Overclock.net › Forums › Software, Programming and Coding › Networking & Security › XP Internet Security - WHERE does it come from?

XP Internet Security - WHERE does it come from?

post #1 of 11
Thread Starter 
About once or twice a day, I'm making visits to get rid of this XP Internet Security 2011 (or the various other identical malware programs with the same name).

Combofix is fixing it with no problem (once, I did have to use regrun to get rid of a rootkit).

Where does this come from? I don't want to be 'that guy' and accuse people of clicking on fake virus scanner advertisements ... but is that where it is coming from?

Does it come from infected web sites?

How can we stop this thing from happening?

Steps already taken
1) Disable all other user accounts on the computer
2) Revoke administrative privileges for the user account that is remaining
3) Malwarebytes paid service (for a select few who have had numerous infections)
4) Modified hosts file that redirects a ton of spam/advertisements to 127.0.0.1
5) Spybot immunization.

Is there anything else that can be done or is this all just user error?

Thanks!
IBuyJunk
    
CPUMotherboardGraphicsRAM
E6300 @ 2.3 GHz Foxconn Intel x3100 4.5 Rendition 
Hard DriveOptical DriveOSMonitor
160+500 DVDRW Server 08 x64 Princeton 17'' square 
KeyboardPowerCaseMouse
Unicomp Germanic Model M 250W Dell Vostro 200 Gateway Ball Mouse 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
E6300 @ 2.3 GHz Foxconn Intel x3100 4.5 Rendition 
Hard DriveOptical DriveOSMonitor
160+500 DVDRW Server 08 x64 Princeton 17'' square 
KeyboardPowerCaseMouse
Unicomp Germanic Model M 250W Dell Vostro 200 Gateway Ball Mouse 
  hide details  
Reply
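The hosts-file step (4 above) is worth checking rather than trusting, because the same file is also a tampering target: malware that adds entries of its own can send security-vendor or search-engine hostnames to an attacker-controlled address, and such lines sit next to the legitimate blocklist entries. The Python script below is an added example, not code from any post in this thread. It parses a hosts file, confirms that every blocklist entry really sinks traffic to a loopback or unspecified address, reports duplicates, and flags any hostname mapped to a routable IP. The file contents, hostnames and the 198.51.100.23 address are constructed sample data.

```python
"""Audit a hosts-file style ad blocklist (added example, constructed data)."""
import ipaddress
import sys
from pathlib import Path

# Constructed sample: a Windows-style hosts file with an admin-added ad
# blocklist plus two lines a hijacking program might have appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- ad/spam blocklist added by admin ---
127.0.0.1  ads.example.net
0.0.0.0    tracker.example.org   # blackhole form is also fine
127.0.0.1  ads.example.net       # duplicate, harmless but noisy
# --- lines a rogue program might add (constructed) ---
198.51.100.23  update.antivirus-vendor.example
198.51.100.23  www.google.com
"""

# Names that legitimately map to loopback and are not part of any blocklist.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in hosts-file text.

    Strips '#' comments, skips blank or malformed lines (Windows ignores
    them too) and handles several hostnames on one line.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column; ignore
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Classify hosts entries.

    Returns a dict with:
      blocked    - hostnames sunk to a loopback/unspecified address
      duplicates - hostnames mapped to the same sink more than once
      hijacked   - hostname -> (lineno, ip) for entries that point at a
                   routable address, i.e. not a sink at all
    """
    seen = set()
    blocked, duplicates, hijacked = set(), set(), {}
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in seen:
            duplicates.add(name)
        seen.add((ip, name))
        # 127.0.0.0/8, ::1, 0.0.0.0 and :: all discard the connection.
        if ip.is_loopback or ip.is_unspecified:
            if name not in LOCAL_NAMES:
                blocked.add(name)
        else:
            hijacked[name] = (lineno, str(ip))
    return {"blocked": blocked, "duplicates": duplicates, "hijacked": hijacked}


def report(result):
    """Render the audit as printable lines; non-empty 'hijacked' is the alarm."""
    lines = [f"blocklist entries: {len(result['blocked'])}",
             f"duplicate entries: {len(result['duplicates'])}"]
    for name, (lineno, ip) in sorted(result["hijacked"].items()):
        lines.append(f"SUSPECT line {lineno}: {name} -> {ip} (not a sink address)")
    return lines


if __name__ == "__main__":
    # Pass the real file (on Windows: %SystemRoot%\System32\drivers\etc\hosts)
    # as the first argument; with no argument the constructed sample is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print("\n".join(report(audit_hosts(text))))
```

Run it against each machine's real hosts file after a cleanup: an empty "SUSPECT" list means the blocklist is intact and nothing has been redirected elsewhere, while a single routable address on a security-vendor or search hostname is a strong sign the file was modified by something other than the admin.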
post #2 of 11
Considering all the preemptive measures you've taken... most likely user error at this point.

Or really really nasty adverts sliding through your hosts edit... maybe try adblock+ for either chrome or firefox? :\\

Also, keep Avira or MSE running in the background with MBAM; MBAM is completely unobtrusive to other AV software, and really is the technical last line of defense imo.
    
CPUMotherboardGraphicsRAM
Intel i7 4790k Asus Maximus Impact VII Z97 EVGA GTX 780 Classified Crucial Ballistix VLP 2x8GB 1600 
Hard DriveHard DriveOptical DriveCooling
Samsung 830 256GB Seagate 1TB SSHD Lite-On eNAU108-111 Thermalright Ultra Extreme Black 
OSMonitorKeyboardPower
Windows 8.1 Professional Asus PB278Q Das Keyboard Ultimate 4 Seasonic 760W Platinum 
CaseMouseMouse PadAudio
CaseLabs Nova X2M Logitech G602 Razer Scarab Asus Sonar Impact II + AudioEngine A2 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Intel i7 4790k Asus Maximus Impact VII Z97 EVGA GTX 780 Classified Crucial Ballistix VLP 2x8GB 1600 
Hard DriveHard DriveOptical DriveCooling
Samsung 830 256GB Seagate 1TB SSHD Lite-On eNAU108-111 Thermalright Ultra Extreme Black 
OSMonitorKeyboardPower
Windows 8.1 Professional Asus PB278Q Das Keyboard Ultimate 4 Seasonic 760W Platinum 
CaseMouseMouse PadAudio
CaseLabs Nova X2M Logitech G602 Razer Scarab Asus Sonar Impact II + AudioEngine A2 
  hide details  
Reply
post #3 of 11
PEBKAC.

Basic users have a very hard time distinguishing fake AV infection warnings from legitimate AV software... Hence, "Oh noes, my antivirus said I have 8,000 viruses so I clicked 'Install Virus Kleener'!!"
post #4 of 11
That would suck. I have a suggestion: look at implementing an updated signature-based NIPS. Snort with the SQL/Barnyard extension is a really good free option if you don't have the budget for a more expensive (Cisco IPS) solution. You'll be able to manage infection points and root out the cause much more cleanly, quickly and efficiently, so you don't have to sneaker-net all over the place.

Just a suggestion. But if you're paid by the hour, disregard.
post #5 of 11
Because you're surfing on an outdated browser on an outdated OS with admin rights. Go into safe mode and run Malwarebytes. It should remove it.

Then next time use Sandboxie when you surf with your browser.
post #6 of 11
Maybe remove IE from the kernel layer and force them to use Firefox or Chrome?
post #7 of 11
Quote:
Originally Posted by Spooony View Post
Because you're surfing on an outdated browser on an outdated OS with admin rights. Go into safe mode and run Malwarebytes. It should remove it.

Then next time use Sandboxie when you surf with your browser.
Something tells me you did nothing but read the title. It is not his machine he is talking about, rather his clients/customers.
post #8 of 11
Thread Starter 
Quote:
Originally Posted by Munkypoo7 View Post
Considering all the preemptive measures you've taken... most likely user error at this point.

Or really really nasty adverts sliding through your hosts edit... maybe try adblock+ for either chrome or firefox? :\\

Also, keep Avira or MSE running in the background with MBAM, MBAM is completely unobtrusive to other AV software, and really is the technical last line of defense imo
MSE was running on a few of these computers, along with AVG. I understand that a traditional virus scanner isn't going to do much against one of these.

I'm 100% certain that it is users clicking on fake stuff and installing it thinking they are doing the right thing. Unfortunately, being frank with people makes them feel bad and makes me look bad in the sensitivity department.


Quote:
Originally Posted by MCBrown.CA View Post
PEBKAC.

Basic users have a very hard time distinguishing fake AV infection warnings from legitimate AV software... Hence, "Oh noes, my antivirus said I have 8,000 viruses so I clicked 'Install Virus Kleener'!!"
Quote:
Originally Posted by Spooony View Post
Because you're surfing on an outdated browser on an outdated OS with admin rights. Go into safe mode and run Malwarebytes. It should remove it.

Then next time use Sandboxie when you surf with your browser.
That could have quite a bit to do with it, actually. A lot of these computers are running proprietary applications and running windows update can easily "break" the entire software package. Interestingly enough, we have one office with a particular OfficeJet HP printer - every time there is a round of Windows updates, it starts printing in reverse.

It is little things like that, all the way up to major things like programs ceasing to function that cause us/people to not update their OS and browser.

Admin privileges are being revoked along with disabling any other user accounts on the computer.

Quote:
Originally Posted by Phaedrus2129 View Post
Maybe remove IE from the kernel layer and force them to use Firefox or Chrome?
Most people would freak out if "GOOGLE" wasn't there. Unfortunately, removing IE (or the links to IE) wouldn't work. Plus it's a bit harder when it's integrated into the explorer shell ...
    
CPUMotherboardGraphicsRAM
E6300 @ 2.3 GHz Foxconn Intel x3100 4.5 Rendition 
Hard DriveOptical DriveOSMonitor
160+500 DVDRW Server 08 x64 Princeton 17'' square 
KeyboardPowerCaseMouse
Unicomp Germanic Model M 250W Dell Vostro 200 Gateway Ball Mouse 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
E6300 @ 2.3 GHz Foxconn Intel x3100 4.5 Rendition 
Hard DriveOptical DriveOSMonitor
160+500 DVDRW Server 08 x64 Princeton 17'' square 
KeyboardPowerCaseMouse
Unicomp Germanic Model M 250W Dell Vostro 200 Gateway Ball Mouse 
  hide details  
Reply
post #9 of 11
Quote:
Originally Posted by IBuyJunk View Post
MSE was running on a few of these computers, along with AVG. I understand that a traditional virus scanner isn't going to do much against one of these.

I'm 100% certain that it is users clicking on fake stuff and installing it thinking they are doing the right thing. Unfortunately, being frank with people makes them feel bad and makes me look bad in the sensitivity department.

That could have quite a bit to do with it, actually. A lot of these computers are running proprietary applications and running windows update can easily "break" the entire software package. Interestingly enough, we have one office with a particular OfficeJet HP printer - every time there is a round of Windows updates, it starts printing in reverse.

It is little things like that, all the way up to major things like programs ceasing to function that cause us/people to not update their OS and browser.

Admin privileges are being revoked along with disabling any other user accounts on the computer.

Most people would freak out if "GOOGLE" wasn't there. Unfortunately, removing IE (or the links to IE) wouldn't work. Plus it's a bit harder when it's integrated into the explorer shell ...
That's where a lot of people make the mistake. Even if you delete the account, malware can still use the name and have free access to your system.

You can do the following

1. SpywareBlaster. Protect and back up your system settings as well as block bad sites with it. It's a small free utility.

2. Adobe Flash and Java. They are the reason why browser security is failing. Keep them updated. Remember to remove all your old Java installations because malware can use the old ones with the exploits to render a page.
That's why a program like Sandboxie is so important. It's a great little utility.

3. CCleaner. Always clear the junk folders. Cleaning the temp folders makes it more difficult for malware to hide.

4. IE. No, there's no protection like NoScript for it like Firefox and Chrome provide. Install FF or Chrome with the following add-ons

NoScript
Adblock Plus
Adblock pop-up blocker
Vacuum
WOT
Panic
BetterPrivacy (great for deleting Flash cookies)
Ghostery

Make sure your Adobe and Java are on regular daily updates and that old Java versions and old versions of updated software are removed.
post #10 of 11
Quote:
Originally Posted by IBuyJunk View Post
About once or twice a day, I'm making visits to get rid of this XP Internet Security 2011 (or the various other identical malware programs with the same name).

Combofix is fixing it with no problem (once, I did have to use regrun to get rid of a rootkit).

Where does this come from? I don't want to be 'that guy' and accuse people of clicking on fake virus scanner advertisements ... but is that where it is coming from?

Does it come from infected web sites?

How can we stop this thing from happening?

Steps already taken
1) Disable all other user accounts on the computer
2) Revoke administrative privileges for the user account that is remaining
3) Malwarebytes paid service (for a select few who have had numerous infections)
4) Modified hosts file that redirects a ton of spam/advertisements to 127.0.0.1
5) Spybot immunization.

Is there anything else that can be done or is this all just user error?

Thanks!
IBuyJunk
I got the same problem as you, OP. I notice most of my customers get this specific infection all the same way. They go to Google Images, they search 'royal wedding' or something random, and then they click on 20 different pictures.

The problem with these pictures is the websites they are hosted on are all infected with dirty Chinese redirects. And then... TROJANS EVERYWHERE. Nothing you can really do.

Also, I notice some people getting fake emails being from UPS or FedEx claiming their package is ready for claiming.

If you want to try it yourself, in a controlled environment go to Google Images and search something; 1 of 10 images of a popular name is infected with this XP Internet Security Tool 2011 you speak of.

Thats all I know of so far.