My brother just experienced his notebook computer being infected with a trojan, which I suspected to be coming from a wifi connection he regularly connects to.
I reformatted the hard drive and reinstalled the OS and the other software. Now... I would like to know what is the best defense for such in the future? Does Norton Internet Security offer enough protection for such? Thanks!
Oh, this is great. Catch a virus, worm, or whatever, and wipe everything and start over. I remove such things almost daily from various users' machines. I rarely have to wipe the machine and start over. What's he going to do if it happens again? Wipe the machine again (without a backup)?
Correct. Do it right NOW.
Learn to use System Restore: Start -> Programs -> Accessories -> System Tools -> System Restore
Learn to do image backups. I suggest Norton Ghost 2003 (not Ghost version 10) to a DVD drive or an external USB drive or burner.
Organize your hard disk so that backups are easy. Locate the well hidden directories where Microsoft buries its data files for Outlook, Outlook Express, Windoze Address Book, Favorites, etc. Those should also be backed up regularly. You can also use a USB dongle for current work backups.
Turn on the Windoze Firewall. Don't mess with the exceptions unless you know what you're doing. Start -> Settings -> Control Panel -> Windoze Firewall. Norton Internet Security comes with a replacement firewall which has additional features (blocking outgoing traffic), but is pure hell to configure.
Get an Anti-Virus program. I use:
Internet Security includes Norton Anti-Virus, which is fine. However, my experience with 2004 thru 2005 is that it slows the machine down drastically and often self-destructs while trying to remove or block a virus. Fragile would be a kind description. No clue on 2006, as I currently remove the 90 day demo version before the customer even notices.
Get an Anti-Spyware program. I use Microsoft Defender Beta 2. A good alternative is Spybot S&D 1.4.
Don't use Internet Exploder 6 for anything except Windoze Updates. Download and install Mozilla Firefox, Mozilla Thunderbird, Opera, Eudora, or any other browser that knows how to *NOT* run ActiveX controls from the web browser or email attachment. My observed level of infections and attacks has decreased drastically since I abandoned IE6 and OE6.
Do updates regularly and often. In particular, do the Microsoft updates, Office updates, Mozilla updates, Acrobat updates, Anti-Virus updates, Anti-Spyware updates, ad nauseam. There are also a bunch of applications which offer automagic updates. If you deploy a machine with a known vulnerability on the internet, it will get attacked. Last year, I set up an XP SP1 box without any updates and connected it directly to the internet (no firewall). It was attacked and compromised within 15 minutes.
There are lots of other things you should do, but these are the basics.
The Windows XP firewall is no good, as certain files and programs configure the registry to allow permissions, so defeating the object! Use a third party firewall and virus scanner, then teach him not to click on make-money-quick type links or sites full of filth!
Learn to read the screen. When a box appears on the screen that says "click here to do whatever...", think about:
- Where did the message originate? If it came from a local program that was being installed, it's probably safe to click OK. However, if it came from some dubious web page, it's probably trying to trick you into installing something evil.
- Move the mouse over the box and see if the "action" in the lower left of the browser screen makes sense.
- Don't hit the "cancel" button. Use the [X] in the upper right hand corner of the box to dispose of it. The cancel button often does the same thing as the OK button. Even the [X] can be a trap. If there are multiple boxes within boxes on the screen, always hit the outermost box.
The XP firewall is simple enough that it's best for most users. It won't prevent outbound traffic, but there won't be any outbound traffic if the user didn't click on "bad stuff".
IME it's easier to teach them not to click on "bad stuff" than it is to teach them to parse "ksiej.dll requests access to the internet, allow or deny?", and Murphy sez they'll _always_ make the wrong choice.
One service call to determine why a virus scanner isn't updating (you know when those are happening, right?) only to discover that they've blocked it using the "if I don't understand it, block it" rule will cure you of the belief that anyone can consistently make the right choice on an outbound firewall.
Thank you very much for all the informative replies!
I understand that one of the differences between WinXP SP1 and SP2 is the latter has an effective firewall which provides additional protection, but the problem is once you install the Internet Security software there is the need to inactivate their firewall. Why is that? I have noticed that if I activate the Norton Internet Security personal firewall in version 2005 and 2006 there is a need to inactivate the Windows XP firewall. Is it not possible to have it activated simultaneously? Which is much better... the Norton Internet Security personal firewall or the WinXP SP2 firewall? Another thing is Norton Internet Security has its own spyware remover; what are your comments about this?
Wait, I had a question regarding this matter... in one of my notebooks the 100 Gig HD has been partitioned into C and D partitions having sizes of approximately 20 and 80 gigs respectively. I was surprised that in the C drive the declared empty space is 7.5 gig and the filled portion is roughly 12 gig... but when I looked at the file size of the different folders and summed it up it only amounts to about 8 gig... what stuff fills up the remaining 4 gig or more?
Another question about the Windows update... one of my notebooks that was loaded with Win XP2 used to do this regularly in the past several months but has stopped doing it lately. Is that considered normal, or was it inactivated by some means that I am unaware of? I don't see anything abnormal in this unit except for that...
Well, in this particular area Norton regularly updates its antivirus definitions, but I am not sure if they are also doing the same with the spyware, etc. Does anybody have any ideas about this?
On Sat, 10 Jun 2006 15:05:06 -0700, Jeff Liebermann wrote in :
Good for you, but infections have now become so virulent that even experts are advising starting over instead of trying to disinfect a badly infected system. Regardless, it is of course a very good idea to make regular backups.
It's really a question of time and backups. If the drive is horribly trashed, I usually recommend that the customer allow me to buy a new, bigger, faster, and usually better hard disk drive. I install XP SP2 and all the proper protection software on the new drive. I then carefully copy over the data (not the programs) from the old drive. I usually catch a few viruses in the process of copying. I then reinstall the applications.
The advantages of this method are:
It always works (the first time).
If the vendor provides a recovery or reinstallation CD, it goes fairly quickly.
It provides an instant backup (the old drive).
The customer usually gets a faster and bigger drive.
If I forgot some obscure document, I can always go back to the old drive.
The problems are:
The customer usually can't find the original CDs or serial numbers.
It's sometimes difficult to determine what is installed on the machine. I use Belarc Advisor for software inventory control.
Copy protected and registered software is always a battle with the vendor.
On Sun, 11 Jun 2006 12:05:04 -0700, Jeff Liebermann wrote in :
"Infected Windows PC? Just nuke it" "Forget repairing virus infected systems, says MS security manager" :
The latest types of malware are so potent that organisations should forget about trying to cleanse infected systems, a top Microsoft security officer has advised. Mike Danseglio, a program manager in Microsoft's security group, said firms should think about establishing a process for backup and recovering rather than relying on anti-virus tools as a way of recovering from malware infection.
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, a program manager in Microsoft's security group, told a security conference in Florida.
Rootkits - forms of malware that attempt to hide their presence on infected systems - are becoming more commonplace. Danseglio argued that such tactics made it too difficult to ensure that infected systems were fully repaired. ... Even though anti-virus technology is improving, Danseglio conceded that traditional approaches are failing in the face of more sophisticated malware and highly-motivated profit-driven virus writers. The threat has moved on from network worms towards Trojans and other forms of more difficult to detect malware. "Detection is difficult, and remediation is often impossible," he said.
To my clients and friends I recommend (in addition to one-touch USB drive backup):
Separating all user data into a separate partition (D:\).
Building a customized install image, ideally on DVD+-R.
Restoring the install image when (not if) the system drive (C:\) is damaged.
Successful recovery thus takes only a few minutes even if I'm not immediately available.
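The two pieces of advice above that agree across the thread are to keep user data apart from the system drive and to copy it somewhere safe regularly (the hidden Outlook/Outlook Express stores, Address Book and Favorites mentioned earlier included), and a backup is only useful if the copy can be shown to match the original. The script below is an added example and is not code from any poster: it copies a labelled set of data folders to a backup root, writes a SHA-256 manifest alongside the copy, and can later re-check the copy against that manifest. The folder list, the drive letters and the sample files in `demo()` are constructed assumptions for illustration.

```python
"""Back up user-data folders with a SHA-256 manifest and verify the copy.

Added example, not from the thread. DEFAULT_SOURCES is an assumed list of
the folders a poster named (Favorites, Address Book, mail stores); adjust
the paths to the profile actually being backed up.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed locations for illustration; real profiles differ by Windows version.
DEFAULT_SOURCES = {
    "Favorites": Path.home() / "Favorites",
    "AddressBook": Path.home() / "Application Data" / "Microsoft" / "Address Book",
    "OutlookExpress": Path.home() / "Local Settings" / "Application Data"
    / "Identities",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large mail stores do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(sources: dict, dest_root) -> dict:
    """Copy every file under each labelled source into dest_root/<label>/...

    Returns the manifest {relative path: sha256 of the ORIGINAL file}, which
    is also written to dest_root/manifest.json for later verification.
    Missing sources (e.g. a mail client that is not installed) are skipped.
    """
    dest_root = Path(dest_root)
    manifest = {}
    for label, src in sources.items():
        src = Path(src)
        if not src.is_dir():
            continue
        for file in src.rglob("*"):
            if not file.is_file():
                continue
            rel = Path(label) / file.relative_to(src)
            target = dest_root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(file, target)  # copy2 keeps timestamps
            manifest[rel.as_posix()] = sha256_file(file)
    dest_root.mkdir(parents=True, exist_ok=True)
    (dest_root / "manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(dest_root) -> list:
    """Re-hash the backup copy; return the relative paths that are missing or
    no longer match the manifest (empty list means the copy is intact)."""
    dest_root = Path(dest_root)
    manifest = json.loads((dest_root / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest_root / rel).is_file()
            or sha256_file(dest_root / rel) != digest]


def demo() -> tuple:
    """Run on constructed sample data in a temp directory so the example
    works without a real profile or external drive. Returns
    (files backed up, problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        fav = tmp / "Favorites"
        wab = tmp / "Address Book"
        (fav / "Links").mkdir(parents=True)
        (fav / "Links" / "news.url").write_text(
            "[InternetShortcut]\nURL=https://example.invalid/\n")
        wab.mkdir()
        (wab / "user.wab").write_bytes(b"\x00constructed address book\x00")
        sources = {"Favorites": fav, "AddressBook": wab}
        dest = tmp / "E_drive" / "backup"  # stands in for an external drive
        manifest = backup(sources, dest)
        clean = verify(dest)
        # Simulate a damaged copy on the backup medium and confirm it is caught.
        (dest / "AddressBook" / "user.wab").write_bytes(b"garbage")
        damaged = verify(dest)
        return len(manifest), clean, damaged


if __name__ == "__main__":
    print(demo())
```

Run `backup(DEFAULT_SOURCES, "E:/backup")` after adjusting the paths, and `verify("E:/backup")` before trusting the copy on a rebuilt system; `demo()` exercises both on throwaway data and shows that a file altered on the backup medium is reported.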