Battle of the P.U.P

A PUP is a Potentially Unwanted Program: not necessarily a virus, malware or other malicious code, but something that just messes with your system.

So a little background before I dive into what happened. I’ve been working in the IT industry for 20+ years, I know my way around IT “stuff” and I am computer savvy. I exercise care with my personal information on the web, and I don’t use a password more than once. I have a number of safeguards in place to prevent an attack as best I can, measures to mitigate damage, and processes for recovery and restoration.

Mid week one of my computers began to behave oddly, hard to articulate but I know how my system should be performing and I knew something was going on.

A number of virus scanning tools, some well known names, reported my system was clean. In each case, signatures were up to date and heuristic scanning was being performed. I tried an AV a friend had mentioned on more than one occasion in the past, and while it couldn’t find the problem, at least it was popping up telling me something was going on.

Lots and lots of stuff, all taking place inside my temp directory. The traditional AV vendors were not up to the task and I was in a fortunate position to alter the battlefield.

Enter Cylance. Why fortunate? As far as I know this still is not available to the everyday user, much to the delight of the other AV vendors I’m sure, but we use it at a corporate level and I deployed it onto my home PC.

This was the tipping point. Cylance put a stop to the behavioral activity of this PUP and that let me get in front of it. None of the products at my disposal could find this, but at least I had halted its progress. I had to find it the old fashioned way.

Rebooted into Windows Command repair mode and cleaned out the temp directories. Sadly, stuff came back. This time there was a clue: a directory named “kerhdom”. Found this and wiped it out. Checked the registry for references to “kerhdom” and wiped them out. Some of those had further references to MIO.exe. Rinse and repeat. Then further references to MSI files inside c:\windows\installer. Not only did I delete them, but I fired up my local group policy editor and created my own software restriction policy to prevent these from executing.

Deeper and deeper, chasing reference after reference, methodically cleaning out this garbage. The last were tied to the Windows Task Scheduler, which was running active script at login. I tailored Cylance and blocked ALL scripting.
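The hunt described above (temp directories, the registry, the Windows Installer cache and scheduled tasks) can be turned into a read-only triage script that reports every place a given name shows up, so the deletions can be done deliberately afterwards. This is an added example, not code from the original post; the default search terms “kerhdom” and “MIO.exe” are the names the post found, and the set of locations searched is my assumption of where such a PUP leaves references. It reports only and removes nothing.

```powershell
# Added example (not from the original post). Read-only triage: list every file,
# autostart registry value and scheduled task action that references a suspect name.
# Run from an elevated PowerShell prompt so HKLM and C:\Windows\Installer are readable.
param(
    # Default needles are the two names the post found; pass your own with -Needles
    [string[]]$Needles = @('kerhdom', 'MIO.exe')
)

# One regex that matches any of the needles, with metacharacters escaped
$pattern = ($Needles | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Source, [string]$Location, [string]$Detail) {
    $hits.Add([pscustomobject]@{ Source = $Source; Location = $Location; Detail = $Detail })
}

# 1. Files and directories under the temp folders and the Windows Installer cache
#    (the post found the PUP working out of temp and dropping MSI files in the installer cache)
$fileRoots = @($env:TEMP, "$env:windir\Temp", "$env:windir\Installer")
foreach ($root in $fileRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match $pattern } |
        ForEach-Object { Add-Hit 'File' $_.FullName "LastWrite=$($_.LastWriteTime)" }
}

# 2. Autostart registry values (Run / RunOnce) for the machine and the current user;
#    match on the value data, which is where a launch command or path would sit
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    # Skip the PS* bookkeeping properties the provider adds to every item
    foreach ($prop in ($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -match $pattern) {
            Add-Hit 'Registry' "$key\$($prop.Name)" "$($prop.Value)"
        }
    }
}

# 3. Scheduled tasks whose action (program plus arguments) references a needle;
#    this is where the post found the login-time script being launched from
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $command = "$($action.Execute) $($action.Arguments)"
        if ($command -match $pattern) {
            Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $command
        }
    }
}

# Report; an empty table means none of the searched locations reference the needles
if ($hits.Count -eq 0) {
    Write-Output "No references to '$($Needles -join "', '")' found in the searched locations."
} else {
    $hits | Sort-Object Source, Location | Format-Table -AutoSize -Wrap
}
```

The script searches the Run/RunOnce keys and task actions rather than the whole registry because a full hive walk is slow and noisy; if the report comes back empty but the behaviour persists, widen the search (services, Winlogon, browser extension keys) before deleting anything, and re-run the script after each cleanup pass to confirm nothing has been re-created, which is the “rinse and repeat” loop the post describes.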

It was a tangled web employing several different technologies to carry on its nasty business, all in plain sight of active and up to date AV programs. Signatures and heuristics all failed. Behavioral detection did the trick.

It took a good 3 hours over a period of two days to get in front of this.

So what was the PUP? Well, I don’t know for sure, but from the files and references I did find, it was establishing its own proxy server on my PC to inject advertising (and who knows what else) into my browser.

I raised this with several of my work colleagues as a cautionary note. What hope does the average computer user have in a situation like this?

Nothing fancy

I found myself in a situation where the “end game” elements of DDO were exhausting and repetitive. Worse now, for me at least, was the Anniversary event. I’m not into events as such. It’s a glossy coating for a different type of grinding. This is not unique to DDO; it happens in most MMOs. So I underwent the process of True Reincarnation a couple of weeks back, starting over from level 1. My class of choice this time round was the Bard. This was motivated by having a tried and tested build to follow.

It was quiet today, I’d done my errands and found that it was time for Xuro to breach Splinterskull.

[Screenshot: Xuro, in all her bardy glory]

I’d not been in there that long when a spindly, gimpy wizard made an appearance and, for my part, took very little convincing to join me. The two of us plus four hirelings, yay for a full group.

Splinterskull annoys me: in and then out, and repeat time and time again, going deeper and deeper into the fortress. Outnumbered and outgunned, we didn’t have any fancy gear at our disposal, just our wits. The wizard Obsydhia popped a web in the door and I opened the door. Choke point fighting, effective to be sure, using their lack of line of sight to avoid nasty spell fire. I would throw in my hypnotise when the web was stressing and follow up with fascinate. Between the three crowd control abilities at our disposal we were able to whittle down the enemy numbers. Having the enemy either entangled or standing dormant while you kill them certainly helps.

Despite Obsydhia’s repeated proclamation of being useless, she did save the day by carrying my soul stone to a shrine. I lagged right into a spinning blade trap, and boom.

No one tanking, no access to decent ranged attacks or devastating warlock spells. Just some crowd control, our wits and a penchant for going slow: the Flower Sniffer way.


Feelings I didn’t expect

I play several online games, and in nearly all of them I have a group of friends who bonded together and formed a guild: like minded individuals with similar goals who enjoyed playing the game together.

One game, The Secret World, I hadn’t played much of over the past few months; what with work and family issues, my own personal leisure time had changed.

Now and again I check the website for our guild to see what people have been up to, and today I saw a message from the guild leader, The Last Transmission. Our guild had been disbanded.

I logged into the game, and there wasn’t much more of an explanation to it; though if you actually wanted to know why it happened, there was someone to message.

The guild as a whole had a bumpy ride; we had our good times and our dark times. I’ve got fond memories from my time there and I’d made friends along the way. The guild roster was my friends list, and with that gone I’ve effectively lost touch with people.

As I read over the guild message of the day for the second time, the tears came. I couldn’t help it; it was an emotional thing for me. I didn’t expect to feel this way at all.

So long and farewell to The Hive Protocol.

I spoke to guild mates in another game I was logged into at the time (Dungeons and Dragons Online). My thanks to the Flower Sniffers of Destiny for your support, especially Even, who kept me distracted for an hour while I calmed down.

Some poignant moments that I remember fondly.

[Screenshot: The day I got my wings]

[Screenshot: Me (left) and Black-Arrow at the beach lair rocking some firepower]

[Screenshot: Me (left) and Volanna having a quiet moment after the raid]

[Screenshot: Left to right: unknown, Broadcast, Black-Arrow, Me, Vyner – first time in the Manufactory]

[Screenshot: My first time tanking a summoned boss]

[Screenshot: Left to right: Volanna, Mell (sleeping), Me, Minejas]