Old 12-29-2011, 01:01 AM
 
Location: Southern California
Quote:
Originally Posted by Skunk Workz
had XP Security 2012 walk past MSE on my dad's machine a few days ago. If the end user actually allows the app onto the machine there isn't much you can do about it.
That reminds me of the PICNIC acronym, which means Problem In Chair, Not In Computer. Many of these virus and malware attacks can be prevented with safe web surfing habits.
Old 12-29-2011, 01:38 AM
 
Location: Seattle, Washington
For years I've used AVG. Never had any problems with it.
Old 12-29-2011, 04:13 AM
 
AVAST is pretty good and MBAM is, as pointed out. (No RT scanner w/ the free version of MBAM.) Avast now will sandbox executables, which is a pretty reliable way to prevent infections in the first place. You can use something like Sandboxie. Never hurts to use a multi-prong approach. One app isn't going to do it all. AVG started having way too many false positives for my taste around version 7, although this isn't uncommon in antivirus apps.

MBAM seems very accurate. Avast doesn't have much of a problem w/ false positives either. I agree that THE biggest issue w/ virus attacks are user habits.
Old 12-29-2011, 07:30 AM
 
Location: WV and Eastport, ME
Quote:
Originally Posted by JimRom
I've since changed my opinion. Vista Security 2012 walked past Avast and Malwarebytes like they weren't even there, and I ended up doing a reformat over it. Installed MSE on the wife's laptop now, and so far all is well.
Quote:
Originally Posted by Skunk Workz
had XP Security 2012 walk past MSE on my dad's machine a few days ago. If the end user actually allows the app onto the machine there isn't much you can do about it.
Quote:
Originally Posted by dennismpat
That reminds me of the PICNIC acronym, which means Problem In Chair, Not In Computer. Many of these virus and malware attacks can be prevented with safe web surfing habits.
Both of these examples of [choose one: scareware, extortion-ware, highway robbery] will walk past most any antivirus program. Safe surfing habits will not stop them either. They install without user intervention, so nobody had to "allow" anything. In my searching, nobody has demonstrated exactly how or where these things come from, I have found no way to prevent them, and they are getting more and more difficult to remove.
Old 12-29-2011, 10:24 AM
 
Quote:
Originally Posted by mensaguy
Both of these examples of [choose one: scareware, extortion-ware, highway robbery] will walk past most any antivirus program. Safe surfing habits will not stop them either. They install without user intervention, so nobody had to "allow" anything. In my searching, nobody has demonstrated exactly how or where these things come from, I have found no way to prevent them, and they are getting more and more difficult to remove.
So how is it possible that I've never been infected?
Old 12-29-2011, 10:41 AM
 
Location: Matthews, NC
Quote:
Originally Posted by mensaguy
Both of these examples of [choose one: scareware, extortion-ware, highway robbery] will walk past most any antivirus program. Safe surfing habits will not stop them either. They install without user intervention, so nobody had to "allow" anything. In my searching, nobody has demonstrated exactly how or where these things come from, I have found no way to prevent them, and they are getting more and more difficult to remove.
I believe that this one may be prevented by using NoScript via Firefox. But the average user is not doing that, nor are they going to. I'm also curious to know if just Firefox or other browsers in general would prevent it. All the infections I have seen have been on IE because that is what we use at work (and that is what my wife uses).

Point is that this is not like the viruses where you have to download music, screensavers or naked pictures of tennis players to get it. I got infected myself one day while visiting my local newspaper's website on my work PC. I didn't download anything, just clicked on a link in the article and boom, I got popups telling me I was infected and to pay $50 to get rid of it.
Old 12-29-2011, 11:13 AM
 
Location: WV and Eastport, ME
Quote:
Originally Posted by EscapeCalifornia
So how is it possible that I've never been infected?
Very possibly you are just one very lucky person. Have you considered buying lottery tickets?

Quote:
Originally Posted by bs13690
I believe that this one may be prevented by using NoScript via Firefox. But the average user is not doing that, nor are they going to. I'm also curious to know if just Firefox or other browsers in general would prevent it. All the infections I have seen have been on IE because that is what we use at work (and that is what my wife uses).

Point is that this is not like the viruses where you have to download music, screensavers or naked pictures of tennis players to get it. I got infected myself one day while visiting my local newspaper's website on my work PC. I didn't download anything, just clicked on a link in the article and boom, I got popups telling me I was infected and to pay $50 to get rid of it.
I saw it install once while waiting for a page to load from a local government web site, so I, like you, have seen with my own eyes that random clicking on popups from porn sites is not necessary to get it.

I'll remember to make sure NoScript is in use the next time I see it.
Old 12-29-2011, 11:31 AM
 
Location: Victoria TX
For the inexperienced, the easiest first check is to look at your Task Manager, and see if anything is running with high usage.
(hold Control Alt Del at same time, and choose Task Manager).

Choose the Performance tab and look at the two graphs. If the top one holds a flat-topped max for more than a few seconds, there is a program running that you don't want. Click the Processes tab, check "Show processes from all users" at the bottom, and look under the CPU column for the program that is hogging all your memory. (If it's normal, the biggest user will be System Idle.) Just click on that process and then click Quit Process.

If the bottom graph is gradually rising higher and higher, to way above the middle of the chart, you have a memory leak, and all you need to do is close your browser and reopen it each time it runs high.

If you're lucky, this will pretty much solve your problem, or show you how to combat it.

Also, if your computer is running slow, run a speed test (speedtest.net) and see if you are getting the speed your provider is supposed to be sending. Sometimes they have slowdowns. Or, unplug and power down your high speed modem for a minute and plug it back in, sometimes it needs to be reset.

Last edited by jtur88; 12-29-2011 at 11:43 AM..
Old 12-29-2011, 05:05 PM
 
Nowadays most of this is coming in via the browser. FF w/ NoScript and Adblock Plus go a long way. I was seeing a lot of this coming in through Facebook. High-traffic areas are usually targeted, and sites like Facebook that code in a "suspicious" way allow openings for this. Using Sandboxie or another type of virtualization just on the browser can prevent damage. You want to lock down IE also, especially offline downloading etc., even if you don't use it. Adblock is going to help w/ the Flash-type injections.

There have also been big increases in sophisticated multi-prong attacks that go after exploits in server backends or other software. Once there, if you don't catch it they reinfect multiple accounts over and over, and end-user accounts as well; they even use hijacking on end users to keep the game going. Most of this seems to be from China and Russia.
Old 12-29-2011, 08:48 PM
 
Location: 10110001010110100
Quote:
Originally Posted by Skunk Workz
had XP Security 2012 walk past MSE on my dad's machine a few days ago. If the end user actually allows the app onto the machine there isn't much you can do about it.
Yep, as mentioned before, so-called extortion or ransomware-type infections do not act like a virus; they do not damage or replace any system files, so they literally slip past any AV scanner. Not even enterprise-level TrendMicro or Symantec catches them.

Quote:
Originally Posted by CDusr
Nowadays most of this is coming in via the browser. FF w/ NoScript and Adblock Plus go a long way. I was seeing a lot of this coming in through Facebook. High-traffic areas are usually targeted, and sites like Facebook that code in a "suspicious" way allow openings for this. Using Sandboxie or another type of virtualization just on the browser can prevent damage. You want to lock down IE also, especially offline downloading etc., even if you don't use it. Adblock is going to help w/ the Flash-type injections.

There have also been big increases in sophisticated multi-prong attacks that go after exploits in server backends or other software. Once there, if you don't catch it they reinfect multiple accounts over and over, and end-user accounts as well; they even use hijacking on end users to keep the game going. Most of this seems to be from China and Russia.
Yep, correctomundo! Prevention is the best way, and the key is, it has to be at the browser level. All the malware sites I used to infect the virtual systems connected to IPs in Russia, only a few in China. Chinese crackers seem to prefer Trojans over ransomware.

From a little research I have done, there are mainly two types of ransomware I have encountered:

1) Type A: A single executable that, when active, intercepts all system calls to open any of the executable file types it monitors (.exe, .com, .bat, etc.), immediately shuts it down, runs itself and pretends the file/program that was being launched was infected. This infection does create and modify some registry keys. The executable is active from the moment the system loads. Booting in Safe Mode and cleaning up all temp file directories along with the common location the executable typically copies itself to ("%userprofile%\Local Settings\Application Data"). In normal mode, the only way to take control is to forcefully terminate the executable, but since the user cannot even run any programs, Windows-based or 3rd party, it becomes a catch-22.

2) Type B: Once active, the ransomware simply changes file associations for most file types; then the executable itself is no longer running in the background. You actually will not notice this executable unless you try to open one of the file types it associates itself with. Even for an experienced user or IT pro, taking control and accessing the registry or running an executable to fix this would be quite challenging, to say the least. For a novice home user, I can only imagine the frustration. This fella only makes changes to the Windows registry. It has no startup entry points since it waits for an associated file type to be launched.

Both types also leave residue in the Temp locations, which needs to be emptied out. When they are active, cleaning up the system is pretty much impossible.

Anyhow, I wrote a batch script that seems to have had success with both types with no derogatory effects. I tested it both under a standard user profile and the Admin profile on a virtual machine, and it worked. I have to fine-tune it a bit more and also make it Win 7 compatible. Of course, it is impossible to predict how it would do with every system, but I believe it would be worth a shot.
For type A, the script looks in the common location for all executables, where normally there should be none. It lists the executables it finds. The user is prompted to enter the full file name (khq.exe); the included process killer kills the executable and then deletes it along with all common temp file locations and internet cache. The user at this point has full control of the system. Further scans and cleaning might be useful.
For type B, it cleans up all common temp file locations, which should take care of the malicious executable, but it also prompts for registry patching to correct file associations. Afterwards, the user has full system control, but further scans to clean and correct leftovers might be necessary.

If anyone is interested (it should be ready soon), I will create a thread at the other forum where I am a Mod so I can upload it and turn it into a sticky and share the link to it.

If anyone encountered another type please provide detailed info so I might do some research on that type as well.

Last edited by TurcoLoco; 12-29-2011 at 09:03 PM..
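The two posts above describe three manual checks: jtur88's "look at Task Manager for the process hogging the CPU", and TurcoLoco's two indicators (a bare executable sitting in the per-user Application Data root for type A, rewritten file associations for type B). The script below is an added example that is not TurcoLoco's batch script and not anything posted in this thread; it puts those three read-only checks into one PowerShell triage report. It assumes Windows PowerShell 3.0 or later (Get-FileHash needs 4.0), that %LOCALAPPDATA% is the Vista/7 equivalent of the XP path TurcoLoco names, and that the clean value of the exefile open command is `"%1" %*` with no per-user override under HKCU\Software\Classes. It changes nothing on the machine; it only lists what to look at.

```powershell
# Added example (not TurcoLoco's batch script): read-only triage for the
# symptoms described in this thread. Assumes Windows PowerShell 3.0+.

# --- jtur88's check: which processes are actually burning CPU right now? ---
# Get-Process exposes cumulative CPU seconds, so two snapshots a few seconds
# apart give a real utilisation figure instead of a lifetime total.
function Get-TopCpuProcesses {
    param([int]$SampleSeconds = 3, [int]$Top = 5)
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    Get-Process | ForEach-Object {
        $prev = $before[$_.Id]
        if ($null -ne $prev -and $null -ne $_.CPU) {
            $path = $null
            try { $path = $_.Path } catch { }      # protected processes refuse this
            [pscustomobject]@{
                Name   = $_.Name
                Id     = $_.Id
                CpuPct = [math]::Round(100 * ($_.CPU - $prev) / ($SampleSeconds * $cores), 1)
                Path   = $path                      # an odd path here is the lead to follow
            }
        }
    } | Sort-Object CpuPct -Descending | Select-Object -First $Top
}

# --- Type A: executables dropped directly into the per-user app-data root ---
# TurcoLoco names "%userprofile%\Local Settings\Application Data" (XP); on
# Vista/7 that folder is %LOCALAPPDATA% (assumption). Nothing legitimate
# normally sits as a bare .exe in that root, so any hit deserves a look.
function Get-AppDataRootExecutables {
    Get-ChildItem -Path $env:LOCALAPPDATA -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# --- Type B: hijacked .exe file association ---
# On a clean system the exefile open command is literally  "%1" %*  and there
# is no per-user override under HKCU\Software\Classes. That hive is writable
# without admin rights and shadows HKLM, so it is checked first.
function Test-ExeAssociation {
    $expected = '"%1" %*'
    $keys = @(
        'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            $status = if ($cmd -eq $expected) { 'OK' } else { 'SUSPICIOUS' }
            [pscustomobject]@{ Key = $key; Command = $cmd; Status = $status }
        }
    }
    # A per-user .exe ProgID is normally absent; its presence means something
    # re-pointed the .exe extension for this account only.
    $userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
    if (Test-Path $userExe) {
        [pscustomobject]@{
            Key     = $userExe
            Command = (Get-ItemProperty -Path $userExe).'(default)'
            Status  = 'SUSPICIOUS (per-user .exe ProgID present)'
        }
    }
}

# --- Run the three checks and print a report ---
Write-Output "== Top CPU consumers over a 3 s sample =="
Get-TopCpuProcesses | Format-Table -AutoSize

Write-Output "== Executables directly under $env:LOCALAPPDATA (expect none) =="
$hits = @(Get-AppDataRootExecutables)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { Write-Output "none" }

Write-Output "== .exe file association =="
Test-ExeAssociation | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; an elevated one only widens the process list in the first check. The point of the file hash in the second check is that a suspect binary can be looked up or handed to someone else without copying the file around, and the association check tells you which of TurcoLoco's two types you are most likely looking at before you start removing anything.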