Seth

How well is Vista inherently protected?

Computer technicians (like myself) make a significant portion of their income by disinfecting computers. So what effect will it have on their business now that Windows Vista comes with the antimalware application "Windows Defender"?

Last night I got in an HP laptop that wasn't even one month old. It was running Norton Internet Security and, of course, Windows Defender. The computer was infected with the rogue antimalware application called "SpyCrush". Both Norton and Defender let it run freely.

Vista kept informing me that "Windows Explorer can't run" and needs to be restarted. The desktop kept flashing on and off, and SpyCrush was bombarding me with popups. I managed to get into Task Manager and ended SpyCrush's Process Tree. NOTE: This is a good tip: End the Process Tree, not just the Process.

I managed to get SAS installed. Check this out:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 06/21/2007 at 09:48 PM

Application Version : 3.8.1002
Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:58:58

Memory items scanned : 408
Memory threats detected : 0
Registry items scanned : 8146
Registry threats detected : 150
File items scanned : 68020
File threats detected : 110

Malware.SpyCrush (paths removed as there were way too many).

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}
HKCR\CLSID\{8BBE40FD-0416-4C3F-80EA-0C7AD5FB1AAB}
HKCR\CLSID\{8BBE40FD-0416-4C3F-80EA-0C7AD5FB1AAB}\InProcServer32
HKCR\CLSID\{8BBE40FD-0416-4C3F-80EA-0C7AD5FB1AAB}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IGPFCED.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}

Trojan.Media-Codec/V3
HKLM\Software\Classes\CLSID\{CDE8EAB9-CEF3-4885-B12F-26960A25C800}
HKCR\CLSID\{CDE8EAB9-CEF3-4885-B12F-26960A25C800}
HKCR\CLSID\{CDE8EAB9-CEF3-4885-B12F-26960A25C800}\InprocServer32
HKCR\CLSID\{CDE8EAB9-CEF3-4885-B12F-26960A25C800}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESPLG.DLL
HKLM\Software\Classes\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\Implemented Categories
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\InprocServer32
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESBPL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDE8EAB9-CEF3-4885-B12F-26960A25C800}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#UninstallString
C:\Program Files\Video ActiveX Access\iesbunst.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Video ActiveX Access\iesunst.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Video ActiveX Access\imsunst.exe
C:\Program Files\Video ActiveX Access\ot.ico
C:\Program Files\Video ActiveX Access\ts.ico
C:\Program Files\Video ActiveX Access\uninst.exe
C:\Program Files\Video ActiveX Access

Trojan.Security Toolbar
C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url
C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url
C:\Users\Public\Desktop\Security Troubleshooting.url
C:\Users\Public\Desktop\Online Security Guide.url

Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object#DisplayVersion
HKCR\VideoAXObject.Chl
HKCR\VideoAXObject.Chl\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video ActiveX Access\iesmn.exe ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#rare [ C:\Program Files\Video ActiveX Access\imsmain.exe ]

Malware.SpyLocked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

Browser Hijacker.Favorites
C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\ONLINE SECURITY GUIDE.URL
C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\SECURITY TROUBLESHOOTING.URL
C:\USERS\CHANTEL\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Unknown Origin
C:\USERS\CHANTEL\APPDATA\LOCAL\TEMP\LAFB6A8.TMP

On reboot all was well.

Norton was removed, Defender was disabled, and the customer purchased SAS Pro Lifetime. She now has a clean system that runs a lot faster and is infinitely better protected. For a much cheaper price too!

Note: SpyCrush and SpyLocked are persistent, but they are very common. To say it's pathetic that Norton and Defender allowed it (and the other malware) to run is an understatement.

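Turning a scan log like the one above into something a responder can act on (the CLSIDs involved, the dropped files, and which entries sit in autostart locations such as the policies\explorer\run key, the Browser Helper Objects list and SharedTaskScheduler) is mostly a parsing job. The following is an added example written for this page, not SUPERAntiSpyware's code or anything Seth posted; it assumes the line layout shown in his log (a category line, then registry entries with an optional `#value [ data ]` suffix and plain file paths) and runs on a constructed excerpt of that log embedded below.

```python
"""Parse a SUPERAntiSpyware-style scan log into structured findings (added example)."""
import json
import re
from collections import Counter

# Constructed excerpt modelled on the log in the post above: a handful of the
# listed entries with the same line layout, not the complete log.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 06/21/2007 at 09:48 PM
Application Version : 3.8.1002
Registry items scanned : 8146
Registry threats detected : 150
File items scanned : 68020
File threats detected : 110

Malware.SpyCrush (paths removed as there were way too many).

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}
HKCR\CLSID\{8BBE40FD-0416-4C3F-80EA-0C7AD5FB1AAB}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IGPFCED.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}

Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video ActiveX Access\iesmn.exe ]
C:\Program Files\Video ActiveX Access\iesmin.exe
"""

# "Key : value" header lines; the key is letters/spaces only, so the timestamp line is skipped.
SUMMARY_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")
# Category lines look like "Family.Name", optionally followed by a note in parentheses.
CATEGORY_RE = re.compile(r"^[A-Za-z][\w\- ]*\.[\w\- /]+")
# hive\key, optional #value, optional [ data ] as the scanner prints it.
REGISTRY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKCR|HKU|HKCC)\\(?P<key>[^#\[]+?)"
    r"(?:#(?P<value>[^\[]+?))?(?:\s*\[\s*(?P<data>.+?)\s*\])?\s*$")
FILE_RE = re.compile(r"^[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Substrings of registry keys that are code load points (Run keys, BHOs, SharedTaskScheduler).
LOAD_POINTS = ("\\run", "browser helper objects", "sharedtaskscheduler")


def parse_scan_log(text):
    """Return {"summary": {...}, "findings": [...]} for one scan log."""
    report = {"summary": {}, "findings": []}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REGISTRY_RE.match(line)          # registry and file checks go first: "C:\..." also
        if m:                                 # looks like "key : value" to SUMMARY_RE
            key = m.group("key").rstrip("\\")
            report["findings"].append({
                "category": category, "kind": "registry",
                "hive": m.group("hive"), "key": key,
                "value": m.group("value"), "data": m.group("data"),
                "clsids": sorted({c.lower() for c in CLSID_RE.findall(line)}),
                "load_point": any(p in key.lower() for p in LOAD_POINTS),
            })
            continue
        if FILE_RE.match(line):
            report["findings"].append({"category": category, "kind": "file", "path": line})
            continue
        m = SUMMARY_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            report["summary"][key] = int(val) if val.isdigit() else val
            continue
        m = CATEGORY_RE.match(line)
        if m:
            category = m.group(0).strip()
    return report


def indicators(report):
    """Collapse findings into what a responder checks next: counts, CLSIDs, files, load points."""
    finds = report["findings"]
    return {
        "by_category": dict(Counter(f["category"] for f in finds)),
        "clsids": sorted({c for f in finds for c in f.get("clsids", [])}),
        "files": sorted({f["path"] for f in finds if f["kind"] == "file"}
                        | {f["data"] for f in finds if f.get("data")}),
        "load_points": [f["key"] + ("#" + f["value"] if f["value"] else "")
                        for f in finds if f.get("load_point")],
    }


if __name__ == "__main__":
    print(json.dumps(indicators(parse_scan_log(SAMPLE_LOG)), indent=2))
```

The load-point flag is a plain substring test, so it also matches RunOnce-style keys; that is intended, since anything under those keys loads code without the user asking. The `data` field of a Run entry (the executable it launches) is merged into the file list, which is why `iesmn.exe` shows up there even though the excerpt lists it only inside a registry value.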

Hello Seth,

From one computer tech to another, what AV program did you replace Norton with? Just curious. :)

> Hello Seth,
>
> From one computer tech to another, what AV program did you replace Norton with? Just curious. :)

Greetings SirJon.

I'm going to stick my neck out on this one...

In testing and comparing various antimalware applications, I came across SAS about a year ago. I've yet to find any other AV or AS that even comes close to SAS's detection and removal abilities. I was so impressed with SAS, that I became a reseller. I've sold and installed 120+ lifetime subscriptions in the last few months.

As you probably know, virtually all malware today is in the form of Trojan Horses which deploy a payload of various Adware. For those experienced in malware, TH's are easy to avoid when surfing the net.

For infected systems, I replace the customer's AV with SAS. They always want it off anyway when they see what SAS has found and removed. I also educate my customer on how to recognize TH's when surfing the net.

Combined with their newfound knowledge of TH's and the protection of SAS, my customers' systems have remained clean.

...and even if SAS misses something, send a Support Ticket and Nick will take care of it 8) .

> For those experienced in malware, TH's are easy to avoid when surfing the net.
>
> I also educate my customer on how to recognize TH's when surfing the net.

How about a quick education for the rest of us??

> For those experienced in malware, TH's are easy to avoid when surfing the net.
>
> I also educate my customer on how to recognize TH's when surfing the net.
>
> How about a quick education for the rest of us??

Sure thing:

When surfing the net, you will come across pop ups or advertising such as:

"We've detected your computer is infected with Spyware. Click here to download (whatever) program"

"Your computers registry needs optimizing. Click here to download..."

"We've detected 76 errors on your computer. Click here to download..."

"Your computer has traces of adult sites. Click here to remove them with..."

These are Trojan Horse programs that will deploy Adware/Spyware, and almost all malware is a result of TH's.

Another major form of TH's is "media codec". When trying to view an online video, you may not be able to unless you agree to install their codec, toolbar, or media player. These will install some form of Adware.

Many screensaver sites use screensavers that are TH's.

One other...if you use any sort of chatting service (like Messenger), and a message appears that is similar to "Check out this picture of (whatever) I just sent you", then it's likely malware unless you can confirm that it was sent by the person you were chatting with.

The above knowledge will allow you to avoid 99% of all current malware. Now add in SAS Pro and IMO you're covered.

> Sure thing:

Seth - Thanks very much. I'm sure this sounds like common sense to you, but it taught me some valuable stuff, and learning valuable stuff is like gold to me. And I love gold.

and fatdcuk - thank you for the link. I just finished my second trip through it and now I'm going through the secondary level of all the links to the link or . . . there must be a word for it. Who cares, it's great info: thanks!

Hey Seth or fatdcuk - here's a non sequitur for you guys (gals?). I hate Windows Firewall on theoretical grounds, being inbound-only protection and mediocre at that. On the other hand I've gone two and a half years without a truly malicious piece of code infecting my system and I'm online every day. I recently switched from Webroot to SAS to lighten my load (68MB to 37MB RAM w/ real-time enabled - she's faster to boot plus smoother to run). And everything's playing nice as it was before.

Given the preceding, would either of you replace Windows Firewall with a competent bi-directional soft firewall? As they say, unexpected threats don't come from history. I wish I'd said that.

Take Care,

-P220ST (cool forum y'all got going on here)


@ fatdcuk. Link Bookmarked!

@ Seth. Nice simplistic tutorial for all levels of users.

My wee motto for safety is don't participate in 'The 3 P's', (porn, piracy, & p2p).

And I know this sounds like a real drag, but read the EULAs, particularly on freeware/shareware downloads that are not sourced from a reputable vendor's site; they do usually inform you of exactly what you're about to unleash on your machine! :shock: The likes of rogue antispyware programs and pesky adware can simply be avoided by getting into this practice, tedious as it seems.

> Given the preceding, would either of you replace Windows Firewall with a competent bi-directional soft firewall? As they say, unexpected threats don't come from history

Hi P220ST

Having seen some of your other posts in these forums, I would classify you as a low-risk user in the sense that you have a good level of security awareness and avoid high-risk sources. Your choice of security software would suggest a high level of this awareness, but IMO I would also add the 2-way firewall to complement & complete your existing layered strategy.

The advantages of using this type of software IMO are too good not to use. Not only do you take control of what is allowed to phone home (so to speak) amongst your legitimate software, but also, should malicious code somehow bypass your current security arrangement, there is a very high percentage that its outbound communication will be caught by the firewall, which subsequently alerts you to its presence on your computer.

That's my layman's take on things :)

HTH :)

Et al,

I've probably posted the following info 100s of times over the years, but if it helps even 1 more person then it's really worth posting again at every opportunity :wink:

Before opening file attachments or after downloading files, regardless of the source (trusted/untrusted), it's always best to give it an integrity check before letting it loose on your secure computer.

Now most folks run resident AV (or at least should!) which almost certainly checks the file against its blacklist of malicious code, but this will only be flagged if it is *known* by that software vendor. The reality is no one software detects all malicious code, so there's always a chance that the file integrity check will be bypassed and malicious code will be allowed entry onto your computer.

So now, using risk assessment, it would be better to integrity check a file against 31 databases as opposed to 1, 2 ... maybe 3 resident (AV, AT & ASW) programs.

:idea: So before opening that email attachment, give it the once over at the VirusTotal service >>>

http://www.virustotal.com/en/indexf.html

Same goes when downloading files off the web: save the file instead of running it from the file download prompt screen. Before opening the file, upload it to VT for integrity checking, and if any databases flag the file then nuke it (do not open it).

Is this foolproof? Well, nothing is 100% guaranteed, but what it is doing is greatly narrowing the risks of malicious code getting onto your PC by those 2 avenues.

FWIW 100% security is impossible to achieve (there is no silver bullet), but what folks can do is take steps to minimise the attack surfaces where malicious code can gain entry onto your system.

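One way to automate the check fatdcuk describes: hash the saved download locally and look the hash up at VirusTotal before opening the file, treating any engine hit as "do not open" and a hash VirusTotal has never seen as "no verdict yet" rather than as clean (that is the case where you would upload the file through the site as the post suggests). This is an added example, not code from the thread or from VirusTotal; it assumes the current v3 `files/{sha256}` report endpoint with an `x-apikey` header (read here from a VT_API_KEY environment variable, an assumed name) and the `last_analysis_stats` block in the JSON response.

```python
"""Look up a downloaded file's SHA-256 at VirusTotal before opening it (added example)."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# VirusTotal v3 file-report endpoint, keyed by hash; the file itself is never sent.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, streamed so large downloads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Return the parsed VT report for the hash, or None when VT has never seen it (HTTP 404)."""
    req = urllib.request.Request(VT_FILE_REPORT.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None          # unknown hash: no verdict, which is NOT a clean bill
        raise


def verdict(report):
    """Apply the post's rule: if any database flags the file, do not open it."""
    if report is None:
        return "unknown"
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return "quarantine" if flagged > 0 else "no-detections"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <downloaded-file>", file=sys.stderr)
        return 2
    api_key = os.environ.get("VT_API_KEY")   # assumed variable name for the API key
    if not api_key:
        print("set VT_API_KEY to your VirusTotal API key first", file=sys.stderr)
        return 2
    digest = sha256_of_file(argv[1])
    result = verdict(fetch_report(digest, api_key))
    print(f"{digest}  {result}")
    # Non-zero unless VT has seen the file and no engine flagged it, so a wrapper
    # script can refuse to launch the download on "quarantine" or "unknown".
    return 0 if result == "no-detections" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Querying by hash keeps a private document off a third-party service while still giving the multi-engine verdict the post is after; the trade-off is that a brand-new file comes back "unknown", and the script deliberately refuses to treat that as safe.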

Another strategy is to completely discontinue the usage of Internet Explorer except for downloading Windows Updates. Switch to Mozilla, K-Meleon or Opera when accessing the Internet for general browsing. When using a Mozilla browser, install the plugins NoScript and Adblock Plus for added security.
