Topic 'Trojans,spyware,etc......' in forum 'Security' - dslreports.com http://www.dslreports.com/forum/Trojansspywareetc-22651724 en Sat, 11 Feb 2012 16:12:31 EDT Sat, 11 Feb 2012 16:12:31 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22657735
Thanks,
//A]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22657735 Sun, 05 Jul 2009 16:45:43 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22656738 Re: Trojans,spyware,etc.......

The colon (:) got picked up as part of the URL, invalidating it.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22656738 Sun, 05 Jul 2009 11:30:59 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22656656
Take the advice in this thread and run Malware Bytes and SuperAntiSpyware. You are most likely still infected. My concern would be how you got infected to begin with. It seems you don't have any programs in place that provide real time scanning.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22656656 Sun, 05 Jul 2009 11:02:27 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22656410
I found task manager, local registry editing and windows security centre disabled; a remote user, however, could edit the registry. Windows would not boot up in safe mode. Most malware scanners and hijack this would not run. Threatfire installed, however, and spotted various normally innocuous programs (eg, soundman.exe) altering other .exe files at a high rate.

Using system restore I re-enabled safe mode, reg edit and task manager, and I got some boot time scans done. Found two trojans and 1793 instances of win32:sality. The applications and Windows are effectively wrecked, all system restore has done is allow me to get in there and try and rescue important data.

System restore might make things look better, but it almost certainly hasn't removed all of the malware.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22656410 Sun, 05 Jul 2009 09:29:00 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654973 said by Dude111:

Spysweeper didnt seem to stop this fake ANTIVIRUS 2009 from installing...... (Thats what is on there)
That's the wrong type of program to prevent mistakes. Install some type of white list program:

[att=2]

On family computers, I instruct the users thus:

RULE: If you don't specifically go looking for a program, do not install.

This also takes care of being tricked with fake videos a la Waledac 4th of July stuff:

[att=1]

RULE: Pictures and Videos are not programs that install.

----
rich
Click for full size
Click for full size
]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654973 Sat, 04 Jul 2009 19:31:57 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654776 said by Dude111:

It all is very scary how this crap can just install itself on your computer!!

My mom was using the XP this morning doing some research and all of a sudden she started saying "Whats going on??"

I went into the room and ANTIVIRUS PRO 2009 HAD INSTALLED and was throwing up porn popups,etc....... (Thats a fake virus program that tries to say your PC is infected,etc)

I told my mom to relax as i did a system restore to June 16th and it was gone.....

My mom doesnt know much about computers or i would try to explain to her about SURFING WITH SCRIPTS DISABLED.. (Much safer)

She uses IE7 and when i use that computer,i use Firefox 1.5 (WITH SCRIPTS DISABLED) as i dont like IE7 at all....... (And ff1.5 is alot like MyIE2 (My favourite browser))

Spysweeper didnt seem to stop this fake ANTIVIRUS 2009 from installing...... (Thats what is on there)

Its all quite scary the level these scumbags go thru to hurt people and thier computers!!
The first thing you need to ask yourself: Does your mom really need to be using Windows? If she doesn't know much about computers, she is never going to be able to put the time and effort needed into securing that inherently insecure OS. It would probably be better to back up her important docs, pics, videos, etc., wipe the drive and install a Linux distro. Then the security issues are fixed for good.

This is what I did for my mother. I got sick and tired of seeing all the crapware and trojans that were installed when I visited. It's easier to install Ubuntu and be done with it as opposed to trying to explain "safe computing practices" to someone who doesn't know the first thing about the subject.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654776 Sat, 04 Jul 2009 18:17:54 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654344 This »support.microsoft.com/kb/281616 is a no show ?On my end, it opens properly and is searchable (see attached snip image). The direct link should work: »support.microsoft.com/kb/281616

//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.
Click for full size
Windows 7 Enterprise Build 7100 x64 via Windows Internet Explorer 8.
]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654344 Sat, 04 Jul 2009 16:09:06 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654229 said by Rebirth:

Enhance what. Pages can be made perfectly fine, and SAFER ( well by people who know how to ) without scripting. For eg, with CSS.

even better in txt format, keep it simple

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654229 Sat, 04 Jul 2009 15:28:25 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654216
enhance ?

Enhance what. Pages can be made perfectly fine, and SAFER ( well by people who know how to ) without scripting. For eg, with CSS.

Anyway my post was a direct reply to Ahulett, so i look forward to his responses on the points i raised. Thanks]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654216 Sat, 04 Jul 2009 15:24:46 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654186 said by Rebirth:

And whilst we're on the subject listed on there, why does MS insist on using pages that require scripting, when they could be made without ? Scripting, ActiveX and iframes are the Malware merchants best friends !
the same reason all other sites have it, to enhance. Just javascript is sufficient for those pages

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654186 Sat, 04 Jul 2009 15:16:46 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654173
Some usefull links there.

This »support.microsoft.com/kb/281616 is a no show ?

And whilst we're on the subject listed on there, why does MS insist on using pages that require scripting, when they could be made without ? Scripting, ActiveX and iframes are the Malware merchants best friends !

On here http://support.microsoft.com/kb/959063 it states ( The utility creates restore points once a day by default. ) I have a PC with XP on it i've been using for a couple of years, and it NEVER did this once. Only after these events

installing software
updating hardware drivers
installing new hardware drivers
manual creations of restore points

I'm also on a Vista PC right now, and it only does the same ?

Also on quite a number of occasions i've needed to do a SR for people after Malware infections etc. Quite often ALL the SR events have dissapeared, big problems as you can imagine. Can't MS properly protect these in future, they already should be. For example they could be encrypted and be made free from tamper/deletion.

Thanks
Click for full size
No show & scripting
]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654173 Sat, 04 Jul 2009 15:12:31 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654045
In any case, if you'd like to investigate running as a limited user, I suggest setting up a separate account rather than convert this one. This way, if there's a blocking issue or some other thing that requires administrator privileges, you can easily log in with the other account and keep going.

//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654045 Sat, 04 Jul 2009 14:30:42 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22654012
Windows Help and How-to
What types of files does System Restore change?
»windowshelp.microsoft.com/Window···033.mspx
Excerpt:
System Restore can make changes to Windows system files, registry settings, and programs installed on your computer. It also can make changes to scripts, batch files, and other types of executable files on your computer. Personal files, such as documents, e‑mail, photos, and music files, are not changed.
Microsoft Knowledge Base Article 955063
What is System Restore?
»support.microsoft.com/kb/959063
Excerpt:
System Restore is a Microsoft® Windows® tool designed to protect and repair the computer software. System Restore takes a "snapshot" of the some system files and the Windows registry and saves them as Restore Points. When an install failure or data corruption occurs, System Restore can return a system to working condition without you having to reinstall the operating system. It repairs the Windows environment by reverting back to the files and settings that were saved in the restore point.

Note: It does not affect your personal data files on the computer.
(Yes, I see the extra 'the' in 'of the some system files' - I'll open an edit request with the Knowledge Base team to call attention to it.)

Microsoft Knowledge Base Article 306084
How antivirus software and System Restore work together
»support.microsoft.com/kb/306084

And from KB Article 555367 at »support.microsoft.com/kb/281616:
For a full list of all the files that are excluded from the System Restore procedure, view the following file:

%SystemRoot%\System32\Restore\Filelist.xml
Although I can't find that file in that location on my Windows 7 machine, so it may only apply to Windows XP Professional as shown in the article's Applies To section.

//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22654012 Sat, 04 Jul 2009 14:18:08 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22653660 http://www.dslreports.com/forum/Re-Trojansspywareetc-22653660 Sat, 04 Jul 2009 12:34:15 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22653620 http://www.dslreports.com/forum/Re-Trojansspywareetc-22653620 Sat, 04 Jul 2009 12:20:26 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22653406 I went into the room and ANTIVIRUS PRO 2009 HAD INSTALLED and was throwing up porn popups,etc....... (Thats a fake virus program that tries to say your PC is infected,etc)It didn't "just install". She had to click on something before it would install.

Admittedly, it's a nasty and tends to put the browser in a loop that you cannot break out of except by installing or killing the browser process, or logout then log back in and let Windows kill the browser process. Perhaps a bit more education is in order, so she knows how to avoid this in future.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22653406 Sat, 04 Jul 2009 11:01:35 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22653348 said by Dude111:

Well doing a system restore REPLACES ALL FILES ON THE COMPUTER.....

if only, see what gets or not restored
»www.kellys-korner-xp.com/xp_restore.htm

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22653348 Sat, 04 Jul 2009 10:43:52 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22653334
So when i did a restore to June 16th,that anti-virus program WAS NOT ON THE COMPUTER.. (The computer is fine now)

I was actually surprised the fake anti-virus program DID NOT DELETE ALL RESTORE POINTS!! (Most of them do this so you cannot get rid of it)]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22653334 Sat, 04 Jul 2009 10:40:19 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22653159
I would like to add one extra point though as we're well aware even legitimate websites can be compromised and host attack code.

There is still the elevated risk from the dark side of the web @ pr0n,Keygens,Warez site etc

So becareful where you choose to park that car !

Certain neighbourhoods represent higher risk of theft or vandalism...
--

Ade Gill
Malwarebytes Researcher]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22653159 Sat, 04 Jul 2009 09:27:57 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22652901
It's like your car. You always lock the door. We don't have periods where we leave the car unlocked because there's no reports of car theft... we lock the door no matter what, because it helps protect it and its contents.

And, if someone we know has items stolen from inside their car, and we find out they left the doors unlocked, we immediately think, "Geez, umm, you kind of earned that one, you didn't lock the door."

But yet we don't think this way about protecting our computers.

How come? Well, to help prevent someone from stealing items from your car, on many cars nowadays, one just pushes a button on their keychain remote, the doors lock, the car alarm activates and they're all set (or more accurately, they feel they're all set). This doesn't exist, exactly, for PCs.

Security programs tried heading in that direction by pulling together the important aspects of things, mainly antimalware, firewall, installing system updates and taking data backups, providing one-button fixes when things needed attention, and even there things aren't done yet, such as updating third party applications and browser plug-ins. Just as with our cars, even though we lock the doors, we should hide valuables, or even take them with us rather than leave them in the car to tempt those passing by.

Of course, once you have antimalware, firewalls, updates installed and backups made, you're not done yet. You're never done. Remember, the moment you think you're secure is the moment you're most vulnerable. And to use the original post as an example, you might say run Firefox with scripts disabled, and you may even update to the latest version of Firefox, but that's ok, the 'bad guys' can come in via Flash, or as an attachment in an email that looks like it came from your mom's bank, or if they're lucky enough, SneakerNet will get things in there.

Which is why my other post asked about updating other things, as it appears the solution was to simply roll back to an earlier state, move on and dangerously assume the malware didn't survive the rollback. Its a Secret See Profile has it right... you're not done yet. Going back to the car analogy, someone broke the passenger window, and you replaced it, but you haven't looked around in the car yet to see if anything else is missing or damaged, or if something NEW is in there monitoring you driving.

I hope, that in the long run, you're thinking beyond the browser and looking at a full security solution which includes an antimalware scanner, an inbound firewall, installing system updates, updating third-party software, including browsers and their add-ons, and EDUCATING your mom on how to both recognize attempts to infect (such as by a malicious web page or a fradulent email or instant message), and even more importantly, what to do if she suspects she's infected, even if the first step is simply, "Call you." Remember, you're still not done at this point, but if you get here, you're sitting pretty good in my personal opinion.

//A
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22652901 Sat, 04 Jul 2009 05:19:52 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22652754 Some identify it as SKYNET/TDSS/gxvxc rootkit. Very nasty.
»community.norton.com/norton/boar···id=59550
A couple of my friends have encountered it as well in the last couple of weeks.
A little OT, but just thought i'd add that in.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22652754 Sat, 04 Jul 2009 02:37:45 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22652709 http://www.dslreports.com/forum/Re-Trojansspywareetc-22652709 Sat, 04 Jul 2009 02:12:56 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22651828
//A

This post is provided "AS IS" without warranty, and confers no rights.
--
Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22651828 Fri, 03 Jul 2009 21:13:42 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22651774 when i use that computer,i use Firefox 1.5

FF 1.5 is way out dated and probably not as safe as the newer(est) version(s). You should up date that as well. ]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22651774 Fri, 03 Jul 2009 21:01:00 EDT Re: Trojans,spyware,etc...... http://www.dslreports.com/forum/Re-Trojansspywareetc-22651733
Or better yet, go to »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and do the full monty.

Best of luck!
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous]]> http://www.dslreports.com/forum/Re-Trojansspywareetc-22651733 Fri, 03 Jul 2009 20:51:53 EDT Trojans,spyware,etc...... http://www.dslreports.com/forum/Trojansspywareetc-22651724
My mom was using the XP this morning doing some research and all of a sudden she started saying "Whats going on??"

I went into the room and ANTIVIRUS PRO 2009 HAD INSTALLED and was throwing up porn popups,etc....... (Thats a fake virus program that tries to say your PC is infected,etc)

I told my mom to relax as i did a system restore to June 16th and it was gone.....

My mom doesnt know much about computers or i would try to explain to her about SURFING WITH SCRIPTS DISABLED.. (Much safer)

She uses IE7 and when i use that computer,i use Firefox 1.5 (WITH SCRIPTS DISABLED) as i dont like IE7 at all....... (And ff1.5 is alot like MyIE2 (My favourite browser))

Spysweeper didnt seem to stop this fake ANTIVIRUS 2009 from installing...... (Thats what is on there)

Its all quite scary the level these scumbags go thru to hurt people and thier computers!!]]> http://www.dslreports.com/forum/Trojansspywareetc-22651724 Fri, 03 Jul 2009 20:49:06 EDT