10-24-2009, 12:14 AM | #21
Serious Business
Join Date: Nov 2008
Location: New York
Moto: 1993 ZX-11 2008 CBR1000rr
Posts: 9,723
Quote:
Meaning: I download a lot, and much of that is torrents... some of which are not the cleanest files out there.

10-27-2009, 10:38 AM | #22
CMDLINE
Join Date: Feb 2008
Location: Huntsville, AL
Moto: 2008 Black/Grey Hayabusa
Posts: 1,406
Quote:
I use AVG and Malware. One of the biggest problems most general users have is that they don't patch their shit either. Gee, if you don't apply the patches (and fuck you, Macs have security issues too) then you're just waiting for the moment to have a virus walk in on you while you've got your dick stuck in the vacuum cleaner.... Patch your shit. Don't be a dumbass while browsing the web. Really, leave the pirated software alone. Watch what your family does on the system (give 'em the guest account to use or generic user accts). Maintain your anti-virus. With as much shit as people do on their PCs it's amazing to see how unprotected most folks are in their home. Thank god I refuse to do home-based service.

10-27-2009, 02:38 PM | #23
Nomadic Tribesman
Join Date: Nov 2008
Location: Brampton, Canada
Moto: '09 ER-6n
Posts: 11,150
Amblyopic, I would have agreed with you in the past, but the current run of infections are something a little different. We generally refer to them collectively as "FakeAV" around here. They are generally being launched via web browser (IE or Firefox; it doesn't matter). They disable a good deal of the user interaction with the browser, so it takes more than a basic user's skills to get rid of it (most users have no idea what Task Manager is).
I suspect that the virus is spread both by infected pages and infected ad banners. The browser window resizes and immediately warns you, with an official-looking window, that your system is infected with a large number of viruses. It also gives instructions for removal ('click here') and takes you to a site where you can purchase the removal tool. Of course this is progressively causing a deeper and deeper exploitation of your system. So far I've only had one user who foolishly clicked all the way through to the point of giving a credit card number, out of the few hundred removals I've done. The most invasive version of this trojan loads a bunch of 'don't run' commands into the system registry as the second step of the infection (first click on the window). This blocks every antivirus that I've ever heard of, Malwarebytes, Spybot, AdAware, and dozens of other tools. Even HijackThis is blocked from execution. In some cases I've been able to manually remove the worst of the infection by booting with ERD Commander (a butchered version of WinXP that boots from CD), but I've failed miserably to definitively clean the system in fully 50% of the cases with this version of the virus. Most of the people involved had the Windows Firewall enabled and had a good corporate-level antivirus installed and up to date on the system. It didn't help. This stuff is something new.
__________________
"Everything's better with pirates." - Lodge, "Dorkness Rising" http://www.morallyambiguous.net/

10-27-2009, 03:22 PM | #24
CMDLINE
Join Date: Feb 2008
Location: Huntsville, AL
Moto: 2008 Black/Grey Hayabusa
Posts: 1,406
Quote:
Yeah, they're getting harder and harder to clean and protect from... the threat is growing exponentially. Go to the SANS site often if you don't already... I spend a lot of time there. But one of the larger things you're mentioning is the ad-based viruses... and so many people fall prey to these attacks, because... they just don't know any better. And one of the biggest things I argue is that the users really need to patch their systems (both the OS and so many just leave the programs as-is). Adobe's got so many holes it's not funny, same w/ Sun's Java... the list goes on and on... just like Windows 7. I love the OS, I've had the beta running since June-ish and the RTM... god... can't remember when, but I'm running it... But anyways, even before official release to the public it already had its first major vulnerability (Zero Day attack - BSOD w/ a single packet, IIRC, let me know and I can get you the article and subsequent alerts)... I think we can agree on something. There's a lot of bad people out there who want either A) to get your identity or B) just make your day as shitty as possible with these malware advertisements, viruses, etc. I mean, Mitnick didn't do it to really do harm to people's stuff, he did it just to see if he could.... Have you met Mitnick before? I haven't had the chance yet (was supposed to be at a conference he was going to speak at but didn't get to go), but I did get a chance to hear a talk by Johnny Long... cool dude.

10-27-2009, 03:51 PM | #25
Serious Business
Join Date: Nov 2008
Location: New York
Moto: 1993 ZX-11 2008 CBR1000rr
Posts: 9,723
Quote:
HijackThis + AVG + Avast + Malwarebytes + poking around + 4 hours of my life to clean up her system. Told her to stop looking at porn and then she laughed... which means she's been looking at porn.

10-27-2009, 04:32 PM | #26
Nomadic Tribesman
Join Date: Nov 2008
Location: Brampton, Canada
Moto: '09 ER-6n
Posts: 11,150
If it took that long, then you can bet that there is still something on the system; back door, botnet, fake service... One interesting trick that they've started to use is a hidden cron job in the Windows\Tasks directory. You think that the system is clean and then the next morning it's re-virused. These days I recommend that most home users just back their shit up and blow the drive away. It takes less time and it's the only way to be reasonably certain.
__________________
"Everything's better with pirates." - Lodge, "Dorkness Rising" http://www.morallyambiguous.net/

10-27-2009, 04:33 PM | #27
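The two behaviours described in posts #23 and #26 (security tools blocked from starting via the registry, and a scheduled task that re-infects a "cleaned" machine overnight) are both things a tech can enumerate before deciding whether a rebuild is the only option. The following read-only triage script is an added example for this thread, not code from any poster. The posts do not name the registry keys involved; the IFEO "Debugger" value and the Explorer "DisallowRun" policy are checked here because they are the usual mechanisms for preventing a named program from running, and that choice is an assumption. The `Task To Run` column name assumes an en-US `schtasks`.

```powershell
# Added triage example (not from this thread). Run from an elevated PowerShell prompt.
# Read-only: nothing is modified, so it is safe to run before deciding on a wipe.

# Image File Execution Options: a "Debugger" value on a subkey redirects that image
# to another program whenever it is launched. Assumption: this is one common way the
# "don't run" behaviour in post #23 is implemented; the post itself names no key.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Name fragments of the tools the thread says were blocked; used only to highlight hits.
$ToolHints = @('mbam', 'hijackthis', 'avg', 'spybot', 'aware')

function Get-IfeoDebuggerEntries {
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $image = $_.PSChildName
            [pscustomobject]@{
                Image        = $image
                Debugger     = $props.Debugger
                # Legitimate debuggers exist (developer tooling), so this is a hint, not a verdict.
                SecurityTool = [bool]($ToolHints | Where-Object { $image -match $_ })
            }
        }
    }
}

# Explorer policy listing program names the shell refuses to start (per-user and machine-wide).
function Get-DisallowRunEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.Property) {
                [pscustomobject]@{
                    Hive    = $hive
                    Name    = $name
                    Program = $item.GetValue($name)
                }
            }
        }
    }
}

# Legacy .job files live in %windir%\Tasks; -Force includes hidden files (post #26).
function Get-TaskFileListing {
    Get-ChildItem -Path "$env:windir\Tasks" -File -Force -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime, Attributes
}

# Every registered task with the command it runs. schtasks repeats the CSV header per
# task folder, so header rows are dropped. Commands launched out of profile or temp
# directories are marked as worth a second look (a heuristic, not proof of infection).
function Get-RegisteredTaskCommands {
    schtasks.exe /query /fo CSV /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A' } |
        ForEach-Object {
            [pscustomobject]@{
                TaskName    = $_.TaskName
                Command     = $_.'Task To Run'
                RunAs       = $_.'Run As User'
                Status      = $_.Status
                UserWritable = [bool]($_.'Task To Run' -match '(?i)\\(temp|appdata|users\\[^\\]+\\(?!desktop))')
            }
        }
}

# Collect everything into one report so the findings can be saved alongside the ticket.
$Report = [ordered]@{
    IfeoDebuggers   = @(Get-IfeoDebuggerEntries)
    DisallowRun     = @(Get-DisallowRunEntries)
    TaskFiles       = @(Get-TaskFileListing)
    RegisteredTasks = @(Get-RegisteredTaskCommands)
}

foreach ($section in $Report.Keys) {
    Write-Host "== $section ($($Report[$section].Count) entries) =="
    if ($Report[$section].Count -gt 0) {
        $Report[$section] | Format-Table -AutoSize | Out-String -Width 200 | Write-Host
    }
}
```

A clean workstation normally shows no `DisallowRun` key at all, few or no IFEO `Debugger` values, and scheduled tasks whose commands sit under `%windir%` or `Program Files`. Anything pointing a security tool's image at another executable, or a task firing a binary from a temp or profile directory, is exactly the kind of leftover the poster describes, and supports the "back up and blow the drive away" recommendation rather than another round of cleaning.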
Nomadic Tribesman
Join Date: Nov 2008
Location: Brampton, Canada
Moto: '09 ER-6n
Posts: 11,150
Quote:
__________________
"Everything's better with pirates." - Lodge, "Dorkness Rising" http://www.morallyambiguous.net/

10-27-2009, 04:42 PM | #28
Serious Business
Join Date: Nov 2008
Location: New York
Moto: 1993 ZX-11 2008 CBR1000rr
Posts: 9,723
Quote:
Normally I would just do a fresh install, but on that occasion I didn't feel like wasting all that time on it.

10-27-2009, 08:43 PM | #29
CMDLINE
Join Date: Feb 2008
Location: Huntsville, AL
Moto: 2008 Black/Grey Hayabusa
Posts: 1,406
Quote:
You see a lot of that. Several other countries, not just Ukraine, as well though. Use your imagination.