<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0"  xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The FreeFixer Blog</title>
<link>http://www.freefixer.com/blog/</link>
<atom:link href="http://www.freefixer.com/rss/blog.rss" rel="self" type="application/rss+xml" />
<description>Blog posts about spyware.</description>
<language>en-us</language>
<copyright>Roger Karlsson</copyright>
<docs>http://blogs.law.harvard.edu/tech/rss</docs><item>
  <title>The state of Internet Explorer after installing the top 20 downloads from Download.com</title>
  <link>http://www.freefixer.com/blog/top-20-bundle/</link>
  <description>Does this sound familiar? You get a call from your parents. There's some problem with their computer.
The printer isn't working, the computer won't connect to the wireless network or something like that.
You go there and fix the problem, but while troubleshooting you also notice that there are some new toolbars
in their web browser. When you ask them about the toolbars they usually say they have no idea how they
got there.</description>
  <pubDate>Fri, 07 Sep 2012 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/top-20-bundle/</guid>
</item>
<item>
  <title>Please give me some feedback on FreeFixer</title>
  <link>http://www.freefixer.com/blog/feedback-please/</link>
  <description>What do you think about the FreeFixer application and the freefixer.com web site? I've set up this blog post 
so you can easily post your feedback. Want to see a new feature? Did you spot a
spelling error? Did FreeFixer fail to remove some malware file? Want to see more screenshots?</description>
  <pubDate>Tue, 08 Jun 2010 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/feedback-please/</guid>
</item>
<item>
  <title>Malware Detection - The Simplest Thing That Could Possibly Work</title>
  <link>http://www.freefixer.com/blog/simple-malware-detection/</link>
  <description>I'm currently experimenting with a new set of features that allows anyone to create malware definitions for FreeFixer. I've started out with the simplest thing that could possibly work: Detection based on file locations. You simply define which files are malware by specifying the file locations in an .xml file. For example, the existence of ld14.exe in the Windows directory indicates that your machine is infected with the Koobface worm. </description>
  <pubDate>Fri, 23 Oct 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/simple-malware-detection/</guid>
</item>
<item>
  <title>Summer of Drive-By Downloads</title>
  <link>http://www.freefixer.com/blog/summer-drive-by-downloads/</link>
  <description>The summer has finally arrived here in Sweden. Now is the time to go swimming, bouldering and do all the other things that require great weather.

As you may know, I've been documenting lots of drive-by downloads and intend to continue doing so during the summer. To make this as smooth as possible I've set up this blog post, which I'll update when I find some new malware that uses security holes to install.

As usual, I'm scanning the infected system with FreeFixer to find out what's been installed on the system. I'm also using FreeFixer to remove the unwanted files. </description>
  <pubDate>Fri, 26 Jun 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/summer-drive-by-downloads/</guid>
</item>
<item>
  <title>Malware Doctor - Another rogue security application installing through security holes</title>
  <link>http://www.freefixer.com/blog/malware-doctor/</link>
  <description>About three weeks ago Avelino Rico Jr over at the McAfee Labs blog reported on a new rogue security program called Malware Doctor.

This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security hole. I've pasted the FreeFixer log and marked the malware items in red: </description>
  <pubDate>Wed, 24 Jun 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/malware-doctor/</guid>
</item>
<item>
  <title>Security Holes, Antivirus System Pro, and testing of a new FreeFixer plugin</title>
  <link>http://www.freefixer.com/blog/security-holes-antivirus-system-pro/</link>
  <description>For the last three days I've been experimenting with a new FreeFixer plugin. The plugin simply lists the most recently modified/created files, which appear at the end of the scan result. Definitely no rocket science, but in the case of a malware infection, I think it can be quite efficient in pointing out the unwanted files.

I've tested the new plugin on some real-world infections picked up by my malware honeypot. All the unwanted files listed in the scan results were installed through security holes. I've marked them in red. During the testing I also ran into Antivirus System Pro, which is another of those rogue anti-spyware programs. Antivirus System Pro uses sysguard.exe as its file name and is located in the c:\Windows folder. You can find more information and screenshots on this rogue over at Bharath's Security Blog.</description>
  <pubDate>Mon, 15 Jun 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/security-holes-antivirus-system-pro/</guid>
</item>
<item>
  <title>June Searches 2009</title>
  <link>http://www.freefixer.com/blog/june-searches/</link>
  <description>I'm obsessed with looking at the traffic stats for FreeFixer.com. About halfway into June,
some new filenames show up among the top searches:</description>
  <pubDate>Thu, 11 Jun 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/june-searches/</guid>
</item>
<item>
  <title>Presto Tuneup - Yet another rogue security product</title>
  <link>http://www.freefixer.com/blog/presto-tuneup/</link>
  <description>A couple of weeks ago a new rogue security application appeared. Here's a FreeFixer log from the infected machine. I've marked the Presto Tuneup file in red.</description>
  <pubDate>Tue, 09 Jun 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/presto-tuneup/</guid>
</item>
<item>
  <title>Top Searches May 2009</title>
  <link>http://www.freefixer.com/blog/top-searches-may/</link>
  <description>Curious to see what the most popular search terms are for FreeFixer.com during May? Here
they are:</description>
  <pubDate>Fri, 29 May 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/top-searches-may/</guid>
</item>
<item>
  <title>More Malware Installing Through Security Holes</title>
  <link>http://www.freefixer.com/blog/security-hole-malware/</link>
  <description>I've been playing around with my malware honeypot for some days now and collected logs when malware installed through security holes. I've pasted the FreeFixer logs below and marked the malware in red.

I'm currently running this honeypot on Windows XP Service Pack 1. I'll run some tests with Service Pack 2 or 3 later on to see if I get the same installs, or if something new turns up.</description>
  <pubDate>Tue, 26 May 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/security-hole-malware/</guid>
</item>
<item>
  <title>System Security Rogue Anti-Spyware Still Going Strong</title>
  <link>http://www.freefixer.com/blog/system-security-rogue/</link>
  <description>Although five months have passed since System Security first appeared, it's still going strong. Yesterday it installed on my malware honeypot by exploiting a security hole:

Here's the FreeFixer log from the infected computer. If you are removing System Security, select the items marked in red:</description>
  <pubDate>Fri, 22 May 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/system-security-rogue/</guid>
</item>
<item>
  <title>Another rootkit infection and some bugs on the TODO list</title>
  <link>http://www.freefixer.com/blog/malware-honeypot-rootkit-infected/</link>
  <description>Yesterday my malware honeypot ran into a nasty infection. As usual, the malware was installed 
just by visiting a web page. To do this, the malware distributor used some security 
hole to get access to the computer. Once the malware had access to the computer it installed a rootkit and hid
a few registry keys to prevent detection and removal. The malware also searched the network
for shared folders with write permission and infected executable files. The malware also prevented 
anti-malware tools such as HijackThis from running and disabled the Task Manager and the registry editors.</description>
  <pubDate>Mon, 18 May 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/malware-honeypot-rootkit-infected/</guid>
</item>
<item>
  <title>FreeFixer's scan result reduced with 70% by whitelisting trusted files</title>
  <link>http://www.freefixer.com/blog/greenlisting/</link>
  <description>As you probably already know, FreeFixer is a tool that helps you manually analyze and identify unwanted software on your system. Once you have identified the malware on your computer, you can just mark it for deletion and FreeFixer will remove it for you. Since January 2009 I've been adding many new scan locations, which increase the chance of spotting the malware. The drawback is that the size of the log file has been growing, and I have to admit that it can be a time-consuming task to go through all the items and check whether each one should be considered safe or unwanted. Typically there are just one or two malware items in the scan result on an infected machine, and these may go undetected when dwarfed by a large number of legitimate items.

With version 0.38 of FreeFixer I introduced trusted files. These are files which have been signed by established and trusted software publishers, such as Microsoft, Adobe, TrendMicro, etc. The trusted files appear with a green background color in the scan result, to signal that they are legitimate. Please note that the trusted files will not appear in the FreeFixer log file. This will make it easier for the people helping out at the FreeFixer helper forums, who often use the log file to manually identify the unwanted software. </description>
  <pubDate>Tue, 21 Apr 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/greenlisting/</guid>
</item>
<item>
  <title>Malware or legitimate?</title>
  <link>http://www.freefixer.com/blog/malware-legitimate/</link>
  <description>Are you struggling to figure out if a file listed in FreeFixer's File Database is malware or a legitimate file that you want to keep on your computer? Hopefully this guide will help you.</description>
  <pubDate>Tue, 31 Mar 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/malware-legitimate/</guid>
</item>
<item>
  <title>Need assistance removing spyware? I'm here to help</title>
  <link>http://www.freefixer.com/blog/help-removing-spyware/</link>
  <description>Hello, my name is Roger Karlsson. I'm the programmer of FreeFixer. FreeFixer is a tool for manual identification and removal of spyware, trojans, adware, and other types of unwanted software. 

I've set up a discussion group where you can post your FreeFixer log. This is a free service. It will not cost you anything except five minutes of your time. I'll respond as soon as possible. Please go through the following steps to post a log: </description>
  <pubDate>Fri, 20 Feb 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/help-removing-spyware/</guid>
</item>
<item>
  <title>CiD Popups and Messenger Plus</title>
  <link>http://www.freefixer.com/blog/cid-popups/</link>
  <description>So what kind of crap do we have here? Non-labelled popups, a useless uninstaller, 
randomly named files with useless file properties, placed in a hidden folder.
All this bundled with an application with more than 400 million downloads...</description>
  <pubDate>Fri, 13 Feb 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/cid-popups/</guid>
</item>
<item>
  <title>Monday Morning Rootkit</title>
  <link>http://www.freefixer.com/blog/monday-morning-rootkit/</link>
  <description>Monday morning and here's another security hole exploit. This one installs
some new files and configures the machine to start them every time a user logs in.

Usually when it comes to these exploits, there's some ad component installed that starts popping up
adverts for a rogue anti-spyware program, but not this time. There were no
signs of an infection unless you started examining the process list or
the registry.

As a matter of fact, the init.exe process listed below
is hidden from programs that enumerate the processes running on the machine. It does not appear
in the Windows Task Manager nor in FreeFixer's process list. It does not appear in FreeFixer's
hidden process list either, which indicates that it may be a kernel level rootkit, which FreeFixer 
cannot detect at the moment. It does however appear under the 'UserInit' listing in the scan result. </description>
  <pubDate>Mon, 19 Jan 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/monday-morning-rootkit/</guid>
</item>
<item>
  <title>What is going on 2009</title>
  <link>http://www.freefixer.com/blog/what-is-going-on-2009/</link>
  <description>Yesterday I ran into a site that installs a software component that
opens up a fake Windows Firewall alert message saying that you are infected with Win32.Zafi.B.

If you click the link in the fake alert message you will land at www.defender-review.com
where the rogue anti-spyware program Perfect Defender 2009 is promoted.

Another observation about this exploit is that it hides its main process,
ocboo1892823.exe, from the user. This process is executing on the machine, but it
does not appear in the Windows Task Manager, nor in any other program that
enumerates processes using standard procedures.</description>
  <pubDate>Fri, 09 Jan 2009 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/what-is-going-on-2009/</guid>
</item>
<item>
  <title>A new year - Same old spyware</title>
  <link>http://www.freefixer.com/blog/a-new-year-same-old-spyware/</link>
  <description>The last two months have been rather hectic. At the end of November I started to work for a 
game developer. So far it has been a great experience, but unfortunately I've had to set the goals
for FreeFixer a bit lower than before. Anyway, it's a new year, FreeFixer 0.26
has been released, and the same old spyware is installing through security holes. The infections listed
below were extremely nasty since they made the computer crash with a blue screen around 60 seconds
after every reboot.</description>
  <pubDate>Sun, 03 Feb 2008 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/a-new-year-same-old-spyware/</guid>
</item>
<item>
  <title>Myspace profiles link to security exploit</title>
  <link>http://www.freefixer.com/blog/myspace-exploit/</link>
  <description>Recently the problems over at Myspace have gotten plenty of media attention. In short, some hacker has been able to add a background image covering the majority of many Myspace profile pages. If you click any of the links displayed on the profile page, you will be taken to the hacker's web site instead of the place where you intended to go. The hacker's web site will ask you to install some face codes, but more interestingly it also exploits a security hole in unpatched systems to automatically install software.</description>
  <pubDate>Mon, 12 Nov 2007 00:00:01 GMT</pubDate>
  <guid>http://www.freefixer.com/blog/myspace-exploit/</guid>
</item>
</channel></rss>
