Computer Tips -Tech Info

Tag: WMF

  • OpenVPN series

    After the Hamachi article I wanted to do a series on OpenVPN. I’ve used it before, but not since the 1.x days…. it’s now at version 2.0.5 and has quite a bit more flexibility. When I first used it, it was pretty much a point-to-point vpn solution. You could set up routing to see the rest of the network and for the network to see the vpn client, but only one client could connect to one server. What this meant is that multiple tap or tun devices were needed on the server, one for each remote vpn client. Also, multiple openvpn processes and multiple openvpn ports.

    From my understanding this setup wasn’t necessary under the 2.x series.

    (more…)

  • WMF exploit and DEP

    There’s a bit of controversy over the suggestion that Hardware DEP seemed to protect against the WMF zero day exploit. Sunbeltblog has responded to the controversy. George Ou in the first link above claims that there’s a lot of bad advice out about this exploit and that hardware DEP (Data execution prevention) doesn’t work to mitigate the problem.

    (more…)

  • Spyware, viral cleanup disabling system restore

    Sorry, but to get into the guts of what I found in the wake of the WMF exploit, I did leave out another important step in the cleanup process. IF you are trying to clean up an infested machine one of the first real goals has to be disabling system restore. (start, (settings,) control panel, system, system restore, and use the checkbox on that sheet, then ok to confirm.) This was one of the first things I did after infection to start the process of cleaning up. Windows uses system restore to keep copies of vital windows files. Unfortunately they can be viral/trojaned files as well.

  • Update on the WMF exploit – more sites to block

    I haven’t checked to see if these are already on other block lists for the WMF exploit, but the following addresses are advised to be blocked (from f-secure)….

    toolbarbiz[dot]biz
    toolbarsite[dot]biz
    toolbartraff[dot]biz
    toolbarurl[dot]biz
    buytoolbar[dot]biz
    buytraff[dot]biz
    iframebiz[dot]biz
    iframecash[dot]biz
    iframesite[dot]biz
    iframetraff[dot]biz
    iframeurl[dot]biz

    (more…)

  • http://60.topnssearch.com popups in infestation

    One other note from the previous series on WMF exploit infestation cleanup. Among the multiple popups that came when launching internet explorer, most were directed at the site http://60.topnssearch.com –

  • Cleaning up after WMF Exploit – summary

    Can I say enough times that after a bad trojan infestation you should format and reinstall? I’ve cleaned up the infested image that I “sacrificed” to the WMF exploit and as I’ve said you’re pestware install will likely be somewhat different. An exploit is just the road, the spyware and viruses are the cars. Once the road is built, just about any car can use it…. Hopefully the series has been helpful on working through some of the problems with a system cleaning.

    (more…)

  • Cleaning up after WMF exploit – BHO removal

    Browser helper objects (BHO’s) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I’ve used BHOdemon in the past to identify and disable BHO’s and a tool like that is the preferred method. However, in my case, this is a disposable virtual machine and I used the “blunt object” approach…. regedit.

    (more…)

  • Cleaning up after WMF exploit – is it clean?

    So, I’ve got most of the baddies cleaned out and I’m not getting popups anymore. No nags on boot, the boot process is quicker, but is it really clean? I found a few files (winlogon.exe, alg.exe in particular) that could be legitimate windows file names. Am I running the good one, or the trojan? That is exactly why a clean install is usually the best treatment for a badly infested system. Ultimately to trust this cleaned system a bit better I would need to. Watch it for signs of peculiar network ports open or peculiar processes…..

    (more…)

  • Cleaning up after WMF exploit third party boot disc

    At this point, I needed to rename or delete some files that windows would not let me touch. I had this winlogon.exe running from a suspect directory c:\windows\inet20001 and windows wouldn’t let me kill it, or remove it’s start entry in the registry. So, I booted my image from a dsl linux cd and opted for command line only. Once booted, I navigated to mount the windows partition and cd’d to /mnt/hda1/windows/inet20001

    (more…)

  • Removing items from MSCONFIG after WMF exploit

    OK, so, I’m busy killing off running processes and fire up MSConfig to try to keep them from coming back on the next boot. To launch msconfig go to start, run… type in msconfig and click ok. The startup tab is where we’re looking for programs running at startup (makes sense…) This is a bit easier and more straightforward than visiting the run entry in the registry. It does combine a few locations into one place.

    (more…)