Slashdot Mirror


User: Master of Transhuman

Master of Transhuman's activity in the archive.


Comments · 5,622

  1. Re:On a more positive note... on DOJ Wants ISPs to Retain All Customer Records · Score: 1

    "It's hard to fire a machine gun or pull the pin on a grenade with one hand occupied."

    Hey, if Ah-nuld or Sly can do it!

    And most of our troops in Iraq seem to have one hand scratching their heads as to why they're there most of the time, so I guess they're shooting Iraqi civilians with the other.

    And while hard drive costs will come down, you won't have anything to put on them because the porn sites will be charging five hundred a month for access due to their ISP costs of data storage and techs to administer the disk farms.

  2. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    From one of the articles I found on this particular trojan:

    1. Run Regedit, and DELETE the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run, giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC. The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan.)

    So what you have to do is the following, which worked for me (many thanks to "acomputerpro" at the SpywareInfo.com forums!):

    2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

    3. Now delete the AppInit_DLLs key under the Windows2 folder.

    4. Hit F5 and notice that AppInit_DLLs doesn't come back.

    5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good.

    6. Reboot your machine, and check the registry and make sure AppInit_DLLs is still gone.

    In my case, even removing the AppInit key value is not sufficient - the DLL still can't be removed, so I'm going to try KillBox (which has worked in some cases reported on the Net and has NOT worked in others) or DelLater, or failing that, booting into the Recovery Console and using cacls to clear the permissions to enable me to delete the DLL.
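
A defender's check of the persistence location the steps above describe, as an added example that is not from the original comment or thread: it enumerates the raw value names under the Windows key so a hidden or blank-looking AppInit_DLLs value shows up together with its hex. PowerShell and a modern Windows host are assumptions; the original procedure was carried out in Regedit on XP.

```powershell
# Added example, not from the original thread: audit the AppInit_DLLs
# persistence point the comment above walks through, on a modern Windows
# host. Assumes PowerShell 5 or later and read access to HKLM; on 64-bit
# Windows the WOW6432Node view is checked too, since 32-bit processes
# load their AppInit DLLs from there.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitAudit {
    param([string[]]$Paths = $AppInitKeys)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        # Enumerate the raw value names instead of reading one property:
        # a name padded with non-printable characters is missed by a plain
        # lookup, and a value that looks blank in Regedit can still hold data.
        foreach ($name in $key.GetValueNames()) {
            if ($name -notlike '*AppInit_DLLs*') { continue }
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data -is [byte[]]) {
                $bytes = $data; $text = '<binary>'
            } else {
                $text  = [string]$data
                $bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
            }
            [pscustomobject]@{
                Path        = $path
                ValueName   = $name
                NameHex     = ($name.ToCharArray() | ForEach-Object { '{0:x4}' -f [int]$_ }) -join ' '
                Kind        = $key.GetValueKind($name)
                Display     = $text
                DataHex     = ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ' '
                LoadEnabled = ($key.GetValue('LoadAppInit_DLLs') -eq 1)
                # AppInit_DLLs is an empty REG_SZ on a clean install, so any
                # data, or any name that is not exactly AppInit_DLLs, is worth
                # a closer look.
                Flag        = ($bytes.Count -gt 0) -or ($name -ne 'AppInit_DLLs')
            }
        }
    }
}

Get-AppInitAudit | Format-List
```

Run it from an elevated prompt on a host you are responsible for; a row with Flag set to True is the signal to investigate which DLL the value points at before touching the key.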

  3. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    Won't work in this case - you have to boot the hard disk XP OS to create the DLL in the first place. To beat this trojan, you have to kill its Registry keys, kill its running process, then reboot and kill the DLL before Windows can lock it. Bart's or UBCD won't help in any of that. I have them.

  4. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    Yup, I've seen those bat files, too. That's what KillBox and DelLater do - they automate that process without using batch files. I'll try them first, and resort to the manual way if they don't work for some reason.

  5. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    Heh, it's a laptop - so I'd have to remove the battery, too! I'm not much of a laptop guy, and I assume the client probably doesn't even know how to do that, so I didn't try it although I will keep it in mind. Given that this is Windows, I don't want to chance corrupting something in the file system doing this, either. Windows makes me paranoid about such things.

  6. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    I HAVE Bart's PE AND the Windows Ultimate Boot CD which is based on Bart's PE. The DLL is not accessible from there because you haven't booted the hard drive's XP and the trojan doesn't create the file until you do and you aren't using Safe Mode. So Bart's is useless.

    I've installed Ad-Aware, SpyBot, SpywareBlaster, AVG, Stinger and Kerio Firewall on the client's machine. Once I get rid of these last trojans, and install SP2, she should be reasonably safe, because she's been converted to using Firefox instead of IE. I've had the same setup for two years and never get any significant spyware. In fact, I didn't even bother with Spybot and Blaster until this past six months or so. Ad-Aware was sufficient because I wasn't running IE - up until a few months ago, I was running Opera, and now Firefox.

  7. Re:One better on Spyware Floods in Through BitTorrent · Score: 1

    Thanks for the tip - I've downloaded it, it looks like it will be very useful.

  8. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    Well, I'm not going to install Cygwin just to delete a file.

    However, I DO have some DOS versions of UNIX programs that I might try if all else fails. This IS an NTFS file system, however, so I don't think they'll work.

  9. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    1) I ran in Safe Mode repeatedly while cleaning out the easier spyware. This DLL doesn't exist in Safe Mode. The trojan is too smart for that. There has to be a coordinated effort to strangle it via the Registry, killing the running process and then deleting the DLL on reboot.

    2) I need to see if the client has been running as Admin. It's XP Home, so they can't access the Administrator account by default except in Safe Mode, but I forgot to check the regular user account to see whether it's limited or not. However, see below:

    3) In any event, the real problem was the client went away and her roommate left the PC on with IE on a porn site for two weeks with no firewall and no AV. Yes, that WILL do it, given that the average time for an unpatched, unfirewalled XP to get infected is twenty minutes.

    I cleaned out several hundred spyware Registry keys and files and ONE HUNDRED NINE spyware trojans were detected by AVG AV. And that was AFTER somebody had cleaned the system using Ad-Aware AND Spybot AND Norton AND Kaspersky. Running an updated Ad-Aware and Spybot and AVG found the above. Next, I get to run TDS-3 to concentrate on cleaning out any trojans that AVG didn't spot.

    I just hope nobody installed a Windows rootkit on top of everything else.

    She's learning an expensive lesson about computer security, that's for sure. And if I wasn't as cheap as I am, she'd be learning a LOT more expensive lesson.

    I spent seven hours the other night on her machine - mostly due to the fact that until I got a handle on the situation, the machine was so unresponsive it took XP TWENTY MINUTES to shut down! I suppose it would have been easier to simply wipe it and reinstall (she does have a burner on it, so I could have saved her files if I used Bart's PE with Nero or Knoppix with K3B), but you don't know how bad it's going to be until you've been at it for four hours. And then you might as well finish it.

    I figure two more hours with TDS-3 and KillBox will do it - I've already installed Ad-Aware, Spybot, SpywareBlaster, AVG, Kerio Firewall, and Stinger, so once the trojans are gone, she should stay clean as long as she updates and runs the AV and the two anti-spyware programs regularly and installs MS's patches. I may install SP2 as well. She'd been told to use FireFox already by the last guy, so with a little luck she should be okay. I have the same setup on my machine and I've been clean for two years (except lately I use Avast instead of AVG AV).

  10. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    DelLater.exe is produced by the people who do the best anti-trojan product, TDS-3, so I got both of them.

    Either KillBox or DelLater should do the trick, I hope, after I do a full trojan scan with TDS-3.

  11. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    Actually this is what KillBox is supposed to do and supposedly it DOES work, at least on some trojans.

    In this case, I think this particular trojan uses the same filename which is stored in the invisible Registry key value. If you delete the Registry key value, then RENAME THE KEY so the running DLL can't renew it, kill the running process, then rename the key back, then run KillBox to delete the DLL on next reboot, it should work. OTOH, if there ARE multiple processes running that are checking each other, this might not work.

    In any event, when I go back to this client, we'll see what works.

  12. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    No, sir!

    I've seen EXACTLY this sort of thing numerous times.

    A program such as the 2xExplorer file manager will not be able to delete a file which was downloaded even though the program that downloaded the file is no longer running. Most of the time the file manager has to be closed and Explorer run to delete the file.

    Sometimes even Explorer can't delete it, you have to reboot to get rid of it.

    Another wonderful effect is this: I installed Winamp while Administrator. I run 2xExplorer and try to move the desktop shortcut from the administrator's Desktop folder to the All Users folder (while logged on as administrator, of course.) The INSTANT I click on that shortcut, 2xExplorer crashes. No error messages, no nothing. INSTANT CRASH. NO PROGRAM except Explorer can TOUCH that file in ANY WAY without INSTANTLY crashing. Weirdest shit I've ever seen. You can't even use the COMMAND LINE to touch this file! ONLY Explorer itself can delete that file.

    And while researching that on Google, I found hundreds of reports of Explorer crashing for all kinds of reasons - just try to open a folder with the wrong kind of AVI file or a corrupt zip file or something. Flakiest piece of crap in Windows.

  13. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    I'm familiar with the Recovery Console.

    I have an interesting ISO I just downloaded today. Allegedly it is a bootable CD with just the Recovery Console on it.

    I might try it if nothing else works.

  14. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    That was my first reaction when I read about it.

    Another case of "mad featuritis syndrome" on the part of the morons at Microsoft.

    The Registry itself was a bad enough idea...

  15. Re:Deleting the file on Spyware Floods in Through BitTorrent · Score: 1

    I think some of the batch file solutions to this problem I've seen have used the CACLS.exe program and done as you suggest.

    KillBox seems to be the automated way of doing this.

    If KillBox doesn't work in this case, I'll try the manual way.

  16. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    I have Bart's PE - let me remind you this file can NOT be deleted from Windows XP, from the Windows XP command line, or from DOS. Nor does it EXIST unless you boot Windows XP normally - it doesn't exist in Safe Mode. ANY attempt to access this file gives an "Access Denied" once Windows XP has been booted. Doesn't matter if you're Administrator, either.

    I have the UBCD4WIN CD and one of the latest Bart's PE. Didn't work.

    According to a search of various anti-malware sites, the only thing that works is booting normally into Windows XP, but running a delete utility that kills the file before XP is fully loaded and able to lock it down. I haven't actually done it yet, so I don't know if it will work, but KillBox is the utility said to handle this sort of thing. With KillBox, you tell it the file name, it sets Windows to run it on boot, then it reboots Windows and deletes the file. Without this utility, you have to do this sort of thing manually with batch files and Registry keys.

  17. Re:DLL on Spyware Floods in Through BitTorrent · Score: 1

    I wasn't aware of biew - on examining the Web site, I don't see any indication it handles current NTFS - unless the NT version does. Might be worth a shot next time.

  18. Re:DLL on Spyware Floods in Through BitTorrent · Score: 1

    The DLL doesn't always have a consistent filename - these things generate random file names a lot of the time.

    Actually this particular one DOES have a consistent file name, so maybe creating a fake DLL would prevent it from creating it if it's smart enough to see if it already exists.

    Might be something to try next time I run into it. Right now, I just want to delete it for the client, and I think the KillBox utility will do that.

  19. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 1

    I'm familiar with the DOS NTFS product AND the use of Knoppix with the Captive utility.

    I had neither with me at the time - I really need to try to do something with Bart's PE and/or Knoppix so I can easily deal with a totally bogged-down, nonresponsive NTFS machine.

    I wonder if it's possible to take a thirty-day trial anti-trojan like TDS-3 and install it using Wine via a Knoppix live CD with the Captive NTFS utility and then mount and scan NTFS file systems for and remove trojans.

    Right now, my Bart's PE is limited to running McAfee Stinger and some DOS-based AVs that can't handle NTFS reliably. They'll read some of the files, but not all of them, and they won't clean them. It will run Ad-Aware, though. I need to do a Bart's or a Knoppix with more industrial-strength anti-trojan/AV/spyware cleaning tools that can handle NTFS.

  20. Somebody has WAY too much time on their hands! on Pure JavaScript Unix-Like Web Based OS · Score: 1

    Still, an interesting project - I'm sure the author(s) learned a lot about JavaScript doing this.

  21. Re:This is Dumb on Spyware Floods in Through BitTorrent · Score: 3, Interesting

    Excuse me, but porn sites mostly don't need spyware - they know what you're there to get - they don't need marketing of any kind - the marketing is between your legs.

    Most of my clients are picking up spyware from going to SPORTS sites. I got a client whose kids keep checking out Nike shoes at sleazy commercial sites and going to sports sites. It's sleazy commercial sites that are using spyware and spam software to hawk their products and sell marketing info.

    And why would a warez site install spyware? What's in it for them (unless they're big enough to make deals with sleazy marketing operations)? They're distributing FREE illegal stuff to begin with! Again, they KNOW what you're there for. Sure, some of them are probably crackers who are looking to spread viruses and the like, but a lot of people using warez will spot that in a hurry and spread the word and then they're out of business (on that site at least.)

    Even this BitTorrent thing - it's not the "legitimate" sharers doing this - it's COMPANIES seeding the torrents with crap. It's the companies that need to be targeted and shut down, regardless of their legal excuses.

    Ultimately I think that since the law can't work - because it's mostly unenforceable - it will have to be hackers who start finding and (illegally) targeting these companies for DoS attacks and the like that will have to solve this.

    And of course, better tools and better user education are needed to stop people from clicking on spam and installing crap.

    Even so, a certain level of crime is a given and security is an issue that won't go away (until humans do, which fortunately is a given as well.)

  22. Re:Doh on Spyware Floods in Through BitTorrent · Score: 1

    No need for an army.

    One or two (very busy) assassins ought to handle it - you just need to whack the few guys who own the spyware companies.

    Of course, there will always be more, so it's job security.

    The REAL answer of course is to use nanotech to wipe out the thousands of morons who actually click on spam ads...

  23. Re:Oh, the Irony! on Spyware Floods in Through BitTorrent · Score: 5, Informative

    These spyware programs that use the Registry to spawn renamed multiple copies of the spyware programs are a nightmare to get rid of.

    I had a client last night with the Backdoor.Agent.BA trojan which is incredibly hard to get rid of. There are plenty of varied instructions on the Net on how to detect it and find it, but the problem is deleting the DLL file. You can't delete it from the command line or from Windows - in Safe Mode or not (and of course if it's an NTFS system, DOS can't touch it - Linux with the Captive utility might be able to). Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot - by which time you're screwed.

    The only way to delete it is to get a program called KillBox which will prompt for the filename, set itself to run on reboot before Windows is fully loaded, and then reboot Windows, deleting the file before Windows can lock it down.

    You also have to get into the Registry and delete a key which has an invisible value which is what causes it to recreate itself.

    I get my hands on the asshole who wrote this thing, he's gonna need medical life support for the rest of his life.

  24. Re:Maybe consolidation is good on Mandriva Buys Assets from Lycoris · Score: 1

    Yes, the nice thing about Apple was it didn't have any legacy UNIX stuff to worry about. DOS and Windows borrowed from UNIX, but Apple at least tried to name everything halfway rationally so an end user could figure it out.

    We really need a new OS that doesn't do ANYTHING the "old way", but still doesn't do anything "stupid new" (i.e., learns from the past, but doesn't repeat it slavishly.) If I had the time, I'd look into things like the BeOS which supposedly was reasonably well done.

  25. Re:Maybe consolidation is good on Mandriva Buys Assets from Lycoris · Score: 1

    Well, yes, but quite frankly I doubt OSX is any more intuitive than any other OS. It may have some MORE intuitive features, but in the end, the user has to click on menus and run programs, and nothing about that process is "intuitive" as I understand the term.

    And I always hated Apple for doing the "drag the file to trashcan" bit to eject the disk or whatever that nonsense was in the old days. As soon as I heard that one, I knew Apple wasn't as intuitive as anybody was claiming.