Battle of the P.U.P

A PUP is a Potentially Unwanted Program. Not necessarily a virus, malware or malicious code, but something that just messes with your system.

So a little background before I dive into what happened. I’ve been working in the IT industry for 20+ years; I know my way around IT “stuff” and I’m computer savvy. I exercise care with my personal information on the web, and I don’t use a password more than once. I have a number of safeguards in place to prevent an attack as best I can, measures to mitigate damage, and processes for recovery and restoration.

Midweek, one of my computers began to behave oddly. It’s hard to articulate, but I know how my system should be performing and I knew something was going on.

A number of virus scanning tools, some well-known names, reported my system was clean. In each case, signatures were up to date and heuristic scanning was being performed. I tried an AV a friend had mentioned on more than one occasion in the past, and while it couldn’t find the problem, at least it was popping up telling me something was going on.

Lots and lots of stuff, all taking place inside my temp directory. The traditional AV vendors were not up to the task, and I was in a fortunate position to alter the battlefield.

Enter Cylance. Why fortunate? As far as I know, this still isn’t available to the everyday user (much to the delight of the other AV vendors, I’m sure), but we use it at a corporate level and I deployed it onto my home PC.

This was the tipping point. Cylance put a stop to the behavioral activity of this PUP, and that let me get in front of it. None of the products at my disposal could find it, but at least I had halted its progress. I had to find it the old-fashioned way.

I rebooted into Windows Command repair mode and cleaned out the temp directories. Sadly, stuff came back. This time there was a clue: a directory named “kerhdom”. I found this and wiped it out. I checked the registry for references to “kerhdom” and wiped them out. Some of those had further references to MIO.exe. Rinse and repeat. Then there were further references to .msi files inside c:\windows\installer. Not only did I delete them, I also fired up my local group policy editor and created my own software restriction policy to prevent these from executing.

Deeper and deeper, chasing reference after reference, methodically cleaning out this garbage. The last were tied to the Windows Task Scheduler, which was running an active script at login. I tailored Cylance and blocked ALL scripting.
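The hunt above was done by hand. As an added example (not from the original post, and not a Cylance or Microsoft tool), here is a PowerShell triage script that walks the same places in one pass: the autostart and uninstall registry keys, the Task Scheduler, the MSI cache in C:\Windows\Installer, and the temp directories. It only reports; nothing is deleted until you have reviewed the hits. The indicator strings “kerhdom” and “MIO.exe” are the ones named above; the registry paths, the script-host patterns and the 7-day temp window are my own assumptions about where such a thing tends to live, not anything the post found.

```powershell
#Requires -RunAsAdministrator
# Added triage script: reports indicators, deletes nothing.
# "kerhdom" and "MIO.exe" are the names from the post; all paths/patterns below are assumptions.
param(
    [string[]]$Indicators = @('kerhdom', 'MIO.exe'),
    [switch]$Deep            # also walk all of HKLM/HKCU (slow, minutes)
)
$pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Places a persistence-minded PUP commonly registers itself (assumed list).
$autostart = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Classes\Installer\Products'
)
if ($Deep) { $autostart += 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE' }

function Find-RegistryHits {
    param([string[]]$Roots, [string]$Pattern)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # A key named after the indicator (e.g. a product key) is itself a hit ...
            if ($key.Name -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            # ... and so is any value whose name or data mentions it (paths to MIO.exe, msi files, etc.).
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

function Find-ScriptTasks {
    param([string]$Pattern)
    # Tasks whose action runs a script host, or mentions an indicator; flag the logon-triggered ones.
    $hosts = 'wscript|cscript|mshta|powershell|rundll32|\.vbs|\.js|\.wsf|\.ps1'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $atLogon = [bool]($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -match $hosts -or $cmd -match $Pattern) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; AtLogon = $atLogon; Command = $cmd }
            }
        }
    }
}

function Get-CachedMsi {
    # Map each cached package in C:\Windows\Installer back to the product that owns it.
    # Packages no product claims ("orphans") are the ones worth a second look.
    $props = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties' -ErrorAction SilentlyContinue |
             Get-ItemProperty
    Get-ChildItem 'C:\Windows\Installer\*.msi' -ErrorAction SilentlyContinue | ForEach-Object {
        $msi   = $_
        $owner = $props | Where-Object { $_.LocalPackage -eq $msi.FullName } | Select-Object -First 1
        $name  = '(orphan: no product owns it)'
        if ($owner) { $name = $owner.DisplayName }
        [pscustomobject]@{ Package = $msi.FullName; Modified = $msi.LastWriteTime; Product = $name }
    }
}

function Get-RecentTempFiles {
    param([int]$Days = 7)   # assumed window; tune to when the odd behaviour started
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem $env:TEMP, 'C:\Windows\Temp' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -and $_.Extension -match '\.(exe|dll|msi|vbs|js|bat|cmd|ps1)$' } |
        Select-Object FullName, LastWriteTime, Length
}

Write-Host "== Registry hits for: $pattern"
Find-RegistryHits -Roots $autostart -Pattern $pattern | Format-Table -AutoSize -Wrap
Write-Host "== Scheduled tasks that run scripts (AtLogon = True is the one the post describes)"
Find-ScriptTasks -Pattern $pattern | Format-Table -AutoSize -Wrap
Write-Host "== Cached MSI packages in C:\Windows\Installer"
Get-CachedMsi | Sort-Object Modified -Descending | Format-Table -AutoSize
Write-Host "== Recently written executables/scripts in temp"
Get-RecentTempFiles | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, ideally after booting to a state where the PUP’s scheduled task has not yet fired. Each section is a list to review, not a kill list: a Run value pointing into %TEMP%, an orphan MSI in the installer cache, or a logon task that launches wscript with a .vbs in a user-writable directory are the kinds of entries that deserve attention. Delete only after you have confirmed what the entry belongs to, then re-run the script, because (as the post found) one surviving reference is enough to bring the rest back.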

It was a tangled web employing several different technologies to carry on its nasty business, all in plain sight of active and up-to-date AV programs. Signatures and heuristics all failed. Behavioral detection did the trick.

It took a good 3 hours over a period of two days to get in front of this.

So what was the PUP? Well, I don’t know for sure, but from the files and references I did find, it was establishing its own proxy server on my PC to inject advertising (and who knows what else) into my browser.

I raised this with several of my work colleagues as a cautionary note. What hope does the average computer user have in a situation like this?

The hating of Pinterest

I hate Pinterest with a passion. Why? Because I just can’t look at it.

My missus always sends me links for stuff to look at, and I can never just look. I don’t have Facebook (yet another pet hate), and I don’t want to sign up.

What’s additionally annoying is there isn’t any way to contact them to tell them how much they suck and that their pestering to sign up is so damn annoying.

Pinterest, you suck and I hate you.

Mind you, with a couple of choice add-ons for Firefox, all your stupid sign-up crap goes away. Poor design and no apparent support. I’ll be making sure all of the desktops I look after at work have the relevant add-ons to bypass all this crapola.

Smartphone epiphany

I haven’t blogged in a while; real life got busy with various things and I just didn’t get the time. However, events of the past weeks gave me an incentive to write about some things I have learned about my smartphone, specifically the Samsung Galaxy S3.

So, the S3 is a really nice piece of hardware, and it comes with the Android OS and Samsung TouchWiz.
Lesson 1) Android OS: a really cool OS for smartphones.
Lesson 2) TouchWiz: a fancy-looking piece of junk, actually several pieces, all placed onto the phone by Samsung with no way to remove the stuff if you don’t use it.