I had another user who had been infected by the Antivirus XP 2008 malware. I noticed they had both hit the same website at least once, myspacecdn.com; I haven’t checked it yet, as I don’t have a machine handy that I can blow out, so I will have to check it later. The main install file seems to be ccwjgn.dll, which gets run from the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. It runs the popup from a program in the Windows TEMP folder to get you to launch the install. The process is listed as a .tmp in Task Manager, usually with a weird name like ttC.tmp.exe or something similar.
On this machine, however, they set an explorer.exe registry key here, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and Windows Explorer could not run. I am assuming they were redirecting it to run some other malware and then starting Explorer, but VirusScan deleted the file they were using, so Windows just sat there. You could run Task Manager by hitting Ctrl-Alt-Delete, so that allowed me to run regedit, navigate to the key and delete the explorer.exe value, which then allowed Windows Explorer to run. After the desktop loaded, the Antivirus XP popup came up. I ended the process using Task Manager, deleted all the files out of the Windows Temp folder, found the programs/DLL files in the System32 folder, two of them this time with the lphctp9j0ea5j.exe and blphctp9j0ea5.scr type of names, and after rebooting I was able to delete the ccwjgn.dll file.
I then ran the latest version of Spybot, which found some other stuff and removed it. No more popups or nag screens trying to get her to install their malware.
Update: I thought I had it until I updated to Windows XP Service Pack 3 and, after rebooting, I received the daggon popup again. More deleting and rebooting; after a while I gave up and tried the free version of AVG. It found about 40 or so driver files that were infected and cleaned those, and she has been running Antivirus XP 2008 free for a couple of hours now. So, for everyone who just wants it removed without knowing how or why, run AVG, as Spybot doesn’t seem to clean it yet.
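For anyone who wants to check a machine for the same three things before blindly deleting files, here is an added triage script. It is not the original author's method and not part of the original post; it is a hand-rolled subset of what Autoruns shows you, limited to the persistence points described above: an Image File Execution Options "Debugger" value on a program such as explorer.exe, the DLLs loaded through Winlogon\Notify, and executables in the temp folders hiding behind a second extension (ttC.tmp.exe style names). The baseline list of Notify packages is this example's assumption for a stock Windows XP install, as is the requirement for PowerShell 3.0 or later; adjust both for the build in front of you.

```powershell
# Added example (not from the original post): triage the persistence points the
# post describes. Run from an elevated PowerShell prompt (PowerShell 3.0+ assumed).
# The known-good Notify list below is this example's assumption for stock XP.

$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

# Notify packages that ship with Windows XP (assumed baseline). Anything else is
# worth a look; anything unsigned or missing from disk more so.
$knownNotify = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Get-SignatureStatus([string] $Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    try   { (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString() }
    catch { 'UNKNOWN' }
}

# Resolve a DllName the way winlogon does: a bare file name is loaded from System32.
function Resolve-NotifyPath([string] $DllName) {
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([IO.Path]::IsPathRooted($expanded)) { $expanded } else { Join-Path $system32 $expanded }
}

$findings = @()

# 1. IFEO: a Debugger value makes Windows launch that program instead of the named
#    binary, which is how explorer.exe was hijacked in the post. Legitimate entries
#    are rare on a workstation, so read every hit.
foreach ($key in (Get-ChildItem -LiteralPath $ifeoKey -ErrorAction SilentlyContinue)) {
    $debugger = $key.GetValue('Debugger')
    if ($debugger) {
        $findings += [PSCustomObject]@{
            Source = 'IFEO Debugger'; Target = $key.PSChildName; Value = $debugger; Signature = 'n/a'
        }
    }
}

# 2. Winlogon\Notify: every subkey names a DLL that winlogon.exe loads at logon,
#    before the desktop appears, which is what made ccwjgn.dll hard to delete.
foreach ($key in (Get-ChildItem -LiteralPath $notifyKey -ErrorAction SilentlyContinue)) {
    $dll = $key.GetValue('DllName')
    if (-not $dll) { continue }
    $path = Resolve-NotifyPath $dll
    $findings += [PSCustomObject]@{
        Source    = if ($knownNotify -contains $key.PSChildName) { 'Notify (baseline)' } else { 'Notify (UNEXPECTED)' }
        Target    = $key.PSChildName
        Value     = $path
        Signature = Get-SignatureStatus $path
    }
}

# 3. Temp folders: a name like ttC.tmp.exe or image2.gif.exe carries a real
#    extension behind a harmless-looking one. Flag any PE file whose base name
#    still contains a dot.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique
$suspects = Get-ChildItem -Path $tempDirs -File -Recurse -Include *.exe, *.scr, *.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '\.' }
foreach ($file in $suspects) {
    $findings += [PSCustomObject]@{
        Source    = 'Temp double extension'
        Target    = $file.FullName
        Value     = "$($file.Length) bytes"
        Signature = Get-SignatureStatus $file.FullName
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Read the table before touching anything: an IFEO Debugger pointing at a file that the antivirus has already deleted is exactly the "Windows just sat there" symptom above, and a Notify entry whose DLL is unsigned or missing is the one to remove from the registry before rebooting to delete the file.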
The other day I had a user call me to let me know their PC was getting an error message and that her co-worker had tried to fix it for her but couldn’t. The computer was off when I got there, and when it booted up it went to a blue screen of death with the problem listed as “Panic Stack Switch”. Although that is an actual error message, it made me believe it was a fake message, as I had never seen it before and had not searched for any occurrences online. While I was reading the error message, though, the user hit her spacebar and the blue screen immediately went away to show me one of those “you’re infected” backgrounds that malware such as Win Antivirus 2008 uses. You can imagine my surprise, as the computer should not boot into Windows after a blue screen of death, so this was yet another indicator that malware was involved, and I just went about cleaning the machine.
It was infected with the AntiVirus, or Win AntiVirus, XP 2008 malware, and was surprisingly simple to remove, certainly a lot easier than other infections I had dealt with, probably because Spybot and her antivirus software were blocking portions of it. All I had to do was delete the folder the malware was in, I believe it was called rchpcg or something similar. I used the Sysinternals program Autoruns to remove any programs that were set to run automatically that shouldn’t; a couple had names something like blphctp9j0ea5.scr or lphctp9j0ea5j.exe or something similar, don’t quote me on those. I went ahead and removed some of those programs that run in the background just to check whether their software needs updating, etc., stuff no one really needs running all the time.
Here are some interesting videos from Panda Software.
Death to Digital Vandals One.
Death to Digital Vandals Two.
Panda Software company presentation.
Microsoft patents the mother of all adware systems Instead of quoting the whole article or trying to re-write it here, click the link and read for yourself some of the information unearthed in a patent filing by Microsoft which Ars Technica says would be the mother of all adware. But that’s a good thing, because the patent says so. “It would inspect “user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),” and more. How could we have been so blind as to not see the marketing value in computer status messages?” Sounds great……not.
Ransomware… Holding Corporate America Ransom! Have you been targeted by ransomware? Did you get a message similar to this one?
“Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: email@example.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data — Glamorous team.”
Prevx.com says to hold up before you pay anything; they already have a decryptor for the files. They have a good program, it has removed some stuff on computers I have scanned that nothing else would, Spybot, Ad-Aware, Ewido, etc.
How Good Are You at Recognizing Fake Websites and Spam Emails ? Think you are good at spotting phishing websites and emails? Take the test from McAfee and see for yourself.
Here I am listing all of the free online scans for your computer, spyware, virus, registry, process and some great utilities at the end. I’m also listing some of the free tools, like SpyBot, Ad-Aware, etc.
Windows Live OneCare works quietly in the background on your computer, so you don’t have to worry about nasty interruptions from viruses, spyware, hackers, and other unwanted intruders. It also goes beyond security, regularly backing up all your important files and cleaning up and tuning up your computer to help keep it running at top speed. Because you have better things to do with your PC. Download the free trial.
Free Online Spyware Scan This scan is free and will remove what it finds, although, it doesn’t try to find the more complicated stuff as it could not remove it without installing software on your computer.
Housecall Free Online Virus Scanner from Trend Micro.
CWShredder CoolWebSearch is notorious for keeping you from removing their crap from your computer; download this special tool just for removing all of the hundreds of different versions of CoolWebSearch.
CoolWebSearch installs dozens of bookmarks, mostly to porn Web sites, on your desktop, changes your home page without asking, and continually changes it back if you attempt to correct it. Furthermore, it significantly slows down the performance of your PC, and introduces modifications which cause Microsoft Windows to freeze, crash or randomly reboot.
Spybot Search and destroy This is not an online scanner, but it is free and it does remove almost everything. You should always have a couple tools you scan with because none of these tools can remove everything.
Ad-Aware This is also a tool and not a free online scan, but the software is free and it is one of the top spyware and adware removers.
Registry Booster – FREE Registry Scan This registry scanner will clean and optimise your system, free it from registry errors and fragmented entries.
SpyEraser – FREE Spyware Scan Does not remove any spyware, requires you to purchase the program to remove the spyware.
ProcessLibrary.com – FREE Process Directory Resources and tools for anyone who immediately wants to know the exact nature and purpose of any process running on your PC.
WinTasks 5 Pro – Increase System Security & Performance WinTasks 5.0 Professional provides you with a wealth of information and a powerful set of tools that will help you enhance the protection against system security threats while dramatically increasing computer performance. The award-winning WinTasks 5.0 Professional is the most reliable and intuitive software that enables you to fully take charge of your computer.
WinBackup 2.0 – Secure Your Data Today! Awarded Best Backup Software by Computer Shopper and termed “exceptionally simple to use” by PC World, WinBackup 2.0 Standard is now the obvious choice for home and small office users. Being one of the most efficient and reliable backup solutions available WinBackup 2.0 Standard will help you save both time and money.
If you are hit somewhere with an ad for Spylocked, don’t install it. If you visit codec sites, for any reason, you could be hit with a drive-by install of Spylocked. These codec sites are using the Zlob trojan to install this program, and once it is installed you will begin receiving warnings that you need antispyware, and they will try to get you to purchase it or another fake spyware removal program. Source: Spylocked Is Yet Another Rogue Program.
Automatic and manual removal instructions are here, How to remove SpyLocked (Removal Instructions).
When SpyLocked is downloaded to your computer by a Zlob trojan, it will automatically start and act as if it is scanning your computer. It will then provide a list of grossly exaggerated and fake results including the actual Zlob Trojan that installed it in the first place. It will then prompt you to purchase the full commercial version of the software before you can remove these items. This is a complete scam, and the results are a tactic used to scare you into purchasing their software. Needless to say, do not purchase it. A screenshot of SpyLocked can be found below.
The whole thing is pretty simple: download SmitFraudFix.exe, reboot your computer into safe mode, run the SmitFraudFix.exe program and select option 2, Clean. It will run the cleanup process on your computer, which could take a while; it will ask if you want to clean your registry, select y for yes, and when it is done your computer will tell you to reboot. Upon successful reboot, you should be clean of the Spylocked infection. More detailed instructions are here.
Here are a couple cute videos from Panda Software promoting their virus and intrusion prevention products. But first, here are some coupons for their products, Panda Internet Security 2007, Panda Antivirus and Firewall 2007, and one for Panda Antivirus all by itself. Their software will remove viruses, trojans, malware, spyware, adware, and protect you while online, all you are buying is peace of mind.
Grab a FREE 30 day trial of Panda Anti Virus, Panda Anti Virus plus Firewall, or Panda Internet Security, which contains Panda Antivirus, Panda AntiSpyware, Panda Firewall, Panda TruPrevent, Panda IdentityProtect, Panda Antispam, and Panda Parental Control.
Webroot Software makes one of the better spyware removal programs around, Spy Sweeper, and now you can get a free scan (visit this webpage) and a free trial of Spy Sweeper that includes a copy of the antivirus program from Sophos (click here). This software is compatible with Windows Vista.
It has over 10 million downloads on download.com, and has a user rating of 3 and a half stars, here is what they say about it at download.com.
Get complete protection from the two most dangerous threats on the Internet–spyware and viruses–in a single, easy-to-use solution. Spy Sweeper with AntiVirus incorporates virus protection by Sophos to offer advanced detection, blocking, and removal to beat all types of dangerous viruses, spyware, worms, and Trojans. The software is easy to use and requires minimal interaction–updates are automatic. Spy Sweeper with AntiVirus is now Windows Vista compatible.
Powerful Smart Shields block threats as you browse–before they ever reach your computer. Spy Sweeper with AntiVirus offers complete computer protection and catches hard to find viruses and spyware programs. With advanced detection and removal capabilities, even the most dangerous files are removed in a single sweep. You won’t have to scan and restart your PC repeatedly with Spy Sweeper with AntiVirus–one sweep and your PC is clean. If your PC is already infected, Spy Sweeper with AntiVirus uses advanced discovery methods to find and destroy malicious programs hiding within your PC. Source: Webroot Spy Sweeper with AntiVirus 5.3
The free spyware scan will not remove the spyware from your computer, although it does block future infections using their active shields.
As anyone who has ever read this blog knows, I always try to tie these spyware, adware posts back to my friends from Zango, those guys who never do anything wrong, it’s always an affiliate or another website. While Zango is not mentioned, I bet money one of their programs was installed, hehe. But I just read this article from Computer World by Preston Gralla, Porn-surfing teacher: Spyware made me do it!, who obviously should not be posting about spyware, as it appears he does not have a clue and his blog post is a complete joke.
A recent court case found a Connecticut substitute teacher guilty of surfing for pornographic sites in front of her seventh grade class, and now she faces 40 years in prison. Wow, forty years; I was watching something on TV the other night where two guys killed someone and the max they could and did get was 15 years. But this teacher could get forty years? That is just plain wrong. Anyone who is involved in any way with school systems knows most teachers aren’t prepared for something like this; the teacher was probably as overwhelmed and shocked as the students were when it happened and was just trying to get them to close down. And if it has happened to you, when you click the x to close a popup, one or many more can pop up on you, making it look like you may have actually clicked on the popup itself.
Not only that, the prosecutor wanted to know, but if in fact spyware was on the PC, why didn’t the teacher merely turn off the computer or pull the plug on it?
Julie Amero had no answer.
Lawyers have come up with some novel defenses over the years, including the “Twinkie defense” in which a lawyer argued that defendant Dan White’s eating of Twinkies and drinking Coca-Cola proved that he was depressed, and so not responsible for his actions in murdering San Francisco Mayor George Moscone and Supervisor Harvey Milk in 1978. The defense was partially successful; White was convicted of voluntary manslaughter rather than murder.
Luckily, it seems as if the spyware-made-me-do-it defense doesn’t cut it in court. For once, justice prevails. Source: Porn-surfing teacher: Spyware made me do it!
A substitute teacher is just that, a substitute, and has not been in similar situations, and probably had no idea unplugging the machine or turning off the projector would have been the best way out. Plus, the school system has to have content filtering in place to be able to get E-rate money to help fund all of the computers, internet access, etc. The school system’s filters should’ve prevented most porn sites from popping up to start with, so why isn’t the school system on trial instead of the teacher?
And according to a quote from Alex Eckelberry, who is President of Sunbelt Software, they didn’t even check for spyware.
The court actions of the case were flawed as well. For example, one source reports that the Trial Judge, Hillary Strackbein, was seen falling asleep during proceedings and made comments to the jury that she wanted the case over by the end of the week. It was also reported that Judge Strackbein attempted to pressure the defense into an unwanted plea deal, in place of a trial. The defense attorney for Amero moved for a mistrial shortly before closing arguments Friday, based on reports that jurors had discussed the case at a local restaurant.
Was justice done here? A bad spyware infestation can splatter a machine full of porn popups and it’s a bit unnerving to think that a teacher could get hard prison time for something that was likely to have been completely innocent.
We need far more evidence than what is available to come to the conclusion that “justice was done”. In fact, all the available evidence shows quite the opposite — that this might just be a grave miscarriage of justice. Source: Alex Eckelberry
I have recently had the chance to attend several classes on computer forensics, so sure, the police found evidence that those sites were visited, but ANY window that is opened on the computer will show up in the cache and list of websites visited. The fact that neither the defense nor the prosecution tried to show how it happened is incomprehensible to me. If it was one website that caused this to happen, it would be so easy for them to repeat what happened. This quote from a computer crimes investigator in an article in the Norwich Bulletin is very telling,
“You have to physically click on it to get to those sites,” Smith said. “I think the evidence is overwhelming that she did intend to access those Web sites.” Source: Teacher guilty in Norwich porn case
You do NOT have to click on any link, it can be loaded from spyware apps, malware, or other malicious websites, it can be loaded from a website, that was loaded in a popup, from a website that was loaded in another popup, from another website that was loaded in a popup, and as the saying goes, on and on and on. This is just a case of one investigator only having the tools to do forensic investigation and not the knowledge of how a computer works to go along with it. Anyone involved in the Julie Amero case feel free to leave me a message at 304-521-2582 or an email to webmaster at tipsdr.com with “Julie Amero case” as the subject and I will be happy to explain how this could happen with the teacher only opening one “innocent” webpage on her computer. The 40 years should go to the spyware makers or to the school system, not this substitute teacher.
Categories: Computer Forensics, Education, Malware, Protect Children Online, Security, Spyware Info Tags: Alex Eckelberry, Computer Forensics, content filtering, E-rate, Julie Amero, Malicious Websites, porn, spyware, Zango
If you ever get infected by Supercodec.com, the software I found to remove it was Prevx from www.prevx.com. Neither Ewido, Spybot nor Ad-Aware would get it. And remember, lots of codec sites are not safe; before downloading a codec from anywhere, search for the domain name in Google and see if the name turns up on any lists.
From the front page of Prevx.com, it says it is removing the following files that the other spyware and malware programs are not.
TREVA.EXE VELOREASSOLUTO.EXE DVPLEO.EXE LOGFILESCLEANER.EXE 修論用マップ.EXE BITMATTEST.EXE EJUST-CO.EXE ISTALK_RMAHANDLING.EXE PETITIONSERVER.EXE VIMAGES.EXE 16643.PCSECURITY.EXE 8HYDW1F0.EXE 9BZJYKXU.EXE 9O6R7GBH.EXE AMPSETUPTOOL.EXE AMR100.EXE AMR239.EXE AMR941.EXE BAS102.EXE BAS444.EXE CHKCLS.EXE CLIENT(FULL).EXE CLIENT(WINDOW).EXE DCMGATEWL.EXE DPD LABELS.EXE DR60530W.EXE EJUST-JUST-CO2.EXE ESPORTATOSCANA.EXE F0374702.EXE FIGURA1_M.EXE FR-ALT.EXE FR-YENI.EXE FULL_PATCH_7.EXE FUND5ESL.EXE GASCOOL.EXE GAS-EJE-JUST-PINCH5.EXE GBALOAD.EXE GRECO_V101A.EXE GRECO_V105_P3.EXE GRECO_V105_P3_SSE.EXE HOSPITAL2000.EXE HUNKARE.EXE HUNKARE.EXE INHARITPLUS.EXE INSTDAS.EXE ITURTAS.EXE JW5VX2AG.EXE LAPLACE_P1.EXE LOGFILESANALYZER.EXE M800_332E.EXE MAP+CONT_3.EXE
Common files that have been recently bypassing many security products:
HOOFDSTUK370.EXE COMUNICAZIONI.VB.DLL ARMOROFGOD.EXE CLIENTE_VB2005.EXE CRITICAL VOLUME.EXE ADMIN$@.DLL LABORAS_1.EXE HC_TEST.EXE LIBGMS.DLL ASSETDEMO.DLL EXTRACTPHOTOS.EXE ACADSCRIPT.EXE ALL_DLL_FILES.DLL BARBANEGRA.EXE DOWNLOADSYMBOLS.EXE EMPCONTACTS.DLL DANG ASSIGNMENT 4.EXE LAB10 DEBUG.EXE JUGGLER1.0.2.EXE DMS4.EXE CRSINV.EXE GRNAUDIT.EXE INVAUDIT.EXE GLSREPS.EXE BOMMNT.EXE LIBRAIRIE.CTRLS.DLL EFCSSIPROV15.DLL DPPP.EXE %WINDIR%_E58.EXE DRUID_UNKNOWN.EXE %WINDIR%_E57.EXE %WINDIR%_E56.EXE GOOGLE.PNG.EXE DESKBAR_E55.EXE %WINDIR%_E55.EXE DEGOQATR.EXE DFNDRFF_E54.EXE IMAGE2.GIF.EXE %WINDIR%_E53.EXE %WINDIR%_E52.EXE %WINDIR%_E51.EXE DFNDRFF_E49.EXE IRDVXC.EXE DOCSYS.EXE DFNDRFF_E46A.EXE DFNDRFF_E44A.EXE INVASION3042 UNINSTALLER.EXE DFNDRFF_E43.EXE DLLRUN32.EXE DOLLARREV.EXE
Latest Malware Entities:
Worm Warezov Gen, Malware Trojan FIFA, Win32 Rootkit Gen, Trojan Windir SXS, Trojan MedCodec, Trojan WinTasks, Trojan MSSecure32, Trojan SoftCodec, Trojan VideosCodec, Trojan Lineage, Trojan Bancos, Trojan Dropper, Backdoor Hupigon, Backdoor Greybird, Trojan PViever, Trojan DssConf, Trojan IMCodec, Trojan XpassGen, Trojan Update-KB, Spyware AntispySoldier