Poco Forums

[jayno]

Hi Eric, Tomas and all

It is only a few days since Eric concluded one of my topic threads in the Barca section (Empty Barca Folders) by giving me advice on general security. I wonder if we might start a 'Security' section on here that we can all contribute to and benefit from?

If this is of interest, I can start the ball rolling with reference to this very useful webpage I have come across, which has good advice on security layering - the topic that Eric raised with me:

http://www.dslreports.com/faq/8463

The issues Eric helped me sort out in relation to Barca 2.8 all began after I received a Trojan attack via a website I innocently opened in my browser. This was a "FakeAlert" Trojan. Not long before that I had been attacked by the dreaded "Virtumonde" Trojan. Last night, I experienced another such attack!! This time from the Win32 /Rootkit.agent.ODG Trojan - a very nasty item indeed.

I was surfing (using the latest version of Firefox) on the subject of email synchronisation (an old chestnut for Poco/Barca/MITG users!) and a site I clicked on was infected and things went wild immediately!

The Trojan disabled my ESET Smart Security (one of the best AV & firewall options around, which I had just upgraded to the latest version), took over the computers memory, and overrode all my anti-malware .exe files (including the wonderful Malware Bytes and the long respected Spybot S&D) so I couldn't go on the counter attack.

A very nasty experience, having just thoroughly cleaned the PC after my last problem, moved from XP sp2 to sp3 and installed all the latest Windows updates and security fixes, and downloaded the latest versions of my ESET, Browser and security software as mentioned above.

Fingers crossed, I have now got the latest Trojan killed off, but it has taken me 24 hours and I had to take the day off work to find a solution and go through all the procedures needed! I got rid of the Trojan by using a serious bit of software called "CombiFix" (see www. bleepingcomputer. com / combifix / how-to-use .. etc), plus Malware bytes, and HijackThis.

By searching help forums I found some of the 'bad' registry entries associated with this Trojan and I used HJT to 'fix' the one I could see in my registry.

The next problem was how to get the CombiFix .exe file dowloaded to my Desptop (you have to save it there with a changed name, or the Trojan 'sees' it and stops you)? I phoned a mate who works in IT. He downloaded it to his Desktop with the fake name "Notmalware" and used remote viewing of my PC to deposit it on my Desktop. Fortunately, I managed to open and run it from there, and CombiFix creates a 'restore point' before it does its work. You have to leave it completely alone to move through over 50 stages of analysis, deletions, resettings etc.

Once the Trojan was disabled and my various .exe files could be activated, I did a full scan with Malware Bytes and it presented me with a large number of the Trojan's infections for zapping.

All seems OK now, but I'm left feeling shaken and very disturbed that these Trojans have become so capable of disarming our well regarded security defences! I spoke with ESET and they said some of these Trojans revise themselves several times a day and keep attacking, so it is quite a challenge for AV companies to keep up with them, let alone get ahead and into a 'prevention' position.

I first switched to Firefox because everyone said Microsoft's Internet Explorer was vulnerable. I'm now going to start my learning curve on how to shore up Firefox's defences.

What's that "Sandboxie" thing you were trying to tell me about Eric?! It's more than a 'walk on the beach' I hope ... ('8)')

[Eric]

Hi John,

A very nasty experience, having just thoroughly cleaned the PC after my last problem, moved from XP sp2 to sp3 and installed all the latest Windows updates and security fixes, and downloaded the latest versions of my ESET, Browser and security software as mentioned above.

That's too bad.
100% protection can't be achieved, there's always something which may breach your security.
That's also why I chose a layered protection. Those malware writers don't stop for nothing. Each day new variants are found, so it's hard for those security companies to stay ahead of those threats.

Fingers crossed, I have now got the latest Trojan killed off, but it has taken me 24 hours and I had to take the day off work to find a solution and go through all the procedures needed! I got rid of the Trojan by using a serious bit of software called "CombiFix" (see www. bleepingcomputer. com / combifix / how-to-use .. etc), plus Malware bytes, and HijackThis.

By searching help forums I found some of the 'bad' registry entries associated with this Trojan and I used HJT to 'fix' the one I could see in my registry.

I know al those tools you mentioned, however it's not recommended to use it without advice from a spyware warrior.
Hijackthis can destroy someone's computer if used by someone who doesn't understand this tool.
That's also why I always post the links to hijackthis forums, so that person gets sound advice which tools to use, as well as instructions on how to remove those infections step by step. Their help is completely free, although you may donate, so they can keep providing their help.

Once the Trojan was disabled and my various .exe files could be activated, I did a full scan with Malware Bytes and it presented me with a large number of the Trojan's infections for zapping.

MalwareBytes is one of those tools which spyware warriors recommend for cleaning up your computer, however it's only one tool. Sometimes it's not enough to clean up everything and that's why they recommend some other tools, like combofix for example. It all depends on the infection you got

All seems OK now, but I'm left feeling shaken and very disturbed that these Trojans have become so capable of disarming our well regarded security defences! I spoke with ESET and they said some of these Trojans revise themselves several times a day and keep attacking, so it is quite a challenge for AV companies to keep up with them, let alone get ahead and into a 'prevention' position.

It does open your eyes on what's out there on the internet. Malware spreads like fire, so those companies providing protection have a hard time keeping up.

I first switched to Firefox because everyone said Microsoft's Internet Explorer was vulnerable. I'm now going to start my learning curve on how to shore up Firefox's defences.

All browsers are vulnerable, some more then others. I myself don't recommend using IE or IE clones.
Instead you can use Firefox (with the NoScript extension and AdBlock Plus) or Opera.
Activating scripts opens the way to malware, since they can execute within your browser. Once your browser gets infected, it spreads to your system.

What's that "Sandboxie" thing you were trying to tell me about Eric?! It's more than a 'walk on the beach' I hope ...

SandBoxie runs your browsers or other executables within a sandbox (virtual environment).
When malware gets in, it doesn't get out of this environment. Closing down your browser, elimates everything which got into your browser.

It does have a learning curve, although not that difficult and as you get along with it, you can add other restrictions (paid version).
There's also a forum to get assistance.

One thing I do love about this paid version, is that you can install it on as many computers that you own.
Besides that it's a lifetime license.

It's also one of those tools which are needed for me.
My kids do use my laptop too and they do play a lot of games.
Parental control is on, but on top of that the browser always runs SandBoxie.
In case something happens, no harm is done to my system.

Further more I don't only rely on this protection, since I work with snapshots, so I can go back anytime and remove the threat in a snap.
Next my imaging software which takes backups of everything on regular intervals.

Practice Safe Hex, stay safe.

[jayno]

Good to hear from Eric,

I've just been looking at Sandboxie. It looks very attractive, and it would be a good time to install it, as my PC is now showing completely clean on full scans from Malware Bytes, SUPERanti-spyware and ESET.

The only thing putting me off is its odd choice of language, and whether I will get confused and make errors trying to operate it!

e.g. Why call the procedure for allowing a file you want to permanently save to your system "Recovery"?!

Is there a simple auto-operating setup for beginners, or is that the wrong question?!

Jayno

[Eric]

e.g. Why call the procedure for allowing a file you want to permanently save to your system "Recovery"?!

That file only exists in your sandbox, so it needs to be recovered from it. You do have two choices, Quick Recovery which gives you the chance to recover the file when your browser was shut down or Immediate Recovery which pops-up a window as soon as the file is saved.

Is there a simple auto-operating setup for beginners, or is that the wrong question?!

It works out of the box, although you can set it the way you like it.

Not everyone has the same needs.
For me all is erased as soon as I close my browser. Files are saved to a predefined location. For others I do get the chance to recover them or not.

I don't have a problem with the language, since it's in Dutch, however the program settings are in English. I guess someone forgot to translate that too.

[robin]

All very sobering and quite rightly.

There was a tip that I got from the internet a while ago - sysinternals I think - to run your browser under a very limited user account that didn't let it do anything - if you downloaded a program it could not be run, not even if you launched an Explorer window from the download window. You had to explicitly find the file from a window not launched by the browser.

I'm not at the computer where it is installed at the moment, but I'll look it out when I get back.

Not sure about the separate section on security given that there are other well-supported sites out there - I just wonder if we might be duplicating what they already do without having the depth of knowledge to really do it justice?

[robin]

Found it - I use psexecfrom what was sysinternals.

The command line that I use is:

Code: Select all

"C:\Program Files\psexec.exe" -l -d "C:\Program Files\Mozilla Firefox\firefox.exe"

This causes Firefox to run as a limited user not administrator as most of us do (even though we know that we shouldn't).

[jayno]

Hi Robin

Just a quick message to acknowledge yours re psexec. Looks interesting, though a bit beyond my technical IQ level.

I'm now running Noscript on Firefox, which seems to do a good job at inhibiting webpages from doing anything I don't want them to do, plus I am finding surfing within Sandboxie a pretty effective safety layer.

Not spotted any other member comments re a Security section - have you?

Jayno

[ianw]

I use these programs in Vists x32 and W7 x64 7100.

Firefox
The next 3 are permanently ON - in my sys. tray.
SUPERantispyware
Trojan Hunter
ESET ESS (Firewall & AV)

Malwarebytes and
Spybot Search and Destroy in my Quick Launch bar to scan
when required.

All are updated EVERY day and I carefully set them up to achive maximum performance. I install them and other Utility software in another partition to prevent any possible problems, I have not had any. They are easy to defragment.

I also defrag them regulalrly.

Theres not much more to say apart from that I have no problems. A few times I had warnings that a website I was logging into had some sort of malware or virus's in it so I did not then go into those sites.