Category: Registry

Microsoft Issues a Security Advisory KB971778

Paul

Microsoft Security Advisory: Vulnerability in Microsoft DirectShow could allow remote code execution

http://support.microsoft.com/kb/971778

The systems that are vulnerable are Windows 2000, Windows XP or Windows Server 2003.   I like this new way Microsoft is helping the less educated.   They now havea Fix it button on the site.  This fix it button is a registry change to there system.   It does all the work for the End user.   Although the corporate field will have to modify the registry there own way.

[ad]It looks like Microsoft is thinking of making this more user friendly.  Here is how to do a manual registry fix for your computer:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following subkeys in the registry:

    • For 32-bit Windows systems:
      HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

    • For 64 bit Windows Systems:
      HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
      HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

  3. On the File menu, click Export.

  4. In the Export Registry File dialog box, type Quicktime_Parser_Backup.reg, and then click Save.

    Note By default, this will create a backup of this registry key in the My Documents folder.

  5. Press DELETE on the keyboard to delete the registry key. When prompted to delete the registry key in the Confirm Key Delete dialog box, click Yes.

  6. Exit Registry Editor.

This will fix the problem until Microsoft has come out with a patch.  If you are not comfortable doing it this way, you can always go hit the fix it button to have it do it automatically.  This will help prevent someone from using this exploit!!

Tools for Virus Removal : The ones I like to use!

Paul

In this post I want to talk about virus removal tools that I like to use when I need to remove a virus.   Some thing to consider when using these tools are:

Each of these have to be dealt with differently because each requires something different.  Like rootkits if you have one installed and know that it is a rootkit you only options are to download some rootkit removers like:

  • Sopho’s Anti-rootkit remover —  This is good for those more known viruses and can remove several types of rootkits.   This isn’t the only one I use, but it is a part of group that does the rootkit removing for me.

  • Microsoft Rootkit Revealer —  This is good for proving there is a rootkit.  I’ve not seen it not detect a rootkit.  Most of the time when I find a rootkit from the other rootkit revealers this one actually dos better with information.

  • Panda Anti-Rootkit Remover — This one is another one I use when the other ones can’t remove it.  Each one does remove certain rootkit differently and works better than the other.

  • Aries Rootkit Remover from Lavasoft — This is good for those really tough rootkits but have some great benefits for removing some of the really tough rootkits.

These are the ones that work well with me when it comes to removing the rootkits.  I’ve not had one of these to remove a rootkit but that depends on how you deal with the virus in the first place.  Now for Anti-spyware and Anti-Virus software here are some of the tools that I suggest:

  • HijackthisRun it, and when you get the LOG file you will want to go to HijackThis Log Analysis Site 1 and HijackThis Log Analysis Site 2, and see what it says.  This is the best software because it will scan all of the registry and tells you like a wiki what might it be.

  • MSCONFIG — Sometimes it is hidden but if you check through the MSCONFIG for any files that might not need to load. Also check the services tab and see if there is any services that may not be needed.

  • Pctools Antivirus Free Software — This is a free software so what can I say.

  • AVG Anti-Virus Free Edition 7.5.503 — This is another free one that can remove viruses really easily. Download this and you don’t have to worry to much.

  • Avast Home Edition — AVG does better than this one but people seem to like this so I have to add this for people who like this better than the others.

  • Clamwin Free Anti-virus — This is a good one because this is open sourced and easily can help detect so many viruses. This is good for those people who like open sourced.

These are just  the ones that I like to recommend that does pretty good on removing the viruses but there are others that I recommend on my Malware Resources that people have recommend to me but I haven’t tried them out yet.    Some of the Spyware and Adware removal and here are some of my favorites:

  • SuperAntispyware — Easily remove pests such as WinFixer, SpyAxe, SpyFalcon, and thousands more! Repair broken Internet Connections, Desktops, Registry Editing and more with our unique Repair System.

  • Malwarebytes can provide the needed assistance to remove the infection and restore the machine back to optimum performance.

  • Ad-Aware — This is a very good tool to get rid of some of the most annoying little viruses that try to fool you that you have a virus.

  • Windows Security Trojan Scanner — a Free online scanner to let you see if you might have a Trojan.

  • SmitFraudFix — A great little program to get rid of those Desktop hijacks, those programs that take over your browser or other file system.

If your current antimalware software let an infection through, you may want to consider purchasing the PRO version of SUPERAntiSpyware or Malwarebytes License to protect your computer in the future. SUPERAntiSpyware Professional or Malwarebytes License features highly advanced Real-Time Protection to ensure protection from installation or re-installation of potential threats as you surf the Internet (Both are trusted Vendors by CCSS Forums).

These are just a few that I like to use when it comes to fighting those virus programs and the people behind the virus programs.   If you consider how hard it is sometimes to recognize a virus, you can see the problem with some of the programs they can sometimes  say a file is a virus and delete it and the next thing you know it won’t boot into Windows.  This is what needs to be considered whenever you see a warning on your system so you must be careful when you remove files.  You should always have backups that is what I always recommend because the likely hood of something terrible happening to your data.  You should come up with a way to back up your system every week like a sunday back or even a Monday while your at work backup.

Uncovering a Virus/Trojan

Paul

Getting done with the first part really got my juices flowing. I was shopping looking and thinking about this next article. I came up to only one option turning this into a 3-5 length post due to all the content that I will have.  So where did we leave off?  Oh that is right figuring out if you have a virus/Trojan.  The instant I made a post about this 12 hours later someone make a comment and here is what he said:
[ad#ad2-right]

Rene Van Belzen

I can’t wait to read part two of this article. I always wondered how you’d know you’re infected if a virus don’t want to be detected and no virus definitions are yet available, because the virus is so new.

Now the truth is anytime a Virus does something it usually leaves a footprint somewhere and somehow.   Even the hardest working hacker can’t plan for all possibilities and that is where we begin.   I have been helping people for a while with viruses and know that no matter how hard the virus tries to hide you can usually find it relatively quickly and easily do to virus check here are the ways I’ve done to figure out if they may or may not have a virus/Trojan.

Now if this is a client’s computer and you don’t want to be rude to the client, there are a few indications of user error and installing a virus.   This is relatively simple, all you do is do a quick inventory of all the start menu programs.  You’d want to look for any P2P file sharing program, If they have Firefox Installed, and if they are using Window Mail and not Thunderbird.   You see 80% to 90% of virus downloaded are installed by the End USER.  They either downloading a game and installing a virus with [ad#ad2-left]a game, or not protecting themselves by using Internet Explorer or Using Windows Mail.  That is usually my first step due to the fact, I’ve got to be diplomatic about finding out about security ways.  Also make sure they are up to date on there Window updates, unless they are using a really old system then you will have to work even harder.  Also you can suspect a virus if the client is talking about having problem with a program recently although this isn’t always true it sometimes is the case due to the fact hackers don’t have a big chance to test these viruses/Trojans out before they set them into the wild.  So there are always going to be unplanned problems associated with them.

After the first initial search of desktop, you should really know the likely hood of a possible virus getting on the system and later we will talk about counter measures to prevent virus attacks in the future.   There are a few places a hacker likes to put commands.   Hackers love to put in the Registry to run a program every time Windows starts.  It usually in:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Usually 50% to 70% of virus like to make sure the program to runs.  This is a flaw in Windows because hackers can edit this without much effort but there isn’t many places a hacker can go to make sure a program is set to run when you boot.   So this is also a benifit to finding those little programs.

Now just like the Regisitry, Hackers also like to put programs in a few areas on the hard drive.   This is also kinda hard to hide because most of the time these are consider important to the system but if you know what to look for you can pretty much figure out if it is truelly a system file.  These areas of the hard drive are:

  • C:\WINDOWS\System32[ad#ad2-right]

  • C:\WINDOWS

  • %programfiles%\common files\microsoft shared

  • %windir%\temp\

These are just a few but if you look hard enough it can be found most of the time.   Most of the time I use the registry to tell me where these programs are so I can do a further check of the program.  Some of this is not needed with some of the programs that I recommend but this is for those who want to be a through job and make sure the virus is gone.

On my next post we will talk about some good tools for the trade to help get rid of a virus/Trojan.  This little step here is used to  better help identify a virus and also give you chance to google each name on the list of registry and the hard drive  to see if you can identify the virus.

Crafty little Trojan:W32/DNSChanger.ARNF

Paul

Saw this post and couldn’t resist talking about it.   This was talked about on F-secure.    It looks like they use a program call “Homeview Installer” and after you install it you get the Trojan:W32/DNSChanger.ARNF.   So how do you get that off your system?  Before we talk about that, let’s talk about what it does.  According to F-secure:

[ad#ad2-right]

This malware is dropped onto the system by Trojan-Dropper:W32/Agent.FLN. It is used to change the DNS settings on a system so that information such as passwords and credit card details can be retrieved.

[Via F-secure]

What you need to do to get rid of this of this Trojan is to scan your system.   You will also need to understand that this is a really good Trojan, it sees to modify your DNS and also your Registry.   Once you located and destroyed it you will then want to remove all your restore points.  After that you will want to check my other resources to better protect yourself.   You are the only one to prevent a virus from getting on your system.   If you like this one check out my other post as well.