SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997
#1
The Old Man
Join Date: Aug 2007
Location: Poland
Posts: 1,430
Downloads: 5
Uploads: 0
Quote:
I've been using Norton for something like 6 years now and I've never had any problems. I tried to use some free stuff for around a week a few years ago and after a few clicks my Win XP tried to "save my marriage". After this prompt I immediately installed Norton back.
#2
Eternal Patrol
Join Date: May 2004
Location: Aeoteroa
Posts: 7,382
Downloads: 223
Uploads: 1
^Yeah, I've gone back to Norton 360 premium edition. Works well and seems like it's doing something, plus it's smooth when gaming; it has a silent mode option when gaming but I don't need to turn it on.
#3
The Old Man
Join Date: Aug 2007
Location: Poland
Posts: 1,430
Downloads: 5
Uploads: 0
Quote:
I knew that as soon as I write that Norton is a very good tool bla bla bla I will get 50 infections within 15 minutes. Well, not quite. It wasn't 15 minutes but a week and not 50 but 1, but still.... I was browsing some pages yesterday and apparently caught some .exe file which activated today. My Start button went grey and a bit 'inside' (as if it was pushed). I realised that I had got infected. So I scanned with Norton. No result. I checked the Process manager to identify the file, found the .exe responsible for all that mess and scanned it once again (only this one single file). No result, a safe file. Right... I decided to scan with Eset online. Fortunately it found the infection - win32 agent, a trojan horse - and removed it.
#4
Soaring
Red Alert. It's all battle stations over here again.
I thought I got rid of my problem. I was wrong. It survived three times HD formatting with power cut between each round. It survived going back to backup files 3 months old, not from my USB sticks which I use to update every two weeks, but DVDs I burn every 3 months. It survived detection attempts with four different security scanners, plus firewall, all this and browser set to very tight and conservative settings. My registry seems to disintegrate, browser no longer works beyond first address (and often not even with that one), software entries in software list disappear, drivers got corrupted, and the firewall time and again rings alarm that something knocks and tries to kick in the door. I am basing on the assumption that I have no technical problems, and so take desperate measures. The HD is 1 and a half year old, it will get replaced tomorrow with a factory-new one. And then it is all software installation again - and no use of old savegames, and any backups of working files younger than 6 months. Let this be a warning for everybody. When one of the real nasty nasties hits you, you are no longer safe and should put the nuking option on the table immediately. In overkill capacity, please. If I would have not used just 3 months old backups and would have used a new HD, I would not need to redo the whole dance once again, just one week after the last party. If I ever should happen to stumble over a malware hacker, that day will be the most pitiful day in his life, and I will have very brutal fun with him. Enjoy your weekend everybody. Mine is done.
__________________
If you feel nuts, consult an expert.
#5
Silent Hunter
Join Date: Apr 2007
Posts: 4,404
Downloads: 29
Uploads: 0
You don't need to replace the hard drive.
Repartition it instead. There are a few security threats out there that can write to "sector 0" of the partition. By deleting the partitions on the HD and recreating them, (preferably with a slightly different size - even 1kb difference) - you rewrite the tables, eradicating any "leftovers".
Also - when you formatted the HD - did you do a "quick" format? If so, you didn't rewrite the data on the drive - you simply deleted the file system location table. Always do a "full" or "unconditional" format. This forcibly rewrites all the data on the drive with 0's.
A couple of other security hints concerning rebuilding a machine. Whenever possible - preparation is always the best course. If you have the ability - download (from an uninfected machine) the latest virus definitions, updates, etc for your system beforehand. Put them on something that you can move them to the newly rebuilt machine. For things like service packs for the OS - download the "redistributable" or the version for IT folks. This is the full package, not just the "web install" that is usually used.
Secondly - rebuild the machine and apply the updates you have BEFORE you connect to the internet. The security holes that exist in freshly installed versions of Windows NEED to be plugged before you expose the machine to the outside world. Not all attacks are "passive" - waiting on you to access a web site or whatnot. Many are active - port scanning on known vulnerabilities on new machines.
Good luck Skybird!
__________________
Good Hunting! Captain Haplo
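On an MBR-partitioned disk (an assumption here), the "sector 0" discussed in the post above is a 512-byte sector holding boot code, four partition entries and a signature. The following is an added example, not part of the thread: it parses such a sector and hashes the boot-code area so that a dump taken before a rebuild can be compared with one taken after. The sector bytes are constructed sample data, and `parse_sector0` and `build_sample_sector` are hypothetical names.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445 hold the boot code
ENTRY_SIZE = 16              # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511

def parse_sector0(sector: bytes) -> dict:
    """Split an MBR sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_END]
    partitions = []
    for i in range(4):
        off = BOOT_CODE_END + i * ENTRY_SIZE
        entry = sector[off:off + ENTRY_SIZE]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == SIGNATURE,
        "boot_code_zeroed": not any(boot_code),
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }

def build_sample_sector(boot_code: bytes, entries: list) -> bytes:
    """Constructed test data: assemble a sector from boot code and entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, lba_start, count) in enumerate(entries):
        off = BOOT_CODE_END + i * ENTRY_SIZE
        sector[off] = 0x80 if i == 0 else 0x00   # first entry marked bootable
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    # Constructed samples: identical boot code, partition size differs by one sector.
    before = build_sample_sector(b"\xeb\x3c\x90" * 10, [(0x07, 2048, 409600)])
    after = build_sample_sector(b"\xeb\x3c\x90" * 10, [(0x07, 2048, 409601)])
    for name, dump in (("before", before), ("after", after)):
        print(name, parse_sector0(dump))
```

To use it on a real system, pass the first 512 bytes of a disk image file to `parse_sector0`; a changed `boot_code_sha256` between two dumps shows that the boot-code area was rewritten, not only the partition table.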
#6
Soaring
Thanks, Haplo, I fear I chased you around a bit over my own messing up of words: when I said "format", I indeed meant "repartition" the HD. That's what I did, dissolving all three partitions. I am just irritated that this process is so very quick under W7 and with this 18 months old hardware; under XP and with a years old rig the process of partitioning the whole HD easily took 40 minutes or so.
I interrupt after partitioning and immediately before Windows installs, by cutting power, waiting, and then starting new. By this I hope to kill any bugger that hides in RAM where it moved while partitioning is going on. I learned that some sophisticated malware has the ability to do so, or even can jump from one part of the HD to another while partitioning is in process. Maybe I am paranoid, but when you already go for the dance anyway, then dance all the way, eh? I have introduced a second account, from which to run Internet surfing exclusively, with tight browser settings. Can I set that account separately for a sandbox that you mentioned? I do not think I fully understood how to establish it, but maybe I had a slow brain day when reading about it. And once again my Logitech mouse and keyboard give me troubles. Logitech is fine in hardware, but a terrible mess in customer support and software and drivers. I think they are rich snobs who have so much money already that they do not need to care for offering attractive and easy-to-handle software solutions for paying customers. Setpoint cannot be installed. Hell, their downloads are not even properly indexed and their textboxes when something failed do not even contain any words! Strange advice is rumoured: that their drivers do not install properly from behind a firewall or if you have not logged a support account. What? I need to create a full account with mandatory real world address and tel-number to get them supporting the software mess I paid money for to get delivered? That is called support these days? Maybe they recruit from staff that gets fired over at Microsoft. They should outsource software development and support, and limit themselves to make hardware exclusively.
__________________
If you feel nuts, consult an expert.
#7
Soaring
At least the Logitech problem I got solved, by using a download from a computer magazine. That was like it should be: nicely and correctly indexed, no fuzzy zipping, with a tiny symbol instead of a placeholder. Click it, and it starts to install everything.
Logitech - outsource your software support and download centre, really. Others know better how to do it than you do.
__________________
If you feel nuts, consult an expert.
#8
Soaring
I stumbled over "Sandboxie", and have installed it for tests inside a second account that so far is meant exclusively for surfing.
I still feel not familiar with how to set up a sandbox correctly, but Sandboxie says there is the default setting for Explorer, which I additionally run with tight settings and without Java script, and Active X filter on. Is this default Sandboxie thing any good? They also recommend that one should switch on special protection for x64 Windows systems. But when going into that option, it says that this could prevent future Windows Updates, so I interrupted there. Does this mean the default settings are useless on an x64 system? I have still not looked into how it works with Live Mail.
__________________
If you feel nuts, consult an expert.