Consolidated Security Thread (legacy)

Page 9

JustStarting

Diamond Member
Dec 13, 2000
3,135
0
76
We should start a Vista compatible list of security software.... maybe it's already done and I overlooked it??

I've tried AVG 7.5 (free), Avast 4.7.942 (free), but I've yet to find a good firewall that will install. Vista has its own Windows firewall as usual plus Windows Defender..... is this good enough??
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
I had a Windows XP 64-bit security applications thread, it was merged with this one, and later with the hot deals thread. A Vista security software list would be more handy, will add in the next revision.
 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
33,944
2
81
Originally posted by: bloodandsoil
I was a software quality engineer and worked in OS-level software development for 7 years. I have also done a year of work as a bench technician at a PC-repair shop. Currently employed as an information systems analyst with the U.S. Army.

Obviously you're a savvy user and probably have a lot of common sense. Unfortunately a lot of end users do not.

Listen, there's no need to turn your PC into an anti-virus processing machine. I've seen many folks creating much unnecessary overhead. From personal and professional experience, here are my recommendations for a clean-machine.

1. Buy a legit copy of XP.
2. Update all critical updates.
3. Go here -- http://home3.ca.com/Microsoft/Default.aspx?lang=en-US -- and download a free 1-year version of Computer Associates Anti-Virus 2007. This is the anti-virus program that Microsoft itself uses on its own computers. Less heavy than Norton or McAfee. Less buggy also.
4. Go to www.microsoft.com and get Windows Defender. This program originated when MS bought out Giant Anti-Spyware. Giant Anti-Spyware was hands-down THE best anti-malware program out there. Microsoft incorporated its technology, re-branded and re-coded and voila...we have Windows Defender.
5. Optional step. Get Mozilla Firefox. Also, if you use a mail client like Outlook or Outlook Express (as opposed to webmail), recommend getting Mozilla Thunderbird.

That's pretty good advice, but unfortunately some of it is dated. CA anti-virus has a mediocre detection rate, and although it has several VB100% certs under its belt that doesn't mean it has a good detection rate outside of those specific tests. NOD32, Kaspersky, and Avira offer superior detection and real-time protection.

While Giant was a leading anti-spyware tool a few years ago, since MS acquired the company it has taken a backseat to several programs. Defender is a basic tool with real-time protection and a mediocre detection rate. If you want a true real-time application that has virtually no overhead and one of the best detection rates on the market, check out SUPERAntiSpyware. If you'd like feedback on it, head over to Wilders Security. As far as on-demand scanners go, AVG/Ewido, Spy Sweeper, Counterspy, and a-squared are solid choices.


That's it. No need to go crazy installing multiple anti-spyware, anti-adware, pop-up blockers, anti-malware, anti-virus, firewalls, etc. You just need ONE anti-virus program, ONE anti-malware solution, and ONE firewall.

I think you meant to say one real-time anti-malware/spyware app. No product is 100% and you need several quality tools to remove various infections.

Also, I recommend periodically booting into safe mode and running full scans with your anti-virus and anti-malware programs. And, if you suspect any infections, remove your HDD and mount it into a known clean system and run the scans externally.

I agree with the safe mode scans, but scanning the drive on another pc is a bad idea. A lot of infections occur in the registry and malware removal tools cannot access the registry when it's a slave drive.


 

ScrapSilicon

Lifer
Apr 14, 2001
13,625
0
0
Originally posted by: John
No product is 100% and you need several quality tools to remove various infections.

Also, I recommend periodically booting into safe mode and running full scans with your anti-virus and anti-malware programs. And, if you suspect any infections, remove your HDD and mount it into a known clean system and run the scans externally.

I agree with the safe mode scans, but scanning the drive on another pc is a bad idea. A lot of infections occur in the registry and malware removal tools cannot access the registry when it's a slave drive.

Yes, but by doing the slave route you possibly might get the drive back to the point where it's bootable enough to get to safe mode. As you said:

No product is 100% and you need several quality tools to remove various infections.

You might also want to say "methods" as well.
 

Thawk

Member
Jun 6, 2001
144
0
0
Is this still the place to post problems? I hope so.

My browser is getting hijacked at launch to http://www.allsecuritynotes.com/. I used some of the tools here to fix some other issues but this problem continues. Is there a specific action I can take to remove this?
Thanks!
Don
 

Thawk

Member
Jun 6, 2001
144
0
0
Originally posted by: Schadenfroh
Thawk, does this sound like your problem?

http://forums.techguy.org/security/539424-exclamation-mark.html

We cannot be sure until we see a hijackthis log.
That was it, thanks! I used the steps they suggested and it worked! Now the only weird thing is that no matter what I set my default home page to, it reverts to blank after reboot. Not really a big deal but annoying. Anyone had that happen?

Here is my hijack log.
*****
Logfile of HijackThis v1.99.1
Scan saved at 5:26:06 PM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\winclean.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DONAVE~1\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl...hapx/RhapsodyPlayerEngine_Inst_Win.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
You've got at least one backdoor bot on your system. Don't do any online banking, online transactions, etc. until your computer is cleaned. Also, you didn't extract HijackThis properly, and it's going to get flushed along with the backups it makes when you clean your Temp folders.

Make a folder on your C:\ drive, name it something like HJT and move HijackThis.exe over to it.

Post in a forum like bleepingcomputer, spywareinfo, castlecops, etc. and post your log there. I can guarantee that you've got more on your system than what is showing in your HJT log.
 
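The log posted above follows the HijackThis v1.99 layout: a "Running processes:" list followed by O-numbered entries, of which the O4 lines are the Run-key and Startup-folder autostarts. As an added example (not part of this thread and not HijackThis's own code), here is a small Python parser that pulls the O4 entries out of such a log, checks whether each autostart binary also appears in the running-process list, and lists any process launched from a Temp folder, which is the detail behind Medea's remark that HijackThis was run straight out of the archive. The log text embedded in the script is constructed to match the posted format (trimmed, with placeholder names); the function names are my own.

```python
"""Parse a HijackThis v1.99-style log and cross-reference its O4 autostart
entries against the 'Running processes' section.  Added example; the
SAMPLE_LOG below is constructed to mirror the layout of the posted log."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the same layout as the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\winclean.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Example.lnk = C:\Program Files\Example\example.exe
O23 - Service: Example Service (ExSvc) - Example Corp - C:\WINDOWS\system32\exsvc.exe
"""

# O4 registry autostart:  O4 - HKLM\..\Run: [Name] command line
RUN_KEY = re.compile(r'^O4 - (?P<key>HK\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# O4 Startup-folder shortcut:  O4 - Global Startup: Name.lnk = target
STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
# First token of a command line: either a quoted path or text up to ".exe".
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def parse_hjt_log(text):
    """Return {'processes': [paths], 'entries': [(O-type, detail)]}."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False      # blank line ends the process list
            continue
        if in_procs:
            processes.append(line)
            continue
        m = re.match(r'^(O\d+) - (.*)$', line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def exe_of(cmd):
    """Executable referenced by a Run-key command line, or None."""
    m = EXE.match(cmd)
    return (m.group(1) or m.group(2)) if m else None


def autostart_entries(text):
    """O4 entries as (name, exe, is_running), where is_running means the
    executable's file name also appears in the running-process list."""
    log = parse_hjt_log(text)
    running = {PureWindowsPath(p).name.lower() for p in log["processes"]}
    result = []
    for kind, detail in log["entries"]:
        line = f"{kind} - {detail}"
        m = RUN_KEY.match(line) or STARTUP.match(line)
        if not m:
            continue
        exe = exe_of(m.group("cmd"))
        base = PureWindowsPath(exe).name.lower() if exe else ""
        result.append((m.group("name"), exe, base in running))
    return result


def processes_in_temp(text):
    """Running binaries launched from a Temp directory, e.g. a tool opened
    straight from an archive viewer rather than from its own folder."""
    return [p for p in parse_hjt_log(text)["processes"]
            if "\\temp\\" in p.lower()]


if __name__ == "__main__":
    for name, exe, live in autostart_entries(SAMPLE_LOG):
        print(f"{'running' if live else 'absent '}  {name:<16} {exe}")
    for p in processes_in_temp(SAMPLE_LOG):
        print("launched from Temp:", p)
```

Autostart entries whose binary is not currently running are not by themselves suspicious (some only run at login), and a running one is not by itself malicious; the cross-reference is only meant to make the two sections of the log easier to read together before handing it to the specialist forums Medea names.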

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Do as Medea suggested, Thawk. Those guys at Bleepingcomputer, spywareinfo and castlecops know a good deal more than I do nowadays about HijackThis.
 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
33,944
2
81
Click the link in my sig, making sure that after you install and update the programs in 3-8 in normal mode you reboot to safe mode to run all of the tools in the order they are listed. Afterwards you can run a McAfee command line scan (look under Virus removal), reboot to normal mode, then post a new HJT log in this thread.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
How come when I extract a rar file with a few exe files in it, NOD32 CPU usage spikes and it takes a while for it to extract? (I gather that's NOD32 scanning it???)

Thanks
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
50,320
6,520
136
I'm dropping AVG.

I'm a big fan of AVG - lightweight, easy to use - but my mom's computer was running slow (daily updates/scans with AVG) and so I ran Kaspersky online - it's already detected 3 viruses and 31 infected objects. Way to go AVG :disgust:
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
wizboy11, many pieces of malware are compressed; NOD32 is scanning it as you extract.
rxblitzrx, CST support for Vista is planned, for now please see the VST in my sig.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Draft 1 of the CST (The Vista Update) is complete, I have sent copies to various security gurus of Anandtech for critique. If anyone would like a copy of it PMed to them, let me know, as I would appreciate the feedback.

UPDATE 2/09/07: Major revision of draft 1 is needed
UPDATE 2/10/07: mechBgon's suggestions have been implemented in draft 2, still working on integrating Medea's.
 