Magic Control

Description

MagicControl is a commercial trojan from dialler manufacturer Electronic Group (eGroup).

It seems to contain code aimed at avoiding personal firewall software installed on the local machine.

Variants

MagicControl/MC: versions 1.0.1.0 to 1.0.1.4, stored in a folder called ‘mc’ in the Windows folder.

MagicControl/Wintrim: versions 1.0.1.5 to 1.0.2.7; folder is now called ‘wintrim’.

MagicControl/Wincomp: version 1.0.2.8; folder is called ‘wincomp’.

MagicControl/Winmgts: version 1.0.2.9; folder is called ‘winmgts’.

Also known as

The Wintrim variant is detected as Persis by F-Secure anti-virus. The Wintrim and Wincomp variants are detected as TROJ_WINTRIM.A by Trend anti-virus.

Distribution

Installed by IEAccess/EGDial and possibly other diallers/loaders from eGroup.

What it does

Advertising

No

Privacy violation

Suspected. The software contacts its controlling servers at secure-firewall.com and nocreditcard.com and passes what seems to be a block of encrypted data, the contents of which are unknown.

Security issues

Yes. May silently download and execute arbitrary code from its controlling servers.

Stability problems

None known.

Removal

From Add/Remove Programs in the Control Panel, choose ‘mc’ (MC variant), ‘wintrim’ (Wintrim variant) or ‘wincomp’ (Wincomp variant). This uninstaller should work, though it requires internet access.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands. For the MC variant:

cd "%WinDir%\System"
regsvr32 /u "..\mc\MagicControl.dll"

Or, for the Wintrim variant:

cd "%WinDir%\System"
regsvr32 /u "..\wintrim\MagicControl.dll"
regsvr32 /u "..\wintrim\EGPing.dll"

Or, for the Wincomp variant:

cd "%WinDir%\System"
regsvr32 /u "..\wincomp\2_wincomp.dll"
regsvr32 /u "..\wincomp\3_1,0,0,5_wincomp.dll"

Or, for the Winmgts variant:

cd "%WinDir%\System"
regsvr32 /u "..\winmgts\2_1,0,2,9_winmgts.dll"
regsvr32 /u "..\winmgts\3_1,0,0,6_winmgts.dll"

Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘cpntmgc’ entry.

Restart the computer and you should be able to delete the entire ‘mc’, ‘wintrim’, ‘wincomp’ or ‘winmgts’ folder inside the Windows folder, and the ‘msegcompid.dll’ file from the System folder (inside the Windows folder; called ‘System32’ on Windows NT, 2000 and XP).

You can delete the ‘iexplore’ folder in Program Files, too (not ‘Internet Explorer’, which is the real IE program folder). Also check to see if you have IEAccess loaded and/or the eGroup certificate in your IE Trusted Publishers list.


lop

What it does

Advertising

Yes. Some shortcut icons are added to the desktop. Many more are added to the Favorites menu. More are on an IE toolbar called ‘Accessories’. The process run on startup also occasionally pops up adverts.

Privacy violation

No.

Security issues

Yes. The startup process can download and execute arbitrary code from its controlling server.

Stability problems

Running the software may cause many ‘dial-up connection’ requests to appear if you are not connected. Windows seems to hang temporarily for a few minutes when this happens.

Removal

lop/Toolbar installations normally put a round icon in the system tray. Try right-clicking this, choosing ‘Menu’, then, in the resulting window, clicking ‘Help’, then ‘Uninstall’. Newer variants make you answer an annoying riddle before the uninstaller will run.


LinkReplacer

Description

LinkReplacer is an Internet Explorer Browser Helper Object that adds content to the start of every web page viewed.

This content is (currently) a script that reads all your cookies and sends them to LinkReplacer’s controlling server wcft.net.

Distribution

As yet unknown.

What it does

Advertising

No.

Privacy violation

Yes. Cookies set by web sites (and sent by LinkReplacer) may contain personally identifying information.

Cookies are also often used for authorising access to web sites. LinkReplacer’s owners will often be able to gain access to your accounts on web sites you have accessed with it loaded.

Security issues

Yes. LinkReplacer can download and execute arbitrary code as an update feature.

On opening a new IE window, LinkReplacer contacts its controlling server to download the script to be added, and a new copy of itself if it has not updated for a while.

Stability problems

Yes. On closing an IE window you may receive an ‘Application Error’ crash in IEXPLORE.EXE.

Adding the script to the very start of each page can cause web pages that rely on a standards-compliant document type to render badly in IE6.

Removal

Open a DOS command prompt window (Start->Programs->Accessories) and enter:

cd "%WinDir%\System"
regsvr32 /u iehelper.dll

Restart the computer and you should be able to delete the file ‘iehelper.dll’ inside the System folder (inside the Windows folder; called ‘System32’ under Windows NT/2000/XP or ‘System’ under Windows 95/98/Me).

You might also want to change the passwords on web site accounts you have that LinkReplacer may have compromised.


KeenValue

Description

KeenValue is adware operated by eUniverse.com.

Variants

KeenValue/v1, original version, consisting of a single process (keenvalue.exe) run at startup, which spawns pop-ups. This variant cannot

KeenValue/Incredifind adds a second process, kwm.exe, to monitor web sites viewed for ad targeting. It also includes a hosts-file hijacker redirecting Netscape Search to incredifind.com, an address-bar-search and error-page hijacker pointed at incredifind.com (redirecting to sirsearch.com), and an Internet Explorer toolbar providing a search field pointed at sirsearch.com.

(The PowerSearch toolbar is a customised version of Visicom Media’s ‘Dynamic Toolbar’, other variants of which are not known to be parasitic.)

Distribution

Included in software supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com.

Also installed by the FavoriteMan parasite.

What it does

Advertising

Yes, opens pop-up ads periodically; in the Incredifind variant these may be triggered by targeted terms in pages being viewed.

Privacy violation

The software’s terms claim it may send all URLs viewed to its controllers. This behaviour has not been observed to happen in current versions of the software. In the Incredifind variant, the error-page hijack feature does leak some trackable information on pages viewed.

Security issues

Yes. Can download and execute arbitrary code as directed by its controlling server, as an update feature.

Stability problems

There may be problems closing keenvalue.exe when shutting the computer down.

Removal

The v1 variant may be removed from the Control Panel’s Add/Remove Programs feature. Choose ‘KeenValue’ and click ‘Remove’.

The Incredifind variant can be partially removed using the ‘KeenValue’ and ‘PowerSearch toolbar for IE’ entries in Add/Remove Programs, if an internet connection is present.

Manual Removal

For the Incredifind variant, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\BHO.dll"
regsvr32 /u "\Program Files\PowerSearch\Toolbar\pwrs0rbi.dll"

Next, for either variant, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Remove the ‘KeenValue’ entry. You can also delete the following keys to clean up, if you wish:

HKEY_CURRENT_USER\Software\Visicom Media\PWRS0RBI
HKEY_LOCAL_MACHINE\SOFTWARE\eUniverse
HKEY_LOCAL_MACHINE\SOFTWARE\KeenValue

(Also the ‘KeenValue’ and ‘PowerSearch’ keys from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall can be deleted if you still have them.)

Next, restart your computer and you should be able to delete the ‘KeenValue’ folder inside the Program Files\Common Files folder. For the Incredifind variant you can also delete the Program Files folders ‘PowerSearch’, ‘Incredifind’ and ‘Dynamic Toolbar\PWRS0RBI’.

Finally, restore your search settings (Internet Options->Programs->Reset Web Settings), and remove the Hosts file hijack: open the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT, 2000 and XP), go to ‘drivers’->‘etc’, and load the file ‘hosts’ (with no file extension) into a text editor. Delete the following line and save.

12.129.205.209 search.netscape.com
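The hosts-file hijack above is the one line the page names, but the same check generalises: a hijack is any hosts entry that maps a name other than localhost to an address outside the loopback range. The script below is an added example (not part of the original page or of KeenValue) that parses a hosts file, reports such entries and can emit a cleaned copy. The hosts text embedded in it is constructed for the example and includes the search.netscape.com line; the default file location under %SystemRoot% is the standard Windows NT/2000/XP path. Legitimate static entries (an intranet server, say) will be reported too, so treat the output as a review list rather than deleting blindly.

```python
"""Find hosts-file hijacks: non-local names mapped to non-loopback addresses.

Added example, not part of the original page. Run with no arguments to check the
constructed sample, or pass a path (or --clean <path> to print a cleaned copy).
"""
import ipaddress
import os
import sys

# Constructed sample, not captured from a real machine. Line 3 is the
# KeenValue/Incredifind hijack the page tells you to delete.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
12.129.205.209  search.netscape.com
"""

# Names that legitimately appear in every hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Standard location on Windows NT/2000/XP; assumed here, override with argv.
DEFAULT_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                            "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (line_number, address, [names]) for each mapping line, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names maps nothing
        yield lineno, parts[0], parts[1:]


def is_hijack(address, names):
    """True when a non-local name is pointed at an address that is not loopback/unspecified."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed line; Windows ignores it, so it redirects nothing
    if addr.is_loopback or addr.is_unspecified:
        return False  # 127.x / 0.0.0.0 / ::1 sinkholes are how ad blocklists use hosts
    return any(name.lower() not in LOCAL_NAMES for name in names)


def find_hijacks(text):
    """Return [(line_number, address, [names])] for every suspicious mapping."""
    return [(lineno, addr, names) for lineno, addr, names in parse_hosts(text)
            if is_hijack(addr, names)]


def clean_hosts(text):
    """Return the hosts text with hijack lines removed; all other lines are kept verbatim."""
    bad = {lineno for lineno, _, _ in find_hijacks(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--clean"]
    path = args[0] if args else None
    text = open(path, encoding="latin-1").read() if path else SAMPLE_HOSTS
    if "--clean" in sys.argv:
        sys.stdout.write(clean_hosts(text))
    else:
        for lineno, addr, names in find_hijacks(text):
            print(f"{path or '<sample>'}:{lineno}: {addr} -> {' '.join(names)}")
```

Redirect the `--clean` output to a new file and swap it in once you have checked the report; on NT-family systems the hosts file is only writable by an administrator.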

ISTbar

Description

ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

Variants

ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an ‘AUpdate’ process.

ISTbar/MSCache also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.

ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the Pugi toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

ISTbar also installs other parasites: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus; the MSCache variant installs nCase and the Wink/EasyDates dialler.

Also known as

The AUpdate variant is known as SearchBarCash-Hijacker, and the MSCache variant as MSUpdates\MSCache, by Ad-Aware.

Distribution

Installed by ActiveX drive-by download on affiliate sites; typically porn in the case of XXXToolbar, from April 2003. An ‘aggressive’ downloader is usually used: if you refuse the download, a JavaScript alert complains that it won’t take no for an answer and opens the download window again.

ISTbar/MSCache was widely distributed to victims clicking on links to the ‘OutWar’ online game.

What it does

Advertising

In the XXXToolbar variant, yes: opens pop-ups as directed by its controlling server. Otherwise, no, though the TinyBar component could be used to open pop-ups.

All versions also install other third-party software which includes advertising.

Privacy violation

No.

Security issues

Yes. Can download and execute arbitrary unsigned code from its controlling server. This is used both to update the software and to install third-party software.

Stability problems

None known.

Removal

There is an entry in Add/Remove Programs for ‘MS AUpdate’ (AUpdate variant), ‘MS Updates’ (MSCache variant) or ‘ISTbar’ (XXXToolbar variant). Unfortunately this doesn’t remove the toolbar in the AUpdate variant, or RapidBlaster in the AUpdate or XXXToolbar variants; in the MSCache variant it does not appear to work at all.

Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.


Manual removal

AUpdate variant

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘AutoUpdater’ entry on the right (pointing to aupdate.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey ‘{69550BE2-9A78-11D2-BA91-00600827878D}’. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and you should be able to delete the files ‘aupdate.exe’, ‘aupdate.conf’, ‘aupdate.trk’ and (if it is there) ‘aupdate_uninstall.exe’ from the System folder. (The System folder can be found inside the Windows folder; it is called ‘System32’ on Windows NT/2000/XP or just ‘System’ on Windows 95/98/Me.)

Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster and DownloadPlus.

MSCache variant

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\mscache.dll"

Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘MS Updates’ entry on the right (pointing to mscache.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey ‘{69550BE2-9A78-11D2-BA91-00600827878D}’. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and you should be able to delete the files ‘mscache.exe’ and ‘mscache.dll’ from the Windows folder.

Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with nCase and Wink/EasyDates.

XXXToolbar variant

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘IST Service’ entry, if it is there. (Some early releases of XXXToolbar did not include this.)

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

Restart the computer and you should be able to delete the ‘ISTbar’ folder inside Program Files, and the ‘istsvc.exe’ file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if you like.

Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster.
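The registry steps for MagicControl (the ‘cpntmgc’ Run entry), KeenValue (the ‘KeenValue’ Run entry) and the three ISTbar variants (the ‘AutoUpdater’, ‘MS Updates’ and ‘IST Service’ Run entries, plus the TinyBar CLSID under HKEY_CLASSES_ROOT\CLSID, Explorer Bars and Toolbar) are all of the same shape: find a named value or key and delete it. The script below is an added example, not part of the original page or of any of the products it describes. It parses a registry export (for instance from `reg export` on Windows XP or later, or regedit’s File->Export), flags the entries this page names, and prints the matching `reg delete` command for each so the removal can be reviewed before it is run. SAMPLE_REG is a constructed export, not a capture from a real machine; the executable paths in it are where this page says the files live.

```python
"""Audit a .reg export for the autostart and toolbar entries named on this page.

Added example, not part of the original page. Run with no arguments to audit the
constructed sample, or pass the path of an exported .reg file.
"""
import re
import sys

# Constructed sample export. ctfmon.exe is a normal Windows XP entry kept to
# show that only the page's entries are flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KeenValue"="C:\\Program Files\\Common Files\\KeenValue\\keenvalue.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AutoUpdater"="C:\\WINDOWS\\System32\\aupdate.exe"
"MS Updates"="C:\\WINDOWS\\mscache.exe"

[HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{69550BE2-9A78-11D2-BA91-00600827878D}"=""
"""

# Run-key value names this page tells you to delete, and the executables it
# names as started by them (or as the file to delete afterwards).
KNOWN_RUN_NAMES = {"cpntmgc", "keenvalue", "autoupdater", "ms updates", "ist service"}
KNOWN_RUN_FILES = {"keenvalue.exe", "aupdate.exe", "mscache.exe", "istsvc.exe"}
# CLSID of the TinyBar toolbar registered by ISTbar/AUpdate and ISTbar/MSCache.
TINYBAR_CLSID = "{69550BE2-9A78-11D2-BA91-00600827878D}".lower()

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo the \\" and \\\\ escaping used inside quoted .reg strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a REGEDIT4/5.00 export into {key_path: {value_name: data}}; empty keys map to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue  # hex:/dword: continuation lines are not needed for this audit
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; other types are kept as raw text
        keys[current][name] = data
    return keys


def exe_name(data):
    """Lower-cased file name of the first .exe in a Run value (ignores quoting and arguments)."""
    m = re.search(r'([^\\/"]+\.exe)', data, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def audit(keys):
    """Return [(key, value_name_or_None, reason)] for each entry the page says to remove."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\microsoft\\windows\\currentversion\\run"):
            for name, data in values.items():
                if name.lower() in KNOWN_RUN_NAMES:
                    findings.append((key, name, "Run entry named on this page"))
                elif exe_name(data) in KNOWN_RUN_FILES:
                    findings.append((key, name, "Run entry starts " + exe_name(data)))
        elif k.endswith("\\clsid\\" + TINYBAR_CLSID) or k.endswith("\\explorer bars\\" + TINYBAR_CLSID):
            findings.append((key, None, "TinyBar CLSID key"))
        elif k.endswith("\\internet explorer\\toolbar"):
            for name in values:
                if name.lower() == TINYBAR_CLSID:
                    findings.append((key, name, "TinyBar toolbar entry"))
    return findings


def reg_delete_commands(findings):
    """Render findings as reg.exe commands (built into Windows XP and later) for review."""
    return [f'reg delete "{key}" /f' if name is None else f'reg delete "{key}" /v "{name}" /f'
            for key, name, _ in findings]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()  # 5.00 exports are UTF-16 with a BOM; REGEDIT4 is ANSI
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("latin-1")
    else:
        text = SAMPLE_REG
    found = audit(parse_reg(text))
    for (key, name, reason), cmd in zip(found, reg_delete_commands(found)):
        print(f"{reason}: {key}" + (f" -> {name}" if name else ""))
        print("    " + cmd)
```

The generated commands delete only what the page lists; the LinkReplacer and lop sections give no registry names, so nothing is flagged for them. Export under an account that can read HKEY_LOCAL_MACHINE, and on Windows 95/98/Me (no reg.exe) use the printed key and value names in regedit instead.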



Antivirus Guide

We’re going to take a look at some of the best antivirus software programs and give you an idea of what to choose from. Several companies make respectable applications to protect your computer from harm, but it’s difficult to decide which are the best and which aren’t so great. We’ll go through them one by one, looking at things like ease of use, the completeness of their antivirus feature sets, virus isolation and eradication, and more.

Norton Antivirus
Far and above the most popular choice among computer users, so we want to look at its overall effectiveness in comparison to others. The interface is simple and easy to use, and upon installation the program pre-scans your computer to help protect you from any viruses that are already on it. The program is a bit larger than other antivirus programs, but it’s worth the additional installation time. Norton focuses on blocking not only malicious viruses but also the dreaded adware and spyware programs that end up ruining and slowing down your computer. Adware and spyware are huge problems on many computers, so you want your antivirus solution to include help against them. A scheduler in the application lets you pre-schedule all your future scans so that they are performed consistently and conveniently. Norton passed all of West Coast Labs’ antivirus standards at both level 1 and level 2, so this outside confirmation of its success is a great bonus when weighing antivirus options. Additional features include protection against instant-messaging viruses and malicious scripts, and it will also protect your POP3 email. There is no peer-to-peer protection, however.
