Friday, February 29, 2008

Security Torrents

To fill the need to host and download multiple large security-related torrents, I have put a tracker online at http://www.redsphereglobal.com:88. You will primarily find items on this site in the following categories:

Toolkits
Anything that I or various other contributing members find useful, relevant or fun with respect to security. Current items that will go into this category are the various HeX (all) releases and InProtect LiveUSB releases.

Distros
Any custom distributions that have been designed to fit security needs and/or perform specific tasks.

Packet-Captures
Any large packet captures or trace files that are obviously not going to fit on the www.openpacket.org site. There is one up there now: the malicious traffic that Richard Bejtlich captured at the 2007 Shmoocon. This torrent was created and added by giovani, so a shout-out goes to him!

Having said all of that, we will (as with all trackers) need seeders. So if you have a little extra bandwidth and/or want to contribute in any way please let us know!

Cheers,
JJC

FreeBSD 7.0 Released
I am pleased to announce (a few days late) that FreeBSD 7.0R has been released as of Feb 27, 2008! More info here on the release.

You might (I hope not) wonder why this is exciting. Aside from the dramatic and significant enhancements to the overall functionality and stability of the operating system, it means that several OSS projects will be moving forward with new development work based on the 7.0 Release. Specifically, we will now begin work on HeX 2.0 with new nifty features to suit your packet-loving needs! I also suspect that we will see some additional traction from the FreeSBIE folks.

Further, I will be releasing a new version of the InProtect LiveUSB that will be based on FreeBSD 7.0 Release as soon as the build finishes!

Wednesday, February 27, 2008

X-Max net hijacker removal. Remove X-Max net

X-Max net is a malicious hijacker that replaces Webcry and Search-daily. It redirects your web searches. X-Max is dangerous for your privacy and security: it shows commercial advertisements and generates false positives to trick you into buying rogue anti-spyware products. We recommend removing it with the X-max.net remover with free scan.

Tuesday, February 26, 2008

WinXDefender 2.1 removal instructions. How to get rid of WinXDefender

WinXDefender 2.1 is the latest rogue with malicious features. WinXDefender may be installed onto your computer by trojan horses that launch fake security alerts. It then shows exaggerated security scans and pop-up security alerts to scare you into buying WinXDefender. This rogue usually slows your PC and causes system errors. Download the WinXDefender Remover (Spyware Doctor anti-spyware with free scan) to get rid of this spyware.

WinXDefender screenshots (from bleepingcomputer.com):

WinXDefender automatic remover:

WinXDefender manual removal instructions:

Delete infector files:

WinXDefender
WinXDefender.exe
defender_setup[1].exe
Start WinXDefender.lnk
WinXDefender Uninstall.lnk
WinXDefender.lnk
Remove WinXDefender registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"WinXDefender" = "C:\Program Files\WinXDefender\WinXDefender.exe"

Monday, February 25, 2008

Security Toolbar 7.1 Removal - Remove Security Toolbar 7.1

Security Toolbar 7.1 is a malicious toolbar affiliated with the Zlob trojan. It generates fake spyware detection reports, pop-ups and system tray notifications to scare the user into downloading and purchasing a rogue antispyware product. Security Toolbar 7.1 can seriously damage your computer and erase sensitive data. In addition, Security Toolbar 7.1 can hijack your homepage, showing a fake Security Center page. We strongly recommend downloading the Security Toolbar 7.1 removal tool with 100% free scan to get rid of this malware.

Security Toolbar 7.1 will pop up the following messages:
"Critical System Error",
"W32.Myzor.fk@yf"
"Your computer is infected",
"Trojan-Spy.win32@mx",
"Virus Alert",
"Security Alert"
"System Alert" or
"Spyware.Cyberlog-X"


Security Toolbar 7.1 screenshots (the toolbar, and the Zlob tray balloons):

Security Toolbar 7.1 removal tool:

Security Toolbar 7.1 manual removal instructions:
Remove Security Toolbar 7.1 files
eowygj.dll,
Ygjun.dll,
dxovx.dll
vgibz.dll
psndz.dll
cqsfk.dll
wzhtjqo.dll
lrnjnzf.dll
zpuwriz.dll
tkrsw.dll
afzdbl.dll
bgwttyl.dll
dyrwls.dll
ugofuq.dll
gtawclv.dll
vjxwnn.dll
khtbpdl.dll
cfqbw.dll
fdpzgi.dll
gusur.dll
Remove Security Toolbar 7.1 registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5574E139-F59C-4bee-9A61-150B0D3A16C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}

Sunday, February 24, 2008

Networm-i.Virus@fp tray balloons removal - Networm-i.Virus@fp remover

Networm-i.Virus@fp is not a real worm. It is a fake security alert generated by Zlob.Trojan to promote rogue anti-spyware products (MalwareCrush, Virus Heat, Virus Protect and others). The trojan shows a system tray notification about a Networm-i.Virus@fp infection every 2-5 minutes. This may slow your computer and cause serious system errors. We recommend using Spyware Doctor anti-spyware to remove the Networm-i.Virus@fp fake spyware alert, Zlob.Trojan and the rogue anti-spyware infections.

Networm-i.Virus@fp screenshot:

Networm-i.Virus@fp Automatic Remover:

Networm-i.Virus@fp manual removal guide:
Remove Networm-i.Virus@fp files:
ncompat.tlb
dtjby.dll
uimcu.dll
dumpserv.com
nvctrl.exe
msmsgs.exe
hp[X].tmp
msvol.tlb
vnp7s.net
zxserv0.com
antzozc.dll
%UserProfile%\Application Data\Microsoft\Crypto\RSA
%UserProfile%\Application Data\Microsoft\Protect
(Caution on the last two: these directories hold the user's CryptoAPI key containers and DPAPI master keys. Deleting them makes EFS-encrypted files and every DPAPI-protected secret, such as stored credentials and certificate private keys, unrecoverable. Look inside them for recently added files instead of removing the directories.)
Remove Networm-i.Virus@fp registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32 = %System%\msmsgs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, msmsgs.exe (the stock value is explorer.exe; set it back rather than deleting the value)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentV
SOFTWARE\Microsoft\Internet Explorer\Toolbar\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{60dea04c-9817-4309-bfa2-f8a1766c3cd1}
unsome
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}
{60dea04c-9817-4309-bfa2-f8a1766c3cd1}
{D579A683-0CC7-4023-BAE7-0544D0D1DA3A}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D579A683-0CC7-4023-BAE7-0544D0D1DA3A}
unstart

Vundo Trojan Removal Instructions - Vundo Remover

Vundo Trojan (Virtumonde, Virtumondo) is a dangerous trojan horse that launches annoying pop-up ads on your computer and secretly downloads malware. Vundo creates a DLL file in the Windows system32 directory and writes registry entries that cause Windows to inject the file into winlogon.exe and many other programs. Because Trojan Vundo runs tons of pop-up ads, it really slows down your computer. Trojan Vundo can open huge security holes and secretly install spyware programs. We recommend removing it using Spyware Doctor anti-spyware with free scan. Because the DLL is loaded into winlogon.exe, it cannot be deleted while that Windows instance is running; remove the file from an offline boot, then delete the registry entries below.

Vundo Trojan Removal Tool:


Vundo Trojan manual removal instructions:
Remove Vundo registry keys and subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Active State
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\*WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*[filename]
HKEY_CLASSES_ROOT\CLSID\{2316230A-C89C-4BCC-95C2-66659AC7A775}
HKEY_CLASSES_ROOT\CLSID\{8109AF33-6949-4833-8881-43DCC232B7B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2316230A-C89C-4BCC-95C2-66659AC7A775}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8109AF33-6949-4833-8881-43DCC232B7B2}


WinSecureAV Removal Instructions

WinSecureAV (www.winsecureav.com) is a rogue anti-spyware program that can damage your computer. WinSecureAV displays false security warnings and malware detection reports to scare users into buying the full version of this needless program. Like other rogue applications, it can install other malware, hijack the browser's homepage, redirect search results, display ads and cause other trouble with your operating system and computer. Download the WinSecureAV removal tool to get rid of it.

WinSecureAV screenshot (from pcthreat.com):

WinSecureAV automatic removal tool:

WinSecureAV manual removal instructions:
Remove WinSecureAV files:
[%COMMON_DESKTOPDIRECTORY%]\WinSecureAv.lnk
[%PROFILE_TEMP%]\is-69GNC.tmp\ga6plicense.ini
[%PROFILE_TEMP%]\is-69GNC.tmp\gfl.exe
[%PROFILE_TEMP%]\is-69GNC.tmp\License_4_1.rtf
[%PROFILE_TEMP%]\is-69GNC.tmp\_isetup\_shfoldr.dll

Remove WinSecureAV registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, value winsecureav
HKEY_LOCAL_MACHINE\Software\products, value prodname = winsecureav
HKEY_LOCAL_MACHINE\Software\products, value rdomain = winsecureav.com

Saturday, February 23, 2008

Ekvgsnw Removal Tool - Remove Ekvgsnw Toolbar

Ekvgsnw is a new malicious toolbar that generates tons of fake spyware warnings, pushing the user to download and purchase rogue anti-spyware applications. The Ekvgsnw Toolbar results from a Zlob.Trojan infection. It dramatically slows down your computer and Internet connection. We recommend removing the Ekvgsnw Toolbar using Spyware Doctor antispyware with free scan.

Ekvgsnw Toolbar Remover:

Ekvgsnw Toolbar snapshot:
Ekvgsnw Manual Removal:
Remove Ekvgsnw files and dll's:
ekvgsnw.dll
byxww.dll
ssqpp.dll
ezzhjmt.dll
browsew.dll
ddcyvtt.dll
ctl3d3.dll
hggdbab.dll
toprates.dll
sprt_ads.dll
oggview32.dll
turbosearchsite.dll

Remove Ekvgsnw Toolbar registry entries (GUIDs):
A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D
14B65C62-1F53-4B15-9476-5D697608536F
82C8422E-86A3-41C1-9F2E-094F7BF849E2
BCBC8B3C-397C-4D98-B6BA-FF337B9671E1
17D2F953-B2D1-4D1B-BCD3-20432E09ECF1
80DFDD57-D8B8-4991-82B9-9E9D426668B0
4911E55D-9240-49DB-B878-337DE4F53E70
4090F502-6B2D-41B4-8409-B08905A3A0E6
F10587E9-0E47-4CBE-84AE-7DD20B8684BB
47EFD4AD-CB46-4549-B24B-CEE415394C56
3DAF1739-AB9E-493E-8DD7-F65CDF363BCB

Friday, February 22, 2008

New misleading application - WinPerfomance. WinPerfomance removal.

WinPerfomance is a new fake performance optimizer and system cleaner. It reports false or exaggerated system problems on the computer to trick you into buying its full version. It can slow your computer and cause system errors. Download the WinPerfomance removal tool to get rid of this malware.

WinPerfomance screenshots:

WinPerfomance Removal Tool:

Wednesday, February 20, 2008

Shmoocon 4 in review


For those that have not attended or are not familiar with shmoocon, it's an annual hacker con. The event is held in Washington DC and additional event info can be found on their site at http://shmoocon.org.

Tickets are released on a timed basis and come in three classes... the early bird ticket for $75, the normal ticket for $150, and the "I pissed around and didn't get a less expensive ticket" ticket for $300. When I say "timed basis", they have specific dates and times at which they make a certain number of each ticket class available. Needless to say, on the ticket release dates the shmoo ticketing server was quite loaded, but luckily I was able to obtain one of the early bird special tickets.

Day One:

The con kicked off on Friday Feb 15 with a single track of talks. I missed the first few talks (schedule here) and caught a little more than the last half. Unfortunately I don't really recall the first talks, so they must not have been altogether that interesting for me. I primarily paid attention to the last three talks:
  • Hacking the Samurai Spirit - Isaac Mathis
  • New Countermeasures to the Bump Key Attack - Deviant Ollam
  • Keynote Address - J. Alex Halderman
Hacking the Samurai Spirit:

The premise of this talk was to discuss the cultural differences, history and mindset of the Japanese as related to information security. While this talk was humorous, I did not find it terribly technically relevant. The speaker seemed more to be giving a history of security-related events over the past 60 years in Japan, though there were some good and interesting points at the end that did relate to information security. Specifically, the speaker detailed how several scams are occurring that target the uneducated internet user in Japan. A simple example of this type of scam would be a pr0n site that requires the user to click on an "I Agree, Enter" type link prior to gaining access to the goods. Once this action has been completed, the user is told that they have just agreed to pay X amount of money to access the site and that if they do not pay said money they will be sued. People in Japan are afraid of reprisal of any type and typically will pay this immediately. So overall I would rate this talk somewhere in the middle due to its humorous nature.

New Countermeasures to the Bump Key Attack

Having just sat through the history lesson re: Japan, I was certainly ready for something different and more exciting. New Countermeasures to the Bump Key Attack certainly delivered this for me. I (as many in the security community) have been aware for years of the gross weaknesses that exist in the physical lock world, thanks to the consistent pounding and education of the world by people such as Deviant Ollam. This talk covered the basics of lock-picking using bump keys and modified bump keys, then detailed how many lock manufacturers are dealing with this issue. The media for the presentation itself was well done and clear; further, the presenter did a great job of getting the point across.

A challenge was also issued during this talk, titled "Gringo Warrior". The setting for Gringo Warrior is simple: you are a Gringo who got a little blitzed in Tijuana and woke up in a Mexican jail cell with no recollection of the night before. In walks the corrupt policia and tells you that you have to pay a fine, the cost of that fine being whatever money you have in your bank account. He tells you that he will leave you for an hour to consider this. Luckily, while they were emptying your pockets they missed your lock-picking tools. Your challenge is to pick the handcuffs that you are in, pick the cell door, disable the cell guard and pick a locked cabinet that has your passport in it. At this point, you have a choice: you must either pick the front door lock to leave, or you can pick an additional locked door in the cabinet to obtain a handgun and shoot out a surveillance camera to sneak out a window. This was a timed event; the event winner took under 1:30 to complete the entire course and received a social engineering kit (hardhat and several vendor-specific polos)!

Keynote


This talk concerned the new electronic voting systems and their MANY security flaws. It was both interesting and somewhat technical, but more about detailing the process they took to obtain their first voting machine to test (somewhat clandestine in nature and humorous). The short of it is, as we all now know, that these devices have historically been easily compromised both electronically and physically. One key point of humor is that Diebold (the primary manufacturer) had a high-resolution picture of the actual keys used to access the I/O ports of the system on their website; from this picture they were able to successfully create a working key set.

Day Two and Three:

I am bundling these days together and only writing about the talks that I found interesting for the remainder of this posting.
  • VoIP Penetration Testing: Lessons Learned -John Kindervag and Jason Ostrom
  • Got Citrix? Hack It! - Shanit Gupta
  • Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" - Enno Rey and Daniel Mende
VoIP Penetration Testing

This talk primarily dealt with using the voiphopper tool to jump onto voice VLANs and conduct your activities as needed there. The fun part would be to jump onto the voice VLAN and do a little fuzzing using SPIKE or the like ;-). Overall a fairly interesting talk, and there were demonstrations that made it a bit more exciting.

Got Citrix? Hack It!

I found this talk to be fairly basic, but that said, quite technically relevant. I think that we often do not consider the simplest way to get into something, and that is why this was a good talk. The premise was hacking Citrix and primarily focused on kiosk mode. The speaker pointed out that while the kiosk often has a limited set of initial applications available to be run, or force-run, the hotkeys are still often active. Examples include Ctrl+N to open a new Internet Explorer browser instance that now has the address bar in it, so you can browse wherever you want and grab a payload to further break into your mom's kiosk. Other examples are Ctrl+H (history), Ctrl+F1 (shortcut for Ctrl+Alt+Del) and so on.

Advanced Protocol Fuzzing

Probably the best talk of the con in my opinion. This talk focused on the steps that some German researchers took to fuzz several layer 2 protocols. They worked through creating the protocol definitions in SPIKE and Sulley and their various reverse engineering processes from various sources including Wireshark. This talk also included a live demo of crashing a medium-sized Cisco Cat using LLDP fuzzing techniques.

All the other talks...

I am sure that there were several other good talks; unfortunately, due to the nature of three being scheduled at the same time, I was not able to see everything. Shmoocon does post videos of the talks on their site, so keep an eye out. Unfortunately I did attend several talks that were presented by fairly well known people, and I believe that this was the only reason that these talks were approved, as they contained really no new or relevant information.

Overall I would rate shmoocon as a good time with decent material and good speakers. I mean, for $75 I can't complain; I certainly feel like I got my money's worth. Perhaps next year or at an upcoming con I will present on HeX with the team, so keep an eye out!

Cheers,
JJC

FilesSecure Removal Tool - Remove Files Secure 2.1

Files Secure 2.1 is a misleading application, a fake cleaner of spyware and compromising files. It shows false positives to scare the user into buying a "full license". NEVER download or purchase this malware; it can damage your computer. If your system is already infected, download the automatic remover (Spyware Doctor anti-spyware).

Files Secure screenshot:

Files Secure Removal Tool:
Files Secure manual removal instructions:
Remove FilesSecure Registry Values:
5792244C-2237-459B-8E84-FA78184843A8
4722D065-A352-42FB-924C-EAEF5A1AE571
F10587E9-0E47-4CBE-84AE-7DD20B8684CC
F10587E9-0E47-4CBE-84AE-7DD20B8685CC
Unregister FilesSecure DLL Files:
VideoMP3.dll
PowerVideo.dll
sysosa.dll
pandsf.dll
mp3avi.dll
sysdivx.dll
windivx.dll
findsiteonline.dll
Delete these FilesSecure Files:
secure.exe
Files Secure 2.1.lnk
VideoMP3.dll
PowerVideo.dll
sysosa.dll
pandsf.dll
secure.db1
secure.db2
secure.db3
secure.db4
secure.db5
mp3avi.dll
sysdivx.dll
windivx.dll
findsiteonline.dll

Tuesday, February 19, 2008

InProtect LiveUSB 0.80.3 Beta!

Though the InProtect project has not made a large number of public postings lately (beta releases and the like...) we have been quite busy. We will soon be releasing a tarball of the latest 0.80.3RC1. That is not, however, the purpose of this article but rather I am releasing a liveUSB image that is an entirely self-contained and functioning installation of InProtect on a FreeBSD 6.3-Current system.

I came up with the idea to create the InProtect LiveUSB when someone requested that I build one for another project that I am an active member of (HeX). Unfortunately it has taken me several months to get the time put together to actually build this tool. Having said that, I am quite pleased with the outcome and functionality of the tool. Placing this tool onto a USB thumb drive gives the user extreme versatility from the perspective of security. Obviously the nature of a USB thumb drive is not terribly secure: we can put them in our pockets and have them fall out in a parking lot, where anyone could conceivably pick one up and snag the data off it, among multiple other scenarios. I am talking more about the security of a location or client that may have a sensitive environment with sensitive data and the like. In this scenario the USB device could be taken in and, post-scan, left with the organization that has such sensitive data. Again though, the primary purpose of this build is to allow for a solid demo of the InProtect system.

As I said earlier, the system was built using FreeBSD 6.3-Current; on top of this I built fluxbox (and several applications such as firefox), mysql51, apache22, php5 and several perl modules that are InProtect dependencies. I manually configured all of the components to work with InProtect; the installer currently does not work on FreeBSD, though I am in the process of building a port. In short, and as stated earlier, this is a fully functional InProtect scanner with a few things that need to be completed by the end-user: the Nessus 3.0.x install and the jpgraph for php5 install.

The Nessus and jpgraph items are not included in this image due to their licensing restrictions (not GPL). It is for this reason they must be manually installed.

First you will need to download the InProtect LiveUSB 0.80.3 image here:

http://www.redsphereglobal.com/data/tools/security/live/inprotect-i386-0.80.3-beta.usb.img.gz
MD5 (inprotect-i386-0.80.3-beta.usb.img.gz) = 605a5b20d754ea7e6305922695f301ba
SHA256 (inprotect-i386-0.80.3-beta.usb.img.gz) = 1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b

After obtaining the image and gunzipping it you will want to use dd to write it to a 2G or larger USB thumb drive. NOTE that you want to write it to the device itself and NOT to a specific partition on the device. Also, if you didn't figure it out... this will overwrite anything that you may currently have on your thumb drive.
dd if=/path/to/foo/inprotect-i386-0.80.3-beta.usb.img of=/dev/da0 bs=1M
Your output file path may be different from /dev/da0 (this is mine on a FreeBSD box). The key is that you are writing directly to the device node and NOT to a partition; that will NOT work. Assuming you have a thumb drive and computer capable of USB 2.0, this process should take around 10 minutes to write all of the data.

At this point you should be able to boot from your new shiny LiveUSB thumb drive. The initial login details are simple (these ARE case sensitive, so pay attention!):
Username: InProtect
Password: inprotect
Once logged in, type startx to get into fluxbox. From here, if you are not familiar with fluxbox, I suggest playing around just a little bit. A few tips: this isn't Windows; in fluxbox you access the main menu by right-clicking anywhere on the desktop. The image to the right shows the menu of the InProtect LiveUSB. The highlighted option will take you to the Nessus and jpgraph installation instructions.

Even before you install Nessus or jpgraph you will be able to log in to the local instance of InProtect by selecting the InProtect menu option as displayed below. Once you have selected the InProtect menu item, use admin / admin as the login and password to access the local instance of InProtect. Both this account and the system login above are published here, so change them before the drive goes anywhere near a client network.

Note that until you install Nessus you will not be able to run any scans.

In this image I have already created a default scan zone and default scanner so that once Nessus is installed and the Nessus user created, as noted in the instructions contained on the image, the system is fully functional and scans can be immediately created and executed.

As always please feel free to contact me or leave any comments, criticisms, suggestions or otherwise that you might have.

Cheers,
JJC

Remove Virus Heat 4.3 - VirusHeat 4.3 Removal Tool

A new version of VirusHeat has been released! Virus Heat 4.3 has the same interface as Virus Heat 3.9, but the two versions have different DLL infectors and other files. Try the manual removal instructions or download Spyware Doctor with free scan; it will remove Virus Heat 4.3 in seconds.

Virus Heat 4.3 Automatic Removal Tool:

VirusHeat 4.3 Removal Tool with Free scan

Virus Heat 4.3 manual removal instructions:
Remove VirusHeat 4.3 files, processes and unregister dll's:
wuuawkz.dll
iinqyl.dll
osdjhjc.dll
Uninstall VirusHeat 4.3.lnk
VirusHeat 4.3 Website.lnk
VirusHeat 4.3.lnk
VPPLanguage.ini
blacklist.txt
English.ini
msvcp71.dll
msvcr71.dll
uninst.exe
vht.dat
VirusHeat 4.3.exe
VirusHeat 4.3.url
(msvcp71.dll and msvcr71.dll are the Visual C++ 7.1 runtime; delete only the copies in the VirusHeat folder, not any in the Windows system directory.)

Remove VirusHeat 4.3 registry entries:
HKEY_CLASSES_ROOT\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1}
HKEY_CLASSES_ROOT\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}
HKEY_CLASSES_ROOT\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}
HKEY_CLASSES_ROOT\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}
HKEY_CLASSES_ROOT\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}
HKEY_CLASSES_ROOT\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}
HKEY_CLASSES_ROOT\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}
HKEY_CLASSES_ROOT\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}
HKEY_CLASSES_ROOT\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}
HKEY_CLASSES_ROOT\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}
HKEY_CLASSES_ROOT\Interface\{A1922071-390C-418D-916D-91209E95D286}
HKEY_CLASSES_ROOT\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}
HKEY_CLASSES_ROOT\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}
HKEY_CLASSES_ROOT\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}
HKEY_CLASSES_ROOT\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}
HKEY_CLASSES_ROOT\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}
HKEY_CLASSES_ROOT\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}
HKEY_CLASSES_ROOT\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusHeat 4.3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusHeat 4.3
HKEY_LOCAL_MACHINE\SOFTWARE\VirusHeat 4.3

SwiftCleaner - new malicious cleaner. Remove SwiftCleaner

SwiftCleaner is the latest software that pretends to be a PC cleaner that can remove all compromising data, cookies, temporary files and other unwanted information. In reality it is another rogue program that displays fake scan reports and warnings to trick you into buying its full version. It can hijack your browser with www.swiftcleaner.com and show fake online scanners. We don't recommend downloading or installing SwiftCleaner because it can open security backdoors and download additional spyware to track your keystrokes and steal private data. Download Spyware Doctor antispyware with free scan to remove this malware from your computer.

SwiftCleaner screenshots:

SwiftCleaner web-site (www.swiftcleaner.com):

SwiftCleaner Removal Tool
SwiftCleaner manual removal instructions:
Remove SwiftCleaner files:
SwiftCleanerScanner.exe
0-49.txt
Scanner.ini
ilkjh

Emotigt Toolbar Removal Tool - Remove Emotigt Toolbar (Emotigt)

Emotigt Toolbar is the latest malicious BHO toolbar (Browser Helper Object) that can be installed through Windows security holes or by Trojan.Media Star or the Video Access Codec. It generates exaggerated reports about spyware risks and other security errors, pushing users to download rogue anti-spyware applications. Emotigt Toolbar may damage your computer and cause serious system errors and crashes. We recommend removing this toolbar using the automatic removal tool with free scan.

Emotigt Toolbar Removal Tool:

Emotigt Toolbar Remover

Emotigt Toolbar Manual Removal Instructions:
Remove Emotigt Toolbar files and unregister dll's:
emotigt.dll
emotrlq.dll
byxww.dll
ssqpp.dll
ezzhjmt.dll
browsew.dll
ddcyvtt.dll
ctl3d3.dll
hggdbab.dll
toprates.dll
sprt_ads.dll
oggview32.dll
turbosearchsite.dll

Remove Emotigt Toolbar Registry Values:
A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D
14B65C62-1F53-4B15-9476-5D697608536F
82C8422E-86A3-41C1-9F2E-094F7BF849E2
BCBC8B3C-397C-4D98-B6BA-FF337B9671E1
17D2F953-B2D1-4D1B-BCD3-20432E09ECF1
80DFDD57-D8B8-4991-82B9-9E9D426668B0
4911E55D-9240-49DB-B878-337DE4F53E70
4090F502-6B2D-41B4-8409-B08905A3A0E6
F10587E9-0E47-4CBE-84AE-7DD20B8684BB
47EFD4AD-CB46-4549-B24B-CEE415394C56
3DAF1739-AB9E-493E-8DD7-F65CDF363BCB

Monday, February 18, 2008

EasySprinter - new fake registry repair tool. Remove EasySprinter

EasySprinter is a fake registry tweaker and cleaner. Trojan horses (like Vundo or Zlob) generate fake registry error pop-ups to trick you into downloading and buying EasySprinter's full version. Remember that programs like EasySprinter will never solve your registry errors. In addition, EasySprinter can open browser security holes and install other crapware. We recommend using Spyware Doctor anti-spyware with free scan to remove EasySprinter from your computer.

EasySprinter Removal Tool:

EasySprinter's web-site (www.easysprinter.com):

EasySprinter manual removal instructions:

Remove EasySprinter registry values:
EasySprinter
3FC8C143-F2CC-4AB1-9AC0-8B1407302795
SCToolbar.ShellBand.1
SCToolbar.ShellBand
0B187AB0-4CFF-42DA-9503-A38F6F998214
4AD56E6F-7074-41EE-8A40-583C2C76EFCD
SOFTWARE\Microsoft\Internet Explorer\Toolbar\4AD56E6F-7074-41EE-8A40-583C2C76EFCD
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\4AD56E6F-7074-41EE-8A40-583C2C76EFCD

Remove EasySprinter files:
EasySprinter.lnk
EasySprinter
Uninstall EasySprinter.lnk
cwriter

Sunday, February 17, 2008

AlfaAntivirus - how to remove?

AlfaAntiVirus is another fake virus cleaner. It shows tons of junk ads (like spyware detection warnings) to scare the user into paying for the "full version" of this useless software. AlfaAntiVirus can infect your machine with other spyware and malware. Download Spyware Doctor with free scan to remove AlfaAntiVirus from your PC.

AlfaAntiVirus Automatic Removal Tool:

AlfaAntiVirus web-site (www.alfaantivirus.com):

AlfaAntiVirus manual removal instructions:
Remove AlfaAntiVirus files and unregister dll's:
runbst.exe
ska.exe
gtb.dll
ska.dll

Remove AlfaAntiVirus registry values:
Software\Microsoft\Internet Explorer\Toolbar\03B121E9-6152-48b5-BB38-B642B21C62BD
03B121E9-6152-48b5-BB38-B642B21C62BD

Friday, February 15, 2008

HeX 1.0.3 LiveUSB (CNY Release)

After much ado, here it is! Instructions for usage are quite simple: dd it to your USB thumb drive (the drive, not a partition, or it will NOT work). This image includes all of the same features as our mainline HeX 1.0.3 release but is on USB not CD; the filesystem is therefore also writable. You will need a minimum of a 2G thumb drive or memory stick to write this. I say "memory stick" because I have heard rumor of some people using SD rather than USB thumb drives to use this tool.

So for example on my FreeBSD system I would dd as follows:

dd if=/path/to/foo/hex-i386-1.0.3.usb.img of=/dev/da0 bs=1M

The command is simple: if is the input file, of is the output file (in this case the da0 device) and bs=1M sets the block size to 1 MiB, which speeds up the write. Run sync (or eject the drive cleanly) after dd returns, since the kernel may still be flushing buffers to the device.
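The procedure in this post and in the InProtect LiveUSB post above (download, check the published MD5/SHA256, gunzip, dd to the whole device) is worth scripting so the checksum is actually compared and a partition name is caught before anything is overwritten. The following Python script is an added example, not HeX or InProtect project code; the function names, the partition-name patterns and the constructed demo image are assumptions of the example.

```python
"""Verify a gzipped LiveUSB image against its published SHA256, then stream it
onto a whole device, refusing partition/slice nodes and mounted devices.
Added example for this page, not HeX or InProtect code; equivalent to
`gunzip -c image.gz | dd of=/dev/da0 bs=1M` with the checks done first."""
import gzip
import hashlib
import os
import re
import sys
import tempfile

CHUNK = 1024 * 1024  # 1 MiB, the same block size as bs=1M in the posts
# Names that denote a partition/slice rather than the whole disk (assumption:
# FreeBSD da0s1/da0p1, Linux sdb1/nvme0n1p1/mmcblk0p1, macOS disk2s1).
PARTITION_RE = re.compile(
    r"^/dev/(?:(?:ada|da)\d+[sp]\d+[a-z]?|sd[a-z]+\d+|nvme\d+n\d+p\d+"
    r"|mmcblk\d+p\d+|r?disk\d+s\d+)$")
# BSD "SHA256 (file) = hex" and coreutils "hex  file" checksum lines.
BSD_SUM_RE = re.compile(r"^(MD5|SHA256)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")
GNU_SUM_RE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+\*?(.+)$")

def looks_like_partition(device):
    return bool(PARTITION_RE.match(device))

def parse_checksum_line(line):
    """Return (algorithm, filename, hexdigest) from a published checksum line."""
    line = line.strip()
    m = BSD_SUM_RE.match(line)
    if m:
        return m.group(1), m.group(2), m.group(3).lower()
    m = GNU_SUM_RE.match(line)
    if m:
        digest, name = m.group(1).lower(), m.group(2)
        return ("MD5" if len(digest) == 32 else "SHA256"), name, digest
    raise ValueError("unrecognised checksum line: %r" % line)

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def is_mounted(device):
    """Linux-only check via /proc/mounts; on FreeBSD compare against `mount`."""
    try:
        with open("/proc/mounts") as f:
            return any(line.split()[0].startswith(device) for line in f)
    except OSError:
        return False

def write_image(image_gz, device, expected_sha256, force=False):
    """Verify, then decompress straight onto the device. Returns bytes written."""
    # Only SHA256 is checked: a matching MD5 alone proves little, since MD5
    # collisions are cheap and the image is fetched over plain HTTP.
    actual = sha256_of_file(image_gz)
    if actual != expected_sha256.lower():
        raise ValueError("SHA256 mismatch: got %s, want %s" % (actual, expected_sha256))
    if looks_like_partition(device) and not force:
        raise ValueError("%s is a partition; write to the whole device" % device)
    if is_mounted(device):
        raise ValueError("%s (or a partition on it) is mounted; unmount first" % device)
    written = 0
    with gzip.open(image_gz, "rb") as src, open(device, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            written += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # same purpose as running sync before unplugging
    return written

def roundtrip_demo():
    """Constructed demo: gzip a random blob standing in for an image, write it
    to a plain file standing in for /dev/da0, and check the result.
    Returns (bytes_written, contents_identical, bad_digest_rejected)."""
    payload = os.urandom(3 * CHUNK + 123)
    with tempfile.TemporaryDirectory() as d:
        gz = os.path.join(d, "demo.usb.img.gz")
        with gzip.open(gz, "wb") as f:
            f.write(payload)
        target = os.path.join(d, "fake-da0")
        try:
            write_image(gz, target, "0" * 64)
            rejected = False
        except ValueError:
            rejected = True
        written = write_image(gz, target, sha256_of_file(gz))
        with open(target, "rb") as f:
            identical = f.read() == payload
    return written, identical, rejected

if __name__ == "__main__":  # python3 write_liveusb.py image.gz /dev/da0 <sha256hex>
    img, dev, digest = sys.argv[1:4]
    print("wrote %d bytes to %s" % (write_image(img, dev, digest), dev))
```

The partition check is a name-pattern guard, not a guarantee: confirm the target with gpart show (FreeBSD) or lsblk (Linux) before running it as root. Only the SHA256 is compared; the MD5 line is parsed for completeness but an MD5 match alone should not be trusted for an image fetched over plain HTTP.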

Downloads:
USA Site (521MB)
USA MD5 Verification
USA SHA256 Verification

Malaysia Mirrors to be populated soon, I'll post them when they are.
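Before running the dd command above, verify the download against the published SHA256 file (prefer it over the MD5 file) and make sure the target is the whole disk rather than a partition. The following Python script is an added example for this post, not part of the HeX project or the original text: it reads a .sha256 file in either FreeBSD sha256(1) format ("SHA256 (file) = hex") or GNU sha256sum format ("hex  file"), streams the image through SHA-256, refuses device nodes that look like a slice or partition (da0s1, da0p1, sdb1) rather than a whole disk (da0, sdb), and only then runs dd with the same arguments as above. The device-name patterns are an assumption covering common FreeBSD and Linux names.

```python
"""Verify a HeX LiveUSB image against its .sha256 file, then write it with dd.

Added example, not part of the HeX project. Usage (as root, on the machine
with the thumb drive):
    python verify_and_write.py hex-i386-1.0.3.usb.img hex-i386-1.0.3.usb.img.sha256 /dev/da0
"""
import hashlib
import os
import re
import subprocess
import sys

# FreeBSD sha256(1) writes "SHA256 (name) = hex"; GNU sha256sum writes "hex  name".
_BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})\s*$")
_GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>.+?)\s*$")

# Whole-disk nodes only: da0/ada0/ad0 (FreeBSD), sdb/mmcblk0 (Linux). Slices and
# partitions (da0s1, da0p1, sdb1, mmcblk0p1) are rejected because the post
# requires the image to go to the drive itself. Assumed naming, common cases only.
_WHOLE_DISK = re.compile(r"^/dev/(?:(?:da|ada|ad)\d+|sd[a-z]+|mmcblk\d+)$")


def parse_sha256_file(text):
    """Return {filename: lowercase hex digest} for every recognised line."""
    digests = {}
    for line in text.splitlines():
        m = _BSD_LINE.match(line) or _GNU_LINE.match(line)
        if m:
            digests[m.group("name")] = m.group("hex").lower()
    return digests


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256; the images are hundreds of MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def image_matches(image_path, sha_text):
    """True only if the .sha256 file lists this image's name and the digest agrees."""
    expected = parse_sha256_file(sha_text).get(os.path.basename(image_path))
    return expected is not None and sha256_of(image_path) == expected


def is_whole_disk(dev):
    """Reject anything that looks like a slice or partition node."""
    return _WHOLE_DISK.match(dev) is not None


def dd_command(image_path, dev, bs="1M"):
    """The write step from the post, as an argv list (bs=1M as in the post)."""
    return ["dd", "if=" + image_path, "of=" + dev, "bs=" + bs]


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: verify_and_write.py IMAGE SHA256FILE /dev/DISK")
    image, sha_file, dev = argv[1:]
    if not is_whole_disk(dev):
        sys.exit("%s does not look like a whole disk (use da0, not da0s1)" % dev)
    with open(sha_file, encoding="utf-8") as f:
        if not image_matches(image, f.read()):
            sys.exit("SHA256 mismatch or image not listed: refusing to write")
    subprocess.run(dd_command(image, dev), check=True)


if __name__ == "__main__":
    main(sys.argv)
```

The script refuses to write on a digest mismatch or when the .sha256 file does not mention the image by name, so a checksum file downloaded for the ISO cannot be used to "verify" the USB image by accident.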

Cheers,
JJC

SpyBurner Removal Tool - Remove SpyBurner

SpyBurner is the latest rogue antispyware (an AdvancedCleaner twin). It can be installed manually from www.spyburner.com, www.pcsecuritycenter.net and other sites. Some trojan horses (like Zlob.Trojan, Virtumonde, Vundo) show fake spyware detection reports to push users into downloading and installing SpyBurner. These trojans can display system tray notifications and hijack your homepage with fake SpyBurner online scanners. The purpose of this activity is to trick the user into purchasing the "full" version of SpyBurner. We recommend using Spyware Doctor antispyware; it can easily detect and remove SpyBurner and the installer trojans.

SpyBurner automatic removal tool:

SpyBurner screenshots:



SpyBurner manual removal instructions:
Remove SpyBurner registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SpyBurner Free" = "C:\Program Files\SpyBurner\SpyBurner.exe" /min
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SpyBurner_104911963" = "C:\Program Files\SpyBurner\SpyBurner" -c
HKEY_ALL_USERS\Software\SpyBurner
HKEY_LOCAL_MACHINE\SOFTWARE\SpyBurner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyBurner
HKEY_LOCAL_MACHINE\SOFTWARE\SpyBurner_

Remove SpyBurner files:
SpyBurner.exe
SpyBurner.lnk
dkto.dll
Uninstall SpyBurner

Thursday, February 14, 2008

Shmoocon Starts Tomorrow

I trust that we are all prepared for absurdities and enjoyable semi-sober technical security banter? In any event, Shmoocon DC 2008 starts tomorrow afternoon and I look forward to seeing you there. You can find the schedule on the Shmoocon site itself.

I wanted to comment that if you do not currently have a ticket, there are several for sale on eBay.
I suspect that there may even be some hawkers outside ;-)

Cheers,
JJC

HeX 1.0.3, the CNY Release

I am pleased to announce the release of HeX 1.0.3; release info is below. Thanks to the entire development team for their dedication and hard work. This release has been dubbed the CNY, or Chinese New Year, release.

With the recent release of FreeBSD 7.0 RC2, we anticipate an actual 7.0 release in the near future. When the Release version of 7.0 becomes available we will begin working on the new HeX 2.0 project.

Get HeX 1.0.3 Here:
US Mirrors:
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.3.iso.sha256

Malaysia Mirrors:
http://bsd.ipv6.la/hex-i386-1.0.3.iso
http://bsd.ipv6.la/hex-i386-1.0.3.iso.md5
http://bsd.ipv6.la/hex-i386-1.0.3.iso.sha256

Fixed:
- pkg_info works after installation
- ping works without sudo
- procfs is correctly mounted on /proc at boot

Upgraded:
1. NSM Console 0.6-DEVEL
Features:
- 'dump' command added, you can now dump packet payloads into a binary
file for later analysis
- Significant speedups in the harimau module and 'checkip' command if
wget is installed
- tcpxtract configuration file changed to extract more types of files
- Added foremost module
- Added clamscan module (Thanks JohnQPublic)
- Argus and tcptrace have reverse DNS turned off by default now; it
was causing the module to hang for extremely large pcap files. It can be
switched on by changing the module options
- rot13 encoding and decoding added :)
Bugfixes:
- alias command
- urlescape (en|de)coding
- file existence check
- many other things
All the other enhancements, bugfixes and additions since the 0.2
release (there have been many!)

New Application Packages:
- xplot
- uni2ascii
- vnc
- vsftpd
- samplicator
- sflowtool
- pmacct
- ming
- ploticus
- tcpick
- bvi
- elinks
- feh
- tftpgrab
- arpwatch

Misc:
- New wallpapers with different color schemes

The LiveUSB image will be out shortly, it is undergoing a quick regression test currently.

Cheers,
JJC

Wednesday, February 13, 2008

Antispywareupdates.net - new rogue promoting crap site

Antispywareupdates.net is a malicious web site that promotes well-known rogue anti-spyware programs such as SpyAway and Perfect Cleaner. Antispywareupdates.net can hijack your homepage and display annoying security warnings and fake online scanners. We recommend downloading Spyware Doctor; it will remove Antispywareupdates.net in seconds.

Antispywareupdates.net screenshot:



Antispywareupdates.net automatic removal tool:


Tuesday, February 12, 2008

Emotrlq Toolbar Removal Tool - Remove Emotrlq Toolbar

Emotrlq Toolbar is a fake security toolbar that pretends to be a spam and popup blocker and spyware remover. In reality, Emotrlq generates fake spyware detection reports to trick users into downloading and purchasing fake antispyware programs (like VirusHeat 3.9). This malicious toolbar can slow your computer and may cause serious system errors and even crashes. We recommend removing it using Spyware Doctor antispyware with free scan.

Emotrlq Toolbar Screenshot (note: there are many Emotrlq Toolbar skins) :

Emotrlq Toolbar Remover:

Emotrlq Toolbar Manual Removal:
Remove Emotrlq Toolbar files and unregister DLLs:
emotrlq.dll
byxww.dll
ssqpp.dll
ezzhjmt.dll
browsew.dll
ddcyvtt.dll
ctl3d3.dll
hggdbab.dll
toprates.dll
sprt_ads.dll
oggview32.dll
turbosearchsite.dll

Remove Emotrlq Toolbar registry keys:
A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D
14B65C62-1F53-4B15-9476-5D697608536F
82C8422E-86A3-41C1-9F2E-094F7BF849E2
BCBC8B3C-397C-4D98-B6BA-FF337B9671E1
17D2F953-B2D1-4D1B-BCD3-20432E09ECF1
80DFDD57-D8B8-4991-82B9-9E9D426668B0
4911E55D-9240-49DB-B878-337DE4F53E70
4090F502-6B2D-41B4-8409-B08905A3A0E6
F10587E9-0E47-4CBE-84AE-7DD20B8684BB
47EFD4AD-CB46-4549-B24B-CEE415394C56
3DAF1739-AB9E-493E-8DD7-F65CDF363BCB

Remove Puresafetyhere.com hijacker. Puresafetyhere.com removal tool

Puresafetyhere.com description:
Puresafetyhere.com is a browser hijacker that generates fake spyware detection reports (Myzor@.fk and others) to trick you into buying full versions of rogue anti-spyware programs. Puresafetyhere.com can slow your computer and secretly install dangerous spyware. Download Spyware Doctor antispyware with free scan to remove Puresafetyhere.com from your computer.

Puresafetyhere.com screenshots:

Puresafetyhere.com automatic remover with free scan


Puresafetyhere.com manual removal instructions:
Remove Puresafetyhere.com registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70d17a5f-ef27-4295-90f5-20ad6f24834f}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80ced3d6-ece9-48ba-8df8-2503d8d87c2b}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Messenger Service
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D61D7E1A-6613-49CA-B6F9-51DB248E209D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper objects\{D61D7E1A-6613-49CA-B6F9-51DB248E209D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{aa6d4f53-4c8d-4549-84d2-02d584acc4e9}


Remove Puresafetyhere.com files:
icmntr.exe
icthis.exe
ictun.exe
icun.exe
isfmm.exe
isfmntr.exe
isfun.exe
pmuninst.exe
gtawclv.dll
Online Security Guide.url
Security Troubleshooting.url
pmmon.exe
vjxwnn.dll
cfqbw.dll
fdpzgi.dll
vmlwp.dll
veptlh.dll
isfmdl.dll

Saturday, February 9, 2008

Iwannaseeyounude.com/scan/ - IE Defender fake scan

How to remove iwannaseeyounude.com/scan/ hijacker?
Iwannaseeyounude.com/scan/ is a browser hijacker that results from a Zlob.Trojan infection. It can slow your computer and destroy personal data. This hijacker promotes the IEDefender rogue anti-spyware. If your computer was hijacked with Iwannaseeyounude.com/scan/, download Spyware Doctor, the most technologically advanced application on the Internet for detection and removal of potentially undesired items.


Iwannaseeyounude.com/scan/ Removal Tool

Iwannaseeyounude.com screenshot

Remove Powered by Zedo popups

Zedo (Powered by Zedo) is an annoying adware that pops up in the middle of the screen without warning, usually when the user tries to search Google or another search engine. It then takes your search term and puts it in the popup ad, showing eBay or a few other sites. Pop-up blockers can't remove Zedo. We recommend using Spyware Doctor with free scan to remove Zedo cookies and files from your computer.

Zedo produces popups from these URLs:
  • xads.zedo.com
  • upspiral.com
  • searchlocal.ws
  • aavalue.com
  • url.cpvfeed.com
Zedo Manual removal:
Find and remove these Zedo cookies:
  • zedo
  • c1.zedo
  • c2.zedo
  • c5.zedo
  • zedo.com
Remove Zedo files:
  • core.sys
Remove Zedo registry values:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CORE
Automatic removal:

Friday, February 8, 2008

How to remove Edfqvrw Toolbar - Edfqvrw Toolbar Remover

Edfqvrw Toolbar is the latest BHO (Browser Helper Object) that hijacks your browser and generates fake spyware detection reports. Edfqvrw Toolbar may slow your computer and cause system slowdowns and Windows errors. The Edfqvrw Toolbar usually gets installed onto your PC without your permission, through trojans, malware and viruses. We recommend using Spyware Doctor anti-spyware to remove this threat from your computer.

Edfqvrw Toolbar removal tool:

Edfqvrw Toolbar manual removal instructions:
Unregister Edfqvrw Toolbar DLL files:
byxww.dll
ssqpp.dll
ezzhjmt.dll
browsew.dll
ddcyvtt.dll
ctl3d3.dll
hggdbab.dll
toprates.dll
sprt_ads.dll
oggview32.dll
turbosearchsite.dll

Remove Edfqvrw Toolbar registry values:
A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D
14B65C62-1F53-4B15-9476-5D697608536F
82C8422E-86A3-41C1-9F2E-094F7BF849E2
BCBC8B3C-397C-4D98-B6BA-FF337B9671E1
17D2F953-B2D1-4D1B-BCD3-20432E09ECF1
80DFDD57-D8B8-4991-82B9-9E9D426668B0
4911E55D-9240-49DB-B878-337DE4F53E70
4090F502-6B2D-41B4-8409-B08905A3A0E6
F10587E9-0E47-4CBE-84AE-7DD20B8684BB
47EFD4AD-CB46-4549-B24B-CEE415394C56
3DAF1739-AB9E-493E-8DD7-F65CDF363BCB
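The Emotrlq and Edfqvrw Toolbar posts above list the same DLLs and the same eleven CLSIDs but give no registry location for them, and the SpyBurner post lists Run values. An IE toolbar or BHO is normally registered under HKLM\SOFTWARE\Classes\CLSID\{CLSID} (with the DLL path in the InprocServer32 default value), under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}, and as a value named {CLSID} under HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar. The Python script below is an added example, not from the original posts or from any vendor: it parses a registry export produced with `reg export` (a .reg text file) offline and reports which of the listed CLSIDs are registered, which DLL each one loads, and which Run values launch a listed image. The sample export is constructed for the example, and the pairing of emotrlq.dll with the first CLSID is an assumption for illustration, not something the page states.

```python
"""Scan Windows registry exports (.reg) for the toolbar CLSIDs and Run values
listed in the removal posts. Added example, not from the original posts.

Export on the suspect machine, then scan offline:
    reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" cv.reg
    reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar" toolbar.reg
    python scan_reg.py clsid.reg cv.reg toolbar.reg
"""
import re
import sys

# CLSIDs from the Emotrlq/Edfqvrw Toolbar posts (the two lists are identical).
TOOLBAR_CLSIDS = [
    "A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D", "14B65C62-1F53-4B15-9476-5D697608536F",
    "82C8422E-86A3-41C1-9F2E-094F7BF849E2", "BCBC8B3C-397C-4D98-B6BA-FF337B9671E1",
    "17D2F953-B2D1-4D1B-BCD3-20432E09ECF1", "80DFDD57-D8B8-4991-82B9-9E9D426668B0",
    "4911E55D-9240-49DB-B878-337DE4F53E70", "4090F502-6B2D-41B4-8409-B08905A3A0E6",
    "F10587E9-0E47-4CBE-84AE-7DD20B8684BB", "47EFD4AD-CB46-4549-B24B-CEE415394C56",
    "3DAF1739-AB9E-493E-8DD7-F65CDF363BCB",
]
# Substring that marks the SpyBurner post's Run values.
RUN_MARKERS = ["SpyBurner"]

HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE"
CLSID_ROOT = HKLM + r"\Classes\CLSID"
BHO_ROOT = HKLM + r"\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = HKLM + r"\Microsoft\Internet Explorer\Toolbar"
RUN_KEY = HKLM + r"\Microsoft\Windows\CurrentVersion\Run"


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the key's default value.

    regedit writes .reg files as UTF-16LE with a BOM (open with encoding="utf-16").
    REG_SZ data is unescaped (\\\\ -> \\, \\" -> "); other types stay as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # hex continuation lines have no '='
        name, _, data = line.partition("=")
        name = "@" if name == "@" else re.sub(r"\\(.)", r"\1", name.strip('"'))
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def find_indicators(keys, clsids, run_markers):
    """Return (kind, indicator, detail) hits; kind is clsid, bho, toolbar or run."""
    by_lower = {k.lower(): k for k in keys}   # registry key names are case-insensitive

    def lookup(path):
        k = by_lower.get(path.lower())
        return keys[k] if k is not None else None

    hits = []
    toolbar_values = {n.upper() for n in (lookup(TOOLBAR_KEY) or {})}
    for clsid in clsids:
        g = "{%s}" % clsid.upper()
        if lookup(CLSID_ROOT + "\\" + g) is not None:
            inproc = lookup(CLSID_ROOT + "\\" + g + r"\InprocServer32") or {}
            hits.append(("clsid", clsid, inproc.get("@", "")))   # DLL the CLSID loads
        if lookup(BHO_ROOT + "\\" + g) is not None:
            hits.append(("bho", clsid, ""))
        if g in toolbar_values:
            hits.append(("toolbar", clsid, ""))
    for name, data in (lookup(RUN_KEY) or {}).items():
        if any(m.lower() in data.lower() for m in run_markers):
            hits.append(("run", name, data))
    return hits


# Constructed sample export for a stand-alone run; not captured from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]
@="Emotrlq Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32]
@="C:\\WINDOWS\\system32\\emotrlq.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a74f3fc3-cc9a-4d4c-afb5-b56f0caa445d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{14B65C62-1F53-4B15-9476-5D697608536F}"=hex:
"BrandBitmap"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyBurner Free"="\"C:\\Program Files\\SpyBurner\\SpyBurner.exe\" /min"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""


def main(paths):
    keys = {}
    if paths:
        for p in paths:
            with open(p, encoding="utf-16") as f:
                keys.update(parse_reg(f.read()))
    else:
        keys = parse_reg(SAMPLE_REG)
    for kind, indicator, detail in find_indicators(keys, TOOLBAR_CLSIDS, RUN_MARKERS):
        print(kind, indicator, detail)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Per-user registrations (the HKCU ...\Internet Explorer\Toolbar\WebBrowser values seen in the SCToolbar post above) live in each user's hive, so export HKCU as well for the logged-on user and add that key to the scan if needed. The "clsid" hit's detail field is the DLL path from InprocServer32, which is what lets you match a CLSID to the DLL names the posts list.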