kdfhok.dll

Saturday, September 6th, 2008

I know I said that I was going to post the Death of Web 2.0 today, but something came up that I need to get out there in the open.

Jeff, our Director of Marketing & Emerging Technologies (the one who is currently reinstalling his programs even as I type) came to me with a file that Lavasoft’s Ad-aware caught as a Trojan. Since he had been attacked (see the mal-ads report http://mice.org/getit/Mal-Ads Report.pdf) he was concerned that he might have been infected more than he knew. This was before the ForceField incident, by the way!

Since reinstalling his programs he ran a scan and the same file showed up again!

The file in question is kdfhok.dll.

My first instinct is to check Google and I find numerous sites reporting it as malware. Look at just the first two listings that pop up in Google below.

Google Search Results for kdfhok.dll

Something isn’t sitting right with me on this one though. So, I went to do a little search of my own.

Remember, I am a teacher and so I’m going to re-create the steps I took to find this out and trust me folks, I’m not going to show you what a great genius I am. I am going to show you how to do this yourself!

But what I want you to do is notice that in all these posts I’m posting here, I’m showing you - teaching you - how I do my research or discover information! This is also how I teach in my courses.

I’ve been a little bent out of shape lately because I’m reading all these “supposed experts” on the web with all this huge amount of traffic and here I am, little old Debbie trying to get just a wee bit more traffic. And believe me, when I see mistakes like I’m about to show you now that is actually HARMFUL to you if you follow the wrong advice - yes, I get my nose out of joint and my panties in a bundle - to coin a few old phrases!

Okay, first, let me show you how I found out what this file is and where it comes from and then you will be VERY CLEAR on whether it’s good or bad! (And Lavasoft, TAKE NOTICE and remove these files from your scan as malware!)

First, I know that Jeff and I have similar setups on our computers. I have a few more programming tools and gadgets and of course all my security research tools. He has the programs he uses for his job and some of his own special Open Source tools he’s investigating, and emerging technologies. But we both have Windows XP and we both are using the same security tools to protect our network.

So, I ran a search on my computer for the file: kdfhok.dll to see if I had this horrible trojan! And guess what? I did! (And no comments about my using the Einstein search assistance! SMILE)

kdfhok.dll Search

Now, here’s a great trick to learn right now and to use whenever you are in doubt about a file on your computer. This will prevent you from falling prey to every e-mail hoax that’s out there about files on your PC and prevent you from deleting something you really need!

Right mouse click on the file in question and choose PROPERTIES as the image below shows you.

Right Click Properties Option

You will have a screen that will come up that looks similar to the next image, but keep in mind that there are different properties for different files so it may not look EXACTLY like the one below. And also notice the areas I circled.

Creation Date Properties

You can see that this opened to the GENERAL tab and that the file creation date was July 8, 2008. I make a note of the CREATION DATE and click the VERSION tab.

File Version Information

Every LEGITIMATE file on your computer should have information about the company that built the program the file belongs to. As you can see in that image, there is information from Kings Information & Network.

So, now I know that I have a company that created the software this file belongs to, and I have a file creation date. The next step is to find out who this company is and what software both I and my marketing director have on our system that uses this.

My next step is to perform a Google Search for the company Kings Information & Network. But I do the search putting the entire name in quotes “Kings Information & Network” so that Google will search for only results where the entire phrase or string of words appear in that order. (Google hacking in our upcoming Hacking Course!)

Here’s the information I receive from the top three search results:

Kings Information & Network

The first result looks like a direct hit so I click that and find this information:

The Kings Information Search Results

I know that many times Microsoft as well as other software vendors use third party programs within their own. So now I have 3 possible programs that some KNOWN software might be integrating in theirs.

I did do further searching for these different pieces of software but came up empty.

Now, I conduct a search on my C drive to find any file or folder that was created on the date of July 8, 2008. This requires me to do some customizing of the search criteria.

I click “All Files and Folders” to start customizing my search criteria. I choose a file name using the wild card *.* (asterisk dot asterisk), which matches any file with any extension. I select only my C drive to shorten the search time and because I know the file or program has to be on my C drive. Then I set the criteria for a creation date between July 6 and July 9, to cover a day or two before and a day after the actual creation date shown on the kdfhok.dll file.
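The same triage, automated, as an added example that is not from the original post: given a suspect file path, it pulls the VERSION tab fields and creation date, adds a hash and signature check, and lists the folders with files created in the same date window. It assumes PowerShell 3.0 or newer and that the path below is a placeholder you replace with your own.

```powershell
# Added example: automate the Properties -> Version -> date-window triage described above.
# Assumes PowerShell 3.0+ (Get-FileHash, Get-ChildItem -File). The default path is a PLACEHOLDER.
param(
    [string]$Path      = 'C:\path\to\kdfhok.dll',   # placeholder, replace with the flagged file
    [string]$Root      = 'C:\',                      # drive to search, as in the manual search
    [int]   $DayWindow = 1                           # +/- days around the creation date
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# Step 1: the VERSION tab. CompanyName/ProductName point you at the vendor to research.
# Caveat: version strings are plain text and can be absent or forged, so treat them as a lead,
# not as proof either way; the hash lets you compare against vendor or scanner references.
$vi = $file.VersionInfo
[pscustomobject]@{
    File        = $file.FullName
    Company     = $vi.CompanyName
    Product     = $vi.ProductName
    FileVersion = $vi.FileVersion
    Created     = $file.CreationTime
    SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
} | Format-List

# Step 2: a check the GUI tab does not show directly: is the file Authenticode-signed, and by whom?
Get-AuthenticodeSignature -LiteralPath $file.FullName |
    Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } } |
    Format-List

# Step 3: the date search. Files installed together share a creation window, so grouping
# by folder shows which program the suspect file most likely arrived with.
$start = $file.CreationTime.Date.AddDays(-$DayWindow)
$end   = $file.CreationTime.Date.AddDays($DayWindow + 1)
Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -lt $end } |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the recursive search can read program folders; the folder list is the equivalent of the search window results shown next.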

This is what my search window looks like:

A Date Search

Once I click the search button, I let Einstein do his thing and I get results that look like this:

File Search Results

Hmmmm, doesn’t that look familiar?

So, I double click the folder to open it and look what I find!

Program Found!

Now, the most disturbing part of this is that I also found a post on the MajorGeeks forum that told people to delete this kdefense folder!

Major Geeks Forum Post

Source: http://forums.majorgeeks.com/archive/index.php?t-148705.html

Anyone who has deleted this folder or believed this file or its related files were a Trojan has damaged the very protection they paid to receive and has left themselves vulnerable. kdfhok.dll is being reported as a false positive and is very much a part of Trend Micro’s Wireless Encryption plug-in for the web browser.

Now, I not only told you the TRUTH about this file, I showed you how to find file information in the future. I also showed you how many of these supposed EXPERTS are dead wrong and put you in a dangerous position with your security. You need to be very discerning about who you trust with your security - including me! That’s why knowledge is power.

So again, kdfhok.dll is a false positive and the kdefense and all its related files belong with Trend Micro and SHOULD NOT BE DELETED! If you did delete them, you may want to reinstall your version of Trend as you may have compromised your security. I don’t know if that’s true or not at this point, but you may have and I always err on the side of caution in these matters.

If you have questions or concerns about your security or files, please visit our brand new forum and ask!

http://mice.org/forum/

And any wannabe security pros or techies are welcome to try their hand at answering, and I will monitor the forum to see how you’re doing or answer questions others can’t.

Or consider taking our courses during the Anniversary Special. You can buy the Essential 3 at the low cost now and take them when you’re ready. You don’t have to take them right now!

http://mice.org/celebrate/index.html#order

So tomorrow, we’ll get to the Death of Web 2.0!
(I’m writing it now so I won’t get side tracked!)

Debbie
