International Computer Security Day — November 30
Here are just a few suggestions on what you can do:
– Change your password(s) to strong passwords. At minimum, mix upper case and lower case letters, numbers, and special symbols. The longer the better!
– < *cough*> Remove the “sticky” from under your keyboard that has all your passwords written on it!
– Update your Anti-virus software and run a full system scan
– Check for Windows updates
– Delete unneeded files
– Back up important files
– Take a few minutes to read Anti Spyware Tips.
RootkitRevealer – free rootkit detection tool
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher, and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish, HackerDefender, and fresh rootkits (TDSSserv, w32.tidserv).

How to use RootkitRevealer
- Download RootkitRevealer from here and unzip it to a folder that you create, such as C:\RootkitRevealer\.
- Disconnect from the internet and disable all active protection in order to minimize false positives.
- Double-click RootkitRevealer.exe to run the program.
- When the program opens, click the Scan button.
- When the scan is finished, click File->Save and save a log to your desktop.
- Close RootkitRevealer.
- Post your RootkitRevealer log in the spyware removal forum. Myantispyware.com team will help you.
Note: RootkitRevealer requires that the account from which it's run has been assigned the Backup files and directories, Load drivers, and Perform volume maintenance tasks (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default.
November 29, 2005 on 8:50 am | In Free Software | No Comments |
Autoruns – Hunt down autostart programs wherever they hide
Why does logon take so long?
What are all those icons in the system tray?
How do I stop programs from starting automatically?
How do I get rid of that strange error that keeps cropping up during logon?
A free tool that can answer those questions: Sysinternals Autoruns.

Upon installation, many applications configure themselves to start automatically when you log on. Applications do this so that they can automatically check for updates, because they use system tray icons to interact with users, or because they add functionality to Windows components such as Windows Explorer. However, most such applications don’t ask permission before inserting themselves in your logon process and almost never provide an interface to let you disable their autostart functionality.
Windows Server 2003 and Windows XP include the System Configuration utility (Msconfig.exe), which is based on a similar tool in Windows Me. Msconfig features a Startup tab that lists and lets you disable certain items that run automatically when you log on. However, Msconfig has two major limitations: It displays items from only a fraction of the locations in which autostart applications can hide and it shows limited information about the items it does list. Furthermore, if you run Windows 2000 or Windows NT 4.0, you’re out of luck. Neither OS contains Msconfig or other built-in tools to report components that automatically execute at logon.
You can use Autoruns not only to identify the applications that have configured themselves to start at logon but to see all the locations where autostart applications might be configured on the system. Autoruns works on all versions of Windows, including Windows Me and Windows 9x.
What You See
Autoruns displays each location that contains autostart items, or images, in the order in which the locations are processed during system startup and user logon; all images in each location are listed in alphabetical order. Besides providing insight into the Windows logon process, this order can have important repercussions: Programs that launch first might be overwritten by programs that launch later.
Autoruns displays more information about each image than Msconfig does. Autoruns lists each entry in the subkey, as well as a description of the entry’s corresponding image, the company that created the image, and the path to the image file. For example, Figure 2 shows the contents of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry subkey, which Windows Explorer processes during logon. Msconfig would report the Synchronization Manager entry but would list the entry only as mobsync and would provide the corresponding startup command. As you can see in Figure 1, however, Autoruns lists the entry as Synchronization Manager under its corresponding registry subkey, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The tool lists a description—Microsoft Synchronization Manager—that helps identify the image as being related to offline file synchronization. You can see that the image is from Microsoft—information that can help you remove unnecessary entries created by non-Windows components. And Autoruns lists the path to the image file (C:\WINDOWS\SYSTEM32\MOBSYNC.EXE).
Autoruns obtains the description and company name from the image’s version data, which stores details that help identify the image and its purpose. You can examine the rest of an image’s version information by selecting the image and choosing Entry, Properties from Autoruns’ menu bar or by right-clicking the image and selecting Properties from the context menu.
Autoruns gives you the option to show only images that are unsigned, or not published by Microsoft; just select View, Hide Signed Microsoft Entries. An image is said to be signed when it includes a digital signature issued by a digital signing authority that the system’s security policy trusts. Unsigned images’ company names will be preceded by (Not verified) in Autoruns’ display.
Autoruns doesn’t show an image’s startup command, but you can find that information by double-clicking the entry or by selecting the entry and choosing Entry, Jump To. If the image is in the registry, Autoruns executes regedit and navigates to the appropriate subkey or entry. If the image is in the file system, which is the case for items in the Start menu’s Startup folder, Autoruns opens Windows Explorer and navigates to the directory that contains the image.
Autoruns focuses on images that execute when you log on, but many components run as Windows services and automatically execute when the system boots. To toggle Autoruns’ display of autostart services, select View, Show Services; to see Windows Explorer add-ons, select View, Show Explorer Addons.
Where They Hide
Autoruns usually lists more entries than Msconfig because Msconfig is programmed to be aware of only some of the two dozen or so startup entries honored by Windows and its logon components. For example, consider the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry subkey, shown in Figure 1 as HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit. After you interactively log on to a system, the Winlogon process executes the program listed in this subkey (userinit.exe by default). Userinit.exe executes logon scripts, restores drive letter and printer mappings, and applies configured Group Policy settings. Msconfig doesn’t list this image.
The list of locations in which applications can configure themselves is astounding (see Top 10, “Windows Program Startup Locations,” December 2002, InstantDoc ID 27100 for a few examples), and nowhere does Microsoft documentation provide the entire list. Autoruns has evolved and continues to evolve over time to include more and more of these locations as Autoruns coauthor Bryce Cogswell and I learn of them. For instance, a Microsoft employee recently told us about the HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components subkey, a location not publicly documented by Microsoft or listed by Msconfig but known by a worm that hides its automatic activation there. To see all the locations that Autoruns knows about, select all the View menu items that begin with Show, then select View, Include Empty Locations.
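The following PowerShell script is an added example and is not part of the Autoruns article or the Sysinternals tools. It walks a few of the autostart locations named above (the Run and RunOnce keys, the Winlogon Userinit and Shell values, Active Setup Installed Components, and the Startup folders) and marks images whose Authenticode signature does not verify, the way Autoruns prefixes "(Not verified)". It assumes Windows PowerShell 3.0 or later; the location list is a subset chosen for illustration, not the full set Autoruns knows about.

```powershell
# Added example (not Autoruns' own code): enumerate a handful of autostart
# locations and flag unsigned or non-Microsoft images. Assumes PowerShell 3.0+.

$registryLocations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a launch string such as
#   "C:\Program Files\Foo\foo.exe" /background   or   C:\WINDOWS\system32\userinit.exe,
function Get-ImagePath {
    param([string]$LaunchString)
    $s = [Environment]::ExpandEnvironmentVariables($LaunchString.Trim())
    $image = if ($s.StartsWith('"') -and $s.IndexOf('"', 1) -gt 0) {
        $s.Substring(1, $s.IndexOf('"', 1) - 1)
    } else {
        ($s -split '\s+')[0].TrimEnd(',')   # Userinit values end in a comma
    }
    if ($image -and -not [IO.Path]::IsPathRooted($image)) {
        # Resolve bare names such as regsvr32.exe through PATH, as the loader would
        $cmd = Get-Command $image -CommandType Application -ErrorAction SilentlyContinue
        if ($cmd) { $image = @($cmd)[0].Path }
    }
    return $image
}

function Get-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$LaunchString)
    $image   = Get-ImagePath $LaunchString
    $company = ''
    $signed  = $false
    if ($image -and (Test-Path -LiteralPath $image)) {
        $company = (Get-Item -LiteralPath $image).VersionInfo.CompanyName
        # Status is 'Valid' only when the signature is intact and chains to a trusted root
        $signed = (Get-AuthenticodeSignature -LiteralPath $image).Status -eq 'Valid'
    }
    [pscustomobject]@{
        Location     = $Location
        Entry        = $Name
        LaunchString = $LaunchString
        ImagePath    = $image
        Company      = if ($signed) { $company } else { "(Not verified) $company" }
        Signed       = $signed
    }
}

$entries = @()
foreach ($key in $registryLocations) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        # Under Winlogon only Userinit and Shell are launch strings
        if ($key -like '*\Winlogon' -and $p.Name -notin 'Userinit', 'Shell') { continue }
        $entries += Get-AutostartEntry -Location $key -Name $p.Name -LaunchString ([string]$p.Value)
    }
}

# Active Setup: each component subkey's StubPath runs once per user at logon
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($sub in (Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
    if ($stub) { $entries += Get-AutostartEntry -Location $activeSetup -Name $sub.PSChildName -LaunchString $stub }
}

# Startup folders are file-system locations; .lnk shortcuts are listed as-is, not resolved
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($file in (Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue)) {
        $entries += Get-AutostartEntry -Location $folder -Name $file.Name -LaunchString $file.FullName
    }
}

# Same idea as View > Hide Signed Microsoft Entries: keep what is unsigned or not from Microsoft
$entries | Where-Object { -not $_.Signed -or $_.Company -notlike 'Microsoft*' } |
    Format-Table Location, Entry, Company, ImagePath -AutoSize
```

Run it in an elevated session so HKLM and the all-users Startup folder are readable. The filter at the end is deliberately loose: an entry that is signed by someone other than Microsoft still shows up, because a valid signature says who published the image, not whether you want it starting at logon.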
What to Do
Like Msconfig, Autoruns lets you temporarily disable an entry by clearing the item’s check box. When you do so, Autoruns moves the entry into a backup location in the registry or file system. For example, if you disable an entry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey, Autoruns creates an AutorunsDisabled subkey under that registry subkey and moves the entry’s value into AutorunsDisabled. When you disable an entry in the Startup folder, Autoruns creates a subdirectory named Autorunsdisabled, into which it moves the disabled entry. When you log on, Windows Explorer opens the Autorunsdisabled folder so that you can see any disabled entries.
Autoruns also lets you permanently delete enabled or disabled entries by selecting the entry and typing Ctrl+D or by selecting Entry, Delete from the menu bar. Before you delete an item, though, you might want to save the Autoruns output to a text file for archiving purposes. To do so, choose File, Save.
I recommend you run Autoruns as a general housekeeping task on all your computers and make sure you understand all the programs configured to start during logon.
Download Autoruns and Autorunsc
Link: Mark Russinovich, Windows Power Tools, InstantDoc #44089, Windows IT Pro
November 29, 2005 on 8:38 am | In Free Software, Tips | No Comments |
MVPS Hosts File – You can use a HOSTS file to block ads, banners, cookies, web bugs, and even most hijackers
The MVPS Hosts file contains the mappings of IP addresses to host names. You can use it to block ads, banners, cookies, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems. Example – the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by the DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements.
In many cases this can speed the loading of web pages by not having to wait for these ads, banners, hit counters, etc. to load. This also helps to protect your privacy by blocking servers that track your viewing habits, known as “click-thru tracking”. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, as long as the entry exists.
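To make the mapping concrete, here is an added PowerShell example (not part of the MVPS page or its hosts file) that parses hosts-file lines and reports which names are sinkholed. The sample content is constructed for the example; the entry for ad.doubleclick.net mirrors the one quoted above, and the 0.0.0.0 form is the other common block address, which some lists prefer because the connection fails immediately instead of waiting on loopback.

```powershell
# Added example: parse hosts-file lines and tell block entries from real mappings.
# The sample text below is constructed, not the MVPS file.

$sampleHosts = @'
# constructed sample in hosts-file style
127.0.0.1  localhost
127.0.0.1  ad.doubleclick.net
0.0.0.0    tracker.example.test   # 0.0.0.0 also sinkholes the name
192.0.2.10 intranet.example.test  # not a block entry: points at a real address
'@

$blockAddresses = @('127.0.0.1', '0.0.0.0', '::1')

function ConvertFrom-HostsFile {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()   # drop comments and blank lines
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }      # an address with no names is useless
        $address = $parts[0]
        # One line may map several names to the same address
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                Address  = $address
                HostName = $name.ToLowerInvariant()
                Blocked  = $address -in $blockAddresses
            }
        }
    }
}

function Test-HostBlocked {
    param([object[]]$Entries, [string]$HostName)
    $wanted = $HostName.ToLowerInvariant()
    [bool]($Entries | Where-Object { $_.Blocked -and $_.HostName -eq $wanted })
}

$entries = ConvertFrom-HostsFile ($sampleHosts -split "`r?`n")
$entries | Format-Table -AutoSize
"ad.doubleclick.net blocked: $(Test-HostBlocked $entries 'ad.doubleclick.net')"
"intranet.example.test blocked: $(Test-HostBlocked $entries 'intranet.example.test')"

# To inspect the live file on Windows, count its block entries:
# ConvertFrom-HostsFile (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") |
#     Where-Object Blocked | Measure-Object
```

Keep in mind what this mechanism covers: a hosts entry only affects name resolution on that machine. Software that connects by IP address, or that resolves names through its own resolver (DNS over HTTPS in a browser, for instance), is not stopped by it.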
More Info: MVPS Hosts, Here’s how to use the HOST file to block ads
Download the new hosts file from MVPS:
http://www.mvps.org/winhelp2002/hosts.htm
http://www.mvps.org/winhelp2002/hosts.zip
http://www.mvps.org/winhelp2002/hosts.txt
Ewido security suite 3.5 – Complement your existing protection system today
Ewido anti-spyware 4.0 will now continue under the new product name AVG Internet Security. AVG Internet Security is comprehensive real-time protection against all Internet threats.
AVG Internet Security offers you real-time protection against these threats:
- Hijackers and Spyware. Secure surfing on the Internet without fear of annoying changes to your browser's start page, tracking cookies, and advertising bars.
- Worms. Nobody should receive e-mails in your name with malicious files attached anymore.
- Dialers. Security against all kinds of dialers. No fear when receiving the next phone bill.
- Trojans and Keyloggers. No chance for thieves to steal your bank data and personal sensitive information through tapped Internet connections, remotely controlled webcams, or secret keyboard recordings.
Continue reading Ewido security suite 3.5 – Complement your existing protection system today…
November 27, 2005 on 8:22 pm | In Malware removal, Trojan, Virus | 2 Comments |
MS05-051 POC Exploit
A proof of concept (PoC) exploit was released against systems vulnerable to MS05-051. MS05-051 was released in October. The vulnerability allows arbitrary code execution on systems with the Microsoft Distributed Transaction Coordinator (MSDTC) enabled.
In order to disable MSDTC, enter the following command:
sc stop MSDTC & sc config MSDTC start= disabled
By default, port 3372 is used by the exploit. The packet sent will cause a denial of service condition. At this point, we see only a little activity on port 3372, likely because this PoC exploit does not actually execute any “useful” code.
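The same mitigation as the sc commands above, written as an added PowerShell example with a before-and-after check; this is not from the original post. It assumes an elevated session and, for the port check, a Windows version that ships Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example: stop and disable MSDTC, then confirm nothing is listening on TCP 3372.
# Assumes an elevated PowerShell session.

function Get-MsdtcState {
    $svc = Get-Service -Name MSDTC -ErrorAction Stop
    # Get-Service does not expose the start type on older PowerShell, so ask WMI/CIM
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'").StartMode
    [pscustomobject]@{ Status = $svc.Status; StartMode = $mode }
}

function Disable-Msdtc {
    # Equivalent of: sc stop MSDTC & sc config MSDTC start= disabled
    Stop-Service -Name MSDTC -Force -ErrorAction SilentlyContinue
    Set-Service  -Name MSDTC -StartupType Disabled
}

function Test-Port3372Listening {
    # The PoC targets TCP 3372; report whether any process still listens there
    [bool](Get-NetTCPConnection -LocalPort 3372 -State Listen -ErrorAction SilentlyContinue)
}

'Before:'
Get-MsdtcState
"Port 3372 listening: $(Test-Port3372Listening)"

Disable-Msdtc

'After:'
Get-MsdtcState
"Port 3372 listening: $(Test-Port3372Listening)"
```

Disabling the service is a stopgap: MSDTC is needed for distributed transactions (COM+ and SQL Server workloads, among others), so on a machine that uses them the real fix is installing the MS05-051 update and re-enabling the service afterwards.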
November 27, 2005 on 8:12 pm | In Exploits & Vulnerabilities | No Comments |
How to detect keylogger on my computer ?
Why Keyloggers Threaten Your Privacy
1. Surveillance software is very common nowadays. A Google search on keyloggers yields 39,000+ results.
2. Software mentioned in (1) has a bunch of features to record your activity in every possible way. See some features here.
3. Due to their “good purpose”, keyloggers and other types of surveillance software are not detected by AntiVirus programs.
4. Most keyloggers are more threatening than the so-called spyware. Keyloggers can record your passwords, emails, credit card number, etc.
5. Some keyloggers can even be installed remotely. Google search here.
6. Most (if not all) keyloggers are invisible. This means you will not know if a keylogger is running on your system.
7. More and more people are using keyloggers or surveillance software. These include your friends, spouse, employer, etc.
8. The recorded keystrokes can be sent to an email address. So physical access to your computer is not necessary.
9. Public computers (e.g. public library’s) might have keyloggers installed. It is just a possibility.
10. You value your privacy, don’t you?
Use the following software to detect keyloggers:
1. Kldetector – small free program for detecting keyloggers
2. SnoopFree Privacy Shield – informs you when another program is trying to log your keystrokes
Update Spybot S&D Detection Rules, 11/25/2005
Dialer
+ DialerPlatform
Hijacker
+ CoolWWWSearch.SearchAssistant
+ Smitfraud-C.
+ CoolWWWSearch.Feat2Installer
+ CoolWWWSearch.Service
+ CoolWWWSearch.Feat2DLL
Keylogger
+ Phoenix
Malware
+ VirtuMonde
+ SintCorporation
PUPS
+ Download Accelerator Plus
Trojan
+ Z-Quest
How to Remove Trojan Vundo / Winfixer / Virtumonde?
VirtuMonde is an adware program that downloads and displays popup advertisements. It may also hijack the browser to unwanted advertising related sites.
There is a free removal tool offered by Symantec here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
Follow the removal directions on the download page. Run the tool twice with a reboot in between to be sure it got everything.
November 26, 2005 on 4:06 am | In Trojan, Tutorials - HowTo | No Comments |
New Version of MYTOB is causing an escalation of Risk Alert
We just received notification that Trend Micro has raised the Alert for the new MYTOB virus to medium. Trend Micro has an excellent write up at:
The worm appears to be memory resident and spreads by sending a copy of itself as an attachment (account-password.zip) in an email message using its own Simple Mail Transfer Protocol (SMTP) engine. It also installs malware which Trend Micro is calling TROJ_MONURL.D. Trend Micro has removal instructions and more information about the malware at the link above.
Use extreme care when opening your email. Do not open zip files or other attachments that you are not expecting to receive or that come from suspicious emails.
November 24, 2005 on 8:18 pm | In Worms | No Comments |
My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.