News Items

Jun 16, 2006 09:44PM

The latest wave of worm variants has been extremely tiring. I have been working since yesterday trying to come up with a solution. In the process I discovered and fixed two bugs in AIMFix that have apparently been there since version 1.5 but evidently stayed dormant until an exact set of circumstances arose. I think AIMFix should now remove the items I posted about yesterday, but it will definitely require at least one reboot to make sure the changes take effect. Unfortunately, malicious code doesn't care much about unloading itself from memory, so a reboot is often the only way to stop it running.

The other reason I'm writing is to mention that in many cases the worm disables the Windows Firewall and System Restore, but does so through Group Policy, which prevents the user from re-enabling them. Unfortunately, since this is a policy setting, both items will still be disabled even after the virus is removed. To resolve this you need to use the Group Policy editor to re-enable both:

http://www.windowsitpro.com/Article/ArticleID/47381/47381.html
http://www.pchell.com/virus/systemrestore.shtml (See the last part of the page for Group Policy editing).

In addition to the above, antivirus applications may be disabled or deleted, Internet Explorer security settings may be lowered, and so on. I can't, of course, provide solutions for every possible problem, but you should always verify your security settings after any breach of the system. Of course, the only real cleaning method is to completely reinstall the operating system or restore the entire system from backup.

-Jay
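To see which of the policy values described in the post above are actually set before opening the editor, here is an added example (this editor's code, not part of the original post and not AIMFix's code): a Python script that reads a `reg export` of the policy hive, reports the values that force the Windows Firewall and System Restore off, and prints the `reg delete` commands that return each value to the same state gpedit's "Not Configured" produces. The key paths and value names are the real Windows XP SP2 policy locations; the sample export embedded in the script is constructed for the example.

```python
"""Find the Group Policy values that keep the Windows Firewall and System
Restore disabled after a worm has been removed, from a `reg export` file.

Added example for this page; not AIMFix code. The policy locations are the
real XP SP2 ones, the embedded sample export is constructed.
"""
import re

# key path -> {value name: (DWORD that means "forced off", description)}
POLICY_BLOCKS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {
        "EnableFirewall": (0, "Windows Firewall forced OFF (domain profile)")},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {
        "EnableFirewall": (0, "Windows Firewall forced OFF (standard profile)")},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore": {
        "DisableSR": (1, "System Restore turned off by policy"),
        "DisableConfig": (1, "System Restore configuration locked by policy")},
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` writes for DWORD values.

    Returns {key_path: {value_name: int}}; strings and binary values are ignored.
    """
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group("key")
            values.setdefault(current, {})
        elif current and (m := DWORD_RE.match(line)):
            values[current][m.group("name")] = int(m.group("hex"), 16)
    return values


def find_policy_blocks(text):
    """Return (key, value_name, description) for each blocking policy value present."""
    values = parse_reg_export(text)
    hits = []
    for key, checks in POLICY_BLOCKS.items():
        present = values.get(key, {})
        for name, (off_value, description) in checks.items():
            if present.get(name) == off_value:
                hits.append((key, name, description))
    return hits


def remediation_commands(hits):
    """reg.exe commands that delete each value, i.e. gpedit's "Not Configured"."""
    cmds = []
    for key, name, _ in hits:
        short = key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
        cmds.append(f'reg delete "{short}" /v {name} /f')
    return cmds


# Constructed sample: what `reg export HKLM\SOFTWARE\Policies\Microsoft` might
# contain on a machine the worm has locked down (DisableNotifications is there
# only to show that unrelated values are ignored).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
"""

if __name__ == "__main__":
    import sys
    # `reg export` writes UTF-16 with a BOM, so open a real file that way.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    hits = find_policy_blocks(text)
    for key, name, description in hits:
        print(f"{description}: {key}\\{name}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Usage: `reg export "HKLM\SOFTWARE\Policies\Microsoft" policies.reg`, then run the script on that file and execute the printed commands from an administrator prompt. Afterwards run `gpupdate /force` and re-export: if the values come back, the setting lives in the local GPO's registry.pol rather than only in the registry, and must be set to Not Configured in gpedit.msc as the two articles above describe; on a domain-joined machine the domain policy will win regardless. Deleting the values only removes the lockout; the firewall service itself may still need to be started.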

Jun 15, 2006 03:24PM

There is a new virus out at the moment that is more difficult to remove than most. The symptoms are two services:

O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINDOWS\system32\wgav.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe

These two services work in tandem, and winsock\csrss.exe is set to launch at startup through the "userinit" and "shell" registry keys, from where it can recreate the services and entries. I have updated AIMFix to attempt to remove these services and the associated files and entries as completely as possible. Hopefully this will be successful. If it is not, then I will have no choice but to work on something more low-level, such as a direct kernel module that will have permission to remove these items.

For now I will be crossing my fingers and hoping that the existing update is enough to resolve the problem, since writing a kernel driver is going to be a much more complicated and time-consuming undertaking.

-Jay

Apr 27, 2006 01:34PM

New AIMFix update last night; there was a new variant out that took me a bit longer than usual to find. The worm installs a bogus service:

NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINDOWS\nvsvc32.exe

The real service for the NVIDIA Driver Helper Service looks like this:

NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

The current version of AIMFix has been updated to remove this service and the associated file, so it should take care of that as well. I'll give them a little credit on this one: it took more than one log and more than 30 seconds for me to find it this time.

Thanks to everyone that submitted a HijackThis log and helped me find the issue!

-Jay
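Both the June 15 and the April 27 entries come down to the same triage of HijackThis O23 lines: a service with "Unknown owner", a binary sitting in an odd directory, or a display name borrowing a real vendor's name. Here is an added example (this editor's code, not AIMFix's and not from the original posts): a Python script that parses O23 service lines and F2 Winlogon lines (the `UserInit` and `Shell` values, which is where the "userinit" and "shell" keys from the June 15 post live) and ranks what it finds. The service lines in the sample log are the entries quoted in those posts plus the legitimate NVIDIA service; the two Winlogon lines are hypothetical; the ranking heuristics are this example's own, not AIMFix's.

```python
"""Rank HijackThis O23 (service) and F2 (Winlogon) lines for the
service-impersonation pattern described in the posts above.

Added example for this page, not AIMFix code. Sample log is constructed.
"""
import re

# O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?: \(file missing\))?$"
)
# F2 - REG:system.ini: UserInit=<value>   /   Shell=<value>
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>UserInit|Shell)=(?P<value>.*)$")

SYSTEM32 = r"c:\windows\system32"
# Core Windows binaries that only ever live in system32. A copy anywhere else
# (C:\WINDOWS\winsock\csrss.exe) is the impersonation pattern from the June post.
CORE_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "services.exe",
              "smss.exe", "svchost.exe", "userinit.exe"}
# Stock XP values; HijackThis only reports F2 lines that differ from these.
EXPECTED_WINLOGON = {"UserInit": r"c:\windows\system32\userinit.exe,",
                     "Shell": "explorer.exe"}
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def in_system32(path):
    return path.lower().startswith(SYSTEM32 + "\\")


def triage(log_text):
    """Return (severity, subject, reason) tuples, most severe first."""
    findings, services = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            services.append(m.groupdict())
        elif m := F2_RE.match(line):
            key, value = m.group("key"), m.group("value").strip()
            if value.lower() != EXPECTED_WINLOGON[key]:
                findings.append(("HIGH", f"Winlogon {key}",
                                 f"non-default value {value!r}: something extra runs at every logon"))

    # Vendors that vouch for at least one service in this log ("NVIDIA Corporation" -> "nvidia"),
    # so a display name starting with that vendor but carrying no owner stands out.
    vouched = {s["owner"].split()[0].lower() for s in services if s["owner"] != "Unknown owner"}
    for s in services:
        path, base = s["path"], s["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in CORE_NAMES and not in_system32(path):
            reasons.append(("HIGH", f"core Windows binary name {base} outside system32"))
        if s["owner"] == "Unknown owner":
            if not in_system32(path):
                reasons.append(("HIGH", "unknown owner and binary outside system32"))
            claimed = s["display"].split()[0]
            if claimed.lower() in vouched:
                reasons.append(("MEDIUM", f"display name claims '{claimed}' but file carries no owner"))
            if not reasons:
                reasons.append(("LOW", "unknown owner; verify the file by hash or signature"))
        if reasons:
            worst = min(reasons, key=lambda r: SEVERITY[r[0]])[0]
            findings.append((worst, f"{s['name']} -> {path}", "; ".join(r[1] for r in reasons)))

    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


# Constructed sample log: the service lines are the entries quoted in the posts
# above plus the legitimate NVIDIA service; the Winlogon lines are hypothetical.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winsock\csrss.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winsock\csrss.exe
O23 - Service: NVIDIA Driver Helper Component (NVIDIADriverHlp) - Unknown owner - C:\WINDOWS\nvsvc32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINDOWS\system32\wgav.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for severity, subject, reason in triage(text):
        print(f"[{severity:6}] {subject}: {reason}")
```

Run it against a saved HijackThis log (`python triage.py hijackthis.log`). On the sample it rates both Winlogon values, the NVIDIADriverHlp service and the winsock\csrss.exe service HIGH, leaves the real NVSvc alone, and marks wgav.exe LOW only because it lives in system32 with no owner, which is exactly the entry a person still has to check by hand. The heuristics are deliberately simple: the point is that path and owner together tell you more than the display name the malware chose.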

Mar 22, 2006 12:28PM

Just received an email this morning from Softpedia, a download archiving site:

Your product AIM Fix 1.5.321.1470 has been awarded by us with 5 stars and SoftPedia Pick Award !

You can check the following page to see the various graphical formats of the award:
http://www.softpedia.com/awards/
Your product review page is located at:
http://www.softpedia.com/get/Antivirus/AIM-Fix.shtml

Please feel free to link to us using the URL above. Don't hesitate to contact us for more information.

Sincerely,
       The Softpedia Team

---------------------------------------------------------------------------------------
Softpedia is a library of over 70,000 free and free-to-try software
programs for Windows and Unix/Linux, games, Mac software, Windows drivers,
mobile devices and IT-related articles.
We review and categorize these products in order to allow the visitor/user
to find the exact product they and their system needs.
We strive to deliver only the best products to the visitor/user
together with self-made evaluation and review notes.
---------------------------------------------------------------------------------------

That makes two years running with the "Free & Clean" Award, and now a Softpedia Pick and 5 stars! Way to go, AIMFix! :)

-Jay

Mar 17, 2006 04:37AM

Finally, Webdefenders.net is now home to an actual website! Given that I have very little time on my hands lately, I decided to hand over the domain name to my friends Jay Cross and Chris Carlino. As part of a joint venture, they will be launching Webdefenders as an online spyware/malware blog, dishing out the latest in malware threats and tracking down those responsible for the outbreaks. In a way, you can consider Webdefenders a "research arm" of AIMFix. While millions of people have come to trust my software to remove IM threats from their systems, it has always frustrated me that I couldn't devote the time and effort to finding the malware authors and bringing them to light.

The few times that I have managed to find the person(s) responsible for an outbreak, it has been uniquely satisfying and fulfilling. To that end, I have teamed up with Jay (the other Jay, not me) and Chris, who are well known for their efforts in successfully finding the Xupiter creator and pushing Xupiter itself off the Web. It is our hope that by combining the ability to remove the pest software with the ability to track down the perpetrators responsible, we can make a very real and tangible impact on the safety and security of the Net.

Head on over to the blog and check out the first articles, already posted for your reading pleasure! 

-Jay
