Author Topic: Trojan removal - Is it over?  (Read 2989 times)

Offline Nicholai

  • Hero Member
  • "This will all end in tears"
  • *****
  • Male
  • Posts: 1972
    • FA
Trojan removal - Is it over?
« on: December 02, 2010, 04:51:46 pm »
So, I accidentally downloaded a trojan/virus today.  Whoops.

When I saw the program start up (it was one of those fake anti-virus deals) I immediately shut down the computer, and booted into safe mode. Once there, I found the offending EXE and killed it along with the corresponding HKCU startup entry. When I booted the computer back up, everything was fine. No sign of the virus, and everything is normal.
The only suspicious thing so far has been Firefox telling me that it can't connect to the internet due to system proxy settings, so I changed Firefox's connection settings to get it back online. (Although I think this may be attributed to the fact that I messed with a few Windows security settings after I booted my computer back up.)

So here's my question: That seemed WAY too easy. Maybe it was just a really mediocre trojan or something, but I kind of expected it to put up more of a fight. Is there anything else I should look for? Are there any other files/DLLs/registry entries that could still be lurking around on the computer? Anything I should look out for?
"When you cannot joke about the darkness of life, that's when the darkness takes over."
-Amanda Palmer
-------
Cheetah: World's most adorable High-speed killer
Jaguar: World's most adorable Stalk-and-ambush killer
Hybridization: Murderously adorable. <3
---
Fun fact: I write music. If you have a second, have a listen.
http://soundcloud.com/grigori-wolf

Offline furtopia02

  • *****
  • Posts: 1801
Re: Trojan removal - Is it over?
« Reply #1 on: December 02, 2010, 05:42:02 pm »
If you are using Vista or Seven then all you have to do is do a system restore back to the way it was right before you downloaded it. Easy fix actually. So if you are still worried try that.

Offline Mooshi

  • *****
  • Posts: 1686
Re: Trojan removal - Is it over?
« Reply #2 on: December 02, 2010, 05:54:49 pm »
Buy a Mac...8D

In all honesty, you should get the program "Deep Freeze" or try to find an open source alternative. Dealt with this in electronics class before. Basically it freezes your computer down so that it's idiot proof. What I mean is, you lock down a working config and will never have to worry about something going wrong.  All it takes is a reboot and your system goes back to the config you locked it on. The downside is you can't save anything on your primary partition unless you unlock your system, because it wouldn't save. So make sure all the programs you want are already installed before activating it, and save your data on a 2nd HDD.

Offline Nicholai

  • Hero Member
  • "This will all end in tears"
  • *****
  • Male
  • Posts: 1972
    • FA
Re: Trojan removal - Is it over?
« Reply #3 on: December 02, 2010, 06:18:58 pm »
Quote
If you are using Vista or Seven then all you have to do is do a system restore back to the way it was right before you downloaded it. Easy fix actually. So if you are still worried try that.

I was thinking about that, but System Restore only monitors certain files and locations, so I'm a little leery about just setting it to an earlier restore point and calling it a day. Couldn't hurt to try though.

Quote
In all honesty, you should get the program "Deep Freeze" or try to find an open source alternative.

Oh no, I know what Deep Freeze is. I worked as an intern under my high school's IT director last year, so I had a bit of exposure to the program. Although it feels like a good idea, it seems a little drastic, considering this is the only virus/trojan I've ever gotten, EVER.

Offline Mooshi

  • *****
  • Posts: 1686
Re: Trojan removal - Is it over?
« Reply #4 on: December 02, 2010, 07:06:24 pm »
aww, but overkill can be fun, though.

Offline Landrav

  • Hero Member
  • Flufftaur
  • *****
  • Male
  • Posts: 2441
    • My FA
Re: Trojan removal - Is it over?
« Reply #5 on: December 02, 2010, 09:01:54 pm »
If you're not installing/uninstalling or changing system settings very often, then it might be worth checking out.

If you know which virus/trojan you had, you might be able to check online what it changes, then verify that the files weren't changed.  Maybe.  Worth a shot?
http://www.furaffinity.net/user/landrav/

I am contractually obliged to state that Fluttershy is the best pony.

Offline Nicholai

  • Hero Member
  • "This will all end in tears"
  • *****
  • Male
  • Posts: 1972
    • FA
Re: Trojan removal - Is it over?
« Reply #6 on: December 02, 2010, 09:27:06 pm »
Quote
If you know which virus/trojan you had, you might be able to check online what it changes, then verify that the files weren't changed.  Maybe.  Worth a shot?

Nope. The second I saw it, I knew what it was, and I shut down my computer.  :D

Offline Avan

  • Species: Azemdyn Sabertooth Hyena
  • Gender: Non-Binary, YEEN.
  • *
  • Posts: 5010
    • Our FA
Re: Trojan removal - Is it over?
« Reply #7 on: December 02, 2010, 09:52:21 pm »
Quote
Buy a Mac...8D

NO.

You can try using something like Malwarebytes to search for any remaining infected files or registry entries.

Spybot also might find something, if it tampered with the browser, etc. But Spybot is a resource hog.
We are Dissociated Identities.

Avatar is of Avan-Syr (Saberyeen)
Old links to art sites we need to update:
Weasyl Page: https://www.weasyl.com/~avankaira
My FA page: http://www.furaffinity.net/user/avanwolf/

Steam: http://steamcommunity.com/id/avan_wolf/

Offline Foxpup

  • Hero Member
  • Species: Cyborg Fox
  • *****
  • Male
  • Posts: 1182
Re: Trojan removal - Is it over?
« Reply #8 on: December 02, 2010, 09:54:37 pm »
Trojans generally are that easy to deal with. Usually, once the .exe's gone, so is the Trojan. However, they do like to change your firewall and internet settings in the registry, leaving you open to other attacks. Download Malwarebytes' Anti-Malware, it'll scan your registry for suspicious settings and make everything all better.
“Hmm... They have the Internet on computers now.” - Homer Simpson

“Art doesn't work without pain. Art exists for compensating pain.” - Till Lindemann

“There's a fine line between sayings that make sense.” - Too Much Coffee Man

Offline Nicholai

  • Hero Member
  • "This will all end in tears"
  • *****
  • Male
  • Posts: 1972
    • FA
Re: Trojan removal - Is it over?
« Reply #9 on: December 02, 2010, 10:55:39 pm »
Thanks for the Malwarebytes link, fuzzies, I've been looking for something like that.

I did a system restore from the previous day, just to be safe.

So far everything seems fine, but I'm still a little curious about that proxy issue Firefox was having. 0_o

Offline Avan

  • Species: Azemdyn Sabertooth Hyena
  • Gender: Non-Binary, YEEN.
  • *
  • Posts: 5010
    • Our FA
Re: Trojan removal - Is it over?
« Reply #10 on: December 02, 2010, 11:18:10 pm »
What operating system was this on?

Offline Nicholai

  • Hero Member
  • "This will all end in tears"
  • *****
  • Male
  • Posts: 1972
    • FA
Re: Trojan removal - Is it over?
« Reply #11 on: December 02, 2010, 11:37:54 pm »
Quote
What operating system was this on?

Vista home premium SP2, build 6002

Offline Avan

  • Species: Azemdyn Sabertooth Hyena
  • Gender: Non-Binary, YEEN.
  • *
  • Posts: 5010
    • Our FA
Re: Trojan removal - Is it over?
« Reply #12 on: December 02, 2010, 11:39:18 pm »
Ok... I don't really know Vista, but it probably has a similar backup/restore system to Windows 7.

Offline Hoagiebot

  • Sr. Member
  • Species: Thinking Machines Corporation CM-5/1056
  • Analyzing MLP w/ 135-GFLOPS of raw computing power
  • ****
  • Male
  • Posts: 437
    • Project Destiny Studios
Re: Trojan removal - Is it over?
« Reply #13 on: December 05, 2010, 07:43:00 am »
Quote
Trojans generally are that easy to deal with. Usually, once the .exe's gone, so is the Trojan. However, they do like to change your firewall and internet settings in the registry, leaving you open to other attacks. Download Malwarebytes' Anti-Malware, it'll scan your registry for suspicious settings and make everything all better.

Foxpup, I am going to have to disagree with you strongly about your opinion that most malware infections are easy to deal with.  I would say that Nicholai was lucky that he got infected by something that was so easy to remove.  Very lucky.  There is a lot of malware out there that is truly devastating, and NOT EASY TO REMOVE AT ALL.  My Windows Vista Ultimate SP2 machine got nailed by the TDSS Rootkit about a year ago, and it was a nightmare.  It took me almost a week to finally get rid of the thing completely.  Why?  Well, for starters it prevents any process related to anti-virus or anti-malware products from running.  It also completely slaughtered System Restore.  After the infection was removed I discovered that all of my restore points, and system restore itself, had all been deleted by the TDSS rootkit, so there was no easy way to revert my system back to the state it was in right before the infection.

But that was just the start of the defenses that this particular rootkit implemented.  It rewrites your master boot record and causes it to load the rootkit's code from the last sectors of your hard drive, which are located outside of the file system.  If that wasn't sneaky enough, it also encrypts all of the code that it writes to these sectors and decrypts it on the fly as needed.  This accomplishes two things: 1. It ensures that the rootkit's code gets executed before everything else, including Safe-Mode Windows.  2. It ensures that almost no virus or anti-malware scanner can find it, because its executable code is not stored in a file in the file system that can be scanned.  It's outside of the file system, and it's your file system that almost every anti-virus and anti-malware scanner scans through.

But that is only the first thing that this bad boy does.  It gets better.  Way better.

To quote the PrevX blog write-up on this rootkit (emphasis theirs):

Quote
Then, to be loaded at Windows startup, Tdss rootkit uses a technique we have seen applied by Rustock.C rootkit - and other rootkits like Neprodoor: infecting Windows system drivers. Tdss rootkit walks back the chain of drivers that handle hard drive I/O looking for last miniport driver object. When found, it infects driver's PE file by overwriting 824 bytes of the resource section. By doing so, it evades a simple check that some antirootkits usually use to detect hidden rootkits: file size cross check. Usually rootkits that infect files can hide their presence by showing the original file instead of the infected one. Antirootkits which are using raw disk reading techniques could read below the filter applied by these kind of rootkits and could cross check file sizes looking for discrepancies.

This time is different, because of two evident reasons: currently no antirootkit is able to bypass disk filtering technique used by Tdss rootkit but, even if it was possible, this rootkit could not be detected by file size cross check because file size of the original and infected files are exactly the same.

When the infected driver runs, it executes the 824 bytes loader which then runs the kernel mode component of the infection. It creates a fake driver object, its relative device object, and hijacks every disk I/O communication at the level of the drivers' chain where the infected driver was located (i.e. infected driver could be atapi.sys, or iastor.sys).

The rootkit intercepts every communication and filters out IRP_MJ_SCSI packets that have specific SRB flags set. By doing so, it hides the patched driver on the disk and all disk sectors where its components are located. This is a really effective technique of disk hiding.

Tdss rootkit then sets up a Load Image notify routine to intercept every process that loads the kernel32.dll library. When intercepted, it injects inside the specified process its user mode components of the infection, tdlwsp.dll, tdlcmd.dll. They are able to turn the infected PC into a botnet's zombie. Config.ini, one of the components of the infection, contains settings of the botnet, commands to be executed, bot ID and C&C servers' addresses. Communication with C&C servers is SSL encrypted, to evade HTTP filters.

Tdss rootkit is indeed a really worrying infection, it is in the wild and it's quickly spreading without being intercepted and detected by almost anyone. Some antiviruses may throw up a warning about the presence of tdlcmd.dll or tdlwsp.dll, without being able to do anything. Most of the time users won't be warned at all, they just don't know their PC is part of a botnet and it is under the control of malware writers who can use their PC as they please.

You can read the entire PrevX blog entry on this nasty here:  Tdss rootkit silently owns the net

What stupid thing did I do to get this horrible infection on my machine?  Nothing much, really.  It used a drive-by Internet Explorer 8 exploit (that Microsoft hadn't released a patch for yet) to infect my system through an infected Adobe Flash ad that was being shown on an otherwise reputable website.  That means that I didn't download and open anything suspicious, there was no pop-up ad that I clicked on, there was no UAC message, nothing.  I was just reading an article on a website one moment, and then the next moment everything was FUBAR.  My F-Prot anti-virus didn't detect it at all, and as I mentioned above it killed the threads of Malwarebytes, HijackThis, Spybot S&D, and Ad-Aware as soon as I tried to execute them.  In addition, the trick of renaming the Malwarebytes executable file to get it to execute didn't work either.

I had thought that the Smitfraud, VX2, and Opaserv infections that either I or my clients have gotten in the past were bad, but so far TDSS is the worst that I have ever had to deal with.  And it's not like I am a newbie at this stuff.  I used to do academic anti-virus research myself back in college, and I wrote some virii for research purposes years ago (Writing viruses is legal, spreading them is not.  I have never spread anything that I have written, and never will.)  I was once even quoted in an article as an expert on the subject.  With that said, it is absolutely amazing how much malware technology has progressed in the five years since I graduated and stopped deeply researching the subject.  Some of the methods employed by TDSS I was familiar with as they were evolutions of earlier methods that I had seen used in the past, but much of what TDSS did to accomplish its infections was way beyond anything that I had ever seen.  And if I had so much trouble cleaning off my system with my knowledge and experience, imagine how devastated a normal computer user would be?  Imagine, for example, if your grandparents' computer got hit with this thing!

Even scarier, the TDSS rootkit represented the state-of-the-art in malware over a year ago, so I am very uneasy to think about what the state-of-the-art in malware infection techniques could be now.  Just look at some of the news articles currently surrounding the industrial sabotage worm "Stuxnet."  That shows that the development of sophisticated malware is alive and well, and that the constant cat and mouse game between malware authors and the developers that come up with defenses against them will keep on raging, just like they have been since the days of the Creeper worm back in 1971.

So as a word of warning, don't get lulled into complacency just because your last trojan infection turned out to be easy to remove.  Keep your anti-virus software and Windows patches up to date, have more than one anti-malware scanner installed and kept up to date such as Spybot Search and Destroy or Malwarebytes Anti-Malware, try to use best computer security practices whenever possible, stay suspicious of any file that you download from an untrusted source even if your anti-virus scanner says that it's O.K., and only enable the services on your computer that you need for what you are using it for.  That still won't save you from everything, such as some of the nasty still-unpatched browser, Java, and Adobe product exploits out there, but in the end there is really only so much you can do without resorting to software applications such as the before-mentioned Deep Freeze or disconnecting your computer from all networks completely.
« Last Edit: December 05, 2010, 07:48:28 am by Hoagiebot »
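The PrevX passage quoted above explains why a file-size cross check is blind to this kind of driver patch: 824 bytes are overwritten in place, so the infected file is exactly as long as the original. The following shell example is added here (it is mine, not from the thread or from PrevX) and uses a constructed zero-filled stand-in for a driver file, a made-up offset, and `sha256sum` to show that the size comparison passes while a hash comparison against the clean copy does not.

```shell
#!/bin/sh
# Added example (not from the thread): why a file-size cross check misses an
# in-place patch while a hash check does not. A constructed stand-in for a
# driver file is patched the way the quoted write-up describes (824 bytes
# overwritten in place, so the length never changes), then compared both ways.
set -eu

PATCH_BYTES=824   # loader size the quoted write-up gives for the overwritten resource section

# Constructed "clean driver": 64 KiB of zero bytes. Nothing here is a real driver.
make_clean_driver() {  # $1 = path
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
}

# Overwrite PATCH_BYTES bytes at a byte offset without truncating the file;
# conv=notrunc is exactly what keeps the size identical to the original.
patch_in_place() {  # $1 = path, $2 = byte offset (constructed, 4096 below)
    dd if=/dev/zero bs="$PATCH_BYTES" count=1 2>/dev/null | tr '\000' 'X' \
        | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

file_size() { wc -c < "$1" | tr -d ' '; }
file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# The weak check: prints "same" when two files have equal length.
size_check() {
    [ "$(file_size "$1")" = "$(file_size "$2")" ] && echo same || echo differs
}
# The check a scanner should use: prints "same" only when the SHA-256 matches.
hash_check() {
    [ "$(file_hash "$1")" = "$(file_hash "$2")" ] && echo same || echo differs
}

# Build clean and patched copies in a temp dir and report both checks.
demo() {
    dir=$(mktemp -d)
    make_clean_driver "$dir/clean.sys"
    cp "$dir/clean.sys" "$dir/patched.sys"
    patch_in_place "$dir/patched.sys" 4096
    printf 'size check: %s\n' "$(size_check "$dir/clean.sys" "$dir/patched.sys")"
    printf 'hash check: %s\n' "$(hash_check "$dir/clean.sys" "$dir/patched.sys")"
    rm -rf "$dir"
}
demo
```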

Offline Avan

  • Species: Azemdyn Sabertooth Hyena
  • Gender: Non-Binary, YEEN.
  • *
  • Posts: 5010
    • Our FA
Re: Trojan removal - Is it over?
« Reply #14 on: December 05, 2010, 11:03:19 am »
Quote
It used a drive-by Internet Explorer 8 exploit (that Microsoft hadn't released a patch for yet) to infect my system through an infected Adobe Flash ad that was being shown on a otherwise reputable website.

The highlighted text should tell you all you need to know >.>

Offline Hoagiebot

  • Sr. Member
  • Species: Thinking Machines Corporation CM-5/1056
  • Analyzing MLP w/ 135-GFLOPS of raw computing power
  • ****
  • Male
  • Posts: 437
    • Project Destiny Studios
Re: Trojan removal - Is it over?
« Reply #15 on: December 05, 2010, 07:05:23 pm »
Quote
It used a drive-by Internet Explorer 8 exploit (that Microsoft hadn't released a patch for yet) to infect my system through an infected Adobe Flash ad that was being shown on a otherwise reputable website.

The highlighted text should tell you all you need to know >.>

Don't start this war with me, Avan.  If you want me to start linking to dozens of bulletins for unpatched security holes in Mozilla Firefox, I will.  In fact, I never like to shoot my mouth off without backing it up with something, so here's an article from The Register discussing how a 0-day exploit for Firefox 3.6.11 was causing the same kind of drive-by malware infections to people visiting the Nobel Peace Prize website a little more than a month ago:  Hackers plant Firefox 0day on Nobel Peace Prize website.

Safari user?  I have got you covered too: Safari and Firefox updates plug critical holes.  That article talks about how three critical vulnerabilities in Safari and another 14 critical vulnerabilities had to be patched in Firefox back in September.  There is also a currently as of yet unpatched Denial of Service vulnerability for Firefox 3.6.12 (the current version) that was posted to the Packet Storm full-disclosure security website on November 20th.

So don't dish out any of that "Faster, Safer, Better" Firefox-propaganda in my direction -- every browser has more than its fair share of critical security vulnerabilities, and you can be drive-by attacked while using all of them.  And this is coming from someone who is not a Firefox hater.  I don't hate Firefox, in fact I am actually using Firefox right now to type out this forum post due to its very useful built-in spell-checker feature.  I just happened to be using IE8 at the time I got nailed by the TDSS worm last December.  What does annoy me however, which should be obvious because it caused me to write this post, are people who gloat and think that because they use product X they are somehow better than those who use product Y.  The bottom line is that security vulnerabilities affect all software from time to time.
« Last Edit: December 05, 2010, 07:07:59 pm by Hoagiebot »

Offline Avan

  • Species: Azemdyn Sabertooth Hyena
  • Gender: Non-Binary, YEEN.
  • *
  • Posts: 5010
    • Our FA
Re: Trojan removal - Is it over?
« Reply #16 on: December 05, 2010, 07:40:22 pm »
No, I was referring to adblock.
Firefox has an adblock plugin.

I've seen an obscene number of virus infections because people were not blocking ads. In fact, all but two of all of the ones I have seen were from flash ads (The other two were from flashdrives)

Offline Kobuk

  • The "Malamute Dewd"
  • Hero Member
  • Species: Anthro Alaskan Malamute (Husky)
  • #1 Dew drinker.
  • *****
  • Male
  • Posts: 27484
Re: Trojan removal - Is it over?
« Reply #17 on: December 05, 2010, 08:05:21 pm »
Keep the discussion civil, please.

Click link below for more fursuit information. ;)
http://forums.furtopia.org/kobuk's-fursuit-guides/

Offline Foxpup

  • Hero Member
  • Species: Cyborg Fox
  • *****
  • Male
  • Posts: 1182
Re: Trojan removal - Is it over?
« Reply #18 on: December 05, 2010, 08:26:20 pm »
Quote
Trojans generally are that easy to deal with. Usually, once the .exe's gone, so is the Trojan. However, they do like to change your firewall and internet settings in the registry, leaving you open to other attacks. Download Malwarebytes' Anti-Malware, it'll scan your registry for suspicious settings and make everything all better.

Foxpup, I am going to have to disagree with you strongly about your opinion that most malware infections are easy to deal with.  I would say that Nicholai was lucky that he got infected by something that was so easy to remove.

I said "most". "Most" =/= "all", not by a long shot! I'm not denying that there's a lot of Trojans out there that will completely ruin your day.

Quote
Very lucky.  There is a lot of malware out there that is truly devastating, and NOT EASY TO REMOVE AT ALL.  My Windows Vista Ultimate SP2 machine got nailed by the TDSS Rootkit about a year ago, and it was a nightmare.  It took me almost a week to finally get rid of the thing completely.  Why?  Well, for starters it prevents any process related to anti-virus or anti-malware products from running.  It also completely slaughtered System Restore.  After the infection was removed I discovered that all of my restore points, and system restore itself, had all been deleted by the TDSS rootkit, so there was no easy way to revert my system back to the state it was in right before the infection.

Don't rely on System Restore. Ever.

Quote
But that was just the start of the defenses that this particular rootkit implemented.  It rewrites your master boot record and causes it to load the rootkit's code from the last sectors of your hard drive, which are located outside of the file system.  If that wasn't sneaky enough, it also encrypts all of the code that it writes to these sectors and decrypts it on the fly as-needed.  This accomplishes two things: 1. It ensures that the rootkit's code gets executed before everything else, including Safe-Mode Windows.  2. It ensures that almost no virus or anti-malware scanner can find it, because its executable code is not stored in a file in the file system that can be scanned.  It's outside of the file system, and its your file system that almost every anti-virus and anti-malware scanner scans through.

Linux boot CD = problem solved. Use parted to find your hard drive's block size and the byte offset of the end of your last partition, then pass them to dd (aka "Disc Destroyer"), assuming your hard drive is /dev/sda:

parted /dev/sda unit B print

Take the byte offset of the end of the last partition, add one and divide by the block size to get the block offset.

dd bs=<block size> seek=<block offset> if=/dev/zero of=/dev/sda

You might want to make a backup before doing this! :D Then just reinstall your bootloader.

Quote
But that is only the first thing that this bad boy does.  It gets better.  Way better.

To quote the PrevX blog write-up on this rootkit (emphasis theirs):

Quote
Then, to be loaded at Windows startup, Tdss rootkit uses a technique we have seen applied by Rustock.C rootkit - and other rootkits like Neprodoor: infecting Windows system drivers. Tdss rootkit walks back the chain of drivers that handle hard drive I/O looking for last miniport driver object. When found, it infects driver's PE file by overwriting 824 bytes of the resource section. By doing so, it evades a simple check that some antirootkits usually use to detect hidden rootkits: file size cross check. Usually rootkits that infect files can hide their presence by showing the original file instead of the infected one. Antirootkits which are using raw disk reading techniques could read below the filter applied by these kind of rootkits and could cross check file sizes looking for discrepancies.

This time is different, because of two evident reasons: currently no antirootkit is able to bypass disk filtering technique used by Tdss rootkit but, even if it was possible, this rootkit could not be detected by file size cross check because file size of the original and infected files are exactly the same.

When the infected driver runs, it executes the 824 bytes loader which then runs the kernel mode component of the infection. It creates a fake driver object, its relative device object, and hijacks every disk I/O communication at the level of the drivers' chain where the infected driver was located (i.e. infected driver could be atapi.sys, or iastor.sys).

The rootkit intercepts every communication and filters out IRP_MJ_SCSI packets that have specific SRB flags set. By doing so, it hides the patched driver on the disk and all disk sectors where its components are located. This is a really effective technique of disk hiding.
You could just slave the hard drive to another computer and run your antimalware software from there. Most antimalware programs (at least, the good ones) use hash libraries, not a file size check, since what this rootkit is doing is no new trick - it's been going on for at least a decade.

Quote
So as a word of warning, don't get lulled into complacency just because your last trojan infection turned out to be easy to remove.  Keep your anti-virus software and Windows patches up to date, have more than one anti-malware scanner installed and kept up to date such as Spybot Search and Destroy or Malwarebytes Anti-Malware, try to use best computer security practices whenever possible, stay suspicious of any file that you download from an untrusted source even if your anti-virus scanner says that it's O.K., and only enable the services on your computer that you need for what you are using it for.  That still won't save you from everything, such as some of the nasty still-unpatched browser, Java, and Adobe product exploits out there, but in the end there is really only so much you can do without resorting to software applications such as the before-mentioned Deep Freeze or disconnecting your computer from all networks completely.

Good advice.

EDIT: typo
« Last Edit: December 05, 2010, 08:43:08 pm by Foxpup »
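The parted-and-dd procedure in the post above is easy to get wrong by one block, and a wrong seek either misses the hidden sectors or starts zeroing inside the last partition. This added shell example (mine, not from the thread) parses a constructed `parted /dev/sda unit B print` listing, computes the block offset exactly as described (end of the last partition plus one, divided by the block size, rounded up if the end is not block-aligned) and prints the resulting dd command instead of running it; the disk geometry and device name are made up.

```shell
#!/bin/sh
# Added example (not from the thread): derive the dd seek offset for the
# unpartitioned sectors past the last partition from a parted listing.
# Nothing here touches a disk; the wipe command is only printed.
set -eu

# Constructed sample of `parted /dev/sda unit B print` output: a 500 GB disk
# whose last partition ends 1 MiB (2048 sectors of 512 bytes) before the end.
SAMPLE_PARTED_OUTPUT='Model: ATA Example Disk (scsi)
Disk /dev/sda: 500107862016B
Sector size (logical/physical): 512B/4096B
Partition Table: msdos

Number  Start         End            Size           Type     File system  Flags
 1      1048576B      104857599B     103809024B     primary  ntfs         boot
 2      104857600B    500106813439B  500001955840B  primary  ntfs'

# (end_byte + 1) / block_size, as the post says. The extra (bs - 1) rounds up
# when the partition does not end on a block boundary, so the wipe can never
# begin inside the last partition.
compute_seek() {  # $1 = byte offset of the end of the last partition, $2 = block size
    end=$1; bs=$2
    echo $(( (end + 1 + bs - 1) / bs ))
}

# Logical sector size from the "Sector size (logical/physical): 512B/4096B" line.
logical_sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Sector size (logical\/physical): *\([0-9]*\)B.*/\1/p'
}

# Whole-disk size in bytes from the "Disk /dev/sda: ...B" line.
disk_size_bytes() {
    printf '%s\n' "$1" | sed -n 's/^Disk [^:]*: *\([0-9]*\)B.*/\1/p'
}

# End column of the last partition row (rows start with the partition number).
last_partition_end() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { end = $3 } END { sub(/B$/, "", end); print end }'
}

# Blocks from the computed seek to the end of the disk, so the printed command
# zeroes exactly the trailing unpartitioned area and nothing else.
trailing_block_count() {  # $1 = disk size in bytes, $2 = block size, $3 = seek
    echo $(( $1 / $2 - $3 ))
}

# Assemble (and only print) the dd command for a device and its parted listing.
wipe_command() {  # $1 = device, $2 = parted output
    bs=$(logical_sector_size "$2")
    seek=$(compute_seek "$(last_partition_end "$2")" "$bs")
    count=$(trailing_block_count "$(disk_size_bytes "$2")" "$bs" "$seek")
    echo "dd bs=$bs seek=$seek count=$count if=/dev/zero of=$1"
}

wipe_command /dev/sda "$SAMPLE_PARTED_OUTPUT"
```

Run against a real `parted` listing, the printed command is what you would review before typing it from the boot CD; the `count=` keeps dd from running past the area you meant to clear.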

Offline Mooshi

  • *****
  • Posts: 1686
Re: Trojan removal - Is it over?
« Reply #19 on: December 05, 2010, 10:05:52 pm »
Just throwing this out there: no browser is the best. Some are better than others, but none is perfect. Browsers like Chrome are horrible because Google has a bad habit of spying on and tracking you. >.> - The reason why IE gets hate is because it's notorious for not adhering to web standards. Web developers also have to constantly baby IE 6 because people still use that horrible browser! D:< If your OS is pre-Windows 7, IE is tied into your system...which is a major security flaw. In Windows 7, IE can be removed without breaking anything. If you don't like Firefox, there is always Opera, or you could develop your own browser with WebKit. ;)
« Last Edit: December 05, 2010, 10:09:41 pm by Mooshi »

Offline Kobuk

  • The "Malamute Dewd"
  • Hero Member
  • Species: Anthro Alaskan Malamute (Husky)
  • #1 Dew drinker.
  • *****
  • Male
  • Posts: 27484
Re: Trojan removal - Is it over?
« Reply #20 on: December 05, 2010, 10:24:13 pm »
Know what the best defense against viruses, rootkits, trojans, etc. is? And even then, it still isn't enough. The best defense is: YOURSELF (I don't just mean you, Hoagiebot. I mean ALL people in general.). If people were a little more vigilant, informed, and aware of where they went on the Internet and what they were doing, what they're clicking, and were also more comp/tech savvy, then they wouldn't have all the virus and other problems that they have. The first line of defense in any comp/Net security/virus situation isn't McAfee, Spybot S&D, etc., it's yourself. ;)
« Last Edit: December 05, 2010, 10:43:07 pm by Kobuk »

Offline Landrav

  • Hero Member
  • Flufftaur
  • *****
  • Male
  • Posts: 2441
    • My FA
Re: Trojan removal - Is it over?
« Reply #21 on: December 05, 2010, 10:36:43 pm »
I've read about some really interesting yet disturbing trends in computer security that show the biggest threats now are social engineering.  My favorite example from class was that a researcher put a bowl full of USB sticks on the receptionist's desk with a sign saying "FREE!"  But the USB drives were loaded with potential malware.

Offline Nicholai

  • Hero Member
  • "This will all end in tears"
  • *****
  • Male
  • Posts: 1972
    • FA
Re: Trojan removal - Is it over?
« Reply #22 on: December 05, 2010, 11:08:53 pm »


You could just slave the hard drive to another computer and run your antimalware software from there.

*Nods* This is what I had planned to do if my manual 'safe mode and hunt' technique failed.

Just throwing this out there: no browser is the best. Some are better than others, but none is perfect.
This. No browser is even close to 100% secure. Also, the Trojan was my fault: I downloaded something from a faked/cybersquatting Twitter account.

Offline Hoagiebot

Re: Trojan removal - Is it over?
« Reply #23 on: December 06, 2010, 02:48:06 am »
No, I was referring to adblock.
Firefox has an adblock plugin.

I've seen an obscene number of virus infections because people were not blocking ads. In fact, all but two of the ones I have seen were from Flash ads (the other two were from flash drives).

Fair enough.  Adobe Flash is one of the largest vectors of infection and Firefox's Adblock plugin is a good defense against that.  You didn't make it clear that you were talking specifically about the plugin, so I misunderstood you and thought that you were doing one of those generic "Firefox rules, IE sucks" kind of smears that really rub me the wrong way.  Sorry if I came across as starting to become uncivil; I just wanted to make the point that there is no browser out there that is completely bullet-proof.  In fact, I am currently signed up to attend a free blackhat.com security webcast occurring in a couple of weeks talking about how you can abuse the newly implemented HTML5 support found in many browsers to perform attacks that at one time could only be executed outside of the browser's sandbox.  This webcast goes to show that the potential for new security vulnerabilities still marches on, and affects every new technology.

I've read about some really interesting yet disturbing trends in computer security that show the biggest threats now are social engineering.  My favorite example from class was that a researcher put a bowl full of USB sticks on the receptionist's desk with a sign saying "FREE!"  But the USB drives were loaded with potential malware.

Malware using social engineering tactics has been around for many years now, and has proven to be extremely successful.  In fact, the LoveLetter worm that struck in 2000 still holds the record for causing more monetary damage to businesses than any other malware program.  The Anna Kournikova worm was also a pretty famous example.  And the very idea behind Trojan Horse programs, that they convince you into thinking that they are a legitimate program so that you execute them, is a form of social engineering.  The prevalence of malware using social engineering as an attack vector makes what Kobuk said above definitely ring true about the first line of defense being yourself.

You could just slave the hard drive to another computer and run your antimalware software from there.

Two words of caution about doing this if you are using two Windows machines:

1. Windows XP, Vista, 7, etc. adds unique identifiers to the internal hard drives that you use in your system.  If you remove your internal hard drive from one Windows system and place it into another one it will change the identifier on the disk, the disk will become marked as "unallocated," and you will likely lose much of the data on your drive.  I found this out the hard way once when I moved an NTFS-formatted hard drive from the motherboard's IDE controller to a Promise Technology IDE controller card in the same machine.  Just changing what controller the drive was plugged into made Windows Server 2K3 think that it was a different drive entirely, and it automatically marked the entire drive as being "unallocated."  After trying several ways to recover the drive's file system I finally had to resort to using a low-level hard drive recovery program to restore the file system of the drive, and even after all of that effort many of the files ended up already being corrupted.  Back in the FAT32 days you could swap your internal hard disks between computers at will, but thanks to someone's bright idea at Microsoft that is just not the case anymore.  Move your NTFS-formatted internal hard disks to and from Windows machines at your own risk!

2. Some malware (such as a Smitfraud infection that I once battled) will add autorun.inf files to the root directories of your hard drives, which will cause them to run the malware code on a computer as soon as the drive is accessed.  This is done with the specific purpose of infecting your second Windows computer if you place the infected drive in it as a slave or hook it up to your computer through an external hard drive enclosure.  So watch out, the malware writers could be one step ahead of you and may have thought of that already!

That is why it is so important to do what Landrav recommended above and identify what malware is infecting your system.  That way you can find out exactly how it entrenches itself onto your machine, what methods it uses to infect other systems, etc., which will allow you to be able to plan your countermeasures against it accordingly.  That way little tricks like using autorun.inf files as an attack vector won't catch you off guard and infect yet another machine.
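A defender-side check for the autorun.inf trick Hoagiebot describes above, as an added example that is not part of the thread: it parses an autorun.inf from a drive root and reports which entries would launch a program when the drive is opened, so the slaved disk can be reviewed before Explorer touches it. The sample file content, the list of execution keys and the helper names are assumptions for this example.

```python
import os

# Constructed sample autorun.inf of the kind described above: the drive's
# "open" action points at an executable hidden in a system-looking directory.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-1234\\setup.exe
shellexecute=RECYCLER\\S-1-5-21-1234\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1234\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Local Disk
"""

# [autorun] keys that cause code to run when the drive is opened or explored
# (assumed list for this example; icon/label entries are cosmetic only).
EXEC_KEYS = ("open", "shellexecute",
             "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into a {key: value} dict."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        if line.startswith("["):                # section header
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def find_exec_entries(text):
    """Return (key, target) pairs that would launch a program on drive access."""
    return [(k, v) for k, v in parse_autorun(text).items() if k in EXEC_KEYS]


def check_drive_root(root):
    """Read autorun.inf at a mounted drive root and return its exec entries.
    Returns None when no autorun.inf exists (the normal case for a data disk)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as f:
        return find_exec_entries(f.read())


if __name__ == "__main__":
    for key, target in find_exec_entries(SAMPLE_AUTORUN):
        print(f"autorun.inf would run '{target}' via '{key}'")
```

Reviewing the drive root this way complements, rather than replaces, disabling AutoRun on the machine the disk is slaved to.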

Offline Mooshi

Re: Trojan removal - Is it over?
« Reply #24 on: December 06, 2010, 01:27:39 pm »
So, I think we learned the obvious. Don't click funny things and don't accept things from strangers. :D It's almost like what our mothers would tell us about how opened candy is bad on Halloween. (Free USB drives in this case.) Never accept media unless it's still in its packaging. :3  I don't think OP was doing this on purpose, mind you. Sometimes people put vile things within something that appears harmless...like when /b/tards uploaded porn to YouTube under the disguise of Justin Bieber videos..bet those kids were shocked. Never trust the internet or crappy "artists" xD