
Malware may still be active, but in a different location


joquanpro


P.S Anyone following that last link and wondering "Does this do the same as adblock?"

 

Yes - But a lot better.

 

Adblock will only help protect the browser you have plugged it into.

 

The hosts file stops ANY communications software from resolving bad DNS addresses, even malware itself: if its DNS name is in the hosts file when the malware tries to phone home, it is blocked.

FYI - To avoid double-posting like this, please use the EDIT button to edit your last post.

 

As for using the HOSTS file to block undesirable sites, that is exactly what two programs do that I mentioned earlier: SpywareBlaster and Spybot Search & Destroy. Still best to use the HOSTS file in conjunction with a popup blocker to catch new sites not already added to the HOSTS file.

 

Regarding Microsoft's "Security Essentials", I'm not going to put a lot of stock in Microsoft protecting their own product. If they could have done that, they would have done so long ago. I also don't think they can be totally biased as to who is considered malware or not...what if they have a partner who is a bit devious in what they do? Are they going to flag their own partner as malware? I'd rather trust a 3rd party who has no vested interest in MS or their "friends" determine what makes the "bad" list.

 

LHammonds

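As an added example (not from either post above), here is what a hosts-file block actually does: the resolver consults the file before it sends any DNS query, so a name mapped to 0.0.0.0 or 127.0.0.1 never leaves the machine, whichever program asked. The Python below parses a constructed hosts file (comments, tabs, several names on one line, a malformed line) and reports whether a name would be sinkholed. Two caveats a practitioner should keep in mind: the file only catches lookups by name, so malware that connects to a hard-coded IP, brings its own DNS client, or simply rewrites the hosts file is not stopped; and a sudden change to the file is itself worth alerting on.

```python
"""Added example (not from the original posts): how a hosts-file block works.

The resolver reads this file before it sends any DNS query, so a name mapped
to 0.0.0.0 / 127.0.0.1 never reaches the network, regardless of which program
asked.  SAMPLE_HOSTS is a constructed file, not a real blocklist.
"""
import ipaddress

# Addresses commonly used to sinkhole a name in a hosts-file blocklist.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not be reported as blocked.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net  tracker.example.net   # several names, one line
127.0.0.1\tbad-c2.example.org
  192.0.2.10    intranet.example.com
not-an-address  junk.example.com
"""


def parse_hosts(text):
    """Return {hostname (lower-cased): ip} for every entry in a hosts file.

    The first matching line wins, which is how the Windows and glibc
    resolvers treat duplicate names.  Comments (# ...) and malformed lines
    are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address: malformed line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def is_sinkholed(table, hostname):
    """True if a lookup of hostname would be answered from the hosts file
    with a sinkhole address (so no DNS query and no outbound connection)."""
    key = hostname.lower().rstrip(".")
    if key in LOOPBACK_NAMES:
        return False
    return table.get(key) in SINKHOLE_ADDRS


def classify(table, hostnames):
    """Map each hostname to 'blocked', 'hosts-file' (an ordinary static entry)
    or 'dns' (not in the file, so the resolver will query DNS)."""
    result = {}
    for host in hostnames:
        key = host.lower().rstrip(".")
        if is_sinkholed(table, key):
            result[host] = "blocked"
        elif key in table:
            result[host] = "hosts-file"
        else:
            result[host] = "dns"
    return result


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    names = ["ads.example.net", "TRACKER.example.net.", "intranet.example.com", "www.example.com"]
    for name, verdict in classify(hosts, names).items():
        print(f"{name:28} {verdict}")
```

To check a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) to parse_hosts instead of SAMPLE_HOSTS.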

FYI - To avoid double-posting like this, please use the EDIT button to edit your last post.

 

Yes, apologies for that; I will only post from home in future, where the edit button actually works on this site. :)

 

As for using the HOSTS file to block undesirable sites, that is exactly what two programs do that I mentioned earlier: SpywareBlaster and Spybot Search & Destroy.

 

Well, SpywareBlaster is another tool I use myself, which has very good merits with regards to Windows internet options, placing a very good blacklist in the restricted zones and cookies, but only browsers which use those will be protected, currently:

 

Internet Explorer

Mozilla Firefox

Netscape

Seamonkey

Flock

K-Meleon

and browsers that use the IE engine, including:

AOL web browser

Avant Browser

Slim Browser

Maxthon (formerly MyIE2)

Crazy Browser

GreenBrowser

 

Not included:

Opera

Safari

and any Chrome forks.

Email clients

Messengers

And plugins

 

Spybot Search and Destroy - used to be a long-time favourite; Malwarebytes has taken over that slot for me. Spybot is, however, very good at locking down your system with TeaTimer resident protection, but I find it too restrictive/user-unfriendly for a general recommendation. New users often find some very complicated system entanglements after enabling it, which is why the author does not enable it by default.

 

I agree, though, that as a combination they can be good, the flaw with the hosts file being how often it is updated: around once per month. It takes them that long to resolve still-active addresses (sites with criminal intentions sometimes last only days before they move on), and legally they have to be correct about what they include.

 

Regarding Microsoft's "Security Essentials", I'm not going to put a lot of stock in Microsoft protecting their own product. If they could have done that, they would have done so long ago. I also don't think they can be totally biased as to who is considered malware or not...what if they have a partner who is a bit devious in what they do? Are they going to flag their own partner as malware? I'd rather trust a 3rd party who has no vested interest in MS or their "friends" determine what makes the "bad" list.

 

I had the same thoughts at first, but having read the opinions of well-respected participants/programmers on the Malwarebytes forums, I started to change my mind. Steve Gibson of Security Now! fame has also given it a thumbs up, and it is a client of Forefront, which is the security solution MS use to protect their own corporate networks from attack, utilising the same definitions/updates.

 

The only big problem I can see affecting home users with it would be if an in-house definition/signature is written to stop employees of MS, for instance, using encrypted tunnelling software within their network, and that carries over to the general public's updates; then Joe Bloggs at home wants to use such software to stop his ISP snooping, and MSSE will kill it as it would a virus. Microsoft employee control becomes control of home users worldwide too.

 

With regards to third-party agreements, the biggest concern I feel at the moment is a fast-developing product by Adobe, who recently bought Omniture.

Google these three words: 'Flash ActionSource Clickmap'. <shudders> Not forgetting LSO exploits, resurrecting HTTP cookies from shared objects to circumvent users cleaning out (or indeed blocking) cookies, and malicious VBScript tricks to circumvent Flash users and their Settings Manager preferences (that is, IF the user ever finds out how to do that; it's a bit under the radar, so to speak). Then try going anywhere on the internet without it. Also consider how reliable Adobe/Omniture are at locking down security faults with their software: they only listen if it's going to cost them in revenue/bad publicity. Everyone has installed it though, or been forced to by what I consider really bad website design.

Advertising methods are the biggest and easiest channel for malware to piggyback on, given the seal of approval by government/economy golden handshakes, the participants of which are completely clueless technologically.

 

MSSE pales in significance in this regard.

 

Anyway going a bit off topic/epic - Apologies

 

For anyone else interested in such things: http://twit.tv/sn. Episode 258 is an interesting one; download the video and have a watch. The very recent LNK exploit is alarming at the moment. Take care out there.


Hi: I don't know if anyone is still following this thread, but I wanted to add something that might help if I could. I have seen this virus, and can attest to the fact that it is extremely nasty. Fortunately my husband is a very good computer tech, and I never click on anything suspicious without checking with him. This came up for me when I was on a Barnes and Noble site looking at a Holmes on Holmes video. All of a sudden I got that message. So before doing anything I checked with Gary, etc. Anyway, I digress.

 

I had him read all of the above posts, and he has cleaned up several computers that have contracted this virus; so he gave me a little blurb to post here for anyone who might be interested in how he goes about cleaning it off. It follows:

 

"Ok... All the methods submitted so far have been good as far as they go. However, this virus originates in Eastern Europe and has only one aim: to get your credit card number. NEVER GIVE IT THAT NUMBER, and if you do, have the card changed ASAP. The virus shows itself by putting up a pop-up on your screen saying that the below-listed files are infected. DO NOTHING; if you say clean, the virus will delete perfectly good files, sometimes important Windows files, and can trash your Windows installation.

 

Having cleaned this nasty crap off several computers, I am going to tell you what I had to finally do to eradicate it.

 

On a separate and CLEAN computer (that is not connected to the internet), install the following:

 

1 SUPERAntiSpyware Free

 

2 Sophos rootkit killer

 

3 Malwarebytes Free

 

4 e-Squared Free

 

5 Avast (latest version)

 

Then make sure all are updated. Take the hard drive you removed from the infected computer and install it in this computer as a slave drive. I have a device that lets me hook up any drive outside of the computer as a USB drive, which makes this process easier. Once this is done, run all the anti-malware programs, except Sophos Anti-Rootkit (run this last), including Avast, at the same time.

 

Even this may leave some scraps of the virus on your drive, so when you reinstall it in the original computer, run Avast with the boot scan option checked. Then install Malwarebytes and run a full scan.

 

When you are certain that you have cleaned everything, run Task Manager and check for a process executable (.exe) file with all caps like AXKFBHCP.exe, or one with all digits like 184937658.exe, or a combination of letters and digits. Check for these for a couple of weeks after you clean your drive.

 

As a footnote, regardless of the Firefox hype, neither Firefox nor IE, nor for that matter any other web browser, is going to keep this nasty out. Just employing one of these programs will NOT guarantee that you're protected; this virus can and will re-infect your machine.

 

Yes, he is a professional, and yes, it does seem like a lot of work, but some of this malware can really mess up your computers badly, and the longer it resides on your drive the worse it can get. Oh, and by the way, as an aside, we live in a very depressed community (Pecos), just outside of a fairly wealthy one (Santa Fe). Gary charges really low rates and never gouges his customers. Sorry, I just felt a need to defend him, since sometimes the computer techs get a bad rap.

 


Wow, if it was that bad I would just reformat the hard drive using a Parted Magic ISO burnt to CD ( http://partedmagic.com/ ), rewrite the MBR, reinstall Windows, then reinstall my backed-up documents from a USB HD I do occasional backups to and don't keep connected, in case of infections like these.

 

The idea being that if you don't boot the infected HD, and instead boot from that CD, no malware gets a chance to run or slip somewhere else, the whole format wiping out any possibility of it coming back (depending on the user's habits afterwards, of course).

 

Could be problematic if you have not made your system recovery DVDs though. I don't envy professionals trying to recover what's left of a user's machine if their answer to the question "Do you have your system install disks?" is a glassy-eyed "Huh?" :)

 

Edit: In fact, using a Parted Magic ISO in a bad case like that, you could recover a lot of the documents off the HD using the Linux OS Parted Magic runs in, and save them somewhere temporary on another HD before doing the above reformat routine, then thoroughly scan what you managed to salvage before copying it back to the new clean system.


Hi: Gary read the above and responded with the following. He has since buried himself in his office, so I'm not sure if I'll see him again today, but hopefully this stuff is helpful.

 

"When I ask most customers if they ever made the recovery disks, the answer is usually, "what's that?" Most users in the know have backups, but in the real world they don't. So we are left to try and recover their data any way we can. Formatting would be the best. Not many viruses get past the format command. One other thing: this virus can infect OEM recovery partitions. If that happens, you can use anyone's Windows disk, and then use your serial # on the tag on the side of your computer, as long as the flavour of Windows is the same, i.e. Windows XP Home (no service packs) or Windows XP Pro Service Pack 1, etc."


Everyone take notice that it was not me who 1st mentioned backups...but since it was brought up...

 

Article: Backup Your Data Files

Article: How To Protect Your PC

 

If you want to back up your OS so you can restore the entire drive (rather than reformat and reinstall Windows), look up a product called DriveImage XML. Comes in handy if you have your XML drive image on a USB drive and you have a BartPE boot CD that also happens to have DriveImage XML on it, so you can boot to the CD and restore your partition.

 

For those that like to make regular image backups, DriveImage XML can run and make snapshots of your OS while you are using your system. :thumbsup:

 

LHammonds


Another nice little utility and probably not so well known is Prio

 

http://www.prnwatch.com/prio.html

 

It replaces Task Manager and adds to its functions, mostly centred around the ability to increase/decrease the priority of processes and save those settings.

 

It also allows you to bypass UAC for programs you trust: silent elevation of CCleaner, for example.

 

But have a scroll down on that page to the second-to-last screenshot: a TCP/IP monitor is also integrated.

 

Ctrl+Alt+Del to see what processes are making connections (or I prefer to go to C:\windows\system32\, find taskmgr.exe, right-click on it and Send To > Desktop, then drag the new desktop icon into your Quick Launch icons; now you don't have to Ctrl+Alt+Del).


I've seen malware disable (grey out) Task Manager so you could not launch it. I also use another process utility called Process Explorer that not only allows you to see the same stuff Task Manager shows you, but you also see who spawned whom, and you can also see where the executable program resides on the file system. Very helpful if you are trying to see if there is another "explorer.exe" being run from an alternate location such as C:\Explorer.exe, which is a sign that it is not the real deal.

 

LHammonds

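The checks Gary and LHammonds describe above (random-looking executable names such as AXKFBHCP.exe or 184937658.exe, and a system binary like explorer.exe running from somewhere other than its real directory), plus the parent-child view Process Explorer gives, are easy to script. The Python below is an added example, not code from the posts or from Process Explorer: it runs those checks over a constructed process listing. The expected directories and the assumption that every svchost.exe is started by services.exe are mine; they hold on XP through current Windows, but any rule like this produces false positives (some legitimate programs do have upper-case names), so treat a hit as a lead for triage, not a verdict.

```python
"""Added example (not from the posts, not Process Explorer code): triage a
process listing for the signs the thread describes.

Checks:
  1. random-looking executable names (AXKFBHCP.exe, 184937658.exe, mixed),
  2. a well-known Windows binary running from the wrong directory
     (C:\\Explorer.exe instead of C:\\Windows\\explorer.exe),
  3. a well-known binary with the wrong parent (who spawned whom).
SAMPLE_PROCESSES is a constructed listing; the expected directories and the
svchost.exe -> services.exe parent rule are assumptions, not from the posts.
"""
import ntpath
import re

# Directory where the genuine copy of each binary lives (lower-case, no trailing \).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}
# Assumed: every svchost.exe is started by services.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Heuristic for the names the post describes: 4+ digits, or 8+ upper-case
# letters/digits.  Legitimate upper-case names will trip it; treat as a lead.
RANDOM_STEM = re.compile(r"^(?:[0-9]{4,}|[A-Z0-9]{8,})$")

SAMPLE_PROCESSES = [  # constructed listing: pid, parent pid, image name, full path
    {"pid": 4,    "ppid": 0,    "name": "System",        "path": ""},
    {"pid": 520,  "ppid": 4,    "name": "csrss.exe",     "path": r"C:\Windows\System32\csrss.exe"},
    {"pid": 600,  "ppid": 4,    "name": "winlogon.exe",  "path": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 640,  "ppid": 600,  "name": "services.exe",  "path": r"C:\Windows\System32\services.exe"},
    {"pid": 900,  "ppid": 640,  "name": "svchost.exe",   "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1500, "ppid": 600,  "name": "explorer.exe",  "path": r"C:\Windows\explorer.exe"},
    {"pid": 2100, "ppid": 1500, "name": "Explorer.exe",  "path": r"C:\Explorer.exe"},
    {"pid": 2204, "ppid": 1500, "name": "AXKFBHCP.exe",  "path": r"C:\Users\joe\AppData\Local\Temp\AXKFBHCP.exe"},
    {"pid": 2310, "ppid": 2204, "name": "svchost.exe",   "path": r"C:\Users\Public\svchost.exe"},
    {"pid": 2400, "ppid": 1500, "name": "184937658.exe", "path": r"C:\Users\joe\AppData\Local\Temp\184937658.exe"},
    {"pid": 2500, "ppid": 1500, "name": "firefox.exe",   "path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]


def dir_of(path):
    """Lower-cased directory part of a Windows path (works on any host OS)."""
    return ntpath.dirname(path).lower().rstrip("\\")


def triage(processes):
    """Return a list of (pid, name, reason) findings for the listing."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"]
        lname = name.lower()
        stem = ntpath.splitext(name)[0]

        if lname in EXPECTED_DIR:
            # Known binary: the only question is whether it is the real file.
            if p["path"] and dir_of(p["path"]) != EXPECTED_DIR[lname]:
                findings.append((p["pid"], name,
                                 f"runs from {p['path']}, expected {EXPECTED_DIR[lname]}"))
        elif RANDOM_STEM.match(stem):
            findings.append((p["pid"], name, "random-looking executable name"))

        want = EXPECTED_PARENT.get(lname)
        if want:
            parent = by_pid.get(p["ppid"])
            have = parent["name"].lower() if parent else "<exited>"
            if have != want:
                findings.append((p["pid"], name, f"parent is {have}, expected {want}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_PROCESSES):
        print(f"PID {pid:<5} {name:<16} {reason}")
```

On a live machine the same dictionaries can be filled from psutil (Process.name(), Process.exe(), Process.ppid()) or from a listing exported from Process Explorer; neither depends on Task Manager being enabled.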

They can disable the task manager? That's why my computer always gives me that beeping noise every time I press ctrl-alt. Guess it's time to do my yearly wiping of the computer.
