Johnny Chin

svchost.exe and rundll32.exe used to load a malware/spyware DLL

Mar 5th, 2010 by Johnny

clicking search page links,
results in randomly redirected URL pages
svchost.exe and rundll32.exe used to load malware/spyware DLL

Today, for the second time in a month, I was asked to help remove a spyware/malware from a computer running Windows XP SP3. In both cases, the symptoms were identical. The user immediately noticed something was wrong because their web browser started to behave oddly. Here is what happened:

Open the web browser of choice (IE or Firefox or Opera) and load a search portal (Google, MSN or Yahoo) site
type in something to search (“winter coat”)
on the results page, if you right-click on a link and “open in new tab/window”, the page opens and immediately gets redirected to some other random page (usually some other portal site)
HOWEVER, if you right-click on a link and select “copy shortcut”, then MANUALLY open a tab and paste the link, the page opens just fine

The first time this happened (Feb. 3, 2010), it was on a friend’s computer and he is a veteran IT person (network system administrator for 10+ years). He keeps his computer very secure, usually.

We checked the usual system settings (network settings, proxy settings, “odd” programs running, etc.). We ran the usual anti-spyware and anti-virus scans, call came back clean as usual.

Avast AntiVirus – clean
ClamAV – clean
HiJackThis – normal
MalwareBytes – clean
Spybot SD – clean

However, running the SysInternals utility, PROCEXP.EXE, I happened to notice this line:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
which was running as a sub-process under svchost.exe (C:\WINDOWS\system32\svchost.exe -k netsvcs).

The file “C:\WINDOWS\system32\efsadub.dll” (notice the “b” in the filename) had its special bits set as “read-only”, “hidden” and “system”. When we try to change the attributes, we get “Access Denied” (even from an Administrator account). Hell, we even tried to access this in Safe-Mode Command Prompt Only, we get the same error. We could not rename the file either, obviously.

I was finally able to change the attributes and rename the file after running “CACLS.EXE efsadub.dll /G EVERYONE:F” on the file. Once the file was renamed and the computer rebooted, the problem went away. I was able to delete the offending file afterwords.

For the VirusTotal analysis report on the file “efsadub.dll“, goto:
http://www.virustotal.com/analisis/b1ff584a9b490418a159ab4afe85ae1802e4c4634c942756640a4411467ef25d-1264975725

Today (March 5, 2010), a client called and his computer had the same symptoms. Again, I checked the usual suspects (running programs, etc.) and performed the usual scans (anti-virus, anti-malware, etc.). They all came back “clean”. However, I did notice that the signatures were slightly dated (about a month old). When I tried to update them, error messages resulted. MalwareBytes gave an error and hung in a loop. Symantec Anti-Virus LiveUpdates just failed.

ClamAV – clean
MalwareBytes – clean
Symantec Anti-Virus – clean

I then ran the PROCEXP.EXE utility from SysInternals. There were no odd DLLs loaded like the last time. Hmm… so this is not exactly the same as last time.

Since this had to be a malware that loaded at startup, I decided to check the System Services. I then noticed an “odd” service running named “Server WebCheckChannelAgent Performance Folder Provisioning Icon Driver CPL”, with a short-name of “srvoko6”. I tried to disable it and it kept resetting to “Automatic”.

Looking at the properties of this service, revealed that it was loading via “%SYSTEM%\svchost.exe –k netsvc6”. I searched the web on the terms “srvoko6” and “netsvc6”, I came across this site:
http://www.threatexpert.com/report.aspx?md5=c801bd4576fc95cb03e918950edd21a1
which mentions the “ok6o.dll” and “ok6o.sys” files. So I searched for those files, and found them (they were not hidden). Trying to rename them worked, but they were immediately recreated by the malware.

NOTE: the above ThreatExpert site reports that this service was also named “Office Workstation Remote”. This tells me that the service display name can vary.

Instead, I used “CACLS.EXE” to change access permissions to these files so that nobody (or system service) was allowed to access them. Rebooted the computer and verified that the malware was no longer actively running. This time, I was able to successfully disable the service and renamed the “ok6o.dll” and “ok6o.sys” files.

I was then able to restore permissions to those files and delete them. Updated signatures for MalwareBytes and Symantec Anti-Virus, followed by a complete system scan. This time those programs found the installer stub files “C:\WINDOWS\bill103.exe” and “C:\WINDOWS\rdr_1267369102.exe” (which most likely are random filenames the initial download script created).

For the VirusTotal analysis on the file “o6ko.dll“, goto:
http://www.virustotal.com/analisis/7d6d2edc4eac763bc687e578008474dc85245b1e55d5ca5ae958d220f4802fbf-1267641995

For the VirusTotal analysis on the file “o6ko.sys“, goto:
http://www.virustotal.com/analisis/d599b5fb31b6387ff7e540fabb655bbde0990ce9db1e6f1918bec6ac21d43278-1267374431

As you can see from the VirusTotal analysis reports, not all anti-virus scanners detect or flag these files. So, for most of these malware/spyware, it still requires manual detection and removal.

STRONG WARNING: be very careful of websites that tells you do download an executable to remove the malware/spyware. If you are not familiar with the website, DO NOT download and run the program, it can possibly install another piece of malwayre/spyware onto your computer. It is best to call a professional (or at least someone who knows with 100% certainty what they are doing) to clean your computer.

NOTICE: when renaming files and changing attributes or permissions, it is strongly advised that you do those via command-line commands in the “Command Prompt” window. If the malware/spyware is attached to the Windows Explorer process and/or its handles, it can intercept your mouse-click commands, making it seem like you did what you wanted to, but in reality the malware/spyware actually created another copy of itself with a different name and reinstalled itself using those new copies. The “Command Prompt” method is the most secure way of doing this work; however it is a lot of typing.

Feel free to post comments below if you need help or have recommendations.

Posted in Microsoft Windows, computer stuff, network security, spyware / viruses / worms, tweaking / hacking / fixing | No Comments »

RIMM Blackberry breaks Google MAIL Messages Integration

Feb 9th, 2010 by Johnny

This past weekend, I upgraded from a Blackberry Curve 8320 to a Blackberry Bold 9700 and I noticed that there was a new Blackberry Enhanced GMAIL plug-in that gives you access to your GMAIL (and Google Apps Mail) account labels, as well as “mark as spam” and the ability to “star” a message. Great! However, it required you to delete your existing GMAIL account from the Blackberry and re-add it.

Well, RIMM / Blackberry broke the Google MAIL Messages Integration in their BIS service, but the GMAIL plug-in works as described (and that is GREAT). Here is what I found.

If you have a working GMAIL account on your Blackberry, think twice before proceeding.

Once you’ve re-add the GMAIL account using the default Blackberry method (fill in the e-mail address and password, then Blackberry figures out the rest). So this mode is what some service providers are calling “G-IMAP”. Also, this seems the only option if you are adding the accounts from the handset itself. Once you have “synced up” (activated) the account, your GMAIL INBOX messages can be found in the “email address” icon and the Blackberry Messages (which is what it should do). However, your GMAIL ARCHIVED messages (those that “skip the inbox” via a GMAIL filter automatically) will also show in your Blackberry Messages (all messages folder, the “M” button), which is NOT what it is suppose to do. That is a problem for me, as I have a lot of e-mail that I filter away from the INBOX and do not want to see on my Blackberry.

So, I decided to try setting up the account and force it to use the old IMAP setting. To do this you must be adding the e-mail account from the BIS web interface from your service provider; go to add another e-mail to the Blackberry, but this time, I leave the password field blank so that it would now ask me for the server settings. On the next screen, put in “imap.gmail.com” for you server settings. Again, Blackberry figures out the rest of the settings. Let us now call this “IMAP” setup, which it is (and it does NOT use the new Blackberry GMAIL plug-in). However, Blackberry decides that for this particular IMAP server (imap.gmail.com), it should check “All Mail” and not the “INBOX” folder. Once again, we face the same situation with GMAIL ARCHIVED messages showing up in the “Messages” folder on the Blackberry.

Now, for a work around. For the “IMAP” setting configuration we just did, we can go and change the IMAP server name to “gmail-imap.l.google.com” (which is a CNAME for “imap.gmail.com”). Save your settings. Your GMAIL account is now back to the way it should work (before Blackberry decided to make its non-standard changes and break the GMAIL integration). NOTE: this does not use the Blackberry GMAIL plug-in, so in order to “mark as spam” or “change labels” you need to install the Google GMail App.

I’ve spent over 4 hours on the phone today explaining first to T-Mobile, then to a RIMM Blackberry customer service, then a Blackberry tech at RIMM, and then finally another RIMM Blackberry tech who had “access to a RIMM Blackberry Analysis:”. They kept saying it was my Blackberry configuration that was wrong, like my BIS Filters were set incorrectly (which were set correctly) and that my “Service Book IDs” were incorrect causing the problem. To top it off, they say that because I kept deleting the account and recreating it, my “Service Book IDs” will keep changing and resulting in blah blah blah.

Finally, I got him (Don) to agree to try it out on a handset himself. So Don was adventurous and said he had no problems with his GMAIL working on his Blackberry. He went ahead and deleted his GMAIL account from his Blackberry and recreated it. Then he want to his GMAIL account and created a filter (for all messages with Subject:archive, “skip the inbox” and “marked as read”). Now I had him send a test message with the subject “archive” from another account to his GMAIL account. He now saw that archived message showed up in his Blackberry Messages “as opened”, which should not have happened. He said “Ah, I see what you are talking about now” and went to talk to an Analyst.

So now Don tells me, it seems to be an isolated case with my account and that he would look into it further. Gave me a case number and said that I should call back in a few days for status updates. What!?!?! I told him that he should “Google” it and see how many other cases of this problem there are. He said he would keep the ticket open for the next 5 days. Oh my goodness, Research In Motion really wants some more bad press?

Damn, must we provide them the code too? All they have to do is fix their “special code” (probably one conditional statement) which pertains to “imap.gmail.com” and no other servers. Most likely they have something that says if the IMAP server is “imap.gmail.com” then check “All Mail” folder instead of letting it check the standard “INBOX” folder like all other IMAP servers it checks.

If you have experienced this issue with your Blackberry, please add a comment below and/or a URL to your forum posts.

Posted in Internet, computer stuff, plugins, tweaking / hacking / fixing | 5 Comments »

Full Body Scanners can Damage your DNA

Jan 19th, 2010 by Johnny

While on New York Fox 5 News website, I came across this article:
TSA Scanners May Violate Rights, Risk Health

What caught my eye, is this section:

Not only has the use of full-body image scanners raised the ire of passengers and serious questions about their constitutionality, but they may also present a serious health risk.

The devices operate on a combination of X-ray technology and millimeter wave technology . Relatively new on the scene, millimeter wave technology has been proven capable of interfering with human DNA. The ultimate results of this exposure remain unknown. Though technically medical devices, the scanners have never been tested or approved by the FDA.

This new “millimeter wave” X-ray technology seems to raise some serious concerns. I, for one, am concerned for my family when it comes to these full body scanners. Some of the questions were raised on the Stranded Passengers blog site are of serious concern. Things like, would it cause birth defects? Cause infertility? Cause birth defects in future babies? Can it cause brain damage? The “millimeter wave” is believed to damage DNA, which cannot be “fixed” or “repaired”. It can permanently affect you and your offspring, as DNA is passed to your future children and grandchildren.

The other technology used in full body scanners is called “backscatter X-ray“.

Other references:
http://strandedpassengers.blogspot.com/2010/01/full-body-scanners-used-on-air.html (they have links to BusinessWeek and New York Times articles)

http://www.reddit.com/r/science/comments/aopsk/the_energy_emitted_by_millimeter_wave_scanners/

Posted in health, network security, terrorism | No Comments »

NY/NJ Port Authority 2-way Radio Problems

Jan 19th, 2010 by Johnny

I just saw this report on NY Fox 5 News (well it took them a little bit of time to post it to their website):
http://www.myfoxny.com/dpp/news/local_news/port-authority-police-radio-concerns-100118

I cannot believe that the NY/NJ Port Authority is not using a “more proprietary” radio frequency. Listening to the radio transmissions, it seems that they are on the same frequency as other civilian businesses using UHF radios. Whoever decided on using those “store bought” (well it has to be from a specialized 2-way radio dealer) radios is kind of a joke.
PA NY NJ

Literally, terrorists can simply get onto that frequency by purchasing one of those easily obtainable radios and keep it keyed up. The Port Authority police would basically have no 2-way radio service. Unlike the Fox 5 News report, it is not a “concern” it is a disaster waiting to happen.

Just imagine, if the TV station transmitters were easily available for purchase by civilians. All that a terrorist needs to do is have one of these transmitters on and send a blank signal (well, more exactly “radio noise”) and effectively it would kill the true signal and nobody would be able to watch a particular TV channel (over-the-air, that is). Now imagine that happening with the cell tower frequencies. Hmmm…. yeah, that is why those frequencies are restricted from civilians.

I think Homeland Security and the NYC Anti-Terrorism Task Force (maybe even the mayor and governors of both states) needs to force the Port Authority to resolve this issue ASAP. It is an easy fix. Just replace the radios and the repeaters. Keeping them UHF radios, would not require them to replace antennas (which can be more difficult). It really is a no-brainer, it is only some money. President Obama seems to be printing them out of the Treasury, so what is another truck load? At least these would actually save lives, unlike those full body scanners which can cause some unknown DNS damage (but that is another post).

So beware while driving through the NY/NJ tunnels and bridges. This issue seems to affect all of them.

Posted in blogging, news & politics, terrorism, tweaking / hacking / fixing | No Comments »

Full Body Scanners at Airports are Useless

Jan 11th, 2010 by Johnny

Recently there has been lots of buzz about using full body scanners in US airports as a means to fight terrorism. Well follks, I hate to burst your bubble, but I personally do not think it would help one bit. The flying public would all get digitally strip searched by the TSA and we will not be any more secure than pre-September 11th.

I can see it now, some dumb TSA agent with a bad day (or a have “fun” day) would take a cell phone video of their scans and post them on YouTube (much like what we see in the news reports today). Granted we are told that the TSA agent would not see the person and be in another room. However, what stops 2 of these agents from working together and coordinating a recording session for pure kicks. The day these start showing up on YouTube or Vimeo and go viral, is the day the lawyers would start having their next few years worth of vacations paid for by the US taxpayers.

On top of that, there is a concern of ionizing radiation exposure. Although they keep saying that the amounts are 1% of a dental X-ray, it is still too much. Consider that during a dental X-ray your body is covered with a lead shield and all metal objects are moved away from the X-ray path. Are we all going to strip our jewelry, watches, coins, keys, cell phones, etc. from our person before being digital strip searched? How much time is this going to take per person? Say in the ideal condition it takes 2 minutes per passenger. Multiply that by the number passengers per flight and flights per hour during peak travel times … we need to take a day off from work just to fly to our meeting that evening (if not the next day).

Since these body scans are 3D, what is stopping some enterprising person from capturing the images and making physical dolls of some famous person or celebrity, then selling them? How many people would like to have their physical characteristics made publicly available to the world to see and touch?

These new scanners are designed to see-through the clothes. What happens when a terrorist decides to weave the bomb into their clothing? Are we all suppose to fly naked next? Computer programmed code is the “secret sauce” behind these scanners. What is to stop someone from “reversing” or “hacking” this video stream and show the facial features of the person being scanned? (already happened, see links at the bottom of this blog) Remember, the recent TSA issue of the digitally blacked-out operations manual, which outlined all of their security weaknesses?

Bottom line, my opinion is that these full body scanners are:
1. an invasion of privacy (just imagine a sexy, well figured, lady having her TSA body scan images posted all over the Internet)
2. a few years from now, we will start hearing about people who travel more frequent than average having tumors
3. the delays would cause the travel industry to take another hit and may even cause more airlines to go out of business; how does that help the economy?

Lastly, has the government even considered getting that head out of the hole in the wall and realize that the flying cargo goes 90% unchecked? To get a bomb to go off in a plane can be as simple as shipping something as air cargo in the belly of the flight you want to permanently cancel.

I think if the United States would stop telling other countries what they should or shouldn’t do, we will have a lot less terrorism and hatred aim toward us. Granted I believe is spreading democracy, however, President Obama “demanding” other countries to do what he says is going too far. It just pisses off (or at least give reason) for Al-Qaeda and others extremist groups to target America. Time for America to demonstrate with loving actions to others that we are there to help and not control other countries. Hell, America can start by helping our own American citizens. Obama, where is the mid-class American citizen’s bailout? We should have never bailed out people and companies who made bad decisions, but that is for another blog entry.

Given all these extra technological steps (mostly useless, in my opinion) to prevent terrorism (more like an invasion of privacy), no wonder why so many more people are driving to their destinations when possible, instead of flying. At least I know I won’t get digitally strip searched and potentially have those images posted on the Internet before I jump into my car and drive.

—–
Updates:
info posted by ABC News 7online: http://abclocal.go.com/wabc/video?id=7197652

read: TSA lies exposed: Full-body scanner machines do save and transmit images, secret documents reveal

full-body scanned images can be inverted to show image of nude women (with her face), see: Full-body scanner cannot replace diplomacy but imposes indecency on billions. Law says indecent exposure is crime, doesn’t it?

more proof of how perverted the scans can be, see: Ban ‘naked body’ scanners

—–
see what people are tweeting about on this topic:
http://twitter.com/#search?q=body%20scanner
.

Posted in health, news & politics, terrorism | No Comments »

Chase Credit Cards double-dipping finance charges

Jan 8th, 2010 by Johnny

Just received my Chase Credit Card statements today. I have not used their credit cards since my last post a month ago. Those statements were $16 each, all finance charges from a previously 1-day late payment. Well guess what? I just got statements for $1.50 each, all of which are finance charges for the completely paid off $16 balance from last months statements. WTF! A finance charge for a finance charge that they charged for a zero balance statement! This is total robbery. Kind of reminds me of the stories of loan sharks in movies. This should be totally illegal.

My previous post on this: http://www.johnnychin.com/blog/2009/12/chase-credit-cards-royally-suck/

Posted in finance | No Comments »

U.S. Drones Hacked

Dec 17th, 2009 by Johnny

According to a Wall Street Journal report, our pilotless drones has been hacked into.
References:
http://cbs2.com/national/predator.drones.hacked.2.1375262.html
http://online.wsj.com/video/news-hub-was-us-intelligence-compromised/A0CDCC4B-0DB5-4C0E-A41C-FC2C16CA3BE7.html

I cannot believe the video feeds are NOT encrypted! In this day and age, what is the Department of Defense thinking?

Posted in computer stuff, network security, news & politics | No Comments »

Do You Know It’s Christmas Time?

Dec 17th, 2009 by Johnny

With the current economy and the stress of work, I have not been really feeling the Christmas spirit this holiday season.

Today, this old song played on the radio in the car and it reminded me of what Christmas should be about. It should be about the love of Jesus Christ and remembering his birth. In celebration of his birth we should be help those around us just has He taught us. Unfortunately, with the current state of the economy, many of us feel that we cannot offer much in terms of finances or gifts. Others have said that we can offer our time. However for many, like myself, are stressed and overworked with our jobs, so “time” is not something we have much to offer to others.

So this holiday season, I am hoping I can gain some Christmas spirit and be able to bring a some love and joy to those around me. May God bless you this Christmas holiday with warmth and love.

Enjoy the video:

Merry Christmas … Happy Holidays !!!

Posted in family stuff, finance, videos | 2 Comments »

Pink Glove Dance

Dec 5th, 2009 by Johnny

This YouTube video was sent to me via e-mail.
It is for Breast Cancer Awareness.

Posted in music video, videos | No Comments »

Chase Credit Cards royally suck

Dec 3rd, 2009 by Johnny

I’ve been a Chase Bank customer for 25+ years. Today I received my credit card statement and it showed an amount due. I found that odd because I didn’t charge anything since I paid off the statement last month. Looking into it I found that …
late fee $15, posted 11/22.
full payment $49, posted 11/23.
finance charge of $1, posted 11/27.
statement closing date 11/27 with an amount due of $16 (all fees).

WTF! This is ridiculous! $16 in fees for a $49 charge for one-day late! That is almost loan-sharking at 979.59% per MONTH (which equals to 11755.10% per year). Gee wouldn’t it be nice to make those kinds of returns! If any citizen did this, they would be locked up!

I then proceeded to call Chase and see if they can reverse the charges. The first customer service rep said “Late is late. And you are late by one day, so there is nothing that I can do. Unless it is a Chase fault, we cannot do anything.” She then proceed to try and sell me a credit protection service. I hung up and called back. The 2nd customer service rep was even worse. He basically said, “there is nothing I can do and if you don’t like our policy, you can close the account.”

Holy crap! I guess they don’t like customers who pay off their credit card bills each month, despite the fact they make 2-3% off the merchants where I use their cards.

Another surprise. When I called back a 3rd time, the customer service rep told me that Chase sent out a notice with their statements a few months ago stating that there is a 5-day change in their grace period. She claims that Chase increased the grace period to 20-days. Upon more careful examination, I found that Chase reduced it to 20-days; but that is not all and this is what I found:
My statement closing dates were always the 27th or 28th of the month and my charges were due on the same day (historically for years).
Now, my statements still close on the same 27th or 28th. However, the due dates are now 5-6 days earlier! To make things worse, I’ve noticed that my statements are not arriving before the 1st of the month like they used to. Instead, they are now arriving around the 4th or 5th of the month. So this means they are holding (or printing late) the statements before they mail them out. This basically cuts the time we have to look over the statements before paying them, down to less than 10 days from 20 days (taking into account 2-5 days Chase holds the money before posting it to the credit card account). In my recent case, the funds cleared out of my bank on the 20th, yet Chase posted it on my statement on the 23rd.

This royally sucks! Chase is basically playing with our money for those few days all interest free and yet, they want to rape their long-time customers because they are not making enough from us simply paying on-time (fundamentally no risk to Chase for making 1-3% per charge from the merchants, after the upto 1% cash back they give the card holder). Chase now wants their good paying customers to pay them 200-300% per year like those higher risk customers who defaults or file bankruptcy.

Totally ridiculous. I guess this is the way JP Morgan Chase makes up the money their investment banking side is losing to rival Goldman Sacks. Something has to look decent on the balance sheets for their shareholders.

Well as of today, I am going to move all of my monthly recurring charges to non-Chase cards (and I have a few Chase cards). The Amazon.com, Buy.com and Toys-R-Us cards now going into the drawer and staying there (except for the one charge per year to keep the card active). I am not closing the accounts as that would end up hurting my credit score with a lower debt to credit ratio (as per Suze Orman).

I hope you don’t experience this yourself.

Posted in finance | No Comments »

« Older Posts

"The fear of the LORD is the beginning of wisdom: and the knowledge of the holy is understanding." - Proverbs 9:10

"Love must be sincere. Hate what is evil; cling to what is good. Be devoted to one another in brotherly love. Honor one another above yourselves." - Romans 12:9-10
Categories
Archives
March 2010
Sun Mon Tue Wed Thu Fri Sat

1 2 3 4 5 6

7 8 9 10 11 12 13

14 15 16 17 18 19 20

21 22 23 24 25 26 27

28 29 30 31
Blogs
Links
Photography
By Erik Rasmussen

March 2010
Sun	Mon	Tue	Wed	Thu	Fri	Sat

	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

my 2-¢ents worth of thoughts and opinions

clicking search page links,results in randomly redirected URL pagessvchost.exe and rundll32.exe used to load malware/spyware DLL

Categories

Archives

Blogs

Links

Photography

clicking search page links,
results in randomly redirected URL pages
svchost.exe and rundll32.exe used to load malware/spyware DLL