vcf1
join:2000-03-21
Duncansville, PA | reply to goofy01
Re: How did someone with a limited account install Antivirus XP
Surfing I'm sure and believing what they see.
--
Dick |
|
Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:
| reply to norwegian
said by norwegian  :I did notice though, exocet's pdf file on the link supplied is not there any more either in that topic. It is archived here:
»web.archive.org/web/*/http://www···inxp.pdf
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time? |
|
norwegian_away
@net.au | reply to redxii
Thanks for the clarification
I was curious if it was related to the topic raised by psloss, the shortcuts being placed on other accounts, which is why I brought it up. Excuse my thinking if I was incorrect. |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
| reply to fatdcuk
That took quite a bit of user interaction, but all it did was install the xpantivirus2008 scamware at the worst in the admin account. It just added a RunOnce key to the limited user's account which pointed to a file in the cache, but that was only after willingly running the exe.
This was XP Pro SP3, IE6 and none of the internet settings were altered from install defaults.
The previous mentioned thread was about OEMs relaxing permissions. They aren't Microsoft's defaults. Permissions can be set in INF files w/ SDDL, and since INFs are plain text anyone can edit them and if you can understand the SDDL syntax you can make it anything you want. |
|
norwegian
Premium
join:2005-02-15
Outback
 ·WestNet Broadband
| reply to fatdcuk
First, no expert here. Kaspersky warned of installation, and 6 or so popups from registry, exe etc, so allowed them all, but in the latest version it it placed in low restricted. After found nothing installed, but with "low restricted" is isn't allowed some permissions on the O/S.
Once I'm home tonight, this home user will turn off KIS to see what happens then.
First test - negative
Note: There was no messages of permissions from using a limited account either....Mmmmm
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
|
fatdcuk
Premium
join:2005-02-20
England
| reply to goofy01
Well if any experts wants to experiment with live xpantivirus2008 infection and ltd account etc then here is source for it**(ActiveX install & file download)
infectionscanner.com/1/?xx=1&in=2&h=1
**Do not run infection unless you know how to manually clear it up and also repair settings damaged incurred!
VT currently flagging dropper@ 5/33
»www.virustotal.com/analisis/c45f···8143f917 |
|
norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband
| reply to redxii
Spot on the mark Red. Not that I was trying to disagree, but it is possible. I did notice though, exocet's pdf file on the link supplied is not there any more either in that topic.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas | reply to norwegian
You mean this? »Who else is having fun with OEM security defaults? |
|
norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband
| reply to redxii
There was a topic here where is was proved that shortcuts can be placed elsewhere from a limited acct. I believe psloss asked the question. I proved it on 2 of my O/S's. Can't remember the name of the topic though. That was a year ago, seems that isn't fixed yet, or it's using another method.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
|
ExceptThat
@inet.fi | reply to goofy01
Except that if you're referring to All Users\Desktop or something like that, limited users do not have write privileges there. Are you absolutely sure the account is a limited user and not a member of admin group? How have you confirmed this? |
|
goofy01
join:2004-02-05
Hammond, IN | reply to goofy01
Wrong Red. When this one hit me, it placed the icon in the shared desktop folder, so this icon came up on all users desktops. It didn't hijack the backgrounds on all users though, just on the one that was logged in. |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
1 edit | reply to goofy01
It wasn't a limited account if it could place a shortcut outside the limited account; and hijack your desktop, if you mean it prevented you from making changes.
Or not using NTFS. |
|
Lanik
Lab-nik
Premium,ExMod 2002-03
join:2001-06-25
Bay Area | reply to La Luna
That did it thanks.  |
|
Lanik
Lab-nik
Premium,ExMod 2002-03
join:2001-06-25
Bay Area | reply to Shriyash
I've already been through them guys, thanks.
I can't unregister these files shlwapi.dll, wininet.dll there is no unregister information.
--
"If it ain't broke don't fix it." |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs: | reply to goofy01
More on Antivirus XP:
»What is this Antivirus XP? |
|
Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:
| reply to Lanik
XP Antivirus 2008 Removal Instructions (XP Antivirus 2008)
»www.windowsvistaplace.com/xp-ant···-removal
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time? |
|
Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA
| reply to Lanik
Thanks Google. 
»www.xp-vista.com/spyware-removal···rus-2008
»www.2-spyware.com/remove-antivirus-xp.html
»fix-computer-problem.com/rogue-a···rus.html
»www.bleepingcomputer.com/malware···-xp-2008
--
Skin colour is only skin deep.
Everybody wants to be Loved and give Love. |
|
Lanik
Lab-nik
Premium,ExMod 2002-03
join:2001-06-25
Bay Area
2 edits | reply to goofy01
This just happen to a coworker of mine and to make matters worse the desktop background gets hijacked and Display properties are missing tabs so you can't switch your desktop now. Does anyone know what Antivirus XP 2008 installs and how to get rid of it.
Thanks.
--
"If it ain't broke don't fix it." |
|
Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA
1 edit | reply to goofy01
said by goofy01 : he was browsing and said something like "It said to update my player, so I clicked on it" Yep, definitely sounds like a fake codec update that installs spyware upon execution.
It may have looked something like the pic in this post.
Edit: i would install No-Script if i were you. |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:
| reply to goofy01
This is why I've warned from time to time a limited account alone is not a magic bullet. A limited user account can infect himself with malware and also a compromised program under a limited user account can destroy all of the data that account has write access to.
So, if you're the only user of your system, and run under a single limited account for most of your work, are you really better off? I would make the argument that no, you're not much better off... At least to me, losing all my documents is probably a bigger inconvenience than having to reload the OS.
This day and age, we need more fine-grained limited permissions, possibly to the point of sandboxing each application to its own account or security sandbox context.
--
Ubuntu MOTU Developer and Forums Council |
|
