Remove the HWCLOCK.EXE/W32.Hwbot-A Trojan

I got the HWCLOCK.EXE when I was testing my new Internet connection.  I noticed it when my Internet DSL connection started feeling like a  56K dialup. 

I removed it by going into Showing all files, going into Safe Mode and deleting the HWCLOCK.exe/W32.Hwbot-A Trojan.

This is a trojan that can actually steal your passwords and other personal data.  On my system is was attacking other system.

I've got more detail instructions on how to remove the HWCLOCK.exe at

If you found this post or others useful, feel free to donate to

elamb – Home Computer Security.  No amount is too low (or high).

Securing Internet Explorer

Securing Internet Explorer:
Step 1.  Turn Security WAY UP
   Tools | Internet Options | select the Security tab | Move the
“security levels for this zone” to HIGH

Step 2. Turn off and Delete All Cookies.
   The first thing you should do is clear out all your cookies.
   Tools | Internet Options | select the Privacy tab | Move the slider in the Settings area to a higher level of security.  Keep in mind that if you block ALL cookies some sites will be limited or even unaccessable.. but you can always go back and change it.

Limiting the number of cookies you except can increase your privacy

Step 3. Disable Java and Active X
   Jave and Active X are know as mobile code because they download software from a remote source (or run from a remote source) to your computer.  Some of the most effective malware are mobile code.
   Tools | Internet Options | select the Security tab | Select the “Costum Level” button which will open up “security settings.”
   Once in Security Settings disable everything under “Active X” and “Scripting.”

What I do is Highten the Security Tab and use Internet Explorer as little as possible.  I use Firefox.  It is also very important to update these (and all other applications) with the latest patches.  This, combined with my router firewall, seems to work really well. 

Neither Firefox or Internet Explorer are secure if you don't take the appropriate measures.

If you do use cookies you should delete them all about twice a week. –> get rid of malware –> secure your broadband connection


A lot of people seem to have the Smitfraud trojan and seem to looking all over the place to get a fix.  So I've consolidated the best resources that I've found on the Smithfraud this blog.  Enjoy.


New Trojan Agent Go

Is a memory-resident trojan that comes through via downloads from malicious web sites.  It executes files from other websites.

Remove Trojan_Agent.go:

Open Task Manager:
CTRL+SHIFT+ESC (on XP), then click the Processes tab.

locate the process:

Select the EVTHTM.EXE process, then press either the End Task or the End Process button, depending on the version of Windows on your system.

  1. To check if the malware process has been terminated, close Task Manager, and then open it again.
  2. Close Task Manager.

If the process does not shutdown, Go to Safe Mode and shut it down.





Report Phishing Instantly with gmail

As I was hitting the “Show Original Message” link on my gmail account, I noticed that there is a “Report Phishing” link on my gmail account. 

Very cool.. Anyway here is the latest phishing attempt I got hit with.

This one is supposedly from ebay.  It is saying that some has added a seller to my account.  The only thing is that I don't have an ebay account attached to this email. 

So view the source of an email from your gmail account click “Show Options” Then “Show Original Message.”  Most email software have this feature:

X-Gmail-Received: 330662dcee7d7f96e1a81e48ae9c33265fe033b5
Received: by with SMTP id t17cs20860nza;
        Wed, 11 May 2005 14:15:24 -0700 (PDT)
Received: by with SMTP id u8mr396722nzd;
        Wed, 11 May 2005 14:15:24 -0700 (PDT)
Return-Path: <root@localhost.localdomain>
Received: from localhost.localdomain ( [])
        by with ESMTP id 15si749916nzn.2005.;
        Wed, 11 May 2005 14:15:24 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by domain of root@localhost.localdomain)
Received: from localhost.localdomain (localhost.localdomain [])
 by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j4BLAxdC009474
 for <>; Thu, 12 May 2005 06:10:59 +0900
Received: (from root@localhost)
 by localhost.localdomain (8.13.1/8.13.1/Submit) id j4BLAxA5009473
 for; Thu, 12 May 2005 06:10:59 +0900
Date: Thu, 12 May 2005 06:10:59 +0900
Subject: You have successfully added a new email address
Message-ID: <>
From: “eBay” <>
Content-Type: text/html

<DIV><DIV id=message><TT style=”FONT-SIZE: x-small;
FONT-FAMILY:'couriernew',monospace”>You have added <A href=”
target=_blank> </A>as a new email address for your
eBay account.<BR><BR>If you did not authorize this change or if you need
assistance with your account, please contact eBay customer service
at:&nbsp;</TT> <P><TT style=”FONT-SIZE: x-small; FONT-FAMILY:
you for using eBay!<BR>The PayPal Team<BR><BR><BR>Please do not reply to
this e-mail. Mail sent to this address cannot be answered. For
assistance, log in to your eBay account and choose the<BR>”Help” link in
the header of any
PROTECT YOUR PASSWORD<BR><BR>&nbsp;&nbsp; NEVER give your password to
anyone and ONLY log in at <A
target=_blank></A&gt; Protect yourself
against fraudulent websites by opening a new web browser (e.g. Internet
Explorer or Netscape) and typing in the eBay URL every time you log in
to your account.<BR><BR><BR>
<BR><BR><BR></B>eBay Email ID PP007</TT></P></DIV></DIV>


Knoppix STD

If you are a Geek, a computer loving freak, a security professional or
just tech-curious, you should check out Knoppix STD.  And NO, the
“STD” doesn't stand for Sexually Transmitted Disease, it stands for
Security Tools Distribution.

So what is Knoppix?  It is an operating system that runs from a
CD!! I learned about this a few years ago and I'm still blown
away.  It is the perfect tool for Security Professionals and
Hackers because it allows you to boot directly from the Disk and use
all the resources of the comptuer. 

The computer has to be set to boot from a disk of course, but that is
as hitting the F12 key (or whatever key it is.. don't recall.. F8.. no
thats SAFE MODE).  Some laptops are tricky as well.. may take some
tinkering with the different modes.

This sucker has all kinds of hacker, security, and even FORENSICS TOOLS built in it! 

Go out there and down load it.. its free.


I got Hacked: phishing, hacking, social engineering, INFOSEC

As a tribute to hacking, white hat and black hat (both the Dark Side and Light Side of the Force) I've put together a page called “I Got Hacked.” 

In it I talk about how I was almost a victim of phishing while on ebay in December 04. I'll also talk more on how I wiped   “trojan-spy.html.smithfraud” from my friends system, since that seems to be popular. 

I'm still working on getting some more content that is more fitting to home computer security made easy, so relax folx.  If you want some basics on how to get some security on your broadband dsl/cable device go my “Broadband Internet Security” page. 

Seems the more aware of information security I become the more hacks I am able to reckognize and get rid of  and the more weakness' and risks I see in other peoples systems, software and social practices. 

I like security and hacking because it can be used to strengthens existing structures be they legal or technological.  And the irony of it all is that all structures must eventually be destroyed for even galaxies die.

There can not be birth without death, light without shadow or security without hacker exploits.


Google Web Accelerator – Broadband Internet Security

Google has launched a web accelerator for broadband users.  And security has become an issue.   Some users are conscerned with cokies being copied and/or shared since the Google Web accelerator caches sites on computer systems to make downloads faster.

Web accelerator concerns on

by: n-g-k (0) on 10:34 AM 5/05/05 | Score:

This is the antithesis of the anonymous proxy, you're giving up privacy for a couple more seconds of speed here and there? Google is going to log everything, find out who goes from what site to whatever other site, datamine, look for patterns, find out all kinds of things about people and society for what purpose? To help them sell more advertising and make more money? Well, that's just the primary reason, who knows what other nefarious motivations there could be. Imagine yourself owning google with all of that supercomputing power, others have said it above, google is the ultimate hacker. You can have your GWA, I say “No thanks!”

Better solution: use Firefox, hold down CTRL when you click, any links you click on will open in a new tab and begin downloading. Using this method you can click a bunch of links you will want to see, then by the time you get to the tabs they are already opened. Use CTRL-W to close the tab when you are done reading it and the next tab will be up.

by: n-g-k (0) on 02:23 PM 5/05/05 | Score:

Here is a very good article that goes along with what I wrote above:

1 171 172 173 174