Cleaning up for Friends - My new pastime

Discussion in 'other anti-virus software' started by richrf, May 14, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    I spent several hours last week cleaning up a machine for a friend (who barely uses the computer) that was protected by Trend Micro. Just a few ordinary trojans. Minor stuff compared to today ...

    When a friend of mine complained about some annoying popups, I thought I could clean it in a hurry and get on with watching some DVDs. In this case, the machine was protected by Norton AV and Internet Security and MS Anti-Spyware. My friend, who has been in computers (like myself) for about 35 years, was very confident of his system, but when I installed some of my favorite AVs/ATs and ran some preliminary scans, the following was found:

    1) Ewido: Found over 200 dlls, exes, and related files that were in the trojan category including keyloggers.

    2) TDS-3 found another 150 entries (I had to delete them one-by-one). They looked similar in nature to the ones that Ewido found but in different folders.

    3) Cleaned tons of stuff using HijackThis

    4) After all this, installed the latest version of KAV 5 Personal MP3 Beta with extended databases and right away KAV found five trojans trying to execute which I killed (system restore has been turned off)

    When I left, the KAV scan was still going. Not sure what it will find, but I plan to run NOD32 and BitDefender to see what they find. What a giant, colossal mess. If I had told my friend a week ago that he needed more protection, he said he would never have listened. Tomorrow he is coming over to check out ProcessGuard, RegDefend, and KAV running on my machine along with Ewido. Let's say he is one of those "motivated" users that I was talking about in the ProcessGuard thread.

    Nite everyone ... it's 1:00am and I am pooped.

    Rich
     
    Last edited: May 14, 2005
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Good job there rich! :)

    I for one have been studying Trojan behaviours for 15 hours now *yawn*
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Firecat,

    I forgot to give honorable mention to RegSeeker for cleaning up hundreds of entries from the registry that these trojans implanted. My friend didn't think the system would restart - but I had confidence in RegSeeker. :cool: All I can say is that I left my friend in a state of shock. It was a "rude awakening".

    Have a good night's sleep. I'm headed in the same direction. :)

    Rich
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I will go to sleep in an hour or so at the maximum.....

    RegSeeker's always been nice. I've always kept my registry clean without it, but it's good to have it around. It did wonders on my neighbour's PC, and the free eScan did the rest ;)
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Forgot to mention ... he had his new laptop for only one month. :eek: Before he was running Win2000. Welcome to the world of XP.

    Rich
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Such people really need raw detection force. Give him KAV or McAfee :p
    I'd also try to add NOD32 next to those if possible to extend strong signature/generic detections with heuristics for latest threats.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Totally agree.

    I will be meeting with him tomorrow and basically propose KAV, ProcessGuard, and RegDefend. Up until a week ago, I would have considered this sufficient, but when BitDefender's online scan found some genuine malware of the reasonably annoying sort that KAV's scan missed, I became a believer in backup AV for KAV (the BitDefender online scanner may be good enough). I also think NOD32 is a good backup for heuristic detection, but I will leave it up to him. My own opinion is that the truly malicious stuff will be stopped by KAV, ProcessGuard, and RegDefend, and other things can be picked up as required by Ewido (free is probably enough), Ad-aware, and BitDefender online.

    He is definitely "open" to suggestions as of today. ;)

    Rich
     
  8. Billy Blaze

    Billy Blaze Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    79
    Location:
    Vorticon VI
    Were you able to find the source(s) of these infections?

    And if you haven't already done so, it may also be worthwhile to give him some general tips on how to remain protected online.
     
  9. Pollmaster

    Pollmaster Guest

    Personally I think you should retitle this thread to - Marketing for Diamond CS, KAV, Ghost Security - My new pastime. :))

    But then again, I suppose I do the same when cleaning up computers, though I generally recommend freeware stuff first since it's generally sufficient. But I won't hold back if I'm asked what I use.
     
  10. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    For people like that, there's one thing to do, and that's to install Firefox, delete all IE icons, and give Firefox an IE icon.

    Alternatively, turn off ActiveX in IE.
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Billy and Tahoma,

    Yep, I installed FireFox right quick. Will have to install SpywareBlaster. I also gave him some pointers on safe hex surfing - though he already figured it out. What he was surprised at was how easily the trojans penetrated the software he had. He thought that even Norton was overkill. Live and learn.

    He may have to use IE once in a while. I find, for example, when I want to use one of the online virus scanners (e.g. KAV, BitDefender, or McAfee), I still have to resort to IE and ActiveX. I think these may be the only times I use IE nowadays. Most sites seem to be testing their software for FireFox compatibility.

    Pollmaster - you can also put me on your ignore list. This forum is not a boxing ring. It is a discussion forum.

    Rich
     
    Last edited: May 14, 2005
  12. Pollmaster

    Pollmaster Guest

    Hi Rich, yes, this is a discussion forum, and I didn't mean to offend you, just stating my opinion. If you think my little joke about "marketing" is too much, I apologise.

    I hope you are not one of those people who like to talk about free speech and discussion until the moment someone posts a contradictory opinion.
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pollmaster,

    I am not the least offended. If you are looking for a discussion, that is why I am here.

    The primary purpose of this thread is to highlight the fact that within the last two weeks, two of my friends have been badly burned by nasty trojans (in one case the total effects are not clear) and both were using highly rated AV products and firewalls. In both cases, my friends thought that they were extremely well protected - based upon the advice that they were getting. Clearly they were not nearly as well protected as they thought or desired.

    Given that Norton AV and Internet Security were insufficient in one case, and Trend Micro insufficient in the other case, it clearly shows that "basic" protection (whether it be paid or freeware) is not sufficient to guard users to the extent that they wish to be guarded. However, it is clear from my experiences with my friends that it often takes incidents such as these to convince them that a much higher level of protection is necessary and that they need to make changes somewhere. Safe hex surfing is not sufficient. One of my friends barely uses the Web and had a couple of nasty trojans.

    Given the state of the situation, I clearly suggest to my friends to put security packages in place that have the highest level of competency with overlap. I also try to keep it within the system's and user's capabilities and desires. For this reason, I almost always recommend KAV nowadays because it is highly competent across a broad range of malware classes (viruses, spies, trojans, worms, etc.). In my own experiences, it is almost unbeatable.

    But I do not entirely put my trust in KAV, so I also suggest guarding against unauthorized program execution and registry updates, which overlap each other as well as KAV. For this reason I highly recommend ProcessGuard and RegDefend. Of course there has to be a firewall, and since I am most used to ZoneAlarm Pro, this is what I recommend. I also recommend a router for additional blocking. Both of my friends were more than happy to finally get FireFox on their system.

    On top of these, I highly recommend freeware products such as Ad-aware, SpywareBlaster, ccleaner, RegSeeker. Other information products I recommend include HijackThis, Port Explorer, Process Explorer, and FileMon but this is usually beyond what most of my friends are willing to take on.

    I also have backup trojan scanners. I find TDS-3 and Ewido extremely useful when cleaning machines. But again this is beyond what my friends are willing to take on.

    I try to be pragmatic about what I recommend. I also want to make sure that I do not leave my friends "open" to further attacks. They are my friends, and these kinds of "thefts" that can occur are worse than even the normal thefts that they are used to. After all - they are my friends. :)

    I am sure you and others have your own set of recommendations. Everyone is different in this respect.

    Rich
     
    Last edited: May 14, 2005
  14. Pollmaster

    Pollmaster Guest

    Rich, nice to see you are not one of those people I was referring to.

    I personally believe though that it is not necessary to pay for all the best quality security software products, if what you want is a basic level of security that can stand up to the typical malware in the wild out there.

    Almost none of my friends are interested in computer security, so I personally prefer to recommend the freebie stuff first and equip them with basic security tips and go from there. Only if this is not sufficient, then I might point them to higher quality products that cost $$.

    In all the cases I'm aware of, so far, none of them have had problems, once I put in place the freebie defenses and teach them how to update them.

    I would also point out that even with a nearly perfect defense setup as your favoured configuration, it is possible for a user to foul up and get infected.
    The problem of course is that the user will typically blame his software and switch to another antivirus, which inevitably fails and.... So the problem is most often the user, not the software.

    On the other hand, someone who practises safe hex (plus hardening of OS) will find that practically any antivirus is sufficient.

    Have you attempted to ascertain how this happened? Unpatched OS, downloaded cracked software etc, are other reasons for this failure.

    The problem with relying on software, even the best, is that it might fail, so it's best to avoid overrelying on it in the first place.

    Of course, Rich, you can point out that they haven't failed you yet, but it's unclear if that's because you are careful or it's the software.

    And of course, I have computers at work that run nothing but Trend, and I have no problems with them, so it leads me to wonder what the difference is between your friends and me :)
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pollmaster,

    "If anything can go wrong, it will." - Murphy's Law

    At least that is what seems to be continually happening to my friends. The particularly nefarious aspect of trojans is that when things go wrong, the user may not necessarily know about it.

    Take my two friends for example. In all probability (based upon the work that I did), they were infected by really nasty trojans/keyloggers way before they actually became aware that something was wrong with their system. What happened in both cases was that some dinky piece of malware began to really annoy them. Pop-ups, etc. This caused them to complain to me and ask me to help them get rid of these little annoyances.

    It was only when I employed the most extensive and competent anti-malware tools that I am personally aware of and capable of using, that all of the really nasty pieces of trojans were uncovered. It was quite by accident. Had the little stuff not made itself known, then the big stuff might have been happily keylogging for quite some time without anyone knowing (so there are some benefits to annoying adware ;) ).

    Users of products such as ProcessGuard and RegDefend rely both on the proper design of the software as well as their own "smarts". Both of these products rely on users to take control of their PC and decide what will run and what will not. It also helps educate users on all of the things that are really running (or trying to run) on their system without them knowing it. A few months ago, a supposedly simple piece of software that I was going to install was revealed by PG as trying to install a system service - with the purpose of trying to scan my full file system. Yikes! There is no telling what companies will do nowadays to make money for their "investors".

    Mistakes can and will be made. That is why layering provides a "second chance" to correct a mistake. A seemingly innocuous program that is permitted to execute by PG can still be stopped from further penetrating the system by RegDefend. Of course a top-notch AV such as Kaspersky will probably stop any of this if it is detected in time. If a person makes several mistakes, then that is life. But I think the biggest mistake is to think that one will not be attacked by some fairly malicious piece of software and there is no need to be concerned. It is just happening far too often among the people I know for any one of us to ignore the issue.

    Since I began deploying a reasonably strong security setup on my son's system (which was always being attacked) and my own, we have been pretty clean. For how long - hopefully much longer than those who do not employ a strong defense. But who really knows?

    Where do these attacks come from? Who knows? Who knows when they happened and how long they were there? The problem with having porous protection (I used to use Norton and was attacked many times) is that no one really knows. It is best to have the best and then do one's best. It is so much better than trying to clean machines - and "hoping" that they are really clean.

    Rich
     
    Last edited: May 14, 2005
  16. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    I like the word raw protection force............. :D

    I think the first thing he needs is a proper browser like Opera or Firefox (coz I bet he is running IE).
    2nd is a decent AV (not saying Norton is not), but for his usage I think RAW protection force is needed :D Wahahaaaa (KAV, McAfee, F-Secure)

    Then maybe Spysweeper or M$ Antispyware..........

    No wonder why we need faster hardware and memory for newbie computers :p
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi iwod,

    Yep, I put Firefox on his system. I told him to use Thunderbird instead of Outlook.

    In so far as his backup for KAV, I think protection software (i.e., software that prevents malware from installing) such as PG and RegDefend are better bets than additional detection software (i.e. software that attempts to detect and remove already installed malware), simply because in my experiences so far KAV pretty much catches everything that MS AS and Spysweeper catches. (Others may have different experiences).

    If I was to suggest any additional detection software it would probably be Ewido or TDS-3 which I believe actually adds value over and above KAV. There have been cases where I have found CounterSpy to pick up minor pieces of "tracking cookies" that everything else misses, but I am not sure it is worth it for most users. They could simply clear cookies if they wanted to.

    It is kind of odd that we need such a complicated architecture in order to support browsing. I am quite convinced that the problem lies in the fact that MS left many "windows" open in the Windows operating system so they can keep track of what customers are doing (e.g. the Update process), and in so doing have made the same "windows of opportunity" available to other, less friendly visitors. A better OS for browsing the Internet can be built (some point to Linux), and I am sure over time it will be embraced.

    Rich
     
    Last edited: May 14, 2005
  18. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Actually, if he only browses the internet, watches DVDs and such simple functions, I recommend getting a Mac mini or iMac G5.

    I agree with the situation. It is getting complicated to simply surf safely. AV, AT, AS, and who knows what else is coming.
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Anti-Riskware (AR)
    Anti-PolyEngine (APE)
    Anti-Constructor (AC)
    Anti-HackTool (AHT)

    :D:D:D:eek::eek:;)
     
  20. Pollmaster

    Pollmaster Guest

    I'm afraid your friends seem to be of the extremely clueless type; in such cases, I'm wondering if anything is sufficient to protect them. Another thing to note: when scanning computers, I always distinguish between copies of malware sitting around unexecuted and those that are running. At any time, if you scan some of my computers, you might see copies of Sober sitting in my email folders. But does that mean I was attacked and penetrated? Clearly not.

    Perhaps, but another big mistake is to assume that everyone has to run the same exact security setup as oneself, without taking into account the value of the data placed. It is foolish to work oneself up to a state of paranoia just because you find that your clueless friends haven't been practising safe hex and as a result got infected.

    Who really knows if it's the software that is making a difference, or if it's safe hex? Rich, I think you underestimate the power of safe hex.

    How would you define an attack? I get hordes of virus infected mail a day; I don't consider those attacks, except in a very trivial sense.
     
  21. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Pollmaster,

    As with any regime of safe (h,s)ex, it's easy to get caught up in the heat of the moment, so to speak, in which all good intentions give way to more primal forces. An errant click here or there as excitement mounts, and the double entendres increasingly fly about, and before you know it, you are sunk.

    The psychology for both cases is the same, as can be the unfortunate outcome.

    Blue
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pollmaster,

    Are you suggesting abstinence? Otherwise there is no way to avoid problems nowadays. A few weeks ago I was browsing google with a quite harmless search and I was attacked. Paranoia? Clueless? The way you describe people is interesting.

    "How would you define an attack? I get hordes of virus infected mail a day, I don't consider those attacks, except in a very trivial sense."

    Actually, these are real "attacks". You must be getting these confused with Prevx's definition. :D

    Rich
     
  23. Pollmaster

    Pollmaster Guest

    Details please. It's easy to throw around the word "attack".....

    I'm starting to see why you are so paranoid. If you are foolish enough to open such attachments, KAV as good as it is, isn't going to save you.

    I've seen enough reports of people who open obviously dangerous attachments merely because their AV cleared it.

    If you think such users can be protected with Any AV whatever the reputation, you are sadly mistaken.
     
  24. Pollmaster

    Pollmaster Guest

    You mistake my intent Bluezannetti.

    No one is arguing that one should rely ONLY on safe hex. On the other hand, safe hex plus any reasonable product (including Trend) should be reasonably ok.

    The way Rich acts, it seems like if one does not run KAV+PG+RegDefend (or whatever he defines as the best), one is doomed to be infected. Don't get me wrong, they are all excellent products that I use and recommend, but I wouldn't presume that just because someone doesn't use these products (or whatever is favoured by the 'expert'), that person would be irresponsible and getting attacked is a matter of time.
     
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Pollmaster,

    I don't know how you can label people, such as myself and my friends, as clueless and paranoid, without ever meeting them.

    In any case, a week ago they were in general following advice such as the one that you normally suggest and they ended up with unusable machines. I have given them different advice to follow and hopefully this helps them minimize their problems going forward.

    Rich
     