
Malware Warfare


I.M.O.G.

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
"Malware Warfare - A Step-By-Step Infantry Training Camp"

Something I whipped up in a couple hours this weekend, those of you who contributed to it considerably will know who you are, and I thank you. :)

The only addition I would like to make to the article is that adaware has a vx2 plugin now also, so if you find you are infected with this specific malware, you should download this plugin and use it also.

Feel free to comment or discuss. :)
 

Nunyas

New Member
Joined
Jul 7, 2004
Although I do agree that it is a good article over all, I disagree with one point:

Keep in mind that switching from IE to Firefox is a functional solution, but it's a lot like putting a bandaid on a bullet wound - it's not fixing the problem, it's just covering it up.

A functional solution like switching to Netscape, Mozilla, Mozilla Firefox, Opera, or whatever non-IE browser you wish to name from IE is more like going from being the target on the firing line to standing on the side lines. You are relatively safe from the shooters while you are on the side lines until they turn towards you.

The bandaid on a bullet wound is more like MS's solution to the download.ject virus/malware problem. They just slapped a bandage on their wound that'll get ripped off and leave you exposed again when you apply the "super security enhancer" Service Pack 2 to Windows XP, unless you reapply the bandage again afterwards naturally. :)

Granted the problem is still there (in this case it's IE and ActiveX), but if your primary browser is not the problem then the likelihood of your problem becoming a bullet wound is lower. It is still important to stay on top of all those security patches and virus scans, etc. That includes your non-IE browser too, because you never know when those shooters will turn on you. :)
 

matttheniceguy

Member
Joined
Apr 1, 2004
Location
Vancouver Canada
VERY well written.

I have battled with the BEAST far too many times, and more often than not they have messed their computer up so badly I just go straight for the reformat. Maybe next time I will try your steps before I go for that XP disk.

"A window came up and said my pc was running too slow, but I clicked on the thing to fix it and make it faster" :bang head

"A window came up and told me I had a security leak and was broadcasting my IP address, so I installed their fix" :bang head

"I installed some thing to get access to all their free porn" :bang head
 
I.M.O.G. (OP)

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
matttheniceguy said:
VERY well written.

I have battled with the BEAST far too many times, and more often than not they have messed their computer up so badly I just go straight for the reformat. Maybe next time I will try your steps before I go for that XP disk.

"A window came up and said my pc was running too slow, but I clicked on the thing to fix it and make it faster" :bang head

"A window came up and told me I had a security leak and was broadcasting my IP address, so I installed their fix" :bang head

"I installed some thing to get access to all their free porn" :bang head

Heh, I've come across two out of three of those... I can't wait till I come across the third... At least that person understands what they are trying to do - the others are completely clueless! :)
 

Stedeman

The Half Asleep Member
Joined
Aug 29, 2002
Location
Lewiston Maine
[RANT!] People who do not want to invest the time "or" listen when someone tells them about this stuff deserve to get it. [/RANT!]
With that sputtered out, I have to thank this crap, for keeping me up to date on cleaning up systems. The last time I hooked a friend up with a system cleaning they hooked me up with $40 :) so it's not a total waste I guess.
 

hkgonra

Member
Joined
Aug 16, 2001
Location
West TN.
I can't say I learned a ton with this article, although I did learn a little. However, I still LOVED this article !!!! I sent copies of it to all the people who send me their PCs to be tuned up. They always wonder what I do to fix it. This article was a well-written, detailed explanation of exactly what I do. Thanks for investing so much time to write this all out.
 

Kendan

Senior Punk
Joined
Aug 27, 2001
Location
Dark side of hell
Nunyas said:
Although I do agree that it is a good article over all, I disagree with one point:



A functional solution like switching to Netscape, Mozilla, Mozilla Firefox, Opera, or whatever non-IE browser you wish to name from IE is more like going from being the target on the firing line to standing on the side lines. You are relatively safe from the shooters while you are on the side lines until they turn towards you.

The bandaid on a bullet wound is more like MS's solution to the download.ject virus/malware problem. They just slapped a bandage on their wound that'll get ripped off and leave you exposed again when you apply the "super security enhancer" Service Pack 2 to Windows XP, unless you reapply the bandage again afterwards naturally. :)

Granted the problem is still there (in this case it's IE and ActiveX), but if your primary browser is not the problem then the likelihood of your problem becoming a bullet wound is lower. It is still important to stay on top of all those security patches and virus scans, etc. That includes your non-IE browser too, because you never know when those shooters will turn on you. :)

Hmm, maybe you just don't realise that the browser is not the only way that spyware/malware finds its way into a system. And I also wonder why SpywareBlaster also protects Firefox. So the problem is actually more than just IE and ActiveX, but you recommended staying on top of security updates, patches and virus definitions, so you must know that already ;)
 
I.M.O.G. (OP)

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
I guess a couple people who read the article ended up contacting DeepFreeze and told them that they heard of their application from my article.

I got an email last week from the Faronics Account Manager Corp/Gov. division. She wanted to know how I heard about them and other information. Once I mentioned that I'm in Sherwin-Williams IT she got a little more interested. :D

From what I've mentioned so far, SW isn't too interested in trying it - but that's mostly because of a previous trial at creating users as power user accounts, and an increased load on the call center as an effect. We actually get fewer problems from letting everyone run as admin. :rolleyes:

So it seems there is what I consider to be a misconception that running as power user and running DeepFreeze is in some way similar. Of course, they both do limit user rights, but DF does so while eliminating all software issues, so the only calls we would get would be hardware, network, or calls for tokens in order to unfreeze a workstation so that XX could be installed.

In the mean time, we'd stop everyone from doing all the crap they shouldn't be doing.
 

FizzledFiend

Member
Joined
Jun 18, 2001
Location
Winston Salem NC
Stupid question.. I ain't no super duper uber geek, but I do get systems to clean up.. my biggest hang-up was safe mode with access to the net... how's this done?
 

Nunyas

New Member
Joined
Jul 7, 2004
Well... on NT-based machines, including Windows XP, when you 'F8' to get the boot-up options you should see a choice to boot up with "net access" or something very similar to that wording. I know it's there on my Windows XP Pro machine... However, I can't remember exactly whether or not the option is there for Home Edition. I think it is, but I just can't say with 100% certainty.
 
I.M.O.G. (OP)

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
Welcome to the forums Nunyas, and thanks for the great input! :)

Win95&98 did not have the safe mode with networking option I believe. I am not certain on W2K, though I think it has it. I am fairly certain that XPhome has safe mode with networking also.
 
I.M.O.G. (OP)

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
Thanks for the appreciation - knowing some people found it useful is what makes it worthwhile. I appreciate all of the emails and messages people have sent. :)
 

JohnDoemakt

Member
Joined
Apr 7, 2002
Location
Norway, the red house, under the bed
Tired of users that won't run AAW and other anti-spyware programs?
Then at least make it harder for them to get infected:

(I found this on the JSI FAQ, which is a great source for WinNT problem solving and improving. Thanks JSI)

3807 » How do I prevent the applications in the Registry RUN key from starting?


If you enable the Disable legacy run list Group Policy at User Configuration\Administrative Templates\System\Logon/Logoff or Computer Configuration\Administrative Templates\System\Logon/Logoff, the applications in the Registry RUN key, at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run, will not run when a user logs on.

If the policy is Not configured, you can implement it by setting the DisableLocalMachineRun value name, a REG_DWORD data type, to 1 at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.

3808 » How do I prevent the applications in the Registry RunOnce key from starting?


When a user logs on, the programs and documents in the run-once list are run just once, but never again. These entries are generally configured by installation routines.

To prevent the entries in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce key and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce from starting, enable the Disable the run once list Group Policy at Computer Configuration\Administrative Templates\System or User Configuration\Administrative Templates\System.

If the policy is Not configured, you can implement it by setting the DisableLocalMachineRunOnce value name, a REG_DWORD data type, to 1, at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.

Combine this with a batch file that deletes everything in the "Startup" folder (or deny access to it if you are using NTFS) and a logon script that runs everything that originally was in "RUN" and "Startup".

Quick and dirty, but could help in some cases.

EDIT: Forgot to say "great article".
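The two JSI items above give the registry locations but no script; the following PowerShell is an added example (not from the JSI FAQ or the post) that first inventories what currently autostarts from the Run and RunOnce keys, so the logon script the post suggests can re-launch the entries you actually want and anything unfamiliar can be reviewed first, and then applies the two policy values and reads them back. It assumes Windows PowerShell 5.1 or later and an elevated session for the HKLM branch; the HKCU branch needs no elevation. The CSV path under the user profile is a constructed choice, not anything from the page.

```powershell
# Added example: audit Run/RunOnce autostart entries, then apply the
# DisableLocalMachineRun / DisableLocalMachineRunOnce policy values.
# Assumes PowerShell 5.1+; run elevated to write the HKLM policy key.

# Autostart locations named in the JSI items quoted above.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Record what currently autostarts. Review this before the policy hides
#    it: a value you do not recognise is worth checking, and the entries you
#    do want become the input for the logon script the post describes.
$inventory = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that
            # Get-ItemProperty adds to every object.
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
$inventory | Format-Table -AutoSize
# Constructed output path; change to suit your environment.
$inventory | Export-Csv -Path "$env:USERPROFILE\autostart-inventory.csv" -NoTypeInformation

# 2. Apply the policy values in both hives. As the JSI text notes, these
#    registry values only take effect when the matching Group Policy is
#    "Not configured"; a configured GPO wins.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DisableLocalMachineRun'     -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'DisableLocalMachineRunOnce' -Value 1 -Type DWord
}

# 3. Read the values back so the change is verified and can be reused as a
#    quick compliance check on other machines.
foreach ($key in $policyKeys) {
    Get-ItemProperty -Path $key -Name DisableLocalMachineRun, DisableLocalMachineRunOnce |
        Select-Object @{ n = 'Key'; e = { $key } }, DisableLocalMachineRun, DisableLocalMachineRunOnce
}
```

Keep the exported inventory with the machine's other build notes: when a user reports that something "stopped starting", it tells you immediately whether the policy is the cause, and step 1 is also the list to diff against on a later visit to see what has been added to the Run keys since.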
 

Imperial

Disabled
Joined
Jul 13, 2004
I recently had some on my computer. Via Ad-Aware & Spybot I think it's all gone. Is there more to malware than I suspect?
 
I.M.O.G. (OP)

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
Yes. If you notice it's there you've got big problems. Many things will infect your system while remaining under your radar.

Malware is just as bad as Virii. But depending on how you take care of your own system, hopefully following that guide to the T isn't necessary - it is what you should do with a system that has never had any maintenance performed on it, or that has some serious malware problems.
 

hrdwrjnkie

Member
Joined
Jan 25, 2003
Location
Middle of Nowhere and getting lost fast!
As a computer consultant, I agree with IMOG on the value of DeepFreeze. I have several clients that I have installed the system on, and it works beautifully.

Some customers will balk at the idea of $25 per workstation for it, as well as the need to set up some sort of network storage, but after two or three service calls to do a good cleaning or an OS reinstall, they reconsider quickly.

This is one of the most underrated and underpublicized programs on the net. As a matter of fact, I use it on the three comps in my home network, with all storage taking place on my server. Works beautifully.

Oh, and great article IMOG. Malware is fast becoming the number one cause for tech support and onsite service in my market.

IMOG said:
The user is a callous, abominable beast. Many PC support methods are terribly inefficient, but hell, they keep a lot of people employed... for now.

I couldn't agree more. :D :beer: