Yowzers! My dad's infection hell.

Discussion in 'other anti-malware software' started by muf, Aug 15, 2009.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    My dad is 76 and not completely computer savvy. He was having some problems and asked me to take a look. He was trying to download an update from the Microsoft website and ended up installing Windows Live on his PC. So I uninstalled that and still it was treacle slow. Ran CCleaner and it cleared 70 MB of cookies (well, virtually!). Still no better. He has something called NTLGuard running realtime, which is a security suite provided free of charge by his service provider NTL.

    So I had previously installed SAS and decided to update it and give it a run. Only as a precaution, as I didn't think there would be any infections with him running real-time protection. Holy cow! How wrong could I be! Get this. 775 infections. My eyes popped out of my head. It wasn't the number he had that amazed me, it was how crap this NTLGuard must be. Anyway, after a couple of tries SAS successfully cleaned it. SAS crashed the first time it tried.

    So I uninstalled NTLGuard, downloaded and installed AVG Free. Scanned the full system and bam! Clean as a whistle!!!

    Just how good is SAS. I keep telling people and I think they are starting to believe me.

    Next thing to do is take my USB stick around there and grab a copy of the log file from SAS for close analysis. Need to get a grip on just how bad those critters were. Incidentally, SAS didn't ask for a reboot to complete the clean-up. That impressed me. :thumb:
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    I'm glad the system is doing better. And, yes, SuperAntiSpyware is a good product. But it is not intended to be an all-in-one scanner, so I suggest you scan with a few others just to be safe; namely Prevx Edge, AVP Tool, and CureIt. I don't trust AVG as much as the ones I listed.
     
  3. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Yeah, I think there are others than AVG to use, especially when cleaning up, because there could be rootkits, but all is good.
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I can say straight away that I wouldn't trust AVG either - I do on the other hand have a thought-out, automatic setup for PCs (or average Joes, if you wish to call it that - I personally like the same operation as "they" do; only alert me if really necessary, so, well...), which is the following, taken from a list of my own that I update when making changes to my preferred setup:

    Microsoft Security Essentials
    MVPS HOSTS File
    Opera
    OpenDNS

    - at a minimum, but just fine at that level. That would be only one security program running in tray. I personally have one program total in tray full-time - pretty awesome actually. :D Drivers for my graphics card and sound card didn't need its "services", so I could turn those off as well. I installed that setup above on my brother's PC not long ago - think it was yesterday? He has two non-Windows things in tray total - MSE included (Microsoft Security Essentials). Have Hitman Pro on there to do manual scans when I wish.

    And BTW... Hitman Pro is also what I would've used to begin with, cleaning your father's PC. ;)
     
  5. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I agree with Raven,
    It would have been interesting to see what Hitman Pro would have initially found on that infected pc.
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    The number is quite amazing. Looks like NTLGuard was asleep on duty.

    To be honest, this is a system that I wouldn't trust again no matter how many scanners you run over it. If your dad has any personal data that he values or does online banking or online purchases, I would format the drive and start over.

    Since you say your dad is not too computer-savvy, why not set him up with a limited user account? I'd be willing to bet that 99% of that crap wouldn't have had a chance if he wasn't running as admin. As an additional benefit, it costs nothing and uses no resources.
     
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Very, very good point - LUA for those who aren't computer savvy (FTW :D). :D
     
  8. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Yes, only geniuses run as admin. :rolleyes:
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Not really, they usually just hit OK to get rid of the popup! :ouch:
     
  10. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    If you install Returnil or Shadow Defender, he can activate it after he boots up and it will delete everything he does when he shuts down. I had a similar situation with my granddaughters' computer, where they picked up all kinds of malware including the Vundo trojan. I installed Returnil and taught them to activate it every time they went online. All's quiet ever since. ;)
     
  11. techman89

    techman89 Registered Member

    Joined:
    Aug 15, 2009
    Posts:
    3
    Some bozo in the office installed that on all of our work computers and it wiped out my settings every day for like a week. If I decided that I would create a folder and save some batch script, or information that I would later use in my job, the next day it would be gone. Needless to say, we uninstalled it within a week. The rascal who did it remains anonymous!

    You know they say that 70% of all malware infections are due to user error. Why not just educate him a bit?
     
  12. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Techman, that experience must have been terrible for you. In this case, however, we are referring to a senior citizen who apparently is the only person using the computer. I agree that educating him would be the best course of action. Doing that would depend on who you are trying to educate, too. Sometimes it's easier to teach a ten-year-old than it is to teach someone who has been analog all his life. :)
     
  13. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Which popup are you referring to? I don't get that one, I'm a little slow this morning.
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I was about to post about the same thing - but I think he means UAC and not the "real" LUA.
     
  15. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I agree about the first part.

    LUA is probably not the best idea.
    There is no substitute for some basic computer security education. Like, don't click on ads, don't reply to spam/phishing, check if some program is safe before downloading, install patches.
    Complement it with a good security suite? That's probably the most simple solution.
     
  16. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    NTLGuard was replaced by PCGuard a long time ago, that could explain the infections as the updates stopped.

    http://help2.virginmedia.com/help/getContent.jspx?page=ser_pcguard_total

    On my Dad's old (256mb) laptop I installed:

    Kerio 2.x
    Peerguardian with DShield, Hijacked, Spyware lists
    Avira personal with all threat categories enabled
    SetSafer
    Sandboxie

    No infections or problems in over 3 years.
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Sure, but LUA and a security app. with hardening around it on a clean system (reformat) would IMHO be a lot more secure.
     
  18. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    :thumb: This is my advice as well. When a system is seriously infected, it's always safer to research what the infection was and then flatten and reinstall. It's 100% certain that no AV will detect all malware in the world, and even all the AVs in the world combined won't do that, and that means that just running AV scans cannot ensure the system is really clean and trustworthy.

    :thumb: :thumb: More good advice. Most current malware fails when executed by a limited user. And even the malware that doesn't fail is limited in what it can do, and can't create a system-wide infection and install the really evil stuff like kernel-mode rootkits.

    Yeah, that's what I was thinking, too. If you're really LUA, you can't just click OK on something and get admin privileges or give admin privileges to some software. At the very least you have to give the admin password. And as for UAC? You can just use group policy to set that to automatically fail elevation without prompting the user so that when you run something that wants admin rights it just fails without asking you for anything. Personally, I find that "Joe Average" who uses their computer pretty much as a browser, email client, and a video or audio player and perhaps for playing a game or two can happily run all of the time logged in as LUA and almost never need to log in as admin. So, therefore, you can just tell them to never give the admin password to anything or anyone, with only one exception - when they themselves boot the system and log in as admin to run some software's update checker, and then immediately log out after that is done.

    Why is LUA not "the best idea"? What is wrong with the concept, especially for a Joe Average type user who doesn't run his computer just so he can play with anti-rootkits or hack the registry all day long (which would require admin rights)? :D

    There is certainly no substitute for user education. But there is no substitute for the principle of least privilege, either. There's no reason why you can't do both. But there's a lot of reason why you should do both. And if you then run some decently coded security software on top of that, you're certainly much better off than just running as admin with the same security software, user education or no.
     
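The two-part setup Windchild describes (a real limited user account, plus UAC configured via policy to deny elevation requests from standard users outright rather than prompting) can be scripted on current Windows. This is an added example, not a script from the thread; it assumes Windows 10/11 with the built-in LocalAccounts module, is run from an elevated PowerShell, and uses the account name "dad" as a placeholder.

```powershell
# Added example (not from the thread). Assumes Windows 10/11, run as Administrator.
# Account name is a placeholder; change it before use.
$userName = 'dad'

# 1. Create the limited account and put it ONLY in the built-in Users group
#    (never Administrators). Password is prompted so it never sits in the script.
$password = Read-Host -AsSecureString "Password for $userName"
New-LocalUser -Name $userName -Password $password -PasswordNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $userName

# 2. UAC: "Behavior of the elevation prompt for standard users" = automatically deny.
#    This is the registry value behind the corresponding Local Security Policy setting,
#    so anything that asks a standard user for admin rights simply fails (no prompt).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorUser' -Value 0 -Type DWord

# 3. Verify both halves: the account must not be an Administrators member, and the
#    policy value must read back as 0.
$adminMembers = (Get-LocalGroupMember -Group 'Administrators').Name
$isAdmin = $adminMembers -contains "$env:COMPUTERNAME\$userName"
$policy  = (Get-ItemProperty -Path $uacKey).ConsentPromptBehaviorUser
[pscustomobject]@{
    Account                   = $userName
    InAdministratorsGroup     = $isAdmin      # expected: False
    ConsentPromptBehaviorUser = $policy       # expected: 0 (auto-deny)
}
```

Software updates that need admin rights are then done the way Windchild suggests: log in to the admin account, run the updater, log out again.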
  19. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Windchild, since you're mentioning some things about updates and so on...

    1. Am I able to do Windows Updates as a LUA (e.g. through Automatic Updates)?

    2. If not, can I do it manually by running the shortcut to Windows Update through IE as an Admin through SuRun?

    3. Is most, if not all security software today (e.g. NAV2010 since that's what I at least currently run...) able to update in an LUA account? That question would be REALLY important to me at least since it would definitely get really frustrating if things are otherwise...


    Think there was something else, but I'll get back to you when/if I remember it. :)
     
  20. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    These two statements are contradictory. LUA *is* basic computer security. I don't understand the resistance to it by members of a so-called security forum. It uses no resources, doesn't have to be updated and will still stop the vast majority of malware without any interaction on the part of the user. People like Mark Russinovich and Aaron Margosis just might know what they are talking about when they recommend not running as admin.


    That's advisable no matter what type of account it is. You didn't mention drive-by downloads, which in almost all cases are dependent on admin rights. If the AV doesn't happen to have a signature for that particular malware, you're screwed. With a limited user account almost all of this crap is not able to install.

    That's debatable. With all of the popups from firewalls and behaviour blockers, a lot of these users are overwhelmed and start clicking things away just to avoid the annoyance.

    I've set up computers for inexperienced people with LUAs and they have no problem with it. Installing SuRun simplifies the matter even more.
     
  21. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    1. Yes. Automatic Updates works with LUA. Updates can automatically download and install.

    2. As far as I know, explorer.exe needs to be running as admin for Windows/Microsoft Update to work, so just plain Run As from a limited user account wouldn't work, since it would only give the IE process admin privileges and leave explorer.exe running with limited privileges. I don't know about SuRun, but my guess is that it doesn't, either, due to the same reason.

    3. Depends on the security software. Any decently coded software should be able to successfully update even when the user is logged in as a limited user. (The important parts of the security software should be running with higher privileges anyway, to be able to clobber any malware, and the updater can run with the same privileges, enabling automatic updates regardless of who is logged in.) I have never used NAV 2010, so I don't know how it works, but my guess is that it can update just fine in a limited user account - anything else would be really poor coding from Symantec. Three ways to find out: Google, asking Symantec support and testing it yourself. :)
     
  22. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thank you, Windchild. :)
     
  23. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    OK, that makes some sense now.

    Regarding your post to Windchild, yes, Windows automatic updates work with LUA. Windows Update is a system-level service and has the necessary privileges.

    Updating manually with IE started as admin using SuRun is another story. Windows update recognizes that you have a limited account and says no dice. You can just log off and login to the admin account and run it, then switch back. This is seldom necessary, though. You really only need it if you want to check the optional updates.

    I installed a trial of Norton 2009 a while back to see if it really isn't a resource hog anymore. It worked fine, it updated, I could run scans, etc. Only problem is if you want to change the configuration. You have to login as admin to do that, which is probably a Good Thing (tm). The changes carry over to the LUA no problem. I would imagine that this hasn't changed for the 2010 version.
     
  24. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    Get him WOT and have it set to block. :) That should help. Tell him about the traffic light style rating and he should get it.
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Seems I was the slow one here, I read UAC instead of LUA by accident. :ouch:
     