Wednesday, May 26, 2004
Sorry for the sequels... the hijacker came back. I finally nailed it down though. It was a variant of CWS (coolwebsearch), a very nasty hijacker. It had put an entry in the registry that made a file in the system32 directory invisible... then it was loading this every time explorer loaded.
You can recognize a CWS hijack by running Hijackthis.exe. It will show several entries like:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\edjika.dll/sp.html (obfuscated)
Eradicating them in hijackthis only temporarily solves the problem. Very quickly you'll see it back again. If you delete the offending dll, it only recreates it with a new name. (The edjika.dll is a randomly generated name.) The program also disables the running of SpyBlaster software.
After searching on the web I finally came across the final solution, thanks to 'Bulldog' at tweakxp.com support.
---
Download Registrar lite and install it: http://www.resplendence.com/reglite
Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
And hit the "go" tab, and find the "AppInit_DLLs" value on the right side.
This will tell you the name of the hidden dll causing the problems to return.
You'll see the completely invisible downloader trojan, which you need to get rid of.
It will be listed as: C:\WINDOWS\System32\resehk.dll (this name is variable)
Bulldog writes:
The next steps would make that file visible.
-Rename the Folder Windows to NotWindows highlighted as a purple folder in the left hand pane of reglite.
-Click "AppInit_DLLs" again and clear the data value: C:\WINDOWS\System32\resehk.dll -<>resehk.dll in System32 folder but Don't attempt to delete it yet. (Remember to enable....show system and hidden files.)
Go to your root drive: C:\ And create new folder, Name it: "junk"
Unzip and run the 'Winfile' you previously downloaded.
Expand and navigate to System32 folder.
You need to navigate by Double clicking to expand.
When in System32 click top menu: File>Select files
Copy and paste to the box: resehk.dll hit select-
Find and highlight that file. Next in top menu>Security>permissions,
tell us what is listed there for that file. Also check the 'owner' tab
Lastly, try this: Menu -File>move... In From: Copy/paste: C:\WINDOWS\System32\resehk.dll
To: Copy and paste: C:\junk\resehk.dll
And hit ok.
Close Winfile and check in C:\junk for that file.
---
(Micah adds:) Run hijackthis.exe and clear out the associated links to the other dll.
Reboot, and delete the 'junk folder' along with the other associated dll. Hopefully, this solves the problem. Email/comment me if you need help.
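The relationship described in this post, as an added example (not code from the post or from HijackThis): it parses settings lines in the format quoted above, pulls out the DLLs that serve res:// pages, and lists them next to whatever AppInit_DLLs loads, so the loader is dealt with before the browser settings it keeps restoring. The sample lines are constructed from the post's example file names, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample: lines in the format quoted in the post, reusing its
# example file names. The Start Page line is made up as a benign control.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\edjika.dll/sp.html (obfuscated)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\edjika.dll/sp.html (obfuscated)
"""
SAMPLE_APPINIT = r"C:\WINDOWS\System32\resehk.dll"  # AppInit_DLLs data from the post

# "<key>,<value name> = <data>"; search() tolerates a leading section prefix.
ENTRY = re.compile(r"(?P<key>HK[A-Z_]+\\[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# res:// URL that loads an HTML resource out of a DLL on disk.
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)


def res_dll_entries(log_text):
    """Return (registry location, DLL path) for IE settings served from a DLL."""
    hits = []
    for line in log_text.splitlines():
        entry = ENTRY.search(line.strip())
        res = RES_DLL.match(entry.group("data")) if entry else None
        if res:
            location = f"{entry.group('key')},{entry.group('name')}"
            hits.append((location, ntpath.normcase(res.group("dll"))))
    return hits


def split_appinit(data):
    """AppInit_DLLs data is a list of DLLs separated by spaces or commas."""
    return [ntpath.normcase(p) for p in re.split(r"[ ,]+", data.strip()) if p]


def triage(log_text, appinit_data):
    """Group findings in the order the post cleans them: loader, then settings."""
    hits = res_dll_entries(log_text)
    loaders = split_appinit(appinit_data)
    return {
        "loaders": loaders,                             # review/clear these first
        "page_dlls": sorted({dll for _, dll in hits}),  # recreated while a loader runs
        "settings": [loc for loc, _ in hits],           # reset in HijackThis last
        "loader_present": bool(loaders),
    }


if __name__ == "__main__":
    for group, items in triage(SAMPLE_LOG, SAMPLE_APPINIT).items():
        print(group, items)
```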
Wednesday, May 19, 2004
3 Years
I love my wife.
My wife and I met at a church singles group. I was just recovering from a tragic experience and relationship. While we really didn't have much interest in each other, we both started attending a bible study together and generally hanging out together. Our attraction toward each other grew as time progressed. We married on May 19, 2001.
Monday, May 17, 2004
I just finished a debate on Total Depravity. I recommend you read the whole thing...
This weekend I was browsing on the web and after doing so, found that my browser had been hijacked. I'd not clicked on anything (I SWEAR!) ;-) Needless to say, I went about the usual methods of determining what the problem was and how to fix it. Hijackthis noted a dll connected to the browser as well as launching as a BHO. The hijacking manifested as an html doc on my system which was being called by the dll. Instead of launching my Internet homepage, it would launch the local file which was a search engine type page. This would then launch a pop-up ad which stated "your system is infected with a pop-up... download (name) pop-up stopper."
After deleting the offending entries in hijackthis, I opened the browser and found the hijacker re-established itself. Tried spybot, but it didn't find the problem.
Finally, installed Ad-Aware and killed it. Had to do it again after I rebooted...
Watch those sites folks.
Thursday, May 13, 2004
Many months ago I downloaded an add-on for MSN Messenger, I've used this program often, and it's quite good, however I didn't notice that this program had added a 'custom install' feature. As it turns out, I didn't use the 'custom install' feature but had I known what the normal install was adding to my system, I would have.
Immediately after install I noted that my browser's homepage was now "lop.com". Do not, ever, go to lop.com or install anything related to it. Not only was my browser homepage hijacked, but my search engines, and my system. I could neither change my browser homepage (it would always change back to lop.com) nor the search page, nor the crazy pop-ups that began filling the screen. My download had added a browser hijacker, spyware and adware to my system.
After some research I found several great applications which I have begun using in my day-to-day operations at my work. Whenever someone complains about their PC being slow, I install these apps and start hunting. The apps can be found here.
I highly recommend hijackthis, ad-aware and Spybot S&D. There may be other good resources at http://www.spywareinfo.com/, however these are the ones I've used.
Hijackthis is perhaps the most powerful of the three, however, it also is the most technical of them. If you've never messed around in your system's registry, I highly recommend not using Hijackthis.
Finally, here is a bit of news about what browser hijackers can end up doing to your life and reputation.
Remember, if you're not sure when a pop-up window appears... DO NOT CLICK "OK"!
Wednesday, May 12, 2004
Nick Berg, a practicing Jewish, 26 year old civilian contractor from Philadelphia, Penn., was brutally murdered by al-Qaeda this weekend. A video tape of the beheading was made available on an al-Qaeda related website. The video showed Mr. Berg saying his name, his family names and where they lived, then a long statement is read by men in masks carrying various Soviet-style rifles. They said in Arabic that this killing was in response to the abuse at Abu Ghraib prison.
Suddenly the masked men let out a scream of 'Allah akbar' and throw Mr. Berg to the ground. Berg's screams mix with those of his captors as one of the men begins to cut through Berg's neck with a large knife. The cut is not easy, the butcher has to saw through, it is unclear how long Berg lived, however, it is clear that his death was painful and grisly. When finally finished, Berg's severed head is held up to the camera.
Considering how many recent captives have been freed, perhaps Berg thought they would let him go. It seems apparent he had no idea that the men holding him were al-Qaeda, or al-Qaeda related. It is thought that one of the men, perhaps the one who actually murdered Berg, is one of al-Qaeda's new top operatives.
Response has been polar... but oddly rageless. One op-ed piece in the Philadelphia Daily is titled "Time To Get The Hell Out", the text of which basically points the finger at President Bush. Even Berg's family seems to blame the US administration... even though their boy willingly went to Iraq looking for work. Mr. Berg's reasons for being in Iraq are still unclear. The Coalition Provisional Authority in Baghdad states they knew he was in Iraq and had suspected that he was engaged in suspicious activity.
Who was Berg working for? What was this young, unemployed, Jewish contractor doing in a war zone in an Arab country?
Tuesday, May 11, 2004
Connection Power!
A Complete Turnkey Solution to Produce Proven Church Growth
(Check out their church growth calculator! And the cool animation of the people
filling the pews, rendered in 3D - NOT A JOKE, BTW)
"ConnectionPower's mission is to empower you, through effective ministry and information delivery systems, to touch and win every possible person who visits your church in such a manner that they will have the greatest opportunity to know Christ and become a meaningful part of your church family..."
"Empowers Your Busy Laity To Function In Meaningful Kingdom Service From The Comfort Of Their Homes While In Their Slippers..."
Some quotes:
"Churches that provide an atmosphere that is highly conducive to spiritual growth have a few key commonalities. Growth means that the Bible becomes relevant to the daily lives of congregants."
"Networking Kingdom resources from a variety of sources that match the targeted needs of the local church."
"'I gradually built up a knowledge of the needs of the customer and of the family.' J.C. Penny's philosophy matches that of the wise shepherd who listens to his flock."
"If companies can create raving fans with deep brand loyalty, surely the Church, with its transcendent purposes and opportunities for real-life service, can do even better."
"...winners have learned how to execute the fundamentals over and over again until it is a part of their innate behavior..."
"Perspectives change as a broad awareness of biblical history provides context for the present. The broader themes and principles of the Bible have been absorbed and are being integrated into perspectives."
---
1 Kings 19:14-18 Then he said, "I have been very zealous for the LORD, the God of hosts; for the sons of Israel have forsaken Your covenant, torn down Your altars and killed Your prophets with the sword. And I alone am left; and they seek my life, to take it away."
The LORD said to him, "Go, return on your way to the wilderness of Damascus, and when you have arrived, you shall anoint Hazael king over Aram; and Jehu the son of Nimshi you shall anoint king over Israel; and Elisha the son of Shaphat of Abel-meholah you shall anoint as prophet in your place. It shall come about, the one who escapes from the sword of Hazael, Jehu shall put to death, and the one who escapes from the sword of Jehu, Elisha shall put to death. Yet I will leave 7,000 in Israel, all the knees that have not bowed to Baal and every mouth that has not kissed him."