Monday, October 27, 2008

That was a stupid thing to say

I was helping someone yesterday with a SEVERLY infected computer. This computer was infected for at least 1 year since older malware was still active and running, with on top, newer malware including a File infector, some backdoors, random adware and god knows what else...
So you can imagine there wasn't much we could do about it, this computer was TOAST.
Then this user told me that he was actually PROUD of the fact that he managed to get 4 different computers infected/damaged in a short period of time.
Excuse me?

That's where I ended my support - told him to format and reinstall Windows and never use a computer anymore.

This is once again an example why some people should be restricted to use computers and is a perfect addition to my previous rant: "The Neverending story".
Oh, and yes, I do agree with Eugene's Final thoughts - with the addition that Internet access should be restricted for such people as in above example.

MEDION Akoya Mini 10" Netbook E1210

Yes, that's going to be my new notebook. This is the Aldi offer in Belgium for this week and since I always wanted a "mini notebook" to take everywhere with me, this looks like the ideal one for me.
My other notebook (older one) died in a meanwhile after the "coffee accident" I blogged about last month. I'm still surprised that it worked for a couple of days afterwards, so I could back up important data. So in a way, I was lucky.

Specifications of the Medion Akoya Mini are:

1.6Ghz Intel® Atom™ Processor N270
Intel® Atom™ Processor – a new series of very low power processors developed by Intel® especially for Mobile Internet Devices (MIDs) and for a new class of more affordable, smaller and fully functional computer systems built to provide fast, easy internet access. These ‘Netbooks’ are impressive thanks to their ease-of-use, portability, powerful wireless LAN functionality and long battery life.

Windows® XP Home Edition
(incl. Service Pack 3)

10" TFT Widescreen Display
1024 × 600 pixels

80GB SATA hard drive
for more than 16,000 music tracks or photos**


Fast WLAN Wireless LAN 802.11 b/g +
Draft-n with up to 300 MBit/s.*

Intel® Graphics Media Accelerator 950

USB 2.0, Memory card reader and much more...

Integrated webcam


* Multi-card reader for SD, MMC, Memory Stick
* 3× USB 2.0
* 1× VGA out
* 1× network (RJ45)
* 1× line out

Also included

* Li-ion battery and mains power adaptor

Dimensions and Weight

* Approx. 260 × 180 × 19/31.5mm
* Approx. 1.2kg incl. battery

Bag and Bluetooth dongle are also included.

And this for 399 euro!

More info also here:

I guess I'll have to hurry before they are sold out.

Monday, October 13, 2008

Fake sysaudio.sys causes Searchengine Hijack

What is this infection about...
It actually loads a script, so searchengine results are loaded within a script. For example, when you research something in google or another searchenigine, you get this when you view the source:

script scr= //78. 157. 142. 58/ and then the searchengine results.
script scr= //209 .85 .171 .9/ and then the searchengine results.
(more may be present as well)

So, whenever a popular searchengine is being used, a script is loaded to insert its results. For example, a search for: "How to remove rootkits with icesword", you get irrelevant results. Screenshot here:

This only applies for the first page of the results.

It looks like is also promoted via this piece of malware

As far as I know.. this one is getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs.

The responsible file for the searchengine hijack is sysaudio.sys, (which is actually a DLL) dropped in the %sysdir% folder (system32 folder).

Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key
with value and valuedata:

"aux"="sysaudio.sys" or

Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far, there could be more)

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv which is also present in the %sysdir% folder.
(could be more already - newer variants)

Anyway, this is another method being used to "hide" its presence because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or "aux" value in the registry. Ask for help if you're not sure.

A new variant is Windows\system32\wdmaud.sys <== bad one
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!!


And again a new variant around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir. (previous variants were detected as Trojan.Daonol)
Redirections go for example to - or you see in the status bar.
This time, it uses a random file name. To find out, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look what's present under the "aux" values (aux1, aux2, aux3, aux4..) One of them is the cause. It's a "weird" looking filepath and name, examples are: "C:\WINDOWS\system32\..\sjkemx.iqd" or "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" - note the reference named ".." which actually refers to "go up two levels". To find the file itself, easiest way is via Windows search. If it comes back immediately after you have removed it, you can use the "Hijackthis - Delete on reboot" option, or any other tool that is able to delete files on reboot.
In case you can't launch regedit (crashes when you launch it), rename regedit and try again.
If you're unsure, don't delete anything, but ask help instead.

Update: A Great, detailed writeup by MAD (French)

To receive help to remove the infection or similar infections, register at one of the forums present on the right, or register at my personal forum here. It's a dutch forum but I also give english support.

Friday, October 3, 2008

Something, somewhere, went terribly wrong.

A t-shirt I ordered - arrived today...

I love it!! :)

Wednesday, October 1, 2008

MySpace/FaceBook worm causes confusion in HijackThislogs

This blogpost is actually a warning for people who are helping others to get rid of this worm via HijackThis-logs.
Here's some more info about the worm itself and how it is being spread:

This worm is also known as Net-Worm.Win32.Koobface.*

People are complaining about Google Redirects, slow computer in general and browser freezing or shutting down whenever they want to log into their FaceBook or MySpace account.
The files responsible for this infection are:

%WinDir%\kenny**.exe (** stands for a number, in this case 16, 17, 18..), runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with displayname sysftray2
%ProgramFiles%\TinyProxy\TinyProxy.exe or %ProgramFiles%\ProtectService\ProtectService.exe which runs as a service.

It also modifies the Proxy to http=
To fix this:
In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

To remove this infection, just delete the %ProgramFiles%\TinyProxy folder or %ProgramFiles%\ProtectService folder it has created + the %WinDir%\fmark2.dat and %WinDir%\kenny**.exe files + restore proxysettings.
It's recommended that you do this in Windows Safe mode since this infection (mainly the service) is active in Windows normal mode.
There could be newer variants present already.

Now, what's the confusion with HijackThislogs and people who are guiding others with malware removal via HijackThislogs...

Let me explain how HijackThis.exe enumerates the services...
For example, let's take the legitimate Nvidia Display service:

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What's between the brackets is the Servicename. In this case "NVSvc". That's how the service is registered in the registry.
The Displayname is "NVIDIA Driver Helper Service". This is how you see it in services.msc for example. This is also set under the Servicename with value "Displayname".
The "C:\WINDOWS\system32\nvsvc32.exe" refers to the "ImagePath" value set under the "NVSvc" service. This means the file responsible for running as a service.

In case there are no brackets, then it means that the Servicename is the same as the Displayname, for example:

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

In this case, "Apple Mobile Device" is the servicename and displayname.

If people check and fix a O23 entry in HijackThis, HijackThis doesn't delete the service, but disables it instead. This means, it changes the "Start" valuedata for the service to dword:00000004, which means disabled.
In case when a malicious service is present, if you fix it in HijackThis, it won't remove the service. It will only disable it.
That's why a lot of helpers who are guiding with HijackThislogs are teached to delete the service in the registry as well. The sc delete "servicename" command is the common used command here.

Now let's compare one of these malicious TinyProxy.exe or ProtectService.exe Services..
That's how they look in a HijackThislog:

Some examples:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: NMIndexingService (NMIndexingService) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

In this case, let's take O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe as an example.

People who are used to working with HijackThislogs would think: "Netman" is the servicename and "Network Connections" is the Displayname.
Yes, that's how it looks like.
But.. the service "Netman" is a LEGITIMATE service and the Displayname "Network Connections" matches as well as LEGITIMATE. Normally HijackThis whitelists these services.
Now what? Does that mean that this service in the registry was modified and the "Imagepath" value under the "Netman" service was changed to "C:\Program Files\TinyProxy\TinyProxy.exe" instead of %SystemRoot%\system32\svchost.exe -k netsvcs (which is the default valuedata for this one)?
Yes, that's a possibility... we've seen it before.
In such cases, after you have removed the offending folder C:\Program Files\TinyProxy, you need to restore the default "Imagepath" valuedata again to the legitimate one.

HOWEVER, I found out that this infection isn't modifying any legitimate services at all!
After a bit of research - comparing logs and testing with some dummy services - it appears that this infection creates a new service instead, but makes sure it matches a legitimate service and causes extra confusion in HijackThislogs.

Let's create the service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"Displayname"="Network Connections (Netman)"
<== which translates to %ProgramFiles%\TinyProxy\TinyProxy.exe
"Start"=dword:00000002 <== which means "autostart"

The service "Network Connections (Netman)" isn't legitimate since the legitimate service is actually "Netman".
But, since the "Displayname" in above example matches the servicename here, in HijackThislogs, it will show as:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

While the servicename is actually: "Network Connections (Netman)" and NOT "Netman"!!

The result of this is.. many helpers look at the servicename in HijackThis (the one between brackets) and since it has a malicious file attached, some don't think further and think that the service itself is malicious as well (without knowing that it may be a legitimate service) > result > they ask to delete the legitimate service from the registry using the sc.exe delete command.
And yes, a Threatexpert report also reveals how it has created its service. Example:
In the Threatexpert's example..
"TrkWks" is the LEGITIMATE service, but in this case, as you see in above report, the service: "Distributed Link Tracking Client (TrkWks) " was created.
A slightly bit different from what I've tested with dummy services, but it does make sense. In above example, the service has an extra space after the services name and since the "Displayname" is the same, it will show it like this in a original HijackThislog (since displayname and servicesname matches):

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe (note the extra empty space after (TrkWks) and -)**

But since people are posting this at forums, the forumsoftware strips that empty space anyway.
The same applies for the threatexpert report itself imho, where it also strips the extra space in the services name/services key if no subkeys are attached.

** After I have posted this, I noticed that this blogpost also strips the extra space after the services name..

Anyway.. imho, I'm pretty sure that, whoever developed this infection is well aware of HijackThis and how it displays its entries, this to cause some extra confusion for helpers.
And that's why I posted this warning in the first place, because I've seen it happen a couple of times already. Legitimate services were deleted > result, no internet access anymore or anything else that was broken because of this confusion in HijackThis.
That's why, before you want to delete a service in the registry, make sure first it's not a legitimate service!

I have not played with this infection itself yet (no samples available) - so my analysis is only based on logs/research and testing.
Samples are welcome. :-)
Samples received. Thanks readers :)