Was surfing yesterday in search of pics of the Russian and Chinese stealth fighters. Found the known old pics only, investiogated some sites nevertheless. Then left the house for some time. After coming back home and booting ther system, I was greeted by an error message that some sys32/rundll32.exe worked incorrect and that an entry FQ10 was missing.

Googling told me that this was an indication for a trojan infection. Further scanning showed that it was the jackpot: Spyware.Zeus and Trojan.Ransom.Gen. The latter is said that you can handle it if you discover it soon and get rid of it before it starts to really spread around. But Zeus is something different, andf they say even the latest definitions for malware and virus scanner detect it only with a probability of 23%.

Avira Security Suite rang no alarm. An active scan via Malware's Anti-Malware (free) found it. It even made short process with both. However - this must not mean that the thing is really gone, eh?

After that, I scanned again, full scans with Avira Security Suite, Malware's Anti-Malware, SuperAntiSpyware and Emsisoft Anti-Malware Squared. All with no results anymore. But I do not trust it, this Zeus is probably the most dangerous and well-supported criminal trojan currently plagueing the web. I hope those criminals behind it, and others like them, race against a tree with their cars or fall off a bridge.

System reinstallation is in order sooner or later, preferrably before I do my next financial transactions via my system. Great. Right what I was craving for. It'S not so much the installation - but the finetuning of options and individual preferrances.

:arrgh!: I hope Zeus punishes them with well-aimed lightning bolts.

Does anyone know how to prepare better against threats like Zeus which you can catch up by simple surf-bys? Detection probabilities of even the latest scanner updates of around 23% are not encouraging, are they.

As a warning to all others: if you ever meet Zeus, take it serious and realise that you just have been found by major trouble. I found this excellent German article published by an analyst from Kaspersky which describes it. It is so hard to detect becasue the gangsters behind it spread it in a myriads of versions - and make sure that they release only a small number of modifications into the wild at the same time - but in very short intervals. The record has been over 5000 mutations within just one month. The total number of altered versions of Zeus ranks amongst the hundreds of thousands. In 2009, over 3.6 million systems in the US alone were found to be infected, and formed one of the biggest botnets ever revealed.

http://www.viruslist.com/de/analysis?pubid=200883691

I am not aware that the article is around in English, too. If you stumble over it, link it.

Does anyone know how to prepare better against threats like Zeus which you can catch up by simple surf-bys? Detection probabilities of even the latest scanner updates of around 23% are not encouraging, are they.

You could try Avast! :yep:

I've used it for years and it is every bit as good as people say it is. :up:

Avast and use a noscript plug-in for your browser *if it supports one*
blocks all the nasty ambush ads that contain trojans and other malware.

HunterICX

I am pretty sure that I fell victim to a drive-by infection, since I was searching pics of those airplanes. Zeus is known to be extremely stealthy and extremely adaptable, and that is why even the latest up-to-date scanners and definitions have only a 1:2 - 1:3 chance of detecting the latest incarnations. Since some time it also has been known to have been encrypted even better, so that it can deceive security scanners even better.

So, Avast or Avira, Bit Defender or Kaspersky - you better do not feel safe against this beast. It completely escaped Avira Security 2012's radar - and that is a solid security suite as well.

Do a search for Zeus ion the Web to get some info. DO NOT TRUST YOUR SCANNERS TO PROTECT YOU IF YOU MEET IT. CHANCES ARE THEY WILL NOT. 70% of all PCs infested in 2009 or 2010 that were examined by a security company, were protected by up-to-date Firewalls and Virus-Scanners with updated definitions.

Will go to town now, and then this late afternoon start the dance.

Panda Cloud free antivirus is okay well i used it for a while but what got to me is its so silent that i use to wonder is it actually doing anything. No updates of the definitions are required because its running in the cloud. For a free antivirus reviews ive read have stood by it, but for me it was so damn silent where the paranoia got the better of me so i went back to a paid antivirus.

Only payware Firewall and AntiVirus suites for me. Nobody can convince me that what they do for a fee is done for same effectiveness but for free by "free versions". Additionally using free malware scanners is recommended. I use Malwarebyte'S program, and SuperAntiMalware. Emsisoft's program also often gets recommended over here.

This year, the internet suites of Bit Defender and Kaspersky, F-Secure and G-Data score highest for recognition rates and cleaning, according to testzs in German computer magazines. Panda Cloud was rated okay for recognition, but moderate in cleaning, another Panda version there is which is even weak in recognition. Avast is found to be moderate only in recognition, and weak in cleaning, it is the one suite that has massively lost in this year's incarnation, they say by their results (it was one of the top contenders in past years). My Avira scores good in recognition and cleaning, but moderate only regarding performance (it takes long time to scan the HD).

Well, that says the test by German market leading computer magazine Chip. I sticked with Avira only for reasons of comfort, I already had the abo last year. If I would install brandnew a suite, i would go with BitDefender this year. In the tests it was the only one scoring top in all three categories recognition rate, cleaning, and performance.

Regarding my Zeus problem, none of these suites gives you really safe security. If you got a Zeus clone, and it is not a years-old incarnation (and how would you tell, there are several hundred thousands), there is a good chance that it is still there after the scanner says he "cleaned" it, so REINSTALL. It was not Avira finding it, it was Malwarebyte's Anti-Malware and SuperAntiMalware, btw (both can be had for free in their active scan versions). I would recommend to run active scans with both once a week.

Hard to believe Avast! scored so poorly. Like I've said, I've used the (free ed.)
Avast! for years. I do a complete boot scan 1-2 a month and a more thorough
scan with Avast! and various anti-malware apps every 3 months or so. I haven't had
a single virus or malware in probably 2 years. Avast! always picks up bad websites
as I try to connect to them and automatically cuts the connection. :yep:

As for payware AV, my only experience is with F-Secure and I hated it. It was
slow and it leaked like hell. And just the other day, Crécy had problems starting
the Combat Mission: Commonwealth Forces add-on. Turns out his (payware)Norton
was for some reason blocking the executable. :doh:

I use to use Avast years ago and back then it was a very good free antivirus i dont know about now but i would presume it could only get better. The only thing that annoyed me was whenever a virus was found or an update was completed it scream out on the speakers about it. Not good when browsing then all a sudden YOUR ANTIVIRUS HAS BEEN UPDATED! :haha:

Only payware Firewall and AntiVirus suites for me. Nobody can convince me that what they do for a fee is done for same effectiveness but for free by "free versions".

that's the second time I have to agree with him.
I've been using Norton for sth like 6 years now and I've never had any problems.
I tried to use some free stuff for around a week a few years ago and after a few clicks my win XP tried to "save my marriage". After this prompt I immediately installed Norton back.

^Yeah ive gone back to Norton 360 premium edition. Works well and seems like its doing something, plus its smooth when gaming it has a silent mode option when gaming but i don't need to turn it on.

Hard to believe Avast! scored so poorly. Like I've said, I've used the (free ed.)
Avast! for years. I do a complete boot scan 1-2 a month and a more thorough
scan with Avast! and various anti-malware apps every 3 months or so. I haven't had
a single virus or malware in probably 2 years. Avast! always picks up bad websites
as I try to connect to them and automatically cuts the connection. :yep:

As for payware AV, my only experience is with F-Secure and I hated it. It was
slow and it leaked like hell. And just the other day, Crécy had problems starting
the Combat Mission: Commonwealth Forces add-on. Turns out his (payware)Norton
was for some reason blocking the executable. :doh:


Avast was a top contender until last year, but if you check over several years, you see that most internet suites go up and down and up and down in cycles which can have several year's lifespan.

From: Chip Magazine. Paste and copy did not work. Go here, and scroll down to the table. http://www.chip.de/artikel/Sicherheit-im-Internet-Security-Software-Januar_Februar-2012_55120663.html
the columns are entitled "Malware-Protection / Malware-Removing / Performance / Total "

I am sorry, but for those of us in the security world, this entire discussion is a lesson in irony.

Data security doesn't start at your PC - it starts with the user.

While I know Skybird posted this to help others, I am going to point out a couple of mental choices that show why he is now in this situation - hopefully to help folks avoid bad decisions.

First - let us review one very important fact. If you never want to "get hacked" or "infected" from the web is to stay off of it entirely. So the moment you choose to get on the interwebz, your choosing to expose yourself. Antivirus/anti-spyware software are risk mitigation, not a guarantee.

Now - Skybird wanted to do some research. Nothing wrong with that - but he states that some sites he chose to "investigate". Simple things like - if its an unknown site with a .ru or .cn domain, you have to be cognizent that your exposing yourself to an even higher risk. Tread carefully - ask yourself if your willing to take the risk to investigate.

Next, the idea of "drive by" infection. Infections don't just "happen" - they require either human interaction (via a click to open or save a picture) or they are injected using scripts. If you choose to open an infected file and your "real time protection" doesn't catch the threat, your had. But what about scripts - the dreaded "drive by, I didn't click anything" infection?

TURN OFF SCRIPTING or set it to prompt you for permission before running. ActiveX especially for IE (since most exploits target the largest market share) is the biggest culprit. So many people don't do this - and then get hit with a drive by that used scripting to infect them.

One tool most end users don't know about (or choose not to use) is sandboxing. Its creating a memory space that can run an application (including web browsers) without allowing direct hard drive access. So if you do get an infection - and it doesn't get caught - when the sandbox is "flushed" - the virus goes away. It never gets out of the "box" of memory devoted to the application. Again - not a perfect technology (and you need decent amounts of RAM to be able to dedicate some to the sandbox) but it can often save you heartache. Its likely that a sandbox would have saved Skybird the frustration he now has. A company I worked for at one time took this to the extreme - the entire OS and all applications ran in a sandbox - so if anything ever happened you rebooted and your machine came up clean. That takes it too far for most users, but it does point to our next tip....

Expect an infection. What does this mean? Simply put, infections are a pill because they take time to get rid of, and if you don't do a full rebuild you will always wonder "did I get it all?". Build your machine with the OS and truly critical apps. Update it. Tweak it. Then make an image of it. That way, if you are infected your looking at a quick reimage with a few additional apps/games to install instead of a multi-hour build. Plan for failure and your recovery will be much quicker.

On that point - ideally you want to avoid failure. Or at least - avoid it on your prize PC. Don't be a dummy, use a dummy instead! If you want to be on the interwebz, consider using an old, crappy piece of junk to do your web surfing on. Don't expose your expensive rig to the uglies IF you have an old clunker to ride the information superhighway in. A PC with top specs isn't going to outperform a clunker on the web in most cases - because the limiting factor is the speed of your internet connection - not the pc. Sure your browser may start slower, but after that its going to be all about the data flow..... So if you have a clunker, use it. And don't worry gents, all those hot girls on the interwebz can't see your driving the pinto when you meet then online! :rotfl2:

Of course - if your gaming online - using the clunker isn't an option. So use the gaming rig - but be disciplined. Don't go to links you don't know, don't open attachments or emails from people you are not sure of, etc.

Your brain is the first line of defence. Make good choices.

Oh - and for those that want them - there are some good, free tools out there for imaging and sandboxing.....

I made up my own security suite once and had this setup running for a while

Malwarebytes

Panda Cloud

McAfee SiteAdvisor
will give you update on sites you are entering

Microsoft Security Essentials

CCleaner,

Zonealarm firewall

Common sense

All the above is free, you now have yur own cowboy Security Suite. :D

I know that all, Haplo, and I agree.

I am quite aware of security holes like scriptings, Java, and that you should not trust to click everything, everywhere. And like I repeatedly said: even modern security software does not detect especially this damn Zeus thing reliably - as a matter of fact latest Zeus incrantions defeat dsecurity software most oif thte time. My browser is pretty much closed up, almost on maximum settings, but tzhere is always the chance of human error: that I oversee to update Adobe Flash in time, or during some ordering process I needed to unlock cookies or some scriptiung setting , and afterwards forgot to close the door again.

The damn thing with drive-by attacks is that yiou must not do anything anym,ore to exceute malware. Simply ladning on the site already triggers the activation, you must not open a mail or click on a link on that site. It is like walking in town. You muts not ask people to cpough at you. If there is a sick person breathing once or twice in your neck and you are unlucky, you got infected. You can avoid that only by staying at home, and not going out.

I do like this on the web most of the time. But some risks simply mjust be taken, and maybe this time I have leaned myself out of the window in just the wrong place. Click one pic of a Chinese fighter on Google Picture Search - and voila. I played, I took a risk, and this time I got burned. It's been the first timne since many years, and I am lucky enough to have realised it within hours of daytime and minutes of computer operation time.

The one tnhbing I wanted to get over in my opening posting is that there are threads out there, like Zeus, where you cannot trust in your security software to protect you. Zeus beats it in 3 out of 4 events.

You swim at the beach, its holiday. When you do not meet Mr. Shark in the water, everything's fine and holiday continues. When you meet him, you are srewed. That'S how it is.

Much worse it becomes when you do not realsie that you have been compromised and that you have been assimilated by a zombienet. And I think that is the case with most people who caught an infection. They even do not realise it. I have, immediately, and reinstalled and changed my important passwords, for banking and buying tansactions, not for harmless forums. Time-consuming, but no financial damage done (so far). :up: In the end, it just confirms me in my usual paranoia (shopping accounts, social networks, Google, and the like).

Skybird - I trust you know that wasn't aimed at you - you simply opened up an opportunity for me to impart some knowledge that others may read.

Were you running a sandbox? If not, make sure you add that to your suite of tools in the next build! Good luck!

One tool most end users don't know about (or choose not to use) is sandboxing. Its creating a memory space that can run an application (including web browsers) without allowing direct hard drive access. So if you do get an infection - and it doesn't get caught - when the sandbox is "flushed" - the virus goes away. It never gets out of the "box"

Sandboxing, this is new to me, I'm going to look into this, looks like a must have. I recently made a visit to a trusted site and clicked on a howto picture link only to be hit by a trojan. Security Essentials picked it up right away and wiped it, but the site has now been black balled as a bad risk.

Security Essentials seems to work quite well I recon, any thoughts on this ?

Skybird - I trust you know that wasn't aimed at you - you simply opened up an opportunity for me to impart some knowledge that others may read.
All lights on green, I knew it was nothing personal, don'T worry.

Indeed the fault is with me. I may have overseen to update something in time (I use Secunia PSI once a week, but it is not 100% perfect).


Were you running a sandbox? If not, make sure you add that to your suite of tools in the next build! Good luck!
And a second fault of mine - I always bypassed that, since I know not much about it and was too lazy to get the education on it. Have no idea how to do it, and I am wondering anyway: is there really no virus or malware that can defeat it? I mean the reserved space in memory still is physically attached to the system and all hardware. where there is physical connection, there is an entrance gate - always. You just need to learn how to use it. And is there really no hacker not able to defeat a sandbox? Layman on sandboxes that I am, I say: I do not believe that.

Sandboxing, this is new to me, I'm going to look into this, looks like a must have. I recently made a visit to a trusted site and clicked on a howto picture link only to be hit by a trojan. Security Essentials picked it up right away and wiped it, but the site has now been black balled as a bad risk.

Security Essentials seems to work quite well I recon, any thoughts on this ?
Just think of it: people want free versions of a security software - that needs constant maintenance and daily updates - to work as reliable and do as extensive a job, as a payware suite.

Why would anybvody buy the commercial versions then? I used the free versions of Avira AntiVir years ago, and a free firewall. But the commercial Avira suite does plenty more things than any of the free programs, and it is not just cosmetic options.

I would always reciommend people to go with a solid payware solution. It does not compare to the free antivirus scanners. As Haplo indicated, software alone does not give you total security, it is your behaviour in the first. But by software you can raise the hurdles for the hiuge diversity of different malware trying to enter. I mean when you leave the house, you do not leave the front door open, you close and you lock it, don'T you. When somebody wants to get in, no matter what, he nevertheless will, by brute force or clever, subtle ways. But still: you lock the door. The many criminals-by-opportunity you have discouraged by that already.

For a good (if somewhat dated) read on sandboxing:
http://www.windowsecurity.com/articles/Better-Security-through-Sandboxing.html

If you want total security, lock the PC in a room only you can get to, and disconnect it entirely from the internet. Congrats - its secure. Otherwise, its all about using every tool to create a layered defense.

Sandboxing - like anything else - is another tool in the toolbox. Its not foolproof. Yes - sandboxes can be detected and bypassed - but doing so requires additional code that makes a virus more detectable. To detect a sandbox, the infection must query the system about its resources. This query is one of the things most "real time" protections look for.

Things like Java are sandboxes in and of themselves. Its a technology you use a lot. Sandboxing software that you can use to run your browsers within are free and easy. Give it a shot - layered defenses are good.

Thanks, will consider it.

I bought an Anti Virus guard once, McAfie. It was a nightmare of odds and sods slapped together . The different parts must have been written by different companies I'm sure and that put me off for life.

I use Microsoft Essentials now, runs quite smoothly and uptil now is OK. I must admit to visiting or trying uknown sites, how else are you going to know them right. But recently I was fooled by a Site I trusted called PSDbox, a dedicated photoshop site with some interesting tutorials. But it hit me with trojans (described by Essentials as serious) , I mailed the owner in case he had been hacked because I like the site. But how can you guard yourself against this except good software.

Good thread t1 :up:

I've been using Norton for sth like 6 years now and I've never had any problems.


I knew it, I f... knew it :/\\!!:haha:
I knew that as soon as I write that Norton is a very good tool bla bla bla I will get 50 infections within 15 minutes. Well, not quite. It wasn't 15 minutes but a week and not 50 but 1, but still....
I was browsing some pages yesterday and apparently caught some .exe file which activated today. My Start button went grey and a bit 'inside' (as if it was pushed). I realised that I had got infected. So I scanned with Norton. No result.
I checked the Process manager to identify the file, found the .exe responsible for all that mess and scanned it once again (only this one single file). No result,a safe file. Right...
I decided to scan with Eset online. Fortunately it found the infection - win32 agent, a trojan horse - and removed it.:yeah:

Red Alert. It's all battle stations over here again.

I thought I got rid of my problem. I was wrong. It survived three times HD formatting with power cut between each round. It survived going back of backup files 3 months old, not from my USB sticks which I use to update every two weeks, but DVDs I burn every 3 months. It survived detection attempts with four different security scanners, plus firewall, all this and browser set to very tight and conservative settings.

My registry seems to desintegrate, browser no longer works beyond first adress (and often not even with that one), software entries in software list disappear, drivers got corrupted, and the firewall time and again rings alarm that something knocks and tries to kick in the door.

I am basing on the assumption that I have no technical problems, and so take desperate measure. The HD is 1 and a half year old, it will get replaced tomorrow with a factory-new one. And then it is all software installation again - and no use of old savegames, and any backups of working files younger than 6 months.

Let this be a warning for everybody. When one of the real nasty nasties hits you, you are no longer safe and should put the nuking option on the table immediately. In overklill capacity, please. If i would have not used just 3 months old backups and would have used a new HD, I would not need to redo the whole dance once again, just one week after the last party.

If I ever should happen to stumble over a malware hacker, that day will be the most pitiful day in his life, and IU will have very brutal fun with him.

Enjoy your weekend everybody. Mine is done.

You don't need to replace the hard drive.
Repartition it instead. There are a few security threats out there that can write to "sector 0" of the partition. By deleting the partitiions on the HD and recreating them, (preferably with a slightly different size - even 1kb difference) - you rewrite the tables, eradicating any "leftovers".

Also - when you formatted the HD - did you do a "quick" format? If so, you didn't rewrite the data on the drive - you simply deleted the file system location table. Always do a "full" or "unconditional" format. This forcibly rewrites all the data on the drive with 0's.

A couple of other security hints concerning rebuilding a machine. Whenever possible - preperation is always the best course. If you have the ability - download (from an uninfected machine) the latest virus definitions, updates, etc for your system beforehand. Put them on something that you can move them to the newly rebuilt machine. For things like service packs for the OS - download the "redistributable" or the version for IT folks. This is the full package, not just the "web install" that is usually used.

Secondly - rebuild the machine and apply the updates you have BEFORE you connect to the internet. The security holes that exist in freshly installed versions of windows NEED to be plugged before you expose the machine to the outside world. Not all attacks are "passive" - waiting on you to access a web site or whatnot. Many are active - port scanning on known vulnerabilities on new machines.

Good luck Skybird!

Thanks, Haplo, I fear I chased you around a bit over my own messing up of words: when I said "format", I indeed meant "repartition" the HD. That's what I did, dissolving all three partitions, I am just irritated that this process is so very quick under W7 and with this 18 months old hardware, under XP and with a years old rig the process of partitioning the whole HD easily took 40 minutes or so.

I interrupt after partitioning and immediately before Windows installs, by cutting power, waiting, and then starting new. By this I hope to kill any bugger that hides in RAM where it moved while partitioning is going one. I learned that some sophisticated malware have ther ablity to do so, or even can jump from one part of the HD to another while partitioning is in process. Maybe I am paranoid, but when you already go for the dance anyway, then dance all the way, eh?

I have introduced a second account, from which to run Internet surfing exclusively, with tight browser settings. Can I set that account separately for a sandbox that you mentioned ? I do not think I fully understood how to establish it, but maybe I had a slow brain day when reading about it.

And once again my Logitech Mouse and keyboard giove me troubles, Logitech is fine in hardware, but a terrible mess in customer support and software and drivers. I think they are rich snobs whpo have so much money already that they do not need to care for offering attractiove and easy-to-handle software solutions for paying customers. Setpoint cannot be ionstalled. Hell, their downloads are not even properly indexed and their textboxes when something failed do not even contain any words! Strange advice is rumoured: that their driovers do not install properly from behind a firewall or if you have not logged a support account. What? I need to create a full account with mandatory real world adress and tel-number to get them supporting the software mess I payed money fort to get delivered? That is called support these days?

Maybe they recruit from staff that gets fired over at Microsoft. They should outcource software developement and support, and limit themselves to make hardware exclusively.

At least the Logitech problem I got solved, by using a download from a computer magazine. That was like it it should be: nicely and correctly indexed, no fuzzy zipping, with a tiny symbol instead of a placeholder. Click it, and it starts to install everything.

Logitech - outsource your software support and download centre, really. Others know better how to do it, than you do.

I stumbled over "Sandboxie", and have installed it for tests inside a second acount that so far is mneant excluisvely for surfing.

I still feel not familiar with how to set up a sandbox correctly, but Sandboxie says there is the default setting for Explorer, which I additionally run with tight settings and without Java script, and Active X filter on.

Is this default Sandboxie thing any good?

They also recommend that one should switch on special protection for x64 windows systems. Buit when going into that option, it says that this could prevent future Windows Updates, so I interrupted there. Does this mean the default settings are useless on an x64 system?

I have still not looked into how it works with Live Mail.

Its probably a bit too late to post this...

But anyway, I'll post it because i'm feeling rebellious for some reason.

Sandboxie basically runs a computer within a computer (or in this case, a browser within a browser).
All your data from that session, whether its downloads, cookies etc is stored by sandboxie insted of your HDD, and as soon as that "session" is complete, sandboxie deletes/removes the data. This means anything you used during that session is gone - including nasty tag-along programs.

Sandboxie can also be used for running other internet applications in a "bubble", so if you want to isolate a FTP server for example.

For making sandboxie work with windows live mail : http://www.sandboxie.com/index.php?ApplicationsSettings

Thanks, danny, it is indeed a bit late. :) I have it up and running, and yes, it is a nice and relatively troublefree thing to use.

If a PC-Dummie like me can figure it out, than anyone else can as well. Sandboxie is recommended!