IceInSpace > Equipment > Software and Computers

#1  25-08-2009, 05:09 PM  DavidU (Dave)
Rogue antivirus: Total Security

Watch out for Total Security! It is very difficult to remove. It took many hours to get it off my laptop. If you don't purchase the program online it slowly stops most programs and disables any other removal tool. I suspect it loaded a stack of trackers & trojans last night, and yes, all my antivirus programs were on and up to date.
It also disables your ability to get into the directory to find tse.exe.

#2  25-08-2009, 05:21 PM  renormalised (Carl)
I never download anything I don't trust and certainly never anything like these....learnt that lesson many many moons ago.

#3  25-08-2009, 05:25 PM  DavidU (Dave)
Quote:
Originally Posted by renormalised
I never download anything I don't trust and certainly never anything like these....learnt that lesson many many moons ago.
The thing is I didn't download anything, no one touched my laptop! There is a fuss on the net about it:
http://www.bleepingcomputer.com/viru...total-security

#4  25-08-2009, 05:42 PM  dpastern (Dave Pastern)
My advice David - backup all user data, wipe the system with a low level format, make sure to fdisk /mbr from a bootable DOS floppy too. Reinstall everything and then your user data.

My reasoning is that you can't be sure that you got everything that this mongrel application installed.

Dave

#5  25-08-2009, 05:59 PM  DavidU (Dave)
Quote:
Originally Posted by dpastern
My advice David - backup all user data, wipe the system with a low level format, make sure to fdisk /mbr from a bootable DOS floppy too. Reinstall everything and then your user data.

My reasoning is that you can't be sure that you got everything that this mongrel application installed.

Dave
Yep, doing that tonight. Still stuff in sys32 etc.
This is the worst one I have seen.

#6  25-08-2009, 06:56 PM  Tandum (Robin)
It's just the latest version of PAV (Personal Antivirus). Google it. It's not hard to remove.

#7  25-08-2009, 09:13 PM  dpastern (Dave Pastern)
As someone who works in the industry, I can only stress that today's modern viruses tend to try and install as much crap on your system once they gain a foothold. As Hicks said in Aliens - the only way to be sure is to nuke it from orbit.

Dave

#8  26-09-2009, 11:43 AM  Ghost_Returns (Richard)

Gentlemen,

3 programs to run that will forever remove the little bugger.

1) Combofix (Bleeping Computers)
2) SDfix (Only works for XP)
3) Spybot search & destroy



Having 20 years working in the IT industry, and running and managing my own IT business, I work on these issues on a daily basis.


#9  26-09-2009, 06:30 PM  dpastern (Dave Pastern)
Richard - I respectfully disagree. In today's modern world, when a system gets compromised, in a lot of instances, getting rid of the junk on someone's system is not only difficult, but extremely time consuming. Also, there are means and ways around your noted software finding problems, i.e. compromised binaries (a la rootkits).

Dave

edit: whilst this covers Debian GNU/Linux, many of the principles are the same dealing with other operating systems:

http://www.debian.org/doc/manuals/se....html#contents

and specifically:

http://www.debian.org/doc/manuals/se...romise.en.html

Note what it says:

Quote:
Remember that if you are sure the system has been compromised you cannot trust the installed software or any information that it gives back to you. Applications might have been trojanized, kernel modules might be installed, etc.

#10  26-09-2009, 06:52 PM  snowyskiesau
I thought the original post was about a Windows virus/malware infection.

How's the reference to Debian relevant?

#11  26-09-2009, 08:12 PM  dpastern (Dave Pastern)
Quote:
Originally Posted by snowyskiesau
I thought the original post was about a Windows virus/malware infection.

How's the reference to Debian relevant?
Geoff - if you take the time to read my post you'll see that I said:

Quote:
edit: whilst this covers Debian GNU/Linux, many of the principles are the same dealing with other operating systems
The principles for dealing with compromised systems are the same no matter which o/s you are running. There is little in the way of documentation for securing the Windows operating system, unless you wish to look at thousands of different webpages over the web. Since my argument revolved around assuming that no compromised system is totally safe thereafter, and I wanted to demonstrate what other security-minded people think of the matter, I quoted from the Debian guide.

Please try and find a similar quality article for the Windows system ;-)

Dave

#12  26-09-2009, 09:22 PM  mithrandir (Andrew)
Quote:
Originally Posted by dpastern
... Since my argument revolved around assuming that no compromised system is totally safe thereafter, and I wanted to demonstrate what other security minded peoples think of the matter, I quoted from the Debian guide.
Please try and find a similar quality article for the Windows system ;-)
I've had one suspect Linux system in over 10 years. I booted off CD and verified all files against the originals on CD or fresh copies of patch sets.

"Windows virus" and "Windows malware" are both tautologies. The most recent malware I've seen in action will require a complete system rebuild. I might get round to it sometime.

#13  26-09-2009, 11:26 PM  dpastern (Dave Pastern)
[now becoming a bit off topic]

Linux rootkits are becoming more common sadly. Most of the people running Linux as servers, with connectivity to the big bad wide world, do not lock their systems down properly. Blackhats just love 'em! Cracking a system isn't about the hollywood BS that you see, it's about knowing the operating system, knowing the vulnerable pieces of software on it, and knowing how to exploit them. It's more like detective work than glamour work. Windows XP pre SP 2 could be p0wned in under a minute if you knew how. At least XP SP 2 is much, much better.

Personally, on a work system, I prefer to have each major directory on its own mountable partition (/root, /boot, /etc, /var, /opt, /bin, /sbin and so on and so forth) - it makes it far easier when dealing with intrusions. I personally like tripwire installed on any production system, with the results burnt to a non-rewritable CD. When you get a problem, remove the drive from the system, boot off a non-infected system and mount said drive, then compare the hashes from the CD to the drive in question to see which binaries and files have been modified. In most cases, it's not worth the effort - far better to blow the system away with a low level format with multiple passes imho.

Dave
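The offline integrity check described in the two posts above (a hash baseline of the clean system kept on read-only media, then booting from clean media, mounting the suspect disk and comparing), as an added example in Python. This is not part of the original thread and is not tripwire's own code or database format; the JSON baseline file, the demo directory tree and the three intruder changes are constructed here for illustration, and the mount point of the suspect disk is whatever the reader supplies to `verify()`. Note that a check which only re-verifies the files listed in the baseline misses files an intruder added, so the comparison reports added and removed paths as well as modified ones.

```python
# Added example: offline file-integrity baseline and comparison, in the spirit
# of the tripwire workflow described in the post above. Not tripwire's code.
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record every file under root: relative path -> hash, size, permission bits.

    Symlinks are recorded by their target rather than followed, so a link
    re-pointed at an attacker-supplied binary shows up as a modification.
    """
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            st = p.lstat()
            entry = {"mode": st.st_mode & 0o7777}   # catches setuid/setgid flips
            if p.is_symlink():
                entry["target"] = os.readlink(p)
            else:
                entry["size"] = st.st_size
                entry["sha256"] = sha256_file(p)
            baseline[rel] = entry
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Write the baseline as JSON. This is the file to burn to non-rewritable
    media: a baseline left on the host can be edited by the same intruder."""
    Path(out).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. 'added' matters as much as 'modified': dropped
    files (backdoors, rogue drivers) are invisible to a check that only
    re-hashes the paths already in the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def verify(mounted_root: Path, baseline_path: Path) -> dict:
    """Run from a clean boot with the suspect disk mounted read-only at
    mounted_root (e.g. /mnt/suspect; assumed, not from the thread)."""
    return compare(load_baseline(baseline_path), build_baseline(mounted_root))


def demo() -> dict:
    """Constructed scenario: a tiny fake system tree, a baseline taken while
    clean, then three changes an intruder with a rootkit might make."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "disk"
        clean = {
            "bin/ls": b"ELF clean ls",
            "bin/ps": b"ELF clean ps",
            "sbin/ifconfig": b"ELF clean ifconfig",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        }
        for rel, content in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        baseline_file = Path(tmp) / "baseline.json"     # stands in for the CD
        save_baseline(build_baseline(root), baseline_file)

        # Intruder: trojan ls, drop a hidden backdoor, delete a revealing tool.
        (root / "bin/ls").write_bytes(b"ELF trojaned ls that hides /lib/.x")
        (root / "lib").mkdir()
        (root / "lib/.x").write_bytes(b"backdoor")
        (root / "sbin/ifconfig").unlink()

        return verify(root, baseline_file)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline records only files, so a directory an intruder creates is reported through the files placed inside it; hashing from a clean boot is what makes the result trustworthy, since (as the Debian guide quoted earlier says) nothing the compromised system reports about itself can be believed.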

#14  26-09-2009, 11:31 PM  DavidU (Dave)
Now thats cool Dave
Quote:
Originally Posted by dpastern
[now becoming a bit off topic]

Linux rootkits are becoming more common sadly. Most of the people running Linux as servers, with connectivity to the big bad wide world, do not lock their systems down properly. Blackhats just love 'em! Cracking a system isn't about the hollywood BS that you see, it's about knowing the operating system, knowing the vulnerable pieces of software on it, and knowing how to exploit them. It's more like detective work than glamour work. Windows XP pre SP 2 could be p0wned in under a minute if you knew how. At least XP SP 2 is much, much better.

Personally, on a work system, I prefer to have each major directory on its own mountable partition (/root, /boot, /etc, /var, /opt, /bin, /sbin and so on and so forth) - it makes it far easier when dealing with intrusions. I personally like tripwire installed on any production system, with the results burnt to a non-rewritable CD. When you get a problem, remove the drive from the system, boot off a non-infected system and mount said drive, then compare the hashes from the CD to the drive in question to see which binaries and files have been modified. In most cases, it's not worth the effort - far better to blow the system away with a low level format with multiple passes imho.

Dave

#15  27-09-2009, 08:42 PM  dpastern (Dave Pastern)
Quote:
Originally Posted by DavidU
Now thats cool Dave
It is. Computer security is a very interesting topic, no matter what o/s you use. The principles for securing a system are the same, but UNIX and other UNIX-like systems have a good, solid head start over Windows, simply because their primary design ideals have been for security and reliability, not ease of use. Ease of use is nice, but it will always result in trade-offs on security/reliability imho. It's a fine line to walk. OS X does a nice job of it imho.

You could get really crazy and run stuff like freeBSD with jails, or Linux with chroots, or Solaris with zones and tie them down very tightly.

The Debian guide was really just to show the basics of securing a system and, if a system has been compromised, imho the best way of dealing with it is blowing it away. You simply cannot be 100% sure that software will find every bit of trash. I wish it was that easy.

That said, Geoff has good points - these automated software cleanups will get rid of *most* of the junk, possibly all. There are some good books on the subject of computer security, and it's fun to read. Knowing what black hats get up to can sometimes help you learn how to tighten your system down. The fact that I work in the business only adds to the importance of learning about computer security imho.

Dave

#16  28-09-2009, 04:52 PM  White Rabbit
Yeah, I reformat every 3 months or so. As soon as my system starts to show signs of slowing down, I wipe it and start again.

#17  28-09-2009, 05:52 PM  dpastern (Dave Pastern)
Quote:
Originally Posted by White Rabbit
Yeah, I reformat every 3 months or so. As soon as my system starts to show signs of slowing down, I wipe it and start again.
Ah the joys of Windows ;-) I have to say though, I've been very happy with my Vista install - I haven't noticed the usual slowdown that Windows does. I'll probably upgrade to Windows 7 as well.

Dave

#18  29-09-2009, 10:26 AM  kustard (Simon)
Quote:
Originally Posted by dpastern
Ah the joys of Windows ;-) I have to say though, I've been very happy with my Vista install - I haven't noticed the usual slowdown that Windows does. I'll probably upgrade to Windows 7 as well.

Dave
I've been running Vista on my home machine now for about 3 years. I've had it BSOD a few times on me, which were caused by video card driver issues. I can't upgrade to the new Service Pack though, as I have a dual-boot system with Linux and the SP install doesn't like not having control over the MBR. I'll soon reformat and re-install, probably with Win7.

As for the Total Security program, it's a nasty piece of work. A guy here at work had it on his laptop after he let his kids play games on it. I managed to clean it off, but then I still backed up his data and reformatted.

#19  29-09-2009, 10:38 AM  dpastern (Dave Pastern)
I triple boot XP 32 bit, Debian AMD 64 bit and Vista 64 bit without issues.

Dave