Oct 14

Before I post part 2 of the “Why is my PC so slow” series, I wanted to tell you about what I just found!

Trend Micro, manufacturer of the reliable PC-cillin, Internet Security software, and RUBotted, has released a new FREE Rootkit Buster! I’ve found this much easier to use than the Sysinternals RootkitRevealer!

From the initial start up of the program, it allows you to select what areas you want to scan.

Start Screen


The scan took little time to complete and then prompted me to ask if I wanted to see the log file.


For any of you who’ve used the Sysinternals RootkitRevealer (now owned by Microsoft, I might add), you know that the results are hard to figure out unless you’re a techie! Well, check out the Trend Micro Rootkit Buster log!


Is that easy or what???

To get your own FREE copy of the Trend Micro Rootkit Buster, just go to the link and get it FREE! No sign-up required, no giving away your first born child, nothing. It’s right there to download!

http://www.trendmicro.com/download/rbuster.asp

And for those of you who aren’t even sure what I’m talking about, a rootkit is a form of malware that hides in your computer and lies to the operating system about what it is so that it can’t get discovered. Hackers, Trojan viruses, keyloggers, and many other ‘bad guys’ use this method to hide inside your machine and steal your data.  (Need more info? Take our course!)

And for those of you who want to correct me on my definition, please don’t. I explain that way so that even the youngest beginner can understand! I know it’s not the “technical” definition!



written by Admin

Sep 12

On September 5, I published the first Too Many Trojans post about TrendMicro reporting Windows files and program files as Trojans and quarantining them.

Well, it happened again! Today!

I sent my analysis files to TrendMicro via our PartnerNet, but I think I have found the culprit! I wanted to put this out there so you know, and I did alert Trend to this possibility.

I believe the running of TeaTimer from Spybot Search and Destroy is the problem. I just tested my theory and so far the problem seems resolved.

1. Turn off TeaTimer.

2. Delete the files named lpt$vpn under C:\Program Files\Trend Micro (and then under your product’s folder; mine was under Internet Security). There will be at least one, if not more; delete any file whose name starts with lpt$vpn.

3. Reboot your computer.

4. Update Trend again.

5. It will require you to reboot one more time.

6. Re-scan and you should find that it does not quarantine any other files.

If you cannot reboot in normal Windows mode, Trend has the directions to reboot in Safe Mode here:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038089&id=EN-1038089

And if this does become the reason for the problem, remember it was posted here first! We always keep you ahead of security!



written by Admin

Sep 08

There are some days that I am just so happy to be doing the work I do. And today is one of those days!

Last week I received an odd e-mail that was obviously spam but seemed to contain malware. And of course, I was disturbed because my Trend Micro Internet Security Pro did not catch it. When I did a bit of analysis on my own, it did indeed seem to contain the makings of malware (not that the fact that it was an executable (.exe) might have had something to do with it, too!).

So, following our procedures for submission, I submitted the file to Trend’s virus engineers and I just received this e-mail back from them.

New Trojan Downloader HR

The name of the Trojan is TROJ_DLOADR.HR, Trend Micro’s short form for Trojan, Downloader, variant HR.

And in keeping with my pledge to expose people who are either running botnets unknowingly or expose those who would willingly send out malcode, here’s the e-mail I received and the headers from that e-mail.

The Original E-mail

You will notice, first of all, that the sender is a very bizarre e-mail address, and the To address is not a legitimate MICE e-mail address to begin with. And there is nothing going on at MICE that required an attorney to look over our contract. (We have two law firms we conduct business with, and neither is at this address!)

So, looking at the headers I can see that this is coming from one specific IP address. Doesn’t appear to be a botnet, but I may be wrong. But from the headers, it seems to me that this e-mail originated from and was sent from this address. Perhaps this person is infected?

E-mail Headers showing IP Address

So, once again I go off to the Whatismyipaddress.com website (Gosh, I LOVE THEM!)

IP Address pointing to RoadRunner ISP

So, if you know of someone in that area (Washington State), or you are RoadRunner and you know who has the IP address 76.182.157.26, you need to contact them and tell them they are infected!

Not sure if it’s you or not? Go to WhatismyIPaddress.com and they will tell you immediately on the home page - the minute you get there.
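Reading the Received: chain is what the header screenshot above boils down to, so here is the same step as a script. This is an added example, not code from the post or from Trend Micro, and the header block in it is constructed for the example (TEST-NET addresses and example.* hosts); it is not the message the post received.

```powershell
# Added example (not from the post): extracts the relay chain from a raw
# e-mail header block so you can see where the message entered the mail
# path, the same thing the post reads off the header screenshot by hand.
# The header text is constructed for this example; it is not the real message.
$RawHeaders = @'
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.com with ESMTP id ABC123
    for <recipient@example.com>; Mon, 8 Sep 2008 09:12:44 -0400
Received: from cpe-203-0-113-45.isp.example.net (unknown [203.0.113.45])
    by mail.example.org with SMTP id XYZ789; Mon, 8 Sep 2008 09:12:41 -0400
From: "Attorney at Law" <attorney@example.com>
To: nobody@example.com
Subject: Contract for review
'@

function Test-PrivateIPv4 {
    # RFC 1918 ranges plus loopback: a hop with one of these is inside
    # somebody's LAN and is not the public address you would report to an ISP.
    param([string]$Ip)
    if (-not $Ip) { return $false }
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 127) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ReceivedChain {
    param([string]$Headers)
    # Unfold RFC 5322 continuation lines (a line that starts with whitespace
    # belongs to the header above it), then keep only the Received: lines.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    [string[]]$received = $unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' }
    # Every relay prepends its own Received: header, so the LAST one in the
    # block is the first hop. Walk from the bottom up to get delivery order.
    $hop = 0
    for ($i = $received.Count - 1; $i -ge 0; $i--) {
        $hop++
        $line = $received[$i]
        $from = $null; $ip = $null
        if ($line -match 'from\s+(\S+)') { $from = $Matches[1] }
        if ($line -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $ip = $Matches[1] }
        [pscustomobject]@{
            Hop     = $hop
            From    = $from
            IP      = $ip
            Private = (Test-PrivateIPv4 $ip)
        }
    }
}

$chain = Get-ReceivedChain -Headers $RawHeaders
$chain | Format-Table -AutoSize

# The earliest hop with a public address is where the mail entered the relay
# path: that is the address to look up (whois / reverse DNS) and report.
$origin = $chain | Where-Object { $_.IP -and -not $_.Private } | Select-Object -First 1
"Originating relay: $($origin.From) [$($origin.IP)]"

# Optional, needs network: the reverse lookup whatismyipaddress.com does for you.
# [System.Net.Dns]::GetHostEntry($origin.IP).HostName
```

One caveat before you phone an ISP: each Received: header is written by the server that accepted the message, so only the ones added by servers you trust are reliable. Your own mail server’s header records the IP that actually connected to it; everything below that line arrived inside the message and a spammer can forge it. In the constructed headers above, 203.0.113.45 is trustworthy only if mail.example.org is, which is the same doubt the post raises about a botnet.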

So today my job is worthwhile. I found a new Trojan!

And since our press release called me “The Lone Ranger” of PC Security, I guess I will ride another day!

Hi-Ho, Trend Micro! Away!



written by Admin

Sep 06

I know I said that I was going to post the Death of Web 2.0 today, but something came up that I need to get out there in the open.

Jeff, our Director of Marketing & Emerging Technologies (the one who is currently reinstalling his programs even as I type) came to me with a file that Lavasoft’s Ad-aware caught as a Trojan. Since he had been attacked (see the mal-ads report http://mice.org/getit/Mal-Ads Report.pdf) he was concerned that he might have been infected more than he knew. This was before the ForceField incident, by the way!

Since reinstalling his programs he ran a scan and the same file showed up again!

The file in question is kdfhok.dll.

My first instinct is to check Google and I find numerous sites reporting it as malware. Look at just the first two listings that pop up in Google below.

Google Search Results for kdfhok.dll

Something isn’t sitting right with me on this one though. So, I went to do a little search of my own.

Remember, I am a teacher and so I’m going to re-create the steps I took to find this out and trust me folks, I’m not going to show you what a great genius I am. I am going to show you how to do this yourself!

But what I want you to do is notice that in all these posts I’m posting here, I’m showing you - teaching you - how I do my research or discover information! This is also how I teach in my courses.

I’ve been a little bent out of shape lately because I’m reading all these “supposed experts” on the web with all this huge amount of traffic and here I am, little old Debbie trying to get just a wee bit more traffic. And believe me, when I see mistakes like I’m about to show you now that is actually HARMFUL to you if you follow the wrong advice - yes, I get my nose out of joint and my panties in a bundle - to coin a few old phrases!

Okay, first, let me show you how I found out what this file is and where it comes from and then you will be VERY CLEAR on whether it’s good or bad! (And Lavasoft, TAKE NOTICE and remove these files from your scan as malware!)

First, I know that Jeff and I have similar setups on our computers. I have a few more programming tools and gadgets and of course all my security research tools. He has the programs he uses for his job and some of his own special open source tools he’s investigating, and emerging technologies. But we both have Windows XP, and we are both using the same security tools to protect our network.

So, I ran a search on my computer for the file: kdfhok.dll to see if I had this horrible trojan! And guess what? I did! (And no comments about my using the Einstein search assistance! SMILE)

kdfhok.dll Search

Now, here’s a great trick to learn right now and to use whenever you are in doubt about a file on your computer. This will prevent you from falling prey to every e-mail hoax that’s out there about files on your PC and prevent you from deleting something you really need!

Right-click the file in question and choose PROPERTIES, as the image below shows you.

Right Click Properties Option

You will have a screen that will come up that looks similar to the next image, but keep in mind that there are different properties for different files so it may not look EXACTLY like the one below. And also notice the areas I circled.

Creation Date Properties

You can see that this opened to the GENERAL tab and that the file creation date was July 8, 2008. I make a note of the CREATION DATE and click the VERSION tab.

File Version Information

Most legitimate program files (executables and DLLs) carry version information naming the company that built the program the file belongs to. Keep in mind that this text is typed in by whoever built the file, so malware can copy a real vendor’s name into it; treat it as a lead to follow, not as proof. As you can see in that image, there is information from Kings Information & Network.

So, now I know that I have a company that created the software this file belongs to, and I have a file creation date. The next step is to find out who this company is and what software both I and my marketing director have on our system that uses this.

My next step is to perform a Google Search for the company Kings Information & Network. But I do the search putting the entire name in quotes “Kings Information & Network” so that Google will search for only results where the entire phrase or string of words appear in that order. (Google hacking in our upcoming Hacking Course!)

Here’s the information I receive from the top three search results:

Kings Information & Network

The first result looks like a direct hit so I click that and find this information:

The Kings Information Search Results

I know that many times Microsoft as well as other software vendors use third party programs within their own. So now I have 3 possible programs that some KNOWN software might be integrating in theirs.

I did do further searching for these different pieces of software but came up empty.

Now, I conduct a search on my C drive to find any file or folder that was created on the date of July 8, 2008. This requires me to do some customizing of the search criteria.

I click the All File and Folders to start customizing my search criteria. I choose a file name using wild cards of *.* (asterisk dot asterisk). This is a wild card for any file with any extension on the end. I select to only search my C drive to shorten the search time and because I know the file or program has to be on my C drive. Then I select the criteria for a create date between July 6 and July 9 to cover a day or two before and a day after the actual create date of the file date shown on the kdfhok.dll file.

This is what my search window looks like:

A Date Search

Once I click the search button, I let Einstein do his thing and I get results that look like this:

File Search Results

Hmmmm, doesn’t that look familiar?

So, I double click the folder to open it and look what I find!

Program Found!

Now, the most disturbing part of this is that I also found a post on MajorGeeks forum here that told people to delete this kdefense folder!

Major Geeks Forum Post

Source: http://forums.majorgeeks.com/archive/index.php?t-148705.html

Anyone who has deleted this folder, or believed this file or its related files were a Trojan, has damaged the very protection they paid to receive and has left themselves vulnerable. kdfhok.dll is being reported as a false positive and is very much a part of Trend Micro’s Wireless Encryption plug-in for the web browser.

Now, I not only told you the TRUTH about this file, I showed you how to find file information in the future. I also showed you how many of these supposed EXPERTS are dead wrong and put you in a dangerous position with your security. You need to be very discerning about who you trust with your security - including me! That’s why knowledge is power.

So again, kdfhok.dll is a false positive and the kdefense and all its related files belong with Trend Micro and SHOULD NOT BE DELETED! If you did delete them, you may want to reinstall your version of Trend as you may have compromised your security. I don’t know if that’s true or not at this point, but you may have and I always err on the side of caution in these matters.
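The same investigation can be done from a PowerShell prompt instead of clicking through Explorer: read the file’s creation date and Version tab, then look for everything created around the same date. This is an added example, not the post’s own method or Trend Micro’s code; it assumes Windows PowerShell 5.1 or later, and the path to kdfhok.dll is a placeholder (the post does not give the full path), so adjust it. It also adds one check the post does not make, the file’s digital signature.

```powershell
# Added example (not from the post): the post's Properties > General and
# Version checks plus its creation-date search, as functions, with a
# digital-signature check added. $Suspect is an assumed placeholder path.
$Suspect = 'C:\Program Files\Trend Micro\kdefense\kdfhok.dll'

function Get-FileProvenance {
    param([string]$Path)
    $file = Get-Item -LiteralPath $Path -Force
    $ver  = $file.VersionInfo                            # what the Version tab shows
    $sig  = Get-AuthenticodeSignature -FilePath $Path     # not shown on the General tab
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path            = $file.FullName
        CreationTime    = $file.CreationTime              # the General tab's "Created"
        CompanyName     = $ver.CompanyName
        ProductName     = $ver.ProductName
        FileDescription = $ver.FileDescription
        SignatureStatus = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
    }
}

function Find-FilesCreatedNear {
    # Same idea as the post's date-range search in Explorer: everything an
    # installer wrote shares the creation date of the file you started from.
    param(
        [datetime]$When,
        [int]$DaysEitherSide = 1,
        [string]$Root = 'C:\'
    )
    $from = $When.Date.AddDays(-$DaysEitherSide)
    $to   = $When.Date.AddDays($DaysEitherSide + 1)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -lt $to } |
        Select-Object FullName, CreationTime, PSIsContainer
}

$info = Get-FileProvenance -Path $Suspect
$info | Format-List

# Searching all of C:\ works but is slow; the program folders are usually enough.
Find-FilesCreatedNear -When $info.CreationTime -Root 'C:\Program Files' |
    Sort-Object FullName | Format-Table -AutoSize
```

CompanyName and the creation date are both under the control of whoever wrote the file: the version resource is free text, and a creation time can be rewritten with a single API call. They are good leads for working out which product a file belongs to, which is all the post needed them for. SignatureStatus is the check that actually ties a file to a vendor: Valid, with a Signer that names the vendor, is strong evidence that the file is what it claims to be; NotSigned on a file that claims a security vendor’s name is a reason to ask that vendor, which is exactly what the PartnerNet submissions in the other posts do.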

If you have questions or concerns about your security or files, please visit our brand new forum and ask!

http://mice.org/forum/

And any wannabe security pros or techies are welcome to try their hand at answering, and I will monitor the forum to see how you’re doing or answer questions others can’t.

Or consider taking our courses during the Anniversary Special. You can buy the Essential 3 at the low cost now and take them when you’re ready. You don’t have to take them right now!

http://mice.org/celebrate/index.html#order

So tomorrow, we’ll get to the Death of Web 2.0!
(I’m writing it now so I won’t get side tracked!)

Debbie



written by Admin

Sep 05

If you have TrendMicro Internet Security Pro and have done a scan to find far too many TROJ_Generic and/or TROJ_Generic.adv entries in your quarantine, and when you look at the list you find Windows system files, you DO NOT have a Trojan in your computer system. This is a newly discovered problem in TrendMicro pattern file updates, and you need to fix the problem.

The fix currently may or may not work in all cases. If this fix does not work for you, you must call customer support to get additional assistance.  Home / Home Office Users: +1 (800) 864-6027, SMB +1 (888) 762-8736

The Fix:

1. Go to MY COMPUTER and double-click to open the C Drive.

2. Go to PROGRAM FILES and find the TREND MICRO folder.

3. Find all files named lpt$vpn (they will also have a dot and a 3-digit number after the name, as in lpt$vpn.521 or similar).

4. Delete all files named in this manner.

5. Reboot your machine.

6. Open Trend and click the UPDATE NOW button. (You may have to reboot again.)

7. Run a scan.

If the false Trojan files do not appear again, you have fixed the problem.

If the false Trojans appear again, the problem is still there and you must call customer support.
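The delete-and-update fix in this post and in the September 12 post is easy to get wrong by hand, partly because of the dollar sign in the file name, so here it is as a script that previews the files before touching them. This is an added example, not the posts’ own steps or anything from Trend Micro. It assumes Trend Micro is installed under C:\Program Files\Trend Micro as in the posts (pass -Root for another location) and that you run it from an elevated PowerShell prompt; the script name Fix-TrendPattern.ps1 used in the usage note is just a suggestion.

```powershell
# Added example (not from the posts or from Trend Micro): lists, and with
# -Remove deletes, the lpt$vpn.* pattern files the posts say to delete.
# Assumes Trend Micro lives under C:\Program Files\Trend Micro.
param(
    [string]$Root = 'C:\Program Files\Trend Micro',
    [switch]$Remove
)

# The name contains a dollar sign. In a double-quoted string "$vpn" would be
# expanded as an (empty) variable and the filter would silently become
# "lpt.*" and match nothing; single quotes keep it literal.
$Pattern = 'lpt$vpn.*'

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Error "Trend Micro folder not found at $Root"
    return
}

# Search every product subfolder (the Sep 12 post found them under
# Internet Security) and skip directories; only the pattern files matter.
$patternFiles = Get-ChildItem -Path $Root -Recurse -Filter $Pattern -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

if (-not $patternFiles) {
    "No $Pattern files under $Root; nothing to delete."
    return
}

$patternFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $patternFiles) {
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
            "Deleted $($f.FullName)"
        } catch {
            # The real-time scanner usually holds these files open. The posts'
            # answer is to reboot (Safe Mode if needed) and delete them then.
            Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)"
        }
    }
    "Now reboot, run Update Now in Trend Micro (reboot again if asked), and rescan."
} else {
    "Preview only. Re-run with -Remove to delete the files listed above."
}
```

Save it as Fix-TrendPattern.ps1, run `.\Fix-TrendPattern.ps1` to see what would go, then `.\Fix-TrendPattern.ps1 -Remove`. The lpt$vpn.NNN files are the pattern files the post blames, so deleting them and running Update Now forces a fresh download; if the rescan still quarantines Windows files, the posts’ advice stands and you call support.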



written by Admin

© 2007-2008 MICE Training & Technology™.
