New generation of spyware / trojans / virii
primesuspect
Beepin n' BoopinDetroit, MI Icrontian
Lately I've gotten a few computers on the bench or at customer sites that are just DRIPPING with spyware and trojans. I mean, terrible infestations.
As some of you know, I have a personal mission to eradicate spyware and trojans. I can't stand the buggers. It drives me nuts.
I have developed quite a knack for removing spyware and their ilk, and I have a little routine that involves a cocktail of NAV, Spybot S&D, AdAware, regedit, msconfig, etc.
But lately, no matter what, there are some trojans that escape my tirade. I have been pulling drives, dropping them into a new computer, doing full manual virus scans, manually deleting fishy .exe and .dll files, etc. When I'm done, and I put the drive back in the computer, it's STILL infected... I don't get it.
One thing I've been noticing is these pervasive BHOs that just WON'T go away. I'll reset all IE settings to default, blitz out the HOSTS file, change security levels back to default, reset all web settings, etc. and then DNS will be broken. I can't figure this out for the life of me.
Thoughts on these new generation of BHO's, hijacks, spyware, trojans, etc. ?
Comments
I know CoolWebSearch is a particularly nasty SOB. You might want to add CWShredder and HijackThis! to your arsenal. HT is good for removing BHOs, and of course CWS is a single-purpose removal tool, but effective nonetheless.
The war is going to continue, and it's going to get harder and harder to remove these things.
I so did a Click Start > Run.
Type: regsvr32 /u [path to XPlugin.dll] and click OK.
And that worked.
I am seriously thinking about holding a workshop for all these people and their kids on how to safely surf the web. Although it would be taking money out of my pocket in the long run, I just hate to see the same people bringing their machine back to me because their kids (or so they say) re-infested the system.
It's definitely getting bad and it will only get worse. :sad2:
startup folder for all users
startup folder for each user
win.ini
HKLM/Software/Microsoft/CurrentVersion/Run
HKLM/Software/Microsoft/CurrentVersion/RunServices
HKLM/Software/Microsoft/CurrentVersion/RunOnce
HKCU/Software/Microsoft/CurrentVersion/Run
HKCU/Software/Microsoft/CurrentVersion/RunServices
HKCU/Software/Microsoft/CurrentVersion/RunOnce
Services management console
Any other suggestions of known startup folders?
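An added example (not from this thread) that dumps the autostart locations in the list above, plus the Browser Helper Objects key discussed earlier, so each entry can be reviewed by hand; it assumes PowerShell 3.0 or later and only reads, it changes nothing.

```powershell
# Added example, not from the thread: list the autostart entries a technician
# would review. Read-only.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Properties the registry provider adds to every item; not real values
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notin $providerProps) {
                [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Startup folders: all users, then the current user
foreach ($dir in @([Environment]::GetFolderPath('CommonStartup'),
                   [Environment]::GetFolderPath('Startup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
    }
}

# win.ini: the load= and run= lines are the only ones that start programs
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path $winIni) {
    Select-String -Path $winIni -Pattern '^\s*(load|run)\s*=' | ForEach-Object {
        [PSCustomObject]@{ Location = $winIni; Name = 'win.ini'; Command = $_.Line }
    }
}

# BHOs: each subkey is a CLSID; resolve it to the DLL that IE will load
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Location = $bhoKey; Name = $clsid; Command = $srv.'(default)' }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record of what was on the box before removal, so the list can be compared after a reboot.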
Unfortunately in the last 4-6 months, we have gotten hit with hybrids, some of them multithread on XP and down. And the mimail removers, well, there are THREE that I know of, mimail.j is now hitting big time and it is a multithreading HYBRID, trojan plus three worm threads and not JUST a single worm thread that is initially active. If you get Blaster hit with removers run, restart, rerun remover, chances are you will find things that were not detected being found, and possibly for Mimail.c and Mimail.j also, as examples.
Look up, on Symantec's site, Xado for instance... It comes with um, questionable games and happily, when gem is installed and um "registered (NOT)" installs a Xado along with the install. There are IRC bot worms and trojan packs now, also. AND one update that turned off RPC for XP (on WindowsUpdate) also turned off virus intake.
Turn off RPC, do not use Kazaa, Morpheus, IMesh, and do not IRC and do not use MSN Messenger if you want to be safe. Second, if restoring a box, get and install NAV and update it first. Here's why:
Last time I reloaded this box I proceeded to turn off RPC and update. update hung, box lock.
Reboot, serious error recovery. In about 2 min on the web, I got 2 Welchias and one Blaster. I found this out when I updated Norton and did an immediate scan, looked in logs, found Norton could not delete the Welchias as Windows was protecting the files (one was DLLHOST), and had killed the Blaster with an autokill delete. So, I manually killed the Welchia. Rebooted\restarted, and proceeded to get a serious error recovery. Rescan, ZIP. No virus, which I confirmed with another product. BUT, windows had restored its needed files.
Welchia and Blaster both register as system processes, and 98 SE and up can protect and restore system files. I now have my NAV 2003 (2002 is compromised, virus writers know how to disable it) set as follows:
Aggressive Heuristics.
In behavior for a suspicious file, I have it set to try to delete and if not to quarantine. The Blaster got quarantined and what else I did (see below) deleted it in quarantine.
Last, in scan, automatic is not enough. ALL FILES is enough, because then it delves into archives.
Next if you pick up email on these boxes, clear the email cache and the IE cache when recovering, I have had many viruses hide in Temp Internet Files. When you bring up IE, some of them can launch from the CACHE as it polls it. Ditto, unfortunately, email cache. Scan every file on HD, is lesson, as in all files mode, if you tell NAV to scan archives also, NAV will find how the virus came in and kill the archive also by deleting it.
This mess started 2-3 years ago, and picks up whenever Microsoft is seen to go after Open Source, and the instance of both Open Source and Microsoft software targeting viruses go up in that time as some misguided idiots in both camps attack users of opposing distributor's software just to make a point of the holes in it-- from both sides. This has happened again and again....
August was the worst month in the worst single year for virus hits on boxes, if the defs on a box are earlier than September, that box has at least one virus that will run on program run of the program it vectors into, and some of them copy worms three times and register them three times simply to be able to restore themselves. In fact, it has gotten so boxes that self-virus get zero-packed HDs and a full restore from CD and then get Norton 2003 put on first thing, stuck in a full aggressive mode, and then I WindowsUpdate.
Ever seen an XP with no MSN Messenger, with every service I can dep trace to NETBIOS off, and NETBIOS ports blocked at router (with ZERO violations of those port blocks logged for 3 days running now).... My XP is sans the services NETBIOS uses, as some of the new viruses are bot installs that seek NETBIOS responses for targeting. My latest XP has been up with no virus hits at all since December 12. Linux has intercepted zero email hits, and it scans for both Windows and the Unix O\S families of viruses, since about 4 weeks ago when Comcast had to fully reload their local email servers and cut their OVERALL traffic load to 2\3 by now scanning email as it comes into the servers (NETWORK WIDE).
Earthlink is riddled with this junk, and I get more Earthlink routed email en blank with headers only and a virus removal note in header than on any other ISP. I hate to say it, but until more ISPs start scanning their email servers or also switch to non-Windows email servers, folks using those ISPs are gonna get a real self-replicating mess unless they have their virus scanners in very aggressive mode and turn on NAVAP, and update IE and OE completely to 6.0 SP1 and onward if Microsoft releases patches for that generation. So, I use Open Source to surf 90% of the time and Open Source O\Ss to pick up all email-- zero hits on XP, but XP can surf and get remote info for CDs from Windows Media Player 9.0 (which has a security pack fix or three in it also).
Folks need to stop autoinstalling stuff from anywhere other than non-Windows FTP which they know they can trust, or scan it before install. In other words, do not OPEN files in IE except for those from Microsoft's Windows Update site. Save, then scan and THEN install if you must, but do not be surprised to see hits on "questionable" game archives, PLEASE. Some "questionable source" games install a nice little remote-run, 2-WAY FTP SERVER plus a trojan and\or worms on your computer these days!
If you folks think this is scary, defense is to be VERY WARY these days of what you do with your web access.
John.
Rule #A1: Don't use internet explorer.
I use mozilla. When my GF used the comp, she didn't know, so she clicked the IE button. BAM instant death.
As said in earlier post - use the Immunize function. If your router has a firewall, enable it. Run Spybot, AdAware, your AV, and HijackThis religiously; and update them at least weekly. I am in no way an expert in this arena, but have had no persistent problems when using the above regimen. Also, when using Kazaa (DON'T! Use Kazaa Lite), run Spybot and AdAware as you download.
The worst source of spyware and its ilk for my systems has not been chat or P2P, but Google! In a 20-minute session the other night, I managed to collect 67 nasty bugs. Watch out for entries whose URLs (listed at the bottom of each entry) don't seem to match what you're looking for.
Me too, I guess we're a dying breed.
I'm using XP Pro / Outlook 2003 with all available updates. When I log in (no PW, just click on my name, home machine, no need) to the right of my name it says "1 unread e-mail message". But when I go into Outlook, nothing, no unread messages. I tried selecting all and hit "mark as read". Still says "1 unread...."
Have any of you guys(or gals) seen this before?
Thanks,
RADA
The worst source of spyware for me is the family and all the little games they install. With AVG, Spybot, and AD-Aware though, I haven't had any problems.
pr0n dialers
"free" "fun" "save" things - games, coupon offers, weatherbug, precision time (duh! windows XP has this built in!), savings, "memory checkers", "performance enhancers", "spyware killers" "popup killers"
the problem is that your average home computer user does NOT know what's legit and what's not. So some popup comes up and says "hate popups? Click this blue activeX control and be sure to say "yes!"!!" -- boom, floodgates are open.
Next time you install XP, do an unattended install.
winnt.sif:
[Components]
IEAccess=Off
Note:
Then install Avant Browser or whatever floats your boat.
-drasnor
I'm an IE guy too, Mozilla is good but not supported by all web sites.
I think that non-geeks just don't understand or care about trojans, spyware and stuff until they get one. You can look at it this way, job security... lol
"g"