lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs: 
2 edits | reply to CalamityJane
Post that was here
Deserves it's own topic 
»[OT] Kudos |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL | reply to icex _
Re: [Virus] Virus's and spyware!
Good job, icex_!  |
|
icex _
Premium
join:2004-05-22
USA
clubs:
 ·Colane Cable
| reply to CalamityJane
Yes, I noticed that avast has realtime protection, so I uninstalled AVG since avast! detected more virus's than avg did.
Yep, they had ares installed, about the worst program to install realy. Its gone though, formated. =) It doesent have the service pack 2 anymore, but when I take it back to her, I'm going to immediatly download all updates on her dsl connection.
--
Team Discovery |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
| reply to icex _
Yes, both Avast and AVG antivirus do have realtime protection. But only use one running realtime (not good to have 2 antiviruses running at the same time). You can have multiple antispyware programs (and you had mentioned AVG antispyware which is different from the AV program they also offer).
Protection software is a really good idea, but your users also need to understand that one can't expect software to catch 100% of everything. THey need to practice some safer computer habits. I think I noticed a P2P program installed - do they realize the danger in downloading files from a P2P network?
I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!
Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).
A word about shared computers and networks.
Share Your PC
»www.microsoft.com/windowsxp/usin···tro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.
Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help .
How do I prevent Browser Hijacks and Spyware?
»Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?
I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
»update.microsoft.com/microsoftupdate/
And see this link for instructions on how to configure the enhanced security features in SP2:
»www.microsoft.com/technet/securi···cxp.mspx
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
»www.microsoft.com/technet/securi···ome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
Also visit this Free Online Scanner from Microsoft for PC Health and Safety
»safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
»www.microsoft.com/athome/securit···ult.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
--
It takes a disaster to make a woman out of a femaleMicrosoft MVP/Windows Security 2003-2007Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
icex _
Premium
join:2004-05-22
USA
clubs: | reply to icex _
Ok, Avast! does have a real-time protection scanner. Is there anything else I should install? I don't want this to happen to this computer again.
--
Team Discovery |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
| reply to CalamityJane
I just want to ask one more thing.
So far I have installed Avast! antivirus, AVG anti spyware, Spybot - Search and destroy, Tea-timer, and Ad-aware. Does avast have automatic protection like AVG? I'm getting ready to install AVG for the real-time protection, if Avast! doesent.
--
Team Discovery |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL | reply to icex _
Glad we could help icex_ |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
1 edit | reply to CalamityJane
I'm only 16 to be honest. Started doing computer work when I was eleven pretty much, got tired of it last year.
Yes, I don't know if she will or not, but I told her to contact the debit card company, and to watch her credit report for awhile.
And, no I won't take advantage of anyone here. I realy wasent planning on comming here; because I've fixed about 3 computers before with the exact problem, except they dident have backdoors and all that. But this computer is so bad, I had to get professional advice. |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
| reply to icex _
You're welcome. You sound like good guy so I think you would not take advantage of our volunteer services here. My biggest concern is the severe nature of the infections found on this PC. If it has been going on a while that makes it even worse.
--
It takes a disaster to make a woman out of a femaleMicrosoft MVP/Windows Security 2003-2007Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
1 edit | reply to CalamityJane
No, I do not mean paying anyone at dslreports.com. I have worked on this computer before and never accepted payment, but she gave me $25 for working on it anyway. She asked me how much I would charge and I said I'll see.
I don't realy have time to work on computers hardly anymore. Last year when I worked on this computer that was all I done, was worked on computers, because I enjoyed it. Now, I workout everyday, and I enjoy doing other things, not working on computers much anymore. I hope this post doesent sound sarcastic or anything.
She told me these problems have been going on for along time, and she could only use her daughters account. I am guessing there has been alot of stuff on here -- and it has downloaded all of this new stuff.
Thank you for taking your time to help me though. I realy do appreciate it. If I was still into computers like I use to be, then I probaly wouldent care to fix it for nothing. But like I said, I workout everday and like doing other things. We just got a boat, but I'm trying to fix this, which is taking time from me.
I'm not going to rip someone off when I fix their computer. When I use to work on computers, I never asked for anything, and still don't, they just ask me for a price. I try to be fair; computer shops would charge atleast $120 for what I am doing right now. I hope you understand, and thank you again for your help.
Edit to add: I always give a speech to people about security, and show them how to use their anti virus/anti spyware when I install it. |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
| reply to icex _
That's a good idea. Backup any documents to removable media and be sure that you scan them with a number of anti-malware apps before putting them onto a clean computer.
SO you do have reinstall disks?
As for getting paid - there is no payment requested nor expected here for the advice we give in cleanups. We are volunteers giving freely of our own time. In fact, we rather resent using our volunteer time to help others if you are going to turn around and charge someone for it so I sure hope you do NOT include any of the time we have spent here! The other thing is that you need to be sure that in your cleaning you keep in mind the total needs of the person you are helping. In the best interest of this person's computer, good security advice would entail letting them know the risks involved and the total picture of future security. As I said earlier, it is a trivial matter in this case to clean off infected files and remove symptoms of the infection, but learning what exactly what that infection has done is important to relay back to the user so they can make an informed decision that will ensure minimal risk of future exposure. Cleaning is not always the ideal remediation. A PC as infected as this one with the most malicious types of malware - it is a prime example of when cleaning is not a recommendation.
--
It takes a disaster to make a woman out of a femaleMicrosoft MVP/Windows Security 2003-2007Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
| reply to CalamityJane
One more thing I forgot to mention, she uses a debit card ALL THE TIME on her computer, so I told her to call the credit card company and the credit bureau or whatever and tell them to watch her credit for a month or two for suspicious activity.
--
Team Discovery |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
| reply to CalamityJane
Well, heres an update.
She sent the disks to me today, and told me to just get her pictures, word perfect documents and music and wipe it clean. So thats what I am doing now =)
--
Team Discovery |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
| reply to CalamityJane
I will let you know when she calls back what's going on. She may just say to clean it the best I can and give it to her, or she may say she'll buy a new one. I have wasted a whole week on this thing, pretty much for nothing, because I doubt she's going to pay me for something unfixable.
--
Team Discovery |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
2 edits | reply to icex _
said by icex _  :I called and she wasent home. I left a message. I am going to ask her if she has entered credit cards, or anything like that, and if she has to keep a check on her credit report and possibly alert the credit card company to look for suspicious charges, since her computer was pretty much hacked. I found a keylogger on here to when I first worked on the computer, so that pretty much is a high risk that any passwords, credit card numbers, etc has been logged. Yes, please do follow up on that. If a keylogger was found that further complicates any data at all on that computer. Earlier I linked an FAQ here that should also help:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
ALL passwords to ANY accounts should be changed and monitored for suspicious activity. That would include, in addition to any personal financial information or accounts but also emails, internet accounts anything at all could have been stolen and you have to assume it was, as badly hacked as this PC was/is (it's still got a rootkit and other nasties lurking on there so make sure this doesn't go on the net anymore). The presence of a keylogger further solidifies the malicious intent of the intruder.
Consider also any other information or records that may belong to others and stored on that PC? The keylogger records keystrokes; those backdoor trojans can steal any documents/info they want and can just access anything (documents, addressbooks, etc.) without the knowledge of the user.
--
It takes a disaster to make a woman out of a femaleMicrosoft MVP/Windows Security 2003-2007Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable
| reply to CalamityJane
I called and she wasent home. I left a message.
I am going to ask her if she has entered credit cards, or anything like that, and if she has to keep a check on her credit report and possibly alert the credit card company to look for suspicious charges, since her computer was pretty much hacked. I found a keylogger on here to when I first worked on the computer, so that pretty much is a high risk that any passwords, credit card numbers, etc has been logged.
--
Team Discovery |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL | reply to icex _
I think that's a good idea to let her know because this machine IS a security risk even if we try to clean it up. Refer her to this topic and our posts here. |
|
icex _
Premium
join:2004-05-22
USA
clubs: | reply to CalamityJane
I'm going to call her and see what she wants me to do. I will probaly offer to build her a computer, better and cheaper then dell.
--
Team Discovery |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
| reply to icex _
I have a really bad feeling that by helping you remove the infected files, that I'm giving you a false sense of security and that the original owner of this PC will be left in the dark about how serious this breach of their computer has been and the security implications with running this as a trusted machine in the future.
quote:
This computer has two accounts. On the "Mom" account it seems fine. On the other account, (their both admin accounts by the way) all is not fine
Has "Mom" been informed fully that this computer has been hosed to the point that there is no guarantee that these "fixes" will keep their info and data safe in the future and, more importantly, the very real possibility that any sensitive data stored on this PC is now at risk and could very well be in the hands of an attacker?
Some points to note as we are removing infected files and you may NOT notice symptoms of system changes by the attacker:
said by Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I,
Security Program Manager,Microsoft Corporation, Published: May 7, 2004 :
So, you didn’t protect the system and it got hacked. What to do? Well, let’s see:
• You can’t clean a compromised system by patching it. Patching only removes the vulnerability. Upon getting into your system, the attacker probably ensured that there were several other ways to get back in.
• You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.
• You can’t clean a compromised system by using some “vulnerability remover.” Let’s say you had a system hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn’t. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn’t think so.
• You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.
• You can’t clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.
• You can’t trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data.
• You can’t trust the event logs on a compromised system. Upon gaining full access to a system, it is simple for an attacker to modify the event logs on that system to cover any tracks. If you rely on the event logs to tell you what has been done to your system, you may just be reading what the attacker wants you to read.
• You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system.
• The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
The above quote taken from this page:
»www.microsoft.com/technet/commun···504.mspx
Not having the original install disk and/or backups prior to the compromise makes this option pretty much impossible. However, continuing to use this PC on the internet as a trusted machine is a risk for future use. It might be time for a new computer and retire this one.
I can tell you that I would not use it after this serious a breach. Give your friend this link if they do not understand what happens when your computer is wide open and under control of a remote access trojan:
Invasion of the Computer Snatchers
»www.washingtonpost.com/wp-dyn/co···342.html
That is the reality of what we are dealing with here. This PC has been so seriously compromised that I do not want to mislead you into thinking that this "cleaning" will reverse the potential of the damage already done. The fact that it was hosting Multiple rootkits and backdoor trojans makes the breach pretty much a worst case scenerio, with many of these problems you have seen thus far trying to "clean" the system.
Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
»www.microsoft.com/technet/commun···704.mspx
quote:
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That’s where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.
--
It takes a disaster to make a woman out of a femaleMicrosoft MVP/Windows Security 2003-2007Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
