New Kid On The Block

8 replies to this topic

#1 Mike Andrews

  • Members
  • 6 posts
  • Location: East Point, Georgia

Posted 01 December 2005 - 12:32 AM

Hello, all.

Since I grew up during the age of Teletype and the B&W TV I guess I'm a bit long in the tooth for this sort of thing. But I enjoy helping others who are struggling with the old PC, and who knows... maybe someone can give ME a hand one of these days?

But ask me questions about stuff dealing with Windows and I'll do my best to answer in a helpful way. Retirement affords a great deal of free time, haha.

My system of choice is Macintosh OS-X, and right now I'm using Panther v10.3.9. There's also an x-86 box in the bay running WinXP -- and I still have memories of earlier Windows versions :-(.

Windows XP is colorful and fun, even if fraught with security hazards. But that problem CAN be solved for most individuals, provided time spent on the Internet is accompanied by a healthy degree of common sense.

I happen to know things about unca Billy's product line ( ;- ) that may be of interest to those of you with spyware concerns. Just rattle my cage any time!

Andreades


#2 acklan (Bleepin' cat's meow)

  • Members
  • 8,529 posts
  • Gender: Not Telling
  • Location: Baton Rouge, La.

Posted 01 December 2005 - 08:07 AM

Wow! It sounds like you are going to fit in quite well around here. Welcome to BC. Feel free to jump in where ever you feel you can be of help. I believe you will find the BC community warm and inviting. Good to have you onboard. Where do you retire from?

Edited by acklan, 01 December 2005 - 08:07 AM.

"2007 & 2008 Windows Shell/User Award"

#3 Leurgy (Voted most likely)

  • Members
  • 3,831 posts
  • Gender: Male
  • Location: Collingwood, Ontario, Canada

Posted 01 December 2005 - 10:21 AM

Welcome Mike Andrews

Thanks for signing up. We need some Mac users here so I'm sure your contributions will be helpful.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

Trying to remove your data from the web is like trying to remove pee from a swimming pool


#4 yano (I can see what you post!)

  • Members
  • 6,469 posts
  • Gender: Male

Posted 01 December 2005 - 05:37 PM

:thumbsup: to BC! Mike Andrews.
Yes our Mac population is low, and we are always looking for new members, in any field. :flowers:

Good Luck,
yano

#5 Mike Andrews (Topic Starter)

  • Members
  • 6 posts
  • Location: East Point, Georgia

Posted 01 December 2005 - 06:28 PM

acklan and Leurgy,

Thanks for the warm welcome!

Don't misunderstand, please; I'm no certified technician, but merely an old SOTP (seat of the pants) guy.

But there's little regarding Windows boxes I can't fathom in regard to fixing stuff and performing repair installations, etc. Yet I imagine there are areas in which your understanding is greater than mine.

I've had a lot of experience removing spyware; but must admit defeat where it comes to most CWS infections. My finding has been that CWS usually CAN'T be fully removed, as the coding used by its writers allows for so many clones of the root file, that killing it in one place only leads to its springing up again in another. In instances like that I defer to others' greater expertise. Maybe that's where you come in?

Commonname is something I see as having been unca Billy's NO.1 money maker over the past 10-12 year period, serving as a vector under the 'bigger-better' scenario. Having a CN infection is tantamount to hoisting a 100' neon sign with the flashing logo "INSTALL MALWARE HERE." It was shipped with virtually all OEM/bundled media and can still be found in countless millions of computers purchased with pre-installed Windows shipped up until about mid 2003.

Recently, during a dialogue with an honest Microsoft tech I'd spoken with via telephone from India, I had occasion to win a small victory. The topic of our debate had been whether I should receive a second unit of replacement media to replace the first unit, which turned out infected with... you guessed it. The fellow was in complete denial until I persuaded him to run a check on HIS OWN COMPUTER, (which I'd taken a big risk in supposing was an Enterprise setup running WinXP, installed from cheap, infected, bundled OEM multi-seat media) -- and darned if he didn't discover Commonname! That same tech tried repeatedly to contact me afterwards to rekindle our dialogue; but Microsoft had pulled the two-way plug on our communications. I only hope he realizes what happened. The Indians are wonderful people with, perhaps the most sincere and honest outlooks of any people on earth. I would never wish to offend anyone in Bharata Varsha, the First Land.

You guys (assuming you're male; otherwise, my apologies for being presumptuous) probably know of Commonname; but many individuals who consider themselves expert in the x-86 platform do NOT. They don't even have a clue; and that's one way in which Microsoft has ascended to its status as global software monopoly. That... and some admittedly colorful and interesting nuances of the Windows system. It ain't all bad; just, the good part is like a rose with long, sharp thorns.

For openers, please allow me to offer a simple means of running a check for the Commonname parasite in Windows:

Click start > run and type regedit; enter. Collapse the registry tree fully so that the five keys (assuming you're using WinXP; but it works the same in all Win systems) -- are retracted and only the words "My Computer" remain.

Click edit > find and into the find box type this CLSID: {00000000-0000-0000-0000-000000000000}. Click find now.

For those of us running SpyBot S&D the above CLSID will turn up at the top of the HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility list. SpyBot places it there for your protection, although the jury's still out as to whether doing so represents any actual benefit.

If the all-zeroes CLSID turns up anywhere else, such as EventSystem, the computer is infected and the user should engage in a removal operation. This, although if you've been using your computer for a while it is unlikely that you've any secrets. As the Intego company, makers of NetBarrier for Mac, assert, sometimes having a spy in your midst and KNOWING IT can serve as a powerful tool. But that caveat is not always desirable, as in circumstances where the spy component causes malicious behavior. CWS should take a bow, along with a virtual plethora of other malware.

Since there are several versions of CN besides the, er, 'common' one most often used in unca Billy's spymill, there are variances in the ways this voracious parasite must be handled during removal. That's why I hesitate in offering removal advice unless the version in question is what I think of as 'unca Billy simplex' -- the one most often encountered, and which in almost every case comes from infected media. It installs to EventSystem in some 35-odd locations and sequesters its main component in a little nothing-looking system32 file named es.dll.

You can run a scan on your install media to see if the CN file is there; might save you some headaches later on, to know. If it is it will turn up in either nine or ten folders, depending on whether your version features SP2. Just place the media in your CD-ROM and go immediately to start > search and set up the parameters for that drive, entering the all-zeroes CLSID into THE BOTTOM BOX. Be sure to tick the 'advanced search' box, and hit the button. Running a search from the second box informs your computer that you want to scan EVERYTHING; not merely the most likely directories. So don't get antsy if the process takes a few minutes. Very often the infected directories will not pop up until last, just about the time you're congratulating yourself for having a clean CD.

The names of the files will be as follows:

HIVECLS.INF (i386)
HIVEDEF.INF (i386)
INTL.INF (i386)
TXTSETUP.SIF
WIN95UPG.INF
LAYOUT.INF (i386)
SCRIPT.DLL (VALUEADD/MSFT/USMT/ANSI)
SCRIPT_A.DLL (VALUEADD/MSFT/USMT/ANSI)
SETUPAPI.DLL (WIN9XUPG)
One file unavailable as of this posting

It's worth mentioning that, if you're infected and find es.dll in your system32... and open es.dll to search for the all-zeroes CLSID under the edit > find menu, the result will probably be nil. This is because the main component will be installed therein with sleight-of-hand, in that, for one, the CLSID is entered with a space between each digit; and for another the font size used probably removes it from the search engine's purview. But in all likelihood, if you scroll through the scripted portions of es.dll you'll come upon the zeroes monster, looking something like this (but in size 24 font): {0 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 }. As far as I've been able to determine, es.dll is not a legitimate file and can be deleted to no ill effect after running a de-registration script in regedit32, in safe mode. But that is only the beginning of the removal process.

The later versions of CN are somewhat malicious, like CWS, in that they establish a bogus LSP Winsocket through which all packets flowing in and out via the TCP/IP stack are scavenged. It is impossible to block any version of CN from communicating over the Net as, like most PROMIS-based spyware it transmits packets out through the TCP/IP stack (svchost, or Generic Host Process for Win32 Services); and if blocked will prevent Internet connectivity. All firewalls, however 'statefully' inclined, must regard svchost as a trusted source. But the latest versions are especially troublesome, because unless the removal is done precisely 'according to Hoyle' the user will lose all ability to establish an Internet connection. There is a little repair program to fix it; but it's best to avoid making mistakes during removal, to begin with. DSL/cable subscribers are hardest-hit.

This issue with mimicking svchost is a dirty little secret unca Billy has used against his clientele for long, and one of many things he is now coming to regret. Maybe he'll consider, then, donating the 48 billion dollars he's stolen from his victims over the years towards cleaning up the world's countless millions of dirty computers? It would serve nicely as a compensatory gesture of good will. But don't hold your breath.

As I, ahem, predicted elsewhere a year ago, Microsoft is said to be going down the home stretch in finalizing a new operating system that will have absolutely NOTHING to do with Windows! Although I can't recall its name just off hand (I hastily read of it just last night), there is every reason to believe the new system will be Unix based, much like Macintosh. Mac is a well-thought and stable graphical user interface moulded atop a FreeBSD, Unix subsystem. It screams!

Final word: If you happen to be running one of the millions of 'dirty' CN systems, you should be aware that downloads from the Windows Update server subsequent to running a removal procedure will reinstate the es.dll file in at least two new instances, and often three. This informs that Microsoft has established a hidden marker somewhere in Windows which it refers to in determining whether the user installed dirty to begin with; and if he/she did, that's how the update will be effected... in like kind.

Unca Billy's policy is, "once infected, alway$ infected."


A

Edited by Mike Andrews, 01 December 2005 - 06:31 PM.
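One way to automate the install-media search described in the post above, as an added example that is not part of the post: it walks a directory tree and reports each file containing the all-zeroes CLSID, whether written plainly, in the spaced "{0 0 0 0 ...}" form the post describes, or in UTF-16LE (the encoding a byte-wise ASCII search misses). The sample tree it builds is constructed, not real Windows media, and because this value is also Windows' null GUID (GUID_NULL), a hit marks a file to inspect rather than proof of infection.

```python
import os
import re
import tempfile

# The indicator the post searches for.  It is also Windows' null GUID (GUID_NULL),
# present in many legitimate files, so a hit marks a place to inspect, not proof.
CLSID = "{00000000-0000-0000-0000-000000000000}"
# Whitespace allowed between characters: the "{0 0 0 0 ...}" rendering the post
# reports inside es.dll, which a plain text search cannot find.
_SPACED = re.compile(rb"\{\s*" + rb"\s*".join(re.escape(c.encode()) for c in CLSID[1:-1]) + rb"\s*\}")


def find_clsid_forms(data: bytes) -> list:
    """Return the names of every form in which CLSID occurs in data."""
    forms = []
    if CLSID.encode() in data:            # plain ASCII, as typed into a search box
        forms.append("ascii")
    # _SPACED also matches the plain form; count only matches that contain gaps.
    if any(m.group(0) != CLSID.encode() for m in _SPACED.finditer(data)):
        forms.append("ascii-spaced")
    if CLSID.encode("utf-16-le") in data:  # how PE resources and Unicode logs store it
        forms.append("utf-16le")
    return forms


def scan_tree(root: str) -> dict:
    """Walk root (e.g. a mounted install CD) and map each hit to the forms found."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                forms = find_clsid_forms(fh.read())
            if forms:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = forms
    return hits


def demo() -> dict:
    """Constructed sample tree (not real install media) exercising each form."""
    spaced = b"{0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 }"
    samples = {"i386/HIVEDEF.INF": b'[AddReg]\nHKCR,"CLSID\\' + CLSID.encode() + b'"\n',
               "system32/es.dll": b"MZ\x90\x00 ...resource text... " + spaced,
               "setup.log": ("Installed " + CLSID).encode("utf-16-le"),
               "README.TXT": b"Nothing to see here.\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Point `scan_tree()` at a mounted CD or an extracted image to run it on real media; `demo()` shows the expected output shape on the constructed tree.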


#6 Mike Andrews (Topic Starter)

  • Members
  • 6 posts
  • Location: East Point, Georgia

Posted 01 December 2005 - 06:47 PM

yano,

Thank you!

#7 Mike Andrews (Topic Starter)

  • Members
  • 6 posts
  • Location: East Point, Georgia

Posted 01 December 2005 - 06:52 PM

acklan,

BTW, I neglected to answer your question re where I retired from. I was an employee at a major airline, and will say no more, haha.

Edited by Mike Andrews, 01 December 2005 - 06:53 PM.


#8 acklan (Bleepin' cat's meow)

  • Members
  • 8,529 posts
  • Gender: Not Telling
  • Location: Baton Rouge, La.

Posted 01 December 2005 - 08:58 PM

Understand. :thumbsup:
"2007 & 2008 Windows Shell/User Award"

#9 yano (I can see what you post!)

  • Members
  • 6,469 posts
  • Gender: Male

Posted 01 December 2005 - 09:41 PM

yano,

Thank you!

You're welcome. :thumbsup:

yano
:flowers: