Post by Ubereil on Oct 22, 2006 17:14:57 GMT
While we're at it, my brother's got some kind of trojan ;D. He got it when a "friend" sent him a "picture of himself". It seems to screw with his DDL-files, but it's all so messy we'll try to get the piles of [Censored] out first, before we ask for help with the dust in the corners. What I wonder about is instead this: he's got Norton Anti-virus (in case you wonder why he got viruses). So, I'm curious if anyone here could hook me up with some nice freeware anti-virus program for him that actually protects him. And thanks in advance.
Übereil
Post by Alrik on Oct 22, 2006 18:56:29 GMT
Try several freeware programs in parallel. 4-6 eyes see more than just 2.
Post by ss on Oct 22, 2006 22:47:12 GMT
I have Ad-Aware SE, Avast, and Spybot Search and Destroy ...all are free...(my versions)...all seem to get rid of different viruses, but Ad-Aware always gets rid of my history on my drop down line but leaves my favorites alone, so works well... Avast runs constantly and updates itself...I have to run the other two once or twice a month...get the latest updates and run them individually...
Post by Alrik on Oct 23, 2006 9:54:41 GMT
You could try whether AntiVir Classic (a German product) runs on your PC, too. www.free-av.de/
With the upper left drop-down list you can change the site's language into English.
Post by Ubereil on Oct 23, 2006 10:40:33 GMT
OK, my brother really seems to have problems... The major problem is that Windows doesn't find any viruses (so he doesn't know what he's got), and he keeps getting the same spyware, that changes his security settings. He tries to run Spybot before Windows starts, but that won't happen, so he can't really remove them either. And he can't do stuff like update the Windows security and stuff like that...
Übereil
Post by Alrik on Oct 23, 2006 11:13:35 GMT
So the trojan is loaded BEFORE everything else is loaded. That's a serious problem.
Reminds me of how "root-kits" work.
If he has a linux distribution, he could try installing it; there are scanners for Linux out there, too.
Or he could try the "recovery console" or whatever it is called.
Post by Ubereil on Oct 23, 2006 11:47:20 GMT
He doesn't have linux installed. If he was pro enough to have linux, you think he'd use norton?
The following spyware can't be removed: Look2Me.Topconverting Microsoft.Windows Security.Internet explorer (possibly without the spaces) Mru list Adware.Look2Me Win32.TrojanDownloaderAdload (name says it all)
Übereil
Edit: Installed Avast! and found a bunch of infected files. We can't repair, and they're placed in Win32 temp the whole bunch, so we're scared we'll crush windows if we remove them, so we're ignoring them for the moment. But does the "temp" mean windows can do without them (ie is it safe to delete them)?
Post by Alrik on Oct 23, 2006 15:10:17 GMT
Have you immunized with Spybot? You could try to use a packer to move the HOSTS and HOSTS.SAM files into a compressed file. I do it often with files I don't need and with programs which I can't understand. Just move them into a .zip file, and if something doesn't run anymore, you know why, then.
And try ad-aware if you haven't done this already.
By the way, the infection took place while working under an administrator account, didn't it?
You could try it the hard way: If you know the exact names of the files themselves, look out for them. And manually (under DOS) try to delete them.
Another way could be to develop a DOS boot disk with the NTFS driver of www.sysinternals.com
With the "Process explorer" of Sysinternals you can also kill certain tasks.
And try AntiVir, too, by the way. It's at www.free-av.de
You can change on that site the language via using the drop-down list on the far upper left.
Just see they have a program for reading NTFS under DOS: www.free-av.com/antivirclassic/avira_ntfs4dos.html
Ah, and a last edit: Have you tried to find the names of these trojans in Norton's database? Or any other antivirus database? Because these often provide very detailed descriptions on how they work and what's even more important: How to get rid of them!
Post by Ubereil on Oct 23, 2006 15:21:18 GMT
I installed Avast! and am currently running it. I found loads of viruses. I've quarantined them for the moment, until we decide what to do with them... We'll try to reboot in safe mode when we're done, and see if we can remove any more files...
Übereil
Post by Alrik on Oct 30, 2006 20:34:56 GMT
Post by winlok on Nov 5, 2006 16:57:47 GMT
I have a different problem than Uby. When I go to defrag my hard drive it doesn't respond. I want to do this to keep it running smoothly. I got the computer in June, but as far as I'm concerned it's new.
Anyways the defrag utility doesn't respond when I go to use it. I've scanned my hard drive humpteen million times. I'm exaggerating.
I downloaded the Microsoft Defragmenter program, and at least got this message.
Windows cannot defragment this drive because it has been locked by disk utility. Quit any utilities that may have locked this drive, and then try defragmenting the drive again.
ID No: DEFRAG00105
Does this sound common? It sounds like I've flipped a switch somewhere, by accident.
BTW: Uby, since you have the option to quarantine things, I would run your computer for a few days, and if things work reasonably well you can delete them.
Post by Alrik on Nov 5, 2006 20:01:30 GMT
Use a different defrag program and look at what it says (like the freeware version of O&O Defrag).
Post by winlok on Nov 6, 2006 17:37:03 GMT
Thanks Alrik that did the trick, but I don't know what I'm looking for. It just defrags, and that's that. I would like to get my original windows defrag working though, I hear a lot of conflicting stories about third party software. Some people say they're pretty good, and some people say they're a waste of money.
I've also tried running Sfc /Scannow, and a file protection box pops up saying "Files that are required for Windows must be copied to the DLL Cache. Insert your Windows XP Professional Service Pack 2 CD Now" I have Windows XP Home edition. Can anyone help please?
BTW: I run eventvwr.msc and the event viewer has a few errors, but checking the ID's they are from games or sometimes I closed down too fast and it ended up hanging. Is it safe to delete those errors, with no harm to the computer? It also has a ton of exclamation marks. Can the same deal apply? The Defragmenter is the most important thing though, I want to get that working above all else.
Post by Alrik on Nov 6, 2006 20:13:01 GMT
"Locking" usually means a program is currently using the hard disk, running in the background. I don't know whether MS Office's indexer does it, but this is an example of a program that:
- runs in the background
- accesses the HD very much
- slows the system down
Perhaps you could try the "Process Explorer" by Sysinternals, to see what's running in the background?
Post by winlok on Nov 6, 2006 21:10:47 GMT
If you want to check what is running in the background, couldn't you just type in msconfig in the run menu? 
Post by Dark Phoenix Rising on Nov 7, 2006 10:36:23 GMT
No, as that just shows you what's starting up from a couple of places that they can be started.
But I suspect that it's probably a media player of some description that you have set to automatically keep track of changes to your music or such like.
Post by Alrik on Nov 7, 2006 12:13:43 GMT
Sysinternals has with "Autoruns" the deepest looking glass for what's starting when windows starts up, imho.
Post by Dark Phoenix Rising on Nov 7, 2006 12:49:12 GMT
The program that security professionals will generally get you to run online is hijackthis, a utility that displays everything that is starting from a hijacking point on the computer. The listings, however, are more than a little daunting for someone that isn't well versed in that sort of thing (i.e. me).
Post by jurak on Nov 7, 2006 16:21:37 GMT
if all else fails... you can always do this 
Post by xthink on Nov 13, 2006 23:16:14 GMT
yeah, run hijack this, and search them all on google or some sort :-), or just check your software list in start -> configuration -> software. It could be that some malware is listed in it, then just uninstall it, then rerun avast, adaware and spybot :-) or give ewido a try. and make sure to scan with it in safe mode without internet connection, lots of malware downloads itself again. If that doesn't work, do another hijack this session and post its log here or so, or pm it to me.