Malware infection: Total XP Security

My church’s secretary called me a few days ago and indicated that she saw a number of popups on her computer screen that seemed suspicious. She wasn’t able to catch anyone by phone at the time, so she did the next best thing she could think of–she shut down the computer without clicking on anything.

It was a day and a half before I was able to make it to the church to look at the PC, and I discovered that the pastor had booted it during that day and allowed it to run normally (it serves as a file and print server in addition to being the secretary’s primary workstation). After a partial run of ClamWinAV (which I had downloaded, updated, configured to run in standalone mode, and burned to a CD so I wouldn’t risk infecting my USB drive), I decided to take the machine home and scan the drive on a computer with a known good antivirus/antimalware program (Microsoft Security Essentials [MSE]).

MSE scanned the drive and found only one problem, which I had it remove. I loaded the drive back into the church’s computer and headed back to the church. Upon booting the computer, everything appeared to be normal. I quickly discovered, however, that all was not well. None of the shortcuts on the desktop worked. Neither did any other program I tried to run. I would always get an “Application not found” or the “Open with” dialog box. Right-clicking on a shortcut or executable file gave me the normal Open, Run as…, and Scan with AVG Free options, but I noticed a new “start” option.

Checking the registry for the .exe class (HKEY_CLASSES_ROOT\.exe\shell\open\command) showed that the (Default) action was now '"C:\Documents and Settings\User\Local Settings\Application Data\ave.exe" /start "%1" %*'. A quick Google search indicated that this was part of the Total XP Security fake antivirus program.
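A defender-side check for the handler hijack described above, written as an added Python example (not from the original post or from BleepingComputer): it parses a registry export (a constructed .reg snippet modelled on the ave.exe value) and flags any .exe launch handler whose command is not the normal "%1" %*. The list of handler keys it inspects is my own choice, not taken from the post.

```python
"""Scan an exported Windows registry (.reg) file for a hijacked .exe file
association of the kind described above: the normal "%1" %* handler replaced
by a path to a rogue executable. Added example, not from the original post;
the .reg text below is constructed to mirror the post's ave.exe value."""
import re

# Keys that decide how .exe files are launched; a clean system runs "%1" %*
# (the file itself with its arguments). Key list chosen for this example.
HANDLER_KEYS = (
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command",
)
CLEAN_HANDLER = '"%1" %*'

def parse_reg_export(text):
    """Return {key_path: default_value} for each key in a .reg export. Only the
    (Default) value, written as @="...", is kept; the backslash escaping that
    .reg files apply to quotes and backslashes is undone."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            values[current] = re.sub(r'\\(["\\])', r'\1', line[3:-1])
    return values

def find_hijacked_handlers(text):
    """Return {key_path: launcher} for handler keys whose command is not the
    plain "%1" %*; launcher is the quoted program inserted in front of it."""
    findings = {}
    for key, cmd in parse_reg_export(text).items():
        if key in HANDLER_KEYS and cmd.strip() != CLEAN_HANDLER:
            m = re.match(r'"([^"]+)"', cmd)
            findings[key] = m.group(1) if m else cmd
    return findings

# Constructed export: one clean key and one hijacked key modelled on the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\User\\Local Settings\\Application Data\\ave.exe\" /start \"%1\" %*"
'''
if __name__ == "__main__":
    print(find_hijacked_handlers(SAMPLE_REG))
```

On a real machine, feed it the output of `reg export HKCR\.exe` (and the exefile and HKCU\Software\Classes keys) so the per-user hijack the rogue also writes is covered.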

Some more quick searching via Google turned up some excellent instructions for removing Total XP Security at BleepingComputer.com.

I also discovered another useful tool during this process: Norton Safe Web. Norton Safe Web scans sites for security problems and gives a report on its findings. It also allows visitors to rate and comment about sites. While Googling for instructions to remove Total XP Security I found several sets of instructions on sites that were not rated well by Norton Safe Web. BleepingComputer.com, however, has an excellent rating.

Following the BleepingComputer.com removal instructions has gotten my church’s computer on the right track again. The Malwarebytes Anti-Malware program took about 20 minutes to run and found over 40 infected files/rogue registry keys! It was able to remove them (with a reboot).

I have since removed the AVG virus program and replaced it with MSE. Let’s hope that we don’t end up in this situation again!

This does lead to another question, though. Is MSE enough protection on a PC? Some people don’t think so.

Running MSE and Malwarebytes Anti-Malware side-by-side.

The easy way to make dig more useful: .digrc

I’ve been a long-time “dig” user (on Mac and Linux) to retrieve DNS records before I start transferring a domain to a new registrar. Every time, I issue the same dig commands to gather the data I need and put it in a text file for easy reference later. Dig always outputs way more information than I need, and I end up fishing through most of it to find the one or two lines that interest me.

$ dig jssm.com any

; <<>> DiG 9.3.6-APPLE-P2 <<>> jssm.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37409
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jssm.com.                      IN      ANY

;; ANSWER SECTION:
jssm.com.               7200    IN      MX      5 ALT1.ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      MX      0 ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      A       216.98.141.250
jssm.com.               7200    IN      A       69.72.142.98
jssm.com.               7200    IN      SOA     ns8.zoneedit.com. soacontact.zoneedit.com. 1255263341 14400 7200 950400 7200
jssm.com.               7200    IN      NS      ns17.zoneedit.com.
jssm.com.               7200    IN      NS      ns8.zoneedit.com.

;; Query time: 62 msec
;; SERVER: 172.16.0.100#53(172.16.0.100)
;; WHEN: Tue Mar  9 10:10:20 2010
;; MSG SIZE  rcvd: 203

Dig Options

After perusing the man page for dig, I discovered the magical combination of options that hides all the stuff I don’t want to see while still returning all the data I do want to see: +nostats +nocomments +nocmd +noquestion +recurse.

Now my command is messy, cumbersome, and difficult to remember, but I have what I want:

$ dig +nostats +nocomments +nocmd +noquestion +recurse jssm.com any

jssm.com.               7200    IN      MX      0 ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      MX      5 ALT1.ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      A       69.72.142.98
jssm.com.               7200    IN      A       216.98.141.250
jssm.com.               7200    IN      SOA     ns8.zoneedit.com. soacontact.zoneedit.com. 1255263341 14400 7200 950400 7200
jssm.com.               7200    IN      NS      ns8.zoneedit.com.
jssm.com.               7200    IN      NS      ns17.zoneedit.com.

.digrc

I was delighted to see that dig supports a .digrc file for setting default options. I simply plopped the options I like into my ~/.digrc file, all on a single line, issued my simple query, and voilà! Just the data I need, without the extra stuff I don’t.

$ dig jssm.com any
jssm.com.               7200    IN      MX      0 ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      MX      5 ALT1.ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      A       69.72.142.98
jssm.com.               7200    IN      A       216.98.141.250
jssm.com.               7200    IN      SOA     ns8.zoneedit.com. soacontact.zoneedit.com. 1255263341 14400 7200 950400 7200
jssm.com.               7200    IN      NS      ns8.zoneedit.com.
jssm.com.               7200    IN      NS      ns17.zoneedit.com.

Bonus Syntax

I also discovered that dig supports multiple queries on the command line. I can now issue a single command and get all the DNS information I need for a domain:

$ dig jssm.com any www.jssm.com any mail.jssm.com any
jssm.com.               7200    IN      MX      5 ALT1.ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      MX      0 ASPMX.L.GOOGLE.com.
jssm.com.               7200    IN      A       216.98.141.250
jssm.com.               7200    IN      A       69.72.142.98
jssm.com.               7200    IN      SOA     ns8.zoneedit.com. soacontact.zoneedit.com. 1255263341 14400 7200 950400 7200
jssm.com.               7200    IN      NS      ns17.zoneedit.com.
jssm.com.               7200    IN      NS      ns8.zoneedit.com.
www.jssm.com.           7200    IN      CNAME   wfb.zoneedit.com.
wfb.zoneedit.com.       951     IN      A       216.98.141.250
wfb.zoneedit.com.       951     IN      A       69.72.142.98
mail.jssm.com.          7200    IN      CNAME   ghs.google.com.

Questions to ask when looking for an apartment

  • Can we install child locks on the cabinets, etc.?

Pumpkin Pie Cookies

(An adapted recipe)

  • 1 c packed brown sugar
  • 1 c granulated sugar
  • 2 sticks unsalted butter (room temperature)
  • 2 large eggs
  • 3 cups flour
  • 1 t baking powder
  • 1 t baking soda
  • 1.5 c pumpkin pie mix
  • 1 cup oats

Mix all ingredients together. Drop 2″ balls 2″ apart on a cookie sheet and bake at 350 degrees for 15 minutes.

Linux Mint–VMware Guest

Setting up Linux Mint as a VMware guest OS is pretty simple. Right out of the box with VMware Server 2.0, some of the functionality usually attributed to the VMware Tools was in place (most notably the auto capture/release of the keyboard and mouse).

I’ve always been one to use the official VMware Tools (VMT) with my VMs, but newer Linux kernels have changes that don’t allow various drivers included with VMT to compile, so I decided to try the Open Virtual Machine Tools this time around.

There’s an easy way to get the OVMT: install the Ubuntu package: sudo apt-get install open-vm-tools open-vm-toolbox. This works fine, but the tools are likely to be out of date. At present they are about 7 months out of date.

Here’s what I had to do to get the latest version installed from source:

  1. Download the open-vm-tools package
  2. Install the necessary development libraries: sudo apt-get install xorg-dev liburiparser-dev libpng-dev libgtk2.0-dev libgtkmm-2.4-dev libproc-dev libdumbnet-dev libicu-dev
  3. Compile the tools: make
  4. Install the tools: sudo make install
  5. Reboot (may be optional)

VMware Server still prompts me to install the VMware Tools, but I think everything is running as it should be.

Linux Mint–Initial Configuration

I’ve finally bitten the bullet and installed Linux natively on my laptop. This is something I’ve wanted to do for a very long time and I’m very glad to say that I have.

The first question to answer was that of distribution. There are so many out there; which one should I use? I’ve been a casual Linux user and system administrator for several distributions, and my experiences there have led me to one conclusion: a Debian variant. Red Hat is a decent distribution, but it uses RPM for packages and I’ve always felt that they’re a little clunky. I’ve experienced most of my package installation problems when dealing with RPMs.

Now that the Linux distribution family is chosen, which variant should I use? Debian is OK, but since it’s a little more difficult to use out of the box, I typically use it only for a server. Ubuntu has been my “go to” distribution since it’s based on Debian but is definitely designed for at least a techy, if not an end user. I recently heard about Linux Mint (an Ubuntu derivative) and how it supposedly takes Ubuntu to the next level with UI. Since I’ve had an Ubuntu installation on a VM at home for well over a year, I decided to go with Linux Mint.

A Poem Regarding Computer Spell Checkers

Eye halve a spelling chequer
It came with my pea sea
It plainly marques four my revue
Miss steaks eye kin knot sea.
Eye strike a key and type a word
And weight four it two say
Weather eye am wrong oar write
It shows me strait a weigh.
As soon as a mist ache is maid
It nose bee fore two long
And eye can put the error rite
Its rare lea ever wrong.
Eye have run this poem threw it
I am shore your pleased two no
Its letter perfect awl the weigh
My chequer tolled me sew.