TruXter Tech News

Many of us knew of Asquared free. The software that Emsisoft noticed in Google. It was the best malware scanner out there. Well Emsi found it in their best interest to remove their malware scanner and merge it’s code with their virus scanner. I have no idea how long the virus scanner will be free. I do know the virus scanner / Anti virus was trial for as long as I can remember the company site.

There is another way to still get A-squared free, is by downloading the “emergency kit“. and just run it as a stand alone. The Emergency kit was created for usb use. That I.T. guys can float around the office without having to download and install the software on every single infested computer. Also prevent a virus (during the active infection) from directly attaching it’s self to the malware scanner and crippling it.
I was downloading asquared updates yesterday july 26th 2010 during the day at work. When I got home, it was off the site. I tried to update my home pc but was prompted with a notice of the change and would have to uninstall and that a-squared would no longer scan for me.

By now you understand I got an infection while at work and got spooked by it by the time I got home right? Well I am running the emergency kit. So far found 4 viruses that Norton didn’t find, malware bytes didn’t find and that S&D didn’t find. In fact they all showed I was clean. Even though I got the fake virus scanner prompt on this antiquated operating system (XP).

Yep this also happened to me. While at work. AT WORK !!! sorry had to say it like it is supposed to be said, yelling.
Now at my job, I am not “The Tech Guy”. I am the drawings and images guy. I mean I know plenty, but they already have a “resident nerd” and well, he is pretty good at it. So by my wandering around on the internet doing things “my way” and stumbling into an ” Oh dang!” moment isn’t the best thing for my career. First warning was ” Microsoft is ready to install Explorer 8″ Yep you guessed it, I installed it . Not thinking one time that I was on Firefox the whole time.
Ok I started with the on board Symantec end point. It caught either 8 viruses , or the same virus kept trying to rescue it’s self. lol I have no idea, I was panicking and hurrying , I saw the word ” Trojan” in the pop up warning from Symantec, and freaked out. I decide I better go check Windows update site and see if I ever downloaded Internet Explorer 8, The page would not load, I run to another computer on the network and all is fine, I head back to mine, still nothing. So I headed to the first place I could think of. Bitdefender’s online malware scan. It never lets me down. Well this time it surely did. I take it up a notch and head to “Malware Bytes” and start doing a search in Google and search the term “windows update takes me to Google” and started reading all the people praying and begging for help. The ever so faithful “tech guy forums” turned up an unanswered request for help, wow that was surprising. After about 45 minutes of reading, I find nothing (well I actually found the right thing but over looked it like 10 times) and malware bytes is done scanning, It found nothing, nothing at all, I try and update it, will not let me, along with anything else I tried to scan with.
So now I break out A-squared, not the worst thing in the line up for sure, but it did not find anything either. Ok now I am feeling like I am losing my mind. Well as this is going on I am still reading threads in forums about the issue. I go back to this thread . The first link in the first and only response, well tried that. Second link I click it it takes me to Super AntiSpyware. First thought is ” Well crap, this place looks like it’s just going to make the issue worse. I figured that it really couldn’t get much worse if I scan the file first. So I wander off to the download area for the free version. All was fine until I get to the point that I actually try and download it. Another dead link.. “hmmm, the link is dead, it is blocked, it must be what I need” is exactly what I thought. Ok also another thing about that name, just kept making me think about power rangers. It really sounded like the slogan from some kid’s show “super anti-spyware free trial go team action go!!!” is what I kept saying and giggling.
I walked over to another one of the computers in the office and download the file and slip it onto an open space on the server.
Walk back to my computer and here comes the I.T. guy, just in time. I let him fumble through it like I did. He made a lot of the assumptions I did at first, I walked away to the store next to the office and get a soda while he does exactly what I did. I get back into the office and there he is, lol just like me.. Reading the forum posts for a second time. We agreed that super action malware scanner was the way to go. Well we install it while Spybot S&D or something was finishing it’s scan.
We reboot to safe mode administration by pressing F8 after the bios scan, just before the windows logo. Yes I was just sitting there hitting the F8 button repeatedly till I got the boot menu.
In administration mode we ran the quick scan. Within seconds it finds 3 Trojans and a dns changer, by the end of the scan Super AntiSpyware found two root-kits and two registry key modifications.
We rebooted after the scan and checked to see if Microsoft Windows Update worked, all was fine but still could not update any of the virus scanners. So we reboot to safe mode administrator, and do the full scan. Nothing came up.

So far not all of the issues are resolved, I will go through my “hosts” file and see if there are any changes there. Probably not but hopefully there are. I know how to change that. and I will add the link that I got the file from in the first place to the list of blocked sites. I may even email a heads up to the guys from mvp’s hosts file website (google it).
This is the help I have for you. I hope it works for you. Heck I’m going to run that goofy named program on my home pc now and see what it finds. http://www.superantispyware.com/
Hope it helps you get un-hijacked. I promise that program actually works, just the name is stupid and their web designer is cheesy.

Also that “Google” page I kept getting redirected to was not regular google. it was an affiliate page. Google English. So the freak was making money off of each search we did while we tried to resolve the issue.  Google needs to ban that account.

Virus Takes Hold of Houston Courthouses. No Report  if any personal information was acquired or compromised.

Link Here

Read the responses. They will leave you laughing.

I wonder if the person who opened the door to the virus still won that free iPhone.

My question is ‘ did that fake virus scanner work yet? did they pay full price?”  ok that was mean..

[tags]ip adress,malware,virus,trojan,security,computer,hack,intrusion,backdoor,safety,privacy,protection,prevention[/tags]

A hosts file is a file located in the ETC folder of almost every operating system (with some exceptions). The hosts file is a file that is scanned at the first accesses of a network. Be it a program that you expect to go to the internet or not. Your computer will first try and resolve the dns with the host. It does this by checking the hosts file.

In your hosts file, you can tell your computer what IP address to assign web addresses. By doing this, you bypass all network look ups on the internet for specific addresses. It is impossible to knock out every single website there is. You can how ever knock out all sites submitted, reported, and confirmed as malware sites.

You can also stop your kid from hitting sites you do not want her/him going to. The way it works is you move to the lowest section in the hosts file and type in the IP address you would like that website to go to. Like this:

127.0.0.1 a_site_you_do_not_want_to_go_to.com

This blocks that site from ever loading on your computer.

If you have a program that goes to “a_site_you_do_not_want_to_go_to.com” by default, the program will not be able to update. This can be used to your advantage if the site that the program is trying to connect to is a virus site, and the program is a virus, trojan or a malware notification type program (like a spider). We call them adware and spyware these days, the program will not be able to contact it’s owner, this hides you from the owner and increases your security. Some malware updates itself by connecting to its owner’s location, unless it is specificly assigned an IP address to connect to. That, of course, would be a mistake on the writer’s part. Much easier to locate that way, and you could actually block that IP address if you took the time.

I use mvps host because he has a much larger list than I do. I just add my stuff to his when i download it and set up my hosts file. If you have a list of bad sites, do what I and a few others do, email it to mvps site. I do suggest that you read everything on the wiki and mvps site before you do anything to change your hosts. Really, if you block yourself from the interenet (god only knows how that could ever happen) you just clear out all IP addresses and domain names in the list and you are back to the way it was.

If you have any questions related to this topic feel free to ask them.

TruXter

Owner and writer of :

iworkwithtech.com  and iworkwithpeople.com 

After years of not touching Dr.Web, I could not remember, in full, why I did not like it. I could not remember why I did not trust it. It has been at least five years since I tried it and someone I see is trusted by quite a few people recommends it. I gave it a go. Well the first download is 14 MB. Quite tiny and happens in a blink — although the file downloaded was actually just a tool to download the actual program. After the download was complete and the install was nearly finished, it asked for a verification key (I did not have one). So the program allowed me to press a button and have a key automatically inserted. Why? Dunno. The scan seemed pretty smooth; I didn’t see the scanner get hung up on anything. The list of files being scanned was pretty steady. Boots and reboots of the system were smooth and there was no delay or hang time from Dr.Web.

I consider any program that you have to find a program from a second party to remove to be malware. If the program does not allow me to see the size of the actual install until after it is finished installing (I had to navigate to the folder it was contained in), I consider it to be deceptive.

Granted, this is a workplace computer. I am not the first employee to use this computer and formatting it is not an option. I did find traces of Limewire once installed on this machine, so you should have a pretty good idea how beat down this machine is because of misuse. Since this program found nothing and ran smoothly, I decided to break out some of the tried and true programs: Ad-Aware, Spybot, and A-Squared. All three found something, and no, it was not all cookies. Ad-Aware found what it labeled as a w32.novarg.a@mm (aka MY DOOM) file. A-Squared found a few hijackers, and Spybot found, like, 60 things.

Now here comes the issue. I decided I do not need this program to start when I start my computer. Since it never found anything, I was not impressed enough that I could leave it on the workplace computer throughout the trial period. I went to un-install Dr.Web, but it wasn’t happening. The un-install actually tries to install the program again. I went through the whole step of seeing if it would say “before we can install you must un-install; would you like to un-install?” Never happened. Full install right over the current.

So I did a Google search on it. The best information I found was sad and scary, all in one. Delete all registry entries and then go back to the directory of install and delete all signs of Dr.Web. I really do not suggest you do that. I mean, it did not damage this machine. I booted fine afterwards with no errors, but if you are new to ‘regedit,’ stay out. It is much safer that way.

After 14 years of doing this online and nine years on local networks (before the Internet), you would think I learned my lesson. Well, I have learned that sometimes you just have to try stuff and be prepared to put things back together. Good thing I do and can.

Here’s an alternative.

TruXter

Owner and writer of :

iworkwithtech.com  and iworkwithpeople.com 

[tags]adaware, adware, asquared, computer, hijacker, hijackthis, hosts, infected, infection, log, maliciouse program, malware, popup, redirect, scanner, spybot search and destroy, spyware, trojan, virus[/tags]

We all have had infestations, pop ups that never go away, something that changes your home page, or something that redirects the site you type to a totally different site. Even worse than all that, when there is a combination of those problems.

Well, I have some good news and some help for you.

Next time, you might want to consider this stuff first before you even go anywhere on the internet.

For starters, I would begin stopping most malware from even connecting to the net from your computer, this step stops your computer from ever going to the sites where malware is created, uploaded, and/or updated. Fix your “hosts” file by going to MVP’s site and reading up on the subject. I actually just scroll down like 20 lines and he has a zipped file with 5 or so items in it. Extract the contents to the desktop, double click the batch file, and in a blink, I am Protected from tons of malware servers. http://www.mvps.org/winhelp2002/hosts.htm

Please read mvps site to get a full understanding and to be on the same page as me. Yes the hosts project started out as a way to block banner ads, but it was later found that you can do much more. PLEASE READ THE MVPS SITE.

Before installation of new “hosts” file, I head to my existing “hosts” file and open it with Notepad to see if there are any changes made to it that are located here “C:\WINDOWS\system32\drivers\etc”

There is a line that should say “127.0.0.1 localhost” which means local host is YOU. If it says anything other than 127.0.0.1, then your machine has been routed to someone else’s server and everything you do and type is being passed through them first. They filter through it and crack what they want. If you have anything different there, please post it here as a comment so I, and others, can help take care of someone like this.

Next, let’s go scan your machine. If you can, install this, “http://www.emsisoft.com/en/software/download/” and install a-squared Free 3.1

Run that program and remove anything and everything it finds. Let the scan finish before you start the next step. If both scanners try to remove the same files, it could cause problems.

Next, go get Spybot-Search and Destroy, you will find it here “http://www.safer-networking.org/en/download/index.html” spybot – Search & Destroy 1.5.2

Now, go get Ad-Aware “http://www.lavasoftusa.com/single/trialpay.php”

Run Ad-Aware after Spybot. The same rules apply.

If your issue persists, HJT that stands for “hijack this” found here “http://www.spywareinfo.com/~merijn/programs.php”

You can join their forums “http://www.spywareinfo.com/~merijn/forums.php” and get help from people who spend all day, every day just helping people decipher what HJT finds in it’s logs. They all will tell you what to keep and what to kill. They are an excellent group.

In most cases, you would have prevented this from ever happening if you would have started with MVP’s “hosts” file. That is a very good practice. Also, it would be wise prevention to not install anything and everything you find on the internet. First thing you must always do when you download anything is scan it with as many virus scanners as possible. I use Jotti’s site for the online single file scanner. It scans with like 20 different virus scanners at one time and shows you a real time results area at the bottom of the page. If you watch the scan result, you can see what scanners are worth a darn and what scanners are worth being cup holder….. AVG is garbage.. See for yourself. “http://virusscan.jotti.org/”

If anyone has protection tips of the malware kind, drop a note here ..

Good free firewall to prevent this kind of thing:

Sygate firewall:

http://smb.sygate.com/products/spf_standard.htm

Trojan killers:

http://swatit.org/download.html

Trojan Hunter trial version:

http://www.misec.net/

Do this immediately:

Disabling system restore in Win Xp

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=sec_doc_nam&docid=2001111912274039&nsf=tsgeninfo.nsf&view=docid&dtype=∏=&ver=&osv=&osv_lvl

More Xp resource:

XP resource info:

www.blackviper.com

http://grc.com/dos/xpsummary.htm

http://www.annoyances.org/exec/forum/winxp

If you do not have SpyBot and Adaware, do this:

Spybot:

Download and Read the SpyBot tutorial here:

http://s89223352.onlinehome.us/mirror/spybot/index1.php

Download it, Unzip the program, and immediately check for updates, install the updates and then do the scan.

Let it fix everything marked in red. Reboot but not with restart, shut it down for two full minutes. You�ve got two measely minutes and it�s worth it, and let Spybot run if it indicates.

To add an item to your �Ignore List� click on the little �+� sign next to the item and left click it to highlight it, then right click it and a menu appears, select the function you want.

When you are done reboot again same way. Two full minutes shut sown is best.

Tea Time discussed by designer here:

http://forums.net-integration.net/index.php?showtopic=13433

Also, go to the update page. Notice 3 icons across the top. Between “Search For Updates” and “Download Updates” there is an icon for the download mirror location. After you click on �search for updates,� the one in the middle will change. If it doesn’t say “Spybot.US by Rootboxen.net USA” click on the dropbox arrows and click on Rootboxen, and use only that one. If you got a “checksum error” trying to download –that’s why.

Ad-Aware:

Download AdAware from http://www.lavasoft.de/

check for updates at “webupdate”.

I use these settings (green check)

From main window click “Start” then make sure ” Activate in-depth scan” has a green check next to it.

Put a black dot nest to “Use custom scanning options� and click Customize” next to it, then green check these options:
“Scan within archives” ,”Scan active processes”, “Scan registry”,
“Deep scan registry” ,”Scan my IE Favorites for banned URL”
“Scan my host-files”

At the top of the �STATUS� page notice the Tweak (gear) icon. Click on it.

The first setting is �Scanning Engine.� Click on the little plus sign next to it, and in the drop-down green check “Unload recognized processes during scanning”, and �include basic Ad-Aware settings in log file�. Next click on the �+� next to “Cleaning Engine” and in the drop-down green check “Let windows remove files in use at next reboot” and Delete quarantine objects after restoring�

Click “proceed”, that will save those settings.

Click “Scan”

When the scan finishes, mark everything for removal and delete it. Right-click the window and choose “select all” from the drop down menu, press �next� and then �yes� to the prompt: �remove all these entries�.

However, if you have certain programs running that will give a false indicator of a browser hijack attempt, such as Script Sentry, which places a monitoring function in the registry and looks like a browser hijacker but is not, then you may want to add that to the ignore list because you want to keep it there to do it�s job. To add an item to the ignore list, put the a cursor on the file it reveals and left click it to highlight it, then right click it and a menu appears. Click on �ignore list.�

Shut down, two minute shut down is best, and let Adaware run on reboot if it indicates.
When you are done all that, go into Safe Mode and run Adaware, SpyBot, and Av. Then go to ‘search files and folders’ and search for the file name of the trojan and delete it in Safe Mode. If you are clean there, that’s about it. Re-enable your system restore.

I also use these:

Spyware Blaster

http://www.javacoolsoftware.com/spywareblaster.html

MRU Blaster

http://www.javacoolsoftware.com/mrublaster.html

and Script Sentry.

Run Adaware, SpyBot and your AV in normal mode. Clean? good. Go here:

Jason�s Browser Security Test:

http://www.jasons-toolbox.com/BrowserSecurity/

Gibson tests:

http://www.grc.com/default.htm

I use LeakTest, DCOMbobulator, ShieldUp, and plugnpray.

Love for the tech community.

Let’s look at a free online virus scanner compared to Norton antivirus

I scanned with Norton first and found nothing, then scanned again with bit defender online free virus scanner.

what do you think is the better choice?

A-Squared	Found Riskware.PSWTool.Win32.Brutus
AntiVir	Found SPR/Brutus
ArcaVir	Found Trojan.Psw.Tool.Brutus
Avast	Found Win32:PolyCrypt-ASO
AVG Antivirus	Found nothing
BitDefender	Found Application.PWCrack.Brutus.A
ClamAV	Found Virtool.Brutus
CPsecure	Found PSWTool.W32.Brutus
Dr.Web	Found Tool.BrutusPWS
F-Prot Antivirus	Found security risk or a “backdoor” program
F-Secure Anti-Virus	Found not-a-virus:PSWTool.Win32.Brutus (6, 2, 605)
Fortinet	Found HackerTool/PWCrack
Ikarus	Found HackTool.Win32.Brutus
Kaspersky Anti-Virus	Found not-a-virus:PSWTool.Win32.Brutus
NOD32	Found Win32/PSWTool.Brutus application
Norman Virus Control	Found nothing
Panda Antivirus	Found Application/Brutus.A
Rising Antivirus	Found nothing
Sophos Antivirus	Found nothing
VirusBuster	Found nothing
VBA32	Found Win32.PSWTool.Brutus