Sunday, October 31, 2010

FLVTube - rogue video player

FLVTube is supposedly a video player that downloads and plays YouTube videos. Only a few anti-viruses categorize FLVTube as an adware, and most of the antivirus software do not have any detection for it. FLVTube uses the familiar fake codec download techniques to trick PC users in downloading their software: You chance upon a video clip on a random website and to view it you need to download FLVTube! If FLVTube is really a genuine video player, then I wonder why they are using such misleading installation strategies.


During installation, FLVTube gives options to install following affiliate products of questionable reputation:
  • Emoticons Toolbar by SweetIM
  • WhiteSmoke Grammar software
  • Uniblue RegistryBooster

And, it installs following mandatory components:
  • FLVTube Player
  • FLVTube Toolbar
  • QueryBrowser Search Assistant

FLVTube Toolbar and QueryBrowser Search Assistant hijack browser homepage and search provider to http://flvtubesearch.co and www.querybrowser.com (however, this is mentioned in terms and conditions during installation).


VirusTotal scan results of installer and browser plugins can be found here, here and here. Stay clear of this rogue video player! Malwarebytes Anti-Malware can be used to remove FLVTube Player.

Saturday, October 23, 2010

ThinkPoint rogue antivirus

ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. Once installed, it shows a fake "Microsoft Security Essentials Alert" popup box showing a non-existent threat.


ThinkPoint adds a Winlogon Shell registry entry, so that ThinkPoint starts up instead of Windows Explorer during Windows startup. ThinkPoint hijacks the startup/login screen.


At this point, follow these steps to get back the standard Windows desktop:
  • Start Task Manager by pressing CTRL+ALT+DEL and kill the process named hotfix.exe.
  • Go to File Menu > New Task (Run) in Task Manager and type explorer.exe to spawn Windows Explorer.

In case you don't find hotfix.exe process in Task Manager, it could mean that the rogue program is using a different filename. Interestingly, there's a workaround built into this rogue program to get to desktop:
  • Click "Safe Startup" button and allow it to finish its fake scanning (duh!). After it completes scanning and shows scan results, click "Continue Unprotected".
  • Now, click "Settings" and select the option "Allow unprotected startup".
  • Close ThinkPoint rogue program's window by clicking the close button on top-right corner. This should take you to the standard Windows desktop.

VirusTotal scan results for ThinkPoint installer can be found here. Malwarebytes' Anti-Malware can be used to remove ThinkPoint rogue antivirus program completely.

Monday, September 13, 2010

OAuth support for twitCurl

The twitCurl twitter API library now supports OAuth authorization methods for twitter! Check out project wiki page for more information on twitCurl OAuth flow:

Labels: , , ,

Wednesday, September 01, 2010

ARKit updates

Few updates on ARKit library! Following functionalities have been added to the library:
  • VAD tree traversal to find images loaded by a process
  • SSDT hook restoration
  • Kernel inline hook restoration
  • Process detection by scanning Handle Table
  • Process termination using NtTerminateProcess and NtTerminateThread
Get the source code here.

Sunday, July 25, 2010

ARKit - An open-source rootkit detection library for Windows

ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:
  1. ARKitLib - A Win32/C++ static library that exposes various methods to scan system and detect rootkits
  2. ARKitDrv - A device driver that actually implements methods to scan and detect rootkits
Currently, ARKit has following features:
  1. Process scanning – Detect all running processes (hidden and visible)
  2. DLL scanning – Detect DLLs loaded in a process
  3. Driver scanning – Detect all loaded drivers (hidden and visible)
  4. SSDT hook detection
  5. Sysenter hook detection
  6. Kernel inline hook detection
ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.

For more information on ARKit project, please visit:

Tuesday, April 06, 2010

yelpcurl - C++ Yelp API library

yelpcurl is an open-source, pure C++ wrapper for Yelp's RESTful APIs. The library currently supports all the APIs provided by Yelp. yelpcurl uses cURL and is written in a similar way as that of twitcurl. Building applications using yelpcurl is quite easy:
  • Compile yelpcurl source files (yelpcurl.h and yelpcurl.cpp) and link with cURL library (libcurl.lib) to build static library yelpcurl.lib.
  • Include yelpcurl.h and cURL headers (present in /include/curl/ directory in cURL source) in your Yelp based application and link to yelpcurl.lib and also libcurl.lib/libcurl.dll.
  • Instantiate an object of yelpCurl class and use the Yelp API wrappers that are exposed as public methods.
yelpcurl works on all OS (Windows, Linux, Mac etc.) as it is written completely in C++ and the only dependency is cURL (which works on all OSes mentioned earlier).

More info about the yelpcurl library can be found here:

Wednesday, September 02, 2009

twitcurl - C++ twitter API library

twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be updated to support all the APIs. twitcurl uses cURL library for handling HTTP requests and responses. Building applications using twitcurl is quite easy:
  1. Compile twitcurl source files (twitcurl.h and twitcurl.cpp) and link with cURL library (libcurl.lib) to build twitcurl.lib
  2. Include twitcurl.h in your twitter based application and link to twitcurl.lib and libcurl.lib/libcurl.dll.
  3. Instantiate an object of twitCurl class and use the twitter API wrappers that are exposed as public methods.
twitcurl works on all OS (Windows, Linux, Mac etc.) as it is written completely in C++ and the only dependency is cURL (which works on all OSes mentioned earlier). More info about the twitcurl library along with an example program is available here:
http://code.google.com/p/twitcurl/