OT malware is getting worse

  • OT malware is getting worse

    Neighbor has the worst malware problem I have yet seen.

    Of course, he is using XP with no service packs, although he IS (was?) using Zonealarm and an anti-virus program.

    Apparently his IP suggested a program to fix a problem for him, and he says that the program infected the comp... maybe, maybe not.

    In any case, the malware pops up a message to go and get a particular program to fix the detected problem. He at least isn't silly enough to do that.

    It has also turned off Zonealarm, turned off the AV, and refuses to let any remotely common AV or antispyware program run.

    Zonealarm is represented by a red X in the tray, and the malware has added another X next to it as its link to whatever nasty stuff it wants to do.


    Keep eye on ball.
    Hashim Khan

  • #2
    I had a similar problem a while back and these folks here walked me through it and helped me get rid of it for free. They do accept donations.
    "The men the American people admire most extravagantly are the greatest liars; the men they detest most violently are those who try to tell them the truth." H. L. Mencken

    "All truth passes through three stages. First, it is ridiculed, second it is violently opposed, and third, it is accepted as self-evident."

    "When fear rules, reason and logic are ruled out."


    • #3
      Change extension

      Hi JT
      Look up program in "Add or Delete Program" then change extension in order to be able to delete it. If extension is not changed you won't be able to delete it. This worked for me before.


      • #4
        Add or delete WHAT?

        You didn't suppose the malware was going to look like MS Works or "Mavis Beacon Typing Tutor" in the "all programs" display, did you?

        Obviously it came IN with the alleged program, but does not DELETE with it.....

        Keep eye on ball.
        Hashim Khan


        • #5
          Find the name of it.. so we can warn our friends.

          The last one that bad I saw was the CIH (Chernobyl virus) back in 2002. It would eat a virus scanner and flash your BIOS on the 28th of any month. Back then I used everything to try and get rid of it. One program would load up and kill it... Norton, the one and only POS, but it did work.

          My brand new laptop came with Norton for 60 days; after that I'm dumping it.


          • #6
            These discussions always get my broken record spinning - nothing takes the heartbreak out of running Windows like running Windows in a virtual machine. Even when Windows is the host the VM runs in.

            When a VM becomes infected (and it will) you just delete it and replace it with a fresh copy from a DVD or set of CDs, complete with all your applications already installed and ready to go. In fact that is the only role the host OS has - to replace and run the VM. Because you never actually use the host it can never become infected.

            You need only be sure you don't store your data in the virtual machine hard drive without backing it up to the host - you can copy your vm "My Documents" folder to your host system by dragging and dropping, or by sharing your host's folders to your vm. We're talking about 30 minutes recovery time for a full recovery - far less than it takes to dl yet another AV/Malware tool and install it, and by deleting and replacing the VM you delete the viruses with it.

            The software that runs the VM is free. How you get a Windows virtual machine to run is as simple as asking a Mac owner to make one from your installation DVD or CD.


            • #7
              'Tain't my problem, it's my neighbor's.

              I have to place SOME blame on him for running XP no service packs, and possibly not having all the AV running. And, not updating Zonealarm for a recent vulnerability, etc, etc, etc.

              While I don't think SP2 is that much better, some programs require it, and AFAIK nothing refuses to run if it is in place.........

              Anywho, I gave him a CD with every freeware AV and anti-spy program I know of on it. Something has to work, or he will have to re-install.

              And that may not even do it, I understand some malware hides very well in "unused" or "marked bad" areas of the disk.

              I think this one may be actually "Blackmail-ware"... the kind that installs malware, and then requires a specific pay-for program to remove it. Naturally, your CC is probably "collected and re-used" when you DO "pay-for".


              Keep eye on ball.
              Hashim Khan


              • #8
                Malware cleanup

                Most malware nowadays travels in the form of "bots" looking for vulnerable machines. No SP1, no post-SP1 hotfixes, no SP2, no post-SP2 hotfixes etc.... that's a HUGE number of vulnerabilities your neighbor has chosen to live with. Security is about doing all the right things (not just some) and hoping for the best. Just using a firewall is one piece. It's not a substitute for plugging the list of holes that get fixed nearly every month. He needs to have automatic updates turned on. Without it, running a firewall is like locking the doors when you leave home, but leaving all the windows open.

                In our experience, once a machine is hacked, usually the first piece of many that the bot installs is a rootkit used to hide the other stuff installed from the user logged in at the console. We usually then remotely map to the c$ share on an infected machine so that Virus detection etc. can find stuff that it would miss if run on the local machine (due to the rootkit damage done).

                One other trick is to go get the malware removal tool released monthly from MS. Running it will touch nearly every file and often "touching" those files will allow your virus detection (if updated) to see a payload in a file that may otherwise lie dormant until the next reboot, at which time registry keys that were added will make use of it. Don't reboot until you are done with some cleanup.

                Once infected it's pretty much impossible to know you found everything they did under the cover of a rootkit. The most common things are that an FTP server or remote control service will get installed on some odd TCP port number, and a port scanner would let you find odd open ports. You then have to figure out what service is running that accounts for it. They occasionally name things poorly enough in the service names or in the "comments" in the services applet that you can easily find it--sometimes in broken English. Sometimes even names of legitimate services that were otherwise disabled are used to hide the FTP server and others they are running. You might have the "indexing service" disabled, for example, and they name their malware item "indexing service" in hopes that it will get overlooked. You pull up properties on each service and look at the path to the executable and compare to a clean machine, and it points to something other than the executable that is the indexing service on the good machine. Again, however, this is usually hidden from the console user so you have to use the "services" applet on another computer and point it to that one.

                Good luck
                Paul Carpenter
                Mapleton, IL
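As an added example (not the poster's own tooling) of the comparison Paul describes, the script below parses `sc qc` output from a clean machine and from the suspect machine and flags services whose binary path changed, disabled services that are now set to start, and new services that borrow a legitimate display name or live outside the system directories. The service names, paths and `sc` output are constructed for the example; on a real case you would collect them from a second computer with `sc \\SUSPECT query` and `sc \\SUSPECT qc <name>`, as the post recommends, so that a rootkit on the suspect box cannot hide entries from the tool.

```python
r"""Compare a suspect Windows box's services against a known-clean one.

Added example; not the poster's tooling. Input is the text `sc qc <name>`
prints for each service, collected remotely (`sc \\SUSPECT qc <name>`).
Every name and path below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Service:
    name: str      # SERVICE_NAME
    display: str   # DISPLAY_NAME
    binary: str    # BINARY_PATH_NAME as printed, quotes and arguments included
    start: str     # last word of START_TYPE: AUTO_START, DEMAND_START, DISABLED

def parse_sc_qc(text: str) -> List[Service]:
    """Parse one or more concatenated `sc qc` outputs into Service records."""
    services = []
    for block in text.split("SERVICE_NAME:")[1:]:
        lines = block.strip().splitlines()
        fields = {}
        for line in lines[1:]:
            key, sep, value = line.partition(":")   # the first colon ends the key
            if sep:
                fields[key.strip()] = value.strip()
        start = fields.get("START_TYPE", "").split()
        services.append(Service(lines[0].strip(), fields.get("DISPLAY_NAME", ""),
                                fields.get("BINARY_PATH_NAME", ""),
                                start[-1] if start else "UNKNOWN"))
    return services

def exe_path(binary: str) -> str:
    """Strip quotes and arguments from BINARY_PATH_NAME and normalise it for comparison."""
    b = binary.strip()
    if b.startswith('"'):
        b = b[1:b.find('"', 1)]
    else:
        i = b.lower().find(".exe")
        b = b[:i + 4] if i != -1 else (b.split() or [""])[0]
    return b.lower().replace("\\", "/")

SYSTEM_DIRS = ("c:/windows/", "c:/program files/")   # assumed install drive

def compare(baseline: List[Service], suspect: List[Service]) -> List[Tuple[str, str, str]]:
    """Return (severity, service name, reason) for each difference worth a look."""
    by_name = {s.name.lower(): s for s in baseline}
    by_display = {s.display.lower(): s.name for s in baseline}
    findings = []
    for s in suspect:
        ref = by_name.get(s.name.lower())
        if ref is None:
            reasons = ["not on clean machine"]
            if s.display.lower() in by_display:          # the "Indexing Service" trick
                reasons.append(f"display name copies {by_display[s.display.lower()]}")
            if not exe_path(s.binary).startswith(SYSTEM_DIRS):
                reasons.append("binary outside system directories")
            findings.append(("HIGH" if len(reasons) > 1 else "MEDIUM", s.name, "; ".join(reasons)))
            continue
        if exe_path(s.binary) != exe_path(ref.binary):
            findings.append(("HIGH", s.name, f"binary changed: {ref.binary} -> {s.binary}"))
        if ref.start == "DISABLED" and s.start != "DISABLED":
            findings.append(("MEDIUM", s.name, f"re-enabled: DISABLED -> {s.start}"))
    for name in sorted(by_name.keys() - {s.name.lower() for s in suspect}):
        findings.append(("LOW", name, "missing on suspect (removed, or hidden from the query)"))
    return findings

# Constructed `sc qc` output from a clean XP machine (hypothetical).
CLEAN_SC = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: cisvc
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\WINDOWS\system32\cisvc.exe
        DISPLAY_NAME       : Indexing Service
SERVICE_NAME: wuauserv
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Automatic Updates
"""

# Constructed output from the suspect machine: the disabled Indexing Service now
# points at a different binary, and a new service borrows a familiar display name.
SUSPECT_SC = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: cisvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\wbem\cisvc.exe
        DISPLAY_NAME       : Indexing Service
SERVICE_NAME: wuauserv
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Automatic Updates
SERVICE_NAME: wupdsvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Documents and Settings\Owner\Local Settings\Temp\svch0st.exe" -s
        DISPLAY_NAME       : Automatic Updates
"""

def run_example() -> List[Tuple[str, str, str]]:
    """Diff the two constructed service lists; returns three findings."""
    return compare(parse_sc_qc(CLEAN_SC), parse_sc_qc(SUSPECT_SC))

if __name__ == "__main__":
    for severity, name, reason in run_example():
        print(f"{severity:6} {name:10} {reason}")
```

The baseline should come from a machine with the same Windows version and service pack, or every legitimate difference between builds shows up as a finding; a disabled service that suddenly points at a different `.exe` is the pattern the post describes and is the one to chase first.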


                • #9
                  With only a very few exceptions a firewall does nothing to protect your machine against client level malware. That isn't the purpose of a firewall. The primary job of a firewall is to monitor traffic to see where it is coming from and why. In general, unless you are running a server of some sort there is no reason for a connection to be initiated from the outside. Note that various forms of chat software, webcam software, inet phone software et al may contain a server function as well as some gaming software. The firewall inspects data packets to see why they exist, not what they contain. The default condition for nearly any firewall is to not allow connections to be started from outside the machine. This has virtually nothing to do with stopping a virus with the exception of a few items such as the Code Red worm or the Blaster worm. Viruses sail right through the best firewalls because identifying and stopping them is not a firewall's job.

                  The great majority of viruses/spyware/malware/scamware depend on the user to do something in order to install the malware. They generally use "social engineering" to trick the user into activating the virus. This is far easier for the hackers than trying to find and exploit a vulnerability that allows for fully remote compromise of a machine. It means that if your machine has a virus it is most likely because you did something to help it.

                  You might try SuperAntiSpyware. I have used it in the past and it seems pretty effective.

                  Free software for calculating bolt circles and similar: Click Here


                  • #10
                    A good firewall can prevent interior systems from connecting on well-known and dangerous ports. In a well managed environment there is little if any reason for an interior system to connect to any exterior system on port 25 (smtp) except for those addresses provided by the ISP. This prevents the system from becoming a spam broadcaster and is simple to do. Same goes for ports 20, 21, 22, 23, and a number of others (IRC ports are evil). Shut them down (for outgoing connections) and your system becomes useless for the attacker's purposes.

                    A good firewall will also act as a proxy for many inbound and outbound connections and can actually use real-time AV software to check incoming data. See

                    A really good firewall will inspect all outgoing mail to be sure it is virus and spam-free. Nowhere near enough businesses check their outgoing mail for viruses which of course means I have to check it on inbound. All the servers I run also check outbound and alla y'all who don't get spam and viruses from my systems are welcome

                    All it requires is a decent dual-core PC running Solaris 10 or Linux of some flavor and some free software.
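The egress policy in the post, written out as an added example (not the poster's own gateway configuration): outbound SMTP only to the ISP's relay, FTP, SSH, telnet and IRC refused, everything else allowed. The policy is applied to a constructed log of outbound connections to show which flows from a spam bot or an IRC-controlled machine would have been refused, and the same policy is rendered as iptables rules for a Linux gateway. The relay address 203.0.113.25, the interface name eth1 and the log lines are all assumptions.

```python
"""Egress policy from the post as an added example: SMTP only to the ISP relay,
FTP/SSH/telnet/IRC refused outbound, everything else allowed. Addresses,
interface name and log lines are hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

ISP_MAIL_RELAYS = {ipaddress.ip_address("203.0.113.25")}   # assumed ISP relay (RFC 5737 range)

# Ports the post says an interior workstation has no business reaching outbound.
BLOCKED_PORTS: Dict[int, str] = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet",
    **{p: "irc" for p in range(6660, 6670)}, 7000: "irc",
}

class Verdict(NamedTuple):
    allowed: bool
    reason: str

def egress_verdict(dst_ip: str, dst_port: int) -> Verdict:
    """Decide whether an outbound TCP connection from the LAN is permitted."""
    if dst_port == 25:
        if ipaddress.ip_address(dst_ip) in ISP_MAIL_RELAYS:
            return Verdict(True, "smtp to ISP relay")
        return Verdict(False, "smtp to non-ISP host (spam bot?)")
    if dst_port in BLOCKED_PORTS:
        return Verdict(False, f"{BLOCKED_PORTS[dst_port]} (port {dst_port}) refused outbound")
    return Verdict(True, "default allow")

# Constructed outbound-connection log, one flow per line (not real traffic).
FLOW_LOG = """\
2007-03-12 09:14:02 TCP 192.168.1.23:1042 -> 203.0.113.25:25
2007-03-12 09:14:05 TCP 192.168.1.23:1043 -> 198.51.100.7:25
2007-03-12 09:14:05 TCP 192.168.1.23:1044 -> 198.51.100.8:25
2007-03-12 09:14:09 TCP 192.168.1.23:1045 -> 198.51.100.9:6667
2007-03-12 09:14:11 TCP 192.168.1.23:1046 -> 192.0.2.80:80
2007-03-12 09:14:30 TCP 192.168.1.23:1047 -> 192.0.2.21:21
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def blocked_flows(log: str) -> List[str]:
    """Return one line per flow the policy would have refused, with the reason."""
    out = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # not a flow record
        v = egress_verdict(m["dst"], int(m["dport"]))
        if not v.allowed:
            out.append(f"{m['ts']} {m['src']} -> {m['dst']}:{m['dport']}  {v.reason}")
    return out

def _port_spec(ports) -> str:
    """Collapse a port set into iptables multiport syntax, e.g. 20:23,6660:6669,7000."""
    ps = sorted(ports)
    spec, start, prev = [], ps[0], ps[0]
    for p in ps[1:] + [None]:
        if p is not None and p == prev + 1:
            prev = p
            continue
        spec.append(str(start) if start == prev else f"{start}:{prev}")
        if p is not None:
            start = prev = p
    return ",".join(spec)

def iptables_rules(lan_if: str = "eth1") -> List[str]:
    """Render the policy as FORWARD rules for a Linux gateway; lan_if is the assumed LAN side."""
    rules = [f"iptables -A FORWARD -i {lan_if} -p tcp -d {ip} --dport 25 -j ACCEPT"
             for ip in sorted(str(r) for r in ISP_MAIL_RELAYS)]
    rules += [
        f'iptables -A FORWARD -i {lan_if} -p tcp --dport 25 -j LOG --log-prefix "egress-smtp "',
        f"iptables -A FORWARD -i {lan_if} -p tcp --dport 25 -j REJECT --reject-with tcp-reset",
        f"iptables -A FORWARD -i {lan_if} -p tcp -m multiport --dports {_port_spec(BLOCKED_PORTS)}"
        " -j REJECT --reject-with tcp-reset",
    ]
    return rules

if __name__ == "__main__":
    print("\n".join(blocked_flows(FLOW_LOG)))
    print("\n".join(iptables_rules()))
```

The LOG rule before the REJECT is what makes the policy useful as detection: a workstation that trips the SMTP rule dozens of times a minute is the spam bot the post describes, and the log line names it.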


                    • #11
                      A really good firewall will inspect all outgoing mail to be sure it is virus and spam-free.
                      That isn't a firewall function within the original meaning of the term. "Firewalls" are turning into security suites instead of just a firewall. The problem is that many firewalls available including the one built in to Windows XP are just firewalls. Expecting them to prevent a virus or spyware riding in on legit data is a misplaced hope based on an incomplete understanding of what a firewall should do. The firewall included with XP serves just fine as a firewall and is all you need for the firewall function. To detect malware requires different functionality which may or may not be included in a firewall package. For a software vendor to describe a product as a firewall even though it doesn't contain virus checking or other malware prevention features is perfectly honest and consistent with the definition of firewall.
                      Free software for calculating bolt circles and similar: Click Here


                      • #12
                        1) Many "firewalls" are pretty meaningless.

                        however, Zonealarm does TWO things, both within the basic firewall "definition".

                        a) it closes all open ports except ones you WANT open. That means that remote attempts to access via an open port will fail, there will appear to be no machine present.

                        b) it also closes off OUTGOING traffic except from authorized apps. Obviously this is not "as" effective, since in order to use the 'net, some form of browser is needed, and it must be open for receive and send. To "hide", malware need only use the services of an authorized program such as a browser. However, that is almost unavoidable.

                        None of the above will help when the user, as apparently occurred in this case, actually downloads and installs a program which is either carrying malware, or is pretending to be "goodware".

                        As far as "automatic updates", MS versions of that can be dangerous. I have personally seen "security updates" make certain programs unusable, turn off services, etc. The default seems to be "turn it off" before figuring out how to actually FIX the problem.

                        I don't recall the details, it was at the last job, and the IT people were pretty hot about the user in question (not me) having activated updates. But I DO recall that it messed up some programs as well as system access, and they had to work on his machine for some time.

                        Keep eye on ball.
                        Hashim Khan


                        • #13
                          Originally posted by J Tiers
                          1) I don't recall the details, it was at the last job, and the IT people were pretty hot about the user in question (not me) having activated updates. But I DO recall that it messed up some programs as well as system access, and they had to work on his machine for some time.
                          Poor IT people I'm afraid, if they didn't want him to do that it is within the capability of any decent IT department to produce a Windows build with any chosen functionality denied to the user, most are too lazy or not competent enough to do it though.


                          • #14
                            ...is within the capability of any decent IT department to produce a Windows build with any chosen functionality denied to the user...
                            Yep. You could do it even with Win 98, NT is a snap. People lose sight of the fact that a machine supplied by an employer is a tool to do a job and how it works is entirely up to the employer. We had laptops when I worked for Xerox and they soon adopted a policy of total standardization of the software suite on the machine. This was done by issuing updates as "golden images" on a CD that replaced the entire disk image with a new one by ghosting the C drive. Any data that needed to be persistent was first burned on a CD by a script and that most definitely didn't include anything that wasn't part of the approved install package. If you didn't update your machine it soon became out of sync with the online systems it had to communicate with and you couldn't do your job. When they implemented that system there was a lot of grumbling but they pointed out that they supplied the computer and keeping it working their way was a condition of employment.
                            Free software for calculating bolt circles and similar: Click Here


                            • #15
                              Originally posted by Evan
                              That isn't a firewall function within the original meaning of the term. "Firewalls" are turning into security suites instead of just a firewall.
                              Evan, firewalls are my livelihood and have been for years (well, before I retired a few weeks ago) so trust me when I tell you, firewalls do so very much more than what you describe and even what I have described so far. They have always been "suites". An interesting early implementation being the "Firewall Tool Kit". We now have streams based stateful inspection packet sniffers and marvelous opensource tools like "Snort" to examine content in real time and compare it against databased patterns, full intrusion detection tools, malware detection in real time, behavior analysis, data mining... A very large list. These and more are what people I deal with expect from their firewalls. The term firewall defines a boundary, not an implementation.

                              What constituted a firewall 20 years ago when I first started working with them has grown into what we have today. It would be odd to cling to an early definition of a term that actually began as jargon and nobody in the trade considers describing modern firewalls to be anything but more complete firewalls. Clearly the field has grown by necessity, but the objective of today's very complex firewalls remains what it was when the Internet went public - keep the bad guys out, detect them if they get in, fix the hole.

                              But to put things in context, I'm talking about real firewalls, not the kinds of things an end user is likely to install on their Windows box. Not that there's anything about the systems I work on that cannot be put in place in the home. I have one and I'm building one for a friend in Hawaii who was recently hacked (on a Mac of all things).

                              The notion of having a firewall on the end-user's system is in itself a bit optimistic. They really need to be stand-alone systems as the name implies - between the user and the world. To a degree many cable and DSL modems provide simple firewall features, but the CPUs on those things haven't the power to deal with much of a threat, and you'll read many support websites where people complain their modems restart constantly.