Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

Dustyn to R2

Re: How do these get on to a computer?

Unfortunately... that is not all that surprising to me. Even on DSLR, there should be a couple of logs at least. This tells me what I've been saying about IE11. Go to those same sites with any other browser and you should see logs.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA


FYI, Malwarebytes finds the most problems. Other programs were good, but nothing was quite as thorough as Malwarebytes at cleaning up the system. I hope everything is gone now... Time will tell.
R2

1 recommendation

R2 to lawsoncl
Interestingly it looks like AdMuncher works on Chrome just not IE 11. I did find log entries after using Chrome! So I have to say Dustyn is right.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

1 recommendation

justin to R2
I'm at my brother's place. He has Windows 7 Home Premium and his PC was a rat's nest. I had to run Spybot Search & Destroy (which took several hours). SpywareBlaster, which he had, was a fail. Key loggers, hotbars, you name it.

His family likes to use uTorrent and they usually get fooled by those DOWNLOAD NOW adverts. The ones that infest apparently all sites that offer downloads except for GitHub. The adverts that for some reason Google AdSense or legit ad networks seem to allow, probably because they are extremely lucrative, even though they are completely misleading.

I can only conclude that despite all the improvements Windows 7 brought to security, and the "reset browser" options, and the IE11 Alt-T menu for removing extensions, there are still a dozen ways for stuff to worm its way into the OS, into menus and into the registry. As a habitual user of another OS it was a real shock.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13


Makes me think fondly of when all operating systems were command-line based; it was intimidating to some, and many didn't try. When I was hiding files in DOS in a directory with an extended ASCII character that looked like a space, so most people didn't think anything of it, others weren't even reading the manual to set the time on their VCR. When Win 9x came around and malware really started taking off, I got tired of cleaning people's computers quickly; however, back then Microsoft was also slow to patch problems, especially with IE, so it was best to use IE with everything in the Restricted zone by default. Thankfully Phoenix rose from the ashes of Netscape, later to be called Firefox over naming issues, and restored some balance to the internet.

Not bragging, but I'm also posting from an OS other than Windows; however, I still maintain a Windows installation for some software I find a royal PITA to emulate/virtualize.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

1 edit

R2 to justin
Hey, justin, long time.

Ugh. Yes, these kinds of things are huge time wasters! It takes hours to really clean up an infected machine. I do find it a little humorous that these guys use names that sort of make it easier - like CheepDeaals or CoupoonSaave. They title the program folder with that, and also add registry entries with that kind of name! Granted, not all of them are that way, but the vast majority of them were!

And I swear this computer had the same infections about a year ago, or at least very similar ones. And the ones that register themselves with class IDs should be easily preventable with SpywareBlaster. Unless they are using some kind of random number generator to give them the class ID number. But I don't think that's what's happening. Now that SpywareBlaster's gone to a "fourth party", I'm not sure the updates are keeping up with the malware.

Is JavaCool still around, or am I dating myself?

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to R2
said by R2:

How to I prevent this from happening a THIRD time??? Thank you.

Some guy named Steve once offered this advice.
»technet.microsoft.com/en ··· %29.aspx

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand

Sparrow to Dustyn
Very odd. Then why am I not seeing ANY ads whatsoever? I have nothing else loaded on here. Is it possible only the logging isn't working on IE?

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to Snowy
That would be great; however, the stupid program that she has to use requires her to be an Administrator. I tried making her a Limited User and all that did was have her run to get me every five minutes to come back and run something as Administrator again! It was a nightmare and simply not possible. I can't spend every five minutes of every day running back to run something as an Administrator!

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Sparrow
There must be something else you have going on. No matter what I did, I couldn't get AdMuncher working on my tablet with IE11. I had to resort to relying only on a HOSTS file. This annoys me as I use Metro IE often, since it's a tablet.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA


AdMuncher is certainly not logging any activity when I use IE 11 - but it does log activity if I use Chrome. I think it unlikely that the "logging function" is broken only for IE, and it is much more plausible that the filtering function is what is not working.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to R2
said by R2:

Is JavaCool still around, or am I dating myself?

His official forums are still active at Wilders. He replied to a Spyware Blaster user on March 29, 2015.

What's this about Spyware Blaster having gone to a "fourth party"? I've been using it since it was first in beta...all those years ago.. 2002? (so if you are "dating" yourself then I am also)! As far as I know JavaCool still owns it and he is still the moderator of Javacool official forums. He's also still a member here but has not been active for almost two years.

»www.wilderssecurity.com/ ··· orum.23/

Maybe you need the additional custom list installed:

»Opinions on Spywareblaster
fixrman
From a broken heart to a hole in the sky
Premium Member
join:2003-02-10
Hatboro, PA
·Verizon FiOS

fixrman to R2
said by R2:

This is from an employee that SWEARS she never does any thing but use the computer for work - never searches for things or buys things - yet twice in a year she gets the same infections. (OK, yeah right...)

Yeah, sure. If you are the IT guy, you could just have a list of approved websites and keep her out of her shopping habits. If she were just getting spam emails, I'd believe her, but you should know that CLSIDs appear from user action. Perhaps someone else shares that unit?

Social Engineering and Click-Happy Button Pressers is how it happens.

The other way to prevent it is to install Linux on her computer and have her go online with that.
85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

85160670 (banned) to Velnias
said by Velnias:

Install Ubuntu and forget all these baddies. Works well for ignorant users.

Windows never was secure and may never be. Unless you get paid for fiddling with Windows, don't waste your time and money.

Sounds like a perfect world... but most people are reluctant to learn a new OS and would NOT be able to do their daily tasks. My perception is that "MASTERING" your OS is the KEY. Just my own opinion!


R2
R Not
MVM
join:2000-09-18
Long Beach, CA

2 edits

R2 to Mele20
Hey Mele,

Thanks. I am probably misinterpreting how the program is "produced" now - it appears to come from some larger organization, but maybe JavaCool has just done a great job of setting up his business! I just thought he likely sold it off to someone else - like most inventors do. Kudos to him for doing a great job.

I have to believe that the user just clicked on the things she's not supposed to. She's not the most Internet savvy, and in fact the words Internet savvy and her don't belong in the same sentence! I know "how" she got them, I'm just perplexed how into 2015 this can still be happening - despite all of our knowledge!!!! Yes, I've been here since way before 2002 - I guess when SpywareBlaster started - and we had the same problems back then! It's frustrating how little progress we have made in 13 years.

I have a thought. Perhaps these infections are not actually "new", but residual from stuff I never fully cleaned off last time. I cleaned up a bunch of these less than a year ago. What if I missed a couple, and they had the ability to bring back some of the others? Many of them seem to be related, and it wouldn't be surprising that one could "breed" others. Does that make sense?

I don't really have the option to put on a new operating system, as much of what we do must run on Windows. I guess I could lock down her computer and only make it able to go to a few websites. I certainly could use a hosts file, but I recognize the hosts file is only as good as its last update. I would have to constantly monitor and update that.
R2

1 edit

R2 to fixrman
How exactly can I lock it down to only a few websites?

Doesn't it seem odd that a program from the Internet has the ability to register itself with a CLSID - and Windows doesn't complain once! If I try to open Regedit, I get a warning message box that this might change my system. Why doesn't the same warning pop up when something rogue accesses my Registry?? Even if I'm running as Administrator, I find it highly illogical that something, anything, is able to RegWrite to the CLSID section of my Registry, and I get no warning from the OS.

I can't believe that would be difficult to set up. I recognize programs are accessing, reading, and even writing to the Registry all the time, but not typically to the CLSID section. That happens when programs or DLLs are "registered" - I believe. Couldn't that be monitored???
dave
Premium Member
join:2000-05-04
not in ohio


'Registering with a CLSID' is a pretty innocuous operation - it merely says that such-and-such a number means such-and-such a program.

By contrast, a human being with an unimpeded registry editor can cause total havoc. For example, your user that can't even be trusted with a web browser is unlikely to come out of regedit with a system intact. And in any case, the warning is not specific to regedit; it is the warning for any program that wants to elevate access level.

If you have a program 'registering with a CLSID' then it is because you've already consented to run that program. If it is malware, it has already screwed you up. All that adding yet another warning would do would be to make your click-happy user click on 'OK' again.
fixrman
From a broken heart to a hole in the sky
Premium Member
join:2003-02-10
Hatboro, PA
·Verizon FiOS

1 recommendation

fixrman to R2
Uhhh... Do you own the company? A couple of questions need to be asked here:

1. Is the employee being honest? I suspect not, at least not at the outset. If you know enough about registry editing to fix the problem AFTER the barn door has been opened, you should be able to prevent the CLSID from installing itself in the first place. If I had a nickel for every time somebody told me never... But if you truly removed the rogue programs before, they should not be there now if the employee only uses the machine for work and never shops online - after all, she "swears". Just sayin'.

2. Why do you think Windows would prevent you from doing harm to your computer? The car will not stop one from speeding; the bottle won't prevent one from drinking too much alcohol. Protections are restrictive, and people are as ignorant about computers as they are about their cars, insurance policies, appliances - pretty much everything. Most people take the Blue Pill®. When they do that, they invite problems.

Making excuses for people's bad behaviour only makes the problem worse. Let's face it, some people just should not be trusted with a company computer. Why? Because they are Click-Happy Button Pressers! I have a brother like that. He "swears" he doesn't install bad stuff, but he always calls me and #3 for advice on how to get rid of the programs he "never" installs and has "no idea how they got there". Sure.

NoScript will prevent a lot of the stuff you don't want, but it is intrusive. People who use it have to know what to do and what not to do. Most of them get frustrated and select "Allow Scripts Globally" to restore total functionality. All that does is unlock the door and prop it open.

AdBlock Plus can help remove annoying popups, but one has to know when to allow pop ups and when not to. Some people have no idea how to tell the difference.

Better Privacy blocks and removes LSOs, Flash cookies, etc. - but again, people have to know it is there, how it works and the why. BP tends to be less intrusive and restrictive than some other programs.

Ghostery will block Trackers, but again - it can be intrusive and people have to fire up a few brain cells to use it. Most folks whine and complain about protections because they won't take the time due to laziness to figure out what the programs are doing, why and how they work.

Sorry for the in-your-face wording, but people have to take responsibility for things. When they don't, they invite problems. I can only suggest protections, but people rarely listen because people don't want restrictions. It is another one of those, "Fail to Plan" scenarios.

I have never had a virus on any of my computers.
scelli (banned)
Four More Years!
join:1999-08-07
FLOT/FEBA


said by fixrman:

Making excuses for people's bad behaviour only makes the problem worse.

Imagine that! Actually making an individual responsible for their own actions. One of the best DSLR postings on this subject...ever.
resare
join:2012-11-07
Greenfield Park, QC

resare to R2
I see a great case for a Virtual Machine, backed up daily.

If an infection comes in, simply revert to the backup saved the day before.

Maybe a software such as "DeepFreeze" could help keep the system stable ? Just sayin.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

4 edits

R2 to scelli
Ooops, this is supposed to be for fixrman. Maybe my computer skills should be called in question too!

Fixrman:
No offense taken - I appreciate your comments. The employee is otherwise a great employee and not malicious or conniving. I truly believe she doesn't mean to do anything wrong but simply doesn't understand what some of these messages mean. I had a serious talk with her the last time, and she swears that since the last time she hasn't done anything that might get her into trouble. That's what I'm wondering if I didn't do a good enough clean job last time, and therefore this is all residual growth from a prior infection. I have certainly found out that one adware removing program is simply not enough. Unfortunately her job requires her to go on the Internet at times. Maybe I could get a list of the exact websites she might need, and then allow access to only them. I'm not exactly sure how to do that. And I'm sure I'd have to always be adding yet another website in the middle of my workday.

I have to call you on this:
"you should be able to prevent the CLSID from installing itself in the first place"

If I could do that in a reliable fashion, I'd retire and move to the Maldives.
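One way to do what R2 asks about twice above (allow her machine to reach only a short list of sites), as an added example that is not from anyone in this thread: the script below uses the Windows system proxy setting to send every request to a proxy that does not exist, and lists the permitted hosts as proxy exceptions so they go direct. IE and Chrome follow the WinINET proxy settings, and Firefox does so by default. The host names in $AllowedHosts are placeholders, and the script assumes it is run in the user's own session so that it writes her HKCU hive.

```powershell
# Added example (not from the thread): restrict a Windows user's browsing to an
# allow-list of hosts by pointing WinINET at an unreachable proxy and listing
# the permitted hosts as proxy exceptions. IE, Chrome and (by default) Firefox
# honour these system proxy settings. The host names below are placeholders.
#
# Caveat: this is not a security boundary. Anything running as the same user,
# including the user herself if she is an administrator, can flip ProxyEnable
# back to 0. It stops casual clicking on ad links, not malware.

$AllowedHosts = @(
    'www.example.gov',       # placeholder: the mandated government application
    '*.example-vendor.com',  # placeholder: vendor support site; wildcards are allowed
    '<local>'                # keep intranet (single-label) names reachable
)

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Enable-BrowsingAllowList {
    param([string[]]$Hosts)

    # 127.0.0.1:1 is a TCP port nothing listens on, so every request that is
    # not in the exception list fails with "cannot connect" instead of loading.
    Set-ItemProperty -Path $InetSettings -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $InetSettings -Name ProxyServer   -Value '127.0.0.1:1' -Type String
    Set-ItemProperty -Path $InetSettings -Name ProxyOverride -Value ($Hosts -join ';') -Type String

    # "Prevent changing proxy settings" policy: greys out the proxy page in
    # Internet Options. It only hides the dialog; it does not protect the key.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Proxy -Value 1 -Type DWord
}

function Disable-BrowsingAllowList {
    # Undo everything above so the machine browses normally again.
    Set-ItemProperty -Path $InetSettings -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $InetSettings -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $InetSettings -Name ProxyOverride -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $PolicyKey    -Name Proxy         -ErrorAction SilentlyContinue
}

function Show-BrowsingAllowList {
    # Quick audit: confirm the settings are still in place. They are the first
    # thing a user will undo once a site she wants is blocked.
    Get-ItemProperty -Path $InetSettings |
        Select-Object ProxyEnable, ProxyServer, ProxyOverride
}

Enable-BrowsingAllowList -Hosts $AllowedHosts
Show-BrowsingAllowList
```

Run it once while logged on as the user, then restart the browsers so they re-read the proxy settings; Show-BrowsingAllowList is the thing to run when "the site doesn't work" calls start coming in. Adding a site is one more entry in $AllowedHosts and a re-run. The honest limitation is the one in the comments: because she is an administrator, nothing stops her, or anything running as her, from setting ProxyEnable back to 0. An allow-list that has to hold up against the user herself belongs on the router or on a proxy off the box, not in her registry.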
R2

1 edit

R2 to dave
Yeah, you're probably right. Or I am sure you are right! It is just frustrating that so many years have gone by, and we still have the exact same problems! I was thinking that at least maybe there was some action, like writing to the CLSID section of the Registry, that could trigger another warning and prevent these things from being installed. But then of course I would bitch and moan because there were too many warnings every time I use Windows!

And I'm pretty sure one of the ways SpywareBlaster works is preventing or interfering with the registration of those CLSIDs - at least that's what it used to do. It sets the "kill bit", does it??
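On the CLSID and kill-bit questions in the two R2 posts above, as an added example that is not from anyone in this thread: SpywareBlaster's ActiveX protection does work by setting the kill bit, a documented Windows flag (0x400 in "Compatibility Flags" under Internet Explorer's ActiveX Compatibility key) that tells IE not to instantiate that CLSID as an ActiveX control. It does not stop a program from writing its own CLSID, which, as dave says, is an innocuous operation. The PowerShell below shows the other side of that: it lists the Browser Helper Objects registered on the machine, resolves each CLSID to the DLL it points at, checks the DLL's Authenticode signature and reports whether the kill bit is already set. Set-ActiveXKillBit is the manual equivalent of one SpywareBlaster list entry. All registry paths are the standard Windows layout; nothing here is taken from the original posts.

```powershell
# Added example (not from the thread): enumerate the Browser Helper Objects
# registered on this machine, resolve each CLSID to its DLL, check whether the
# DLL is Authenticode-signed, and report whether Internet Explorer's kill bit
# is set for that CLSID. Read-only unless you call Set-ActiveXKillBit.
#
# Registry layout used (documented Windows behaviour):
#   ...\Explorer\Browser Helper Objects\{CLSID}      BHOs IE loads at start-up
#                                                     (32-bit ones under Wow6432Node on x64)
#   HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32  (default) = path to the DLL
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#       "Compatibility Flags" = 0x400 is the kill bit: IE refuses to create that
#       CLSID as an ActiveX control from a web page. Do not rely on it to
#       neutralise a BHO that is already registered; delete the BHO entry instead.

$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400

function Get-ClsidServer {
    param([string]$Clsid)
    # Try the 64-bit, then the 32-bit, then the per-user class registration.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                      'HKCU:\Software\Classes\CLSID') {
        $key = Join-Path $root $Clsid
        if (Test-Path "$key\InprocServer32") {
            $dll  = (Get-ItemProperty "$key\InprocServer32").'(default)'
            $name = (Get-ItemProperty $key).'(default)'
            return [pscustomobject]@{
                Name = $name
                Dll  = [Environment]::ExpandEnvironmentVariables($dll)
            }
        }
    }
    return $null
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty $key).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Get-BhoReport {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem $root) {
            $clsid  = $entry.PSChildName
            $server = Get-ClsidServer $clsid
            $sig    = if ($server -and (Test-Path $server.Dll)) {
                          (Get-AuthenticodeSignature $server.Dll).Status
                      } else { 'DllMissing' }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $server.Name
                Dll       = $server.Dll
                Signature = $sig        # Valid / NotSigned / HashMismatch / DllMissing
                KillBit   = Test-ActiveXKillBit $clsid
                Source    = $root
            }
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit for one CLSID, which is what SpywareBlaster does in bulk
    # from its list. Needs an elevated prompt. Preserves any other flag bits.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty $key).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

# Unsigned BHOs whose DLL lives under the user profile are the ones to ask about
# first; legitimate vendors sign theirs and install under Program Files.
Get-BhoReport | Sort-Object Signature | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM branches are readable and Set-ActiveXKillBit can write. Reading the report is the useful part for a repeat visitor like R2: an entry named along the lines of the CheepDeaals/CoupoonSaave programs he describes, pointing at an unsigned DLL under C:\Users\...\AppData, is the thing to remove, and comparing today's report with one saved after the last clean-up answers his "residual or new?" question directly.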
scelli (banned)
Four More Years!
join:1999-08-07
FLOT/FEBA

scelli (banned) to R2
said by R2:

I truly believe she doesn't mean to do anything wrong but simply doesn't understand what some of these messages mean. I had a serious talk with her the last time, and she swears that since the last time she hasn't done anything that might get her into trouble. That's what I'm wondering if I didn't do a good enough clean job last time, and therefore this is all residual growth from a prior infection.

You need to let go and make her responsible in the future for her own actions. Is this an individual who is in any sort of leadership position? If so, her chain of command needs to address the issue from here on out, not you. It appears you've done everything possible in good faith to impart on this person the error of her ways, but there comes a time when you must cut the cord and let those in higher positions of authority handle the matter. If not, you'll be cleaning up such ongoing messes for the duration of both your tenures of employment at this company.

This has little to do with being malicious or conniving. It has everything to do with possessing the necessary computer skills and abilities for performing job functions properly and in a manner commensurate with the expectations of those who employ her.

John Galt6
Forward, March
Premium Member
join:2004-09-30
Happy Camp

1 recommendation

John Galt6 to R2
All it takes is *one single click* on the wrong thing...
psloss
Premium Member
join:2002-02-24

psloss to R2
said by R2:

That would be great, however the stupid program that she has to use requires her to be in an Administrator. I tried making her a Limited User and all that did was have her run to get me every five minutes to come back and run something as administrator again! It was a nightmare and simply not possible. I can't spend every five minutes of every day running back to run something as an Administrator!

Problem is, if your user(s) are running software "as root" all day then it's only a matter of time before they run something that is much smarter than they are.

(Is this old software that "requires" root/admin privileges?)

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

1 recommendation

R2 to scelli
Yes, she is the manager! And again, she does her job great, except for this one little thing!! We've already had a talk again, and I put layers more security on. If I find it is happening one more time, that's going to be it. But I have to be able to prove it - if I can't prove it, then it becomes a legal issue! If I have no other reason to fire her except for "you might be clicking on the wrong thing", that gets a little vague.

The virtual machine is an idea I should probably look at in more detail. There's always System Restore - which is what I did in part this time.

Thank you everyone for the input.
R2

Well, another thing that makes the issue sticky from a legal standpoint is that the user claims it's not her!

You're going to love the design of the program we have to use, but when she's not in the office the other employees have to log on under her account name - otherwise they can't use the system. She claims the other girls caused all the problems. Of course that makes no sense, because the other girls' computers never have infections! But again I can't prove it definitively. This becomes a sticky situation that ends up in a courtroom. I've already been through one minor legal battle with two employees pointing fingers at each other with no way to prove who's at fault. So yeah, you all can sit back and say, "Why don't you fire her?" But realistically that is a can of worms that's worse than all the adware on her computer! And the expense of going to court certainly is more than the expense of buying a new computer!

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation


How is it that you cannot prove it is her? Shared logins?

Also, have you considered a solution like sudown (assuming that still works with newer Windows)?

Or alternatively, running her browser as a lower-privileged account...

R2
R Not
MVM
join:2000-09-18
Long Beach, CA


Like I said, to use the program, they have to log in as "her" when she's not there! They have to know her password. This is a government mandated program and we don't have much choice in the matter. I completely understand that it is ridiculous. But I have to work within the parameters I'm given.

There's one rule you have to remember. Even if you're "legally right", it can cost you a lot of money to prove it. Is it worth the money? Have you guys ever tried to fire an employee? It takes a lot of documentation and a lot of proof to make sure you don't get slapped with a lawsuit. Whatever. I'm not gonna fire her now anyways, but it is really a challenge. You don't just do it lightly.

The idea of suDown sounds good to me. I'll take a look at it more thoroughly later. Thank you very much.
fixrman
From a broken heart to a hole in the sky
Premium Member
join:2003-02-10
Hatboro, PA
·Verizon FiOS

fixrman to R2
I do it all the time, mate. The key is training your employee not to do it.

I feel your pain, and I am not taking a shot at your computer skills. Trust me, I know how difficult this can be. You should hear the discussion I have with my wife about why she runs out of hot water and I never do. I have better luck convincing the daffodils.

Don't fire her, teach her. The employee apparently doesn't know or realise what she is doing wrong. Use Adblock Plus for starters within Firefox as a browser. If IE is the browser being used, there's a large part of the problem.