April 26, 2007

Spybot S&D Definition Updates from April 18 through 25, 2007

The world-renowned anti-spyware program Spybot Search and Destroy was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-04-25
Adware
+Weatherstudio.Toolbar
Dialer
+CyberBill
Keylogger
+BossEveryware +Ghostlogger +HandyKeylogger
Malware
+IRC.Zapchast +Win32.Stration
PUPS (Potentially Unwanted Programs)
+EverestPoker
Spyware
+GuardianMonitor
Trojan
+Agobot.Backdoor +Dmcast.Toolbar +DropSpam (2) +Hupigon13 +Opnis.Nak +Smitfraud-C.KooWo +Smitfraud-C.Toolbar +Win32.Agent.jb +Win32.Delf.zq +Win32.Maran.db +Win32.OnLineGames +Win32.Small.r +Win32.Rbot.aeu +Win32.Rbot.bms +Zlob.BrainCodec (2)
Total: 378907 fingerprints in 66286 rules for 2830 products.

2007-04-18
Adware
+3BSoftware.RegistryRepair
Keylogger
+Perfect Keylogger +SC-KeyLog
Malware
+Bluettooth +Kalmarte +Win32.Small.kj +Win32.SdBot.yx
PUPS
+SpySoap
Spyware
+PC-Spy-Monitor 2007
Trojan
+Fraud.ProtectionBar ++Jupilites +Win32.MicroJoiner +Win32.VB.ahq ++Zlob.MovieBox +Zlob.NewMediaCodec +Zlob.VideoAccessActiveXObject
Total: 374494 fingerprints in 65146 rules for 2807 products.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History
Safer Networking Malware Removal Forum, run by Team Spybot. Volunteers help you remove infections that keep returning, or that Spybot fails to remove permanently. Requires HijackThis logs to be copied and pasted into your Posts. Read the instructions thoroughly before requesting help!

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.


April 25, 2007

Support for Mozilla Firefox 1.5 to end in mid-May

Firefox users take note: Mozilla will only supply security and stability upgrades for Firefox 1.5x until mid-May of this year (2007). They encourage all Firefox 1.5 users to visit http://getfirefox.com to download the latest version of Firefox today. Mozilla is focusing on delivering a faster and more secure online experience. They want all of their users to benefit from the new features in Firefox 2.0, and in the not too distant future, Firefox 3.0.

I personally made the switch to version 2.0.x about two months ago and have no regrets. All of the Extensions I was using are now updated to work with version 2.0 and newer. The tabs that used to get squeezed in width as more were opened will now generate horizontal arrow buttons to scroll them to the right or left, when you have more tabs open than the width will accommodate. There are a lot of neat skins being developed for these new Firefox browsers and some awesome new "Add-ons" as the Extensions are now called. Firefox 2 supports JavaScript 1.7 and inline spell checking in text areas and text fields, which is a tremendous help for us Bloggers and Forumites.

Other new features:
* Microsummaries provide a way to create bookmarks that display information pulled from the site they refer to, updated automatically. Great for stock tickers, auction monitoring, and so forth.
* Search engine manager lets you rearrange and remove search engines shown in the search bar.
* Tabbed browsing enhancements include adding close buttons to each tab, adjustments to how Firefox decides which tab to bring you to when you close the current tab, and simplified preferences for tabs.
* Phishing Protection to warn users when the web site you're looking at appears to be a forgery.




Behind the scenes, version 2 and newer have security enhancements not found in version 1.x, and they are now basically Windows Vista compatible, with a few minor Vista bugs scheduled to be fixed in soon-to-be-released updates. At the time of this Post the current version of Firefox browser is 2.0.0.3, with 2.0.0.4 around the corner. Updates are released to fix compatibility, security and stability issues and can be applied manually by selecting "Check for Updates..." from the Help menu, on the toolbar, or by allowing (periodic) automatic update checks.

Firefox is available for Windows 98 through XP and now Vista, and non-Microsoft operating systems as well, including Mac and Linux. Current versions offer the option to also install the Google Toolbar, which is used by searchers and Webmasters alike.


April 20, 2007

I have joined Technorati and finally claimed my blog

After several failed attempts to claim my blog as a new Technorati member I finally grokked the solution, applied it to my server, and claimed my blog officially! If you are a Technorati member and use Movable Type, or a similar self-installed blog, and are having trouble getting the Technorati spider to recognize and claim your blog, and your website is hosted on an Apache based server, and you are able to upload files to your server via an FTP client, read on for my solution.

I went through several failed attempts before I figured out what the problem was. Like many other bloggers who install their own blog, I installed mine to a sub-directory off the web root, not to a sub-domain. My index page is named index.html and is in that sub-directory. The path to the blog, exemplified, is: http://www.examplified-domain.com/blog

This path is not a problem for any of the search bots as they all index my posts without a hitch. All except the Technorati spider used to "claim" a blog. After reading the access logs over and over I finally figured out that the spider was having a problem because of the way my server was redirecting the request for the index page, and because of the way Technorati strips out all information appended to the end of the path you give it in your profile. E.g. if you try to tell Technorati that your blog's index is at http://www.examplified-domain.com/blog/index.html, it will strip out the last forward slash and the name of the index file, leaving this as its search: http://www.examplified-domain.com/blog . Your server, if it is set up like mine, will append a trailing slash to that requested URI, then redirect it to the index.html file, without revealing that file name. The stupid spider thinks that it is anywhere but where you told it to go and your claim fails!

Here is what I did to help the Technorati spider get it right. Using notepad, or any other plain text or html editor, create a new plain text file with the following contents:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(blog|blog/)$
RewriteCond %{REQUEST_URI} !^/blog/index\.html$
RewriteRule (.*) /blog/index.html [R=301,L]

Note that the $ are dollar signs, using the shift key and the number 4 key on a standard keyboard.

Now save this file with the filename " .htaccess ". If you cannot save it with that name, save as htaccess.txt instead and rename it on the server. Next, upload the file to your server, to the directory where your blog index file resides. If you had to change the name, rename it on the server, to .htaccess . Your eyes are not deceiving you. There is no prefix, just a period, followed by htaccess. This is a special server control file used by Apache servers. If you use FTP software to upload and download files to the server, you may have to set the remote "file mask" to -al to view this normally hidden server control file, after uploading it.

With this .htaccess file in the same directory as the blog's index file go back to Technorati, login, and begin the claim process again. If you did everything the same way I did you should succeed in Claiming your Blog!
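To check rules like these before uploading them, the following added example (not part of the original post) models the two RewriteCond lines and the RewriteRule in Python and follows the resulting redirects the way a crawler would. It assumes Apache's default behaviour of ANDing consecutive RewriteCond lines and ignores the server's own trailing-slash redirect; the sample URIs and function names are constructed for illustration.

```python
import re

# The two RewriteCond lines from the .htaccess above as (pattern, negated) pairs.
CONDITIONS = [
    (r"^/(blog|blog/)$", False),        # RewriteCond %{REQUEST_URI} ^/(blog|blog/)$
    (r"^/blog/index\.html$", True),     # RewriteCond %{REQUEST_URI} !^/blog/index\.html$
]
TARGET = "/blog/index.html"             # RewriteRule (.*) /blog/index.html [R=301,L]


def rewrite(request_uri, conditions=CONDITIONS):
    """Return (301, TARGET) if every condition holds for request_uri, else None."""
    for pattern, negated in conditions:
        matched = re.search(pattern, request_uri) is not None
        if matched == negated:          # a plain condition must match, a negated one must not
            return None
    return (301, TARGET)


def follow(request_uri, max_hops=5):
    """Follow redirects from request_uri; return the URIs visited, raise on a loop."""
    chain = [request_uri]
    while True:
        hit = rewrite(chain[-1])
        if hit is None:
            return chain
        if hit[1] in chain or len(chain) >= max_hops:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [hit[1]]))
        chain.append(hit[1])


def redundant_conditions(samples):
    """Indices of conditions that can be dropped without changing any sample's result."""
    redundant = []
    for i in range(len(CONDITIONS)):
        reduced = CONDITIONS[:i] + CONDITIONS[i + 1:]
        if all(rewrite(uri, reduced) == rewrite(uri) for uri in samples):
            redundant.append(i)
    return redundant


# Constructed sample request URIs.
SAMPLES = ["/blog", "/blog/", "/blog/index.html", "/blog/archives/", "/", "/blogroll"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", " -> ".join(follow(uri)[1:]) or "(not redirected)")
    print("redundant condition indices:", redundant_conditions(SAMPLES))
```

Only /blog and /blog/ are redirected, the target itself never matches so there is no loop, and the second condition turns out to be redundant because the first pattern already excludes /blog/index.html.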

I hope this helps somebody else, as from what I have been reading, Technorati is not able to help a lot of people who use Movable Type blogs on their servers.

Good luck MT bloggers!
Wiz Feinberg
http://www.wizcrafts.net/


April 12, 2007

Spybot S&D Definition Updates from March 21 through April 11, 2007

The world-renowned anti-spyware program Spybot Search and Destroy was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-04-11
(These updates include detection and removal of the "Windows Safety Alert" parasite)
Adware
++Zango.AntiSpamBar ++Zango.Seekmo
Keylogger
+Perfect Keylogger (2) ++WideStep
Malware
++Free-Key-Logger +InetLoader +Smitfraud-C. (2) +SpyDawn +SpyHunter
++Win32.Agent.ahd ++Win32.Optix.b
Trojan
+1und1Bill.Fake +Hupigon +NumbSoft +Win32.Lager.aq ++Zlob.MovieBox +Zlob.PrivateVideo +WarezP2P

Total: 373599 fingerprints in 64879 rules for 2804 products.

2007-04-04
Keylogger
++A-Spy 2.11 ++Palsol ++CyberSpy ++AYOSpy
Malware
++AllInOneKeylogger +SpyDawn ++SpyLocked +Winsoftware.WinAntiVirusPro2006 +PestCapture +VirtuMonde
Trojan
+Zlob.VideoAccessActiveXObject ++Zlob.MovieCommander +Zlob.SiteTicket +Zlob.HQCodec +Zlob.PornPassManager +Zlob.VideoKeyCodec +Zlob.VideoBox +AnotherBot +Daugeru +Win32.Bancos.zm ++Banker.AHY ++Win32.Small.cnd

2007-03-28
Keylogger
+ActualSpy +IMSurfSentinel +Win32.ActiveKeyLogger
Malware
+Forbot +Smitfraud-C. +SpyHeal +SpyHunter +SpyDawn +Win32.Banload.bsr
PUPS
+SpyCQ
Security
+Microsoft.Windows.Security.FirewallOpenPorts
Spyware
+WebExplorer +WinSpy.SpySoftWareX +FreeKeylogger +EasyKeylogger
Trojan
+Banload +Nurech +Win32.Bagle.E +Win32.LowZones +Win32.Rbot +Win32.Bagle.av ++Win32.Bagle.hl +Zlob.SiteTicket +Zlob.AdultAccess +Zlob.VideoAccessActiveXObject +Zlob.VideoAccess +Banker.PorSMTP +Banker.PorSVC +Winsoftware.WinAntiVirusPro2007 +Win32.RAdmin

2007-03-21
Adware
+E-Ventures N.V.FWNToolbar
Malware
+AntiSpywareBOT +E-Ventures N.V.PCSkinsBrowser +Guptachar +PAL-Spyware-Remover +PSW.WOW +Smitfraud-C.Toolbar888 +Smitfraud-C. +SpyHeal +VirtuMonde
Trojan
+FakeBill +Nurech +Tibiabot +Win32.Bagle.flc +Win32.Bagle.hld ++Win32.Bagle.Rtk +Win32.Banker.anv +Win32.BHO.gen +Win32.Delf.uc +Win32.Delf.zq +Win32.Rbot +Win32.Small.edd ++Zlob.AdultAccess +Zlob.iCodec +Zlob.SiteTicket +Zlob.VideoAccessActiveXObject +Zlob.ZipCodec

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.


April 3, 2007

Hotfix for User32.dll error caused by April 3 Windows Update

Original posting date: 04/03/2007 - Updated on 04/19/2007

If you installed the KB925902 Windows Update patch, released on April 3, 2007, and rebooted to see the following error message, I have solutions for you.

Rthdcpl.exe (or other file) - Illegal System DLL Relocation
"The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL."

This problem occurs when the Realtek HD Audio Control Panel (Rthdcpl.exe) by Realtek Semiconductor Corporation, or AVG 7.5, or certain other applications are installed, which use Hhctrl.ocx. The name of the file causing the conflict will be related to the application it belongs to. The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if a program loads the Hhctrl.ocx file before the program loads the User32.dll file. A list of the applications known to be affected is in my extended comments.
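The base-address conflict described above can be checked from the PE headers alone. The following added example (not from the original post or from Microsoft) reads ImageBase and SizeOfImage from each module and reports which module loses its preferred range for a given load order. The header bytes and addresses are constructed placeholders, not the real values of either file, and the function names are hypothetical.

```python
import struct


def make_pe32_header(image_base, size_of_image):
    """Build a minimal, constructed PE32 header carrying only the fields read below."""
    e_lfanew = 0x40
    buf = bytearray(e_lfanew + 4 + 20 + 96)      # DOS header, signature, COFF, optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)  # e_lfanew: offset of the PE signature
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    struct.pack_into("<H", buf, opt, 0x10B)      # magic: PE32
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)


def preferred_range(pe):
    """Return (start, end) of the address range a PE image asks to be loaded at."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32: 4-byte ImageBase at offset 28
        base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 8-byte ImageBase at offset 24
        base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional-header magic")
    size = struct.unpack_from("<I", pe, opt + 56)[0]   # SizeOfImage, same offset in both
    return base, base + size


def relocated_modules(load_order):
    """load_order: list of (name, pe_bytes). Return [(relocated, blocker), ...]."""
    placed, conflicts = [], []
    for name, pe in load_order:
        start, end = preferred_range(pe)
        # A module is relocated when an earlier module already occupies part of its range.
        blocker = next((n for n, s, e in placed if start < e and s < end), None)
        if blocker is None:
            placed.append((name, start, end))
        else:
            conflicts.append((name, blocker))
    return conflicts


# Constructed values, NOT the real base addresses or sizes of these files.
HHCTRL = ("Hhctrl.ocx", make_pe32_header(0x7E000000, 0x000A0000))
USER32 = ("User32.dll", make_pe32_header(0x7E090000, 0x00090000))
OTHER = ("Other.dll", make_pe32_header(0x10000000, 0x00010000))

if __name__ == "__main__":
    for victim, blocker in relocated_modules([OTHER, HHCTRL, USER32]):
        print(f"{victim} cannot load at its preferred base: range taken by {blocker}")
```

To inspect real files, pass the first few kilobytes of each DLL (read in binary mode) to preferred_range in place of the constructed headers.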

If this happened to your Windows computer, please read this Microsoft Knowledge Base article:

935448 Certain programs may not start, and you receive an error message on a computer that is running Windows XP Service Pack 2: "Illegal System DLL Relocation"

You can read the details about the cause of the problem and download a Hotfix from that page which addresses the issue with the Realtek and other listed device drivers and applications. Alternately, install update 935448 by using Automatic Updates or by using Microsoft Update. To use Microsoft Update, visit the following Microsoft Web site: http://update.microsoft.com/microsoftupdate

Or, better yet, go directly to the manufacturer's Realtek drivers download page and download the newest audio driver (Realtek has released version 1.64 to address this problem), which corrects the above mentioned problems and also works with Windows Vista operating systems.

If you are using another program that is on the affected list, such as AVG Anti Virus Control Center 7.5, check for updates from the manufacturer, which will correct the underlying problem. Most of these updates may require a reboot to install completely. If no updates are available yet, apply the hotfix listed above (for validated copies of Windows XP SP-2 only).

A list of applications known to be affected is below, in the extended comments...

Microsoft has confirmed that this problem affects the following third-party applications.

Realtek HD Audio Control Panel - v1.41, 1.45, 1.49, 1.57
ElsterFormular - v2006, 2007
TUGZip - v3.4
CD-Tag - v2.27
Suunto Ski Manager - v1.0.2, 1.1, 1.2
AVG Anti-Virus Control Center - v7.5
BMC PATROL - v7.1
BricoPack Vista Inspirat - v1.1

Last updated on 4/19/07. This list will be updated if more affected applications are confirmed.


Critical Vulnerability in Windows Animated Cursors - Patch Today

Three months ago, in December, 2006, Microsoft was notified about a system vulnerability in the handling of animated cursors, but did nothing about it. Proof of concept code was published demonstrating an exploit vector. This new vulnerability is now being widely exploited to install Trojan malware into fully patched Windows 2000, XP, Server 2003 and Vista systems. All fully patched Windows systems are currently vulnerable.

It is now April 3, 2007, and due to the fact that this unpatched vulnerability is currently being exploited in the wild, Microsoft is going to release an "out-of-cycle" patch for the animated cursor vulnerability, today, April 3, 2007.

If you have automatic Windows Updates turned on you will receive the patch when it is pushed to your geographical/IP location. If you prefer to use manual updates (e.g. dial-up customers), start checking whenever you go online, today. All versions of Windows have a link to Windows Updates, somewhere on the Start Menu and also on every version of Internet Explorer (Tools > Windows Update).

If you are unable to obtain Windows Updates at this time you can temporarily protect your Windows computers by downloading and installing a third party patch from eEye Digital Security. If you do install the official Microsoft patch later, be sure you uninstall the eEye patch.

If you install this update, reboot, then get an error message regarding User32.dll being relocated, please read this followup article for advice.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.