Re: slowly-spreading, but very annoying problem

From: wojo (kwoyach53954_at_yahoo.com)
Date: 03/21/04


Date: Sun, 21 Mar 2004 14:17:33 GMT

Man that was an outstanding answer!
May take longer than reformatting but no data loss (hopefully).
Kudos

"cquirke (MVP Win9x)" <cquirkenews@nospam.mvps.org> wrote in message
news:937r50565ucp7hvshfdtdmjp9q8f0h1nde@4ax.com...
> On Sat, 20 Mar 2004 12:09:30 -0600, "Ken" <kmelrose@kc.rr.com> wrote:
>
>>Please Help!
>
> OK, let's make a deal: I'll help you (from here in security_admin) if
> you cut down the number of ngs you send this to :-)
>
> Only kidding - I'll help you anyway - but machine-gunning multiple
> newsgroups is Bad. You'd alienate some good frontals that way.
>
>>I am seeing what appears to be a slowly-spreading, but very annoying
>>problem. Over the past three weeks, I have had three separate groups of
>>people (including myself) describe a problem they're experiencing with their
>>Windows XP systems. There are several similarities in the symptoms being
>>reported.
>
>>All affected computers -
>
>>.are running Windows XP
>
> On FATxx or NTFS? Both can get shot to pieces by malware, but NTFS
> can pose obstacles in cleaning this up.
>
>>.have plenty of processor, memory and disk capacity
>>.have High-Speed cable network connection
>
> OK; a significant risk surface, that. Now I'm waiting to see the
> words "firewall" and/or "router" :-)
>
>>.have been running efficiently until now
>>.only one user can login, others cannot
>
> Is that by design, or an effect of the problem? Sounds like something
> needed system-wide is patched in only through the user startup axis or
> similar runpoints. Smells like commercial malware; something like a
> namespace extender a la NewDotNet.
>
>>.detected large number (230-12000) of spy ware related files
>
> OK. How did you manage these, and did things go sour before or after
> you whacked 'em? Hopefully you logged what was found and done, as you
> never know when you may need to "go manual" in cleaning up the mess.
>
> That's when a GoOgleable name is a Good Thing To Have.
>
>>.have NOT detected any viruses using Norton Anti Virus
>
> <shrug> Well, it's active, ergo it got past Norton. Why does it not
> surprise me that active malware missed by Norton can maintain "air
> superiority" and keep itself hidden from Norton thereafter? If NAV
> was still working OK, a new update could help it detect the malware.
>
> But the malware's active, so Norton may no longer be working OK.
>
>>.have had their TEMP directories cleaned and are now empty
>
> Interesting, that.
>
>>.are now protected with Anti Spy and Virus, and Firewall software
>
> "now", eh? Hmm.
>
>>.are STILL running poorly and experiencing the same problems
>
> Yup.
>
>>Can anyone offer any guidance (please) on how we can regain control and
>>performance over my computers?
>
> 0) Isolate the PCs from LAN and WAN
> - pull cables
> - wireless devices; [x] Disable in this profile (DeviceManager)
>
> 1) Do a formal virus check
> - run NO code off HD in the process
> - scan all files
> - first, look don't clean; save log
> - then read up what you find (www.f-secure.com/v-descs etc.)
> - then if no caveats, clean the malware
> - if can't clean, no caveats; rename away so reversibly inactive
> - www.f-prot.com, www.nod32.com, www.sophos.com for free tools
>
> Just because NTFS may make (1) difficult or impossible, makes it no
> less the bottom line here. Users don't get to pick only the easy,
> solvable problems; the problems pick you! If an NTFS victim, read up
> bootable CDRs such as Knoppix (Linux) or Bart's PE builder (XP) and
> start hunting for av that will run from these.
>
> 2) Manually clean up any residue; startup axis etc.
>
> 3) Informally scan and manage commercial malware
> - Ad-Aware, Spybot etc.; use more than one
> - keep logs, remember which order you ran them in
> - once again, read up on what you find
> - Spybot in particular may wave things best ignored
>
> 4) Apply risk management
> - decide what you don't need; wall it out
> - any file sharing over WAN
> - full shares of startup axis, including hidden admin shares
> - autorunning scripts in email "messages"
> - support for WSH, "remote desktop" etc.
> - only you know what's on this list
> - kill 'em all, but do so reversibly
> - also; close broken-code autorun holes via patches
> - decide what some ppl need; pwd-protect it
> - goes about user permissions, good pwds etc.
> - a poor substitute for the above, where above applies
> - what may be risked, evaluate
> - build user skills to make that evaluation
> - ensure system doesn't "do it for the user" automatically
> - ensure system offers required info, e.g. show extensions
> - what is risked, screen first
> - firewall as doorman of last resort
> - antivirus as goalkeeper of last resort
>
> 5) Purge hidden malware stashes
> - System Restore (if cabbed, may be undetectable)
> - email apps that hide attachments in mailboxes
>
> 6) When all systems clean, reconnect LAN
>
> 7) When all systems patched and 'walled, reconnect WAN
>
> 8) When (if ever?) you know wireless is secure, enable wireless
>
> Sorry such a generic answer, but it's a generically common problem!
>
>
>
>>-------------------- ----- ---- --- -- - - - -
> Running Windows-based av to kill active malware is like striking
> a match to see if what you are standing in is water or petrol.
>>-------------------- ----- ---- --- -- - - - -
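The "rename away so reversibly inactive" step in (1) and the "kill 'em all, but do so reversibly" advice in (4) both come down to the same discipline: disable the suspect thing without destroying it, and keep a log that lets you undo every change in order. The script below is an added example of that discipline (it is not code from the post or from any of the tools named in it). It quarantines a list of suspect files by renaming them with a suffix no loader will execute, writes a JSON journal after every rename so a crash mid-run still leaves a usable record, tolerates entries that have already vanished (scanner reports go stale), and restores everything from the journal. The suffix, the journal format and the three dummy file names in demo() are this example's own constructed choices.

```python
"""Reversible quarantine by renaming, with an undo journal.

Added example, not part of the original post. Assumes Python 3.8+ and a
filesystem where os.rename works in place; the suffix, journal layout and
sample file names are this example's own choices, not anything from the post.
"""
import json
import os
import tempfile
from pathlib import Path

# Assumed suffix: pick anything Windows (or your OS) has no handler for.
QUARANTINE_SUFFIX = ".quarantined"


def _write_journal(journal_path, journal):
    """Rewrite the journal in full; called after every action so a crash
    halfway through still leaves an accurate record on disk."""
    Path(journal_path).write_text(json.dumps(journal, indent=2))


def quarantine(paths, journal_path):
    """Rename each suspect file so nothing auto-runs it, logging every step.

    Returns the list of new (quarantined) paths. A path that no longer
    exists is logged as 'missing' and skipped instead of aborting the run.
    """
    journal = []
    renamed = []
    for p in map(Path, paths):
        if not p.exists():
            journal.append({"orig": str(p), "new": None, "status": "missing"})
            _write_journal(journal_path, journal)
            continue
        new = p.with_name(p.name + QUARANTINE_SUFFIX)
        os.rename(p, new)
        journal.append({"orig": str(p), "new": str(new), "status": "renamed"})
        _write_journal(journal_path, journal)
        renamed.append(new)
    return renamed


def restore(journal_path):
    """Undo every rename in the journal, newest first; return the count."""
    journal = json.loads(Path(journal_path).read_text())
    restored = 0
    for entry in reversed(journal):
        if entry["status"] != "renamed":
            continue
        os.rename(entry["new"], entry["orig"])
        restored += 1
    return restored


def demo():
    """Constructed sample: two dummy 'suspect' files plus one that is
    already gone, in a throwaway directory. Returns what was done so the
    caller (or a test) can check it rather than relying on printed output."""
    with tempfile.TemporaryDirectory() as d:
        suspects = [Path(d, n) for n in ("loader.exe", "hook.dll", "gone.dll")]
        for s in suspects[:2]:
            s.write_bytes(b"MZ dummy")          # fake executables, constructed
        journal = Path(d, "quarantine.json")
        renamed = quarantine(suspects, journal)
        after_quarantine = sorted(p.name for p in Path(d).iterdir())
        count = restore(journal)
        after_restore = sorted(p.name for p in Path(d).iterdir())
        return len(renamed), after_quarantine, count, after_restore


if __name__ == "__main__":
    print(demo())
```

Run it on the real suspect list only from a clean environment (a bootable CD, per step 1), never from the infected Windows install, and keep the journal off the machine being cleaned so the malware cannot tamper with it.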


