My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

If you follow this blog, you know that I did an article on the first stable release of Namp http://www.pccybertek.com/2010/01/nmap-5-20-released yesterday. Now that it has been out for a week, Fydor has already released another update, Namp 5.21 which is also a stable
release and not a beta. It’s mainly just a bug fix release. So I have updated the download section here with a link to the 5.21 release, which is on the right column about 3/4 of the way down the page. My download link is directly to the file on the insecure.org website or you can go to the Nmap download page yourself.

But I don’t want to just tell you about the update, I’d like to offer you some more since you took the time to stop by here. So here is a link to Iron Geek’s Baisc Nmap Tutorial video. And if already know the basics and would like to move on to some more advanced lesson, here is Iron Geek’s Nmap Video Tutorial 2: Port Scan Boogaloo Happy port knocking.

So much for the internal workings, now lets move on to some of the cool upgrades.  There are 31 new Nmap Scripting Engine (NSE) scripts which brings the total up to 80. These NSE scripts are one of my favorite features of Nmap. These scripts allow me to run Nmap in ways I never even thought about. I’m one of those people who learns better by example so the included scripts helps me to have a better understanding of how to write my own NSE scripts. Check out the complete list of NSE scripts.

There has also been an increase in the OS fingerprints, thanks to user submitted fingerprints and many corrections. Some of the more interesting new fingerprints include Google’s Android Linux (for smart phones), Mac OS X 10.6 (Snow Leopard), The Chumby (an internet radio player), a bunch of printers and routers for a total of 1349 fingerprints. This is including the 40 new vendors, 342 new fingerprints and 81 corrections.

Speaking of databases, the OS detection has seen some real growth. Thanks to user submissions, 2,576 of them since Feb. 2009, more than a thousand signatures have been added. That many users submissions shows the kind of community support Nmap has earned.

Nmap started out as a command line tool. But don’t let that scare you away from trying it out if you never have before. There is also a GUI (graphical user interface) called Zenmap that comes packaged with it. Zenmap has also seen improvements. You can now filter the results in Zenmap. So say you have performed a scan and have a lot of results but you just need to see the computers running Linux or a particular service like IIS. You can now apply a filter to your scan results and just have a list of  those machines which are running it.

These are just a few of the improvements made to Nmap since version 5.00 and you can get a complete list of the changes since 5.00 from the release notes. Or just download it and give it a try. There is a release for just about any OS you have. If you work with networks at all, you owe it to yourself to give Nmap a try.

Tonight’s pick is an all in one Instant Messenger, E-mail and Social Network client called Digsby. I’ve been running Digsby for around a year and it is really nice. I’ve set it up to connect to my AIM, MSM, Yahoo Chat, Facebook, Myspace, Twitter and all my various e-mail addresses. It sits nicely in my system tray and when I click on it, it pops up a sidebar on the left side of my screen that lists all the services I have it monitoring. If I click on the MSM bar it expands so I can see who is online and if I click on anyone who is online, I’m chatting with them just like I was running MSM. Instead of having to load all those different chat programs, I just run Digsby. Of course there are other programs like this, I use to run Trillian but it felt kinda clunky me and I haven’t tried the newer version of Trillian which now also supports Twitter and E-mail. However, I see Trillian still offers a pro version which isn’t free so it doesn’t totally fall into my “Free Software” category. Digsby also has several options for notification. Mine is configured so it pops up a little alert window. This is real handy for Twitter. I see the complete tweet and have options to retweet or reply to it. If I click on the notification window it will take me to that tweets page and I will already be logged in to Twitter. The same goes for any notification window, by clicking on it. If it’s one of my webmail accounts, I will be logged in and taken to that e-mail, or if it’s a pop mail account, it will launch whatever application you have chosen for your e-mail, such as Outlook.

Here’s a sample of the features in Digsby:

Instant Messaging
One combined buddy list for all your AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat Accounts.
Manage multiple conversations with tabbed conversation windows. You can drag tabs out into their own windows for important conversations.
Rename contacts with an alias so you don’t have to remember buddy names like ‘giantsfan123′.
If one of your friends has more than one IM account you can combine them into a single merged contact to eliminate duplicate buddies.
Send your friends SMS messages right from the IM window.
The InfoBox lets you check everyone’s status message and profile just by moving your mouse down the list.
Changing your status has never been easier. just one click right on the buddy list!
Multitask while you chat. Minimize the IM window and you see popups of new IM’s. Best of all, you can reply right from the popup and get back to what you were doing.
Log conversation history and find the information you need our search-enabled log viewer.
And so much more.
Email
Manage your Hotmail, Gmail, Yahoo Mail, AOL/AIM Mail, IMAP, and POP accounts right from digsby.
Get popup notifications when new email arrives. Clicking a popup takes you right to the message with auto-login into webmail accounts.
The email InfoBox gives you a snapshot of your unread messages with just one click
Perform actions such as “Mark as Read” or “Report Spam” right from the email InfoBox.
Send emails to your friends right from the IM window. The email is sent directly from any account digsby is tracking for you.
Social Networking
Stay up to date with everything happening on your Facebook, Twitter, MySpace and LinkedIn accounts.
Receive alerts of events such as new friend requests, messages, group invites, etc.
The social network InfoBox gives you a real time NewsFeed of what your friends are up to. Everything from new photos, to status updates, to upcoming birthdays is just a click away.
Set your Facebook, Twitter and LinkedIn status right from Digsby.
Personalize
Customize digsby with application skins to give it a personal look and feel.
Change the way your conversations look with themes – everything from simple AIM-style windows to 3D conversation bubbles.
Complete control over the layout of buddies on the buddy list. Change everything from buddy icon size to whether or not to show a snippet of their away message.
Sort your buddy list how ever you want! You can organize buddies manually, by status, by service, by name or by log size to place those you communicate with most at the top. You can even choose a secondary sorting method.
Customizable notification system lets you choose what events you want to be alerted about and how.

If you give it a try, or are already using it, please leave a comment to let myself and others know what you think of it. If you’d like to see it action, you can watch the video demo of it. Or just download Digsby.

Yes, that’s right. The essential network scanner, nmap, has made it to version 5. If you are unfamiliar with nmap, it’s a must have tool for anyone who does anything with networks. It’s the greatest port scanner around. And you can get it for just about any OS. But nmap is much more than just a port scanner. It can be used for more than just seeing what ports are open. You can also use it for its OS detection, among other things, and you can even use it to find the conficker virus on remote computers. It’s available as a command line tool and for those who prefer a gui, it also comes with zenmap which is a graphical front end for it.

My thanks to Fydor and the nmap development team for constantly updating this awesome tool and never being satisfied with the status quo. Now let me quote insecure.org

July 16, 2009 — Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this.

Considering all the changes, we consider this the most important Nmap release since 1997, and we recommend that all current users upgrade.

You can find a list of the changes here and be sure to download it.

The story thus far. For some reason I decided to install web tattoo. I knew it was probably going to install something else. Rule #1 – Programs on the internet that claim to be free, especially add-ons for social sites, aren’t really free. I just figured I could uninstall whatever it slipped in. After I uninstalled Web Tattoo, from FireFox and using add and remove programs in the windows control panel, and it was still redirecting my traffic to Fast Browser Search, I’d just remove it with Spybot or Ad-Aware or Hi-Jack This and remove it from the registry. However, none of these detected it and I couldn’t find any sign of it in the registry. Then I did a search on the internet and couldn’t find anything about removing it either. So I did some thinking and figured out how to remove it. Seeing how there was such a lack of articles dealing with this pest, I figured it would be the perfect thing for my blog. So I wrote this article on how I removed it from FireFox .

Next thing I know there’s a spike in the traffic coming to my little unknown blog. I was happy to learn that referrers were search engine results for “fast browser remove” and other similar queries. All of them looking for a way to take out this blasted thing. For a short time, my blog was on the first page in google if you were searching for a way to remove it. This got me pretty jazzed. I’ve had this blog for a couple years but never had much traffic before. After a couple weeks, the traffic to that article I wrote started tapering off. I was no longer in the first page or two when people searched for it. Then all the sudden it spiked again. Turns out someone on a google forum had Fast Browser Search take over their browser. Next thing I know I’m getting a ton of hits again, this time all comming from this post. Now if the people this helped would just click on my google adds, I could earn a couple cents in this tough economy

There was only one problem. My article only covered how to remove it from FireFox. Turns out there are plenty of people with Internet Explorer who have been attacked by this scourge known as Fast Browser Search. So here is what I’m going to do. Initially I was going to install Windows XP on a virtual Machine. But this would take quite some time and work before I could deliberately infect myself with Fast Browser Search. So I decided to take a short cut. After I’m done writing this, I’m going to create a new user account in windows, head over to Facebook and install Web Tattoo while using Internet Explorer. Then I’m going to figure out how to remove it and write part 2 of this article. So check back in a day or so, hopefully it won’t take me longer than that to figure out. If you would like to show some appreciation, click on my google adds, or leave me a reply. I love getting replies and hearing from you.

Turns out many people are still falling for this scam. I had to clean my parents computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now their is a new variation. Spware Protect 2009, is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software, on their computer? I sure as hell would. Then I started thinking about it, in a corporate situation. Some poor schmuck, in accounting or where ever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek

There’s no need to try and figure out what’s safe or real and what has more sinister plans in mind. The good folks at dshield.org have been keeping an updated list of third party information on conficker. Here you can find plenty of free conficker detection and removal tools, general information and the microsoft patch. That should help keep you updated, safe and informed.

I’ve also found out about one other real neat way of detecting it, but it’s for more advanced users, so I’m going to make a seperate post about it.