Friday, July 25, 2014

Suffered malware attack via NCH Software, plus update


Tuesday Mini-UPDATE: --

My main machine contracted a bad case of malware in the form of SafeSearch, which will not uninstall even when you do a system restore to a previous restore point. I had to return to Factory Condition and now have to figure out how the dingus machine will recognize a previous backup, which it refuses to do. Why? It appears to operate like the old-fashioned TSR-type programs did. It certainly has the behavior pattern of a TSR.

The next person using a search engine on the term SafeSearch will get this post, among others, and what I have to convey to you guys is this: it appears to be a TSR-type trojan, and even cleaning your Registry won't get rid of it; it is also piggybacked with DeltaSearch, so you have to hunt up info on BOTH. Most info out on the web is inadequate in this regard. I've done a Factory Condition restoration, but I've also put a block in the router for the keywords SafeSearch, safesear.ch, deltasearch and delta.

When/if I get more information on this bastard, I'll update this post with it.

I posted a similar status update on Facebook, and one of my friends recommended Ubuntu, which is the latest version of Linux, which, in its turn, is a version of the very very very old Unix, with which I'm more familiar. I'll repeat my reply to this person here on this blog:

Right now I'm trying the system "repair disk", which did locate my backup set, so now I'm optimistic. The problems I had with Unix were the command set and that infernal system text editor, which was extremely user-unfriendly, and I'm speaking as a person experienced with WordStar and EDLIN. The reason I've stuck it out with Microsoft is that I knew Microsoft when it was still using CP/M. Me & Gates go back to the beginning.

Yup--all the way back to the very CP/M beginning, when Gates was still playing in his garage, and it's my familiarity with Unix that has ruined me on Linux/Ubuntu...but...if enough of this snit happens, I'm not far away from changing my mind about that.

Malware UPDATE: I found the .exe file that was running, but when I edit it, it gets reinstalled by something, and YES, I found my system backup files infected as well. This is gonna take a lot of quality time by the looks of it.

I found the file spro.exe to be running while my browsers got hijacked, and that's found under User\name\AppData\Local\SearchProtect. There's also an uninstall.exe file there, and when I ran it, it did look like the program actually got uninstalled. But when I clicked on a browser, it was still hijacking the browser. This is gonna be a long, long battle {sigh}.
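A file that comes back after you edit it, and a hijack that survives the vendor's own uninstaller, both point to something else on the machine relaunching or re-dropping it. The PowerShell below is an added example and is not from the original post or from any of the software named in it: it sweeps the usual Windows persistence locations (running processes, Run/RunOnce keys, services, scheduled tasks, startup items and browser shortcut arguments) for any reference to a name such as SearchProtect or spro.exe. The two default search strings are taken from the post; the list of locations and the requirement to run it from an elevated prompt are assumptions.

```powershell
# Added example (not from the original post). Save as Find-Persistence.ps1 and run
# from an elevated PowerShell prompt. Assumes Windows 7 or later.
param(
    [string[]]$Needles = @('SearchProtect', 'spro.exe')   # names taken from the post
)

# One case-insensitive regex covering every needle.
$pattern = ($Needles | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit($Where, $Name, $Value) {
    if ("$Name $Value" -match $pattern) {
        $hits.Add([pscustomobject]@{ Where = $Where; Name = $Name; Value = $Value })
    }
}

# 1. Running processes and their full command lines.
Get-WmiObject Win32_Process | ForEach-Object { Add-Hit 'Process' $_.Name $_.CommandLine }

# 2. Run/RunOnce keys for the current user and the machine (including the 32-bit view).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { Add-Hit $key $p.Name $p.Value }
        }
    }
}

# 3. Services: a service can re-drop a deleted binary every time it starts.
Get-WmiObject Win32_Service | ForEach-Object { Add-Hit 'Service' $_.Name $_.PathName }

# 4. Scheduled tasks via schtasks (present on Windows 7, where Get-ScheduledTask is not).
#    schtasks may repeat the header row per task folder, so keep only the first copy.
$csv = schtasks /query /fo csv /v 2>$null
if ($csv) {
    $header = $csv[0]
    $rows   = $csv | Select-Object -Skip 1 | Where-Object { $_ -ne $header }
    (@($header) + $rows) | ConvertFrom-Csv | ForEach-Object {
        Add-Hit 'ScheduledTask' $_.TaskName $_.'Task To Run'
    }
}

# 5. Startup folder entries and other WMI-visible startup commands.
Get-WmiObject Win32_StartupCommand | ForEach-Object {
    Add-Hit "Startup($($_.Location))" $_.Name $_.Command
}

# 6. Browser shortcuts whose target carries extra arguments: a .lnk that hands the
#    browser a URL makes every launch open the "search" page even after the
#    program itself is gone.
$shell   = New-Object -ComObject WScript.Shell
$lnkDirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
             "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
             "$env:APPDATA\Microsoft\Windows\Start Menu",
             "$env:ProgramData\Microsoft\Windows\Start Menu")
Get-ChildItem $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $sc = $shell.CreateShortcut($_.FullName)
    if ($sc.Arguments -match $pattern -or $sc.Arguments -match '^\s*https?://') {
        $hits.Add([pscustomobject]@{ Where = 'Shortcut'; Name = $_.FullName;
                                     Value = "$($sc.TargetPath) $($sc.Arguments)" })
    }
}

$hits | Sort-Object Where, Name | Format-Table -AutoSize -Wrap
```

Anything this reports outside the SearchProtect folder itself is a candidate for the "something" that keeps putting spro.exe back; remove those entries before deleting the binary, not after, or it will simply be re-dropped on the next logon or task run.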

...and I see that people in China are very interested in this post. Hehehehe--you guys ain't whupped me yet, and I have my ways of locating TSRs. It...Is...ON!

Recognize this line, guys? Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

How about this one? windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

Or this one? ComSpec=C:\Windows\system32\cmd.exe


Yeah, I lifted those out of your program. And I speak hexadecimal fluently. There's nothing like actually reading the trojan program to find out where the TSR is installed, now, is there? You boys picked on the wrong gal this time.

Malware UPDATE 2: The origin of my infection has been established. It is #NCHSoftware, via what it claims are free versions but are instead free trials. Freeware doesn't expire, but NCH "free version" software does, and when it expires, the malware launches. Boycott NCH Software.

As to locating a TSR, what I found was a bunch of not-exactly-TSRs, and they were spread out through the operating system. I'm cured, but reverse-engineering this stuff ain't gonna happen overnight. Yeah, you hackers are too clever by half. At least where MY machines are concerned. Just remember this, hackers--when you leave files on my machines, I can and will use them to find you where you live. It's elementary, my dear Watson--the info you filch from others is of no use to you without you being online too, and when YOU are online, you'd best keep watching over your shoulder.

Almost forgot to add this li'l story of what I did to an ad hacker outfit based in France a few years back. If you're old enough to remember Xupiter, you get the idea of what these guys did, using the name Xiti although their main operation was named Yatoula. They infected my machine, and by reading their files I found their main server and discovered that browser hijacking/ad serving wasn't the only thing they did. I got in the server's back door and found a treasure trove of animated GIF images they lifted from their victims, and I, in turn, lifted the images from them.

I've already posted a few, by the way, last year in between the Turkey Day recipes I posted about in November. ALL of those came from THEM. And now, I shall commence to be insufferably smug for the rest of the day.


I think I forgot to mention, too, that after I got into their server's back door, I also saved pages and pages of the links to their image collection and hot-linked 'em all over cyberspace. I'll bet the damn thing got extremely non-stop busy, ha.
