Scotty is the little dog that appears in your System Tray when running WinPatrol 2007. WinPatrol from BillP Studios is one of those applications that I would classify as a must have for any security conscious Windows user.

After recently reading Bill’s post at Bits from Bill: Vista Won’t Silence Scotty’s Bark, I thought, not for the first time, wow the things that tightening the security in Windows broke. And, of course I wasn’t the least bit surprised by the hoops Bill had to go through with Microsoft to get to the bottom of the issue.

Well the issue will be fixed in the forth coming release of WinPatrol 2007 v12 and a few other surprise features are forth coming according to BillP.

Nice job Bill and looking forward to the release of WinPatrol 2007 v12.

What are the chances that someone looking for WinRAR will type the following into the bowser address bar: http://www.winrar.com (link deactivated)? Probably millions have done this at one time, the official site is http://www.rarlab.com/.

Anyone going to http://www.winrar.com will be redirected to a French site, when they try to click on the “Free Software Downloads” button. There are 11 copies of WinRAR on this site and all 11 are infected with TROJ_STARTPA.QC.

SOURCE: TrendLabs Malware Blog: A WinRAR-lose situation.

Straight from TomCoyote.org

Merijn, the creator of HijackThis ™ recently sold the popular application used to remove malware to Trend Micro™. In addition to improvements like support for Windows Vista™, they’ve added a deceptively titled “AnalyzeThis” button. While the average user likely thinks the AnalyzeThis button provides helpful information for diagnosing their log.

That is certainly interesting.

MalwareTeks is still considering the use of HijackThis v2 from Trend Micro. As Blair points out in his article it is somewhat necessary for Vista users as HijackThis v1.99.1 doesn’t support Vista.

Yes, there are alternatives to HijackThis and we are consider these programs in lieu of HijackThis.

Skimming through the headlines on The Register this one caught my attention: VXers publish blog poisoning tool.

In the past spamvertising tools required some level of human interaction when apply character recognition to CAPTCHA images during the registration process at websites utilizing this anti-spambot measure. With the release of Xrumer 3, human interaction with the OCR aspect of the program isn’t necessary, as the video from PandaLabs shows.

PandaLabs Blog complete write-up on XRumer.

MalwareAlarm is a rogue security program that provides minimum or no protection. MalwareAlarm uses aggressive and deceptive advertising and the false positives work as goad to purchase. MalwareAlarm installs without user consent. Same application as BraveSentry, DIARemover, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpyTrooper, SpywareNo, & Spyware-Stop. MalwareAlarm is considered a security risk and is recommended to be removed immediately.

Download to your Desktop:
RougeRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : “Registry cleaning - Do you want to clean the registry ?” answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. Both rapport.txt logs from SmitFraudFix
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Mikko Hypponen, Chief Research Officer of F-Secure discusses the various aspects of Crimeware in this YouTube video. Posted by the F-Secure Team.

read more | digg story

A vulnerability has been discovered in Firefox, which can be exploited by malicious people to compromise a user’s system.

The problem is that Firefox registers the “firefoxurl://” URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the “-chrome” parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully patched Windows XP SP2. Other versions may also be affected.

Secunia Advisory SA25984

VirusProtectPro is a rogue security program that provides minimum or no protection and the false positives work as goad to purchase. It shows Poor scan reports and false Detection. The tool shows fake alerts and highly exaggerate low level threats as critical threats. It wont remove any threats until the copy of trial is purchased. VirusProtectPro is a variant of SpyLocked, SpywareLocked, SpyDawn and VirusBurst. VirusProtectPro is considered a security risk and is recommended to be removed immediately.

Download to your Desktop:
RougeRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Note: process.exe ( which is used by SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : “Registry cleaning - Do you want to clean the registry ?” answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. Both rapport.txt logs from SmitFraudFix
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Ultimate Fixer is a rogue security program that uses flawed, inadequate detections scheme and the false positives work as goad to purchase.

Download to your Desktop:
RougeRemover by MalwareBytes
VundoFix by Atribune

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Run VundoFix

• Double-click VundoFix.exe to run it.
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it’s done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES.
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

The Vundo fix log is found at C:\VundoFix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Becuase some variants of Vundo can be difficult to remove it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. VundoFix log
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Nothing like opening your Inbox and getting a flood of emails relating to Independence Day. The following subject lines have been noted by SANS Internet Storm Center:

4th Of July Celebration
America the Beautiful
America’s 231 Birthday
American Pride, On The 4th
Americas B-Day
Celebrate Your Independence
Celebrate Your Nation
Fireworks on the 4th
Fourth of July Party
God Bless America
Happy 4th July
Happy B-Day USA
Happy Birthday America
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show (new)
Your Nations Birthday

This is another flood of the Storm Trojan. If you receive an email with the above or similar subjects don’t click on any links in the message, delete the email immediately. If you click on the link and visit the website, various browser exploits are attempted, and a link is presented to download a file called ecard.exe - better known as the Storm Trojan.

Should you fall victim to this scam, follow the directions in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. ISeeYouXp log
2. HijackThis log
3. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

There is no “Silver Bullet” solution to this infection. A RootKit is installed alongside the Storm Trojan and requires special handling to remove.