad, so that one was saved.
The screen went black immediately, strange noises from underneath... and I swore like never before.
Unfortunately, the swearing didn't work, so instead, I immediately disconnected the power supply and took out the battery.
I put the unit on its side and the coffee was dripping out. I left it in that position for at least an hour. I cleaned the rest of the mess I made, apart from the stains on the wall (Mr Proper can take care of that).
Then I turned it upside down, opened it and I'm going to let it dry for at least 24 hours.

In a way, I'm glad I don't like milk and sugar in my coffee, so maybe there's still hope... but I doubt it.

My dear Fujitsu Siemens Amilo, May The Force Be With You.

UPDATE! I couldn't wait any longer (waited for two days to let it dry)... so... it's up and running again!! No issues so far - everything works. I was really lucky :-)

Wednesday, September 17, 2008

AntiVirus, Internet Security and Total Security Performance Benchmarking by Passmark.

I actually never really paid attention to comparison/testing reports about Antivirus and Security Suites especially related with "best detection", "best removal" etc etc.. This, since I have my own opinion about this :-)
However, this is a different test, a performance test of several different Antivirus products and Security Suites/Total Security Products by Passmark.

- The Performance tests:

* Boot Time
* Scan Speed
* User Interface launch Speed
* Memory utilization
* Installation Time
* Installation Size
* Registry Key Count
* File Copy, Move and Delete
* Installing Third Party Applications
* Binary File Download Speed
* File Format Conversion
* File Compression and Decompression
* File write, Open and Close

- Overall Ranking in comparison with other products:



It looks like Norton Internet Security 2009/Norton Antivirus 2009 is a winner here in comparison with previous tests and older versions.

Anyway, "decide" for yourself and read the full report here: http://www.passmark.com/ftp/antivirus_09-performance-testing-ed1.pdf

Still, imho, the best way to decide what Antivirus/Security Suite to use (for best performance) is to install it and see how it runs on your computer. After all, every computer is different.
If it runs fine and you're satisfied with the Antivirus or Security Suite, then keep it.

Saturday, September 13, 2008

I'll be back - (with a Female Schwarzenegger-style voice)

Many people already contacted me in the last couple of days, wondering where I am, why I'm not that active anymore on forums, my blog etc etc..
Well, I have been really busy lately IRL. This involves, searching for a new job (which is still undecided yet), some family related issues and some other stuff I won't post in public :-)
This is exhausting, I'm tired.. and explains why I'm not that active anymore lately. After all... IRL is still a priority.
However, latest Security threats are still one of my priorities as well - so I'm trying to keep up to date as much as possible. :-)

Anyway, I'll be back when things are sorted out... which will be soon (I hope) :-)

Thursday, September 4, 2008

Feedly - Recommended news and RSS feed aggregator for Firefox.

I've been testing Feedly for about two weeks now and I must say...I really like it! Feedly is a news and RSS feed aggregator similar to Netvibes and iGoogle - a social and magazine-like start page.
Feedly is integrated with Google Reader - so in case you were using Google Reader in the past, any subscription you add to feedly will be added to Google Reader and vice versa.



To quote some Feedly features:

* The welcome wizard can learn from your existing personalizations - bookmarks, My Yahoo!, Bloglines, Netvibes, Twitter, Yahoo Mail, Gmail and Friendfeed - and apply them to your feedly.
* The what's new? page provides a real-time summary of the most relevant content available on the web based on your interests, your reading patterns and recommendations from your friends.

* The annotation tool makes it easy to clip the most interesting parts of an article and share them with your friends. It also allows you to easily search for related information.

* The feedly+twitter integration allows you to easily spread the word about articles you find interesting. In context.

* The wall gives you a quick overview of all the articles recommended and annotated by your friends. It combines your activity on both twitter and feedly.

* The explore module adds a pinch of serendipity by continuously suggesting new sources you might be interested in.

* The search bar allows you to perform a personalized search across your favorite sites.

* The dashboard makes it easy to get an at-a-glance view and manage all your favorite sources.

* The feedly API allows content owners to extend their reach by taking control over various aspects of the feedly UI. It will also allow third party developers to create new UI experiences (see cover, screensaver and feedly+flick'r for example) or weave in new annotation extensions (see Yahoo finance for example).


http://www.feedly.com/features.html

I also like the "screensaver" option, which displays a slideshow of pictures from the RSS feeds you're reading.



Anyway, you should try it!

Monday, August 25, 2008

Andromeda AV and AntiVirus PRO 2008 - new Rogue scanners

I helped someone today who had Andromeda AV installed on their computer.
According to the user, it was installed automatically. I'm still waiting for more info on where and/or how it was installed.
There are not many hits for this scanner via search engines yet, so I suspected this was a new rogue antivirus, especially after I found the website
andromeda-av. com, where Antivirus PRO 2008 was hosted as well (antiviruspro2008. net).
All these rogues look the same anyway:




For Andromeda AV..
This one installs as a service called AndromedaAVService (system32\AndromedaAv.exe) and a driver AndromedaAvDrv (system32\drivers\winav.sys).

The interesting part is that it creates some extra files in the system32 folder and the dllcache folder (actually renamed copies of Microsoft files) and afterwards detects those renamed copies as infected.
For example, rproxycfg.exe, which is the legitimate file proxycfg.exe; hiissuba.dll, which is the legitimate file issuba.dll; vcliconfg.dll, which is the legitimate cliconfg.dll, etc.
It doesn't alter the original files, it only adds renamed copies of them.
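One way to spot this "renamed copy" trick from the defender's side is to hash every file in a folder and report names that share byte-identical content. This is an added example, not part of the original post or of any AV product; the folder and file contents are constructed stand-ins for system32 (on a real machine you would point it at %SystemRoot%\system32 and dllcache).

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-in for the real folder: on a live system the content would be
# the genuine Microsoft binaries; a few bytes are enough to show the method.
CONSTRUCTED_FILES = {
    "proxycfg.exe": b"MZ-proxycfg-legit",
    "rproxycfg.exe": b"MZ-proxycfg-legit",    # byte-identical copy under a new name
    "issuba.dll": b"MZ-issuba-legit",
    "hiissuba.dll": b"MZ-issuba-legit",
    "cliconfg.dll": b"MZ-cliconfg-legit",
    "vcliconfg.dll": b"MZ-cliconfg-legit",
    "kernel32.dll": b"MZ-kernel32-legit",     # no copy: must not be reported
}


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_renamed_copies(directory):
    """Return {original_name: [copy names]} for files with identical content.

    Within a group of byte-identical files the shortest name is taken as the
    original and the rest as copies. Sorting is case-insensitive because the
    Windows file system is.
    """
    by_hash = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            by_hash[sha256_of(path)].append(name)
    report = {}
    for names in by_hash.values():
        if len(names) < 2:
            continue
        names.sort(key=lambda n: (len(n), n.lower()))
        report[names[0]] = sorted(names[1:])
    return report


def padded_copies(report):
    """Subset of the report where every copy is the original name with
    characters prepended (r+proxycfg.exe, hi+issuba.dll), the exact pattern
    described above."""
    return {
        orig: copies for orig, copies in report.items()
        if all(c.lower() != orig.lower() and c.lower().endswith(orig.lower())
               for c in copies)
    }


def build_constructed_dir():
    """Write the constructed sample files into a temp folder and return its path."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    for name, data in CONSTRUCTED_FILES.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    folder = build_constructed_dir()
    for orig, copies in sorted(find_renamed_copies(folder).items()):
        print(f"{orig}: identical copies -> {', '.join(copies)}")
```

Treat the output as leads rather than verdicts: a legitimate system can hold identical files under different names, so compare each reported copy against the original in dllcache and check whether the rogue's "detections" line up with the list.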

Andromeda AntiVirus installed on a clean system (XP Pro):




Threatexpert report here.

Monday, August 18, 2008

The Lists have moved



Quote from Javacool:

I'm happy to announce a new, dedicated home for the CLSID + other helper lists: http://www.systemlookup.com

The list maintainers, contributors and I have been working on this site non-stop, and enough features are up and running to get it in the hands of the people that need it. :)

Although global search of all lists isn't yet up, you can browse and search by list: http://www.systemlookup.com/lists.php
The following lists are currently available, with more (the O4s and others) coming soon:

* CLSID List - BHOs, Toolbars, SHs, Explorer Bars
* O9 List - Internet Explorer Buttons
* O10 List - Layered Service Providers
* O18 List - Extra protocols
* O20 List - AppInit_DLLs & Winlogon Notify
* O21 List - ShellServiceObjectDelayLoad
* O22 List - Shared Task Scheduler
* O23 List - Services


We look forward to continuing to improve the site and building some great new features to make things even easier.

But for now - Enjoy! :)

Best regards,

Javacool & the List Maintainers and Contributors:

TonyKlein
miekiemoes
Metallica
random/random
nasdaq
teacup61
Marckie
Zupe


Feel free to share this announcement anywhere else.

Sunday, August 17, 2008

Your illegal internet activities are being logged

I've found a lot of posts on several different forums recently where people are discussing a mail they received from MediaDefender which says that their illegal internet activities are being logged.

Content of the mail:


Dear User!
Your recent internet activity was logged on the following sites:
• Btjunkie
• SumoTorrent
• isoHuntBtscene
• Mininova
• Fenopy
• Monova
• Yotoshi
• GetInvites
• Btmon
We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201–1205, 1301–1332; 28 U.S.C. § 4001 laws.

Sincerely,
MediaDefender Inc.


This mail also contains an attachment, a so-called report of their illegal activities. Of course the attachment is malicious and appears to be a W32.Mytob@mm variant.

Sneaky tactic, since many people actually do use P2P to get their (illegal) software, so they will certainly open the attachment (if it wasn't already removed by their antivirus) to see what exact activities are being logged.
If you receive similar mail, delete it asap and certainly do not open the attachment.

More detailed info and screenshots of the mails can be found at TrendLabs

Wednesday, August 13, 2008

Joomla! Password Reset/Remind Functionality vulnerability - update asap!

A serious security vulnerability was found in the popular CMS software Joomla! (1.5.x, including 1.5.5).
The vulnerability/bug resides in 'com_user/models/reset.php', which allows an attacker to remotely change your Joomla administration password since it can reset the password for the first enabled user (the admin user).



The exploit can be found here. It already affected a lot of Joomla! users. Example.
So if you are running Joomla! (1.5.x, including 1.5.5) then you should update asap to version 1.5.6 or newer.

More info here

Thursday, August 7, 2008

Beware of fake email from Microsoft!

This is a mail I received in my spambox today:

Sender: admin @ microsoft. com
Subject: Internet Explorer 7


Download the latest version!
About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052




This mail pretends to come from Microsoft, but it's not. There are many different links being used for the download.
If you click the link and install the file, then it downloads/installs the rogue security software Antivirus XP 2008 and its related files. See here for an older threatexpert report of what it may install.
It's detected as Trojan-Downloader.Win32.Small.aafh (Kaspersky Lab), Trojan.Dropper (Symantec), TROJ_RENOS.ADX (Trend Micro), Troj/FakeAle-EF (Sophos), TrojanDownloader:Win32/Renos.DI (Microsoft).

So beware if you receive similar mails and do not click the link in the mail.

Monday, August 4, 2008

I don't use an Antivirus, because I have never been infected...

... said the user while his computer was crippled with malware. His answer didn't make sense: how would he know that he had never been infected if no scanner could alert him?
He asked for my help because his Internet Explorer browser crashed frequently and his computer was crawling. Although he did get popups as well, he didn't really see this as a problem because he had a good popup blocker. O_o
No way malware was causing this (according to him). It has always been like that..... (so you can imagine how long he was infected already...)
And yes, I've found malware from years ago: DollarRevenue crap, EliteMedia, leftovers from the Alcan worm, and a recent Zlob Media variant.

Time to make him aware that his computer really is infected, so the only way to show him the facts is to install an Antivirus....
He was shocked once the scanner started to detect and delete the files. Funny part here was, a HUGE amount of infected files were present in his Limewire shared/complete folder (because of the Alcan Worm, which was luckily already disabled). So it was an extra shock for him since more than 1000 files were already detected and deleted there.
After all, we could clean everything and I'm sure he would never uninstall his Antivirus again. :-)
Shock therapy is really needed once in a while.



Recently I've been reading many articles, blog posts and discussions about antivirus software and security suites: which one is the best, and whether it's really needed nowadays since a lot of malware can bypass security software, or scanners don't even detect it.
When I read this, I'm always wondering what these people actually do online if they are complaining that their security software couldn't prevent or detect the infection they are dealing with. Of course you'll get infected if you use 4 different P2P managers and download everything from there. Of course you'll get infected if you visit illegal sites. Of course you'll get infected if you click every link in your mails.
Even with the best security software installed, you can get infected if you visit the sources where malware is lurking.
You can even get infected by visiting a (compromised) legit site.
So why blame your security software? Also, A LOT of people only install an antivirus after they got infected... in order to remove the malware... and if it fails to remove the malware, then they complain.

So YES, an Antivirus / Security Software is really needed, not necessarily to remove the malware, but to PREVENT the malware in the first place. It can prevent/detect/delete a lot of malware, but can't prevent all since a lot of new malware is created everyday. After all, it's still better to prevent 80% of the malware than no detection/prevention at all.

Sunday, August 3, 2008

In between message...

One of my shortest blogposts ever...

Almost back... So stay tuned for some new "Security rants" - and some vacation pictures - maybe :-)

Monday, July 14, 2008

Q is good for you

Well, it really is! Nothing security related right now since I'm taking a break, but I wanted to share this with you...
If you're in Belgium and you really need a break, chill out, then you really should visit the Q-Beach House! http://www.q-music.be/beachhouse/



Q-Music is a popular radio station in Belgium and even though I don't live in Ostend, it's my place to be to chill out.
My afternoon starts with a Mojito - (the best I ever had) - then a Sangria Samba with Pampero rum, then another Mojito and another Sangria....and.... well, I can assure you... a day you won't forget!



Great music in between - One - U2, This is the life - Amy Macdonald, Modern World - Anouk and so many others! Great view as well..



Alexandra Potvin, http://www.q-music.be/page/alexandra, one of the radio presenters:



She's just great!
So if you really need a break, visit the Q-Beach House!
See you there!

More "holiday pics" will follow soon...

Wednesday, July 9, 2008

Vacation Time

It's finally vacation time - so time to take a break and stay away from my computer/laptop as much as possible.



Be back in 3 weeks.
Later!

Tuesday, July 8, 2008

Internet Explorer Options won't load in Internet Explorer 7

This is nothing malware/security related - but I'm sure it will interest people who encountered the same issue, or helped someone with the same issue.
So, for the uninterested ones, skip this section and read another blog. :-)

If I encounter Windows issues, I always want to figure out what's causing them, so I can learn from it. In this case, when you try to launch the Internet Explorer options via IE > Tools menu, you get the hourglass, but nothing happens.
I've researched this issue via search engines and couldn't find a proper solution (most probably I've missed it).
This is not a policy related issue where the Internet Explorer options are disabled, otherwise you would get an error message.
The same happens when you do this via start > control panel > Internet Options.
Also, when you enter inetcpl.cpl via start > run (or the command prompt), you see the hourglass, but nothing happens.
And that's why I wanted to figure out what's causing this and how to solve it, since this is actually a common issue in IE7 (judging by what I found via search engines).
A solution I found was to replace the inetcpl.cpl file from the C:\WINDOWS\ie7 folder. So the inetcpl.cpl from the ie7 folder should be replaced with the one present in the system32 folder. It works, but doesn't make sense since the inetcpl.cpl file present in the ie7 folder is the previous version and shouldn't be used anyway.
Also, Windows Update contains a lot of IE updates which patch the inetcpl.cpl file, so you would think that an update may fix this issue.... Well, it doesn't, since it's actually not an issue with inetcpl.cpl itself.
So, time to test what could cause this: launch inetcpl.cpl and see what other files are loaded as well... and one of them was inetcpl.cpl.mui. This file is present by default in the %Windir%\system32\nl-nl folder (in case you have a Dutch version of IE), or the %Windir%\system32\en-US folder (in case you have an English version of IE), or any other language dependent subfolder there.
Reference thread here btw, http://support.bluemedicine.be/mybb/showthread.php?tid=2268&page=1 (Sorry, only Dutch).
And.. in this case, the inetcpl.cpl.mui file was missing.
I actually really had no clue that this could be the main cause, until I asked the user to replace/restore the file again and place it in the correct folder. After all, if you don't try, you won't know. And this actually worked! The Internet Explorer options could be launched again.

This helped in this situation, so not sure if that's actually the solution in general for the same issue (IE Options won't load - nothing policy related). So if anyone has encountered the same issue and above solution worked (inetcpl.cpl.mui was missing and you "restored" it), let me know. :)

Monday, July 7, 2008

Backup your data frequently!

I've already discussed the backup option in Windows Vista previously - However, I'm still amazed that many people don't back up their important data at all, including companies.
A Dutch company contacted me today and asked my advice about a file infector which infected 6 of the 10 computers present there. They have tried several Antivirus Scanners and none of them could properly disinfect the files. Some files were properly disinfected, other files were corrupted after disinfection and some files couldn't be disinfected at all.
2 of the 6 infected computers couldn't load Windows anymore because of the malware present and the damage it already caused.
So I recommended them to format and reinstall Windows - After all, this is still the fastest and safest solution, ESPECIALLY since these computers are used for work.
There was one big problem.... there were no backups present. All the important data, documents and programs they used had never been backed up.. ever! This is not the first time that I've helped someone with a company owned computer, crippled with malware, and no backups ever made.
That's why I can't stress enough how important it is that you back up your data frequently. As a matter of fact, not only companies, but everyone should invest in backup software and back up frequently.



There are 2 types of backup software: File Backup Software and Disk Imaging Software.

File Backup Software is designed to back up important files and folders on your computer such as documents, some programs, emails, pictures, music, etc.. Most File Backup Software has an option to back up your data automatically.
The File Backup Software I recommend is:

* Handy Backup
* Genie-Soft Backup Manager
* Double Image
* BackupNow!
* Acebackup

Disk Imaging Software is designed to be a complete system recovery solution. It creates an exact copy of your hard disk, including installed programs, the registry, all computer data etc. So in case of disk failure, you can restore it from the image you backed up.
The Disk Imaging Software I recommend is:

* Acronis True Image
* Norton Ghost
* Paragon Drive Backup
* NovaBackup

Don't wait until it's too late, back up your data today!

Friday, June 27, 2008

Malware Removal - Where to draw the line

A little intro first...
As many of you know (or don't know), I guide people with removing malware from their computers, or help them with other Windows issues not related with malware. This mainly happens via forums and newsgroups. I used to guide people via mail as well, but quit that since I don't have the time for that anymore.
"Step by step" instructions are really needed since many people don't know much about computers, and without detailed instructions they could make things worse. Even when detailed instructions are given, with screenshots and whatnot included, some still have problems performing the steps properly.
Yes, a lot of patience is needed in many cases.
Many already asked me why I am doing this, offering almost all of my free time as a volunteer to help other people online. Well, there are several reasons why I am doing this...

1st... My hunger for knowledge. I love to learn and want to learn something new everyday. Fixing computers is like solving a puzzle for me, to find the cause and try different solutions. It's always a challenge to find and understand the cause in the first place. Without a cause, you can't offer a proper solution either.
In case of malware removal - it's a challenge to find the loading points, what it changes/modifies, how it behaves in general - and based on that you can give the proper instructions how to remove it and restore whatever it has broken/modified.
Next time if you see the same problem again, then you already know how to deal with this - something you've learned and remembered.
I don't want to give instructions/solutions if I don't understand them in the first place, because that wouldn't make sense and I learn nothing from this.

2nd... As I said, many people still don't know much about computers. I don't really see this as a problem, as long as they know how to secure their computer. Unfortunately many don't know anything about this. They don't even know what an antivirus/firewall is, why it is needed and what the dangers of the internet are. Many don't take this seriously either and always think that this won't happen to them - until it happens (sooner than they think).
Another lesson learned, I hope. Some will never learn, as I explained here - or don't see the need to secure their computer, as explained here.
Prevention is better than removal... and that's what I try to teach these people. If more people would take this more seriously, secure their computers and always be careful where they surf, what links they click and what they download, then I'm sure that the internet would be a bit safer for anyone.

3rd... I just love to help people in general. If they ask for help and I know how it can be solved or where to find the solution, why wouldn't I help them then? A simple "Thank You" afterwards, the appreciation you get already means a lot to me. I'm always glad that I could teach something and hope that they will learn from it as well.

Also, Budfred's Rant: Volunteers and Malware Criminals sums it up nicely with more reasons why I am doing this and as you'll also read there, volunteers don't always get the appreciation for what they are doing.

Through the years, malware has become more difficult to find (rootkits etc..), more stubborn to remove and nastier in general. One click on a file or link can already download and install a huge malware bundle where many different infections are installed.
You see popups all the time, your desktop wallpaper has been replaced with a "fake alert", displaying that your computer is infected (well, it IS infected, but these "fake alerts" ask you to purchase their own product in order to remove the malware they installed in the first place).
Although the fake alerts and popups/advertisements you get are the most annoying part and look the worst, as a matter of fact, they're the least of your concerns. What is hiding in the background is a more serious issue. Trojans in general, such as backdoors, password stealers, keyloggers etc.. all have their own purposes and may do a lot of damage!
And as I said, all of the above can be installed via one single click on one link or file! I've even seen file infectors/worms/bots joining the party as well.
The problem is still that many are not aware of what the other malware does, or is capable of - and are already satisfied if the annoying popups don't display anymore, their desktop background has been fixed etc..
Then they don't need further help anymore because they think that their issue is already resolved, while the biggest problem is still present, silently doing its job in the background. They are not aware that their computer is still severely infected and badly compromised... and responsible for infecting other computers on top.
And what worries me the most is that some don't even care - as long as the annoying popups are gone.

Malware compromises/damages a lot, that's a fact - and especially in case of a severely infected computer, even if I clean the malware off the computer, I cannot guarantee that the computer will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I cannot promise that I can repair all the damage it caused... Even after cleaning the malware, errors may still be present afterwards because of the damage. Solving these is not always possible since it will be like searching for a needle in a haystack to find the right cause and solution. Although I love to solve puzzles, I'm sometimes wondering if it's really worth it in such cases.

That's the main disadvantage if you guide people via forums etc, because instructions should be followed asap - and this is not always possible. Also, an internet connection is needed to read the instructions, and in case of severely infected computers, I recommend that they disconnect from the internet asap and use another computer to read the instructions from. Unfortunately, this is not always possible either since not everyone has a spare computer.
If I guide someone with cleaning a severely infected computer, it is my responsibility to make them aware of what state their computer is in, how severely infected/compromised it is, that they should change passwords afterwards etc etc.... and I won't promise them a clean computer afterwards - because that would be a lie.
I've seen cases where volunteers are helping a user with a severely infected computer, and this already for weeks....
And that's why in such cases, I throw in the towel more often and ask them to back up important data, then format and reinstall Windows. Not because I give up, but rather because it's really not worth it to clean this mess up manually and then on top restore (if possible) whatever the malware has broken/modified. In such cases, a format and reinstall is the fastest and especially the SAFEST solution.
As a matter of fact, I think it would be irresponsible of me to guide people with manual removal in such cases, knowing that removing the malware from severely infected computers takes a lot of time, especially if you're doing this via online instructions, and every single minute that this computer is connected to the internet, it may download more malware, spread more malware, collect more info, send more SPAM etc....
Also, if file infectors are involved, in 80% of the cases I recommend a format and reinstall anyway if an antivirus scanner is not able to disinfect the files (properly). Unless the person knows which files are corrupted and knows how to replace them with clean ones. But then again, it's no guarantee that everything will work properly again and that the infection is really gone.

Another article regarding this is:
When Should I Format, How Should I Reinstall.

That's why.... Where to draw the line? When to recommend a format and reinstall?

Saturday, June 21, 2008

Dutch users Alert! - Beware of fake Tax forms - episode 2

This is a follow up to my previous blog post here http://miekiemoes.blogspot.com/2008/06/dutch-users-alert-beware-of-fake-tax.html
Thanks to Jan (who was infected with this one) for sharing the samples. Some were detected by most Antivirus scanners. Others weren't detected at all, so I've sent them the samples.
It is confirmed now.. This one spreads via IM (Messenger - Windows Live Messenger). And since this is a worm, a lot of others may be infected with this one as well.
I don't know via which url yet (will find out later)

Some of the files it drops:

%systemdrive%\svchost.exe and %systemdrive%\smss.exe

svchost.exe is already detected by most scanners as Backdoor.Win32.VB.bsf. The author is Dutch, that's for sure.
As a matter of fact, Roel (Kaspersky) already posted about a variant of this one earlier. See here:
http://www.viruslist.com/en/weblog?discuss=208187474&return=1

svchost.exe and smss.exe have several different loading points. The main ones are:

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C:\Windows\System32\userinit.exe,%systemdrive%\svchost.exe
C:\Windows\System32\userinit.exe,%systemdrive%\smss.exe

* HKCR\exefile\shell\open\command
%systemdrive%\svchost.exe "%1" %*

This means the file association for exe files is replaced with the malicious file. So if the file is removed, the exe association will be broken and you won't be able to run exe files anymore.
To fix this, go to start > run > type "command.com" (without the quotes). In the command prompt, type: ftype exefile="%1" %*
This restores the default association for exe files.


* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Generic Host Process for Win32 Services=%systemdrive%\svchost.exe
Session Manager SubSystem=%systemdrive%\smss.exe

+ some extra policies:

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate
DoNotAllowSPSP2=dword:00000001
DoNotAllowSPSP3=dword:00000001

In case you were infected with this one, please make sure you change all your passwords afterwards as they may be known.
As a matter of fact, make sure you don't get infected with this one in the first place - so always be careful with clicking links in IM, even when they come from friends. Verify with the sender first if the link was sent intentionally or not.
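The loading points listed above can be checked from a registry export (reg export / a HijackThis-style dump) without touching the live registry. This is an added example, not the original post's or any tool's code: it parses a constructed .reg export, flags a Userinit value with extra programs appended, an exefile association that is not the default "%1" %*, Run entries that use the svchost.exe/smss.exe names outside system32, and the DoNotAllowSP policies. The key paths and default values are the standard Windows ones; the drive letter C: stands in for %systemdrive%.

```python
import re

# Constructed .reg export mirroring the loading points described in the post.
CONSTRUCTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,C:\\svchost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\svchost.exe \"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Process for Win32 Services"="C:\\svchost.exe"
"Session Manager SubSystem"="C:\\smss.exe"
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowSPSP2"=dword:00000001
"DoNotAllowSPSP3"=dword:00000001
"""

# Constructed export of a clean machine, used to show the checker stays quiet.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEYS = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
WU_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
DEFAULT_EXEFILE_CMD = '"%1" %*'          # what ftype exefile="%1" %* restores
SYSTEM_PROCESS_NAMES = {"svchost.exe", "smss.exe"}


def _decode_value(raw):
    """Decode a .reg value: dword:xxxxxxxx -> int, "..." -> unescaped string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \ and \" -> "
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(value)
    return keys


def masquerades_as_system_process(command):
    """True for svchost.exe / smss.exe launched from anywhere but system32."""
    command = command.strip()
    exe = command[1:command.index('"', 1)] if command.startswith('"') else command.split()[0]
    parts = exe.lower().split("\\")
    return parts[-1] in SYSTEM_PROCESS_NAMES and (len(parts) < 2 or parts[-2] != "system32")


def check_loading_points(reg_text):
    """Return a list of (location, value, reason) findings for the export."""
    keys = parse_reg_export(reg_text)
    findings = []
    userinit = keys.get(WINLOGON, {}).get("Userinit", "")
    for part in (p.strip() for p in userinit.split(",") if p.strip()):
        if not part.lower().endswith("\\userinit.exe"):
            findings.append(("Winlogon\\Userinit", part, "extra program appended; runs at every logon"))
    cmd = keys.get(EXEFILE, {}).get("(Default)", DEFAULT_EXEFILE_CMD)
    if cmd.strip() != DEFAULT_EXEFILE_CMD:
        findings.append(("exefile\\shell\\open\\command", cmd, "exe association hijacked"))
    for run_key in RUN_KEYS:
        for name, value in keys.get(run_key, {}).items():
            if isinstance(value, str) and masquerades_as_system_process(value):
                findings.append((run_key.split("\\")[0] + "\\...\\Run", f"{name}={value}",
                                 "system process name outside system32"))
    for name, value in keys.get(WU_POLICY, {}).items():
        if name.startswith("DoNotAllowSP") and value == 1:
            findings.append(("Policies\\...\\WindowsUpdate", f"{name}={value}", "service pack install blocked"))
    return findings


if __name__ == "__main__":
    for loc, val, why in check_loading_points(CONSTRUCTED_REG_EXPORT):
        print(f"{loc}: {val}  <- {why}")
```

Remove the Run and Userinit entries before deleting the files, and restore the exefile association with the ftype command above, otherwise exe files stop launching as the post describes.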

Friday, June 20, 2008

How to guide people with fixing their computers

Rule number 1: Always stay serious, don't try to laugh, no matter what.

Here's a collection of funny quotes or subjects from people who needed help with their computer. They were posted at several different forums and via chat support.
Most were collected from geekstogo forums, bleeping computers, SWI and some Dutch forums.

My favorite top 10:

10:

If I do get a new comp
Ill get windows 98
saves memory

Good idea!!

9:
Subject: "Problem with massages popping"

I wouldn't mind the massages.

8:
miekiemoes: Did you perform a scan or anything else before this happened?
user: brainscan

Guess what.. the brain was severely infected!

7:
Internet explorer was changed to pizza SLICE.

With extra anchovies, olives and mozzarella??

6:
Subject: "virus will not leave me alone!, please help me before my brain explodes!"

Please format and reinstall your brain asap!

5:
The 4 pins that are missing are around the edge of the 'gold triangle' in the corner of the CPU. I have tried replacing the pins by placing a piece of copper wire in the slot where the missing pins are but I think that might be the cause of my PC crashing so I have taken them out.

It would have been better if you used electrical wire.

4:
You know I hear something in the PC box going, like little dominos falling really fast all the darn time or like there is a bleeping little mouse in there playing a bleeping cadence on a bleeping little snare drum all the bleeping time...



3:
From a Dutch forum:
Heb een scan met verschillende progamma's gedaan maar niets gevonden. Als ik de pc opnieuw opstart krijg ik een soort alarm te horen wat een minuut lang blijft afgaan. Daarna wordt mn scherm zwart en verschijnt er een hele rij kaarsjes, die een voor een worden opgelicht....

translated:
I scanned my system with several different programs but nothing was found.
When I restart my computer, I hear an alarm for about one minute.
Then my screen goes black and afterwards, a row of candles appear on my screen which get enlighted one by one...

Happy New Year!!

2:
I am also thinking of making my monitor black and white to make those
viruses and trojans think i have an ancient pc and not worh attacking.

Best prevention ever! Thanks for the tip!

And the Winner is:

1:
Today I tried to hide my lunch bar chocolates from my brother by taping them to the inside of the side panel of my pc(total disregard for PC components I know but no way was he getting me booty) Any how the tape didn't hold and the chocolate wound up in one of the fans(not a pretty sight) -sigh-. Pc is still fine though (thank God)

you forgot to add the milk for making the chocolate mousse

Feel free to add more in the Comments section below :)

Monday, June 16, 2008

Dutch users Alert! - Beware of fake Tax Forms

This is especially a warning for Dutch users (from the Netherlands). There's malware spreading which changes your start page to a random Dutch site (.nl domain - a compromised/hacked site), presenting you with this:



Full screenshot of the form:



NOTE.. This is NOT from the legitimate belastingdienst.nl site as they DON'T ask you for this info (PINCode etc).
Even though it says it's from belastingsdienst.nl, it's NOT. Only the template from belastingsdienst.nl was used here, not the form itself.
Also note the "Microsoft Certified" and "Comodo Hacker Proof" logo to make it look like a legitimate site.

This piece of malware is especially designed to target Dutch users in order to steal their banking info.

I found this out yesterday while I was helping a user with an infected PC. The PC was severely infected/badly compromised...
There was also a .bat file present, with the command to change the Internet Explorer startpage to a random .nl site with this fake tax form.
I'm still waiting for the samples and more info how this user got infected in the first place.
I guess this infection is spread via MSN, however, I cannot tell for sure yet. The samples and extra info should tell...

So beware when you see similar forms... especially when they ask to enter your PINCode.

Update... More info about the malware itself here:
http://miekiemoes.blogspot.com/2008/06/dutch-users-alert-beware-of-fake-tax_21.html

Wednesday, June 11, 2008

Protect your family and computer with Windows SteadyState

If you have kids who use the computer frequently, then it may happen once in a while that important settings get changed, or malware and other unwanted software gets installed.
That's why Windows SteadyState may be the ideal program for you.

Windows SteadyState is mainly Parental Control software, where you can create several different user profiles and for each of the profiles you can set restrictive policies.
Example of Windows Restrictions, Feature restrictions and Block programs:




Also, under the general tab, you can set how long your kid may use the computer and you can lock the user profiles in order to prevent that they are making important changes.


But the feature I love the most is the "Windows Disk Protection".
With this option enabled, you can undo all changes - it clears all changes that were made during the last user session and resets the computer to the condition it was in before. A simple reboot is needed to reset it. You can also modify the settings to retain changes temporarily and set the date when it should revert to the previous condition.
Or you can choose to retain all changes permanently.

This is ideal in cases when the computer gets infected, or important settings were changed, or a program is causing problems after install or update etc etc..
As a matter of fact - anyone could use this feature if you like to test several settings on your computer, install software to betatest or perform any important system change if you're not sure what the outcome may be. Just revert to a previous condition if it didn't work out or retain the changes.

Windows SteadyState is FREE*
*only for genuine Windows XP / Vista

Tuesday, June 10, 2008

Top Ten excuses why people don't want to secure their computer
1. I don't have anything valuable on my computer anyway, so I don't need to worry about someone taking it over.

Actually, you have something very valuable on your computer, especially if you are on a fast internet connection. You have bandwidth. A lot of malware is designed to take over your computer and use it as a server to attack other computers, distribute SPAM or even deliver more malware. It will also steal your data, passwords and account numbers, so the criminals can steal your identity and everything you own. Even if you only use your computer for gaming, there are people now stealing passwords for some computer games so they can steal any reserves you have built up online.

2. The antivirus companies are the ones who put out all those viruses so they can sell their programs anyway. If I install their program, it will install their viruses.
This is mostly one of the silliest myths on the web. It is true that there are rogues that try to trick people into buying their programs by claiming your computer is infected:

List of Rogue Programs

However, the legit companies wouldn't even consider risking their reputations to make a few extra dollars. If they are recommended by reputable sources, they are going to be safe and useful. You need to be sure the source is reputable though. The people that create viruses and other malware are criminals and many are now part of organized crime gangs that make millions by stealing from people like you.

3. Running a firewall slows down my games.

Most firewalls have settings to allow you to play games without removing that protection. Even a few minutes online without your firewall can leave you infected.

4. The programs are too complicated.

Most programs have simple modes that can be set to update automatically and protect you without you having to do much more than renew a subscription or download a major update about once a year.

5. I don't have any money and the programs are all expensive.

You can assemble a very effective set of security programs for free. Even if you pay a bit for a program, it is a lot less than what you will pay to get your computer fixed and possibly deal with having your accounts cleared out by criminals.

6. I have heard that WinXP Service Pack 2 and 3 will cause problems on computers and I don't want to risk it.

That is sort of like saying I will jump off of the cliff because I don't want to risk slipping on the rocks climbing down. SP2 is probably the most important security update that Microsoft has released for any version of Windows to date. It is true that it caused problems in the first few months, but it has been out for more than 2 years and it is quite stable now. If you don't have it, you also don't have any number of other security updates and you are almost certain to get infected.

7. I have an illegal copy of WinXP and MS won't let me update it. It isn't fair because they make so much money anyway.

If you are running an illegal copy of Windows, do the rest of us a favor - buy a legal copy. When you get infected, you can become a zombie server for the criminals, distributing malware, SPAM and scams all over the web. If all the zombie systems were shut down today, the quantity of SPAM would slow from a tidal wave to a trickle. Don't contribute to the flood. If you don't believe you can afford a legal copy of WinXP, use a free install of Linux. There is no good reason to put yourself and the rest of us at risk.

8. I have never used security programs and I have never been infected.

Maybe, maybe not. Some of the most effective infections today are essentially invisible on your computer. They don't slow it down in a noticeable way, they don't pop up ads and they don't do anything to attract your attention. They do quietly send your personal information to the criminals, they do use your computer as a zombie server and they do own your computer more than you do. The truth is, malware is getting more aggressive, harder to detect, harder to kill and almost unavoidable if you go online at all. If you are not armored, you are probably already infected or you will be.

9. It is my computer and it is only my problem if I get infected, so leave me alone!

Well, not really. It is your computer and it is mainly your problem if you get infected. However, if your computer becomes a server that sprays malware, SPAM and attacks against the rest of us, it becomes our problem too. As soon as you go online, you are part of a community and the decisions you make affect everyone in that community. If you don't mind people messing around with your personal information and possibly using it to steal all that you have, please at least consider the harm you may be doing to the rest of us.

10. I plan to install security programs, I just haven't had time yet.

If you are reading this, you are already online. If you are online, you are already at risk. I once fixed a problem with my firewall and had it uninstalled for a while. I went online for about 10 minutes to download a fresh copy and while I was online, my system was infected with the Welchia worm. TEN minutes I was online, only 10 minutes!! How long have you been running without security??
Copied/pasted with permission - Credit goes to Budfred (SWI Admin) - original article. For more similar articles/news/tips, subscribe to the SWI Newsletter.