Saturday, July 28, 2007

Interesting Sights in Google Earth

My Streamyx line is very unstable again, with the SNR margin fluctuating like hell for the last 2 weeks. A few days ago, errors 676 and 678 visited again. I called TM; they said the connection in the Klang Valley area had a problem and they were fixing it, but according to some of my friends near my area, they didn't face any connection issues. So how to explain that? I faced errors 676 and 678 for almost a day even when the line was stable...

Well, I don't plan to talk about Streamyx in this post, but I want to share some interesting sights that can be found in Google Earth.

No parking space?
(Google Earth coordinates 52.069207,4.3139865)


Ancient man listening to mp3
(Google Earth coordinates 50.010083,-110.113006)

Check out more at PC World - In Pictures: The Strangest Sights in Google Earth.
Of course, there is more than that to be found in Google Earth...

Friday, July 20, 2007

Flash.10.exe Removal Guide

I separated the solution from the last post for better viewing.

Solution:

  1. Use HijackThis to scan, then remove the entries that contain Flash.10.exe, JambaMu.com or MSN.msn.

  2. Re-enable the Folder Options menu item that the malware disabled:
    Go to Run -> type gpedit.msc -> expand "User Configuration" -> expand "Administrative Templates" -> expand "Windows Components" -> select "Windows Explorer" -> double-click "Removes the Folder Options menu item from the Tools menu" in the right panel -> select Disabled.
    (gpedit.msc ships with Windows XP Professional but not with XP Home Edition; on Home, use the registry alternative below.)

    Alternative: Open regedit, go to
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> delete the "NoFolderOptions" value (or "DisableFolderOptions" or any similarly named value) if it is there -> reboot.

  3. Folder Options should appear now. Open Folder Options -> select "Show hidden files and folders" and uncheck "Hide protected operating system files".

  4. Go to C:\Windows\System32 and delete Flash.10.exe, JambanMu.com, regedit.com, cmd.com, msconfig.com, ping.com and dxdiag.com.
    (The .com files are decoys that shadow the real tools. When you type "regedit" in Run or at a prompt, Windows walks the PATH directories and tries each PATHEXT extension in turn, and .COM is tried before .EXE, so regedit.com in System32 is launched instead of the genuine regedit.exe.)

  5. Delete My Secret.fold in My Documents, New Song.lagu and New Video.vidz in My Music, and aweks.pikz and seram.pikz in My Pictures.

  6. Delete C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn.

  7. Delete C:\Program Files\Common Files\Microsoft Shared\Macromedia.10.exe.

  8. If you cannot delete the files and get messages like "cannot read from the source disk" or something similar, your antivirus has probably locked these files, which is why you cannot move, delete or rename them. Temporarily disable the antivirus, delete the files, and re-enable it straight afterwards. Also make sure the Flash.10.exe process has been ended first; it may not show up in Task Manager, so use Process Explorer to find and kill it.

    *regedit.exe and cmd.exe themselves stay intact; the malware only disables them through policy settings.

  9. Re-enable regedit, which the malware disabled:
    Go to Run -> type gpedit.msc -> expand "User Configuration" -> expand "Administrative Templates" -> select "System" -> double-click "Prevent access to registry editing tools" in the right panel -> select Disabled.
    (This policy is stored as the "DisableRegistryTools" value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Since regedit itself is blocked while it is set, clear it through gpedit.msc or with the console tool reg.exe, which this policy does not block.)

  10. Re-enable the command prompt (cmd), which the malware disabled:
    Go to Run -> type gpedit.msc -> expand "User Configuration" -> expand "Administrative Templates" -> select "System" -> double-click "Prevent access to the command prompt" in the right panel -> select Disabled.
    (This policy is stored as the "DisableCMD" value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System; once step 9 is done you can also delete it in regedit. Note that while it is set to 1, batch files will not run either, so do this before relying on any cleanup script.)

Leave a comment on this solution; I need your feedback. Does it help?
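As an added example (my own script, not part of the original post, HijackThis or any other tool mentioned here), the following Python audit checks a System32 listing for the decoy .com files and the dropped executables named in step 4, reads the HKEY_CURRENT_USER values that the three gpedit.msc policies in steps 2, 9 and 10 write, and prints the cmd.exe lines that undo them. The registry value names NoFolderOptions, DisableRegistryTools and DisableCMD are the ones those policies set; everything else (function names, the sample file listing and policy values used when the script is run off Windows) is constructed for illustration, not captured from an infected machine.

```python
"""Audit a Windows XP-era box for the Flash.10.exe indicators and emit the
cmd.exe commands that undo them. Added example, not the blog's own tooling."""
import os
import platform

# Registry value written by each gpedit.msc policy the guide toggles
# (all live under HKEY_CURRENT_USER).
POLICY_VALUES = {
    "NoFolderOptions": r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    "DisableRegistryTools": r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "DisableCMD": r"Software\Policies\Microsoft\Windows\System",
}

# Real tools the malware shadows with same-named .com decoys. cmd.exe and the
# Run box try each PATHEXT extension per PATH directory, .COM before .EXE, so a
# regedit.com dropped into System32 wins over the genuine regedit.exe.
SHADOWED_TOOLS = ("regedit", "cmd", "msconfig", "ping", "dxdiag")

# Other files the guide says the malware drops into System32.
KNOWN_DROPPINGS = ("flash.10.exe", "jambanmu.com")


def find_shadowed_tools(filenames, tools=SHADOWED_TOOLS):
    """Tool names that have a .com twin in `filenames` (a System32 listing)."""
    present = {name.lower() for name in filenames}
    return sorted(tool for tool in tools if tool + ".com" in present)


def find_known_droppings(filenames, droppings=KNOWN_DROPPINGS):
    """Dropped malware files present in `filenames`, in their on-disk spelling."""
    present = {name.lower(): name for name in filenames}
    return [present[name] for name in droppings if name in present]


def active_lockouts(policy_values):
    """Policy values (name -> DWORD) that are non-zero, i.e. currently in effect."""
    return sorted(name for name, value in policy_values.items()
                  if name in POLICY_VALUES and value)


def remediation_commands(system32_files, policy_values):
    """cmd.exe lines that delete the decoys/droppings and clear the lockout policies."""
    cmds = []
    for tool in find_shadowed_tools(system32_files):
        path = r'"%SystemRoot%\system32\{}.com"'.format(tool)
        cmds.append("attrib -r -s -h {0} & del {0}".format(path))
    for name in find_known_droppings(system32_files):
        path = r'"%SystemRoot%\system32\{}"'.format(name)
        cmds.append("attrib -r -s -h {0} & del {0}".format(path))
    for name in active_lockouts(policy_values):
        cmds.append(r'reg delete "HKCU\{}" /v {} /f'.format(POLICY_VALUES[name], name))
    return cmds


def read_hkcu_policies():
    """Read the three policy values from the live registry (Windows only)."""
    import winreg  # stdlib on Windows builds of Python
    found = {}
    for name, subkey in POLICY_VALUES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                found[name] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            found[name] = 0  # key or value absent: policy not set
    return found


if __name__ == "__main__":
    if platform.system() == "Windows":
        files = os.listdir(os.path.join(os.environ["SystemRoot"], "system32"))
        policies = read_hkcu_policies()
    else:
        # Constructed sample (not a real capture) so the script demonstrates
        # itself on a non-Windows machine too.
        files = ["regedit.com", "cmd.com", "Flash.10.exe", "JambanMu.com", "kernel32.dll"]
        policies = {"NoFolderOptions": 1, "DisableRegistryTools": 1, "DisableCMD": 0}
    for line in remediation_commands(files, policies):
        print(line)
```

Run it on the infected machine as the affected user (the policies are per-user, under HKCU) and review the printed lines before running them. The `reg delete` lines can be pasted one at a time into the Run box, which matters because the `attrib ... & del` lines need a working cmd.exe, and DisableCMD=1 blocks both cmd.exe and batch files. The PATHEXT shadowing check is generic: add any other tool name you find a `.com` twin for to SHADOWED_TOOLS.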

Saturday, July 14, 2007

NOD32 failed to detect Flash.10.exe

Recently, Flash.10.exe has been spreading through thumbdrives. It affects regedit, msconfig and cmd, removes Folder Options, and generates Flash.10.exe and JambanMu.com under windows\system32 plus some files inside Documents and Settings and Program Files. NOD32 detected the autorun.inf that came with the malware on the thumbdrive but failed to detect the Flash.10.exe file itself. NOD32 only detected the files (regedit, cmd, msconfig, dxdiag, ping, JambaMu.com, MSN.msn, ...) as infected after the infection had taken place. NOD32 gave a warning, deleted the infected files and asked for the infected files to be submitted for analysis; the warning dialogue only had the option to close it. However, the damage was already done and Flash.10.exe was still there, not detected as a threat. Flash.10.exe executed even when I explored the thumbdrive instead of opening it directly. The Flash.10.exe process running in the background could not be terminated from Task Manager because it did not appear there; it was only visible in another process monitor such as Process Explorer. I had to delete the malware manually and used HijackThis to clear the rest of it. Folder Options, regedit, cmd and msconfig had to be recovered.

*Solution has been moved to new post - Flash.10.exe Removal Guide


UPDATE (16th July):
I tried to infect my thumbdrive with this malware; this time it came with Flash.10.Setup.exe, scanner.exe, Flash Jokes.exe and autorun.inf on the thumbdrive. NOD32 detected all the files this time.
On another infected PC, Flash.10.exe and Macromedia.10.exe running in the background could be seen in Task Manager after infection, different from the case above.

Sunday, July 1, 2007

Hotmail has javascript trojan?

Does Hotmail contain a trojan? One of the JavaScript files loaded in Hotmail was identified as the JS/Tivso.14a.gen trojan by NOD32. I think it only happens after NOD32 was updated to virus signature 2365, released on 30th June. The strange thing is that it detects nothing when using Firefox to open the website, but when I tried with IE, after a few clicks on the left-side menu, NOD32 showed an alert when the JavaScript was loaded. Is it really a threat, or is NOD32 just too sensitive?



UPDATE:
It was a false positive; there was a bug in virus signature 2365. The problem was fixed after updating to virus signature 2366 (1st July), which has just been released.

UPDATE:
According to ESET, the false positive was not totally solved: the generic signature covering JS/Tivso.13a.gen would also generate a false positive. The misdetection was solved after virus signature 2368 was released. Details at the ESET Threat Center Blog.