Wednesday, April 13, 2011

Malware Redirects Google Search Results

Encountered what appears to be malware with some JavaScript, which caused Microsoft Security Essentials (MSE) to throw errors and which almost, but not quite, infected a system.

Popup notifications appeared in the systray every few seconds, and the MSE process MsMpEng.exe was gobbling up 50%+ CPU trying to keep whatever was trying to infect this Windows XP Service Pack 3 PC under control.

MSE's log showed the following error at the top of the details:
Microsoft Security Essentials encountered the following error: Error code 0x800703e4. Overlapped I/O event is not in a signaled state.

It listed numerous instances of the following as the most recent triggers for the cleanup:
TrojanDownloader:Java/OpenConnection.J
TrojanDownloader:Java/OpenConnection.JJ

Interestingly, the malware kept triggering the alerts from a specific path on the system:
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\14\3cb28b8e-3c71bd02->lort/cooter.class

Apparently lort/cooter.class is related to a family of malware dubbed JAVA/Exdoer, based on a log file I found posted here. The system's default browser (Firefox) was redirecting Google search results to various sites with advertising. While MSE seemed to be detecting and responding to whatever the active component of this malware was, freshly updated installs of SpyBot, MalwareBytes, and PrevX did not detect it.

I decided first to try to simply close all browsers, then run a utility called GOOREDFIX.EXE as described in this forum post. It returned the following log info:
GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:54 on 13/04/2011 (Jan)
Firefox version 3.6.16 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{A1E5480F-729F-4237-AD8E-2C46BA793DFE} -> Success!
Deleting C:\Documents and Settings\User\Local Settings\Application Data\{A1E5480F-729F-4237-AD8E-2C46BA793DFE} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:53 08/03/2011]
{972ce4c6-7e08-4474-a285-3208198ce6fd}(2) [18:19 08/03/2011]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [20:30 16/01/2010]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\c06n7342.User\extensions\
adblockpopups@jessehakanen.net [01:37 14/03/2011]
{20a82645-c095-46ed-80e3-08825760534b} [01:08 27/12/2010]
{7b13ec3e-999a-4b70-b9cb-2617b8323822} [19:18 12/04/2011]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [16:22 27/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:46 30/09/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:30 16/01/2010]

-=E.O.F=-

However, something seemed to reactivate the malware upon reopening Firefox, and the MSE systray popups began again.

I closed the browser, ensured that neither firefox.exe nor any other suspicious executables were present among the running processes, reran GOOREDFIX.EXE, then simply deleted the following folder:
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\

Upon reopening Firefox, no further MSE notification popups appeared, and after running a full scan with MSE, no threats were reported, either in memory or in the file system. So far, at least, it looks like whatever this malware was has been eliminated, but we shall see!
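As an added illustration (not code from the post, nor from GooredFix), here is a small Python parser for the GooredFix log format shown above. It pulls out what was deleted and the HKLM Firefox extension registrations, and flags any machine-wide registration that points into a user profile directory, which is the pattern the cleanup above removed. The sample log is constructed from the post's output; the registry value and timestamp for the removed extension are assumed, since the post shows only that the key and the folder were deleted.

```python
import re

# Constructed sample in the GooredFix log format from the post. The first
# registry value (its path and timestamp) is assumed: the post shows only
# that this key and that folder were deleted.
SAMPLE_LOG = r"""
========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{A1E5480F-729F-4237-AD8E-2C46BA793DFE} -> Success!
Deleting C:\Documents and Settings\User\Local Settings\Application Data\{A1E5480F-729F-4237-AD8E-2C46BA793DFE} -> Success!

========== GooredLog ==========

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{A1E5480F-729F-4237-AD8E-2C46BA793DFE}"="C:\Documents and Settings\User\Local Settings\Application Data\{A1E5480F-729F-4237-AD8E-2C46BA793DFE}" [19:18 12/04/2011]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:46 30/09/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:30 16/01/2010]

-=E.O.F=-
"""

# "Deleting <target> -> Success!" lines from the GooredScan section.
DELETE_RE = re.compile(r"^Deleting (.+?) -> (\w+)!$", re.M)
# "<id>"="<path>" [HH:MM DD/MM/YYYY] lines under the HKLM Extensions key.
REG_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d\d:\d\d \d\d/\d\d/\d{4})\]$', re.M)
# Per-user locations; a machine-wide (HKLM) registration should not live here.
USER_PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


def parse_deletions(log):
    """Return (target, result) pairs for everything GooredFix removed."""
    return DELETE_RE.findall(log)


def parse_registry_extensions(log):
    """Return one dict per HKLM Firefox extension registration."""
    return [{"id": i, "path": p, "stamp": s} for i, p, s in REG_RE.findall(log)]


def flag_suspicious(entries):
    """Heuristic: HKLM registrations whose target sits inside a user profile."""
    return [e["id"] for e in entries
            if e["path"].lower().startswith(USER_PROFILE_ROOTS)]


if __name__ == "__main__":
    for target, result in parse_deletions(SAMPLE_LOG):
        print(f"removed ({result}): {target}")
    for ext_id in flag_suspicious(parse_registry_extensions(SAMPLE_LOG)):
        print(f"suspicious HKLM registration: {ext_id}")
```

Run against a real GooredFix log, the same heuristic would surface a redirecting extension before it is deleted, so the flagged path can be preserved for analysis first.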

Wednesday, March 23, 2011

Manage Blocked Sites? Thanks, Google!

Google recently unveiled a tremendous new feature which allows you to block sites from their search results.

Previously available only as an extension for Chrome, the feature lets users with a Google Account maintain their own personal blacklist of sites whose search results aren't useful.

The original entry about this release on the Google blog tells the story, and you can click the following link to actually access your very own Manage Blocked Sites screen (assuming you're signed in to your Google account).

I mainly use Google, Bing, and Ask for my searches, but now Google is in my top spot solely for this feature. Too often I've submitted a query to a search engine only to be bombarded by useless results consisting of anything from advertising to porn to advertising about porn to malware, and habitually I'd just click the third or fourth page of results in the hope that I'd find some worthwhile content. Now I can shape my search results by eliminating much of the fluff, which translates into much more productive searches.

Creators of fluff are on notice:
"Sites will be blocked only for you, but Google may use everyone's blocking information to improve the ranking of search results overall."

Content is king, as the saying goes, and this is one big step in helping us mere users leverage the system by enabling us to trim away the fluff as we find it.

Well played, Google!


Tuesday, March 22, 2011

Process Lasso

I recently installed Process Lasso, a process management and optimization utility. 

Thus far it seems to be a highly effective and versatile tool for managing CPU usage. Using a proprietary algorithm dubbed ProBalance™, it strives to maximize your computer's responsiveness in spite of the demands placed upon the CPU by myriad running processes. Runaway processes that might ordinarily eat 99% or more CPU can be dynamically adjusted by Process Lasso so that lag is minimized.

Particularly useful is the ability to tag running processes in the GUI and assign them properties in the context menu, including process priority (to determine how valuable a process is and how much time the CPU devotes to it), processor affinity (assigning the use of one or more CPU cores in a multi-core processor to a given process), gaming mode (favors a process when it's running so that the CPU dedicated to its function is maximized), and terminate always (very handy if malware with a specific filename keeps trying to execute and hang out in memory), as well as lots of other options that extend Windows' built-in Task Manager by leaps and bounds.

One example of Process Lasso's usefulness arose when I noticed today that a particular process was very frequently being restrained by Process Lasso for trying to monopolize CPU. According to this note about the graph portion of the GUI, bars in red denote CPU spikes, and if you hover over these, the process name is displayed (in this case, a process called smc.exe, or Symantec Management Client, part of Symantec Antivirus).

This particular process had, in the few weeks I've had Process Lasso installed, been restrained over 900 times, and each of the red vertical bars above denoting CPU spikes revealed smc.exe as the culprit.

I decided to right-click on the smc.exe entry from the list and modify its Default Priority Class from its previous Below Normal setting to Idle. At this point I'm unclear about whether I may be compromising Process Lasso's ability to do its job by dictating to it how to treat a particular process on my system; much of the documentation recommends allowing the ProBalance algorithm to do its thing.

However, given that I've already configured Symantec Antivirus to exclude from scanning the applications and folders which I most commonly use, I'm hoping that this step will restrict it from eating more CPU than it should; the graph after the change, at least, seems to indicate that Process Lasso is not having to restrain smc.exe nearly as much as before.


In general, seeing red can incite violence in human beings as well as bulls, so at least for my purposes, as far as Process Lasso is concerned, less red is a favorable outcome.