Spybot, spy sweeper - not yet there!!!! 3

[mike0680]

Being a Sunday, I have spent the last twelve hours sorting out our network consisting of one 2003 server, a 2000 server acting as a terminal server and 10 workstations, 3 XP pro and 7 w2k professional.

Four workstations have been infected by viruses and spyware during the last 7 days, as had one of my clients' PCs. All were protected by Panda Titanium 2004 or Norton Internet Security 2004, yet we kept getting the "about:blank" as the home page and a spyware warning.

I checked out the previous threads here, and resolved our client's PC which simply could not load Internet Explorer 6 by running spybot which cleaned all but the registry-based files.

After updating the virus packages and installing spybot not much luck with our 4 PCs. However spy sweeper repaired two more PCs. So I am more than pleased with 60% success.

The two PCs that are still infected with spyware are both running w2k one with Panda, the other with NIS2004. Both have the latest updates.

Has anybody faced similar problems? Any ideas would be greatly appreciated.

Thanks,

Mike

 

[Zech]

Try ad-aware. I am currently using both Ad-aware and Spybot.

 

[AnalogAnomaly]

Sounds like a lame hijacker to me. first download spybot search and destroy, scan, fix, update, scan again, fix again. Then download adaware, scan, fix, update, scan again, fix again. then open internet explorer, go to tools> internet options> then on the first page there specify what you want your home page to be. for me it's always google or an intra-net site.

if this does not fix it, i reccomend getting a beter anti-virus. In my opinion F-Secure and Kapersky Labs/Bit Defender are hands down the best two on the market. Both make norton look stupid. of course McAffe and AVG are plain stupid. panda is bleh.. i have no strong feelings one way or the other about panda, pc cilling just plain isn't efficent enough, and doesn't get everything.

 

[zoeythecat]

I don't care what Anvtivirus Program you have. If your computer is not up to date with the latest Antivirus Updates and Windows Updates then it really does not matter. I have Norton at home and we use Sophos and MCAFEE at work. I have never had a problem with viruses because I keep my computer up to date. Our end users however, get killed with viruses because their computers are not always up to date (We do not have an enterprise manager to download virus signatures).

So MCAFEE and NORTON and PANDA will work and do its job but the end user needs to keep this updated as well as patching their systems via Windows Update. If the systems are not patched then it don't matter if you have an updated virus program or not.

More so, the end users need to be made aware not to open any suspicious emails. This is really how the systems become infected.

Another side note. If your email server is up to date with the latest virus signatures then there will be no infected emails making it to the end user.

 

[diogenes10]

I'm not real technical with this, but it looks to me like some of the adware/spyware/malware are grey areas as far as antivirus is concerned.

Items discussed as bad in spyware sites are in many cases not included in antivirus products. There are sometimes disagreement between the "experts" as to what should be removed and what shouldn't. And in some cases the user of the computer wants the filesharing program or the toolbar even though many others consider it to be a problem software.

http://www.javacoolsoftware.com/spywareblaster.html

This is a spyware defense program which I've seen suggested to be added to the defense programs.
[ forum here:

http://www.wilderssecurity.com/forumdisplay.php?s=b78f70a9f9a4b51c06f8929a93a25cbe&f=23

]

As far as the different antivirus products are concerned, I know that it has been mentioned more than once in various threads that sometimes one product will pick up things another doesnt. My [unconfirmed] opinion would be that that would be even more likely to be the case in relation to threats which are marginal for an antivirus to cover (like the adware situation we are discussing) or for brand new threats where whoever gets it first and/or has the quickest analysis time will get a solution out first. I do know that in one adware or trojan issue I was hunting for info on sometime ago- and looking at panda and trendmicro- I found that one detected it and the other didnt.

Last-in regard to about blank. I started trying to learn about analysing hijackthis logs in April. In just the few months from then to now the sophistication of attacks seems to have increased dramatically. It seems like there are more trojans. Some of the hijacker programs are now written to detect some attempts to disable them and are also capable of reloading from hidden dll or exe files. I dont understand the solutions for these, but I know it is considerably more complicated than just running spybot and cwshredder. The about:blank problem mentioned in the initial post is probably one of the newer coolwebsearch threats that reloads from hidden dll files. A link to discussion about one of them here:

http://www.wilderssecurity.com/showthread.php?t=28658&page=2

Regards.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[AnalogAnomaly]

zoey.. first i shall refer you to this thread which i belive has a link to an article that expresses something rather close to my feelings on depending on end users.
End User Education

Secondly, while yes, if your machine is not up to date with security patches and current virus definitions it likely (yes there are hardened systems that don't need such things, though contrary to the popular beleif of the uneducated masses, linux is not one of them) operates with unneccessary increased vunerability to malware. However where i disagree with you is that the user must keep this up to date, while norton and mcaffe have enterprise versions that allow administrative users to update most definition databases, updates are still dependant on having a competant person in charge. Such is rarely the case. F-Secure updates it's virus definition twice daily by itself assuming there is an internet connection available, if not it will nag you about updating your definions after a certian amount of time has passed, and the only way to get it to shutup is change the nag limit, uninstall the software (go uninstall that mcaffe of yours, tell me it doesn't fubar your load.. you don't have that kinda problem with f-secure) or actually let it connect and update. f-secure also takes up a very small amount of resources while running and is extremely effective at catching and removing malware (with the exception of spyware, no half-decent anti-virus removes spyware aswell) the very moment it is installed. Furthermore every machine that has ever come into my computer shop for repair with mcaffe on it has had over 200 infected files that mcaffe didn't catch, much less couldn't remove.

Yes all smtp servers should have an up to date anti-virus on them so that infected email is NOT passed, however outsider of my networks, there's nothing i can do about that and it unfortunately is one of many good practices that seem to be ignored by most of the industry. I clean out too many outlook.pst files as it is. There's no excuse for such mass stupidity.

Trusting end users not to be stupid will always have bad results.

Well I was on a rant here but between the continus barrage of distractions i seem to have forgotten where i was going with it. Lacking in any clear point now i shall end it.

 

[mike0680]

Analog,

Followed your suggestions with spybot and adaware. Have tried this before and results in returning the requested home page once(google)then after another attempt back to "about:blank" and spyware warning.
Downloaded f-secure 30 day evaluation copy to replace NIS2004. It could not remove all the viruses.


Zoey,

As soon as I saw the problem I implimented an updating policy and I am sure if everyone behaves this will show benefits in the future.


Diogenes,

Thanks for the links which I've checked out and going through.

I agree totally with your last paragraph, every attempt at removal is detected and activates a reload. However, I will keep trying.



I am trying to get up to speed to spyware. Can anyone explain why one of our PCs which was reinstalled with XP Pro, drivers and Norton Internet Security 2004, updated and completed patched to every critical update found to be riddled with spyware when checked with Ad-aware?

Who's guilty microsoft, symantec, adaware or could they be hanging around from the old installation.

Any ideas please????????

 

[diogenes10]

Was the drive reformatted for the reinstall?

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[mike0680]

Yes - drive was fully reformatted.

 

[zebratech]

Not to state the obvious but in the heat of battle sometimes we tend to forget, did you disable system restore (win xp)?



Unix IS user friendly... It's just selective about who its friends are.

 

[byteofram]

I would suggest running SpywareGuard...it's a program that runs real time, and although they haven't updated for awhile it keeps IE from being changed. It's been very helpful when trying to fight spyware. I've also noticed that having the user log in with no admin rights helps. It prevents the ones that want to install something in your registry from doing so because of the lack of admin rights. Isn't a catch all, but it does help.

----------
Computer TIPs - Columbus Computer Consultants

http://www.comptips.com