Teknum Systems, Attack disables Restore in XP

Discussion in 'malware problems & news' started by srfox, Aug 30, 2003.

Thread Status:
Not open for further replies.
  1. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
I got attacked by this, which I now consider a real threat, and I wanted you guys to know about it. First thing that happened is I was unable to update my Spyware Blaster. Then it disabled my restore function; XP went through its usual reboot and everything, but when it reappeared it said it couldn't do the restore. I then scanned with Spybot, which found the culprit, and I was able to disable it and then do a restore from an earlier point. People should be warned about putting Handy Bits encrypter on their machines. This behavior I would classify as a worm, since it disables restore. Someone should send webattack a report on this so they can remove it from their lists, as well as any other site that might support their downloads, and they ought to be boycotted.

    :(--------------
    Steve Fox
    The universe is laughing behind your back.
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :( So you downloaded Handybits. Oh dear, I guess I should have posted something on this a while back when I thought it was a nice piece of software. Yes, it does contain spyware among other things and is extremely difficult to remove. I tackled Teknum about this and even sent them proof, but they vehemently denied they loaded their software with nasties. I had to manually get rid of the sucker piece by piece ... what a pain!! Once their update installer was removed, the software would not run, because it was designed to gather and send the information it collected home. Did you manage to get yours out completely? I did.
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You can download updEnabler.exe on http://www.handybits.com/update_service.asp
    It will allow you to disable the update service.

    Your program will still require Update.exe to load at startup, but it won't want to access the net any more.
     
  4. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Thank you Tony - I got it all cleared out of my system bit by bit. What amazes me is that the TechTV guys are actually recommending this software in their newsletter. I most certainly wrote them and "poo-pooed" it and suggested they do a bit more research. Okay for us who have the knowledge to clear things up, but those who don't, well, we all know the dilemma they can find themselves in. :rolleyes:
     
  5. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    I was able to get rid of it with Spybot, so I think I got all the pieces. And Tony, I don't care if Handy Bits posted a disabler; bottom line, I don't trust them.
    And Peaches4U, please let me know any registry setting it creates so I can double check. You're right, it's all right for us that know how to get rid of it, but others have to just suffer with it without even knowing that it's doing something in the background.

    Like I said, The Freeware sites that have this available as a download should be alerted.
     
  6. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi Srfox - I did a full search for Handybits and then a new search for Teknum Industries ... found them all and deleted them. Then on second thought, I figured if I missed anything, I'd simply use my System Restore to go back to the day before the download, and now I'm positive it is all gone ... did a Search after the Restoration and no evidence of the software. Those who do not have XP and this feature have a job on their hands.

    By disabling the Updater, the software would not work - I did the test. Also, the updater re-installed itself in a sneaky way as I found it in the Search I did.

    Have a friend with Lou Gehrig's disease and this program would have been very nice since he has lost the use of one arm and now the other is almost completely gone. I was testing this for this friend, so I'm still hunting for good software that he can use for voice emails .... anyone out there have any solid recommendations? Has a limited budget, so preferably something free, if possible.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Peaches,

    I'm sorry to hear so; wish him best of luck!

    Would you mind opening a new thread on this one in a different appropriate forum? ;)

    regards.

    paul
     
  8. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Peaches, Sorry to hear about your friend. When you start a new thread as Paul suggested, let me know where it is. Yes, anybody without XP has a job on their hands, as I said it disables XP restore, so this is definitely acting like a trojan.
     
  9. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Thanks for the wishes Paul & Srfox. Paul can you suggest where I can start a new thread? LWM will probably spank me if I don't do it right. :D :'(

    Srfox re Handybits - it is much easier to remove from WinXP than, say, Win98. We can go back to a restore point prior to the download and everything is fixed. However, if you lose restore points, then you simply disable SR, which will completely delete all files in SR, thus cleaning out any trojan there; do an outside scan, say with TrendMicro, to be sure, then enable SR and set a new clean restore date. This cannot be done in Win98, and one would have to do the Search and remove it piece by piece.
    My SR was fine because I smelled a rat instantly and thus acted immediately.
     
  10. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Yeah, I smelled a rat too when I noticed Windows autoupdate on, and then I stopped it right in the middle and immediately tried to do a restore, which was blocked of course, so I ran Spybot, which found it. Then I did a restore, which was now working, but thanks for the pointer on restoring restore. That might come in handy sometime.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Peaches,

    "Software & Services" would be the place ;)

    regards.

    paul
     
  12. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Am I out of the woods yet?

    I installed "handybits easy crypt" by TEKNUM because it was highly recommended by sites I formerly regarded as being credible. After ad-watch, ad-aware and spybots blew the whistle on it I removed it. And then...

    At about 05:21 in the morning my computer on its own went here: C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_2145.xml

    Then at about 11:00, out of the blue, ad-watch blocks an attempt to write a registry value for Teknum's updater.exe. AFTER I HAD THOUGHT EVERYTHING HAD BEEN UNINSTALLED AND DELETED!

    I admit I don't know much about computer security, however I keep ad-watch running at startup, so when TEKNUM attempted to write to my registry it was blocked. I searched for the instigator and found this .XML file. I don't even know what an .XML file is. It seems to link to the internet. Is this what I have heard referred to as a "script"? I am deleting it because whatever it is, I do not guess I want to have it!

    C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_2145.xml

    <?xml version="1.0" encoding="unicode" ?>
    <CIM CIMVERSION="2.0" DTDVERSION="2.0">
      <DECLARATION>
        <DECLGROUP.WITHPATH>
          <VALUE.OBJECTWITHPATH>
            <INSTANCEPATH>
              <NAMESPACEPATH>
                <HOST>CIRCUITRY GIRL</HOST>
                <LOCALNAMESPACEPATH>
                  <NAMESPACE NAME="root" />
                  <NAMESPACE NAME="cimv2" />
                </LOCALNAMESPACEPATH>
              </NAMESPACEPATH>
              <INSTANCENAME CLASSNAME="Win32_StartupCommand">
                <KEYBINDING NAME="Command">
                  <KEYVALUE VALUETYPE="string">C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup</KEYVALUE>
                </KEYBINDING>
                <KEYBINDING NAME="Location">
                  <KEYVALUE VALUETYPE="string">HKU\S-1-5-21-1757981266-299502267-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</KEYVALUE>
                </KEYBINDING>
                <KEYBINDING NAME="Name">
                  <KEYVALUE VALUETYPE="string">Update Service</KEYVALUE>
                </KEYBINDING>
                <KEYBINDING NAME="User">
                  <KEYVALUE VALUETYPE="string">CIRCUITRYGIRL\Black Blade</KEYVALUE>
                </KEYBINDING>
              </INSTANCENAME>
            </INSTANCEPATH>
            <INSTANCE CLASSNAME="Win32_StartupCommand">
              <PROPERTY NAME="Command" TYPE="string">
                <VALUE>C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup</VALUE>
              </PROPERTY>
              <PROPERTY NAME="Location" TYPE="string">
                <VALUE>HKU\S-1-5-21-1757981266-299502267-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</VALUE>
              </PROPERTY>
              <PROPERTY NAME="Name" TYPE="string">
                <VALUE>Update Service</VALUE>
              </PROPERTY>
              <PROPERTY NAME="User" TYPE="string">
                <VALUE>CIRCUITRYGIRL\Black Blade</VALUE>
              </PROPERTY>
              <PROPERTY NAME="Change" TYPE="string">
                <VALUE>Delete</VALUE>
              </PROPERTY>
            </INSTANCE>
          </VALUE.OBJECTWITHPATH>
        </DECLGROUP.WITHPATH>
      </DECLARATION>
    </CIM>

    What's this all about? Anyone?
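    An added example, not code from the thread or from Teknum/Handybits, to show what the file above actually is. As I read it, CollectedData_*.xml under PCHEALTH\HELPCTR\DataColl is a snapshot written by XP's Help and Support Center, in CIM-XML (the format WMI uses to export instances); the Win32_StartupCommand instance is the Run-key autostart for update.exe, and its Change property of "Delete" records that the entry was removed. It is a log of a change, not a script that runs anything. The snippet parses such a file and lists every startup record; the sample input is constructed from the posted instance (trimmed to the INSTANCE block, declaration encoding attribute dropped), and the "Suspect" rule is an assumed heuristic of mine. Assumes PowerShell 3.0 or later.

```powershell
# Added example: parse an XP Help Center CollectedData_*.xml (CIM-XML) snapshot
# and list the Win32_StartupCommand records in it. Not code from the thread.

# Constructed sample, built from the instance posted in the thread.
$sampleXml = @'
<?xml version="1.0"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
  <DECLARATION>
    <DECLGROUP.WITHPATH>
      <VALUE.OBJECTWITHPATH>
        <INSTANCE CLASSNAME="Win32_StartupCommand">
          <PROPERTY NAME="Command" TYPE="string">
            <VALUE>C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup</VALUE>
          </PROPERTY>
          <PROPERTY NAME="Location" TYPE="string">
            <VALUE>HKU\S-1-5-21-1757981266-299502267-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</VALUE>
          </PROPERTY>
          <PROPERTY NAME="Name" TYPE="string"><VALUE>Update Service</VALUE></PROPERTY>
          <PROPERTY NAME="User" TYPE="string"><VALUE>CIRCUITRYGIRL\Black Blade</VALUE></PROPERTY>
          <PROPERTY NAME="Change" TYPE="string"><VALUE>Delete</VALUE></PROPERTY>
        </INSTANCE>
      </VALUE.OBJECTWITHPATH>
    </DECLGROUP.WITHPATH>
  </DECLARATION>
</CIM>
'@

function Get-StartupRecordFromCimXml {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    [xml]$doc = $XmlText
    foreach ($inst in $doc.SelectNodes('//INSTANCE[@CLASSNAME="Win32_StartupCommand"]')) {
        # Each PROPERTY carries a NAME attribute and a VALUE child element.
        # Use explicit XPath/attribute calls rather than PowerShell's adapted
        # properties, so names like "Value" cannot collide with XmlNode members.
        $props = @{}
        foreach ($p in $inst.SelectNodes('PROPERTY')) {
            $valueNode = $p.SelectSingleNode('VALUE')
            $props[$p.GetAttribute('NAME')] = if ($valueNode) { $valueNode.InnerText } else { '' }
        }

        # Assumed heuristic: an autostart that lives outside the Windows
        # directory deserves a second look. The snapshot itself encodes no
        # such judgement.
        $cmd = [string]$props['Command']
        $suspect = $cmd -notlike "$env:windir\*"

        [pscustomobject]@{
            Name     = $props['Name']
            Command  = $cmd
            Location = $props['Location']   # registry key or Startup folder
            User     = $props['User']
            Change   = $props['Change']     # "Delete" here: the entry was removed
            Suspect  = $suspect
        }
    }
}

# Run on the constructed sample.
Get-StartupRecordFromCimXml -XmlText $sampleXml | Format-Table -AutoSize

# On a real XP box, walk every snapshot in the DataColl folder:
# Get-ChildItem "$env:windir\PCHEALTH\HELPCTR\DataColl\CollectedData_*.xml" |
#     ForEach-Object { Get-StartupRecordFromCimXml ([IO.File]::ReadAllText($_.FullName)) }
```

    The real file declares encoding="unicode", which is why it is read into a string first and then cast to [xml] rather than loaded straight from disk. If a record for the same Command shows up later with Change set to something other than Delete, the autostart was re-created, which is the "sneaky re-install" the thread describes.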
     
  13. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi - have started a new thread on this subject on Software & Services as suggested.
     
  14. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Yep, HandsOff, Teknum is a bitch to get rid of. Suggest you run scans with Ad-Aware and Spybot, then do a search like Peaches suggested. I believe Peaches wants to know what system you are running?

    Seems I spoke too soon. When I did a scan with the updated Adaware, I found the following: TEKNUM UPDATER
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=Folder : C:\Program Files\Common Files\Teknum Systems
    obj[1]=File : c:\system volume information\_restore{4c782806-b9b4-468e-b22d-d8f3a6ed399d}\rp316\a0071507.dll

    Peaches, thanks for the heads up.
     
  15. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Just ran a scan of the registry and found the following:
    Search results for "teknum", 9/18/2003:

    HKEY_CURRENT_USER
    Software\Lavasoft\ReghanceLast key

    HKEY_CURRENT_USER
    Software\Microsoft\Search Assistant\ACMru\5604000

    HKEY_CURRENT_USER
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\teknum.com

    HKEY_USERS
    S-1-5-21-436374069-789336058-854245398-1003\Software\Lavasoft\ReghanceLast key

    HKEY_USERS
    S-1-5-21-436374069-789336058-854245398-1003\Software\Microsoft\Search Assistant\ACMru\5604000

    HKEY_USERS
    S-1-5-21-436374069-789336058-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\teknum.com

    The Search Assistant entry is probably just because I searched for it. Should I delete all these keys?
     
  16. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Wow, so it's not just me.
    I too am running XP with Spybot, Ad-Aware/Ad-Watch, Norton AntiVirus inboard, Panda AV outboard, and Norton Firewall ... that said, my real protection is (and I am embarrassingly proud of this) my Maxtor external hard drive with Dantz Retrospect backup software. I have my System Restore function disabled, since normally it is much, much better to restore from the external backup, as the built-in restore is notorious for restoring viruses that you removed, etc. ... only ... don't laugh, I did too much work between backups so I prefer not to go back.

    OK, I just found "HKEY USERS\S-1-5-21...\SOFTWARE\TEKNUM\REFCOUNT 0X00000162

    But that doesn't bother me nearly as much as that, all this time after having (somewhat) uninstalled "Easy Crypt", I now have TWO ENTRIES APIECE in the Windows Explorer menu offering to encrypt and decrypt files.

    This might sound crazy, but I think I am going to install the program again, in order to get another shot at removing it. Brilliant? If you don't hear from me in a few days then you may assume that I did not fare too well.
     
  17. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Srfox: I can only see two areas where Teknum is present. If you go to Start/Search and then type in Teknum where it says to search all files & folders, wherever it is, it will be found and listed on the page to the right. If it says Teknum, it is okay to delete. Now that you have done that, do another search and type in Handybits, and any files & folders with Handybits will be listed on the right hand side & may be deleted. If none are found, the page will remain blank.

    When all of the above is done, do a Spybot scan and see if you come up clean.... you should. Then the next day do another Spybot scan. If you come up clean, then you have it all deleted, if not, do the search again.

    If the installer keeps re-installing, what I did was put a diskette in the A drive, then right-click on the installer, click "Move to", choose A:, and bye-bye, sent it off to the diskette, which I then tossed into the trash can. By doing this, the installer was moved out of my computer. [I stumbled on this quite by accident and it worked.] Thus, I did not have to fool around with the registry, which, by the way, if you do mess around there, always make a backup first. Anyway, I recommend you avoid the registry unless you fully understand what you are doing, as you may well delete stuff that you shouldn't.

    If you think that Teknum/Handybits is in your System Restore [WindowsXP], let me know and I will give you instructions how to clean things up. I may have already posted my procedure in a previous post. It took me a while to figure things out as I did not really trust the instructions that Teknum gave me so preferred to do my own thingie - my own thingie, by the way, worked very safely & well for me. :) Puter is purring like a kitten. :cool:
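    An added example, not code from the thread or from Teknum/Handybits, that automates the hunt the two posts above describe by hand: srfox's registry search for the vendor string, and Peaches4U's file search plus check of the startup entries. It lists Run/RunOnce values for the machine and every loaded user hive, the WMI startup view (the same data the Help Center snapshot came from), registry keys and values that mention the vendor, and matching files on disk. It reports only; nothing is deleted. The vendor strings "Teknum" and "Handybits" come from the thread; the list of "likely trace" paths is taken from srfox's observation that some hits are only his own search history or scanner references. Assumes Windows PowerShell 3.0 or later, run elevated.

```powershell
# Added example: inventory where a vendor string still lives after an
# uninstall. Reports only; review each hit and export the key (reg export)
# before deleting anything. Not code from the thread.

$Patterns = @('Teknum', 'Handybits')   # names from this thread

# Paths that usually hold only traces of your own searching or a scanner's
# records, not the program itself (as observed in the thread).
$BenignTraces = @('Search Assistant\ACMru', 'Software\Lavasoft', 'Internet Settings\ZoneMap')

function Test-Match([string]$Text) {
    foreach ($p in $Patterns) { if ($Text -like "*$p*") { return $true } }
    return $false
}

function Get-RunEntry {
    # HKEY_USERS only shows hives that are currently loaded; other profiles
    # need their ntuser.dat loaded (or a logon) to be covered.
    $hives = @('Registry::HKEY_LOCAL_MACHINE') +
             (Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                  ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {   # add Wow6432Node paths on 64-bit if needed
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $k = Get-Item $key
            foreach ($name in $k.GetValueNames()) {
                $cmd = [string]$k.GetValue($name)
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Hit = (Test-Match "$name $cmd") }
            }
        }
    }
}

function Get-StartupView {
    # Registry Run keys plus Startup folders, for every user WMI can see.
    Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User,
                      @{ n = 'Hit'; e = { Test-Match "$($_.Name) $($_.Command)" } }
}

function Find-RegistryString {
    param([string[]]$Roots = @('Registry::HKEY_CURRENT_USER\Software',
                               'Registry::HKEY_LOCAL_MACHINE\SOFTWARE',
                               'Registry::HKEY_CLASSES_ROOT'))   # HKCR is large; expect a wait
    foreach ($root in $Roots) {
        Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $trace = $false
            foreach ($t in $BenignTraces) { if ($key.Name -like "*$t*") { $trace = $true } }
            if (Test-Match $key.PSChildName) {
                [pscustomobject]@{ Kind = 'Key'; Path = $key.Name; Name = ''; Data = ''; LikelyTrace = $trace }
            }
            foreach ($v in $key.GetValueNames()) {
                $data = [string]$key.GetValue($v)
                if ((Test-Match $v) -or (Test-Match $data)) {
                    [pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Name = $v; Data = $data; LikelyTrace = $trace }
                }
            }
        }
    }
}

function Find-VendorFile {
    # "$env:SystemDrive\Documents and Settings" holds the profiles on XP.
    param([string[]]$Roots = @($env:ProgramFiles, $env:windir, "$env:SystemDrive\Users"))
    foreach ($root in $Roots) {
        Get-ChildItem $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { Test-Match $_.Name } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-RunEntry        | Format-Table -AutoSize
Get-StartupView     | Where-Object Hit | Format-Table -AutoSize
Find-RegistryString | Format-Table -AutoSize
Find-VendorFile     | Format-Table -AutoSize
```

    Copies under System Volume Information\_restore (the rp316 hit Ad-Aware reported) are restore-point snapshots and are not readable from a normal account; the way to clear them is the procedure Peaches4U gave, purge the restore points and take a fresh one, which on Windows PowerShell is Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer on the drive in question.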
     
  18. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Either way, let us know one way or another. Tx.
     
  19. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Well I did a search for teknum and the only entries left are my search entries and Spybot and Adware isolation files and references, so what I want to know about is the registry settings I posted.
     
  20. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Srfox - :( I am not an expert when it comes to registry editing. However, I would think that the only items I would attempt to delete would be the following that are highlighted:

    HKEY_USERS
    Settings\ZoneMap\Domains\teknum.com
    HKEY_CURRENT_USER
    Settings\ZoneMap\Domains\teknum.com
    You can also delete Teknum from your Ad-Ware & SpyBot isolation and references.
    Were you able to get rid of the installer??

    Handsoff - you can delete the item that you mentioned you found, namely in "HKEY USERS\S-1-5-21...\SOFTWARE\

    TEKNUM\REFCOUNT 0X00000162
     
  21. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    yeah, the installer is gone. I'll delete the suggested.
     
  22. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Remember an earlier response from TonyKlein,

    "You can download updEnabler.exe on http://www.handybits.com/update_service.asp
    It will allow you to disable the update service.

    Your program will still require Update.exe to load at startup, but it won't want to access the net any more."

    I sort of misread Peaches4U's response when she said she disabled the updater and that did not solve the problem. In my mind it read that 'update_service.asp' did not work. Realizing my mistake, I went back and downloaded the asp fix after reinstalling EasyCrypt. This is so anticlimactic, but I am thinking that the program is working now, even better, perhaps, than TonyKlein predicted. I say this after logging my program modules and encrypting and decrypting a few times. The updater did not even want to run, TonyKlein! And the program worked great with no sneaky maneuvers on the part of the 'updater'.

    Oh, did I mention that I also deactivated the autostart program,

    "C:\Prog...1\Common...1\Teknum...1\Update.exe/startup" ?

    Yes, by joining TonyKlein and Peaches for you, I was able to achieve very satisfactory results.

    Keep up the good work guys, and best of luck to you!
     
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I got rid of Teknum junk a year ago right after I downloaded Handybits and could see right away it was spyware. However, I do still have a folder C:\Program Files\Common Files\Teknum Systems. There is a notepad file in that folder which warns that you must not delete the folder or anything in it otherwise your computer will not function! Is this just some crap that Teknum thought up to scare people like myself? Is it safe to get rid of the entire folder?

    Spybot Search and Destroy hasn't found anything and the only thing I find when doing a registry search is :
    MyComputer\HKEY_CLASSES_ROOT\tsSetup

    I have W98SE.
     
  24. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    The TS setup key is probably so it can set itself back up. I would get rid of that. The folder warning is probably bull. But wait till you hear from the experts here.
     
  25. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I guess if you want to split hairs, then IF you have important files that are STILL ENCRYPTED when you remove the program, then to the extent that those files will be inaccessible you can say that the computer is not functioning. However, were that the case, then I would imagine most people would reinstall the program long enough to decrypt their files.
    By the way, does it strike you as sort of bad planning to install spyware in a program that will be of interest mainly to people who are actively taking steps to secure their computers?
    Their advice to those who chose to deactivate the updater was to at least activate the updater temporarily every week or so to ensure that we are made aware of important ... what was it ... patches? bugs? fixes? once a week.
    I don't know about you, but when I encrypt something using 128-bit strong encryption, I'd like for the outfit who makes it to be just a little more confident that users will in fact be able to decrypt their files again when the time comes.
    I like this site ... where else can I talk like this and believe that someone listening might just understand!
     